Configure Sentinel
To send data from AxoRouter to Microsoft Sentinel, you have to configure a number of things in Sentinel before configuring a destination in AxoConsole. Complete the following steps.
Create an Azure App
Create an Azure (Microsoft Entra) application and credentials for it.
- Navigate to App registrations on the Azure Portal.
- Click New registration and register an application (for example, AxoflowIngestion).
- Save the Application (Client) ID and the Directory (Tenant) ID (you’ll need these later to configure Axoflow).
- Go to Certificates & secrets > Client secrets > + New client secret.
- Add a description and expiration, click Add, and record the secret value (OAuth secret). You’ll need this later to configure Axoflow.
NOTE: Set a reminder to renew the secret and update your Axoflow configuration before it expires; otherwise your AxoRouters won’t be able to send data to Sentinel, possibly causing data loss.
Enable Microsoft Sentinel on a Log Analytics Workspace
- In the Azure Portal search for Microsoft Sentinel.
- Select an existing workspace or create a new one (choose Resource Group and Region).
- Once added, select the workspace and open Tables.
- You should see the CommonSecurityLog, SecurityEvents, Syslog, WindowsEvents built-in tables. Sometimes the Syslog table appears only when it has data.
- From the workspace Overview, open JSON View and record the Workspace Resource ID (needed in templates).
Create a Data Collection Endpoint (DCE)
To create a Data Collection Endpoint, complete the following steps. For more details, see the Microsoft Sentinel documentation.
- Search for Deploy a custom template in Azure services.
- Choose Build your own template in the editor.
- Download the Axoflow DCE template, and upload or paste it into the template editor. Click Save.
- Set the parameters of the DCE. Make sure Region matches your Sentinel workspace.
- After creation, open it and copy its endpoint URL (that’s logsIngestion.endpoint in the JSON view) and its Resource ID (id). You’ll need the endpoint later to configure Axoflow, and the resource ID to configure the data collection rule.
Create a Data Collection Rule (DCR)
To create a Data Collection Rule, complete the following steps. For more details, see the Microsoft Sentinel documentation.
- Search for Deploy a custom template in Azure services.
- Choose Build your own template in the editor.
- Download the Axoflow DCR template, and upload or paste it into the template editor. Click Save.
- Set the parameters of the DCR. Enter the Workspace Resource ID and Endpoint Resource ID from the previous steps.
- After creation, open it and copy its immutableID from the JSON view. You’ll need it later to configure Axoflow.
Assign Permissions on the DCR
- Open Access control (IAM) on the DCR.
- Add a role assignment:
  - Role: Monitoring Metrics Publisher
  - Member: the Azure App you created in step 1 (Create an Azure App)
- Review and assign. This gives the app permissions to push data into Sentinel via the DCR.
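Once the app, DCE, DCR and role assignment exist, a quick way to confirm that the values you recorded actually work before you configure AxoConsole is to push one test record through Azure's Logs Ingestion API with the app's client credentials. The script below is an added example, not Axoflow's code: the tenant ID, client ID, secret, DCE endpoint and DCR immutable ID are placeholders for the values recorded above, and the stream name is assumed (use the one declared in the Axoflow DCR template).

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders: fill in the values recorded in the steps above.
TENANT_ID = "<directory-tenant-id>"
CLIENT_ID = "<application-client-id>"
CLIENT_SECRET = "<oauth-secret-value>"
DCE_ENDPOINT = "https://<dce-name>.<region>.ingest.monitor.azure.com"
DCR_IMMUTABLE_ID = "dcr-<immutable-id>"
STREAM = "Custom-AxoflowSyslog"  # assumed; use the stream name the Axoflow DCR template declares

def token_request(tenant_id, client_id, client_secret):
    """OAuth2 client-credentials request for the Azure App, scoped to the Azure Monitor audience."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": "https://monitor.azure.com/.default"}
    return url, urllib.parse.urlencode(form).encode(), {}

def ingest_request(endpoint, immutable_id, stream, records, token):
    """Logs Ingestion API call: POST a JSON array of records to the DCR stream through the DCE."""
    url = (f"{endpoint.rstrip('/')}/dataCollectionRules/{immutable_id}"
           f"/streams/{stream}?api-version=2023-01-01")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return url, json.dumps(records).encode(), headers

def explain_status(status):
    """Map the usual failure codes to the configuration step to revisit."""
    hints = {401: "token rejected: check tenant ID, client ID and secret (has it expired?)",
             403: "forbidden: Monitoring Metrics Publisher missing on the DCR, or not propagated yet",
             404: "not found: check the DCE endpoint URL, DCR immutable ID and stream name"}
    return hints.get(status, f"HTTP {status}: the response body usually names the schema problem")

def post(url, body, headers):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, explain_status(err.code) + "\n" + err.read().decode()

if __name__ == "__main__":
    status, body = post(*token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET))
    if status != 200:
        raise SystemExit(body)
    record = [{"RawData": "axoflow sentinel connectivity test"}]  # constructed test row
    token = json.loads(body)["access_token"]
    print(post(*ingest_request(DCE_ENDPOINT, DCR_IMMUTABLE_ID, STREAM, record, token)))
```

A 204 response means the whole chain (app credentials, DCE, DCR and role assignment) works; a 403 right after assigning the role usually just means the assignment has not propagated yet, so retry after a few minutes before changing anything.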
After configuring everything in Sentinel, configure a Sentinel destination in AxoConsole.