# Azure Monitor for Microsoft Sentinel (for GovCloud)

{% hint style="warning" %}
For Keeper GovCloud organizations only. For all other organizations, see the [Microsoft Sentinel](https://docs.keeper.io/en/enterprise-guide/event-reporting/microsoft-sentinel/microsoft-sentinel-with-azure-marketplace) integration page.
{% endhint %}

## Overview

Azure Monitor and Microsoft Sentinel are closely related: Sentinel is built on Azure Monitor's infrastructure for log management and data collection. Azure Monitor provides the foundational platform, including Log Analytics and the Azure Monitor Agent, and Sentinel consumes the data collected there for its security information and event management (SIEM) capabilities.

Keeper supports event streaming directly into Azure Monitor Log Analytics Workspace tables using the Azure [Logs Ingestion API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview). As of January 2025, this is the preferred method and API used for streaming event data into Azure logs.

## Setup Instructions

Go to the [Azure Portal](https://portal.azure.com/) to begin the setup.

### Step 1. Create an App Registration

The Azure App Registration is used to authenticate API requests to the Logs Ingestion API.

* Navigate to [**App registrations**](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) > **New Registration**.

Fill out the form:

* Name: `KeeperLogging`
* Supported Account Types: Use the default option (Single tenant).
* Leave Redirect URI blank for now.
* Click **Register**.

After registering:

* Expand Manage
* Click on "**Expose an API**"
* Click "Add" for the Application ID URI
* Accept the default suggested URI (it should be something like api://\[client-id])

### Step 2. Create Client Secret

From the [App Registrations](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) section of Azure, go to **Manage** > **Certificates & Secrets** > **New Client Secret**.

* Add a description and expiration period.
* Copy the generated "Value" and store it in your Keeper vault.
* Save this value for the last step ("Client Secret Value").

On the "Overview" screen, also note the Tenant ID and Display Name.

{% hint style="info" %}
Save the following entries for later:

* Application (client) ID
* Client Secret ID
* Client Secret Value
* Directory (tenant) ID on the App registrations page.
{% endhint %}

### Step 3. Create Log Analytics Workspace

A Log Analytics Workspace is the core resource where Azure Monitor collects and stores log data. If you already have one, you can skip this step.

* From Azure, go to [**Log Analytics Workspaces**](https://portal.azure.com/#browse/Microsoft.OperationalInsights%2Fworkspaces)
* Click **Create** and configure:
  * **Subscription:** Choose your Azure subscription.
  * **Resource Group:** Create a new resource group or select an existing one.
  * **Name:** Give your workspace a meaningful name (e.g., KeeperLogsWorkspace).
  * **Region:** Choose a region
  * Click **Review + Create** and then **Create**.

### Step 4. Assign Role to App Registration

You need to assign the KeeperLogging application the "Log Analytics Contributor" role on the Log Analytics Workspace. From the Log Analytics Workspace:

* Click on the Log Analytics workspace created in Step 3
* Select Access control (IAM)
* Select **Role assignments**
* Click **Add** > **Add role assignment**
* Type "**Log Analytics Contributor**" and select that role
* Click "Next"
* Click "**+Select members**" and select the KeeperLogging application from the list
* Click "Select"
* Choose "Review + assign"
* Verify "Added Role assignment" success

### Step 5. Create a Data Collection Endpoint (DCE)

The Data Collection Endpoint is required before you can create a Data Collection Rule.

* From Azure, open [Data Collection Endpoint](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionendpoints) (DCE)
* Search for "**Data Collection Endpoints**" and click **Create**.

Configure the following:

* **Subscription:** Select your Azure subscription.
* **Resource Group:** Use the same resource group you plan to use for the DCR.
* **Region:** Choose a region
* **Name:** Give it a meaningful name (e.g., `KeeperLogsEndpoint`).

Note the "Logs Ingestion URL", which is used later.

Example: `keeperlogsendpoint-mcag.eastus-1.ingest.monitor.azure.com`

### Step 6. Create a Table and DCR

From the Log Analytics workspaces, open the Keeper workspace, select "**Tables**" and create a new table. Use the following sample JSON as the sample data for the new table; it matches the structure of the events Keeper sends:

```
[
  {
    "TimeGenerated": "2025-01-23T01:31:11.123Z",
    "audit_event": "some_event",
    "remote_address": "10.15.12.192",
    "category": "some_category_id",
    "client_version": "EMConsole.17.0.0",
    "username": "email@company.com",
    "enterprise_id": 1234,
    "timestamp": "2025-01-23T01:31:11.123Z",
    "data": {
      "node_id": "abc12345",
      "record_uid": "B881237126",
      "folder_uid": "BCASD12345",
      "some_flag": true
    }
  },
  {
    "TimeGenerated": "2025-01-23T01:31:11.124Z",
    "audit_event": "some_event",
    "remote_address": "10.15.12.192",
    "category": "some_category_id",
    "client_version": "EMConsole.17.0.0",
    "username": "email@company.com",
    "enterprise_id": 1234,
    "timestamp": "2025-01-23T01:31:11.123Z",
    "data": {
      "node_id": "abc12345",
      "record_uid": "B881237126",
      "folder_uid": "BCASD12345",
      "some_flag": true
    }
  },
  {
    "TimeGenerated": "2025-01-23T01:31:11.125Z",
    "audit_event": "some_event",
    "remote_address": "10.15.12.192",
    "category": "some_category_id",
    "client_version": "EMConsole.17.0.0",
    "username": "email@company.com",
    "enterprise_id": 1234,
    "timestamp": "2025-01-23T01:31:11.123Z",
    "data": {
      "node_id": "abc12345",
      "record_uid": "B881237126",
      "folder_uid": "BCASD12345",
      "some_flag": true
    }
  }
]
```

Review the change and submit the request to create the table.

In this example, it shows up as **KeeperLogs\_CL** (Azure appends the \_CL).

### Step 7. Assign App Permissions to DCR

From the [Data collection rules](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules) (DCR) area of Azure:

* Click on the DCR (e.g. KeeperDCR)
* Navigate to Access control (IAM)
* Select **Role assignments**
* Click **Add** > **Add role assignment**
* Type "**Monitoring Metrics Publisher**" and select that role
* Click "Next"
* Click "**+Select members**" and select the KeeperLogging application from the list
* Assign it to the "KeeperLogging" application

Repeat this process and add "Monitoring Contributor" and "Monitoring Reader".

### Step 8. Assign App Permissions to DCE

From the [Data collection endpoints](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionendpoints) (DCE) area of Azure:

* Click on the DCE (e.g. KeeperLogsEndpoint)
* Select **Role assignments**
* Click **Add** > **Add role assignment**
* Type "**Monitoring Metrics Publisher**" and select that role
* Click "**+Select members**" and select the "**KeeperLogging**" application from the list
* Assign it to the "KeeperLogging" application

Repeat this process and add "Monitoring Contributor".

At this point, everything is configured on the Azure side. Next, set up the Admin Console.

### Step 9. Update Admin Console

In the [Keeper Admin Console](https://keepersecurity.com/console/), log in as the Keeper Administrator. Then go to **Reporting & Alerts** and select "**Azure Monitor Logs**".

Provide the following information from [Step 2](#id-2-create-client-secret) above into the Admin Console:

* **Azure Tenant ID:** You can find this from Azure's "Subscriptions" area.
* **Application (client) ID:** This is located in the App registration (KeeperLogging) overview screen
* **Client Secret Value:** This is the Client Secret Value from the app registration secrets.
* **Endpoint URL:** This is a URL assembled in the following specific format: `https://<collection_url>/dataCollectionRules/<dcr_id>/streams/<table>?api-version=2023-01-01`

To assemble the Endpoint URL:

* **\<Collection URL>** This comes from [Step (5)](#id-5-create-a-data-collection-endpoint-dce) above
* **\<DCR\_ID>** From the Data Collection Rule, copy the "Immutable Id" value, e.g. `dcr-xxxxxxx`
* **\<TABLE>** This is the table name created by Azure, e.g. `Custom-KeeperLogs_CL`

```
https://<Collection_URL>/dataCollectionRules/<DCR_ID>/streams/<TABLE>?api-version=2023-01-01
```

### Setup Complete!

When SIEM logs are sent from Keeper to Azure Monitor, the data will begin to populate in the Custom Logs table in a few minutes.

***

## Troubleshooting

For testing purposes only, you can generate a Bearer token and send an API request to the Azure Monitor API yourself to understand how the process works.

### Get a Bearer Token

Replace the following:

**\<Tenant\_ID>** Your Tenant ID from Step 9 above

**\<Application\_ID>** The Application (client) ID from Step 9 above

**\<Client\_Secret\_Value>** The Client Secret Value from Step 9 above

```
curl -X POST 'https://login.microsoftonline.com/<Tenant_ID>/oauth2/v2.0/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=<Application_ID>' \
--data-urlencode 'client_secret=<Client_Secret_Value>' \
--data-urlencode 'scope=https://monitor.azure.com/.default'
```

{% hint style="info" %}
The scope must change based on the environment:

* Azure public cloud: **<https://monitor.azure.com>**
* Azure US Government cloud: **<https://monitor.azure.us>**
{% endhint %}

Executing this curl request will produce a token:

```
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"xxxxx"}
```

Use the token and send a Curl request for a Keeper event log in the next step.

### Send SIEM Events

Send a curl request as shown below, replacing the following:

**\<ENDPOINT\_URL>** The constructed URL from [Step 9](#id-9-update-admin-console) above.

**\<TOKEN>** The Bearer token from above

```
curl -X POST "<ENDPOINT_URL>" \
-H "Authorization: Bearer <TOKEN>" \
-H "Content-Type: application/json" \
-d '[
    {
      "TimeGenerated": "2025-01-23T01:31:11.123Z",
      "audit_event": "event_one",
      "remote_address": "10.15.12.192",
      "category": "msp",
      "client_version": "EMConsole.17.0.0",
      "username": "email@company.com",
      "enterprise_id": 1234,
      "timestamp": "2025-01-23T01:31:11.123Z",
      "data": {
        "node_id": "abc12345",
        "record_uid": "B881237126",
        "folder_uid": "BCASD12345",
        "some_flag": true
      }
    },
    {
      "TimeGenerated": "2025-01-23T01:31:11.124Z",
      "audit_event": "event_two",
      "remote_address": "10.15.12.192",
      "category": "general",
      "client_version": "EMConsole.17.0.0",
      "username": "email@company.com",
      "enterprise_id": 1234,
      "timestamp": "2025-01-23T01:31:11.123Z",
      "data": {
        "node_id": "abc12345",
        "record_uid": "B881237126",
        "folder_uid": "BCASD12345",
        "some_flag": true
      }
    },
    {
      "TimeGenerated": "2025-01-23T01:31:11.125Z",
      "audit_event": "event_three",
      "remote_address": "10.15.12.192",
      "category": "security",
      "client_version": "EMConsole.17.0.0",
      "username": "email@company.com",
      "enterprise_id": 1234,
      "timestamp": "2025-01-23T01:31:11.123Z",
      "data": {
        "node_id": "abc12345",
        "record_uid": "B881237126",
        "folder_uid": "BCASD12345",
        "some_flag": true
      }
    }
  ]'
```

Note: The bearer token will expire after 1 hour.

The events will show up in Log Analytics Workspace after a few minutes.
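The Endpoint URL assembly from Step 9 and the token-then-send exchange above, written as one small Python client. This is an added example, not Keeper's or Microsoft's code; it uses only the standard library, and the Azure US Government authority (`login.microsoftonline.us`) and scope (`monitor.azure.us`) are the GovCloud counterparts of the public-cloud values shown in the curl commands. Tenant, client and DCR values are placeholders you fill in.

```python
import json
import urllib.parse
import urllib.request

# Token authority and Logs Ingestion scope per cloud (the scope is the value
# the hint above says must change between public cloud and GovCloud).
CLOUDS = {
    "public": ("https://login.microsoftonline.com", "https://monitor.azure.com/.default"),
    "usgov": ("https://login.microsoftonline.us", "https://monitor.azure.us/.default"),
}

def build_endpoint_url(collection_url, dcr_id, table):
    """Assemble the Endpoint URL in the Step 9 format and sanity-check its parts."""
    host = collection_url.replace("https://", "").rstrip("/")
    if not dcr_id.startswith("dcr-"):
        raise ValueError("DCR Immutable Id should look like dcr-xxxxxxx")
    if not (table.startswith("Custom-") and table.endswith("_CL")):
        raise ValueError("stream name should look like Custom-<Table>_CL")
    return f"https://{host}/dataCollectionRules/{dcr_id}/streams/{table}?api-version=2023-01-01"

def token_request(cloud, tenant_id, client_id, client_secret):
    """Return (url, form body) for the client-credentials token call."""
    authority, scope = CLOUDS[cloud]
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": scope})
    return f"{authority}/{tenant_id}/oauth2/v2.0/token", body

def validate_events(events):
    """The Logs Ingestion API takes a JSON array; every event needs TimeGenerated."""
    if not isinstance(events, list) or not events:
        raise ValueError("payload must be a non-empty JSON array of events")
    for event in events:
        if "TimeGenerated" not in event:
            raise ValueError("every event needs a TimeGenerated value")
    return json.dumps(events).encode()

def post(url, body, headers):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()

def send_events(cloud, tenant_id, client_id, client_secret, endpoint_url, events):
    """Fetch a token (valid about an hour) and post one batch; 204 means accepted."""
    tok_url, tok_body = token_request(cloud, tenant_id, client_id, client_secret)
    _, tok_json = post(tok_url, tok_body.encode(),
                       {"Content-Type": "application/x-www-form-urlencoded"})
    token = json.loads(tok_json)["access_token"]
    status, _ = post(endpoint_url, validate_events(events),
                     {"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    return status
```

Call `send_events("usgov", "<Tenant_ID>", "<Application_ID>", "<Client_Secret_Value>", build_endpoint_url(...), events)` with the sample event array from the curl command; a `403` points at the Step 7/8 role assignments, a `400` at the payload or stream name.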
