diff --git a/docs/docs.json b/docs/docs.json
index 30a87547..c9a39db2 100644
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -627,6 +627,13 @@
"integrations/cortex-xsoar/reference"
]
},
+ {
+ "group": "Microsoft Sentinel",
+ "pages": [
+ "integrations/microsoft/sentinel/configure",
+ "integrations/microsoft/sentinel/use"
+ ]
+ },
{
"group": "ServiceNow",
"pages": [
diff --git a/docs/images/integrations/microsoft/sentinel/image14.png b/docs/images/integrations/microsoft/sentinel/image14.png
new file mode 100644
index 00000000..c5288f05
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image14.png differ
diff --git a/docs/images/integrations/microsoft/sentinel/image15.jpeg b/docs/images/integrations/microsoft/sentinel/image15.jpeg
new file mode 100644
index 00000000..64901a0c
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image15.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image16.jpeg b/docs/images/integrations/microsoft/sentinel/image16.jpeg
new file mode 100644
index 00000000..a4a40b90
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image16.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image17.jpeg b/docs/images/integrations/microsoft/sentinel/image17.jpeg
new file mode 100644
index 00000000..2f123217
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image17.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image18.jpeg b/docs/images/integrations/microsoft/sentinel/image18.jpeg
new file mode 100644
index 00000000..bf0b292f
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image18.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image19.png b/docs/images/integrations/microsoft/sentinel/image19.png
new file mode 100644
index 00000000..064b01f4
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image19.png differ
diff --git a/docs/images/integrations/microsoft/sentinel/image20.jpeg b/docs/images/integrations/microsoft/sentinel/image20.jpeg
new file mode 100644
index 00000000..c9742ad0
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image20.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image21.png b/docs/images/integrations/microsoft/sentinel/image21.png
new file mode 100644
index 00000000..ca1447e5
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image21.png differ
diff --git a/docs/images/integrations/microsoft/sentinel/image22.jpeg b/docs/images/integrations/microsoft/sentinel/image22.jpeg
new file mode 100644
index 00000000..dbfe1095
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image22.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image23.jpeg b/docs/images/integrations/microsoft/sentinel/image23.jpeg
new file mode 100644
index 00000000..3caba9d1
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image23.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image24.jpeg b/docs/images/integrations/microsoft/sentinel/image24.jpeg
new file mode 100644
index 00000000..e37b8c94
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image24.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image26.png b/docs/images/integrations/microsoft/sentinel/image26.png
new file mode 100644
index 00000000..a4e7b338
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image26.png differ
diff --git a/docs/images/integrations/microsoft/sentinel/image27.jpeg b/docs/images/integrations/microsoft/sentinel/image27.jpeg
new file mode 100644
index 00000000..3b94a81f
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image27.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image28.jpeg b/docs/images/integrations/microsoft/sentinel/image28.jpeg
new file mode 100644
index 00000000..6d159ea0
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image28.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image29.jpeg b/docs/images/integrations/microsoft/sentinel/image29.jpeg
new file mode 100644
index 00000000..3b5139e5
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image29.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image30.jpeg b/docs/images/integrations/microsoft/sentinel/image30.jpeg
new file mode 100644
index 00000000..03d68654
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image30.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image31.png b/docs/images/integrations/microsoft/sentinel/image31.png
new file mode 100644
index 00000000..8949f0aa
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image31.png differ
diff --git a/docs/images/integrations/microsoft/sentinel/image32.png b/docs/images/integrations/microsoft/sentinel/image32.png
new file mode 100644
index 00000000..c6df8fb6
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image32.png differ
diff --git a/docs/images/integrations/microsoft/sentinel/image33.png b/docs/images/integrations/microsoft/sentinel/image33.png
new file mode 100644
index 00000000..21fddbca
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image33.png differ
diff --git a/docs/images/integrations/microsoft/sentinel/image34.jpeg b/docs/images/integrations/microsoft/sentinel/image34.jpeg
new file mode 100644
index 00000000..f7b09d65
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image34.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image35.jpeg b/docs/images/integrations/microsoft/sentinel/image35.jpeg
new file mode 100644
index 00000000..d2095054
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image35.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image36.png b/docs/images/integrations/microsoft/sentinel/image36.png
new file mode 100644
index 00000000..b1fc0b56
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image36.png differ
diff --git a/docs/images/integrations/microsoft/sentinel/image37.jpeg b/docs/images/integrations/microsoft/sentinel/image37.jpeg
new file mode 100644
index 00000000..0c0ceda3
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image37.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image38.jpeg b/docs/images/integrations/microsoft/sentinel/image38.jpeg
new file mode 100644
index 00000000..39ec2211
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image38.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image39.jpeg b/docs/images/integrations/microsoft/sentinel/image39.jpeg
new file mode 100644
index 00000000..d881d8d9
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image39.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image4.jpeg b/docs/images/integrations/microsoft/sentinel/image4.jpeg
new file mode 100644
index 00000000..64f4ef95
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image4.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image40.jpeg b/docs/images/integrations/microsoft/sentinel/image40.jpeg
new file mode 100644
index 00000000..91dbbfe2
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image40.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image41.png b/docs/images/integrations/microsoft/sentinel/image41.png
new file mode 100644
index 00000000..4c09f115
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image41.png differ
diff --git a/docs/images/integrations/microsoft/sentinel/image42.jpeg b/docs/images/integrations/microsoft/sentinel/image42.jpeg
new file mode 100644
index 00000000..4a398a06
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image42.jpeg differ
diff --git a/docs/images/integrations/microsoft/sentinel/image7.jpeg b/docs/images/integrations/microsoft/sentinel/image7.jpeg
new file mode 100644
index 00000000..b446d2fb
Binary files /dev/null and b/docs/images/integrations/microsoft/sentinel/image7.jpeg differ
diff --git a/docs/integrations/microsoft/sentinel/configure.mdx b/docs/integrations/microsoft/sentinel/configure.mdx
new file mode 100644
index 00000000..12a0cf2e
--- /dev/null
+++ b/docs/integrations/microsoft/sentinel/configure.mdx
@@ -0,0 +1,369 @@
+---
+title: Integrate BloodHound Enterprise with Microsoft Sentinel
+description: Install, configure, and verify the Microsoft Sentinel integration for BloodHound Enterprise.
+sidebarTitle: Install and configure
+---
+
+
+
+The Microsoft Sentinel integration for BloodHound Enterprise enables security teams to ingest attack path data, audit logs, posture trends, and Tier Zero asset exposure into Microsoft Sentinel for centralized monitoring, investigation, and response.
+
+It's available as a data connector that can be deployed to your Azure environment, with pre-built workbooks (dashboards) and analytics rules to visualize and act on the data.
+
+## Roles and permissions
+
+To successfully deploy and use the Microsoft Sentinel integration, different Azure roles and permissions are required for various personas involved in the process.
+
+The following table outlines the key roles, their responsibilities, and the required permissions for each role:
+
+| Role | Responsibilities | Required permissions |
+|---|---|---|
+| **Installer** |
- Deploy resources for the Microsoft Sentinel solution resources from the Azure Marketplace
| - Subscription Owner on the target subscription.
|
+| **Admin** | - Manage data connectors, including enable/disable actions and authentication settings
- Maintain and troubleshoot the integration, including parameters, playbooks, workbooks, and analytics rules
| - Microsoft Sentinel Contributor on the Log Analytics workspace
- Log Analytics Contributor to manage queries, tables, and saved searches
- Resource Group Contributor on the target resource group
_Optional:_ - User Access Administrator to assign RBAC roles when needed
- Contributor for broader management of underlying Azure resources
|
+| **User** | - Use the deployed solution in daily operations
- View dashboards, alerts, incidents, and workbooks
| - Microsoft Sentinel Reader for view-only access to incidents and workbooks
- Log Analytics Reader for read-only access to logs and query results
- Microsoft Sentinel Responder if the user needs to update incident status, assign incidents, or run playbooks
|
+
+## Prerequisites
+
+Before you begin the installation and configuration process, ensure the following prerequisites are met:
+
+- Active Azure subscription with permissions to deploy resources
+- Microsoft Sentinel workspace (Log Analytics Workspace) in a target resource group
+- BloodHound Enterprise tenant
+- BloodHound Enterprise [non-personal API key/ID pair](/integrations/bloodhound-api/working-with-api#create-a-non-personal-api-key%2Fid-pair)
+- Microsoft Entra ID application with the **Monitoring Metrics Publisher** role on the target resource group
+
+## Configure the integration
+
+Follow the steps below to deploy and configure the Microsoft Sentinel integration for BloodHound Enterprise. This process involves deploying Azure resources, configuring authentication, and setting up data ingestion.
+
+
+
+ Create a Log Analytics Workspace to store the data ingested from BloodHound Enterprise. This workspace will be connected to Microsoft Sentinel for monitoring and analysis.
+
+ 1. Log in to the [Azure Portal](https://portal.azure.com/) with an account that has the necessary permissions for Microsoft Sentinel and Log Analytics Workspace configurations.
+ 1. Navigate to the Log Analytics Workspace and click **Create**.
+ 1. Select subscription and resource group, then enter a workspace name.
+
+
+
+
+
+ 1. Click **Review + create**.
+ 1. Add the Log Analytics Workspace in Sentinel:
+
+ 1. Navigate to Sentinel.
+ 1. Click **Create.**
+ 1. Select the newly created Log Analytics Workspace.
+ 1. Click **Add**.
+
+
+ Register a Microsoft Entra ID application to authenticate the data connector with Microsoft Sentinel. This application will be granted the necessary permissions to publish data to Sentinel.
+
+ 1. Open [Microsoft Entra ID](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview).
+ 1. Go to **App registrations** > **New registration**.
+ 1. Enter an app name and choose **Accounts in this organizational directory only**. No redirect URI is necessary.
+
+
+
+
+
+ 1. Click **Register**.
+ 1. Copy the **Application (client) ID** and **Directory (tenant) ID**. You'll need these later.
+ 1. Under **Certificates & secrets**, create a client secret and save its value immediately. It will not be shown again.
+
+
+ Assign the **Monitoring Metrics Publisher** role to the Microsoft Entra ID application on your resource group:
+
+ 1. Open your resource group.
+ 1. Go to **Access control (IAM)** > **Add role assignment**.
+ 1. Assign **Monitoring Metrics Publisher** to the Entra application.
+ 1. Select a user, group, or service principal to assign access to, then click **Select members**.
+ 1. Select the application that you created, then click **Select**.
+ 1. Click **Review + Assign**.
+
+
+ Before starting the deployment, go to the Log Analytics Workspace you created and note the name and location of the workspace. You will need this during deployment.
+
+ 1. Click the following link to open a preloaded ARM template in the Azure Portal: [Deploy to Azure](https://portal.azure.com/%23create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmetron-labs%2FAzure-Sentinel%2Fbloodhound%2FSolutions%2FBloodHound%2520Enterprise%2FPackage%2FmainTemplate.json).
+ 1. Confirm the template opens on the **Custom deployment** page.
+
+
+
+
+
+
+
+ Fill in the deployment parameters for the workbook and analytics rules template using the information from previous steps and your environment.
+
+ 1. Select the target subscription and resource group, then enter deployment parameters such as workspace name and workspace location.
+
+ 1. Click **Review + create**.
+
+ 1. Click **Create** to deploy the workbook and data connector resources.
+
+
+ Verify the workbook and analytics rules deployment before deploying the data connector template:
+
+ 1. In the Azure Portal, open **Microsoft Sentinel** and select the workspace where you deployed the template.
+ 1. Go to **Workbooks** under **Threat management**.
+ 1. If prompted to continue in Microsoft Defender, select the link to open **Microsoft Defender portal**.
+
+
+
+
+
+ 1. If multiple Sentinel workspaces are available, select the integration workspace from the workspace selector in the top-right corner.
+
+
+
+
+
+
+
+
+
+ 1. In **Workbooks**, open the **Templates** tab and verify the BloodHound workbook templates are available.
+
+
+
+
+
+ 1. Go to **Configuration** > **Analytics** > **Rule templates** and verify the BloodHound analytics rules are available.
+
+
+
+
+
+ 1. Go to **Configuration** > **Data connectors** and verify the **BloodHound Data Connector** is listed and connected.
+
+
+
+
+
+
+ After deploying the workbook and analytics rules template, configure the data connector with your BloodHound Enterprise API credentials and settings.
+
+ 1. Log in to the Azure Portal with an account that has the **Owner** role on the resource group.
+ 1. Click the following link to open a preloaded ARM template in the Azure Portal: [Deploy to Azure](https://portal.azure.com/%23create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmetron-labs%2FAzure-Sentinel%2Fbloodhound%2FSolutions%2FBloodHound%2520Enterprise%2FData%2520Connectors%2Fazuredeploy_BloodHoundEnterprise_FunctionApp.json).
+ 1. Confirm the template opens on the **Custom deployment** page.
+
+
+
+
+
+
+ Fill in the deployment parameters:
+
+ | Parameter Name | Description |
+ |---|---|
+ | Subscription | The Azure subscription to deploy the resources to. |
+ | Resource Group | The name of the resource group where the resources will be deployed. |
+ | Function App Name | The name of the Azure Function App. This must be unique across Azure, since each instance requires its own Function App (for example, BloodHoundEnterprise-Maple). |
+ | Log Analytics Workspace Name | The name of the existing Log Analytics Workspace where you want to create a Data Collection Endpoint (DCE) and Data Collection Rule (DCR) for custom tables. |
+ | Bloodhound Tenant Domain | The URL for the BloodHound Enterprise tenant domain. |
+ | Bloodhound Token ID Secret Value | The value for the **BloodHound token ID**. This value will be stored in an Azure Key Vault secret. |
+ | Bloodhound Token Key Secret Value | The value for the **BloodHound token key**. This value will be stored in an Azure Key Vault secret. |
+ | Microsoft Entra Id Application App Id | The unique identifier for the Microsoft Entra ID application. This ID, also known as the **Client ID**, is used to authenticate your application to the Microsoft identity platform. |
+ | Microsoft Entra ID Application App Secret | A confidential secret generated for your Microsoft Entra ID application. This secret, also known as the **Client Secret**, is used along with the App ID to prove the application's identity when requesting an access token. |
+ | Lookup Days | Specifies the number of days in the past for which the system should fetch data. A higher value means more historical data will be retrieved, which increases the time and compute resources required during the first iteration when setting up the system. This parameter sets the default lookback period when no previous timestamp is available. |
+ | Selected Bloodhound Environments | The selected BloodHound environments from which you want to fetch data. These should be provided as comma-separated values (e.g., Ghost.Corp, Phantom.Corp). The default value is **All**. |
+ | Selected Finding Types | The selected Finding Types from which you want to fetch data. These should be provided as comma-separated values (e.g., T0MarkSensitive, T0GenericAll). The default value is **All**. |
+
+ 1. Select the target subscription and resource group, then enter deployment parameters such as workspace name and workspace location.
+
+ 1. Click **Review + create**.
+
+ 1. Click **Create** to deploy the workbook and data connector resources.
+
+
+ The ARM template will deploy the necessary Azure resources for the data connector, but you will also need to deploy the Azure Function code that fetches data from BloodHound Enterprise and ingests it into Microsoft Sentinel.
+
+ 1. Download the `BloodHoundAzureFunction.zip` archive from the [GitHub repository](https://github.com/metron-labs/Azure-Sentinel/blob/bloodhound/Solutions/BloodHound%20Enterprise/Data%20Connectors/BloodHoundDataConnector/BloodHoundAzureFunction.zip?raw=true).
+
+ 1. Open your Function App in Azure Portal.
+
+ 1. In the left menu, select **Deployment Center** under the **Deployment** section.
+
+ You will see multiple options for deployment, including:
+
+ - **GitHub**: Connect your GitHub repository for continuous deployment.
+ - **Azure Repos**: Connect your Azure DevOps repository for continuous deployment.
+ - **Publish files**: Manually upload your function code for one-time deployment.
+
+ 1. Select **Publish files**, select the downloaded `BloodHoundAzureFunction.zip` archive, and click **Save**.
+
+
+
+
+
+ After deployment, you should see the function code in the **Functions** section of your Function App.
+
+
+ After deploying the Azure Function code, manually run each function to verify that the functions are running correctly and able to fetch data from BloodHound Enterprise and push it into the custom tables in your Log Analytics Workspace.
+
+ 1. Navigate to the **Overview** page of your Function App and select one of the deployed functions.
+
+
+
+
+
+ 1. Click the **Code + Test** tab.
+
+ 1. Click **Test/Run**.
+
+ 1. Click **Run** to execute the function.
+
+
+
+
+
+ 1. Monitor the execution logs to confirm that the function is running successfully and fetching data from BloodHound Enterprise.
+
+ You should see log entries indicating successful execution and data retrieval for each finding type.
+
+
+ ```log
+ 2025-10-31T08:57:55Z [Information] Collecting asset details for finding type: AzureT0MGGrantAppRoles
+ 2025-10-31T08:57:55Z [Information] Making GET request to https://.bloodhoundenterprise.io/api/v2/assets/findings/AzureT0MGGrantAppRoles/title.md
+ 2025-10-31T08:57:55Z [Information] Response status code: 200
+ 2025-10-31T08:57:56Z [Information] Making GET request to https://.bloodhoundenterprise.io/api/v2/assets/findings/AzureT0MGGrantAppRoles/short_description.md
+ 2025-10-31T08:57:56Z [Information] Response status code: 200
+ 2025-10-31T08:57:56Z [Information] Making GET request to https://.bloodhoundenterprise.io/api/v2/assets/findings/AzureT0MGGrantAppRoles/short_remediation.md
+ 2025-10-31T08:57:57Z [Information] Response status code: 200
+ 2025-10-31T08:57:57Z [Information] Making GET request to https://.bloodhoundenterprise.io/api/v2/assets/findings/AzureT0MGGrantAppRoles/long_remediation.md
+ 2025-10-31T08:57:57Z [Information] Response status code: 200
+ ```
+
+
+ 1. Repeat this one-time manual process for each deployed function to ensure all functions are working correctly.
+
+
+
+## Validate the integration
+
+Complete verification before operational use.
+
+
+
+ 1. In Azure Portal, open **Function App** and confirm your deployed app exists and all BloodHound functions are listed.
+
+
+
+
+
+ 1. Open **Key Vault** and confirm the connector vault exists and includes the expected secrets.
+
+
+
+
+
+ 1. Open **Data Collection Endpoints** and confirm the BloodHound endpoint exists.
+
+
+
+
+
+ 1. Open **Data Collection Rules** and confirm the BloodHound rules exist.
+
+
+
+
+
+ 1. Open your Log Analytics workspace and confirm these custom tables exist:
+ - `BHEAttackPathsData_CL`
+ - `BHEAttackPathsTimelineData_CL`
+ - `BHEAuditLogsData_CL`
+ - `BHEFindingTrendsData_CL`
+ - `BHEPostureHistoryData_CL`
+ - `BHETierZeroAssetsData_CL`
+
+
+
+
+
+
+ Complete these steps to start your Azure Function App and begin ingesting BloodHound Enterprise data into custom tables.
+
+ 1. Open your **Function App** and start it from **Overview** if it is stopped.
+ 1. Open your Log Analytics workspace and click **Logs**.
+ 1. Verify that you can see custom logs.
+
+
+
+
+
+
+ 1. In Microsoft Sentinel, go to **Workbooks**. You must save each workbook before editing or operational use.
+
+
+
+
+
+ 1. To save each workbook, double-click the workbook, then click **Save** in the modal that displays.
+
+
+
+
+
+ 1. Open each workbook to confirm it loads data correctly. If you see errors, review the function execution logs and ensure the data connector is ingesting data into the custom tables.
+
+
+
+
+
+
+ 1. In the Sentinel workspace, navigate to **Configuration** > **Analytics** > **Rule templates**.
+
+
+
+
+
+ 1. To generate incidents, create and save each **Analytics rule**. Select any rule to open the right-side panel, then click **Create rule**.
+
+
+
+
+
+ 1. Click **Next: Set rule logic** and keep the default values.
+
+
+
+
+
+ 1. Click **Next: Incident settings** and keep the default values.
+
+
+
+
+
+ 1. Click **Next: Automated response** and keep the default values.
+
+
+
+
+
+ 1. Click **Next: Review + Create** and keep the default values.
+
+
+
+
+
+ 1. Click **Save**.
+
+
+
+
+
+ 1. Repeat this process for each **Analytics rule**. Incidents are generated only after the rules are created and saved.
+
+ 1. To check incidents after rules are created, navigate to **Investigation & Responses** > **Incidents & Alerts** > **Incidents**.
+
+
+
+
+
+
+
+## Next steps
+
+Explore the pre-built workbooks to [visualize](/integrations/microsoft/sentinel/use) BloodHound Enterprise data and use the analytics rules to generate incidents for findings.
\ No newline at end of file
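Review bot: Both "Deploy to Azure" links and the `BloodHoundAzureFunction.zip` download on this page point at the `bloodhound` branch of `metron-labs/Azure-Sentinel`, a mutable ref, so the template and function code a reader deploys can change after this page is published. The page has the reader run those templates with the Owner role on the resource group and pass them the BloodHound token pair and the Entra client secret, so the integrity of that content should be stated explicitly. I would pin the three URLs to a reviewed commit or release tag (replace the `/bloodhound/` path segment with `/<COMMIT_SHA>/`) and add a line under the download step such as `Verify the archive before uploading: SHA-256 <PUBLISHED_SHA256>.` A short note telling readers to inspect the template with **Edit template** on the Custom deployment page before clicking **Create** would also help.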
diff --git a/docs/integrations/microsoft/sentinel/use.mdx b/docs/integrations/microsoft/sentinel/use.mdx
new file mode 100644
index 00000000..856c0994
--- /dev/null
+++ b/docs/integrations/microsoft/sentinel/use.mdx
@@ -0,0 +1,92 @@
+---
+title: Use the Microsoft Sentinel Integration with BloodHound Enterprise
+description: View BloodHound Enterprise attack path risk, audit logs, posture trends, and critical asset exposure in Microsoft Sentinel dashboards and incidents.
+sidebarTitle: View attack path data
+---
+
+
+
+Workbooks in Microsoft Sentinel provide interactive dashboards that help you review and investigate data.
+
+The BloodHound Enterprise integration includes workbooks that visualize attack path data, audit logs, posture trends, and Tier Zero asset exposure.
+
+You can also use Microsoft Sentinel's incident management capabilities to triage and track remediation of BloodHound Enterprise findings.
+
+
+ See the [Microsoft Sentinel documentation](https://learn.microsoft.com/en-us/azure/sentinel/) for more information.
+
+
+## Dashboards
+
+Explore the following dashboards to review BloodHound Enterprise data in Microsoft Sentinel.
+
+### Attack Path Overview
+
+Use this dashboard for high-level attack path trends across environments:
+
+- Total attack paths by environment
+- Exposure-oriented metrics such as expected compromise indicators
+- Tier distribution context
+- Environment filtering for focused analysis
+
+### Attack Path Details
+
+Use this dashboard to investigate individual paths and prioritize remediation:
+
+- Timeline and state changes for path findings
+- Affected principals and related objects
+- Exposure and impact context
+- Remediation-linked context for triage
+
+### Audit Logs
+
+Use this dashboard to monitor security-relevant operational changes:
+
+- Create/update/delete activity timeline
+- Actor and object context
+- Environment-level filtering
+
+### Posture
+
+Use this dashboard to monitor posture and progress over time:
+
+- Posture trend metrics
+- Service/control health indicators
+- Environment-to-environment comparison
+
+### Tier Zero Assets
+
+Use this dashboard to prioritize highest-impact exposure:
+
+- Tier Zero principal inventory
+- Exposure-oriented prioritization indicators
+- Relationship context for critical assets
+
+## Work with incidents
+
+Analytics Rules generate incidents from BloodHound Enterprise findings in custom log tables.
+
+1. In Microsoft Sentinel, open **Incidents**.
+1. Filter by BloodHound-related product/source fields.
+1. Triage, assign, and track remediation in your incident workflow.
+
+
+ Use incidents for operational ownership and dashboards for trend/coverage analysis.
+
+
+## Multi-environment analysis
+
+Use environment filters across dashboards to compare business units, regions, or segmented environments.
+
+- View one environment in isolation.
+- Compare multiple environments side-by-side.
+- Reduce noise by excluding non-relevant environments.
+
+## Data scope and freshness
+
+Dashboard and incident views reflect connector configuration choices:
+
+- Environment and finding-type selection
+- Polling cadence
+- Initial lookback window (`Lookup Days`)
+- Deduplication behavior favoring latest event state
diff --git a/docs/integrations/overview.mdx b/docs/integrations/overview.mdx
index eade88e0..478c4bf4 100644
--- a/docs/integrations/overview.mdx
+++ b/docs/integrations/overview.mdx
@@ -60,6 +60,19 @@ The following integrations are officially supported by SpecterOps.
| **Integration instructions** | Configure the Axonius adapter for BloodHound |
+
+ The Microsoft Sentinel integration enables you to manage and visualize BloodHound Enterprise Attack Path statistics within a Microsoft Sentinel workspace.
+
+ | | |
+ | --- | --- |
+ | **Supported actions** | - Fetch Attack Path findings from BloodHound Enterprise.
- Create an incident in Microsoft Sentinel for each finding.
- Ingest and visualize posture statistics, audit logs, and Tier Zero assets in Microsoft Sentinel dashboards.
|
+ | **Common use cases** | - Automatically convert custom logs into Incidents within Sentinel based on BloodHound Enterprise findings data.
- Empower security analysts to investigate and respond to potential security threats identified by BloodHound Enterprise.
- Use Sentinel Workbooks to visualize and analyze BloodHound Enterprise data for a clear, actionable view of Attack Paths and potential vulnerabilities in Active Directory environments.
|
+ | **Integration instructions** | Configure the Microsoft Sentinel integration |
+
+