Forward Logs to Microsoft Sentinel

1. To authenticate SLS API calls to Azure, you must provision a service principal. Reference the Microsoft documentation to Create an Azure Entra ID Service Principal and obtain a client secret.
2. The App Registration requires permissions to push data into Azure Monitor. You can apply this role to the Data Collection Rule (DCR) or at the Resource Group level. Reference the Microsoft documentation to Assign Azure roles using the Azure portal.
3. The Data Collection Endpoint (DCE) serves as the ingestion URL for incoming logs. You can use the default DCE provided by the DCR or create a custom endpoint. Reference: Data collection endpoints in Azure Monitor.
4. Create the Custom Log Analytics Table: When integrating with Azure Log Analytics, you must account for naming restrictions. Azure Log Analytics tables do not support hyphens in column names. To ensure successful data ingestion:

   1. Define the Schema: Use underscores instead of hyphens when defining your table (for example, use X_Forwarded_ForIP instead of X-Forwarded-ForIP).
   2. Map the Data: Use a KQL transform to map the incoming field from the log forwarder to the supported table column.

   Example KQL Transform:

   source
   | extend X_Forwarded_ForIP = ['X-Forwarded-ForIP']
   | project-away ['X-Forwarded-ForIP']

5. Create a Data Collection Rule: The Data Collection Rule (DCR) processes the pipeline by mapping incoming JSON data to the Sentinel table.
6. Configure Schema and Transformation: Apply transformations to incoming traffic before the data is stored in the tables.

   Example Transformation:

   "source | extend TimeGenerated = todatetime(TimeGenerated) | 
   extend TimeReceived = todatetime(TimeReceived) | 
   extend X_Forwarded_ForIP = tostring(['X-Forwarded-ForIP']) | 
   extend SessionID = tostring(SessionID) | 
   extend SourcePort = tostring(SourcePort) | 
   extend DestinationPort = tostring(DestinationPort)", "outputStream": "Custom-PaloAltoTraffic_CL"

7. Configure the Log Forwarding Profile: In the Strata Logging Service console, map the Azure credentials as follows:

   SLS Field	Azure Value
   URL (Destination)	https://<DCE-Name>.<Region>.ingest.monitor.azure.com/dataCollectionRules/<DCR-Immutable-ID>/streams/<target_table>?api-version=2023-01-01
   MS Tenant ID	App Registration Directory ID
   Client Request ID	App Registration Application ID
   Client Secret	App Registration Secret Value
   Token Endpoint	https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token
   Scope	https://monitor.azure.com/.default