
Microsoft Sentinel

Description

The Microsoft Sentinel destination exports logs from Bindplane to Microsoft Sentinel (Azure Log Analytics) through the Azure Monitor Logs Ingestion API. Logs are written to a custom table in your Log Analytics workspace by way of a Data Collection Rule (DCR). Depending on whether raw_log_field is set, each log is sent either as a standard OpenTelemetry Protocol (OTLP) JSON record or as a raw log entry.

Supported Types

Logs | Metrics | Traces | Persistent Queuing | Proxy
✓    |         |        | ✓                  |

Configuration

Parameter      | Type   | Default | Description
endpoint*      | string |         | The logs ingestion endpoint of the DCR or Data Collection Endpoint (DCE); an https:// URL whose host ends in .ingest.monitor.azure.com.
rule_id*       | string |         | The Data Collection Rule's immutable ID (shown as "Immutable Id" on the rule's overview page, of the form dcr-<32 hex characters>). The rule's display name does not work here.
client_id*     | string |         | The Application (client) ID of the app registration used for authentication.
client_secret* | string |         | The client secret of that app registration. Treat it as a password: it grants write access to the table.
tenant_id*     | string |         | The Directory (tenant) ID of the Azure tenant used for authentication.
stream_name*   | string |         | The stream name of the custom log table in Log Analytics. Must be prefixed with Custom-.
raw_log_field  | string |         | The field whose value to send as the raw log. If set, each log is sent as { "RawData": ... } instead of OTLP JSON.
*required field

Supported Retry and Queuing Settings

This destination supports the following retry and queuing settings:

Sending Queue | Persistent Queue | Retry on Failure
✓             | ✓                | ✓

How It Works

This destination sends logs to Microsoft Sentinel using the Log Analytics Ingestion API. You must configure a Data Collection Rule (DCR) and a custom table in your Log Analytics workspace. Logs can be sent in two formats:

  • OTLP JSON Format (default): If raw_log_field is not set, logs are sent in standard OpenTelemetry Protocol JSON format. Your custom table must be compatible with this schema.
  • Raw Log Mode: If raw_log_field is set, the exporter extracts the data from the specified field and sends logs as { "RawData": ... }. Your custom table must have a RawData column.

Every Log Analytics table carries the required TimeGenerated column, so it is part of the table schema in both modes; the columns you define yourself are added next to it.
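To make the two modes concrete, the following is an added example (not code from Bindplane or the exporter) that shapes a constructed OTLP-style log record the way each mode describes: the OTLP JSON nesting when raw_log_field is unset, and a list of { "RawData": ... } rows when it is set. The field-reference syntax it resolves (body, or attributes.<key>) is this example's own convention and not a documented exporter syntax; the sample record and its syslog-style body are constructed.

```python
import json
from typing import Any, Optional

# Constructed sample record in the OTLP JSON log shape shown in the setup
# instructions (one logRecord with a syslog-style body and two attributes).
SAMPLE_RECORD: dict[str, Any] = {
    "observedTimeUnixNano": "1744314249480007000",
    "body": {"stringValue": "<14>Mar  4 15:53:03 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1"},
    "attributes": [
        {"key": "log.file.name", "value": {"stringValue": "sample.log"}},
        {"key": "syslog.host", "value": {"stringValue": "fw01"}},
    ],
    "traceId": "",
    "spanId": "",
}


def otlp_payload(records: list[dict[str, Any]]) -> dict[str, Any]:
    """OTLP JSON mode (raw_log_field unset): records travel as
    resourceLogs -> scopeLogs -> logRecords, so the table's schema sample
    must reproduce this nesting rather than a flat list of columns."""
    return {"resourceLogs": [{"resource": {},
                              "scopeLogs": [{"scope": {}, "logRecords": list(records)}]}]}


def extract_field(record: dict[str, Any], field: str) -> Optional[str]:
    """Resolve a raw_log_field reference against one record.

    The reference syntax ('body', or 'attributes.<key>') is this example's own
    convention, not the exporter's. Returns None when the field is absent so
    the caller decides what happens to such records."""
    if field == "body":
        return record.get("body", {}).get("stringValue")
    if field.startswith("attributes."):
        key = field[len("attributes."):]
        for attr in record.get("attributes", []):
            if attr.get("key") == key:
                return attr.get("value", {}).get("stringValue")
    return None


def raw_payload(records: list[dict[str, Any]], field: str) -> tuple[list[dict[str, str]], int]:
    """Raw log mode (raw_log_field set): each record becomes {"RawData": <value>}.

    Records that lack the field are dropped and counted instead of being sent
    as {"RawData": null}; a null row in a string column tells an analyst nothing
    and hides the fact that the source field name was wrong."""
    rows: list[dict[str, str]] = []
    dropped = 0
    for rec in records:
        value = extract_field(rec, field)
        if value is None:
            dropped += 1
            continue
        rows.append({"RawData": value})
    return rows, dropped


def build_payload(records: list[dict[str, Any]], raw_log_field: Optional[str] = None) -> str:
    """Mirror the destination's two modes and return the JSON body as text."""
    if raw_log_field is None:
        return json.dumps(otlp_payload(records))
    rows, _ = raw_payload(records, raw_log_field)
    return json.dumps(rows)


if __name__ == "__main__":
    print(build_payload([SAMPLE_RECORD]))
    print(build_payload([SAMPLE_RECORD], raw_log_field="body"))
    print(build_payload([SAMPLE_RECORD], raw_log_field="attributes.syslog.host"))
```

The practical difference for detection content: in OTLP mode the attributes and body arrive nested inside the JSON record and are addressed through the table's dynamic columns, while in raw mode only the chosen string lands in RawData and any parsing has to happen in the DCR transformation or at query time in KQL.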

Setup Instructions

1. Register an Azure AD (Microsoft Entra ID) Application (skip if you already have one)

  1. Go to Azure Active Directory (Microsoft Entra ID) > App registrations
  2. Click New registration
  3. Name your application and select the account type (usually "Single tenant")
  4. Click Register
  5. Note the Application (client) ID and Directory (tenant) ID
  6. Under Certificates & secrets, create a new client secret and copy its value immediately (it is shown only once). Choose an expiry you will rotate before it lapses; an expired secret stops ingestion silently from Sentinel's point of view, so track the date.

2. Create a Log Analytics Workspace Table (skip if you already have one)

  1. Go to your Log Analytics workspace

  2. Under Settings, select Tables

  3. Click New Custom Table

  4. Name your table. Custom tables created this way get a _CL suffix, and the stream name is Custom- followed by the table name: a table named my_logs_CL is addressed by the stream_name Custom-my_logs_CL.

  5. Select JSON as the data format

  6. Provide a schema example based on your configuration:

    • If raw_log_field is NOT set (default): use the following OTLP-formatted log schema:

      ```json
      {
        "resourceLogs": [
          {
            "resource": {},
            "scopeLogs": [
              {
                "scope": {},
                "logRecords": [
                  {
                    "observedTimeUnixNano": "1744314249480007000",
                    "body": {
                      "stringValue": "Tue Mar 04 15:57:06 2020: <14>Mar  4 15:53:03 BAR-NG-VF500 BAR-NG-VF500/box_Firewall_Activity:  Info     BAR-NG-VF500 Remove: type=FWD|proto=UDP|srcIF=eth1|srcIP=192.168.70.7|srcPort=35119|srcMAC=08:00:27:da:d7:9c|dstIP=8.8.8.8|dstPort=53|dstService=domain|dstIF=eth0|rule=InternetAccess/<App>:RestrictTim|info=Balanced Session Idle Timeout|srcNAT=192.168.70.7|dstNAT=8.8.8.8|duration=21132|count=1|receivedBytes=130|sentBytes=62|receivedPackets=1|sentPackets=1|user=|protocol=|application=|target=|content=|urlcat"
                    },
                    "attributes": [
                      {
                        "key": "log.file.name",
                        "value": {
                          "stringValue": "sample.log"
                        }
                      }
                    ],
                    "traceId": "",
                    "spanId": ""
                  },
                  {
                    "observedTimeUnixNano": "1744314249480014000",
                    "body": {
                      "stringValue": "Tue Mar 04 15:57:06 2020: <14>Mar  4 15:53:04 BAR-NG-VF500 BAR-NG-VF500/box_Firewall_Activity:  Info     BAR-NG-VF500 Remove: type=FWD|proto=UDP|srcIF=eth1|srcIP=192.168.70.7|srcPort=38686|srcMAC=08:00:27:da:d7:9c|dstIP=8.8.8.8|dstPort=53|dstService=domain|dstIF=eth0|rule=InternetAccess/<App>:RestrictTim|info=Session Idle Timeout|srcNAT=192.168.70.7|dstNAT=8.8.8.8|duration=60100|count=1|receivedBytes=0|sentBytes=62|receivedPackets=0|sentPackets=1|user=|protocol=|application=|target=|content=|urlcat="
                    },
                    "attributes": [
                      {
                        "key": "log.file.name",
                        "value": {
                          "stringValue": "sample.log"
                        }
                      }
                    ],
                    "traceId": "",
                    "spanId": ""
                  }
                ]
              }
            ]
          }
        ]
      }
      ```

    • If raw_log_field IS set: use the following simple schema with a RawData field:

      ```json
      [
        {
          "RawData": "Sample log entry content"
        }
      ]
      ```
  7. Click Create

3. Create a Data Collection Rule (DCR)

  1. In Microsoft Sentinel, go to Settings > Data Collection Rules
  2. Click Create
  3. Select your subscription, resource group, and Log Analytics workspace
  4. Choose your custom table
  5. Complete the setup and note the DCR Endpoint URL and Rule ID
    • If you do not see an endpoint URL, try updating the API version in the JSON view of your DCR ruleset. If you still don't see it, you may need to set up a Data Collection Endpoint (DCE). See Azure documentation for more information.

4. Assign Permissions

  1. Go to your DCR
  2. Under Access control (IAM), add a role assignment:
    • Role: Monitoring Metrics Publisher
    • Assign to: your Azure AD application (service principal)
  3. Repeat for the Log Analytics workspace if needed

Now you have all the required information to configure the exporter:

  • endpoint: the DCR's logs ingestion endpoint URL from step 3 (host ending in .ingest.monitor.azure.com)
  • client_id: the Application (client) ID from step 1
  • client_secret: the secret value created in step 1
  • tenant_id: the Directory (tenant) ID from step 1
  • rule_id: the DCR's immutable ID from step 3 (dcr-<32 hex characters>)
  • stream_name: the stream name of your custom table (must be prefixed with Custom-, e.g. Custom-my_logs_CL)
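Before handing these six values to Bindplane it is worth proving that they work together, because a wrong role assignment or a rule name used in place of the immutable ID only shows up as retries in the destination. The following added example (not Bindplane's or the exporter's code) performs the same exchange the destination performs: a client-credentials token request to the tenant, then a POST to the DCR's stream on the logs ingestion endpoint, and maps the usual HTTP failures back to the setup step to revisit. The Logs Ingestion API path and api-version are Microsoft's; the token scope value is assumed from Microsoft's published Logs Ingestion samples; the SENTINEL_* environment variable names and the one-row RawData batch are this example's own choices, and the batch assumes a table with a RawData column (raw log mode).

```python
import json
import os
import re
from typing import Callable
from urllib import error, parse, request

API_VERSION = "2023-01-01"  # Logs Ingestion API version used in the request URL
# Token scope for the Logs Ingestion API; assumed from Microsoft's published samples.
TOKEN_SCOPE = "https://monitor.azure.com//.default"
# DCR immutable IDs look like dcr-<32 hex digits>; the rule's display name does not work in the URL.
DCR_IMMUTABLE_ID = re.compile(r"^dcr-[0-9a-f]{32}$")

# http(method, url, headers, body) -> (status, response_text). Injected so the
# logic can be exercised offline with a fake transport.
HttpFn = Callable[[str, str, dict[str, str], bytes], tuple[int, str]]


def validate_config(cfg: dict[str, str]) -> list[str]:
    """Static checks on the six destination parameters before any network call."""
    problems = []
    if not cfg.get("endpoint", "").startswith("https://"):
        problems.append("endpoint must be an https:// URL")
    if not cfg.get("stream_name", "").startswith("Custom-"):
        problems.append("stream_name must be prefixed with Custom-")
    if not DCR_IMMUTABLE_ID.match(cfg.get("rule_id", "")):
        problems.append("rule_id should be the DCR immutable ID (dcr-<32 hex>), not the rule name")
    for key in ("client_id", "client_secret", "tenant_id"):
        if not cfg.get(key):
            problems.append(f"{key} is empty")
    return problems


def token_request(cfg: dict[str, str]) -> tuple[str, bytes]:
    """Client-credentials grant against the tenant's v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{cfg['tenant_id']}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": cfg["client_id"],
            "client_secret": cfg["client_secret"], "scope": TOKEN_SCOPE}
    return url, parse.urlencode(form).encode()


def ingest_url(cfg: dict[str, str]) -> str:
    """POST {endpoint}/dataCollectionRules/{immutableId}/streams/{stream}?api-version=..."""
    return (f"{cfg['endpoint'].rstrip('/')}/dataCollectionRules/{cfg['rule_id']}"
            f"/streams/{cfg['stream_name']}?api-version={API_VERSION}")


def preflight(cfg: dict[str, str], rows: list[dict], http: HttpFn) -> tuple[bool, str]:
    """Obtain a token, send one small batch, and map common failures to the setup step."""
    problems = validate_config(cfg)
    if problems:
        return False, "; ".join(problems)
    url, body = token_request(cfg)
    status, text = http("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        return False, f"token request failed ({status}): check tenant_id, client_id and client_secret (step 1)"
    token = json.loads(text)["access_token"]
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, text = http("POST", ingest_url(cfg), headers, json.dumps(rows).encode())
    if status == 204:  # the Logs Ingestion API answers 204 No Content on success
        return True, "ingestion accepted"
    if status == 400:
        return False, "400: the batch does not match the stream's schema (step 2)"
    if status == 403:
        return False, "403: the service principal lacks Monitoring Metrics Publisher on the DCR (step 4)"
    if status == 404:
        return False, "404: rule_id, stream_name or endpoint does not match the DCR (step 3)"
    return False, f"ingestion failed ({status}): {text}"


def urllib_http(method: str, url: str, headers: dict[str, str], body: bytes) -> tuple[int, str]:
    """Real transport using only the standard library."""
    req = request.Request(url, data=body, headers=headers, method=method)
    try:
        with request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as exc:
        return exc.code, exc.read().decode()


if __name__ == "__main__":
    # Parameters come from SENTINEL_* environment variables (this example's own names)
    # so the client secret is not hard-coded in the script.
    keys = ("endpoint", "rule_id", "client_id", "client_secret", "tenant_id", "stream_name")
    config = {k: os.environ.get(f"SENTINEL_{k.upper()}", "") for k in keys}
    sample = [{"RawData": "preflight test row"}]  # assumes a table with a RawData column
    ok, detail = preflight(config, sample, urllib_http)
    print("OK" if ok else "FAIL", detail)
```

A 204 means the role assignment, the DCR and the stream all line up; the row then appears in the table after the usual ingestion delay and can be found with a KQL query such as `my_logs_CL | take 10`. A 403 immediately after assigning the role may just be propagation lag, so retry after a few minutes before changing anything. For a table created with the OTLP schema, replace the sample batch with a record matching that schema.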

Notes

Standalone Destination

```yaml
apiVersion: bindplane.observiq.com/v1
kind: Destination
metadata:
  id: microsoftsentinel
  name: microsoftsentinel
spec:
  type: microsoftsentinel
  parameters:
    # Logs ingestion endpoint of the DCR/DCE (https://...ingest.monitor.azure.com)
    - name: endpoint
      value: '<your-log-ingestion-endpoint>'
    - name: client_id
      value: '<your-client-id>'
    # Secret value copied when the app registration's secret was created;
    # protect this file accordingly
    - name: client_secret
      value: '<your-client-secret>'
    - name: tenant_id
      value: '<your-tenant-id>'
    # DCR immutable ID (dcr-<32 hex characters>)
    - name: rule_id
      value: '<your-dcr-id>'
    # Must be prefixed with Custom-, e.g. Custom-my_logs_CL
    - name: stream_name
      value: '<your-stream-name>'
    # Uncomment to switch to raw log mode (table needs a RawData column)
    # - name: raw_log_field
    #   value: body
```