Integrating PAM360 with Microsoft Sentinel

For procedures prior to build 8500, refer to this help document.

PAM360, a unified privileged access management product from ManageEngine, integrates with Microsoft Sentinel, a cloud-native security information and event management (SIEM) solution by Microsoft. This is in addition to the already available integrations with the third-party SIEM solutions such as Splunk, ManageEngine EventLog Analyzer, and Sumo Logic.

At the end of this document, you will have learned the following:

1. Key Benefits of the Integration
2. Configuring a PAM360 Workspace for Microsoft Sentinel
3. Configuring PAM360 for Microsoft Sentinel Integration
4. Viewing PAM360 logs in Microsoft Sentinel
5. Troubleshooting Tips

1. Key Benefits of Integration

PAM360's extensive auditing capabilities include gathering and processing audit logs for resources, passwords, and users in real time. The product allows you to tailor notifications for specific events from the Audit tab. Through the PAM360-Microsoft Sentinel integration, PAM360 sends detailed logs to the SIEM tool as syslog, enabling you to view PAM360 audit trails from the Microsoft Sentinel interface. Apart from the above-mentioned SIEM tools, you can set up any other log management tool to collect audit logs. It is possible to configure multiple log management tools concurrently.

2. Configuring a PAM360 Workspace for Microsoft Sentinel

To configure a PAM360 workspace for the Microsoft Sentinel integration, complete the following procedures in the Azure portal:

• Creating a Log Analytics Workspace
• Creating a Data Collection Endpoint (DCE)
• Creating a Data Collection Rule (DCR)
• Registering an Azure Application for Log Ingestion

2.1 Creating a Log Analytics Workspace

A Log Analytics workspace is the basic management unit of Microsoft Sentinel logs. To create a Log Analytics workspace in the Azure portal, follow the steps below:

1. Log in to your Azure portal and click Log Analytics workspaces under Azure services.
   
2. Click Create in the top pane to create a new Log Analytics workspace for the PAM360-Sentinel integration.
   
3. On the page that appears, select your resource group name from the dropdown or click Create new under the Resource group dropdown. In the pop-up that appears, enter a Name for the new resource group and click OK.
   
4. Under Instance details, enter a workspace name in the Name field and select your Region.

   Additional Details

   • The workspace name should be between 4 and 63 characters.
   • The workspace name can contain only letters, numbers and '-'. The '-' should not be the first or last symbol.
5. Click the Review + Create button to validate the workspace details.
6. Once the validation is passed, click Create and wait for the deployment to complete.
   

The newly created workspace can be viewed on the Log Analytics workspaces page. Note down the Custom Log Table name or Stream name of your workspace as you will be needing it when configuring Sentinel integration in PAM360. You can find this name by navigating to your Log Analytics workspace >> Settings >> Tables.

2.2 Creating a Data Collection Endpoint

A Data Collection Endpoint (DCE) defines the secure ingestion endpoint used by Microsoft Sentinel to receive logs from external sources, such as PAM360. Creating a DCE ensures that PAM360 audit logs are securely authenticated, routed, and ingested into the correct Log Analytics workspace through the Logs Ingestion API. To create a DCE in the Azure portal, follow the steps below:

1. On the Azure home page, under Azure services, click Data collection endpoints.
2. On the page that appears, click Create from the top menu and enter the following details:
   
   1. Endpoint Name - A name for the endpoint to be created.
   2. Resource Group - Select the existing resource group (created in the previous step) name from the dropdown.
   3. Region - Select the region of the resource group or workspace managed.
      
3. Click Review + Create >> Create.

The DCE has been created in the Azure portal for the PAM360-Sentinel integration. Now, note down the Logs Ingestion URL of your DCE. This will be used for authentication when integrating Sentinel in PAM360.

2.3 Creating a Data Collection Rule

A Data Collection Rule (DCR) defines how incoming PAM360 audit logs are processed, mapped, and stored in Microsoft Sentinel. It links the data source with the target Log Analytics table, ensuring logs are ingested in the correct format and location. To create a DCR in the Azure portal, follow the steps below:

1. On the Azure home page, under Azure services, click Log Analytics workspace.
2. On the page that appears, select your workspace from the list.
3. From the left-side pane, expand Settings and click Tables.
4. Click the Create dropdown and select New custom log (Direct Ingest) to create a custom log. This step is crucial because it enables Microsoft Sentinel to accept logs sent directly from PAM360 using the Logs Ingestion API. It also defines the custom table structure and associates it with a data collection rule, allowing PAM360 audit logs to be correctly parsed, stored, and queried within the Log Analytics workspace.
   
5. On the page that appears, enter the Table name and click Create a new data collection rule beneath the Data collection rule dropdown.
6. In the window that appears, enter the DCR name and click Done.
7. Select the Data collection endpoint from the dropdown and click Next.
   
8. On the page that appears, upload this sample log file and click Next >> Create.
   

   Additional Detail

   The sample log file represents the JSON structure of PAM360 audit logs. Uploading this file helps Microsoft Sentinel understand the schema and table format of the incoming data. This ensures that audit logs sent from PAM360 follow the same structure in Azure, allowing the logs to be correctly parsed, stored in the custom table, and queried effectively in the Log Analytics workspace.

   

The DCR has been created in the Azure portal. Note down the Immutable ID of your DCE. This will be used for authentication when integrating Sentinel in PAM360.

2.4 Registering an Azure Application for Log Ingestion

2.4.1 Creating an Azure Application

1. On the Azure home page, under Azure services, click Microsoft Entra ID.
2. On the page that appears, click Add >> App registration.
   
3. On the Register an application page,
   1. Enter a Name for the new application.
   2. Select the supported account types (optional) and Redirect URI (optional).
   3. Click Register to create the application.
      

2.4.2 Creating Client Secret and Assigning Roles

Once the application is created, note down the Application (client) ID and Directory (tenant) ID as these will be required while sending syslog messages from PAM360. Then, proceed to create client secret and assign roles for the registered application by following the steps below:

1. Expand Manage from the left-side panel and select Certificates & secrets from the list.
2. Under Client secrets, click + New client secret.
3. In the window that appears, enter a Description for the client secret and click Add.
   
4. Once the secret is created, copy its Value from the list as it is required in the future while creating and managing an Azure App resource in PAM360.
   
5. Now, navigate to the Log Analytics workspace page and select your workspace.
6. Click Access Control (IAM) from the left pane and click Add >> Add role assignment.
   
7. On the Add role assignment page that appears,
   1. Select the Contributor or Monitoring Metrics Publisher role from the list and click Next.

      Additional Detail

      The Contributor or Monitoring Metrics Publisher role is required to grant the Azure application the necessary permissions to ingest logs into the Log Analytics workspace. These roles allow the application to write log data, publish metrics, and interact with ingestion endpoints without providing excessive administrative privileges. Assigning these roles ensures secure and authorized log ingestion from PAM360 into Microsoft Sentinel.

      
   2. Ensure that the Assign access to option is set to User, group, or service principal.
   3. Click Select members next to the Members field.
   4. In the window that appears on the right-side of the page, search and select your registered Azure application for the Sentinel integration.
      
   5. Click Next >> Review + assign. The selected role will be assigned to the Azure application.

You have successfully configured a workspace for PAM360 in the Microsoft Sentinel portal.

3. Configuring PAM360 for Microsoft Sentinel Integration

3.1 Adding the Azure Application as a Resource in PAM360

This section explains how to add your Azure application (registered for log ingestion in the Azure portal) as a resource in PAM360 for the Sentinel integration.

1. Navigate to the Resource tab and click Add Resource >> Add Manually.
2. In the Add Resource window that appears,
   
   1. Enter the Resource Name of your Azure application.
   2. Select Azure App from the Resource Type dropdown.
   3. Fill in the Directory (Tenant) ID and Client ID that are copied from the Azure portal while creating an Azure application.
   4. Click Save & Proceed to add an account and save the client secret.
3. In the Add Accounts window that appears,
   1. Enter the Client Secret Name of your choice.
   2. Enter the secret value (copied from the Azure portal) in the Secret Value and Confirm Secret Value fields.
      
   3. Click Add >> Save to add the Azure application credentials. This will be used later for authentication when sending syslog messages after the Sentinel integration.

3.2 Enabling Microsoft Sentinel Integration in PAM360

Follow the below steps to complete the Microsoft Sentinel configuration in PAM360:

1. Navigate to Admin >> Integrations >> SIEM.
2. Under Microsoft Sentinel, click Enable.
3. In the dialog box that appears,
   
   1. Select the Azure application resource and the account from the dropdown.
   2. In the Stream Name field, enter the custom log table name or stream name that is copied from the Azure portal.
   3. In the DCE Logs Ingestion URL field, enter the logs ingestion URL copied from the Azure portal.
   4. In the DCE Immutable ID field, enter the immutable ID copied from the Azure portal and click Enable.
4. In the confirmation dialog box that appears, click Enable to confirm the integration.

The integration process is now complete. From now on, all audit trails that are captured in PAM360 will be transferred to the Microsoft Sentinel portal.

4. Viewing PAM360 Logs in Microsoft Sentinel

To view the PAM360 logs in Microsoft Sentinel, log in to the Azure portal and follow these steps:

1. Under Azure services, select Log Analytics workspace.
2. Select your workspace from the list and click Logs.
3. Expand the Custom Logs menu and verify if a custom log for PAM360 has been created (for example, PAM360_CL).
4. Double click the custom log, the command will appear on the terminal to the right. Add a semicolon to the custom log command: PAM360_CL;
   
5. You can choose the required time range and click the Run option from the top.
6. Now, all logs captured from PAM360 in the selected time range will appear below.
7. If required, use the Export option to export the logs in the CSV format.

5. Troubleshooting Tips

After configuring the integration, if you are still unable to view the PAM360 logs in the Microsoft Sentinel portal, try the below steps:

1. Ensure there is internet connectivity in the machine where the PAM360 server resides.
2. Check if the Generate Syslog option is enabled in the PAM360 interface under Configure Audit.
3. Ensure that you do not delete the custom logs that are auto-generated in Log Analytics workspace under Settings >> Tables. In case, you have deleted the custom logs, re-configure the integration with a new workspace.