
How to forward custom logs to Azure Sentinel


We use Azure Sentinel to monitor IaaS event logs and Azure resources. As an application developer, I want to use the same platform to monitor our bespoke applications. I'd like to send custom events from an Azure Function or App Service to (preferably) an HTTP endpoint, e.g.

    {
        "user": "John",
        "resource": "recordabc",
        "result": "approved",
        "time": "1 Jan 2020"
    }

Is this possible, or is Azure Sentinel not the right technology?


Solution

  • Since Sentinel uses the same Log Analytics infrastructure as, for example, Azure Monitor (or Application Insights), you can do all of this.

    There are several ways to do this:

    1. Create a custom Azure Function that will submit the data to the Log Analytics workspace of Azure Sentinel
    2. Directly call the Log Analytics workspace from your Functions and App Services

    Some links from Microsoft on using Azure Functions to do this:

    https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector#connect-with-azure-functions

    https://zimmergren.net/log-custom-application-security-events-log-analytics-ingested-in-azure-sentinel/

    With the code: https://github.com/Zimmergren/LogAnalytics.Client

    It boils down to these steps:

    using System;
    using LogAnalytics.Client;   // NuGet package from the linked Zimmergren repository

    // Workspace ID and shared key of the Sentinel Log Analytics workspace (placeholders here)
    var logger = new LogAnalyticsClient(workspaceId: "<workspace-id>", sharedKey: "<shared-key>");

    // TestEntity is a plain class; its public properties become the columns of the custom log table
    logger.SendLogEntry(new TestEntity
    {
        Category = GetCategory(),   // caller-defined helper in the sample
        TestString = "String Test",
        TestBoolean = true,
        TestDateTime = DateTime.UtcNow,
        TestDouble = 2.1,
        TestGuid = Guid.NewGuid()
    }, "demolog").Wait();   // "demolog" becomes the demolog_CL table; prefer await inside an async Function
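The second option from the answer, calling the workspace directly, as an added Python example that is not from the post or the linked library: it assembles an HTTP Data Collector API request for the question's record, including the SharedKey HMAC-SHA256 signature the service verifies, and rejects a Log-Type name the API would refuse. The workspace ID, the shared key and the ISO 8601 rewrite of the "time" field are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import re
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2016-04-01"
# Constructed placeholders: real values come from the workspace's "Agents management" blade.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"k" * 32).decode("ascii")
SAMPLE_WHEN = datetime(2020, 1, 1, tzinfo=timezone.utc)
# The question's record, with "time" rewritten as ISO 8601 so it can populate TimeGenerated.
SAMPLE_RECORDS = [{"user": "John", "resource": "recordabc", "result": "approved",
                   "time": "2020-01-01T00:00:00Z"}]

def build_string_to_sign(content_length: int, rfc1123_date: str) -> str:
    # Canonical string the service recomputes on its side; any mismatch yields HTTP 403.
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"

def build_signature(workspace_id: str, shared_key_b64: str, content_length: int, rfc1123_date: str) -> str:
    key = base64.b64decode(shared_key_b64)  # the shared key is base64 in the portal
    msg = build_string_to_sign(content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"

def build_request(workspace_id: str, shared_key_b64: str, log_type: str, records: list, when=None):
    # Log-Type names the custom table (<log_type>_CL); only letters, digits and underscore are accepted.
    if not re.fullmatch(r"[A-Za-z0-9_]{1,100}", log_type):
        raise ValueError(f"invalid Log-Type: {log_type!r}")
    when = when or datetime.now(timezone.utc)
    rfc1123_date = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key_b64, len(body), rfc1123_date),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        "time-generated-field": "time",  # field must be ISO 8601; omit header to use ingestion time
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version={API_VERSION}"
    return url, headers, body

def send(url: str, headers: dict, body: bytes) -> int:
    # Returns the HTTP status; 200 means accepted, and the table shows up in Sentinel minutes later.
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status

if __name__ == "__main__":
    print(send(*build_request(WORKSPACE_ID, SHARED_KEY, "demolog", SAMPLE_RECORDS)))
```

Keep the shared key in Key Vault or an app setting rather than in code, since whoever holds it can write arbitrary records into the workspace Sentinel analyses.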