Create Workspace for V2 Integrations

You need to create a workspace in the Azure Sentinel console for the Azure Sentinel integration. After creating the workspace, use its details, such as the workspace ID and primary key, during the integration.

Register an Application in Entra ID

  1. Navigate to Microsoft Entra ID (Azure Active Directory) > App registrations.
  2. Create a new App Registration.
  3. Record the following values (to be used in later steps):
    1. Application (Client) ID
    2. Directory (Tenant) ID
  4. Assign the required API permissions: navigate to API permissions > Add a permission > APIs my organization uses and add:
    1. Microsoft Graph > ConfigurationMonitoring.ReadWrite.All
  5. Generate a Client Secret and record its Value (to be used in later steps).

Create a Data Collection Endpoint (DCE)

  1. Navigate to Azure Monitor > Data Collection Endpoints (DCE).
  2. Create a new DCE.
  3. Record the Log Ingestion API URL associated with this endpoint.

Create a Data Collection Rule (DCR) and Custom Table

  1. Navigate to Log Analytics workspaces > Tables.
  2. Select Create > New custom log (DCR-based) and associate the previously created DCE.
  3. Upload your custom log schema in JSON format.

Example (truncated and masked for security):

{
  "assetCriticalityScore": 75,
  "assetId": "*****",
  "assetUuid": "*****-uuid",
  "category": "SSL/TLS",
  "description": "SSL certificate has expired and needs attention",
  "ip": "XXX.XXX.XXX.XXX",
  "fqdn": "masked.example.com",
  "severity": 5,
  "solution": "Update the SSL certificate with a valid CA-signed certificate."
}

Record the DCR Rule ID.

Verify that the Custom Table (e.g., Custom-azureSentinelV2_CL) is properly configured in the DCR.

Assign IAM Permissions

Navigate to the created DCR > Access Control (IAM).

Assign required roles (for example, Monitoring Metrics Publisher) to the application or managed identity.

Update Data Stream Configuration

Create a file logfile.json with stream details:

[
  {
    "name": "Custom-azureSentinelV2",
    "streams": [ "Custom-azureSentinelV2" ],
    "filePatterns": [ "/var/log/my-custom.log" ],
    "format": "json"
  }
]
Update the DCR using the Azure CLI:

az monitor data-collection rule update \
  --name <data_collector_rule_name> \
  --resource-group <resource_group_name> \
  --set [email protected]
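To check that the pieces recorded above fit together (tenant, client ID and secret from the app registration, the DCE Logs Ingestion URL, the DCR Rule ID, the stream name and the uploaded schema), here is an added client-side example that is not part of this page or of the Azure tooling. It validates a finding against the custom log schema shown above, builds the Logs Ingestion API URL for the DCR stream, obtains a client-credentials token and posts the batch; the angle-bracket placeholders, the API version and the sample finding are assumptions, and only the standard library is used.

```python
import json
import urllib.parse
import urllib.request

# Values recorded in the steps above. The placeholders are assumptions; replace them with your own.
TENANT_ID, CLIENT_ID, CLIENT_SECRET = "<directory_tenant_id>", "<application_client_id>", "<client_secret_value>"
DCE_URL = "https://<dce-name>.<region>.ingest.monitor.azure.com"  # Logs Ingestion API URL of the DCE
DCR_ID = "dcr-<immutable_id>"                                     # DCR Rule ID (immutable ID)
STREAM = "Custom-azureSentinelV2_CL"                               # stream that feeds the custom table
API_VERSION = "2023-01-01"                                         # Logs Ingestion API version (assumption)
# Columns of the custom log schema uploaded to the DCR (taken from the JSON example above).
SCHEMA = {"assetCriticalityScore": int, "assetId": str, "assetUuid": str, "category": str,
          "description": str, "ip": str, "fqdn": str, "severity": int, "solution": str}
# Constructed sample finding in that schema (not real data).
SAMPLE_FINDING = {"assetCriticalityScore": 75, "assetId": "asset-001", "assetUuid": "asset-001-uuid",
                  "category": "SSL/TLS", "description": "SSL certificate has expired", "ip": "192.0.2.10",
                  "fqdn": "masked.example.com", "severity": 5, "solution": "Renew the certificate."}

def validate_record(rec):
    """Return schema problems; an empty list means the DCR will accept every column."""
    problems = [f"missing {k}" for k in SCHEMA if k not in rec]
    problems += [f"bad type for {k}" for k, t in SCHEMA.items() if k in rec and not isinstance(rec[k], t)]
    problems += [f"unknown column {k}" for k in rec if k not in SCHEMA]  # silently dropped at ingestion
    return problems

def ingest_url(dce_url, dcr_id, stream, api_version=API_VERSION):
    """Build the Logs Ingestion API endpoint for one DCR stream."""
    return (f"{dce_url.rstrip('/')}/dataCollectionRules/{dcr_id}"
            f"/streams/{urllib.parse.quote(stream)}?api-version={api_version}")

def get_token(tenant, client_id, secret):
    """Client-credentials token for Azure Monitor; the app needs the IAM role assigned above."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": secret, "scope": "https://monitor.azure.com/.default"})
    req = urllib.request.Request(f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token", data=body.encode())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def send(records):
    """Validate the batch, then POST it; the API answers 204 when the batch is accepted."""
    problems = [p for r in records for p in validate_record(r)]
    if problems:
        raise ValueError(problems)
    token = get_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    req = urllib.request.Request(ingest_url(DCE_URL, DCR_ID, STREAM), data=json.dumps(records).encode(),
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

After filling in the placeholders, `send([SAMPLE_FINDING])` returns 204 on success; a 403 shortly after the IAM step usually means the role assignment on the DCR has not propagated yet.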