Microsoft Sentinel
Send logs to Microsoft Sentinel (Azure Log Analytics) via the Log Analytics Ingestion API.
Description
The Microsoft Sentinel destination allows you to export logs from Bindplane to Microsoft Sentinel (Azure Log Analytics) using the Log Analytics Ingestion API. Logs are sent to a custom table in your Log Analytics workspace. You can choose to send logs in standard OpenTelemetry Protocol (OTLP) JSON format or as raw log entries, depending on your configuration.
Supported Types
✓
✓
Configuration
stream_name*
string
The name of the custom log table in Log Analytics. Must be prefixed with Custom-. Learn more
raw_log_field
string
The field name to use for sending raw logs. If set, logs are sent as { "RawData": ... }.
*required field
Supported Retry and Queuing Settings
This destination supports the following retry and queuing settings:
✓
✓
✓
How It Works
This destination sends logs to Microsoft Sentinel using the Log Analytics Ingestion API. You must configure a Data Collection Rule (DCR) and a custom table in your Log Analytics workspace. Logs can be sent in two formats:
OTLP JSON Format (default): If
raw_log_fieldis not set, logs are sent in standard OpenTelemetry Protocol JSON format. Your custom table must be compatible with this schema.Raw Log Mode: If
raw_log_fieldis set, the exporter extracts the data from the specified field and sends logs as{ "RawData": ... }. Your custom table must have aRawDatacolumn.
A TimeGenerated field is always included in the schema.
Setup Instructions
1. Register an Azure AD Application (skip if you already have one)
Go to Azure Active Directory > App registrations
Click New registration
Name your application and select account type (usually "Single tenant")
Click Register
Note the Application (client) ID and Directory (tenant) ID
Under Certificates & secrets, create a new client secret and copy its value immediately (you won't be able to see it again)
2. Create a Log Analytics Workspace Table (skip if you already have one)
Go to your Log Analytics workspace
Under Settings, select Tables
Click New Custom Table
Name your table (the
stream_namemust be prefixed withCustom-, e.g.,Custom-my_logs)Select JSON as the data format
Provide a schema example based on your configuration:
If
raw_log_fieldis NOT set (Default): Use the following OTLP log formatted schema:{ "resourceLogs": [ { "resource": {}, "scopeLogs": [ { "scope": {}, "logRecords": [ { "observedTimeUnixNano": "1744314249480007000", "body": { "stringValue": "Tue Mar 04 15:57:06 2020: <14>Mar 4 15:53:03 BAR-NG-VF500 BAR-NG-VF500/box_Firewall_Activity: Info BAR-NG-VF500 Remove: type=FWD|proto=UDP|srcIF=eth1|srcIP=192.168.70.7|srcPort=35119|srcMAC=08:00:27:da:d7:9c|dstIP=8.8.8.8|dstPort=53|dstService=domain|dstIF=eth0|rule=InternetAccess/<App>:RestrictTim|info=Balanced Session Idle Timeout|srcNAT=192.168.70.7|dstNAT=8.8.8.8|duration=21132|count=1|receivedBytes=130|sentBytes=62|receivedPackets=1|sentPackets=1|user=|protocol=|application=|target=|content=|urlcat" }, "attributes": [ { "key": "log.file.name", "value": { "stringValue": "sample.log" } } ], "traceId": "", "spanId": "" }, { "observedTimeUnixNano": "1744314249480014000", "body": { "stringValue": "Tue Mar 04 15:57:06 2020: <14>Mar 4 15:53:04 BAR-NG-VF500 BAR-NG-VF500/box_Firewall_Activity: Info BAR-NG-VF500 Remove: type=FWD|proto=UDP|srcIF=eth1|srcIP=192.168.70.7|srcPort=38686|srcMAC=08:00:27:da:d7:9c|dstIP=8.8.8.8|dstPort=53|dstService=domain|dstIF=eth0|rule=InternetAccess/<App>:RestrictTim|info=Session Idle Timeout|srcNAT=192.168.70.7|dstNAT=8.8.8.8|duration=60100|count=1|receivedBytes=0|sentBytes=62|receivedPackets=0|sentPackets=1|user=|protocol=|application=|target=|content=|urlcat=" }, "attributes": [ { "key": "log.file.name", "value": { "stringValue": "sample.log" } } ], "traceId": "", "spanId": "" } ] } ] } ] }If
raw_log_fieldIS set: Use the following simple schema with aRawDatafield:[ { "RawData": "Sample log entry content" } ]
Click Create
3. Create a Data Collection Rule (DCR)
In Microsoft Sentinel, go to Settings > Data Collection Rules
Click Create
Select your subscription, resource group, and Log Analytics workspace
Choose your custom table
Complete the setup and note the DCR Endpoint URL and Rule ID
If you do not see an endpoint URL, try updating the API version in the JSON view of your DCR ruleset. If you still don't see it, you may need to set up a Data Collection Endpoint (DCE). See Azure documentation for more information.
4. Assign Permissions
Go to your DCR
Under Access control (IAM), add a role assignment:
Role: Monitoring Metrics Publisher
Assign to: your Azure AD application (service principal)
Repeat for the Log Analytics workspace if needed
Now you have all the required information to configure the exporter:
endpoint: The DCR Endpoint URLclient_id: The Application (client) IDclient_secret: The secret value you createdtenant_id: The Directory (tenant) IDrule_id: The DCR Rule IDstream_name: The name of your custom table (must be prefixed withCustom-)
Notes
The first export of logs to a new table may take 5–15 minutes to appear in Microsoft Sentinel.
Only logs are supported for this destination.
For more details, see the Azure Log Analytics Ingestion API documentation.
Standalone Destination
apiVersion: bindplane.observiq.com/v1
kind: Destination
metadata:
id: microsoftsentinel
name: microsoftsentinel
spec:
type: microsoftsentinel
parameters:
- name: endpoint
value: '<your-log-ingestion-endpoint>'
- name: client_id
value: '<your-client-id>'
- name: client_secret
value: '<your-client-secret>'
- name: tenant_id
value: '<your-tenant-id>'
- name: rule_id
value: '<your-dcr-id>'
- name: stream_name
value: '<your-stream-name>'
# - name: raw_log_field
# value: bodyLast updated
Was this helpful?