BP-2395: Microsoft Sentinel #246 (Draft)

jeff-matthews wants to merge 9 commits into main from BP-2395-ms-sentinel

Conversation

@jeff-matthews jeff-matthews (Contributor) commented Mar 30, 2026

Purpose

This pull request (PR) adds docs for the Microsoft Sentinel integration for BloodHound Enterprise.

It's in draft because the instructions need to be updated after the integration has been published to the Azure Marketplace. For example, the steps for configuring and deploying the ARM templates may no longer be necessary.

Staging

https://specterops-bp-2395-ms-sentinel.mintlify.app/integrations/microsoft/sentinel/configure

Summary by CodeRabbit

Documentation

  • Added comprehensive Microsoft Sentinel integration documentation with step-by-step configuration, prerequisite validation, and Azure deployment guidance
  • Added user guide covering Sentinel workbooks, dashboards, incident workflows, and multi-environment filtering for attack path investigation and audit log analysis
  • Updated integrations overview to feature Microsoft Sentinel integration with supported actions and use cases

@jeff-matthews jeff-matthews self-assigned this Mar 30, 2026
@jeff-matthews jeff-matthews added the integrations Docs related to integrations with third-party platforms label Mar 30, 2026
coderabbitai Bot (Contributor) commented Mar 30, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c100cd0a-e202-49a6-8e3a-98e2a10daf36


Walkthrough

This pull request adds comprehensive documentation for a new Microsoft Sentinel integration with BloodHound Enterprise. It includes navigation updates, a configuration guide covering setup and deployment, a usage guide explaining available dashboards and incident workflows, and an overview card in the integrations listing.

Changes

Cohort: Navigation Configuration
File(s): docs/docs.json
Summary: Added new navigation group for Microsoft Sentinel integration under API & Integrations, referencing configure and use documentation pages.

Cohort: Microsoft Sentinel Documentation
File(s): docs/integrations/microsoft/sentinel/configure.mdx, docs/integrations/microsoft/sentinel/use.mdx
Summary: Created comprehensive guides covering deployment prerequisites, step-by-step ARM template and Function App setup, validation procedures, and available dashboards (Attack Path Overview, Attack Path Details, Audit Logs, Posture, Tier Zero Assets) with incident workflow usage.

Cohort: Integration Overview
File(s): docs/integrations/overview.mdx
Summary: Added Microsoft Sentinel integration card describing supported actions for fetching findings, creating incidents, and ingesting audit logs, posture statistics, and Tier Zero assets.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A new Sentinel shines bright in our docs,
Through Azure clouds and security locks,
Configuration flows and dashboards bloom,
BloodHound data in Sentinel's room! 🔍

🚥 Pre-merge checks | ✅ 3 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'BP-2395: Microsoft Sentinel' clearly identifies the main change—adding Microsoft Sentinel integration documentation. It includes a ticket reference and is specific enough to understand the primary purpose.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


mintlify Bot commented Mar 30, 2026

Preview deployment for your docs. Learn more about Mintlify Previews.

Project: bloodhound
Status: 🟢 Ready
Preview: View Preview
Updated (UTC): Mar 30, 2026, 5:11 PM

@jeff-matthews jeff-matthews (Contributor, Author) commented:

@coderabbitai review

coderabbitai Bot (Contributor) commented Mar 30, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
docs/integrations/microsoft/sentinel/configure.mdx (1)

84-103: Consider using a stable/released ARM template URL.

The ARM template link currently points to a feature branch (bloodhound) in an external repository. While the link is accessible, feature branches can be temporary, deleted, or renamed. Consider hosting the template at a stable/released location or a canonical stable branch to ensure the deployment link remains reliable long-term.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/integrations/microsoft/sentinel/configure.mdx` around lines 84 - 103,
The ARM template link in the "Deploy the workbook and analytics rules template"
step points to a feature branch URL (the raw.githubusercontent.com link
containing "bloodhound" and "Package/mainTemplate.json"); update this to a
stable/released location—for example point to a release tag, the repository's
main branch, or a hosted canonical URL (or include the template in project
release assets) so the Deploy to Azure link remains reliable long-term and does
not depend on a transient feature branch.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/docs.json`:
- Around line 590-596: Normalize the indentation inside the JSON object where
"group": "Microsoft Sentinel" and its "pages" array are defined by removing the
extra leading whitespace before the second array entry so both entries have
consistent indentation; update the "pages" array formatting to align entries
(e.g., same number of spaces as the first entry) to improve readability.

In `@docs/integrations/microsoft/sentinel/configure.mdx`:
- Around line 66-68: The img tag inside the <Frame> element has the wrong alt
text ("Create Log Analytics Workspace"); update its alt attribute to accurately
describe the screenshot (e.g., "Entra ID application registration" or similar)
so the image reflects Step 2: Register a Microsoft Entra ID application; locate
the <img src="/images/integrations/microsoft/sentinel/image7.jpeg" alt="..."/>
and replace the alt string accordingly.
- Line 51: Replace the UI button text "Review and Create" in the docs with the
actual Azure Portal label "Review + create" to match the portal's UI; locate the
exact string "Review and Create" in the content
(docs/integrations/microsoft/sentinel/configure.mdx) and update it to "Review +
create".


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fbf9bd67-5623-4d85-98ab-8bf25cc7ebdd

📥 Commits

Reviewing files that changed from the base of the PR and between 2de77f9 and f98b024.

⛔ Files ignored due to path filters (30)
  • docs/images/integrations/microsoft/sentinel/image14.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image15.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image16.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image17.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image18.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image19.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image20.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image21.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image22.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image23.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image24.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image26.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image27.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image28.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image29.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image30.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image31.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image32.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image33.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image34.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image35.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image36.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image37.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image38.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image39.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image4.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image40.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image41.png is excluded by !**/*.png
  • docs/images/integrations/microsoft/sentinel/image42.jpeg is excluded by !**/*.jpeg
  • docs/images/integrations/microsoft/sentinel/image7.jpeg is excluded by !**/*.jpeg
📒 Files selected for processing (4)
  • docs/docs.json
  • docs/integrations/microsoft/sentinel/configure.mdx
  • docs/integrations/microsoft/sentinel/use.mdx
  • docs/integrations/overview.mdx
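The nitpick about the ARM template link is the one review point with a supply-chain consequence: a "Deploy to Azure" button that resolves `mainTemplate.json` from a mutable branch means the template deployed into a customer tenant can change after the documentation was reviewed. The lint below is an added example, not part of this PR or of CodeRabbit's output; it scans MDX text for `raw.githubusercontent.com` links, including ones percent-encoded inside a `portal.azure.com` Deploy-to-Azure URL, and flags any whose ref is a branch rather than a release tag or commit SHA. The `bloodhound` branch ref and `Package/mainTemplate.json` path mirror the review comment; the `example-org/example-repo` names and the sample MDX are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample MDX (not the PR's configure.mdx). The "bloodhound" branch
# ref and Package/mainTemplate.json path mirror the review comment; the
# example-org/example-repo owner and repo names are placeholders.
SAMPLE_MDX = """
## Deploy the workbook and analytics rules template

[Deploy to Azure](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fexample-org%2Fexample-repo%2Fbloodhound%2FPackage%2FmainTemplate.json)

Also references a branch, just the default one:
https://raw.githubusercontent.com/example-org/example-repo/main/Package/mainTemplate.json

Pinned to a release tag:
[Deploy to Azure](https://raw.githubusercontent.com/example-org/example-repo/v1.2.0/Package/mainTemplate.json)
"""

# Any http(s) URL up to whitespace or a markdown/HTML delimiter.
URL_RE = re.compile(r"""https?://[^\s)\]"'<>]+""")
# raw.githubusercontent.com/<owner>/<repo>/<ref>/<path>. Refs containing "/"
# (e.g. feature/x) are ambiguous in this URL form; the first segment is taken.
RAW_RE = re.compile(
    r"""https?://raw\.githubusercontent\.com/(?P<owner>[^/]+)/(?P<repo>[^/]+)/(?P<ref>[^/]+)/(?P<path>[^\s)\]"'<>]+)"""
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+){1,3}([-+][0-9A-Za-z.]+)?$")


def classify_ref(ref):
    """Return "commit", "tag" or "branch" for a raw.githubusercontent.com ref.

    A commit SHA is immutable; a release-style tag is conventionally stable
    (though tags can be force-moved); anything else is treated as a branch.
    """
    if SHA_RE.match(ref):
        return "commit"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"


def find_raw_github_links(text):
    """Find raw.githubusercontent.com links in text, including those nested
    (percent-encoded) inside a portal.azure.com Deploy-to-Azure link."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for url in URL_RE.findall(line):
            decoded = unquote(url)  # exposes a nested, percent-encoded raw URL
            for m in RAW_RE.finditer(decoded):
                findings.append({
                    "line": lineno,
                    "repo": f"{m.group('owner')}/{m.group('repo')}",
                    "ref": m.group("ref"),
                    "path": m.group("path"),
                    "kind": classify_ref(m.group("ref")),
                })
    return findings


def unpinned_links(text):
    """Only the links whose ref is a mutable branch (what a docs CI gate would fail on)."""
    return [f for f in find_raw_github_links(text) if f["kind"] == "branch"]


if __name__ == "__main__":
    for f in find_raw_github_links(SAMPLE_MDX):
        flag = "UNPINNED" if f["kind"] == "branch" else "ok"
        print(f"line {f['line']}: {f['repo']}@{f['ref']} ({f['kind']}) {f['path']} -> {flag}")
```

Run against the sample it reports the `bloodhound` and `main` links as unpinned and accepts `v1.2.0`. Note that this is stricter than the review's suggestion: it treats the repository's main branch as mutable too, and a commit SHA is the only ref that cannot be moved after the docs are published; a tag is acceptable only with the release process that protects it.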

@zaton-netizen zaton-netizen left a comment

Holding off approval as we are close to having the app published, recommend we review once it's live and adjust the documentation where needed, which at this point is difficult to assess without it being available in the marketplace. We expect this to be live by 5/29.
