
BP-2395: Microsoft Sentinel #246

Draft
jeff-matthews wants to merge 7 commits into main from BP-2395-ms-sentinel

Conversation

@jeff-matthews jeff-matthews commented Mar 30, 2026

Purpose

This pull request (PR) adds docs for the Microsoft Sentinel integration for BloodHound Enterprise.

It's in draft because the instructions need to be updated after the integration has been published to the Azure Marketplace. For example, the steps for configuring and deploying the ARM templates may no longer be necessary.

Staging

https://specterops-bp-2395-ms-sentinel.mintlify.app/integrations/microsoft/sentinel/configure

Summary by CodeRabbit

Documentation

  • Added comprehensive Microsoft Sentinel integration documentation with step-by-step configuration, prerequisite validation, and Azure deployment guidance
  • Added user guide covering Sentinel workbooks, dashboards, incident workflows, and multi-environment filtering for attack path investigation and audit log analysis
  • Updated integrations overview to feature Microsoft Sentinel integration with supported actions and use cases

@jeff-matthews jeff-matthews self-assigned this Mar 30, 2026
@jeff-matthews jeff-matthews added the integrations Docs related to integrations with third-party platforms label Mar 30, 2026
coderabbitai bot commented Mar 30, 2026

Walkthrough

This pull request adds comprehensive documentation for a new Microsoft Sentinel integration with BloodHound Enterprise. It includes navigation updates, a configuration guide covering setup and deployment, a usage guide explaining available dashboards and incident workflows, and an overview card in the integrations listing.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Navigation Configuration: docs/docs.json | Added new navigation group for Microsoft Sentinel integration under API & Integrations, referencing configure and use documentation pages. |
| Microsoft Sentinel Documentation: docs/integrations/microsoft/sentinel/configure.mdx, docs/integrations/microsoft/sentinel/use.mdx | Created comprehensive guides covering deployment prerequisites, step-by-step ARM template and Function App setup, validation procedures, and available dashboards (Attack Path Overview, Attack Path Details, Audit Logs, Posture, Tier Zero Assets) with incident workflow usage. |
| Integration Overview: docs/integrations/overview.mdx | Added Microsoft Sentinel integration card describing supported actions for fetching findings, creating incidents, and ingesting audit logs, posture statistics, and Tier Zero assets. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A new Sentinel shines bright in our docs,
Through Azure clouds and security locks,
Configuration flows and dashboards bloom,
BloodHound data in Sentinel's room! 🔍

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'BP-2395: Microsoft Sentinel' clearly identifies the main change—adding Microsoft Sentinel integration documentation. It includes a ticket reference and is specific enough to understand the primary purpose. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


mintlify bot commented Mar 30, 2026

Preview deployment for your docs. Learn more about Mintlify Previews.

| Project | Status | Preview | Updated (UTC) |
| --- | --- | --- | --- |
| bloodhound | 🟢 Ready | View Preview | Mar 30, 2026, 5:11 PM |

@jeff-matthews
@coderabbitai review

coderabbitai bot commented Mar 30, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (1)
docs/integrations/microsoft/sentinel/configure.mdx (1)

84-103: Consider using a stable/released ARM template URL.

The ARM template link currently points to a feature branch (bloodhound) in an external repository. While the link is accessible, feature branches can be temporary, deleted, or renamed. Consider hosting the template at a stable/released location or a canonical stable branch to ensure the deployment link remains reliable long-term.

📥 Commits

Reviewing files that changed from the base of the PR and between 2de77f9 and f98b024.

⛔ Files ignored due to path filters (30)
  • docs/images/integrations/microsoft/sentinel/image14.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image15.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image16.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image17.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image18.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image19.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image20.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image21.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image22.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image23.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image24.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image26.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image27.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image28.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image29.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image30.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image31.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image32.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image33.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image34.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image35.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image36.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image37.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image38.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image39.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image4.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image40.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image41.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image42.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image7.jpeg is excluded by !**/*.jpeg
📒 Files selected for processing (4)
  • docs/docs.json
  • docs/integrations/microsoft/sentinel/configure.mdx
  • docs/integrations/microsoft/sentinel/use.mdx
  • docs/integrations/overview.mdx

Comment on lines +590 to +596
{
"group": "Microsoft Sentinel",
"pages": [
"integrations/microsoft/sentinel/configure",
"integrations/microsoft/sentinel/use"
]
},
⚠️ Potential issue | 🟡 Minor

Minor: Inconsistent indentation in pages array.

Line 594 has extra leading whitespace compared to line 593. While valid JSON, this inconsistency affects readability.

🔧 Suggested fix
               {
                 "group": "Microsoft Sentinel",
                 "pages": [
                   "integrations/microsoft/sentinel/configure",
-                    "integrations/microsoft/sentinel/use"
+                  "integrations/microsoft/sentinel/use"
                 ]
               },

<img src="/images/integrations/microsoft/sentinel/image4.jpeg" alt="Create Log Analytics Workspace"/>
</Frame>

1. Click **Review** and **Create**.
⚠️ Potential issue | 🟡 Minor

Minor: UI text inconsistency.

Azure Portal buttons typically display as "Review + create" (with plus sign). Consider updating for consistency with the actual UI.

🔧 Suggested fix
-    1. Click **Review** and **Create**.
+    1. Click **Review + create**.

Comment on lines +66 to +68
<Frame>
<img src="/images/integrations/microsoft/sentinel/image7.jpeg" alt="Create Log Analytics Workspace"/>
</Frame>
⚠️ Potential issue | 🟡 Minor

Incorrect alt text for image.

The alt text says "Create Log Analytics Workspace" but this image shows the Entra ID application registration screen based on the context (Step 2: Register a Microsoft Entra ID application).

🔧 Suggested fix
        <Frame>
-          <img src="/images/integrations/microsoft/sentinel/image7.jpeg" alt="Create Log Analytics Workspace"/>
+          <img src="/images/integrations/microsoft/sentinel/image7.jpeg" alt="Register Microsoft Entra ID application"/>
        </Frame>
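The nitpick about the ARM template URL above is a supply-chain point rather than a link-rot one: a Deploy to Azure button loads whatever the raw URL serves at click time, so if the URL names a branch, anyone who can push to that branch controls what gets deployed into the customer's subscription. The following is an added example, not code from the BloodHound docs or the Sentinel integration. It takes a Deploy to Azure link, decodes the embedded template URL, reports whether the git ref is a mutable branch or tag versus a full commit SHA, and rewrites it to a pinned form. The portal link format and the raw.githubusercontent.com path layout are assumed; the owner and repo names and the commit SHA are placeholders, and only the `bloodhound` branch name and `Package/mainTemplate.json` path come from the review comment.

```python
"""Audit a "Deploy to Azure" link for an unpinned ARM template reference.

Assumptions (example code, not the project's own):
  * Deploy to Azure links have the form
    https://portal.azure.com/#create/Microsoft.Template/uri/<URL-encoded template URL>
  * The template is served as
    https://raw.githubusercontent.com/<owner>/<repo>/<ref>/<path>
  * example-org/example-repo and the commit SHA below are placeholders.
"""
import re
from urllib.parse import quote, unquote, urlparse

PORTAL_PREFIX = "https://portal.azure.com/#create/Microsoft.Template/uri/"
RAW_HOST = "raw.githubusercontent.com"
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample: a feature-branch template URL of the shape the review objects to.
SAMPLE_TEMPLATE_URL = (
    f"https://{RAW_HOST}/example-org/example-repo/bloodhound/Package/mainTemplate.json"
)
SAMPLE_DEPLOY_LINK = PORTAL_PREFIX + quote(SAMPLE_TEMPLATE_URL, safe="")
# Constructed placeholder commit; in practice use the SHA of the reviewed template commit.
SAMPLE_COMMIT = "0123456789abcdef0123456789abcdef01234567"


def template_url_from_deploy_link(link: str) -> str:
    """Extract and URL-decode the template URL embedded in a Deploy to Azure link."""
    if not link.startswith(PORTAL_PREFIX):
        raise ValueError("not a Deploy to Azure link")
    return unquote(link[len(PORTAL_PREFIX):])


def parse_raw_github_url(url: str) -> dict:
    """Split a raw.githubusercontent.com URL into owner, repo, ref and file path."""
    u = urlparse(url)
    if u.scheme != "https" or u.netloc != RAW_HOST:
        raise ValueError(f"template is not served over https from {RAW_HOST}: {url}")
    parts = u.path.lstrip("/").split("/", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"unexpected raw URL layout: {u.path}")
    owner, repo, ref, path = parts
    return {"owner": owner, "repo": repo, "ref": ref, "path": path}


def is_pinned(ref: str) -> bool:
    """Only a full 40-hex commit SHA is immutable. Branches move on every push and
    tags can be deleted and re-pointed, so neither counts as pinned."""
    return FULL_SHA_RE.fullmatch(ref) is not None


def pin_to_commit(url: str, commit: str) -> str:
    """Rewrite a raw URL so the template is fetched from one specific commit."""
    if not is_pinned(commit):
        raise ValueError(f"not a full commit SHA: {commit}")
    p = parse_raw_github_url(url)
    return f"https://{RAW_HOST}/{p['owner']}/{p['repo']}/{commit}/{p['path']}"


def check_deploy_link(link: str) -> dict:
    """Classify the ref a Deploy to Azure link resolves through and state the risk."""
    url = template_url_from_deploy_link(link)
    p = parse_raw_github_url(url)
    pinned = is_pinned(p["ref"])
    if pinned:
        verdict = "pinned to a commit; record the template's SHA-256 next to the link"
    else:
        verdict = f"mutable ref '{p['ref']}': whoever can push to it controls what is deployed"
    return {"template_url": url, "ref": p["ref"], "pinned": pinned, "verdict": verdict}


if __name__ == "__main__":
    result = check_deploy_link(SAMPLE_DEPLOY_LINK)
    print(f"ref={result['ref']} pinned={result['pinned']}: {result['verdict']}")
    if not result["pinned"]:
        fixed = pin_to_commit(result["template_url"], SAMPLE_COMMIT)
        print("pinned link:", PORTAL_PREFIX + quote(fixed, safe=""))
```

Treating a release tag as "good enough", as the comment suggests, still leaves the deployment trusting that the tag is never moved; pinning to the commit and publishing the template's SHA-256 beside the button is what lets a reader verify what they are about to deploy.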
