Sentinel

Use the HTTP Sink to integrate your data with Microsoft Sentinel.

Microsoft Sentinel configuration
  1. Create a Microsoft Entra application

    a. Save the application Client ID

    b. Save the application Client Secret Value

    c. Get “OAuth 2.0 token endpoint (v2)” from the application endpoints

  2. Create a data collection rule (DCR) using an ARM template

    a. Once your DCR is created, you must grant the application that you created in step 1 access to it. From the Monitor menu in the Azure portal, select Data Collection rules and then the DCR that you created. Select Access Control (IAM) for the DCR and then select Add role assignment to add the Monitoring Metrics Publisher role.

Select HTTP from the list of Data sink types and click Configuration to start.

Data sink configuration

Now you need to specify how and where to send the data, and how to establish a connection with HTTP.

Metadata

Enter the basic information for the new Data sink.

Parameters
Description

Name*

Enter a name for the new Data sink.

Description

Optionally, enter a description for the Data sink.

Tags

Add tags to easily identify your Data sink. Hit the Enter key after you define each tag.


Metrics display

Decide whether or not to include this Data sink info in the metrics and graphs of the Home area.

Click Finish when complete. Your new Data sink will appear in the Data sinks area list.

Pipeline configuration

When it comes to using this Data sink in a Pipeline, you must configure the following output parameters. To do it, simply click the Data sink on the canvas and select Configuration.

Parameter
Description

HTTP method*

POST

URL*

{Data Collection Endpoint URI}/dataCollectionRules/{DCR Immutable ID}/streams/{Stream Name}?api-version=2023-01-01

A URL only points to one single table inside the DCR (Stream Name).

Message

Choose the field containing the message you wish to send on.

Authentication configuration

Parameter
Description

Authentication type*

Choose the OAuth2 authentication type.

  • OAuth URL* - From 1.c

  • OAuth method* - POST

  • Send body as - Form URL Encoded

  • OAuth token path* - access_token

  • Query Key / Value pairs

    • grant_type: client_credentials

    • client_id: from 1.a

    • client_secret: from 1.b

    • scope: https://monitor.azure.com/.default

  • Header Key / Value pair

    • Content-Type: application/x-www-form-urlencoded
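
The two HTTP requests that the settings above produce, as an added example (not code from the product or from the original page): the OAuth2 client-credentials token request and the POST to the DCR stream, built but not sent so they can be inspected before the secret goes into the sink. The function names and all sample values (DCE URI, DCR ID, stream name, token) are constructed placeholders; the JSON-array body and Bearer header follow the Azure Monitor Logs Ingestion API.

```python
import json
import urllib.parse
import urllib.request

SCOPE = "https://monitor.azure.com/.default"
API_VERSION = "2023-01-01"

def _require_https(url):
    # The client secret and bearer token must never travel over plain HTTP.
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("endpoint must use https: " + url)

def build_token_request(token_url, client_id, client_secret):
    """Token request as configured above: POST, form URL encoded body."""
    _require_https(token_url)
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()
    return urllib.request.Request(token_url, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def extract_token(response_body):
    """Read the value at the 'access_token' path of the JSON response."""
    token = json.loads(response_body).get("access_token")
    if not token:
        raise ValueError("token response has no access_token")
    return token

def build_ingest_request(dce_uri, dcr_id, stream, records, token):
    """POST to the single stream (table) that the sink URL points to."""
    _require_https(dce_uri)
    if not isinstance(records, list):
        raise TypeError("the Logs Ingestion API expects a JSON array")
    url = "{}/dataCollectionRules/{}/streams/{}?api-version={}".format(
        dce_uri.rstrip("/"), urllib.parse.quote(dcr_id, safe=""),
        urllib.parse.quote(stream, safe=""), API_VERSION)
    return urllib.request.Request(url, data=json.dumps(records).encode(),
        method="POST", headers={"Authorization": "Bearer " + token,
                                "Content-Type": "application/json"})

if __name__ == "__main__":
    # Constructed sample values; replace with your own. Nothing is sent.
    req = build_ingest_request(
        "https://example-dce.eastus-1.ingest.monitor.azure.com",
        "dcr-00000000000000000000000000000000", "Custom-Example_CL",
        [{"TimeGenerated": "2024-01-01T00:00:00Z", "Message": "test"}],
        extract_token('{"access_token": "sample-token"}'))
    print(req.get_method(), req.full_url)
```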
