Microsoft Sentinel

Important Update -

Microsoft deprecated the HTTP Data Collector API used by this integration. As a result:

• New Microsoft Sentinel connectors cannot be created through Harmony SASE.

• Existing connectors continue to function until mid-September 2025, after which they stop working.

Migrate to the export option available in the Infinity Portal. For more details, see Microsoft's announcement: Action Required: Transition from HTTP Data Collector API in Microsoft Sentinel.

Understanding Data Exporting to Microsoft Sentinel

This article describes how to set up and use Microsoft Sentinel (formerly Azure Sentinel). It is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution that integrates with the Harmony SASE platform. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. You can configure your Harmony SASE data stream to Microsoft Sentinel to have full visibility of your Harmony SASE activity.

Note -

The configuration steps on this page are retained for reference only. New integrations can no longer be created.

Setting up a Log Analytics workspace

1. Open the Azure portal and select Azure Sentinel.

2. Select +Add.

3. Select Create a new workspace.

4. Enter these details:

• Subscription: Choose a subscription according to your business's needs.

• Resource group: Associate the log analytics workspace with the appropriate business unit.

• Name: Choose the name of your own choice. The workspace name should include 4-63 letters, digits, or '-'. The '-' shouldn't be the first or the last symbol.

• Region: The physical location of the server generating the event collector. Choose according to pricing and business needs.

• (Optional) Review the pricing tiers and set appropriate tags for the workspace.

• Click Review + Create.

Linking the Logs Analytics workspace to Microsoft Sentinel

1. Open the Azure portal and select Azure Sentinel.

2. Select +Add.

3. Select the Logs Analytics Workspace that you've just created or an existing one you'd like to utilize.

Finding your Log Analytics workspace ID and shared key

Get the Log Analytics workspace ID

1. Open the Azure portal.

2. Go to Log Analytics workspaces.

3. Select the workspace connected to Microsoft Sentinel.

4. In the Overview page, copy the Workspace ID.

   

Get the shared key using Azure Cloud Shell

1. In the Azure portal, select Azure Cloud Shell from the top navigation bar.

2. Run these command:

   Get-AzOperationalInsightsWorkspaceSharedKey `
     -ResourceGroupName "YOUR_RESOURCE_GROUP_NAME" `
     -Name "YOUR_LOG_ANALYTICS_WORKSPACE_NAME"

3. Copy the value of PrimarySharedKey from the output.

   

Configuring the integration at the Management Platform

Note -

This section is for reference only. New integrations can no longer be created due to the Microsoft API deprecation.

1. Log in to the Harmony SASE Management Platform.

2. Go to Settings > Integrations.

3. Find Microsoft Sentinel and select Add.

   

   Enter these details:

   • Workspace ID: copied from the Azure Portal

   • Workspace Key: Primary Shared Key from Cloud Shell

4. Click Validate.

Recommendations

• When setting up the integration with Microsoft Sentinel, ensure that you have the correct Log Analytics Workspace ID and Primary Key.

• If you encounter error codes such as "SENTINEL_INACTIVE_CUSTOMER" or "SENTINEL_INVALID_AUTHORIZATION", review the provided workspace details and ensure they are accurate.

Troubleshooting

Support Contacts

If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at sase.checkpoint.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.