# Configure Sentinel

To send data from AxoRouter to Microsoft Sentinel, you have to configure a number of things in Sentinel before configuring a destination in AxoConsole. Complete the following steps.

## Create an Azure App

Create an Azure (Microsoft Entra) application and credentials for it.

  1. Navigate to **App registrations** on the Azure Portal.

  2. Click **New registration** and register an application (for example `AxoflowIngestion`).

  3. Save the **Application (Client) ID** and the **Directory (Tenant) ID** (you’ll need these later to configure Axoflow).

  4. Go to **Certificates & secrets > Client secrets > + New client secret**.

  5. Add a description and expiration, click **Add**, and record the **secret value** (OAuth secret). You’ll need this later to configure Axoflow.

NOTE: Set a reminder to renew the secret and update your Axoflow configuration before it expires. Otherwise, your AxoRouters won’t be able to send data to Sentinel, possibly causing data loss.




## Enable Microsoft Sentinel on a Log Analytics Workspace

  1. In the Azure Portal, search for **Microsoft Sentinel**.
  2. Select an existing workspace or create a new one (choose **Resource Group** and **Region**).
  3. Once added, select the workspace and open **Tables**.
  4. You should see the **CommonSecurityLog**, **SecurityEvents**, **Syslog**, and **WindowsEvents** built-in tables. Sometimes the **Syslog** table appears only when it has data.
  5. From the workspace **Overview**, open **JSON View** and record the **Workspace Resource ID** (needed in templates).



## Create a Data Collection Endpoint (DCE)

To create a Data Collection Endpoint, complete the following steps. For more details, see the [Microsoft Sentinel documentation](<https://learn.microsoft.com/en-us/azure/azure-monitor/data-collection/data-collection-endpoint-overview>).

  1. Search for **Deploy a custom template** in Azure services.
  2. Choose **Build your own template** in the editor.
  3. Download the [Axoflow DCE template](../../../../docs/axoflow/destinations/microsoft/sentinel/configure-sentinel/dce-template.json), and upload or paste it into the template editor. Click **Save**.
  4. Set the parameters of the DCE. Make sure **Region** matches your **Sentinel workspace**.
  5. After creation, open it and copy its endpoint URL (that’s `logsIngestion.endpoint` in the JSON view) and its **Resource ID** (`id`). You’ll need the endpoint later to configure Axoflow, and the resource ID to configure the data collection rule.



## Create a Data Collection Rule (DCR)

To create a Data Collection Rule, complete the following steps. For more details, see the [Microsoft Sentinel documentation](<https://learn.microsoft.com/en-us/azure/azure-monitor/data-collection/data-collection-rule-create-edit?tabs=arm>).

  1. Search for **Deploy a custom template** in Azure services.
  2. Choose **Build your own template** in the editor.
  3. Download the [Axoflow DCR template](../../../../docs/axoflow/destinations/microsoft/sentinel/configure-sentinel/dcr-template.json), and upload or paste it into the template editor. Click **Save**.
  4. Set the parameters of the DCR. Enter the **Workspace Resource ID** and **Endpoint Resource ID** from the previous steps.
  5. After creation, open it and copy its `immutableID` from the JSON view. You’ll need it later to configure Axoflow.



## Assign Permissions on the DCR

  1. Open **Access control (IAM)** on the DCR.

  2. Add a role assignment:

     * **Role**: Monitoring Metrics Publisher
     * **Member**: the Azure App you created in step 1 (Create an Azure App)
  3. Review and assign. This gives the app permissions to push data into Sentinel via the DCR.
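
Before moving on to AxoConsole, you can check the values collected in the sections above and send one test batch through the DCE and DCR. The following is an added example, not code from Axoflow or Microsoft: it assumes the standard Entra client-credentials token endpoint and the Azure Monitor Logs Ingestion API, and the `stream` key is an assumption, because the stream name is not given on this page and must be read from the deployed DCR.

```python
# Added example (not Axoflow or Microsoft code): checks the values collected above.
import json
import re
import urllib.parse
import urllib.request

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
API_VERSION = "2023-01-01"  # Logs Ingestion API version

def validate(cfg):
    """Return a list of problems with the collected values (empty means OK)."""
    problems = []
    for key in ("tenant_id", "client_id"):
        if not GUID.match(cfg.get(key, "")):
            problems.append(f"{key} is not a GUID")
    if GUID.match(cfg.get("client_secret", "")):
        problems.append("client_secret is a GUID: that is the Secret ID, not the secret value")
    endpoint = urllib.parse.urlparse(cfg.get("dce_endpoint", ""))
    if endpoint.scheme != "https" or not endpoint.hostname:
        problems.append("dce_endpoint must be an https:// URL")
    if not cfg.get("dcr_immutable_id", "").startswith("dcr-"):
        problems.append("dcr_immutable_id must be the dcr-... value, not the Resource ID")
    return problems

def token_request(cfg):
    """OAuth2 client-credentials request for an Azure Monitor token."""
    url = f"https://login.microsoftonline.com/{cfg['tenant_id']}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": cfg["client_id"],
            "client_secret": cfg["client_secret"],
            "scope": "https://monitor.azure.com/.default"}
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")

def ingest_request(cfg, token, records):
    """POST of a JSON array to the DCE, addressed by DCR immutable ID and stream."""
    url = (f"{cfg['dce_endpoint'].rstrip('/')}/dataCollectionRules/{cfg['dcr_immutable_id']}"
           f"/streams/{cfg['stream']}?api-version={API_VERSION}")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=json.dumps(records).encode(),
                                  headers=headers, method="POST")

def smoke_test(cfg, records):
    """Send one batch end to end; returns the HTTP status (204 means accepted)."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    with urllib.request.urlopen(token_request(cfg), timeout=30) as resp:
        token = json.load(resp)["access_token"]
    with urllib.request.urlopen(ingest_request(cfg, token, records), timeout=30) as resp:
        return resp.status
```

Load `client_secret` from an environment variable or a secret store rather than writing it into a file. A 403 from the ingestion call right after the role assignment can mean the assignment has not propagated yet, so retry after a few minutes before changing anything.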




After configuring everything in Sentinel, configure a [Sentinel destination in AxoConsole](../../../../docs/axoflow/destinations/microsoft/sentinel/index.md).