This article walks you through what Azure resources are needed so SafeConsole can send logs into Microsoft Sentinel (via a Log Analytics workspace) using the Azure Monitor Logs Ingestion API.
Why this setup exists (and what you get)
Microsoft Sentinel runs on top of a Log Analytics workspace, so the goal is to land SafeConsole log events into a workspace table where Sentinel can query, alert, and correlate them.
Benefits
Centralized detection & investigation: SafeConsole activity becomes searchable and alertable in Sentinel once it’s in Log Analytics.
Structured, reliable ingestion: The Data Collection Rule (DCR) enforces schema/transformations so your ingested records match your table.
Least-privilege authentication: An Entra ID app registration (service principal) authenticates API calls and is granted access only where needed.
How the pieces fit together (data flow)
SafeConsole sends logs using the Log Ingestion API → Data Collection Endpoint (DCE) receives them → Data Collection Rule (DCR) validates/transforms/routes them → logs land in a Log Analytics custom table.
Prerequisites
You will need the following Azure components created and available in your subscription (references are at the bottom of this article):
Microsoft Sentinel - SIEM/SOAR solution that runs on top of a Log Analytics workspace in Azure or Microsoft Defender.
Log Analytics Workspace - Stores all logs ingested via the API and used by Sentinel.
Microsoft Entra ID (Azure AD) app registration / service principal - Authenticates API calls via app registration.
Data Collection Endpoint (DCE) - REST endpoint for receiving logs from SafeConsole.
Data Collection Rule (DCR) - Defines how logs are transformed and routed to the workspace.
Custom Table in Log Analytics - Stores structured log data for Sentinel to analyze.
SafeConsole SIEM Settings
When enabling SIEM in SafeConsole, be sure to change your SIEM type to “Azure Sentinel”.
You will need to collect the following values from your Azure configuration:
Data Collection Endpoint URL
Log Table Name
Data Collection Rule Id
Application Id
Application Client Secret
Tenant Id
After those are entered, you can select your “Events Upload Frequency Type”:
Batch Upload by the Number of Events
The number of events can be set from 3 to 1000.
Batch Upload by the Byte size (in kilobytes)
The byte size (in kilobytes) can be set from 2 to 1000.
Batch Upload by Time Interval (in seconds)
The upload time interval (in seconds) can be set from 10 to 3600.
Validation checklist (quick)
You should have all of the following created and ready:
service principal (Entra)
Log Analytics workspace
DCE
DCR
custom table
Troubleshooting tips
If logs don’t appear:
Re-check that the table plan is Analytics.
Confirm your payload includes TimeGenerated and matches the expected structure.
Re-check IAM assignments—especially the DCR access (Monitoring Metrics Publisher).
Enable/inspect diagnostics:
Log Analytics workspace diagnostics
DCR diagnostics (to catch invalid JSON / payload issues)
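To test the Azure side independently of SafeConsole when logs don't appear, the following added example (not SafeConsole or Microsoft code) checks a payload for TimeGenerated and posts one constructed record to the Logs Ingestion API using the six values listed under SafeConsole SIEM Settings. Assumptions: the environment variable names, the "Custom-<table>" stream name, the DCR Id being the rule's immutable ID, and a Message column in the custom table.

```python
import json, os, urllib.parse, urllib.request
from datetime import datetime

def ingestion_url(dce_url, dcr_id, table_name):
    # Assumption: the DCR stream is "Custom-<table>", Azure's convention for custom tables.
    # dcr_id is assumed to be the DCR immutable ID, which the Logs Ingestion API expects.
    stream = f"Custom-{table_name}"
    return (f"{dce_url.rstrip('/')}/dataCollectionRules/{dcr_id}"
            f"/streams/{stream}?api-version=2023-01-01")

def check_payload(records):
    """Return a list of problems that would keep records out of the table."""
    if not isinstance(records, list):
        return ["body must be a JSON array of records"]
    problems = []
    for i, rec in enumerate(records):
        if not isinstance(rec, dict):
            problems.append(f"record {i}: not a JSON object")
            continue
        try:  # a missing field becomes "None", which also fails to parse
            datetime.fromisoformat(str(rec.get("TimeGenerated")).replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"record {i}: TimeGenerated missing or not ISO 8601")
    return problems

def get_token(tenant_id, app_id, secret):
    # Client-credentials flow for the Entra app registration.
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": app_id,
        "client_secret": secret, "scope": "https://monitor.azure.com//.default"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]

def send(url, token, records):
    req = urllib.request.Request(url, data=json.dumps(records).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 204 means the endpoint accepted the batch

if __name__ == "__main__":
    env = os.environ  # the secret is read from the environment, not stored in the script
    # Constructed test record; "Message" is an assumed column name.
    records = [{"TimeGenerated": "2024-01-01T00:00:00Z", "Message": "constructed test event"}]
    assert not check_payload(records)
    url = ingestion_url(env["DCE_URL"], env["DCR_ID"], env["TABLE_NAME"])
    print(send(url, get_token(env["TENANT_ID"], env["APP_ID"], env["APP_SECRET"]), records))
```

An HTTP 403 from send() points at the role assignment on the DCR, while a 204 with no rows in the table points at the payload not matching the DCR's expected structure.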
Security and operational best practices
Treat the client secret like a password: store it in a secure vault and rotate it periodically.
Use a dedicated app registration for SIEM ingestion to keep privileges tight and audit trails clean.
Prefer a dedicated workspace/table for operational clarity and easier Sentinel content management.
Reference (Microsoft Learn)
Logs Ingestion API overview: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview
Create Entra app + service principal:
Assign a role to the application:
Create a custom table:
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table
