Microsoft Sentinel

To add a Microsoft Sentinel or Azure Monitor destination to Axoflow, complete the following steps. Axoflow Console can configure your AxoRouters to send data to the built-in syslog table of Azure Monitor.

Prerequisites

Steps

  1. Create a new destination.

    1. Open the Axoflow Console.
    2. Select Topology.
    3. Select + > Destination.
  2. Configure the destination.

    1. Select Sentinel or Azure Monitor.

    2. Enter a name for the destination.

      Configure the Sentinel destination

    3. Configure the credentials needed for authentication.

      ![Configure authentication for Sentinel destination](auth-table .png)

      • Tenant ID: Directory (tenant) ID of the environment where you’re sending the data. In practice, every resource involved belongs to this tenant: the Entra ID application, the Log Analytics workspace, Sentinel, the DCE and the DCR, and so on.
      • Application ID: Application (client) ID of the Microsoft Entra ID application.
      • Application secret: The Client secret of the Microsoft Entra ID application.
      • Scope: The scope for the authentication token. You can usually leave this empty to use the default value (https://monitor.azure.com//.default).
    4. Specify the details of the table to send the data to.

    5. (Optional) Set other options as needed for your environment.

      • Timeout: The number of seconds to wait for a log-forwarding request to complete; if it is exceeded, AxoRouter reconnects to the server. The default (0) is unlimited. For more details, see the AxoSyslog documentation.
      • Batch Timeout: Maximum time in milliseconds to wait for a batch to be filled before sending it. The default value (-1) means that the batch must be full before sending, which may result in a long wait if the incoming traffic is low. For more details, see the AxoSyslog documentation.
      • Workers: Used for scaling the destination in case of high message load. Specifies the number of worker threads AxoRouter uses for sending messages to the destination. The default is 1. If high message throughput is not a concern, leave it at 1. For maximum performance, increase it up to the number of CPU cores available on AxoRouter. For more details, see the AxoSyslog documentation.
    6. Select Create.

  3. Create a flow to connect the new destination to an AxoRouter instance.
    1. Select Flows.

    2. Select Create New Flow.

    3. Enter a name for the flow, for example, my-test-flow.

      Create a flow

    4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow to. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

    5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      AxoRouter as destination

    6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      Example processing steps

    7. Select Create.

    8. The new flow appears in the Flows list.

      The new flow
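The credentials entered in step 2 (Tenant ID, Application ID, Application secret, Scope) are used by the destination to obtain a client-credentials token from Microsoft Entra ID. The following preflight check is an added example, not Axoflow's or AxoRouter's own code: it requests a token with the same parameters, applies the same default scope when the Scope field is left empty, and inspects the token's claims so you can confirm the application has the expected audience and roles before storing the secret in a destination. The environment variable names, the Entra token endpoint and the audience value `https://monitor.azure.com` are assumptions.

```python
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Default shown in the Scope field of the destination form.
DEFAULT_SCOPE = "https://monitor.azure.com//.default"


def token_request(tenant_id, app_id, app_secret, scope=""):
    """Build the client-credentials request the destination performs.
    An empty Scope falls back to DEFAULT_SCOPE, as the form does."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_secret,
        "scope": scope.strip() or DEFAULT_SCOPE,
    }
    return url, body


def decode_jwt_payload(token):
    """Decode the (unverified) payload segment of a JWT to inspect its claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_ok(claims):
    """True when the token was issued for Azure Monitor (assumed resource URI)."""
    return claims.get("aud", "").rstrip("/") == "https://monitor.azure.com"


def acquire_token(tenant_id, app_id, app_secret, scope=""):
    """Perform the token request and return the raw access token."""
    url, body = token_request(tenant_id, app_id, app_secret, scope)
    data = urllib.parse.urlencode(body).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Placeholder variables: supply the same values you enter in the destination form.
    tenant, app, secret = (os.environ[k] for k in ("AZ_TENANT_ID", "AZ_APP_ID", "AZ_APP_SECRET"))
    claims = decode_jwt_payload(acquire_token(tenant, app, secret, os.environ.get("AZ_SCOPE", "")))
    print("iss:", claims.get("iss"), "aud:", claims.get("aud"), "roles:", claims.get("roles"))
    sys.exit(0 if audience_ok(claims) else 1)
```

A non-zero exit means the token was issued for a different resource than Azure Monitor, so the destination would be rejected by the ingestion endpoint even though the secret itself is valid.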