# Legacy Azure Sentinel

{% hint style="danger" %}
Microsoft has deprecated this logging API. Please see the [Microsoft Sentinel](https://docs.keeper.io/en/enterprise-guide/event-reporting/microsoft-sentinel/microsoft-sentinel-with-azure-marketplace) integration page.
{% endhint %}

### Overview

Keeper supports event streaming into Azure Sentinel / Log Analytics environments. This document describes the legacy method of streaming logs, which is being deprecated in 2025. Use the [Azure Monitor](https://docs.keeper.io/event-reporting/microsoft-sentinel/azure-monitor.md) or [Microsoft Sentinel with Azure Marketplace](https://docs.keeper.io/en/enterprise-guide/event-reporting/microsoft-sentinel/microsoft-sentinel-with-azure-marketplace) method instead.

To proceed with this method... in Azure, go to Log Analytics workspaces > Select Workspace > Classic "Agents Management". From here you can retrieve a Workspace ID and Key. Provide these two fields to Keeper to start streaming logs to your selected workspace.

![Workspace ID and Key](https://4290574019-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LO5CAzpxoaEquZJBpYz%2F-MkEx4vXiPu26bSQKXWq%2F-MkExISi9NUIw9g_dPB_%2FScreen%20Shot%202021-09-22%20at%204.56.51%20PM.png?alt=media\&token=43e98964-a259-41a7-9aee-6616f07b5f8c)

<figure><img src="https://4290574019-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LO5CAzpxoaEquZJBpYz%2Fuploads%2FKI35hleFnzARHFWRZE2A%2Fimage.png?alt=media&#x26;token=ee8e3700-b5a8-4345-82f0-62e37d388d78" alt=""><figcaption><p>Azure Sentinel Integration Settings</p></figcaption></figure>

Keeper will immediately start sending event data to the designated Azure Log Analytics workspace, under a custom table named `Keeper_CL`.

To view the logs, open the **Log Analytics Workspace** > **Logs** > select the `Keeper_CL` table.

<figure><img src="https://4290574019-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LO5CAzpxoaEquZJBpYz%2Fuploads%2F9VPkPN60qNOSv115CQWZ%2FScreenshot%202025-02-03%20at%208.38.56%E2%80%AFPM.png?alt=media&#x26;token=d409f839-e696-4588-a282-75156b742b3d" alt=""><figcaption><p>Log Analytics Workspace Logs</p></figcaption></figure>

### Troubleshooting

If you need to troubleshoot the event log APIs, the below Python script will simulate the Keeper backend system sending event logs to your Azure environment. Replace the Workspace ID and Workspace Key before testing it.

{% code lineNumbers="true" %}

```python
import base64
import datetime
import hmac
import hashlib
import requests
import json

# Configuration
workspace_id = 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx'
workspace_key = 'xxxxxx'
log_type = 'Keeper'

# Sample body
body = [
{
  "audit_event": "role_created",
  "remote_address": "11.22.33.44",
  "category": "policy",
  "client_version": "EMConsole.17.0.0",
  "username": "user@company.com",
  "enterprise_id": 6557,
  "timestamp": "2025-01-12T00:03:44.743Z",
  "role_id": "28162100560074"
},
{
  "audit_event": "role_enforcement_changed",
  "remote_address": "11.22.33.55",
  "category": "policy",
  "client_version": "EMConsole.17.0.0",
  "timestamp": "2025-01-13T00:03:44.743Z",
  "username": "user@company.com",
  "enterprise_id": 6557,
  "role_id": "28162100560074",
  "enforcement": "RESEND_ENTERPRISE_INVITE_IN_X_DAYS",
  "value": "7"
},
{
  "audit_event": "role_enforcement_changed",
  "remote_address": "11.22.33.66",
  "category": "policy",
  "client_version": "EMConsole.17.0.0",
  "timestamp": "2025-01-14T00:03:44.776Z",
  "username": "user@company.com",
  "enterprise_id": 6557,
  "role_id": "28162100560074",
  "enforcement": "SEND_BREACH_WATCH_EVENTS",
  "value": "ON"
},
{
  "audit_event": "role_enforcement_changed",
  "remote_address": "11.22.33.77",
  "category": "policy",
  "client_version": "EMConsole.17.0.0",
  "timestamp": "2025-01-15T00:03:44.835Z",
  "username": "user@company.com",
  "enterprise_id": 6557,
  "role_id": "28162100560074",
  "enforcement": "GENERATED_PASSWORD_COMPLEXITY",
  "value": "[{\"domains\":[\"_default_\"],\"length\":20,\"lower-use\":false,\"lower-min\":5}]"
},
{
  "audit_event": "audit_alert_sent",
  "category": "usage",
  "client_version": "Keeper Service.1.2.0",
  "username": "ALERT",
  "enterprise_id": 6557,
  "timestamp": "2025-01-16T01:31:11.123Z",
  "origin": "admin_permission_added",
  "name": "XXX123",
  "recipient": "user@company.com,+19165551212",
  "username_new": true,
  "client_version_new": true
}]

body_json = json.dumps(body)
method = 'POST'
content_type = 'application/json'
resource = '/api/logs'
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body_json)

signature_string = f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123date}\n{resource}"
decoded_key = base64.b64decode(workspace_key)
signature = base64.b64encode(hmac.new(decoded_key, signature_string.encode('utf-8'), hashlib.sha256).digest()).decode('utf-8')

headers = {
    'Content-Type': content_type,
    'Authorization': f'SharedKey {workspace_id}:{signature}',
    'Log-Type': log_type,
    'x-ms-date': rfc1123date
}

uri = f'https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01'

response = requests.post(uri, data=body_json, headers=headers)
print(f"Response code: {response.status_code}")
print(f"Response message: {response.text}")
```

{% endcode %}