
Microsoft Sentinel

Send logs to Microsoft Sentinel (Azure Log Analytics) via the Log Analytics Ingestion API.

Description

The Microsoft Sentinel destination allows you to export logs from Bindplane to Microsoft Sentinel (Azure Log Analytics) using the Log Analytics Ingestion API.

Two modes are supported:

ASIM: logs are routed per-record to one of ten native Microsoft Sentinel ASIM tables (e.g. ASimAuthenticationEventLogs, ASimNetworkSessionLogs). Requires the companion asim_standardization processor, which sets the sentinel_stream_name attribute Bindplane uses for routing. Bindplane provisions a single consolidated DCR covering all ten tables via an ARM template the wizard generates for you.

Basic: logs go to a single custom table you provision yourself. Output is either OTLP JSON or raw lines.

Pick ASIM if you want native Sentinel analytics rules, workbooks, and hunting queries to work out of the box. Pick Basic if you want a flat custom table and full control over the schema.

Supported Types

Logs
Metrics
Traces
Persistent Queuing
Proxy

Configuration

Parameters (* marks a required field):

  • mode* (string, default: basic): Controls schema + routing behavior.

  • endpoint* (string): The DCR/DCE log ingestion endpoint.

  • rule_id* (string): The Data Collection Rule (DCR) ID or immutable ID.

  • client_id* (string): The Azure client ID for authentication.

  • client_secret* (string): The Azure client secret for authentication.

  • tenant_id* (string): The Azure tenant ID for authentication.

  • stream_name* (string): The name of the custom log table in Log Analytics. Must be prefixed with Custom-.

  • raw_log_field (string): The field name to use for sending raw logs. If set, logs are sent as { "RawData": ... }.

Supported Retry and Queuing Settings

This destination supports the retry settings, the sending queue settings, and the persistent queue settings.

Sending Queue
Persistent Queue
Retry on Failure

Mode: ASIM

How It Works

Direct source → ASIM table mapping via a wizard, a consolidated DCR, and the asim_standardization processor.

A single consolidated DCR provisions ten native ASIM tables in one go:

Schema → Sentinel Table:

  • authentication → ASimAuthenticationEventLogs

  • network_session → ASimNetworkSessionLogs

  • dns_activity → ASimDnsActivityLogs

  • process_event → ASimProcessEventLogs

  • file_event → ASimFileEventLogs

  • audit_event → ASimAuditEventLogs

  • web_session → ASimWebSessionLogs

  • dhcp_event → ASimDhcpEventLogs

  • registry_event → ASimRegistryEventLogs

  • user_management → ASimUserManagementActivityLogs

Setup Instructions (Configuring ASIM destination)

1. Start the destination wizard

In the Bindplane UI, add a new destination → pick Microsoft Sentinel → set Mode: ASIM. The Sentinel ASIM setup panel appears.

[Screenshot: Add Destination panel in ASIM mode]

The Quick Setup Wizard guides you through generating and deploying the Azure resources, then auto-fills the destination fields.

[Screenshot: ASIM Quick Setup Wizard]

2. Download the ARM template

Click Download ARM template. Bindplane generates a single consolidated template that provisions:

  • 1 Data Collection Rule with 10 streamDeclarations and 10 dataFlows

  • 1 role assignment (Monitoring Metrics Publisher) for the service principal you specify

[Screenshot: Download Azure setup template]

3. Deploy the ARM template in Azure

Deploy via the Azure portal (Deploy a custom template), Azure CLI (az deployment group create), or Terraform. Provide:

  • Target resource group

  • Service principal object ID (so the role assignment lands on the right identity)

Wait for the deployment to finish and copy the deployment output JSON.

4. Paste the deployment output

Paste the deployment output JSON into the wizard. Bindplane parses it and auto-fills:

  • rule_id (DCR immutable ID)

  • endpoint (DCE ingestion endpoint)

  • tenant_id

[Screenshot: Upload deployment output]

5. Add credentials

Enter client_id and client_secret for your Azure AD application (these are not in the deployment output).

6. Add the asim_standardization processor

Bindplane surfaces a recommended processor: asim_standardization. Add it to your configuration. Either:

  • Pick a resource preset:

    • asim_windows_security — Windows Security events (4624, 4625, 4688, 4720, 4726, …) → Authentication / Process / UserManagement tables

    • asim_linux_syslog — Linux auth / sshd / sudo / login syslog → Authentication / Audit tables

    • asim_cef — CEF-formatted security events → Authentication / NetworkSession / FileEvent tables

  • Or define custom event_mappings (list of { filter, targetTable, fieldMappings })

The processor's runtime_validation parameter (default true) verifies each record satisfies the ASIM column contract before export.
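As an added example (not Bindplane's own code), the per-record routing and contract check the ASIM mode describes: each record carries the sentinel_stream_name attribute set by asim_standardization, records naming a table outside the ten provisioned ones or failing the column check are rejected instead of exported, and runtime_validation=False skips the check. The required-column set is an assumed subset of the ASIM common columns, and the record shape (attributes plus body) and the sample records are constructed.

```python
from collections import defaultdict

# The ten schema → table pairs from the consolidated DCR on this page.
ASIM_TABLES = {
    "authentication": "ASimAuthenticationEventLogs",
    "network_session": "ASimNetworkSessionLogs",
    "dns_activity": "ASimDnsActivityLogs",
    "process_event": "ASimProcessEventLogs",
    "file_event": "ASimFileEventLogs",
    "audit_event": "ASimAuditEventLogs",
    "web_session": "ASimWebSessionLogs",
    "dhcp_event": "ASimDhcpEventLogs",
    "registry_event": "ASimRegistryEventLogs",
    "user_management": "ASimUserManagementActivityLogs",
}
ALLOWED_STREAMS = set(ASIM_TABLES.values())

# Assumption: a small subset of the ASIM common columns stands in for the full contract.
REQUIRED_COLUMNS = ("TimeGenerated", "EventProduct", "EventVendor", "EventType", "EventResult")

def validate_record(body):
    """Return the list of contract violations; empty means the record may be exported."""
    return [f"missing column {c}" for c in REQUIRED_COLUMNS if c not in body]

def route_batch(records, runtime_validation=True):
    """Group record bodies by target table. Returns (batches, rejected) with reasons."""
    batches, rejected = defaultdict(list), []
    for rec in records:
        stream = rec.get("attributes", {}).get("sentinel_stream_name")
        if stream not in ALLOWED_STREAMS:  # never route to a table the DCR does not declare
            rejected.append((rec, f"unknown or missing sentinel_stream_name: {stream!r}"))
            continue
        problems = validate_record(rec["body"]) if runtime_validation else []
        if problems:
            rejected.append((rec, "; ".join(problems)))
            continue
        batches[stream].append(rec["body"])
    return dict(batches), rejected

# Constructed sample records: one complete, one missing columns, one with no stream name.
SAMPLE = [
    {"attributes": {"sentinel_stream_name": "ASimAuthenticationEventLogs"},
     "body": {"TimeGenerated": "2024-01-01T00:00:00Z", "EventProduct": "Security",
              "EventVendor": "Microsoft", "EventType": "Logon", "EventResult": "Failure"}},
    {"attributes": {"sentinel_stream_name": "ASimProcessEventLogs"},
     "body": {"TimeGenerated": "2024-01-01T00:00:01Z", "EventProduct": "Security"}},
    {"attributes": {}, "body": {"TimeGenerated": "2024-01-01T00:00:02Z"}},
]
```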

Mode: Basic

How It Works

This destination sends logs to Microsoft Sentinel using the Log Analytics Ingestion API. You must configure a Data Collection Rule (DCR) and a custom table in your Log Analytics workspace. Logs can be sent in two formats:

  • OTLP JSON Format (default): If raw_log_field is not set, logs are sent in standard OpenTelemetry Protocol JSON format. Your custom table must be compatible with this schema.

  • Raw Log Mode: If raw_log_field is set, the exporter extracts the data from the specified field and sends logs as { "RawData": ... }. Your custom table must have a RawData column.

A TimeGenerated field is always included in the schema.

Setup Instructions (Custom Table)

1. Register an Azure AD Application (skip if you already have one)

  1. Go to Azure Active Directory > App registrations

  2. Click New registration

  3. Name your application and select account type (usually "Single tenant")

  4. Click Register

  5. Note the Application (client) ID and Directory (tenant) ID

  6. Under Certificates & secrets, create a new client secret and copy its value immediately (you won't be able to see it again)

2. Create a Log Analytics Workspace Table (skip if you already have one)

  1. Go to your Log Analytics workspace

  2. Under Settings, select Tables

  3. Click New Custom Table

  4. Name your table (the stream_name must be prefixed with Custom-, e.g., Custom-my_logs)

  5. Select JSON as the data format

  6. Provide a schema example based on your configuration:

    • If raw_log_field is NOT set (Default): Use the following OTLP log formatted schema:

    • If raw_log_field IS set: Use the following simple schema with a RawData field:

  7. Click Create

3. Create a Data Collection Rule (DCR)

  1. In Microsoft Sentinel, go to Settings > Data Collection Rules

  2. Click Create

  3. Select your subscription, resource group, and Log Analytics workspace

  4. Choose your custom table

  5. Complete the setup and note the DCR Endpoint URL and Rule ID

    • If you do not see an endpoint URL, try updating the API version in the JSON view of your DCR ruleset. If you still don't see it, you may need to set up a Data Collection Endpoint (DCE). See Azure documentation for more information.

4. Assign Permissions

  1. Go to your DCR

  2. Under Access control (IAM), add a role assignment:

    • Role: Monitoring Metrics Publisher

    • Assign to: your Azure AD application (service principal)

  3. Repeat for the Log Analytics workspace if needed

Now you have all the required information to configure the exporter:

  • endpoint: The DCR Endpoint URL

  • client_id: The Application (client) ID

  • client_secret: The secret value you created

  • tenant_id: The Directory (tenant) ID

  • rule_id: The DCR Rule ID

  • stream_name: The name of your custom table (must be prefixed with Custom-)
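As an added example (not Bindplane's own code) of the basic-mode behaviour in this section: checking the six required parameters before any request is built, and turning a record into either a RawData row or a simplified OTLP JSON row, with TimeGenerated always present. The ingestion URL shape is taken from Azure's public Logs Ingestion API docs rather than this page; the dot-separated raw_log_field path, the flat record layout and every identifier are assumptions or placeholders.

```python
import json
from urllib.parse import urlparse
REQUIRED = ("endpoint", "rule_id", "client_id", "client_secret", "tenant_id", "stream_name")

def config_problems(cfg):
    """Return what is wrong with a basic-mode config; an empty list means it is usable."""
    problems = [f"{k} is required" for k in REQUIRED if not cfg.get(k)]
    if urlparse(str(cfg.get("endpoint", ""))).scheme != "https":
        problems.append("endpoint must use https")  # the bearer token travels in a header
    if not str(cfg.get("stream_name", "")).startswith("Custom-"):
        problems.append("stream_name must be prefixed with Custom-")
    return problems

def ingestion_url(cfg):
    """Assumed URL shape of the Logs Ingestion API (from Azure's public docs, not this page)."""
    problems = config_problems(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    base = cfg["endpoint"].rstrip("/")
    return f"{base}/dataCollectionRules/{cfg['rule_id']}/streams/{cfg['stream_name']}?api-version=2023-01-01"

def lookup(record, path):
    """Walk a dot-separated path into nested dicts; None when any segment is missing."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def build_payload(cfg, records):
    """Raw mode when raw_log_field is set, otherwise the whole record (simplified OTLP JSON)."""
    field = cfg.get("raw_log_field")
    rows = []
    for rec in records:
        row = {"TimeGenerated": rec["timestamp"]}  # TimeGenerated is always part of the schema
        if field:
            value = lookup(rec, field)
            if value is None:
                continue  # the record has nothing in that field, so there is nothing to send
            row["RawData"] = value if isinstance(value, str) else json.dumps(value)
        else:
            row.update(rec)
        rows.append(row)
    return rows

SAMPLE_RECORD = {"timestamp": "2024-01-01T00:00:00Z", "severity_text": "WARN",  # constructed
                 "body": "Failed password for invalid user from 203.0.113.5", "attributes": {"host.name": "web-01"}}
CFG = {"mode": "basic", "endpoint": "https://dce-PLACEHOLDER.ingest.monitor.azure.com", "rule_id": "dcr-PLACEHOLDER",
       "client_id": "PLACEHOLDER", "client_secret": "PLACEHOLDER", "tenant_id": "PLACEHOLDER", "stream_name": "Custom-my_logs", "raw_log_field": "body"}
```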

Notes

Standalone Destination
