Integrating Microsoft Sentinel

Microsoft Sentinel is a cloud-native security information and event management (SIEM) solution for proactive threat detection, investigation, and response. You can integrate Microsoft Sentinel with the Delinea Platform by using webhooks.

Prerequisites

Ensure that the following requirements for the integration are met:

  • Admin access to the Delinea Platform to configure a webhook endpoint.

  • Azure subscription with Microsoft Sentinel enabled on a Log Analytics workspace in a supported region.

  • Access to the Microsoft Sentinel portal.

  • Admin access to Log Analytics with the permission to create a workspace.

This integration does not rely on the deprecated Log Analytics Agent, which was retired on August 31, 2024. Instead, it leverages HTTP requests to trigger Azure Logic Apps workflows that generate custom log entries or alerts in Microsoft Sentinel. This integration does not depend on either the deprecated Log Analytics Agent or the Azure Monitor Agent (AMA), ensuring a modern, agentless solution.

Configuration

To configure this integration, perform the following steps:

Step 1: Configuring Microsoft Sentinel

You can configure the Microsoft Sentinel integration in one of two ways:

Option 1: Configuring Microsoft Sentinel Using a Logic App

This configuration method involves creating a logic app in Microsoft Sentinel and setting up a log analytics workspace.

Creating a Logic App in Microsoft Sentinel

To create a logic app:

  1. Log in to the Azure portal dashboard.

  2. In the services section, select Create a resource.

  3. Enter Logic App in the search area, and then select Logic App.

  4. Select Create.

  5. Select the Workflow Service Plan check box.

  6. Click Select.

  7. Fill in the required information for your Logic App and select Review + Create.

  8. Once the deployment is done, your Logic App is created in Sentinel.

Setting Up a Sentinel Log Analytics Workspace

To set up a Sentinel log analytics workspace:

  1. In the Logic App, go to Workflows and select Add to add a new workflow. The Create Workflow window opens.

  2. Enter the Workflow Name and select Stateless as the state type.

  3. Select Create. Note: Depending on screen resolution, the Create button might be hidden at the bottom of the app tile.

  4. Open the newly-created workflow.

  5. Navigate to Tools Designer.

  6. On the Designer page, select the plus sign, then select Add trigger.

  7. Search for "HTTP" and select When an HTTP request is received in the Request section. You will use this trigger later when setting up a webhook on the Delinea Platform.


  8. Select the Use sample payload to generate schema hyperlink.

  9. Paste the following code into the field. (Alternatively, you can retrieve the schema payload from the Marketplace >Test webhook Request body) :

    Copy 


      "AuditEventMessageId": "87b928df-ccc5-46ed-8cc5-b2e88866a2b5", 

      "TenantId": "7968fc7c-9205-4bd8-ad41-1432ffb8f7d3", 

      ... 

      "ForceCompress": false 

  10. Select Done , then select Save.

  11. Select the plus sign and then select Add an action.

  12. Search for "Log Analytics" and select Send Data. The Create a connection page opens.

  13. Provide the Workspace ID and Shared Key. Where to Find Your Workspace ID and Key:

    1. In the Sentinel portal, go to Home > Microsoft Sentinel.

    2. Navigate to Settings > Workspace settings > Settings > Agents.

    3. Click the arrow icon to expand the Log Analytics agent instructions.

  14. Copy your Workspace ID and either the Primary Key or Secondary Key.

  15. Paste the Workspace ID into the Create new connection page.

  16. Select Create New.

  17. The Send Data page opens. Under the Parameters tab, select the JSON Request Body field, and select the second option.

  18. Select the Dynamic content tab and enter 'Body' in the Search field.

  19. Select the body then select Add.

  20. Provide a new name for the Custom Log Name (e.g. MarketPlace Event)

  21. Select Save.

Option 2: Configuring Microsoft Sentinel Using a DCR (Recommended)

This option uses an Azure logic app to forward Delinea platform logs to Microsoft Sentinel through the Azure Monitor Logs Ingestion API.

The integration uses the following data flow:

  1. A Delinea webhook sends platform logs to the HTTPS URL of a logic app.

  2. The logic app forwards the data to the Logs Ingestion API, which is tied to a data collection rule (DCR) and a data collection endpoint (DCE).

  3. The data is stored in a custom table (for example, DelineaPlatformEvents_CL) in a Log Analytics workspace. The full original JSON is preserved in a column for flexible KQL querying.

For more information about the Logs Ingestion API, see Logs Ingestion API in Azure Monitor. For more information about DCRs, see Data collection rules (DCRs) in Azure Monitor.

Additional Prerequisites

Before beginning, verify the following additional requirements:

  • All Azure resources (workspace, DCE, DCR, and logic app) are deployed in the same Azure region.

  • The administrator has Contributor permissions on the resource group.

  • The administrator has the ability to assign RBAC roles.

To configure the Microsoft Sentinel integration by using a DCR:

  1. Identify the Log Analytics workspace.

    In the Azure portal, navigate to Microsoft SentinelSettingsWorkspace. Record the following values.

    • Workspace name

    • Resource group

    • Region

    The region is critical — the DCE, DCR, and logic app created in the following steps must all be in the same region as this workspace.

  2. Create a data collection endpoint (DCE).

    In the Azure portal, navigate to Azure MonitorData Collection EndpointsCreate.

    • Name: Enter a name for the endpoint, for example DCE-Delinea.

    • Resource group: Select the same resource group as the Sentinel workspace.

    • Region: Select the same region as the workspace.

    After the endpoint is created, copy the Logs Ingestion URI from the DCE overview. It follows this format:

    https://<dce-name>.<region>-1.ingest.monitor.azure.com

    For more information about DCEs, see Data collection endpoints in Azure Monitor.

  3. Create a custom table and data collection rule (DCR).

    Do not create the DCR from Azure MonitorData Collection Rules. That path creates a standalone DCR without the required custom table binding, causing ingestion failures.

    In the Azure portal, navigate to Log Analytics workspaceTablesCreateNew custom log (DCR based).

    In the creation wizard, when prompted for a sample file, upload a JSON file with the following content:

    [{"TimeGenerated":"2025-01-01T00:00:00Z","RawData":"{\"event_type\":\"sample\"}"}]

    The RawData value must be a JSON-encoded string (with escaped quotes), not a raw JSON object. This ensures Azure creates a string column, which provides reliable storage of the full Delinea payload regardless of schema changes.

    For Table name, enter a name such as DelineaPlatformEvents. Azure appends the _CL suffix automatically, so the resulting table name is DelineaPlatformEvents_CL.

    Azure automatically creates the following resources when this step is complete:

    • A data collection rule (DCR) linked to this table

    • A stream name for use in the Logs Ingestion API

  4. Record the DCR values.

    In the Azure portal, open the DCR created in the previous step. Navigate to OverviewJSON View and record the following values.

    • immutableId — the DCR identifier, in the format dcr-xxxxxxxxxxxxxxxx.

    • Stream name — for example, Custom-DelineaPlatformEvents_CL.

    The stream name is case-sensitive. Copy it exactly as shown in the JSON view. Use the immutableId value — not the DCR display name — in the ingestion API URI.

  5. Create a logic app.

    In the Azure portal, create a Consumption logic app (recommended).

    • Name: Enter a name, for example la-delinea-sentinel.

    • Region: Select the same region as the workspace.

    For more information, see the Azure Logic Apps documentation.

  6. Enable the managed identity.

    In the logic app, navigate to IdentitySystem-assigned and set the status to On, then select Save.

    The managed identity must be enabled before RBAC roles can be assigned to it in the next step.

  7. Assign RBAC permissions.

    Assign the Monitoring Metrics Publisher role to the logic app's system-assigned managed identity. Scope the assignment to the data collection rule, not to the workspace or resource group.

    The role must be scoped to the DCR. This grants the required Microsoft.Insights/dataCollectionRules/data/write permission per the Microsoft Logs Ingestion API documentation.

  8. Configure the logic app workflow.

    1. Add the HTTP trigger.

      In the logic app designer, add the trigger When an HTTP request is received. Leave the request body JSON schema empty. Save the logic app to generate the public HTTPS URL.

      Copy this URL for use when configuring the webhook in step 9.

    2. Add the HTTP action for the Logs Ingestion API.

      Add an HTTP action with the following configuration:

      • Method: POST

      • URI:

        https://<DCE-URI>/dataCollectionRules/<DCR-immutableId>/streams/<StreamName>?api-version=2023-01-01

        Replace <DCE-URI> with the Logs Ingestion URI from step 2, <DCR-immutableId> with the immutable ID from step 4, and <StreamName> with the stream name from step 4.

      • Headers:

        Content-Type: application/json

      • Authentication:

        Authentication type: Managed Identity
        Managed Identity: System-assigned
        Audience: https://monitor.azure.com

      • Body:

        [{"TimeGenerated":"@{utcNow()}","RawData":"@{string(triggerBody())}"}]

      The body format wraps the incoming Delinea payload in the schema expected by the DCR. The string() function serializes the payload as a JSON string, matching the RawData column type defined in the custom table. Using utcNow() for the timestamp avoids ingestion failures that can occur when the incoming payload does not include a timestamp field.

      A successful ingestion returns HTTP status 204 (No Content).

    3. (Optional) Add basic guards:

      • Size check and chunking if Delinea sends large batches.

      • Simple filtering or normalization before forwarding.

  9. Configure the Delinea Platform webhook.

    In the Delinea Platform, navigate to SettingsWebhooks and create a new webhook with the following configuration:

    • Endpoint: Paste the logic app trigger URL copied in step 8.

    • Services: Select All (recommended).

    • Levels: Select Info, Warning, and Error.

    No custom headers are required. The logic app authenticates to the Logs Ingestion API through its managed identity, not through headers on the inbound webhook request.

Validating the DCR Integration

After completing the configuration, verify that data is flowing from the Delinea Platform through the logic app to Sentinel.

  1. In the Delinea Platform, trigger an action that produces an audit event.

  2. In the Azure portal, open the logic app and check the Run history. Confirm that a trigger was fired and that the HTTP action returned a 204 status code.

  3. In Microsoft Sentinel, navigate to Logs and run the following KQL query:

    DelineaPlatformEvents_CL
    | order by TimeGenerated desc
    | take 20

  4. Verify that rows appear with populated TimeGenerated and RawData columns.

To parse individual fields from the stored payload, use parse_json() in KQL queries. For example:

DelineaPlatformEvents_CL
| extend EventType = tostring(parse_json(RawData).event_type)
| project TimeGenerated, EventType, RawData

Step 2: Configuring the Delinea Platform

To configure the Delinea Platform for the integration with Microsoft Sentinel, you must create a webhook in the platform.

  1. Log in to the Delinea Platform.

  2. From the left navigation menu, navigate Settings > Webhooks.

  3. On the Webhooks page, select Create Webhook.

  4. Complete the following webhook configuration fields:

    • Name: A name for the webhook.

    • Endpoint URL: Set to the Logic App trigger URL.

    • Description: Optional (for example, “Forwards logs to Microsoft Sentinel”).

    • Webhook State: Select Enabled.

    • Triggers: Select the services and event levels (Info, Warning, Error) to send to Microsoft Sentinel.



    If Delinea provides a sample schema, you can still forward it as-is; the Logic App will embed it into the RawData column.​

  5. (Optional) If authentication is required, under Custom Headers, add a custom header:

    • Key: Authorization

    • Value: Bearer

  6. Select Save to complete the webhook configuration.

Validating Event Data

  1. In the Delinea Platform, navigate to Settings > General setup > Webhooks.

  2. Select the Microsoft Sentinel webhook.

  3. In the panel on the right, select View webhook logs.

  4. Select a log entry and in the panel on the right, select View Payload.

    Example Delinea Webhook Payload

    Copy 
    {
    "event_type": "SecretAccessed",
    "service": "Secret Management",
    "level": "info",
    "details": {
    "user": "frank",
    "secret_id": "A1B2C3",
    "timestamp": "2025-09-16T16:55:00Z"
    }
    }

Verification

Verify that the Delinea Platform events are being collected for Microsoft Sentinel.

  1. Log in to the Delinea Platform and trigger an action to produce an audit event.

  2. In Azure Logic Apps, open your logic app.

  3. In the Logic App run history, confirm that a trigger was fired and a POST request to Logs Ingestion succeeded (a 2xx status code).

  4. Go to the Sentinel dashboard in the Microsoft Sentinel Portal.

  5. From the left navigation menu, select Logs.

  6. In the query editor, enter the following KQL query:

    DelineaPlatformEvents_CL
    | order by TimeGenerated desc
    | take 20

  7. Verify that the log is displayed.

    The TimeGenerated and RawData columns should be populated.​