Microsoft Azure Sentinel
Outputs data to Microsoft Sentinel (Azure Monitor Logs) through the Logs Ingestion API, using a Data Collection Endpoint (DCE) and a Data Collection Rule (DCR). Data lands in a custom table in your Log Analytics workspace, where Sentinel's ingestion and querying capabilities apply.
Requirements
To use this output connector, you need:
- A Log Analytics workspace that has been onboarded to Microsoft Sentinel.
- At least Contributor rights on that Log Analytics workspace.
- Permissions to create Data Collection Rule (DCR) and Data Collection Endpoint (DCE) objects for the workspace, and to assign roles on the DCR.
Setup
Step 1: Create Microsoft Entra Application
Register an application in Microsoft Entra ID and create a client secret for it. From this step you obtain a valid Application (client) ID, Directory (tenant) ID, and client secret value, which are used when setting up the output connector. The application must also be granted the Monitoring Metrics Publisher role on the Data Collection Rule created in Step 3; without that role assignment, the Logs Ingestion API rejects the connector's writes.
Where to find these values:
- Navigate to Azure Portal → Microsoft Entra ID (formerly Azure Active Directory)
- Click on App registrations → Select your application
- Application (Client) ID: Found on the application's Overview page
- Directory (Tenant) ID: Also found on the application's Overview page
- Client Secret: Go to Certificates & secrets → Client secrets tab → Copy the Value (not the Secret ID)
- ⚠️ Important: The client secret value is only shown once when created. Save it immediately.
Step 2: Create Data Collection Endpoint
Create a Data Collection Endpoint and retrieve its Logs Ingestion URI from the endpoint's Overview page. This value is the Endpoint URL setting in Monad's output configuration.
Where to find the Endpoint URL:
- Navigate to Azure Portal → Monitor → Data Collection Endpoints
- Select your data collection endpoint
- Find the Logs Ingestion URI on the Overview page
- Format:
https://<endpoint-name>.<region>.ingest.monitor.azure.com
Step 3: Create New Table in Log Analytics Workspace
Note: When you create a new table through the portal, you are asked to upload a file containing a sample JSON array of data; Azure Monitor infers the table schema from it. In Monad's context, this schema is the shape of the records produced by the input connector you are ingesting (for example, Okta Users or CrowdStrike Vulnerabilities). Some field names are reserved keywords in Microsoft Sentinel and are omitted from the ingested records. Refer to the list below:
Keywords omitted (based on the input connectors Monad supported as of July 29th, 2024):
- uuid
- kind
- output
- scan
- id
- type
Transformation to add a timestamp (every custom table requires a TimeGenerated column; set this as the DCR transformation so each record gets one):
source | extend TimeGenerated = now()
Note that now() stamps records with the ingestion time. If the source records carry an event timestamp, extend TimeGenerated from that field instead so queries in Sentinel reflect when the event actually happened.
Configuration
The following configuration defines the parameters for this output connector. Each field's type, whether it is required, and a description are detailed below.
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Endpoint URL | string | Yes | The Logs Ingestion URI of the Data Collection Endpoint (DCE), in the form https://<endpoint-name>.<region>.ingest.monitor.azure.com. |
| Rule ID | string | Yes | The immutable ID of the Data Collection Rule (DCR), which starts with dcr-. This is not the DCR's display name. |
| Stream Name | string | Yes | The name of the data stream declared in the Data Collection Rule, typically Custom-[TableName]_CL. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| Tenant ID | string | Yes | The Microsoft Entra ID (formerly Azure Active Directory) directory (tenant) ID. |
| Client ID | string | Yes | The application (client) ID of the app registered in Microsoft Entra ID. |
| Client Secret | string | Yes | The client secret value (not the secret ID) associated with the registered application. |
Quick Reference: Finding Your Configuration Values
Rule ID (DCR Immutable ID)
- Go to Monitor → Data Collection Rules
- Select your DCR (e.g., "testrule"); the display name you see here is not the Rule ID
- Click JSON View (top menu)
- Look for "immutableId": "dcr-xxxxx..." and use that value as the Rule ID
Stream Name
The stream name follows the pattern: Custom-[TableName]_CL
Method 1 - Via Tables:
- Go to Log Analytics workspaces → Select workspace
- Click Tables (under Settings)
- Find your custom table (e.g., docsuserfacingfixtest_CL)
- Add the Custom- prefix: Custom-docsuserfacingfixtest_CL
Method 2 - Via DCR JSON:
- Go to Monitor → Data Collection Rules → Select your DCR
- Click JSON View
- Look under properties.streamDeclarations for all available stream names, and pick the stream associated with the table you created. If the DCR declares a stream name that differs from the Custom-[TableName]_CL pattern, the declared name is the one the connector must use.
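The following is an added example, not code from Monad or Microsoft, that walks through the setup above end to end: it validates the Endpoint URL, Rule ID and Stream Name in the shapes this page documents, builds the client-credentials token request from the Step 1 secrets, assembles the Logs Ingestion API call (POST to `<DCE>/dataCollectionRules/<immutableId>/streams/<stream>`), splits records into batches under the API's 1 MB limit, and flags fields whose names appear in the omitted-keywords list. All resource names, IDs and records are constructed placeholders, and the network is replaced by an injectable `http` callable (`fake_http`) so it runs without an Azure subscription.

```python
"""Offline walk-through of the Monad -> Microsoft Sentinel setup described above.
Added example, not Monad's or Microsoft's code; IDs and records are constructed."""
import json
import re
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import urlencode

TOKEN_SCOPE = "https://monitor.azure.com/.default"  # scope the Logs Ingestion API expects
API_VERSION = "2023-01-01"
MAX_PAYLOAD_BYTES = 1_000_000  # the Logs Ingestion API rejects calls larger than 1 MB

# Field names this page lists as omitted keywords (as of July 29th, 2024)
OMITTED_FIELDS = {"uuid", "kind", "output", "scan", "id", "type"}

ENDPOINT_RE = re.compile(r"^https://[a-z0-9-]+\.[a-z0-9-]+\.ingest\.monitor\.azure\.com$")
RULE_ID_RE = re.compile(r"^dcr-[0-9a-f]+$")            # DCR immutableId, not its display name
STREAM_RE = re.compile(r"^Custom-[A-Za-z0-9_]+_CL$")  # Custom-[TableName]_CL

# Constructed placeholder settings in the shapes documented above (not real resources)
SETTINGS = {"endpoint": "https://my-dce-abcd.eastus-1.ingest.monitor.azure.com",
            "rule_id": "dcr-0123456789abcdef0123456789abcdef",
            "stream_name": "Custom-docsuserfacingfixtest_CL"}
SECRETS = {"tenant_id": "00000000-0000-0000-0000-000000000000",
           "client_id": "11111111-1111-1111-1111-111111111111",
           "client_secret": "placeholder-secret-value"}
# Constructed sample records (Okta-Users-like); the second carries a reserved field name
SAMPLE_RECORDS = [
    {"TimeGenerated": "2024-07-29T12:00:00Z", "login": "alice@example.com", "status": "ACTIVE"},
    {"TimeGenerated": "2024-07-29T12:00:01Z", "login": "bob@example.com", "status": "SUSPENDED", "id": "00u1"},
]
HttpFn = Callable[[str, str, Dict[str, str], bytes], Tuple[int, str]]

def validate_settings(endpoint: str, rule_id: str, stream_name: str) -> List[str]:
    """Return the configuration mistakes this page warns about (empty list means OK)."""
    problems = []
    if not ENDPOINT_RE.match(endpoint.rstrip("/")):
        problems.append("Endpoint URL must be the DCE Logs Ingestion URI "
                        "(https://<endpoint-name>.<region>.ingest.monitor.azure.com)")
    if not RULE_ID_RE.match(rule_id):
        problems.append("Rule ID must be the DCR immutableId (dcr-...), not the DCR display name")
    if not STREAM_RE.match(stream_name):
        problems.append("Stream Name must follow Custom-[TableName]_CL")
    return problems

def ingestion_url(endpoint: str, rule_id: str, stream_name: str) -> str:
    """URL the connector POSTs to: <DCE>/dataCollectionRules/<immutableId>/streams/<stream>."""
    return (f"{endpoint.rstrip('/')}/dataCollectionRules/{rule_id}"
            f"/streams/{stream_name}?api-version={API_VERSION}")

def token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, Dict[str, str]]:
    """Client-credentials token request built from the Step 1 values."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return url, {"grant_type": "client_credentials", "client_id": client_id,
                 "client_secret": client_secret, "scope": TOKEN_SCOPE}

def omitted_fields_in(records: List[dict]) -> Set[str]:
    """Field names that will not survive ingestion because they are reserved keywords."""
    return {key for rec in records for key in rec if key in OMITTED_FIELDS}

def batch(records: List[dict], max_bytes: int = MAX_PAYLOAD_BYTES) -> List[str]:
    """Split records into JSON arrays of at most max_bytes, one API call per array.
    A single record larger than max_bytes still gets its own (oversized) array."""
    batches, current = [], []
    for rec in records:
        candidate = current + [rec]
        if current and len(json.dumps(candidate).encode()) > max_bytes:
            batches.append(json.dumps(current))
            current = [rec]
        else:
            current = candidate
    if current:
        batches.append(json.dumps(current))
    return batches

def send(records: List[dict], settings: Dict[str, str], secrets: Dict[str, str], http: HttpFn) -> List[int]:
    """Acquire a token and POST every batch; returns one HTTP status per call (204 = accepted)."""
    problems = validate_settings(settings["endpoint"], settings["rule_id"], settings["stream_name"])
    if problems:
        raise ValueError("; ".join(problems))
    tok_url, form = token_request(secrets["tenant_id"], secrets["client_id"], secrets["client_secret"])
    status, body = http("POST", tok_url, {"Content-Type": "application/x-www-form-urlencoded"},
                        urlencode(form).encode())
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {body}")
    headers = {"Authorization": f"Bearer {json.loads(body)['access_token']}",
               "Content-Type": "application/json"}
    url = ingestion_url(settings["endpoint"], settings["rule_id"], settings["stream_name"])
    # A 403 here usually means the app lacks the Monitoring Metrics Publisher role on the DCR.
    return [http("POST", url, headers, payload.encode())[0] for payload in batch(records)]

def fake_http(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """Constructed stand-in for Entra ID and the DCE so the example runs offline."""
    if "login.microsoftonline.com" in url:
        return 200, json.dumps({"token_type": "Bearer", "access_token": "eyJ-constructed"})
    if headers.get("Authorization") != "Bearer eyJ-constructed":
        return 401, "missing or invalid bearer token"
    if "?api-version=" not in url:
        return 400, "api-version is required"
    return 204, ""

if __name__ == "__main__":
    print("omitted fields:", omitted_fields_in(SAMPLE_RECORDS))
    print("statuses:", send(SAMPLE_RECORDS, SETTINGS, SECRETS, fake_http))
```

Run it as-is to see the flow against the fake endpoint; to exercise a real DCE, replace `fake_http` with a callable that performs the request and returns `(status_code, body)`, and use your own Step 1 secrets and Step 2/3 values. The validation step is the part worth keeping in any deployment checklist: the three mistakes it catches (portal URL instead of the Logs Ingestion URI, DCR display name instead of the immutable ID, table name without the Custom- prefix) are the ones that produce opaque 404 and 400 responses from the ingestion API.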