This article outlines the steps required to connect Microsoft Sentinel to Cloud Control Center for log ingestion.
(Sample Use Case) Audit Logs and Event Logs are shared to a custom table within Microsoft Sentinel which can then be incorporated into business processes like accounting and alerting.
Prerequisites
Before beginning the integration, ensure that the following components are already deployed and accessible in the customer’s Azure environment:
Azure Subscription
The customer must have an active subscription with appropriate permissions to create and manage resources in Microsoft Sentinel and Entra ID (formerly Azure AD).
Log Analytics Workspace
A Log Analytics Workspace must be provisioned. This is where the custom table for Elisity CCC log ingestion will reside.
Microsoft Sentinel Enabled
Sentinel must be enabled on the same Log Analytics Workspace that will store the ingested logs.
Resource Group
Identify or create a Resource Group where all relevant components—such as the DCE, DCR, and App Registration—will be logically grouped and managed.
Elisity Cloud Control Center (CCC) Access
The user performing the integration must have access to the Elisity Cloud Control Center in order to input the necessary authentication and ingestion parameters.
Creating a DCE (Data Collection Endpoint)
Microsoft Sentinel uses a Data Collection Endpoint (DCE) to securely receive custom log data. This component serves as the transport layer for incoming logs via Azure Monitor’s HTTP Data Collector API.
To begin, navigate to the Azure Portal and go to Monitor > Data Collection Endpoints. Click + Create to open the configuration panel.
In the Basics tab, enter the following:
- Endpoint Name: Use a name such as Elisity-Demo-Logs-DCE (letters, numbers, and hyphens only)
- Subscription: Select the applicable subscription
- Resource Group: Choose an existing group or create a new one (e.g., DEMO_MS_SENTINEL_RG)
- Region: This should match your Log Analytics Workspace’s region
Click Review + create, then Create once validation completes.
Note: A single DCE can support multiple Data Collection Rules (DCRs), so you can reuse this endpoint for other integrations if needed.
Creating a DCR-based Custom Log Table
This custom log table in your Log Analytics Workspace will be the destination for logs ingested from Cloud Control Center. The table must be DCR-based and named precisely, as the integration depends on an exact match.
Navigate to your Log Analytics Workspace and select Tables from the left menu. Click + Create and choose New custom log (DCR-based).
Basic Configuration
Table name: ElisityCCCLogs (must match exactly, as this is hardcoded in Cloud Control Center)
Description: Optional—for example, "Logging table from Cloud Control Center Monitoring - contains audit/event logs"
Data Collection Endpoint: Select the DCE created in the previous step
Data Collection Rule: Click Create a new data collection rule, name it (e.g., DCR_ELISITY), and ensure it’s created in the same Resource Group as the DCE
Schema and Transformation
Click Next to move to the Schema and transformation step. Click Upload sample file and upload a JSON-formatted example of Elisity logs. Save the sample schema below into a .json file and upload.
[
{
"id": "00000000-0000-0000-0000-000000000000",
"action": "TEST",
"level": "INFO",
"eventType": "AUDIT_LOG",
"category": "Table Setup",
"username": "TEST_USER",
"role": "SYSTEM",
"context": {},
"TimeGenerated": "2025-06-13T13:47:52.675679Z"
}
]
Click Next, review, and finalize the table creation. Once complete, you should see ElisityCCCLogs_CL listed under your custom log tables.
Copy and Save Credentials from the DCR and DCE
After the DCR and DCE have been created, you will need to retrieve two values required for log ingestion configuration in Cloud Control Center:
1. DCR Immutable ID
Navigate to Monitor > Data Collection Rules in the Azure Portal. Select the DCR created in the previous step. In the Overview tab, copy the Immutable ID.
2. Log Ingestion URL
Next, navigate to the Data Collection Endpoint that was created earlier. In the Overview tab, copy the Log Ingestion URL. This URL will be used as the base for API operations.
Save both the Immutable ID and Log Ingestion URL in a secure location. These values will be needed to authenticate log ingestion requests from Cloud Control Center.
Create an App Registration
An application must be registered in Microsoft Entra to allow Cloud Control Center to authenticate securely to Azure and post logs to Microsoft Sentinel. This step establishes a trusted identity that CCC will use to obtain access tokens for the log ingestion API.
Register the Application
In the Azure Portal, go to Microsoft Entra Admin Center > App registrations.
Click + New registration.
Enter the following:
Name: For example, Elisity_Demo_CCC_Log_Ingestion
Supported account types: Select Accounts in this organizational directory only (Single tenant)
Redirect URI: Leave blank (optional)
Click Register to create the application.
After registration, you will retrieve the Client ID and create a Client Secret, both of which will be required when completing the connector setup in Cloud Control Center.
Note: This guide follows the most commonly used single-tenant registration model. Organizations may adapt the registration settings—such as account type, redirect URI, or conditional access policies—based on internal security and compliance requirements.
An application needs to be registered and a client secret created to be used for Cloud Control Center to authenticate to Azure.
Create a Client Secret for the Application
After registering the application, a client secret must be generated. This secret acts as the authentication credential that Cloud Control Center will use when requesting tokens to post data to Microsoft Sentinel.
In the Entra Admin Center, go to the newly created application.
Select Certificates & secrets from the menu.
Click + New client secret.
Enter a description and select an expiration duration that aligns with your organization’s key management policies (e.g., 6 or 12 months).
Click Add.
Once the secret is created, the secret value will be shown for a short period.
Important: Immediately copy the Client Secret Value and store it securely.
Gathering the App Client ID and Tenant ID
Once the app registration and client secret are created, you will need to retrieve two additional identifiers required for authentication from Cloud Control Center.
Navigate to the Overview tab of the registered application in Microsoft Entra Admin Center.
Copy the following values:
Application (client) ID – Used as the identifier for the application requesting tokens
Directory (tenant) ID – Used to direct authentication requests to the correct Azure AD instance
Save both values securely. Along with the client secret, they will be used when configuring the Sentinel connector in Cloud Control Center.
Adding IAM Permissions
The final step before registering the connector in Cloud Control Center is assigning the correct IAM role to the Enterprise Application you created earlier.
Some organizations may choose to assign the role directly to specific Azure resources (such as the Log Analytics workspace or the DCR), but for simplicity, this guide applies the role at the Resource Group level.
Navigate to the Resource Group containing the DCE, DCR, and Log Analytics Workspace.
Click Access Control (IAM).
Select + Add and choose Add role assignment.
Under the Role tab, search for and select Monitoring Metrics Publisher, then click Next.
In the Members tab:
Choose User, group, or service principal
Click + Select members
Find and select your Enterprise Application (created earlier)
Click Next
Review and click Review + assign. After the role assignment is created, you should see the new entry in the list.
Add the Microsoft Sentinel Connector in Cloud Control Center
With Azure configuration complete, the final step is to add the Microsoft Sentinel connector in Cloud Control Center.
To begin, navigate to Settings > Connectors, then click + Add Connector.
From the connector list, select Microsoft Sentinel and click Configure.
You will be prompted to enter the following values:
Tenant ID – Found in Microsoft Entra Admin Center > App Overview
Client ID – From the Overview page of the registered application
Client Secret – Generated under Certificates & Secrets (must have been copied during creation)
DCR Immutable ID – Found in the Overview tab of the Data Collection Rule (DCR)
Log Ingestion URL – Found in the Overview tab of the Data Collection Endpoint (DCE)
Log Table Name – Must exactly match the table created earlier (e.g., ElisityCCCLogs_CL)
Reminder: These values should have been copied and saved in earlier steps. If any were missed, revisit the corresponding Azure resources to retrieve them.
After completing the form, click Submit.
If all configurations are correct, the connector will appear in the list with a status of Active, indicating a successful connection.
Verify Log Ingestion in Microsoft Sentinel
Once the Microsoft Sentinel connector is active in Cloud Control Center, you can verify that logs are successfully reaching Microsoft Sentinel via the Log Analytics Workspace.
Navigate to the Log Analytics Workspace used during setup and select Logs from the left-hand menu.
In the query pane, expand the Tables list and locate the custom table named ElisityCCCLogs_CL.
Select the table and run a basic query to confirm whether entries are present. You should begin to see audit and event logs from Cloud Control Center.
If no data appears after a few minutes, return to Cloud Control Center and confirm the connector is listed as Active. You may also want to recheck the IAM role assignment and the DCR and DCE configuration, and confirm that logs are being generated in the environment for ingestion.
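To tell an Azure-side problem from a Cloud Control Center problem, the same saved values can be used to send one test record straight through the DCE and DCR. The script below is an added example, not Elisity or Microsoft code. It assumes the Azure Monitor Logs Ingestion API with api-version 2023-01-01, a DCR stream named Custom-ElisityCCCLogs_CL (check the stream name in the DCR's JSON view), and hypothetical environment variable names for the five saved values.

```python
# Added example (not Elisity or Microsoft code): exercises the DCE/DCR path directly.
import json, os, urllib.error, urllib.parse, urllib.request
from datetime import datetime, timezone

API_VERSION = "2023-01-01"   # assumed Logs Ingestion API version
SCOPE = "https://monitor.azure.com/.default"
HINTS = {401: "token rejected: recheck tenant ID, client ID and client secret",
         403: "no permission: recheck the Monitoring Metrics Publisher assignment",
         404: "not found: recheck the DCR Immutable ID and the table/stream name"}

def token_request(tenant_id, client_id, client_secret):
    """OAuth2 client-credentials request for the app registration."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": SCOPE}
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                  method="POST")

def ingestion_request(log_ingestion_url, dcr_immutable_id, table, records, token):
    """POST of a JSON array to the DCR stream (stream name Custom-<table> is assumed)."""
    url = (f"{log_ingestion_url.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
           f"/streams/Custom-{table}?api-version={API_VERSION}")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=json.dumps(records).encode(),
                                  headers=headers, method="POST")

def sample_record():
    """Constructed test record with the field names of the sample schema."""
    return {"id": "00000000-0000-0000-0000-000000000000", "action": "TEST",
            "level": "INFO", "eventType": "AUDIT_LOG", "category": "Connectivity Test",
            "username": "TEST_USER", "role": "SYSTEM", "context": {},
            "TimeGenerated": datetime.now(timezone.utc).isoformat()}

def main():
    e = os.environ   # hypothetical variable names; keeps the secret out of the script
    try:
        with urllib.request.urlopen(token_request(
                e["AZ_TENANT_ID"], e["AZ_CLIENT_ID"], e["AZ_CLIENT_SECRET"])) as resp:
            token = json.load(resp)["access_token"]
        req = ingestion_request(e["DCE_LOG_INGESTION_URL"], e["DCR_IMMUTABLE_ID"],
                                "ElisityCCCLogs_CL", [sample_record()], token)
        with urllib.request.urlopen(req) as resp:
            print("accepted, HTTP", resp.status)   # success returns an empty 2xx response
    except urllib.error.HTTPError as err:
        print("HTTP", err.code, HINTS.get(err.code, err.reason))

if __name__ == "__main__":
    main()
```

If the request is accepted but Cloud Control Center logs still do not arrive, the Azure side is working and the values entered in the connector form are the next thing to compare.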