Microsoft Sentinel
Choose this destination when your collectors should deliver logs into Microsoft Sentinel using the Azure Monitor Logs Ingestion API. Praxis groups records by the stream you declare on your Data Collection Rule (DCR), gzip-compresses each batch, and posts it to your Data Collection Endpoint (DCE). Records are expected to carry an OCSF class_uid so they can be routed to the correct DCR stream; records with no matching class_uid go to the catch-all stream you map to class_uid 0.
Supported types: Logs
In the Praxis UI the node appears as Microsoft Sentinel under the Security / Security data lake grouping. Authentication is configured on the destination itself (Azure SDK credential modes); you do not select a separate Praxis credential type for this exporter.
Prerequisites in Azure
Before you publish a pipeline, your team should already have:
- A Log Analytics workspace with Sentinel enabled.
- A Data Collection Endpoint (DCE) and its ingestion URI (for example https://<name>-<region>.ingest.monitor.azure.com).
- A Data Collection Rule (DCR) with its immutable ID and one or more declared streams (custom streams typically start with Custom-).
- Permissions for the chosen auth mode to write to that DCR (for example an app registration, managed identity, or workload identity). In Azure this is the Monitoring Metrics Publisher role assigned on the DCR to that identity; without it the ingestion call is rejected with 403.
Authentication modes
| Mode | When to use |
|---|---|
| default | DefaultAzureCredential chain (environment variables, workload identity, managed identity, Azure CLI in dev, and so on). |
| service_principal | Explicit tenant, client ID, and client secret. |
| system_managed_identity | System-assigned managed identity on the host or pod running the collector. |
| user_managed_identity | User-assigned managed identity; client_id identifies the identity. |
| workload_identity | Kubernetes-style federated credentials; tenant_id, client_id, and federated_token_file are required. |
Core configuration
| Parameter | Description |
|---|---|
| Data Collection Endpoint (DCE) URI | Base ingestion URI only (https://<name>-<region>.ingest.monitor.azure.com); the exporter appends the DCR and stream path when it posts. |
| Data Collection Rule immutable ID | The DCR immutableId from Azure (not the friendly resource name). |
| Stream mappings | For each mapping, set stream name (as declared on the DCR) and OCSF class_uid (class_id). Use 0 for the default stream that receives records without a more specific class_uid match. |
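The routing in the introduction and the stream mappings above, as an added example that is not Praxis code: it uses only the standard library to resolve each OCSF record to a DCR stream (falling back to the class_uid 0 mapping), split a stream's records into batches that fit the Logs Ingestion API's 1 MB per-call limit, and build the gzip-compressed POST for the DCE. The stream names, class_uids, DCE host, DCR immutable ID and records are constructed sample values; token acquisition is left to the auth mode configured on the destination and is passed in as a string.

```python
"""Route OCSF records to DCR streams and build Logs Ingestion API requests.

Added example, not Praxis code. All identifiers below are constructed.
"""
import gzip
import json
from collections import defaultdict

API_VERSION = "2023-01-01"           # Logs Ingestion API version used in the URL
MAX_REQUEST_BYTES = 1_000_000        # API limit: 1 MB per call (uncompressed JSON)

# Constructed stream mappings, as they would be entered in the destination form.
# class_uid 0 is the catch-all stream (see the Stream mappings row above).
STREAM_MAPPINGS = {
    1001: "Custom-OCSF_FileActivity_CL",
    3002: "Custom-OCSF_Authentication_CL",
    0: "Custom-OCSF_Default_CL",
}

# Constructed sample records: two mapped classes, one unmapped class (4001),
# and one record with no class_uid at all.
SAMPLE_RECORDS = [
    {"class_uid": 3002, "activity_id": 1, "time": 1700000000000, "user": {"name": "alice"}},
    {"class_uid": 1001, "activity_id": 2, "time": 1700000000001, "file": {"path": "/etc/shadow"}},
    {"class_uid": 4001, "activity_id": 1, "time": 1700000000002, "src_endpoint": {"ip": "10.0.0.5"}},
    {"activity_id": 1, "time": 1700000000003},
]


def resolve_stream(record, mappings):
    """Return the DCR stream for a record, falling back to the class_uid 0 mapping.

    Raises LookupError when there is neither a specific nor a catch-all mapping,
    so misconfigured pipelines fail loudly instead of silently dropping records.
    """
    class_uid = record.get("class_uid")
    if isinstance(class_uid, int) and class_uid in mappings:
        return mappings[class_uid]
    if 0 in mappings:
        return mappings[0]
    raise LookupError(f"no stream for class_uid={class_uid!r} and no catch-all (0) mapping")


def group_by_stream(records, mappings):
    """Bucket records by target stream, preserving arrival order within a stream."""
    batches = defaultdict(list)
    for record in records:
        batches[resolve_stream(record, mappings)].append(record)
    return dict(batches)


def split_batches(records, max_bytes=MAX_REQUEST_BYTES):
    """Split records into JSON-array batches whose serialized size stays <= max_bytes.

    A single record larger than max_bytes becomes its own batch; the API will
    reject it, which is the correct outcome rather than hiding the problem.
    """
    batches, current, size = [], [], 2  # 2 bytes for the surrounding "[]"
    for record in records:
        item = len(json.dumps(record, separators=(",", ":")).encode("utf-8"))
        extra = item + (1 if current else 0)  # +1 for the comma separator
        if current and size + extra > max_bytes:
            batches.append(current)
            current, size, extra = [], 2, item
        current.append(record)
        size += extra
    if current:
        batches.append(current)
    return batches


def build_ingestion_url(dce_uri, dcr_immutable_id, stream):
    """Logs Ingestion API path: {DCE}/dataCollectionRules/{immutableId}/streams/{stream}."""
    return (f"{dce_uri.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{stream}?api-version={API_VERSION}")


def build_request(dce_uri, dcr_immutable_id, stream, records, bearer_token):
    """Return (url, headers, gzip body) for one batch; nothing is sent here."""
    body = gzip.compress(json.dumps(records, separators=(",", ":")).encode("utf-8"))
    headers = {
        "Authorization": f"Bearer {bearer_token}",
        "Content-Type": "application/json",
        "Content-Encoding": "gzip",
    }
    return build_ingestion_url(dce_uri, dcr_immutable_id, stream), headers, body


def plan_requests(records, mappings, dce_uri, dcr_immutable_id, bearer_token,
                  max_bytes=MAX_REQUEST_BYTES):
    """Full pipeline: route -> size-split -> build one request per batch."""
    planned = []
    for stream, stream_records in group_by_stream(records, mappings).items():
        for batch in split_batches(stream_records, max_bytes):
            planned.append(build_request(dce_uri, dcr_immutable_id, stream, batch, bearer_token))
    return planned


if __name__ == "__main__":
    # Constructed DCE host and DCR immutable ID; the token is a placeholder.
    for url, headers, body in plan_requests(
            SAMPLE_RECORDS, STREAM_MAPPINGS,
            "https://praxis-demo-eastus.ingest.monitor.azure.com",
            "dcr-0123456789abcdef0123456789abcdef", "<token>"):
        print(url, headers["Content-Encoding"], len(body), "bytes")
```

Two points worth checking against your own DCR: the stream name in the URL must match the DCR's declared stream exactly (including the Custom- prefix), and the bearer token must be issued for the Azure Monitor resource (https://monitor.azure.com) by whichever auth mode you selected above; a token for a different resource, or an identity without Monitoring Metrics Publisher on the DCR, yields 403 even when the URL is right.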
Advanced (optional)
You can tune timeouts, retry, and backpressure queue behavior from the destination form. Defaults match typical production use; adjust if your network or Azure quotas require longer retries or different queue depth.
Collector version
This destination requires a Praxis Collector build that includes the Sentinel exporter; the minimum version is shown as Supports agent version on the node in the product for your tenant. Upgrade collectors if the UI indicates the node is not supported on the current agent version.
See also
- Integrations — Browse all sources, processors, and destinations.
- AWS Security Lake — OCSF logs to Amazon Security Lake custom sources.
- Google SecOps — Chronicle / SecOps export path (different API and credential model).