Microsoft Sentinel Integration
Forward database audit events to Microsoft Sentinel via the Log Analytics Data Collector API. Leverage Azure's cloud-native SIEM for advanced threat detection and security orchestration.
Cloud-Native Integration
Direct integration with Azure Log Analytics for seamless cloud security operations.
KQL Queries
Query audit events using Kusto Query Language for powerful analytics and investigations.
Analytics Rules
Create scheduled analytics rules to detect threats from database activity patterns.
Configuration Reference
1. Connection Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | A unique name for this SIEM connection (e.g., "sentinel-prod") |
| provider | select | Yes | sentinel | SIEM provider - select "Microsoft Sentinel" |
| enabled | boolean | No | true | Enable or disable event forwarding |
| workspace_id | string | Yes | - | Log Analytics workspace ID (GUID format) |
| shared_key | password | Yes | - | Log Analytics workspace shared key (primary or secondary) |
2. Sentinel-Specific Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| log_type | string | No | DBaudit_CL | Custom log table name (will have _CL suffix in Sentinel) |
| resource_id | string | No | - | Azure resource ID for correlation (optional) |
| time_generated_field | string | No | timestamp | Field to use as TimeGenerated in Sentinel |
3. Event Filtering
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| event_types | multiselect | No | all | Event types to forward: audit_events, alerts, ai_detections, policy_violations, classification_findings |
| severity_filter | multiselect | No | all | Filter by severity: critical, warning, info |
| database_filter | array | No | - | Limit to specific databases (empty = all databases) |
4. Batching & Reliability
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| batch_size | number | No | 100 | Number of events per batch (1-1000) |
| flush_interval_seconds | number | No | 30 | Maximum time between flushes (5-300 seconds) |
| retry_attempts | number | No | 3 | Number of retry attempts on failure |
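The batching settings above interact: a batch is sent when batch_size events have accumulated or when flush_interval_seconds has elapsed since the last flush, and a failed send is retried retry_attempts times before the batch is given up. The following is an added illustration of those semantics, not DB Audit's own forwarder code; the `send` callable stands in for the Data Collector API call, the clock and sleep functions are injectable so the behaviour can be exercised offline, and the `simulate()` driver and its failing-twice sender are constructed for the example.

```python
"""Batching and retry semantics of the DB Audit forwarder settings (illustrative, not product code)."""
import time
from typing import Callable, Dict, List


class EventBatcher:
    """Buffers events; flushes at batch_size or once flush_interval_seconds has elapsed."""

    def __init__(self, send: Callable[[List[Dict]], None], batch_size: int = 100,
                 flush_interval_seconds: int = 30, retry_attempts: int = 3,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        # Enforce the documented ranges so a misconfiguration fails loudly at start-up.
        if not 1 <= batch_size <= 1000:
            raise ValueError("batch_size must be between 1 and 1000")
        if not 5 <= flush_interval_seconds <= 300:
            raise ValueError("flush_interval_seconds must be between 5 and 300")
        self._send = send
        self.batch_size = batch_size
        self.flush_interval = flush_interval_seconds
        self.retry_attempts = retry_attempts
        self._clock = clock
        self._sleep = sleep
        self._buffer: List[Dict] = []
        self._last_flush = clock()
        self.sent_batches = 0
        self.dropped_events = 0   # gaps in the audit trail; worth alerting on

    def add(self, event: Dict) -> None:
        self._buffer.append(event)
        if len(self._buffer) >= self.batch_size:
            self.flush()

    def tick(self) -> None:
        """Call periodically; flushes a partial batch once the interval has elapsed."""
        if self._buffer and self._clock() - self._last_flush >= self.flush_interval:
            self.flush()

    def flush(self) -> bool:
        if not self._buffer:
            return True
        batch, self._buffer = self._buffer, []
        self._last_flush = self._clock()
        # retry_attempts counts retries after the first try; back off exponentially between them.
        for attempt in range(self.retry_attempts + 1):
            try:
                self._send(batch)
                self.sent_batches += 1
                return True
            except Exception:   # a real sender would narrow this to transient HTTP errors (429/5xx)
                if attempt < self.retry_attempts:
                    self._sleep(2 ** attempt)
        self.dropped_events += len(batch)
        return False


def simulate() -> Dict[str, int]:
    """Drives the batcher with a fake clock and a sender that fails twice, then succeeds (constructed)."""
    now = [0.0]
    calls = {"send": 0, "sleep": 0.0}
    delivered: List[List[Dict]] = []

    def flaky_send(batch: List[Dict]) -> None:
        calls["send"] += 1
        if calls["send"] <= 2:
            raise ConnectionError("simulated 503 from the ingestion endpoint")
        delivered.append(batch)

    def fake_sleep(seconds: float) -> None:
        calls["sleep"] += seconds

    batcher = EventBatcher(flaky_send, batch_size=3, flush_interval_seconds=5,
                           retry_attempts=3, clock=lambda: now[0], sleep=fake_sleep)
    for i in range(3):   # the third event fills the batch: two failed sends, one retry succeeds
        batcher.add({"event_type": "audit_event", "action_rows_affected": i})
    batcher.add({"event_type": "alert"})   # partial batch stays buffered
    batcher.tick()                          # interval not elapsed yet, nothing sent
    now[0] = 6.0
    batcher.tick()                          # interval elapsed, partial batch flushed
    return {"batches_delivered": len(delivered), "send_calls": calls["send"],
            "dropped": batcher.dropped_events, "backoff_seconds": int(calls["sleep"])}


if __name__ == "__main__":
    print(simulate())
```

The point to take from the simulation is operational: with retry_attempts exhausted, events are dropped rather than retried forever, so the dropped counter (or its equivalent in the real forwarder) is the signal that the Sentinel copy of the audit trail has a gap.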
Setup Instructions
Get Workspace ID
Retrieve your Log Analytics workspace ID from Azure Portal or CLI.
# Get workspace ID from Azure Portal:
# 1. Navigate to Log Analytics workspaces
# 2. Select your workspace
# 3. Go to Agents management
# 4. Copy the Workspace ID
# Or via Azure CLI:
az monitor log-analytics workspace show \
--resource-group myResourceGroup \
--workspace-name myWorkspace \
--query customerId -o tsv
Get Shared Key
Retrieve the workspace shared key for authentication.
# Get shared key from Azure Portal:
# 1. Navigate to Log Analytics workspaces
# 2. Select your workspace
# 3. Go to Agents management
# 4. Copy the Primary key or Secondary key
# Or via Azure CLI:
az monitor log-analytics workspace get-shared-keys \
--resource-group myResourceGroup \
--workspace-name myWorkspace
Security Note: Store the shared key securely. Consider using Azure Key Vault for production environments.
Configure in DB Audit
Add the Microsoft Sentinel integration in the DB Audit dashboard.
- Navigate to Integrations → SIEM in DB Audit
- Click Add SIEM Integration
- Select Microsoft Sentinel as the provider
- Enter your workspace ID and shared key
- Configure the custom log type name (default: DBaudit_CL)
- Select event types to forward
- Test the connection and save
Verify in Sentinel
After configuration, events should appear in your Log Analytics workspace within a few minutes.
// Check for DB Audit events
DBaudit_CL
| take 10
Note: Custom log tables may take up to 15 minutes to appear in Sentinel on first ingestion.
Event Format
Events are formatted with flattened field names suitable for Log Analytics custom logs.
{
"TimeGenerated": "2024-01-15T10:30:45.123Z",
"event_type": "audit_event",
"severity": "warning",
"source_database": "production-postgres",
"source_db_type": "postgresql",
"source_host": "db.example.com",
"actor_user": "app_user",
"actor_client_ip": "10.0.1.50",
"actor_application": "backend-api",
"action_type": "SELECT",
"action_object": "customers",
"action_schema": "public",
"action_statement": "SELECT * FROM customers WHERE...",
"action_rows_affected": 1500,
"contains_pii": true,
"data_types": "email,phone"
}
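The workspace ID and shared key from the setup steps are used by the Data Collector API as follows: the key (shown base64-encoded in the portal) is the HMAC-SHA256 secret, the request's method, content length, content type, x-ms-date and resource path form the string that is signed, and the result goes in an Authorization header of the form SharedKey <workspace_id>:<base64 signature>. The block below is an added example of building such a request for a batch of events in the format shown above, using only the Python standard library; it is not DB Audit's own code or an Azure SDK. The workspace ID, key, date and events are constructed placeholders. Two caveats a practitioner should know: the service appends _CL to whatever is sent in the Log-Type header to form the table name, and Microsoft has deprecated this API in favour of the Logs Ingestion API, so check its retirement status before building on it.

```python
"""Signed HTTP Data Collector API request for a batch of DB Audit events (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"

# Constructed placeholders, not a real workspace or key.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"\x00" * 32).decode("ascii")
FIXED_DATE = "Mon, 15 Jan 2024 10:30:45 GMT"
SAMPLE_EVENTS: List[Dict] = [{
    "timestamp": "2024-01-15T10:30:45.123Z",   # mapped to TimeGenerated via time-generated-field
    "event_type": "audit_event",
    "severity": "warning",
    "source_database": "production-postgres",
    "actor_user": "app_user",
    "actor_client_ip": "10.0.1.50",
    "action_type": "SELECT",
    "action_object": "customers",
    "action_rows_affected": 1500,
    "contains_pii": True,
}]


def rfc1123_now() -> str:
    """x-ms-date must be an RFC 1123 UTC timestamp; the service rejects stale dates."""
    return datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def string_to_sign(content_length: int, date: str) -> str:
    """Canonical form the service reconstructs server-side and verifies against the signature."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{date}\n{RESOURCE}"


def sign(workspace_id: str, shared_key: str, content_length: int, date: str) -> str:
    key = base64.b64decode(shared_key)   # decode the portal's base64 key before using it as the HMAC secret
    digest = hmac.new(key, string_to_sign(content_length, date).encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"


def build_request(workspace_id: str, shared_key: str, log_type: str, events: List[Dict],
                  time_generated_field: str = "timestamp",
                  date: Optional[str] = None) -> Tuple[str, Dict[str, str], bytes]:
    """Returns (url, headers, body) for one batch; date is injectable for deterministic tests."""
    body = json.dumps(events, separators=(",", ":")).encode("utf-8")
    date = date or rfc1123_now()
    headers = {
        "Content-Type": "application/json",
        "Authorization": sign(workspace_id, shared_key, len(body), date),
        "Log-Type": log_type,                         # table becomes <log_type>_CL
        "x-ms-date": date,
        "time-generated-field": time_generated_field,  # ISO 8601 field used as TimeGenerated
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body


def post_events(workspace_id: str, shared_key: str, log_type: str, events: List[Dict]) -> int:
    """Sends one batch; a 200 means accepted, 403 typically means a wrong or rotated key."""
    url, headers, body = build_request(workspace_id, shared_key, log_type, events)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    url, headers, body = build_request(WORKSPACE_ID, SHARED_KEY, "DBaudit", SAMPLE_EVENTS, date=FIXED_DATE)
    print(url)
    print(headers["Authorization"])
    print(body.decode())
```

Because the signature covers the content length and the date, a batch cannot be replayed with altered contents, and a request built more than a few minutes before it is sent will be rejected; build the headers immediately before posting each batch rather than caching them.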
Sample KQL Queries
Use these Kusto Query Language (KQL) queries to analyze DB Audit events in Sentinel.
// Query all DB Audit events
DBaudit_CL
| where TimeGenerated > ago(24h)
| order by TimeGenerated desc
// Filter by severity
DBaudit_CL
| where severity_s == "critical"
| project TimeGenerated, actor_user_s, action_type_s, source_database_s
// Find suspicious queries (large data access)
DBaudit_CL
| where action_rows_affected_d > 10000
| summarize count() by actor_user_s, source_database_s
| order by count_ desc
// User activity timeline
DBaudit_CL
| where actor_user_s == "specific_user"
| project TimeGenerated, action_type_s, action_object_s
| order by TimeGenerated asc
// Failed authentication attempts
DBaudit_CL
| where event_type_s == "auth_failure"
| summarize FailedAttempts = count() by actor_client_ip_s, bin(TimeGenerated, 1h)
| where FailedAttempts > 5
// PII access monitoring
DBaudit_CL
| where contains_pii_b == true
| summarize PIIAccessCount = count() by actor_user_s, source_database_s
| order by PIIAccessCount desc
Sample Analytics Rule
Create a scheduled analytics rule to detect potential data exfiltration.
// Sentinel Analytics Rule - Suspicious Data Exfiltration
let threshold = 10000;
DBaudit_CL
| where TimeGenerated > ago(1h)
| where action_type_s == "SELECT"
| where action_rows_affected_d > threshold
| extend AccountCustomEntity = actor_user_s
| extend IPCustomEntity = actor_client_ip_s
| extend HostCustomEntity = source_host_s
Troubleshooting
Events not appearing in Sentinel
Custom log tables can take up to 15 minutes to appear on first ingestion. Verify the workspace ID and shared key are correct.
Authentication error (403)
The shared key may be incorrect or expired. Regenerate the key in Azure Portal and update the configuration.
Custom log type not found
Custom log types have a "_CL" suffix automatically appended. Query using "DBaudit_CL" instead of "DBaudit".
Field types incorrect
Log Analytics infers each field's type from the values it ingests and appends a type suffix to the column name: string fields get "_s", numbers get "_d", and booleans get "_b" (for example, actor_user becomes actor_user_s and action_rows_affected becomes action_rows_affected_d). Queries must use the suffixed column names.