Forward Logs to Microsoft Sentinel
Learn how to forward logs from Strata Logging Service to Microsoft Sentinel using the Azure Monitor Log Ingestion API.
Configure Strata Logging Service to forward logs to Microsoft Sentinel using the Azure Monitor Log Ingestion API. This method replaces the legacy Data Collector API.
  1. Provision a Service Principal: To authenticate SLS API calls to Azure, you must provision a service principal. Reference the Microsoft documentation to Create an Azure Entra ID Service Principal and obtain a client secret.
    Under the Redirect URI configuration, leave the type and URL fields completely blank. This is a non-interactive machine-to-machine connection; a redirect path is not required, even if your organization uses a custom or federated Identity Provider (IdP).
  2. Assign Ingestion Roles: The App Registration requires permissions to push data into Azure Monitor. In the Azure Portal, assign the Monitoring Metrics Publisher role to your App Registration. You can scope this role to your resource group or directly to the Data Collection Rule (DCR) once created. Reference the Microsoft documentation to Assign Azure roles using the Azure portal.
  3. Identify your Data Collection Endpoint (DCE): The DCE serves as the base ingestion URL for incoming logs. Ensure you have an active DCE located in the same Azure region as your Log Analytics Workspace. Reference: Data collection endpoints in Azure Monitor.
  4. Create the Custom Log Analytics Table: When integrating with Azure Log Analytics, you must account for naming restrictions. Azure Log Analytics tables do not support hyphens in column names. To avoid requiring a sample JSON payload during portal configuration, use the Azure CLI to instantly create your destination table with its predefined columns.
    To define your data schemas during deployment, you must configure your table structures using an authorized interface.
    • SQL Commands: To configure tables via SQL commands, reference the specific data type structures outlined in Data Types within the Technical Considerations section of this guide.
    • Alternative Methods: To create tables using Azure Resource Manager templates or REST APIs, refer directly to the Microsoft Azure documentation.
    Here is an example of how you can run the command in your Azure Cloud Shell or local Azure CLI terminal.
    Swap out the columns, table name, resource group, or workspace with your own values. If you are creating a custom table, Azure Log Analytics requires the name to end with _CL (Custom Log); the example below uses PaloAltoTraffic_CL, the table referenced in the later steps.
    az monitor log-analytics workspace table create \
        --resource-group "YourResourceGroupName" \
        --workspace-name "YourWorkspaceName" \
        --name "PaloAltoTraffic_CL" \
        --columns TimeGenerated=datetime X_Forwarded_ForIP=string SourceAddress=string \
                  DestinationAddress=string SourcePort=int DestinationPort=int \
                  Protocol=string Action=string RuleName=string \
        --plan Analytics \
        --retention-time 30
  5. Create a Data Collection Rule: The Data Collection Rule (DCR) defines the ingestion pipeline by mapping incoming JSON data streams to your Sentinel workspace.
    1. In the Azure Portal, create a new DCR using the Custom platform type.
    2. Ensure the DCR region matches your workspace, and select your existing DCE on the Basics tab.
    3. On the Resources tab, associate your Log Analytics Workspace.
  6. Configure Schema and Transformation: On the Collect and Deliver tab of your DCR, select Custom Text Logs or Logs Ingestion API as your data source, specify your PaloAltoTraffic_CL table, and open the Transformation Editor. Apply the following KQL transformation to map the mandatory timestamp and rename the hyphenated field to its underscore form. All other fields defined in the table pass through unchanged:
    Example Transformation:
    source
    | extend TimeGenerated = todatetime(TimeGenerated)
    | extend X_Forwarded_ForIP = tostring(['X-Forwarded-ForIP'])
    | project-away ['X-Forwarded-ForIP']
  7. Configure the Log Forwarding Profile: In the Strata Logging Service console, map the Azure credentials as follows:
    SLS Field          Azure Value
    URL (Destination)  https://<DCE-Name>.<Region>.ingest.monitor.azure.com/dataCollectionRules/<DCR-Immutable-ID>/streams/Custom-PaloAltoTraffic_CL?api-version=2023-01-01
    MS Tenant ID       App Registration Directory (tenant) ID
    Client Request ID  App Registration Application (client) ID
    Client Secret      App Registration Secret Value
    Token Endpoint     https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token
    Scope              https://monitor.azure.com/.default
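The exchange that the forwarding profile above configures, written out as an added example (not code from this page, from Palo Alto Networks or from Microsoft): a client-credentials token request against the token endpoint with the monitor.azure.com scope, then a JSON array POSTed to the DCE URL built from the DCE name, DCR immutable ID and Custom-<table> stream. The SENTINEL_* environment variable names, the sample row and the DryRunResponse stand-in are assumptions; without credentials the script only prints the requests it would make.

```python
# Added example: push one batch to an Azure Monitor Data Collection Endpoint.
# Credentials come from SENTINEL_* environment variables (constructed names);
# if they are absent, DryRunResponse replaces the network call.
import json
import os
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "2023-01-01"
SCOPE = "https://monitor.azure.com/.default"


def token_request(tenant_id, client_id, client_secret):
    """URL and form body for the OAuth2 client-credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": SCOPE}
    return url, urllib.parse.urlencode(form).encode()


def ingest_url(dce_host, dcr_immutable_id, table):
    """DCE ingestion URL; the DCR stream for a custom table is Custom-<table>."""
    return (f"https://{dce_host}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/Custom-{table}?api-version={API_VERSION}")


def classify(status):
    """What an HTTP status from the DCE actually tells the operator."""
    if status == 204:
        return "accepted"   # received by the endpoint; rows can still be dropped on schema mismatch
    if status in (401, 403):
        return "auth"       # bad token, missing Monitoring Metrics Publisher role, or wrong DCR
    if status == 429:
        return "throttled"  # back off and retry later
    return "error"


class DryRunResponse:
    """Stand-in for urllib's response object so the flow runs without credentials."""

    def __init__(self, req):
        self.status = 200 if "login.microsoftonline.com" in req.full_url else 204
        # Only method and URL are shown: the token form body carries the client secret.
        print("dry run:", req.get_method(), req.full_url)

    def read(self):
        return b'{"access_token": "dry-run-token"}'

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def call(req, opener=urllib.request.urlopen):
    """Issue a request and return (status, body) instead of raising on 4xx/5xx."""
    try:
        with opener(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def get_token(tenant_id, client_id, client_secret, opener=urllib.request.urlopen):
    """Exchange the service principal secret for a bearer token scoped to Azure Monitor."""
    url, body = token_request(tenant_id, client_id, client_secret)
    status, payload = call(urllib.request.Request(url, data=body, method="POST"), opener)
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    return json.loads(payload)["access_token"]


def post_batch(url, token, records, opener=urllib.request.urlopen):
    """POST a JSON array (the API expects an array even for one record); classify the reply."""
    req = urllib.request.Request(
        url, data=json.dumps(records).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    status, _ = call(req, opener)
    return classify(status)


# Constructed sample row matching the columns declared for PaloAltoTraffic_CL in step 4.
SAMPLE_ROWS = [{
    "TimeGenerated": "2024-05-01T12:34:56Z", "X_Forwarded_ForIP": "203.0.113.7",
    "SourceAddress": "10.0.0.5", "DestinationAddress": "198.51.100.20",
    "SourcePort": 51514, "DestinationPort": 443, "Protocol": "tcp",
    "Action": "allow", "RuleName": "allow-web",
}]

if __name__ == "__main__":
    cfg = {k: os.environ.get("SENTINEL_" + k, "") for k in
           ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", "DCE_HOST", "DCR_ID")}
    opener = urllib.request.urlopen if all(cfg.values()) else DryRunResponse
    token = get_token(cfg["TENANT_ID"] or "tenant", cfg["CLIENT_ID"] or "client",
                      cfg["CLIENT_SECRET"] or "secret", opener)
    url = ingest_url(cfg["DCE_HOST"] or "dce.eastus.ingest.monitor.azure.com",
                     cfg["DCR_ID"] or "dcr-immutable-id", "PaloAltoTraffic_CL")
    print(post_batch(url, token, SAMPLE_ROWS, opener))
```

The classify() mapping is the practical reading of the Ingestion Confirmation note above: a 204 only proves the DCE took the batch, so after the first live run query the table in Log Analytics to confirm rows actually landed before trusting the status code.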

Migrate from Data Collector API (Legacy)

The Azure Monitor HTTP Data Collector API retires September 14, 2026. If you use the legacy data sink, you must update the integration to use Data Collection Rules (DCRs).
For details, see the migration guide from Microsoft.
If you have an existing custom table, you have two options:
  1. Migrate the table so that it ingests data into the same table using the Log Ingestion API.
  2. Create a new table that ingests data using the Log Ingestion API, then delete the legacy table after verification.

Technical Considerations
  • Case Sensitivity — Column names must exactly match the defined schema.
  • Required Fields — The TimeGenerated field (datetime) is mandatory for all tables.
  • Schema Enforcement — Azure drops any fields not explicitly declared in the table schema or accounted for in the transformation block.
  • Ingestion Confirmation — An HTTP 204 response from the DCE confirms receipt of data by the endpoint but does not guarantee successful ingestion into the destination table if a schema mismatch exists.
  • Data Types — Format boolean fields as JSON true or false. Define hexadecimal strings (e.g., Flags, ActionFlags) as strings.
Palo Alto Field Type  Examples                      Azure Data Type  Notes
Time/Date             receive_time, time_generated  datetime
Identifiers/IPs       src, dst, rule, sessionid     string
Counts/Bytes          bytes, packets, repeatcnt     long             Recommended for high-volume traffic.
Ports                 sport, dport                  int
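The Technical Considerations and the data-type table above describe rules Azure applies silently at ingest time; an added example (not code from this page or from Palo Alto Networks) that applies the same rules locally, so a schema mismatch shows up as an error before the batch is sent rather than as a 204 with missing rows. SCHEMA is the column list from the az CLI command in step 4 plus three constructed columns (Bytes as long, Flags as a hex string, Allowed as boolean) to exercise each data type; the PAN-OS "YYYY/MM/DD HH:MM:SS" timestamp form and the sample record are assumptions.

```python
# Added example: shape one Palo Alto traffic record to the declared custom table.
# Mirrors Azure's ingest rules: case-sensitive column names, mandatory TimeGenerated,
# hyphenated names mapped to the underscore form, undeclared fields dropped.
from datetime import datetime, timezone

SCHEMA = {
    "TimeGenerated": "datetime",
    "X_Forwarded_ForIP": "string",
    "SourceAddress": "string",
    "DestinationAddress": "string",
    "SourcePort": "int",
    "DestinationPort": "int",
    "Protocol": "string",
    "Action": "string",
    "RuleName": "string",
    "Bytes": "long",        # constructed column: counts/bytes are 'long'
    "Flags": "string",      # constructed column: hex flag values stay strings
    "Allowed": "boolean",   # constructed column: JSON true/false
}
# Same mapping the DCR transformation in step 6 performs server-side.
RENAMES = {"X-Forwarded-ForIP": "X_Forwarded_ForIP"}

INT32_MAX = 2 ** 31 - 1
INT64_MAX = 2 ** 63 - 1


def to_datetime(value):
    """Accept epoch seconds, the PAN-OS 'YYYY/MM/DD HH:MM:SS' form (assumed), or ISO 8601; emit ISO 8601 UTC."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        dt = datetime.fromtimestamp(value, tz=timezone.utc)
    else:
        text = str(value).strip()
        try:
            dt = datetime.strptime(text, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        except ValueError:
            dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def coerce(value, azure_type):
    """Convert a raw field to the Python value that serializes as the declared Azure type."""
    if azure_type == "datetime":
        return to_datetime(value)
    if azure_type == "string":
        return str(value)            # "0x400000" must stay text, never become a number
    if azure_type == "boolean":
        if isinstance(value, bool):
            return value
        text = str(value).lower()
        if text in ("true", "yes", "1"):
            return True
        if text in ("false", "no", "0"):
            return False
        raise ValueError(f"{value!r} is not a boolean")
    if azure_type in ("int", "long"):
        number = int(value)          # int("0x...") raises, which is the wanted outcome
        limit = INT32_MAX if azure_type == "int" else INT64_MAX
        if not -limit - 1 <= number <= limit:
            raise ValueError(f"{number} out of range for {azure_type}")
        return number
    raise ValueError(f"unsupported Azure type {azure_type}")


def shape(record):
    """Return (row, dropped_fields, errors). A row with errors must not be sent."""
    row, dropped, errors = {}, [], []
    for name, value in record.items():
        name = RENAMES.get(name, name)
        if name not in SCHEMA:
            dropped.append(name)     # case-sensitive: 'sourceaddress' is undeclared
            continue
        try:
            row[name] = coerce(value, SCHEMA[name])
        except (ValueError, TypeError, OverflowError, OSError) as exc:
            errors.append(f"{name}: {exc}")
    if "TimeGenerated" not in row:
        errors.append("TimeGenerated: missing (mandatory datetime column)")
    return row, dropped, errors


# Constructed sample record as a log forwarder might emit it: strings throughout,
# a hyphenated field, a hex flag value and one field the table does not declare.
SAMPLE = {
    "TimeGenerated": "2024/05/01 12:34:56",
    "X-Forwarded-ForIP": "203.0.113.7",
    "SourceAddress": "10.0.0.5",
    "DestinationAddress": "198.51.100.20",
    "SourcePort": "51514",
    "DestinationPort": "443",
    "Protocol": "tcp",
    "Action": "allow",
    "RuleName": "allow-web",
    "Bytes": "1048576",
    "Flags": "0x400000",
    "Allowed": "true",
    "sessionid": "12345",
}

if __name__ == "__main__":
    row, dropped, errors = shape(SAMPLE)
    print("row:", row)
    print("dropped (undeclared):", dropped)
    print("errors:", errors or "none")
```

Run shape() over a sample of real records before the first live forward: the dropped list tells you which fields the table silently loses, and the errors list catches the out-of-range port or non-numeric byte count that would otherwise turn into a 204 with nothing in the table.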