Microsoft Sentinel
Synopsis
Creates a target that ingests log messages into Microsoft Sentinel workspace tables using Data Collection Rules (DCRs). Supports automatic table selection based on input type and ASIM normalization.
Schema
```yaml
- id: <numeric>
  name: <string>
  description: <string>
  type: sentinel
  pipelines: <pipeline[]>
  status: <boolean>
  properties:
    tenant_id: <string>
    client_id: <string>
    client_secret: <string>
    rule_id: <string>
    endpoint: <string>
    stream: <string[]>
    buffer_size: <numeric>
```
Configuration
The following are the minimum requirements to define the target.
Field | Required | Default | Description |
---|---|---|---|
id | Y | - | Unique identifier |
name | Y | - | Target name |
description | N | - | Optional description |
type | Y | - | Must be `sentinel` |
pipelines | N | - | Optional post-processor pipelines |
status | N | true | Enable/disable the target |
Azure
Field | Required | Default | Description |
---|---|---|---|
tenant_id | Y | - | Azure tenant ID |
client_id | Y | - | Client (application) ID of the Azure app registration |
client_secret | Y | - | Client secret of the app registration |
rule_id | Y | - | Data Collection Rule (DCR) immutable ID (`dcr-...`) |
endpoint | Y | - | DCR ingestion endpoint URL |

The client secret is stored in clear text in the target definition, so restrict read access to the configuration file. The app registration only needs the Monitoring Metrics Publisher role on the DCR itself; do not grant it wider rights on the workspace.
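The following is an added example, not the target's own code, showing how the five Azure fields map onto the two requests a DCR-based ingestion makes. It assumes (the page does not state this) that the target drives the Azure Monitor Logs Ingestion API: a client-credentials token request against `login.microsoftonline.com`, then a POST to `{endpoint}/dataCollectionRules/{rule_id}/streams/{stream}`. The `EXAMPLE_PROPS` values are the page's placeholders; nothing is sent unless `post()` is called explicitly.

```python
"""Map a sentinel target's Azure properties onto Logs Ingestion API requests.

Added example, not the target's own code. Assumption (not stated on the page):
the target uses the Azure Monitor Logs Ingestion API, whose shape is
  token  : POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
  ingest : POST {endpoint}/dataCollectionRules/{rule_id}/streams/{stream}
                ?api-version=2023-01-01   with a JSON array of records as body
"""
import json
import re
import urllib.parse
import urllib.request

API_VERSION = "2023-01-01"
# Scope of the Logs Ingestion API; the double slash is how Azure spells it.
SCOPE = "https://monitor.azure.com//.default"
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed values mirroring the page's placeholders.
EXAMPLE_PROPS = {
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "client_id": "00000000-0000-0000-0000-000000000000",
    "client_secret": "your-client-secret",
    "rule_id": "dcr-00000000-0000-0000-0000-000000000000",
    "endpoint": "https://your-dcr-endpoint",
}


def validate_azure_properties(props: dict) -> list:
    """Return the problems found in the Azure section of a sentinel target.

    Cheap shape checks to run before the first ingestion attempt; an empty
    list means the fields look right, not that the credentials have access.
    """
    problems = []
    for key in ("tenant_id", "client_id"):
        if not GUID.match(str(props.get(key, ""))):
            problems.append(f"{key} is not a GUID")
    if not props.get("client_secret"):
        problems.append("client_secret is empty")
    if not str(props.get("rule_id", "")).startswith("dcr-"):
        problems.append("rule_id should be the DCR immutable ID (starts with 'dcr-')")
    ep = urllib.parse.urlsplit(str(props.get("endpoint", "")))
    if ep.scheme != "https" or not ep.netloc:
        problems.append("endpoint must be an https:// URL")
    return problems


def token_request(props: dict):
    """Client-credentials token request for the app registration in props."""
    url = f"https://login.microsoftonline.com/{props['tenant_id']}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": props["client_id"],
        "client_secret": props["client_secret"],
        "scope": SCOPE,
    }
    return url, form


def ingest_request(props: dict, stream: str, records: list, token: str):
    """URL, headers and body for one batch sent to one stream of the DCR."""
    url = (f"{props['endpoint'].rstrip('/')}/dataCollectionRules/{props['rule_id']}"
           f"/streams/{stream}?api-version={API_VERSION}")
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    body = json.dumps(records, separators=(",", ":")).encode()
    return url, headers, body


def post(url: str, headers: dict, body: bytes) -> int:
    """Send a prepared request; the Logs Ingestion API answers 204 on success."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    print(validate_azure_properties(EXAMPLE_PROPS))
    url, _, _ = ingest_request(EXAMPLE_PROPS, "Custom-Syslog",
                               [{"Computer": "host1"}], "TOKEN")
    print(url)
```

Running `validate_azure_properties()` against a target before enabling it catches the common copy-paste mistakes (a DCR resource ID instead of the immutable `dcr-` ID, an `http://` endpoint) without spending a token request; a real end-to-end check is a `post()` of a one-record batch to a test stream, which should return 204.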
Streams
Field | Required | Default | Description |
---|---|---|---|
stream | N | auto | Target table streams (one or more stream names; see Tables) |
buffer_size | N | 1048576 | Batch buffer size in bytes (1 MiB) |
When the accumulated batch reaches buffer_size, it is sent to Sentinel and a new batch is started. A larger buffer means fewer, larger requests to the ingestion endpoint; a smaller buffer delivers events sooner, so choose the size to match your throughput and latency needs.
Tables
When stream is not specified, the appropriate tables are automatically selected based on the input type:
Input Type | Target Table |
---|---|
Windows Event Log | Custom-WindowsEvent |
Windows Application Log | Custom-WindowsEvent |
Windows System Log | Custom-WindowsEvent |
Windows Security Log | Custom-SecurityEvent |
Syslog | Custom-Syslog |
Linux Audit Report | Custom-CommonSecurityLog |
Windows Audit Report | Custom-CommonSecurityLog |
You can also specify one or more of these explicitly:

Standard (prefix `Custom-`):
- WindowsEvent
- SecurityEvent
- CommonSecurityLog
- Syslog

ASIM (prefix `Custom-` or `Microsoft-`):
- ASimAuditEventLogs
- ASimAuthenticationEventLogs
- ASimDhcpEventLogs
- ASimDnsActivityLogs
- ASimFileEventLogs
- ASimNetworkSessionLogs
- ASimProcessEventLogs
- ASimRegistryEventLogs
- ASimUserManagementActivityLogs
Data is normalized to the ASIM schema before ingestion, which keeps field names consistent across different data sources.
If a single message exceeds the maximum allowed size, it is held back and retried during the finalization phase.
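The batching rules described under Streams and in the oversized-message note above, as an added example that is not the target's own implementation. It assumes a batch is framed as a JSON array, that buffer_size bounds the framed payload, and that "exceeds the maximum allowed size" means a record that cannot fit a batch even on its own; such records are stored and sent one per request in `finalize()`. The sample events are constructed.

```python
"""Batch records by buffer_size and hold back oversized messages for finalization.

Added illustration of the behaviour described on the page, not the target's
own code. Assumptions: a batch is framed as a JSON array, the buffer limit
applies to the framed payload, and a record that cannot fit a batch on its
own is the "exceeds the maximum allowed size" case.
"""
import json


class SentinelBatcher:
    def __init__(self, send, buffer_size=1048576):
        self.send = send            # callable taking the framed payload bytes
        self.buffer_size = buffer_size
        self.batch = []             # encoded records in the current batch
        self.payload_bytes = 2      # "[" and "]" are always present
        self.deferred = []          # records that never fit; retried at finalize

    def _projected(self, n):
        """Payload size if a record of n bytes were appended now."""
        return self.payload_bytes + n + (1 if self.batch else 0)

    def add(self, record):
        encoded = json.dumps(record, separators=(",", ":")).encode()
        if 2 + len(encoded) > self.buffer_size:
            # Too large for any batch: store it and retry alone in finalize().
            self.deferred.append(encoded)
            return
        if self.batch and self._projected(len(encoded)) > self.buffer_size:
            self.flush()            # limit reached: send this batch, start a new one
        self.payload_bytes = self._projected(len(encoded))
        self.batch.append(encoded)

    def flush(self):
        """Send the current batch (if any); return the number of records sent."""
        if not self.batch:
            return 0
        self.send(b"[" + b",".join(self.batch) + b"]")
        sent = len(self.batch)
        self.batch, self.payload_bytes = [], 2
        return sent

    def finalize(self):
        """Flush the open batch, then retry each deferred record on its own."""
        sent = self.flush()
        for encoded in self.deferred:
            self.send(b"[" + encoded + b"]")
            sent += 1
        self.deferred = []
        return sent


def simulate(records, buffer_size):
    """Run records through a batcher with an in-memory sink.

    Returns the byte size of every payload sent, in order, and how many
    records were deferred until finalization.
    """
    sizes = []
    batcher = SentinelBatcher(lambda payload: sizes.append(len(payload)), buffer_size)
    for r in records:
        batcher.add(r)
    deferred = len(batcher.deferred)
    batcher.finalize()
    return sizes, deferred


if __name__ == "__main__":
    # Constructed sample: four small Windows events plus one oversized record.
    events = [{"EventID": 4624, "Computer": "host1"}] * 4
    events.append({"EventID": 4688, "CommandLine": "x" * 200})
    print(simulate(events, buffer_size=120))
```

With a 120-byte buffer the four 35-byte events go out as a batch of three (109 bytes) followed by a batch of one at finalization, and the 233-byte record is deferred and sent alone; every regular batch stays within buffer_size, which is the property to keep in mind when sizing the buffer against the ingestion endpoint's own request limits.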
Examples
Basic
The minimum configuration using automatic table selection:
```yaml
- id: 1
  name: auto_sentinel
  type: sentinel
  properties:
    tenant_id: "00000000-0000-0000-0000-000000000000"
    client_id: "00000000-0000-0000-0000-000000000000"
    client_secret: "your-client-secret"
    rule_id: "dcr-00000000-0000-0000-0000-000000000000"
    endpoint: "https://your-dcr-endpoint"
```
Specific
Configuration for specific ASIM table ingestion:
```yaml
- id: 2
  name: specific_sentinel
  type: sentinel
  properties:
    tenant_id: "00000000-0000-0000-0000-000000000000"
    client_id: "00000000-0000-0000-0000-000000000000"
    client_secret: "your-client-secret"
    rule_id: "dcr-00000000-0000-0000-0000-000000000000"
    endpoint: "https://your-dcr-endpoint"
    stream:
      - "Custom-ASimProcessEventLogs"
      - "Custom-ASimFileEventLogs"
      - "Custom-ASimNetworkSessionLogs"
```
Optimized
Configuration with custom buffer size:
```yaml
- id: 3
  name: optimized_sentinel
  type: sentinel
  pipelines:
    - checkpoint
  properties:
    tenant_id: "00000000-0000-0000-0000-000000000000"
    client_id: "00000000-0000-0000-0000-000000000000"
    client_secret: "your-client-secret"
    rule_id: "dcr-00000000-0000-0000-0000-000000000000"
    endpoint: "https://your-dcr-endpoint"
    buffer_size: 5242880 # 5 MiB
```