Microsoft Sentinel Integration
Integrate TigerAccess with Microsoft Sentinel for cloud-native SIEM capabilities. Stream privileged access events, audit logs, and session data to Sentinel for advanced threat detection, incident response, and security analytics across your Azure and hybrid environments.
Cloud-Native SIEM Integration
Leverage Microsoft Sentinel's AI-powered security analytics for comprehensive privileged access monitoring.
Real-Time Log Streaming
Stream privileged access events, audit logs, and session data to Sentinel in real time using Azure Event Hubs or the Log Analytics API.
Pre-Built Workbooks
Leverage ready-made Azure Workbooks for privileged access analytics, session monitoring, and compliance reporting.
Automated Incident Creation
Automatically create security incidents in Sentinel based on suspicious privileged access patterns and anomalies.
Automated Response
Trigger Azure Logic Apps and playbooks to automatically revoke access, lock accounts, and notify teams on security events.
Enterprise Security Operations
Integration Setup Guide
Follow these steps to integrate TigerAccess with Microsoft Sentinel for comprehensive security monitoring.
Create Log Analytics Workspace
Set up an Azure Log Analytics workspace to receive TigerAccess logs and enable Microsoft Sentinel.
# Create resource group
az group create \
--name tigeraccess-sentinel-rg \
--location eastus
# Create Log Analytics workspace
az monitor log-analytics workspace create \
--resource-group tigeraccess-sentinel-rg \
--workspace-name tigeraccess-workspace
# Enable Microsoft Sentinel on the workspace (requires the Sentinel CLI extension: az extension add --name sentinel)
az sentinel workspace create \
--resource-group tigeraccess-sentinel-rg \
--workspace-name tigeraccess-workspace

Configure TigerAccess Log Export
Enable log export from TigerAccess to an Azure Event Hub, or directly to the Log Analytics workspace in CEF format.
# Configure Event Hub export in TigerAccess
tacctl integrations add sentinel \
--workspace-id=<workspace-id> \
--workspace-key=<workspace-key> \
--event-hub-connection="Endpoint=sb://..." \
--log-types=audit,session,access
# Or configure direct CEF export over syslog
# <log-analytics-agent> is the Linux host running Sentinel's CEF forwarder; the legacy
# Log Analytics (MMA) agent was retired in August 2024, so new deployments should use the
# "Common Event Format (CEF) via AMA" data connector on that host
tacctl config set log.syslog.enabled=true
tacctl config set log.syslog.server=<log-analytics-agent>
tacctl config set log.syslog.format=cef

Deploy TigerAccess Data Connector
Install the TigerAccess data connector in Sentinel to parse logs and enable built-in analytics.
# Deploy custom data connector (via Azure Portal or ARM template)
az sentinel data-connector create \
--resource-group tigeraccess-sentinel-rg \
--workspace-name tigeraccess-workspace \
--name TigerAccessConnector \
--kind GenericUI \
--connector-definition @tigeraccess-connector.json

Import Workbooks and Analytics Rules
Deploy pre-built workbooks, KQL queries, and analytics rules for TigerAccess monitoring.
# Import TigerAccess workbook template
az sentinel workbook create \
--resource-group tigeraccess-sentinel-rg \
--workspace-name tigeraccess-workspace \
--name "TigerAccess Privileged Access Analytics" \
--template-file tigeraccess-workbook.json
# Deploy analytics rules
az sentinel alert-rule create \
--resource-group tigeraccess-sentinel-rg \
--workspace-name tigeraccess-workspace \
--alert-rule-template "TigerAccess-FailedMFAAttempts" \
--enabled true

Create KQL Queries and Alerts
Build custom KQL queries to analyze privileged access patterns and create automated alerts.
// Example KQL query: Failed SSH authentication attempts
TigerAccessAudit_CL
| where EventType_s == "auth.failed"
| where Protocol_s == "ssh"
| summarize FailedAttempts=count() by UserName_s, bin(TimeGenerated, 5m)
| where FailedAttempts > 5
| project TimeGenerated, UserName_s, FailedAttempts
// Example KQL query: Privilege escalation detection
TigerAccessSession_CL
| where CommandType_s in ("sudo", "su", "runas")
| where Result_s == "success"
| project TimeGenerated, UserName_s, TargetHost_s, Command_s, SessionID_s

Configure Automated Response Playbooks
Set up Azure Logic Apps to automatically respond to security incidents detected in TigerAccess logs.
# Deploy automated response playbook
az logic workflow create \
--resource-group tigeraccess-sentinel-rg \
--name TigerAccess-RevokeOnAnomaly \
--definition @revoke-playbook.json
# The playbook can:
# 1. Receive incident from Sentinel
# 2. Parse incident details (user, session ID, anomaly type)
# 3. Call TigerAccess API to revoke certificate
# 4. Terminate active session
# 5. Send notification to security team
# 6. Update incident with response actions

Sample Kusto Queries
Pre-built KQL queries for analyzing TigerAccess logs in Azure Sentinel.
Top Failed Login Attempts
TigerAccessAudit_CL
| where EventType_s == "auth.failed"
| summarize Count=count() by UserName_s, SourceIP_s
| top 10 by Count desc

Session Duration Anomalies
TigerAccessSession_CL
| extend Duration = datetime_diff('minute', EndTime_t, StartTime_t)
| where Duration > 240 // Sessions longer than 4 hours
| project UserName_s, TargetHost_s, Duration, CommandCount_d

Privileged Access from New Locations
TigerAccessAudit_CL
| where EventType_s == "session.start"
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by UserName_s, Country_s
| where FirstSeen > ago(1d) // (user, country) pair first seen in the last 24h; run over the full retention window so FirstSeen reflects history
| project UserName_s, Country_s, FirstSeen, LastSeen

Real-World Security Scenarios
Privileged Access Threat Detection
Detect anomalous privileged access patterns like unusual login times, geographic anomalies, or suspicious command execution across your infrastructure.
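The two detections from the KQL queries above (failed-authentication bursts per 5-minute bin, and privileged access from a country a user has never used before) run here offline over constructed CEF lines. This is an added example, not TigerAccess or Microsoft code: the CEF field layout (rt, suser, src, proto, country carried as cs1/cs1Label) is an assumption about what the TigerAccess CEF export emits, and the sample events are constructed. The bin logic reproduces the edge case the KQL has: six failures split across two bins never trip a per-bin threshold of five.

```python
"""Added example: TigerAccess-style CEF parsing plus the two Sentinel detections,
runnable without Azure. Field names are assumptions, sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# --- Constructed sample input (assumed field layout, not the real export) ---
# Header: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extension
# Extension keys from the CEF dictionary: rt (time), suser (user), src (IP),
# proto (protocol); country travels as a labelled custom string cs1/cs1Label.
def _cef(sig, name, sev, ext):
    return f"CEF:0|TigerAccess|TigerAccess|1.0|{sig}|{name}|{sev}|{ext}"

_FAILED = [  # (user, HH:MM:SS on 2024-05-01, source IP)
    *[("alice", f"10:0{i}:30", "203.0.113.5") for i in range(5)],   # 5 in bin 10:00
    ("alice", "10:04:50", "203.0.113.5"),                           # 6th and 7th, same bin
    ("alice", "10:04:55", "203.0.113.5"),
    *[("bob", f"10:0{i}:10", "198.51.100.7") for i in range(3)],    # only 3
    *[("carol", f"10:0{i}:00", "198.51.100.9") for i in (3, 4, 5, 6, 7, 8)],  # 6, but 2 + 4 across bins
]
SAMPLE_CEF = [
    _cef("auth.failed", "SSH authentication failed", 5,
         f"rt=2024-05-01T{t}Z suser={u} src={ip} proto=ssh")
    for u, t, ip in _FAILED
] + [
    # alice has used US for a month; the RO session is the first ever from that country
    _cef("session.start", "Session started", 3, "rt=2024-04-01T09:00:00Z suser=alice src=203.0.113.5 cs1Label=Country cs1=US"),
    _cef("session.start", "Session started", 3, "rt=2024-05-01T09:55:00Z suser=alice src=203.0.113.5 cs1Label=Country cs1=US"),
    _cef("session.start", "Session started", 3, "rt=2024-05-01T10:10:00Z suser=alice src=192.0.2.44 cs1Label=Country cs1=RO"),
    _cef("session.start", "Session started", 3, "rt=2024-04-20T08:00:00Z suser=bob src=198.51.100.7 cs1Label=Country cs1=DE"),
]

_HEADER = ("version", "vendor", "product", "device_version", "signature", "name", "severity")
# key=value pairs; a value runs until the next " key=" or end of line, "\=" is an escaped '='
_EXT_KV = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)")

def parse_cef(line):
    """Parse one CEF line into a flat dict (escaped pipes in the header are honoured)."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line[:40]!r}")
    event = dict(zip(_HEADER, (p.replace(r"\|", "|") for p in parts[:7])))
    ext = {k: v.replace(r"\=", "=") for k, v in _EXT_KV.findall(parts[7])}
    for key in [k for k in ext if k.endswith("Label")]:   # cs1Label=Country cs1=US -> Country=US
        base = key[:-5]
        if base in ext:
            ext[ext.pop(key)] = ext.pop(base)
    event.update(ext)
    event["time"] = datetime.fromisoformat(event["rt"].replace("Z", "+00:00"))
    return event

def failed_auth_bursts(events, threshold=5, bin_minutes=5):
    """Mirror of: summarize count() by UserName_s, bin(TimeGenerated, 5m) | where count > threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["signature"] == "auth.failed" and e.get("proto") == "ssh":
            t = e["time"]
            bin_start = t.replace(minute=t.minute - t.minute % bin_minutes, second=0, microsecond=0)
            counts[(e["suser"], bin_start)] += 1
    return {k: n for k, n in counts.items() if n > threshold}

def new_country_access(events, now, lookback=timedelta(days=1)):
    """(user, country) pairs whose first session.start falls inside the lookback window.
    Needs the full history as input; over a short window every country looks new."""
    first_seen = {}
    for e in events:
        if e["signature"] == "session.start":
            key = (e["suser"], e.get("Country", "unknown"))
            first_seen[key] = min(first_seen.get(key, e["time"]), e["time"])
    return sorted(k for k, t in first_seen.items() if t > now - lookback)

EVENTS = [parse_cef(line) for line in SAMPLE_CEF]
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock so the run is reproducible

if __name__ == "__main__":
    for (user, start), n in failed_auth_bursts(EVENTS).items():
        print(f"failed-auth burst: {user} made {n} attempts in the bin starting {start:%H:%M}")
    for user, country in new_country_access(EVENTS, NOW):
        print(f"new country: {user} from {country}")
```

Only alice is reported for the burst (seven failures inside the 10:00 bin); carol's six failures straddle two bins and, exactly as in the KQL, never exceed five in any one of them, which is why a sliding window is worth considering before relying on a bin-based rule alone.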
Compliance and Audit Analytics
Build comprehensive audit trails and compliance reports using Sentinel workbooks that correlate privileged access with business context and regulatory requirements.
Automated Incident Response
Automatically respond to security incidents by revoking certificates, terminating sessions, and locking accounts using Azure Logic Apps and Sentinel playbooks.
Cross-Platform Security Monitoring
Combine TigerAccess logs with other Azure and third-party security data in Sentinel for unified security monitoring and correlation across your entire environment.
Frequently Asked Questions
What log formats does TigerAccess support for Sentinel?
TigerAccess supports CEF (Common Event Format), Syslog, and direct streaming to Azure Event Hubs or Log Analytics workspace via the Azure Monitor API. CEF format is recommended for best integration with Sentinel analytics.
How much does it cost to send TigerAccess logs to Sentinel?
Costs include Azure Log Analytics data ingestion (typically $2-3/GB), Sentinel analysis ($2-5/GB depending on commitment tier), and Event Hub streaming if used. Most TigerAccess deployments generate 100-500 MB of logs per 1000 users per day.
Can Sentinel automatically revoke TigerAccess certificates?
Yes. Using Azure Logic Apps playbooks, Sentinel can automatically call the TigerAccess API to revoke certificates, terminate sessions, or trigger access locks when security incidents are detected.
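The decision logic of the TigerAccess-RevokeOnAnomaly playbook from the setup guide (receive incident, extract user and session, revoke, terminate, notify, write back what ran), as an added example that is not TigerAccess or Microsoft code. The incident payload is a constructed, trimmed version of what the Sentinel incident trigger hands a Logic App (the Account and Ip entity kinds are real Sentinel kinds; the customDetails location, the sessionId field and the TigerAccess API routes are assumptions), and the API client is an in-memory stand-in so the example runs offline.

```python
"""Added example: playbook decision logic for TigerAccess-RevokeOnAnomaly.
Incident shape, custom details and API routes are assumptions; the API is faked."""
from __future__ import annotations
import copy
from dataclasses import dataclass, field

# Constructed incident payload (trimmed Sentinel incident-trigger shape)
INCIDENT = {
    "object": {"properties": {
        "incidentNumber": 1042,
        "title": "TigerAccess: privileged access from new country",
        "severity": "High",
        "relatedEntities": [
            {"kind": "Account", "properties": {"accountName": "alice"}},
            {"kind": "Ip", "properties": {"address": "192.0.2.44"}},
        ],
        # assumed: the analytics rule forwards these as custom details
        "customDetails": {"sessionId": "sess-7f3a", "anomalyType": "new_country"},
    }}
}

# Which actions each severity earns; Low/Informational only notify, an analyst decides
ACTIONS_BY_SEVERITY = {
    "High": ["terminate_session", "revoke_certificate", "lock_account", "notify"],
    "Medium": ["terminate_session", "notify"],
}

@dataclass
class ResponsePlan:
    user: str
    session_id: str | None
    anomaly: str
    actions: list = field(default_factory=list)

def parse_incident(payload):
    """Step 2: pull user, session id and anomaly type out of the incident."""
    props = payload["object"]["properties"]
    accounts = [e["properties"]["accountName"]
                for e in props.get("relatedEntities", []) if e["kind"] == "Account"]
    if len(accounts) != 1:          # never guess which account to revoke
        raise ValueError(f"expected exactly one Account entity, got {accounts}")
    custom = props.get("customDetails", {})
    return props["severity"], accounts[0], custom.get("sessionId"), custom.get("anomalyType", "unknown")

def plan_response(payload):
    severity, user, session_id, anomaly = parse_incident(payload)
    actions = list(ACTIONS_BY_SEVERITY.get(severity, ["notify"]))
    if session_id is None:          # nothing to terminate if the rule carried no session
        actions = [a for a in actions if a != "terminate_session"]
    return ResponsePlan(user, session_id, anomaly, actions)

def run_playbook(payload, api, notify):
    """Steps 3-6 against an API client api(method, path, body) -> bool.
    Stops at the first failure so the incident comment never claims an action that did not happen."""
    plan = plan_response(payload)
    done = []
    for action in plan.actions:
        if action == "terminate_session":
            ok = api("POST", f"/v1/sessions/{plan.session_id}/terminate", {})        # assumed route
        elif action == "revoke_certificate":
            ok = api("POST", f"/v1/users/{plan.user}/certificates/revoke", {"reason": plan.anomaly})
        elif action == "lock_account":
            ok = api("POST", f"/v1/users/{plan.user}/lock", {"reason": plan.anomaly})
        else:
            ok = notify(f"[{plan.anomaly}] {plan.user}: {', '.join(done) or 'no automatic action'}")
        if not ok:
            break
        done.append(action)
    skipped = [a for a in plan.actions if a not in done]
    comment = (f"Playbook TigerAccess-RevokeOnAnomaly for {plan.user}: completed {done}"
               + (f"; stopped at {skipped[0]}, skipped {skipped[1:]}" if skipped else ""))
    return done, comment            # the comment is what step 6 writes back to the incident

def with_overrides(payload, **props):
    """Deep copy of the payload with incident properties replaced (for the walk-through)."""
    p = copy.deepcopy(payload)
    p["object"]["properties"].update(props)
    return p

class FakeApi:
    """Constructed stand-in for the TigerAccess API: records calls, fails when fail_on is in the path."""
    def __init__(self, fail_on=None):
        self.calls, self.fail_on = [], fail_on
    def __call__(self, method, path, body):
        self.calls.append((method, path))
        return self.fail_on is None or self.fail_on not in path

if __name__ == "__main__":
    api = FakeApi()
    print(run_playbook(INCIDENT, api, lambda msg: print("notify:", msg) or True)[1])
    print(run_playbook(INCIDENT, FakeApi(fail_on="certificates"), lambda msg: True)[1])
```

The fail-closed ordering matters: the session is terminated before the certificate is revoked, and a revocation failure stops the run and is recorded in the incident comment rather than being papered over by a later "notify" step.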
What pre-built detection rules are available?
TigerAccess provides detection rules for: brute force attacks, privilege escalation, unusual access patterns, failed MFA attempts, certificate anomalies, session recording tampering, and sensitive command execution. All rules are customizable.
How does TigerAccess integrate with Azure Sentinel API?
TigerAccess can be configured as a Sentinel data connector, automatically parsing logs into custom tables. You can also use the Sentinel API to programmatically create incidents from TigerAccess events or enrich alerts with additional context.
Can I correlate TigerAccess logs with other security data in Sentinel?
Absolutely. Sentinel allows you to join TigerAccess logs with Azure AD sign-ins, firewall logs, endpoint detection data, and other sources using KQL queries. This enables powerful cross-platform threat detection and investigation.