Microsoft Sentinel

Description

The Microsoft Sentinel destination allows you to export logs from Bindplane to Microsoft Sentinel (Azure Log Analytics) using the Log Analytics Ingestion API. Logs are sent to a custom table in your Log Analytics workspace. You can choose to send logs in standard OpenTelemetry Protocol (OTLP) JSON format or as raw log entries, depending on your configuration.

Supported Types

Configuration

*required field

Supported Retry and Queuing Settings

This destination supports the retry settings, the sending queue settings, and the persistent queue settings.

How It Works

This destination sends logs to Microsoft Sentinel using the Log Analytics Ingestion API. You must configure a Data Collection Rule (DCR) and a custom table in your Log Analytics workspace. Logs can be sent in two formats:

• OTLP JSON Format (default): If raw_log_field is not set, logs are sent in standard OpenTelemetry Protocol JSON format. Your custom table must be compatible with this schema.

• Raw Log Mode: If raw_log_field is set, the exporter extracts the data from the specified field and sends logs as { "RawData": ... }. Your custom table must have a RawData column.

A TimeGenerated field is always included in the schema.

Setup Instructions

1. Register an Azure AD Application (skip if you already have one)

1. Go to Azure Active Directory > App registrations

2. Click New registration

3. Name your application and select account type (usually "Single tenant")

4. Click Register

5. Note the Application (client) ID and Directory (tenant) ID

6. Under Certificates & secrets, create a new client secret and copy its value immediately (you won't be able to see it again)

2. Create a Log Analytics Workspace Table (skip if you already have one)

1. Go to your Log Analytics workspace

2. Under Settings, select Tables

3. Click New Custom Table

4. Name your table (the stream_name must be prefixed with Custom-, e.g., Custom-my_logs)

5. Select JSON as the data format

6. Provide a schema example based on your configuration:

   • If raw_log_field is NOT set (Default): Use the following OTLP log formatted schema:

   • If raw_log_field IS set: Use the following simple schema with a RawData field:

7. Click Create

3. Create a Data Collection Rule (DCR)

1. In Microsoft Sentinel, go to Settings > Data Collection Rules

2. Click Create

3. Select your subscription, resource group, and Log Analytics workspace

4. Choose your custom table

5. Complete the setup and note the DCR Endpoint URL and Rule ID

   • If you do not see an endpoint URL, try updating the API version in the JSON view of your DCR ruleset. If you still don't see it, you may need to set up a Data Collection Endpoint (DCE). See Azure documentation for more information.

4. Assign Permissions

1. Go to your DCR

2. Under Access control (IAM), add a role assignment:

   • Role: Monitoring Metrics Publisher

   • Assign to: your Azure AD application (service principal)

3. Repeat for the Log Analytics workspace if needed

Now you have all the required information to configure the exporter:

• endpoint: The DCR Endpoint URL

• client_id: The Application (client) ID

• client_secret: The secret value you created

• tenant_id: The Directory (tenant) ID

• rule_id: The DCR Rule ID

• stream_name: The name of your custom table (must be prefixed with Custom-)

Notes

• The first export of logs to a new table may take 5–15 minutes to appear in Microsoft Sentinel.

• Only logs are supported for this destination.

• For more details, see the Azure Log Analytics Ingestion API documentation.

Standalone Destination