---
title: "Installing and Configuring the Microsoft Sentinel Content Pack"
slug: "installing-and-configuring-the-microsoft-sentinel-content-pack"
description: "This article describes how to install the Microsoft Sentinel Content Pack via TC Exchange and the configuration you must complete in ThreatConnect and Microsoft Sentinel to use the Content Pack."
tags: ["Administrator"]
updated: 2023-07-05T12:23:52Z
published: 2023-07-05T12:23:52Z
canonical: "knowledge.threatconnect.com/installing-and-configuring-the-microsoft-sentinel-content-pack"
---

# Installing and Configuring the Microsoft Sentinel Content Pack

## Installing the Microsoft Sentinel Content Pack

Follow the steps in this section to install the Microsoft Sentinel™ Content Pack through TC Exchange™ in ThreatConnect®.

1. Log into ThreatConnect with a System Administrator account.
2. On the top navigation bar, hover over **Settings** ![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png) and select **TC Exchange Settings**. The **Installed** tab of the **TC Exchange Settings** screen will be displayed.
3. Click the **Catalog** tab. The **Catalog** screen will be displayed.
4. Select **Content Packs** from the dropdown to the left of the search bar to display all Content Packs in the TC Exchange catalog (Figure 1).  
![Figure 1_Installing and Configuring the Microsoft Sentinel Content Pack_7.1.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_Installing%20and%20Configuring%20the%20Microsoft%20Sentinel%20Content%20Pack_7.1.2.png)
5. Click **Install ![Plus icon_Dark blue](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Plus%20icon_Dark%20blue.png)** in the **Options** column for the Microsoft Sentinel Content Pack. A drawer showing all items in the Content Pack will be displayed (Figure 2). Note that you may need to scroll down to view all items in the table displayed in this drawer.  
![Figure 2_Installing and Configuring the Microsoft Sentinel Content Pack_7.1.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_Installing%20and%20Configuring%20the%20Microsoft%20Sentinel%20Content%20Pack_7.1.2.png)
  - **Description**: This section displays the Content Pack’s description.
  - **Contents**: This section displays the items (i.e., Apps, [Artifact](https://knowledge.threatconnect.com/docs/artifacts) types, [Attribute](https://knowledge.threatconnect.com/docs/attributes) Types, [Playbooks](https://knowledge.threatconnect.com/docs/playbooks), and [Workflows](https://knowledge.threatconnect.com/docs/workflows-and-workflow-templates)) that the Content Pack contains. If an item is already installed on your ThreatConnect instance, a green checkmark will be displayed in the **Installed** column.
  - Click the **+ Install** button to install the Content Pack and any items it contains that are not already installed or created on your ThreatConnect instance.

After the Content Pack is installed, the following items will be created at the System level on your ThreatConnect instance:

- [Playbook Templates](https://knowledge.threatconnect.com/docs/playbook-templates):
  - Microsoft Sentinel - Get TAXII™ collection IDs R2
  - Microsoft Sentinel - Parse KQL Query From Signature Group and pull Incidents or Alerts R2
  - Microsoft Sentinel - Pull Sentinel Incidents and create Desired Cases R2
  - Microsoft Sentinel - Pull Incidents and Create TC Incidents R2
  - Microsoft Sentinel - Send KQL Query to pull Incidents or Alerts R2
- [Artifact](https://knowledge.threatconnect.com/docs/artifacts) types:
  - Sentinel Incident ID

## Configuring the Microsoft Sentinel Content Pack

The Microsoft Sentinel Content Pack leverages the [**Microsoft® Azure® Sentinel** Playbook App](https://threatconnect.readme.io/docs/microsoft-azure-sentinel-playbook) and several Playbooks to accomplish its use cases. The following subsections describe the configuration that must be completed in order to use this App and the Content Pack’s Playbooks.

**Note:** The configuration described in the following subsections is applicable to both the **Microsoft Azure Sentinel** Playbook and Service Apps. The **Microsoft Azure Sentinel** Playbook App is a standalone App that does not require a [Playbook Service](https://knowledge.threatconnect.com/docs/playbook-services) to operate; however, it can be used in conjunction with the [**Microsoft Azure Sentinel** Service App](https://threatconnect.readme.io/docs/microsoft-azure-sentinel-service-service) and corresponding Service Trigger to accomplish combined use cases.

### Registering and Configuring an App in the Azure Portal

To use the **Microsoft Azure Sentinel** Playbook App and the Microsoft Sentinel Content Pack’s Playbooks, you must register an app in the [Azure portal](https://portal.azure.com/). Before following the steps in this section, verify that you have [created an Azure Active Directory™ (AD) tenant](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) in the Azure portal.

1. [Register an app](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) in Azure AD. In most cases, an account type of **Single Tenant** should be selected and the optional **Redirect URI** field should be left empty.
2. [Add a client secret](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-client-secret) to the app you registered in Step 1. The client secret’s value will be used as the value for the **Client Secret** parameter in the **Microsoft Azure Sentinel** Playbook App and the Content Pack’s Playbooks.  
**Important:** Make sure to save the client secret’s value, as you will not be able to retrieve it after leaving the **Client & secrets** page in the Azure portal.
3. Navigate to Microsoft Sentinel, click **Settings** in the side navigation bar, select the **Workspace settings** tab, and locate the resource group associated with the Microsoft Sentinel workspace.
4. Return to the Azure portal homepage and select **Resource groups** on the side navigation bar. The **Resource groups** page will be displayed.
5. Select the resource group you located in Step 3. The resource group’s page will be displayed.
6. On the resource group’s page, select **Access control (IAM)** on the side navigation bar, click **Role assignments**, and [assign the **Contributor** role](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal#step-2-open-the-add-role-assignment-page) to the app you registered in Step 1. Note that you can search for the registered app in the **Members** tab of the **Add role assignment** page.

The app you registered is now properly configured for use with the **Microsoft Azure Sentinel** Playbook App and the Content Pack’s Playbooks.

### Setting Up Credentials for Playbooks

The credentials listed in this section are used for communication between ThreatConnect and Microsoft Sentinel in the **Microsoft Azure Sentinel** Playbook App and the Content Pack’s Playbooks. It is recommended to create an Organization-level variable in ThreatConnect for each credential. (See the “Variables” section of the *ThreatConnect Organization Administration Guide* for instructions on creating Organization-level variables.)

- **Tenant ID**: The [ID of the Azure AD tenant](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-find-tenant/). To obtain this value, navigate to the **Properties** page in Azure AD.
  - **Example value**: abcd1234-a333-a333-a333-abcdabcd123
- **Client ID**: The client ID of the app you registered in the “Registering and Configuring an App in the Azure Portal” section. To obtain this value, navigate to the **Overview** page for the app in Azure AD.
  - **Example value**: abcd1234-a333-a333-a333-abcdabcd123
- **Client Secret**: The value of the client secret created in Step 2 of the “Registering and Configuring an App in the Azure Portal” section. Note that the client secret’s value is displayed in the **Value** column of the **Client secrets** tab of the **Clients & secrets** page in Azure.
  - **Example value**: ab123~ABCDabd.abc175.ABCdc.abc~abcabcABC
- **Subscription ID**: The ID of the subscription assigned to the Microsoft Sentinel workspace. To obtain this value, navigate to Microsoft Sentinel, click **Settings** in the side navigation bar, and select the **Workspace settings** tab.
  - **Example value**: abcd1234-a333-a333-a333-abcdabcd123
- **Resource Group Name**: The name of the resource group associated with the Microsoft Sentinel workspace. To obtain this value, navigate to Microsoft Sentinel, click **Settings** in the side navigation bar, and select the **Workspace settings** tab.
  - **Example value**: threatconnect-example
- **Workspace Name**: The name of the workspace to which Microsoft Sentinel is added. To obtain this value, navigate to Microsoft Sentinel, click **Settings** in the side navigation bar, and select the **Workspace settings** tab.
  - **Example value**: tc-sentinel
- **Workspace ID**: The ID of the workspace to which Microsoft Sentinel is added. To obtain this value, navigate to Microsoft Sentinel, click **Settings** in the side navigation bar, and select the **Workspace settings** tab.
  - **Example value**: 9081f3fe-0f4a-aaaa-aaaa-5083530be7cf
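
A pre-flight check for the seven values above before they are saved as Organization-level variables, added here as an example and not part of ThreatConnect's documentation or Apps. The dictionary keys, the `validate` and `workspace_scope` helpers, and the sample values are constructed for illustration; the name patterns follow Azure's naming rules for resource groups and Log Analytics workspaces, and `workspace_scope` builds the standard Azure Resource Manager ID of the workspace.

```python
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Azure naming rules: resource group 1-90 chars, not ending in a period;
# Log Analytics workspace 4-63 alphanumerics/hyphens, alphanumeric at both ends.
RG_NAME = re.compile(r"^[\w.()-]{1,90}(?<!\.)$")
WS_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{2,61}[A-Za-z0-9]$")
GUID_FIELDS = ("tenant_id", "client_id", "subscription_id", "workspace_id")

def validate(creds):
    """Return a list of problems found in the seven credential values."""
    problems = []
    for name, value in creds.items():
        if value != value.strip():
            problems.append(f"{name}: leading or trailing whitespace")
    for name in GUID_FIELDS:
        if not GUID.match(creds[name].strip()):
            problems.append(f"{name}: not a GUID")
    secret = creds["client_secret"].strip()
    if not secret:
        problems.append("client_secret: empty")
    elif GUID.match(secret):
        # The portal lists a GUID "Secret ID" beside the Value column.
        problems.append("client_secret: looks like the Secret ID, not the Value")
    if not RG_NAME.match(creds["resource_group_name"].strip()):
        problems.append("resource_group_name: invalid name")
    if not WS_NAME.match(creds["workspace_name"].strip()):
        problems.append("workspace_name: invalid name")
    return problems

def workspace_scope(creds):
    """ARM resource ID of the workspace that the values identify."""
    return ("/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}"
            "/providers/Microsoft.OperationalInsights/workspaces/{workspace_name}"
            ).format(**creds)

# Constructed sample values, not real identifiers.
SAMPLE = {
    "tenant_id": "11111111-2222-3333-4444-555555555555",
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "constructed~Secret.Value-000",
    "subscription_id": "99999999-8888-7777-6666-555555555555",
    "resource_group_name": "threatconnect-example",
    "workspace_name": "tc-sentinel",
    "workspace_id": "12345678-90ab-cdef-1234-567890abcdef",
}

if __name__ == "__main__":
    print(validate(SAMPLE) or workspace_scope(SAMPLE))
```

The placeholder `abcd1234-a333-a333-a333-abcdabcd123` shown for several values above has an 11-character final group, so it fails the GUID check; real IDs have 12 characters there.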

---

*ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc. Azure® and Microsoft® are registered trademarks, and Active Directory™ and Microsoft Sentinel™ are trademarks, of Microsoft Corporation. TAXII™ is a trademark of The MITRE Corporation.*

20153-02 v.01.A
