Many organisations today prioritise streamlining and enhancing security operations. With cyber threats increasing in complexity and sophistication, the need for efficient, automated security measures has never been greater. This guide explores how to connect the SecQube portal to Microsoft Sentinel, leveraging Azure Lighthouse for a seamless integration that enhances security operations through the Azure portal.

Background

SecQube offers an AI-powered multi-tenant platform for Microsoft Sentinel that simplifies security operations through conversational AI and automated workflows. The connection between your Sentinel environment and the SecQube portal relies on Azure Lighthouse. This Microsoft service provides providers a single control plane to manage Azure across multiple customers. This approach enhances your unified security operations platform by providing a comprehensive view of all connected entities.

Benefits of Azure Lighthouse

Azure Lighthouse provides several key advantages for Managed Security Service Providers (MSSPs):

1. Enhanced automation and scalability: MSSPs can automate the management of numerous Azure tenants and deploy services at scale across different customer environments.
2. Improved visibility and control: Azure Lighthouse ensures better governance and control by providing a centralised view of all customer environments.
3. Secure access and data protection: Customer data remains secure and under their control, as service providers are granted only delegated access, minimising the risk of data breaches.
4. Efficient operations: By consolidating all customer environments into one interface, Azure Lighthouse enables efficient operations, allowing MSSPs to focus on adding value rather than managing infrastructure.

In terms of security, Azure Lighthouse improves the security posture by enabling centralised management of security policies and providing visibility into security incidents across multiple Azure tenants. This ensures a cost-effective solution for managing extensive security measures.

Required Permissions

The Lighthouse script used for integrating SecQube with Microsoft Sentinel requires the following permissions:

• Log Analytics Contributor
• Log Analytics Reader
• Sentinel Contributor
• Sentinel Reader

The script, generated through the Microsoft Azure Lighthouse wizard, simplifies the setup process. Unlike other MSSPs, SecQube adds an App Registration service to the created groups, enabling the SecQube portal to securely access Sentinel and Log Analytics. This ensures no users can directly access Log Analytics or Microsoft Sentinel, enhancing security. Integrating with Azure subscription ID and defender components raw event data ensures streamlined security data management.

Deployment

The deployment process involves two main steps:

1. Executing the Microsoft Azure Lighthouse script.
2. Connecting the SecQube portal to Azure Sentinel for smooth integration.

1. Deploying the Azure Lighthouse Script

1. In the Azure portal, search for "Azure Lighthouse".
2. Navigate to "Service provider's offers" and click "Add offer".
3. Add the script generated by the Microsoft Azure Lighthouse wizard, agree to the prompts, and run the script.

Once the script execution is complete, you can verify the added groups by navigating to Log Analytics workspaces, checking your workspace for Sentinel, and searching for Log Analytics reader/contributor and Sentinel reader/contributor groups.

2. Connecting the SecQube Portal to Azure Sentinel

1. Navigate to the user’s section within the SecQube portal.
2. Click on "Additional Actions" and select "Sentinel Configuration".
3. Enter your Subscription ID and click "Validate ID".

If the Lighthouse script is successful, the necessary fields will be automatically populated, and no further action will be required. Allow 15 to 20 minutes for the portal to propagate the changes. This facilitates incident integration and synchronising incidents, improving the response efficacy.

Conclusion

SecQube's security approach aims to complement your existing security policies, providing an expanded framework to enhance your security posture. By connecting the SecQube portal to Microsoft Sentinel, organisations can leverage AI-driven automation, user-centric simplicity, and proactive security measures. With the power of Azure Lighthouse and the advanced capabilities of SecQube, you can ensure that your security operations are efficient and robust. This integration amplifies the functionality of the unified security operations platform, enabling detailed management of user entities and security alerts.

A client with Global Administrator or Security Administrator rights can connect the SecQube portal to Microsoft Sentinel, allowing you to control your security environment when shared externally fully.

Embrace the seamless integration and elevated security management that SecQube and Sentinel deliver, and take your cybersecurity operations to the next level.