# Microsoft Sentinel

### Description

The Microsoft Sentinel destination allows you to export logs from Bindplane to Microsoft Sentinel (Azure Log Analytics) using the [Log Analytics Ingestion API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview).

**Two modes are supported:**

**Basic:** logs go to a single custom table you provision yourself. Output is either OTLP JSON or raw lines.

**ASIM:** logs are routed per-record to one of ten native Microsoft Sentinel ASIM tables (e.g. `ASimAuthenticationEventLogs`, `ASimNetworkSessionLogs`). Requires the companion `asim_standardization` processor, which sets the `sentinel_stream_name` attribute Bindplane uses for routing. Bindplane provisions a single consolidated DCR covering all ten tables via an ARM template the wizard generates for you.

Pick **ASIM** if you want native Sentinel analytics rules, workbooks, and hunting queries to work out of the box. Pick **Basic** if you want a flat custom table and full control over the schema.

### Supported Types

| Logs | Metrics | Traces | Persistent Queuing | Proxy |
| ---- | ------- | ------ | ------------------ | ----- |
| ✓    |         |        | ✓                  |       |

### Configuration

| Parameter        | Type     | Default | Description                                                                                                                                                                    |
| ---------------- | -------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| mode\*           | `string` | `basic` | Controls schema + routing behavior.                                                                                                                                            |
| endpoint\*       | `string` |         | The DCR/DCE log ingestion endpoint. [Learn more](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-endpoint-overview?tabs=portal)               |
| rule\_id\*       | `string` |         | The Data Collection Rule (DCR) ID or immutable ID. [Learn more](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-structure)               |
| client\_id\*     | `string` |         | The Azure client ID for authentication. [Learn more](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application)                                             |
| client\_secret\* | `string` |         | The Azure client secret for authentication. [Learn more](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application)                                         |
| tenant\_id\*     | `string` |         | The Azure tenant ID for authentication. [Learn more](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application)                                             |
| stream\_name\*   | `string` |         | The name of the custom log table in Log Analytics. Must be prefixed with `Custom-`. [Learn more](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application) |
| raw\_log\_field  | `string` |         | The field name to use for sending raw logs. If set, logs are sent as `{ "RawData": ... }`.                                                                                     |

\* *required field*

### Supported Retry and Queuing Settings

This destination supports the [retry settings](/configuration/bindplane-otel-collector/retry-on-failure.md), the [sending queue settings](/configuration/bindplane-otel-collector/sending-queue.md), and the [persistent queue settings.](/configuration/bindplane-otel-collector/persistent-queue.md)

| Sending Queue | Persistent Queue | Retry on Failure |
| ------------- | ---------------- | ---------------- |
| ✓             | ✓                | ✓                |

### Mode: Basic

#### How It Works

This destination sends logs to Microsoft Sentinel using the Log Analytics Ingestion API. You must configure a Data Collection Rule (DCR) and a custom table in your Log Analytics workspace. Logs can be sent in two formats:

* **OTLP JSON Format (default):** If `raw_log_field` is not set, logs are sent in standard OpenTelemetry Protocol JSON format. Your custom table must be compatible with this schema.
* **Raw Log Mode:** If `raw_log_field` is set, the exporter extracts the data from the specified field and sends logs as `{ "RawData": ... }`. Your custom table must have a `RawData` column.

A `TimeGenerated` field is always included in the schema.

### Setup Instructions

#### 1. Register an Azure AD Application (skip if you already have one)

1. Go to Azure Active Directory > App registrations
2. Click **New registration**
3. Name your application and select account type (usually "Single tenant")
4. Click **Register**
5. Note the **Application (client) ID** and **Directory (tenant) ID**
6. Under **Certificates & secrets**, create a new client secret and copy its value immediately (you won't be able to see it again)

#### 2. Create a Log Analytics Workspace Table (skip if you already have one)

1. Go to your Log Analytics workspace
2. Under **Settings**, select **Tables**
3. Click **New Custom Table**
4. Name your table (the `stream_name` must be prefixed with `Custom-`, e.g., `Custom-my_logs`)
5. Select **JSON** as the data format
6. Provide a schema example based on your configuration:
   * **If `raw_log_field` is NOT set (Default):** Use the following OTLP log formatted schema:

     ```json
     {
       "resourceLogs": [
         {
           "resource": {},
           "scopeLogs": [
             {
               "scope": {},
               "logRecords": [
                 {
                   "observedTimeUnixNano": "1744314249480007000",
                   "body": {
                     "stringValue": "Tue Mar 04 15:57:06 2020: <14>Mar  4 15:53:03 BAR-NG-VF500 BAR-NG-VF500/box_Firewall_Activity:  Info     BAR-NG-VF500 Remove: type=FWD|proto=UDP|srcIF=eth1|srcIP=192.168.70.7|srcPort=35119|srcMAC=08:00:27:da:d7:9c|dstIP=8.8.8.8|dstPort=53|dstService=domain|dstIF=eth0|rule=InternetAccess/<App>:RestrictTim|info=Balanced Session Idle Timeout|srcNAT=192.168.70.7|dstNAT=8.8.8.8|duration=21132|count=1|receivedBytes=130|sentBytes=62|receivedPackets=1|sentPackets=1|user=|protocol=|application=|target=|content=|urlcat"
                   },
                   "attributes": [
                     {
                       "key": "log.file.name",
                       "value": {
                         "stringValue": "sample.log"
                       }
                     }
                   ],
                   "traceId": "",
                   "spanId": ""
                 },
                 {
                   "observedTimeUnixNano": "1744314249480014000",
                   "body": {
                     "stringValue": "Tue Mar 04 15:57:06 2020: <14>Mar  4 15:53:04 BAR-NG-VF500 BAR-NG-VF500/box_Firewall_Activity:  Info     BAR-NG-VF500 Remove: type=FWD|proto=UDP|srcIF=eth1|srcIP=192.168.70.7|srcPort=38686|srcMAC=08:00:27:da:d7:9c|dstIP=8.8.8.8|dstPort=53|dstService=domain|dstIF=eth0|rule=InternetAccess/<App>:RestrictTim|info=Session Idle Timeout|srcNAT=192.168.70.7|dstNAT=8.8.8.8|duration=60100|count=1|receivedBytes=0|sentBytes=62|receivedPackets=0|sentPackets=1|user=|protocol=|application=|target=|content=|urlcat="
                   },
                   "attributes": [
                     {
                       "key": "log.file.name",
                       "value": {
                         "stringValue": "sample.log"
                       }
                     }
                   ],
                   "traceId": "",
                   "spanId": ""
                 }
               ]
             }
           ]
         }
       ]
     }
     ```
   * **If `raw_log_field` IS set:** Use the following simple schema with a `RawData` field:

     ```json
     [
       {
         "RawData": "Sample log entry content"
       }
     ]
     ```
7. Click **Create**

#### 3. Create a Data Collection Rule (DCR)

1. In Microsoft Sentinel, go to **Settings > Data Collection Rules**
2. Click **Create**
3. Select your subscription, resource group, and Log Analytics workspace
4. Choose your custom table
5. Complete the setup and note the DCR **Endpoint URL** and **Rule ID**
   * If you do not see an endpoint URL, try updating the API version in the JSON view of your DCR ruleset. If you still don't see it, you may need to set up a Data Collection Endpoint (DCE). See [Azure documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview#data-collection-rule-dcr) for more information.

#### 4. Assign Permissions

1. Go to your DCR
2. Under **Access control (IAM)**, add a role assignment:
   * Role: **Monitoring Metrics Publisher**
   * Assign to: your Azure AD application (service principal)
3. Repeat for the Log Analytics workspace if needed

Now you have all the required information to configure the exporter:

* `endpoint`: The DCR Endpoint URL
* `client_id`: The Application (client) ID
* `client_secret`: The secret value you created
* `tenant_id`: The Directory (tenant) ID
* `rule_id`: The DCR Rule ID
* `stream_name`: The name of your custom table (must be prefixed with `Custom-`)
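A preflight helper, added here as an example and not Bindplane's own code, that assembles the values from the steps above into an ingestion URL, shapes a record both ways Basic mode can send it (OTLP JSON or `RawData`), and can post a test batch with a client-credentials token. The API version and token scope are assumptions taken from the Azure Logs Ingestion API documentation; the record shape `{'body': ..., 'attributes': {...}}` is constructed for the example.

```python
import json
import time
import urllib.parse
import urllib.request

API_VERSION = "2023-01-01"                          # assumption: Logs Ingestion API version
TOKEN_SCOPE = "https://monitor.azure.com/.default"  # assumption: OAuth scope for ingestion

def ingestion_url(endpoint, rule_id, stream_name):
    """Build the Logs Ingestion API URL for one DCR stream; reject a bad stream_name early."""
    if not stream_name.startswith("Custom-"):
        raise ValueError(f"stream_name must be prefixed with 'Custom-': {stream_name!r}")
    return (f"{endpoint.rstrip('/')}/dataCollectionRules/{rule_id}"
            f"/streams/{urllib.parse.quote(stream_name)}?api-version={API_VERSION}")

def extract_field(record, field):
    """Resolve 'body' or 'attributes.<key>' on a record shaped {'body': str, 'attributes': dict}."""
    if field == "body":
        return record["body"]
    if field.startswith("attributes."):
        return record["attributes"][field[len("attributes."):]]
    raise KeyError(f"unsupported raw_log_field: {field}")

def shape_payload(records, raw_log_field=None):
    """Body Basic mode sends: OTLP JSON when raw_log_field is unset, else [{'RawData': ...}]."""
    if raw_log_field:
        return [{"RawData": extract_field(r, raw_log_field)} for r in records]
    now = str(time.time_ns())
    log_records = [{"observedTimeUnixNano": now, "body": {"stringValue": r["body"]},
                    "attributes": [{"key": k, "value": {"stringValue": v}}
                                   for k, v in r.get("attributes", {}).items()],
                    "traceId": "", "spanId": ""} for r in records]
    return {"resourceLogs": [{"resource": {}, "scopeLogs": [{"scope": {}, "logRecords": log_records}]}]}

def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for the service principal holding Monitoring Metrics Publisher."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": TOKEN_SCOPE}).encode()
    req = urllib.request.Request(f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def send(url, token, payload):
    """POST one batch; the ingestion API answers 204 No Content on success."""
    req = urllib.request.Request(url, json.dumps(payload).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Posting one hand-built batch this way confirms the DCR, the table schema and the role assignment before the collector is pointed at the endpoint.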

### Mode: ASIM

#### How It Works

ASIM mode maps each source directly to an ASIM table. It relies on three pieces: the destination wizard, a consolidated DCR, and the `asim_standardization` processor.

A single consolidated DCR provisions ten native ASIM tables in one go:

| Schema           | Sentinel Table                   |
| ---------------- | -------------------------------- |
| authentication   | `ASimAuthenticationEventLogs`    |
| network\_session | `ASimNetworkSessionLogs`         |
| dns\_activity    | `ASimDnsActivityLogs`            |
| process\_event   | `ASimProcessEventLogs`           |
| file\_event      | `ASimFileEventLogs`              |
| audit\_event     | `ASimAuditEventLogs`             |
| web\_session     | `ASimWebSessionLogs`             |
| dhcp\_event      | `ASimDhcpEventLogs`              |
| registry\_event  | `ASimRegistryEventLogs`          |
| user\_management | `ASimUserManagementActivityLogs` |

### Setup Instructions (Configuring ASIM destination)

#### 1. Start the destination wizard

In the Bindplane UI, add a new destination → pick Microsoft Sentinel → set Mode: ASIM. The Sentinel ASIM setup panel appears.

#### 2. Download the ARM template

Click Download ARM template. Bindplane generates a single consolidated template that provisions:

* 1 Data Collection Rule with 10 streamDeclarations and 10 dataFlows
* 1 role assignment (Monitoring Metrics Publisher) for the service principal you specify

#### 3. Deploy the ARM template in Azure

Deploy via the Azure portal (Deploy a custom template), Azure CLI (az deployment group create), or Terraform. Provide:

* Target resource group
* Service principal object ID (so the role assignment lands on the right identity)

Wait for the deployment to finish and copy the deployment output JSON.

#### 4. Paste the deployment output

Paste the deployment output JSON into the wizard. Bindplane parses it and auto-fills:

* `rule_id` (DCR immutable ID)
* `endpoint` (DCE ingestion endpoint)
* `tenant_id`

#### 5. Add credentials

Enter `client_id` and `client_secret` for your Azure AD application (these are not in the deployment output).

#### 6. Add the `asim_standardization` processor

Bindplane surfaces a recommended processor: `asim_standardization`. Add it to your configuration. Either:

* Pick a resource preset:
  * `asim_windows_security` — Windows Security events (4624, 4625, 4688, 4720, 4726, …) → Authentication / Process / UserManagement tables
  * `asim_linux_syslog` — Linux auth / sshd / sudo / login syslog → Authentication / Audit tables
  * `asim_cef` — CEF-formatted security events → Authentication / NetworkSession / FileEvent tables
* Or define custom `event_mappings` (a list of `{ filter, targetTable, fieldMappings }` entries)

The processor's `runtime_validation` parameter (default `true`) verifies that each record satisfies the ASIM column contract before export.
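The routing that the `asim_standardization` processor and this destination perform, as an added example in Python (not the processor's or Bindplane's code): records are partitioned by their `sentinel_stream_name` attribute into the ten tables listed above, and a stand-in for `runtime_validation` rejects records that lack a required column set. `COMMON_COLUMNS` is an assumption, an illustrative subset standing in for the real per-table ASIM contract, and the record shape `{"attributes": {...}, "columns": {...}}` is constructed.

```python
from collections import defaultdict

# Schema key -> Sentinel table, as listed in the consolidated-DCR table above.
ASIM_TABLES = {
    "authentication": "ASimAuthenticationEventLogs",
    "network_session": "ASimNetworkSessionLogs",
    "dns_activity": "ASimDnsActivityLogs",
    "process_event": "ASimProcessEventLogs",
    "file_event": "ASimFileEventLogs",
    "audit_event": "ASimAuditEventLogs",
    "web_session": "ASimWebSessionLogs",
    "dhcp_event": "ASimDhcpEventLogs",
    "registry_event": "ASimRegistryEventLogs",
    "user_management": "ASimUserManagementActivityLogs",
}
ROUTING_ATTR = "sentinel_stream_name"
# Assumption: an illustrative subset of ASIM common columns, standing in for the full
# per-table column contract that runtime_validation enforces.
COMMON_COLUMNS = {"TimeGenerated", "EventType", "EventResult", "EventProduct", "EventVendor"}

def route_records(records, runtime_validation=True):
    """Partition records into per-table batches; return (batches, rejected).

    A record is {"attributes": {...}, "columns": {...}}. The routing attribute may hold
    the table name or its schema key; anything else is rejected rather than sent to a
    default table, because the consolidated DCR declares no stream for it.
    """
    batches, rejected = defaultdict(list), []
    valid = set(ASIM_TABLES.values())
    for rec in records:
        raw = rec.get("attributes", {}).get(ROUTING_ATTR)
        table = ASIM_TABLES.get(raw, raw)
        if table not in valid:
            rejected.append((rec, f"unknown or missing {ROUTING_ATTR}: {raw!r}"))
            continue
        if runtime_validation:
            missing = COMMON_COLUMNS - set(rec.get("columns", {}))
            if missing:
                rejected.append((rec, f"{table} missing columns: {sorted(missing)}"))
                continue
        batches[table].append(rec)
    return dict(batches), rejected
```

The `rejected` list is what you would surface in collector logs: a record landing there means the processor did not set a table, or the mapping did not fill the contract.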

### Notes

* The first export of logs to a new table may take 5–15 minutes to appear in Microsoft Sentinel.
* Only logs are supported for this destination.
* For more details, see the [Azure Log Analytics Ingestion API documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview).

### Standalone Destination

```yaml
apiVersion: bindplane.observiq.com/v1
kind: Destination
metadata:
  id: microsoftsentinel
  name: microsoftsentinel
spec:
  type: microsoftsentinel
  parameters:
    - name: endpoint
      value: '<your-log-ingestion-endpoint>'
    - name: client_id
      value: '<your-client-id>'
    - name: client_secret
      value: '<your-client-secret>'
    - name: tenant_id
      value: '<your-tenant-id>'
    - name: rule_id
      value: '<your-dcr-id>'
    - name: stream_name
      value: '<your-stream-name>'
    # - name: raw_log_field
    #   value: body
```
