Integrating Microsoft Sentinel

Microsoft Sentinel is a cloud-native security information and event management (SIEM) solution for proactive threat detection, investigation, and response. You can integrate Microsoft Sentinel with the Delinea Platform by using webhooks.

Prerequisites

Ensure that the following requirements for the integration are met:

Admin access to the Delinea Platform to configure a webhook endpoint.
Azure subscription with Microsoft Sentinel enabled on a Log Analytics workspace in a supported region.
Access to the Microsoft Sentinel portal.
Admin access to Log Analytics with the permission to create a workspace.

This integration does not rely on the deprecated Log Analytics Agent, which was retired on August 31, 2024. Instead, it leverages HTTP requests to trigger Azure Logic Apps workflows that generate custom log entries or alerts in Microsoft Sentinel. This integration does not depend on either the deprecated Log Analytics Agent or the Azure Monitor Agent (AMA), ensuring a modern, agentless solution.

Configuration

To configure this integration, perform the following steps:

Step 1: Configure Microsoft Sentinel.
Step 2: Configure the Delinea Platform.

Step 1: Configuring Microsoft Sentinel

You can configure the Microsoft Sentinel integration in one of two ways:

Option 1: Configuring Microsoft Sentinel Using a Logic App: This method uses the HTTP Data Collector API to forward log data to Microsoft Sentinel.

OR
Option 2: Configuring Microsoft Sentinel Using a DCR (Recommended): This is the recommended configuration method that uses a data collection rule (DCR) in Azure Monitor.

Option 1: Configuring Microsoft Sentinel Using a Logic App

This configuration method involves creating a logic app in Microsoft Sentinel and setting up a log analytics workspace.

Creating a Logic App in Microsoft Sentinel

To create a logic app:

Log in to the Azure portal dashboard.
In the services section, select Create a resource.
Enter Logic App in the search area, and then select Logic App.
Select Create.
Select the Workflow Service Plan check box.
Click Select.
Fill in the required information for your Logic App and select Review + Create.
Once the deployment is done, your Logic App is created in Sentinel.

Setting Up a Sentinel Log Analytics Workspace

To set up a Sentinel log analytics workspace:

In the Logic App, go to Workflows and select Add to add a new workflow. The Create Workflow window opens.
Enter the Workflow Name and select Stateless as the state type.
Select Create. Note: Depending on screen resolution, the Create button might be hidden at the bottom of the app tile.
Open the newly-created workflow.
Navigate to Tools > Designer.
On the Designer page, select the plus sign, then select Add trigger.
Search for "HTTP" and select When an HTTP request is received in the Request section. You will use this trigger later when setting up a webhook on the Delinea Platform.
Select the Use sample payload to generate schema hyperlink.

Paste the following code into the field. (Alternatively, you can retrieve the schema payload from the Marketplace >Test webhook Request body) :

Copy

{ 

  "AuditEventMessageId": "87b928df-ccc5-46ed-8cc5-b2e88866a2b5", 

  "TenantId": "7968fc7c-9205-4bd8-ad41-1432ffb8f7d3", 

  ... 

  "ForceCompress": false 

}

Select Done , then select Save.
Select the plus sign and then select Add an action.
Search for "Log Analytics" and select Send Data. The Create a connection page opens.
Provide the Workspace ID and Shared Key. Where to Find Your Workspace ID and Key:
1. In the Sentinel portal, go to Home > Microsoft Sentinel.
2. Navigate to Settings > Workspace settings > Settings > Agents.
3. Click the arrow icon to expand the Log Analytics agent instructions.
Copy your Workspace ID and either the Primary Key or Secondary Key.
Paste the Workspace ID into the Create new connection page.
Select Create New.
The Send Data page opens. Under the Parameters tab, select the JSON Request Body field, and select the second option.
Select the Dynamic content tab and enter 'Body' in the Search field.
Select the body then select Add.
Provide a new name for the Custom Log Name (e.g. MarketPlace Event)
Select Save.

Option 2: Configuring Microsoft Sentinel Using a DCR (Recommended)

A Delinea webhook sends platform logs to the HTTPS URL configured in a logic app in Azure. The logic app receives the log data and forwards it to the Azure Monitor Logs Ingestion API tied to a data collection rule (DCR) and a data collection endpoint (DCE). The received log data is then stored in a custom table (for example, DelineaPlatformEvents_CL) in a Log Analytics workspace, with the full original JSON available in a dynamic column for flexible KQL querying.

For more information about the Logs Ingestion API, see Logs Ingestion API in Azure Monitor in the Azure Monitor documentation. For more information about DCRs, see Data collection rules (DCRs) in Azure Monitor.

To configure the Microsoft Sentinel integration by using a DCR:

Prepare a Log Analytics workspace and regions.
- Identify the Log Analytics workspace connected to Microsoft Sentinel and its region. Make sure that the DCE and DCR are created in the same region as the workspace.
- Make a note of the workspace ID and resource group.
Create a data collection endpoint (DCE).
- In Azure, create a data collection endpoint in the same region as the workspace. Make a note of its Base URI (for example, https://<dce-name>.<region>-1.ingest.monitor.azure.com).
- For details of creating a DCE, see Data collection endpoints in Azure Monitor in the Azure Monitor documentation.
Create a data collection rule (DCR) for custom JSON.

Make sure that the DCR is created in the same region as the workspace. In the DCR, do the following:
- Reference the DCE that you created in step 2.
- Target your Log Analytics workspace as the destination.
- Define a custom logs stream mapped to a table name, for example, DelineaPlatformEvents_CL (custom table suffix _CL).
- Consider the following schema recommendation for raw ingestion:
  - TimeGenerated column (dateTime).
  - RawData column (dynamic) to store the entire incoming Delinea payload unchanged.
  - Optional additional columns for key top-level fields if you want easy filters, but keep RawData for completeness.
For details of creating a DCR, see Create data collection rules (DCRs) in Azure Monitor in the Azure Monitor documentation.
Grant sender permissions.

Decide how the forwarding call will authenticate to the Logs Ingestion API. You can choose one of the following ways:
- Use the Logic App managed identity (the recommended method). Assign this identity the “Monitoring Metrics Publisher” role on the DCR.
- Use a trusted app registration with the same role.
Configure the Logs Ingestion endpoint URL.
- The call pattern must be https://{DCE-Base-URI}/dataCollectionRules/{DCR-ImmutableId}/streams/{StreamName}?api-version=2023-01-01.
- Collect the DCR immutable ID and the stream name that you defined for the custom logs stream.
In the Azure portal, create a Consumption or Standard logic app as your public webhook:
1. Add a trigger “When an HTTP request is received.” Save once to get the public HTTPS URL.
2. Add an action to call the Logs Ingestion API:
  - Use “HTTP” action or a custom connector with Managed Identity authentication.
  - Method: POST.
  - URI: the URL of your DCR stream.
  - Headers: Content-Type: application/json.
  - Authentication: Managed Identity (System-assigned or User-assigned) that has the “Monitoring Metrics Publisher” role on the DCR.
  - Wrap the incoming payload in an array and map to your DCR schema. For example, compose the following body:
    
    [ { "TimeGenerated": "@{coalesce(triggerBody()?['timestamp'], utcNow())}", "RawData": "@{triggerBody()}" } ]
    
    Ensure the output matches the DCR schema exactly and is always a JSON array, even for single events.
3. (Optional) Add basic guards:
  - Size check and chunking if Delinea can send large batches.
  - Simple filtering and normalization before forwarding.
For details of creating a Consumption or Standard logic app, see the Azure Logic Apps documentation.

Step 2: Configuring the Delinea Platform

To configure the Delinea Platform for the integration with Microsoft Sentinel, you must create a webhook in the platform.

Log in to the Delinea Platform.
From the left navigation menu, navigate Settings > Webhooks.
On the Webhooks page, select Create Webhook.
Complete the following webhook configuration fields:
- Name: A name for the webhook.
- Endpoint URL: Set to the Logic App trigger URL.
- Description: Optional (for example, “Forwards logs to Microsoft Sentinel”).
- Webhook State: Select Enabled.
- Triggers: Select the services and event levels (Info, Warning, Error) to send to Microsoft Sentinel.
If Delinea provides a sample schema, you can still forward it as-is; the Logic App will embed it into the RawData column.
(Optional) If authentication is required, under Custom Headers, add a custom header:
- Key: Authorization
- Value: Bearer
Select Save to complete the webhook configuration.

Validating Event Data

In the Delinea Platform, navigate to Settings > General setup > Webhooks.
Select the Microsoft Sentinel webhook.
In the panel on the right, select View webhook logs.

Select a log entry and in the panel on the right, select View Payload.

Example Delinea Webhook Payload

Copy

{
"event_type": "SecretAccessed",
"service": "Secret Management",
"level": "info",
"details": {
"user": "frank",
"secret_id": "A1B2C3",
"timestamp": "2025-09-16T16:55:00Z"
}
}

Verification

Verify that the Delinea Platform events are being collected for Microsoft Sentinel.

Log in to the Delinea Platform and trigger an action to produce an audit event.
In Azure Logic Apps, open your logic app.
In the Logic App run history, confirm that a trigger was fired and a POST request to Logs Ingestion succeeded (a 2xx status code).
Go to the Sentinel dashboard in the Microsoft Sentinel Portal.
From the left navigation menu, select Logs.
In the query editor, enter the following KQL query:

DelineaPlatformEvents_CL | order by TimeGenerated desc | take 20
Verify that the log is displayed.

The TimeGenerated and RawData columns should be populated.