This guide walks you through configuring Microsoft Sentinel as a SIEM provider with Synqly.
The first step depends on whether you need data ingestion. Select the appropriate tab in Step 1:
- With data ingestion (recommended): Use the Synqly CCF Push connector from the Microsoft Sentinel Content Hub. This automatically provisions the Entra application and the resources needed for ingesting data into Sentinel.
- Without data ingestion: Manually create a Microsoft Entra ID application.
After the application is created, the remaining steps — permissions, workspace values, and integration configuration — are the same for both paths.
Some Synqly features (such as alerts) require your Sentinel workspace to be connected to the Microsoft Defender portal. Microsoft requires all workspaces to transition by March 31, 2027, and workspaces created after July 2025 are automatically connected.
If your workspace is not yet connected, see our Microsoft Sentinel Defender Portal Migration Guide for instructions.
The Synqly Integration solution is published in the Microsoft Sentinel Content Hub as a CCF Push connector. Deploying it automatically provisions the Entra application, Data Collection Rule, Data Collection Endpoint, and role assignments in a single step.
Prerequisites:
- A Microsoft Sentinel workspace
- Application Developer role (or higher) in Microsoft Entra ID — to create an app registration
- Owner or User Access Administrator on the Azure subscription — to assign the Monitoring Metrics Publisher role on the Data Collection Rule
Install the solution:
- In the Azure portal, navigate to your Microsoft Sentinel workspace
- Go to Content Hub
- Search for Synqly Integration
- Select the solution and click Install
Alternatively, find the solution directly in the Azure Marketplace.
Deploy the connector:
- After installation, go to Configuration → Data connectors
- Search for and select the Synqly connector
- Click Open connector page
- Click the Deploy button
The deployment automatically creates:
- A Microsoft Entra application with credentials
- A Data Collection Rule (DCR) and Data Collection Endpoint (DCE)
- Required role assignments (Monitoring Metrics Publisher)
Collect the connection details:
After deployment completes, the connector page displays the following values. Copy each one — you will need them later:
- Tenant ID
- Application (Client) ID
- Client Secret
- Data Collection Endpoint URI (this is the Ingest URL)
- Data Collection Rule Immutable ID (this is the Rule ID)
- Stream Name
Regardless of which option you chose above, the application needs the following permissions:
- Microsoft Sentinel Contributor role on the Log Analytics workspace
SecurityAlert.Read.AllMicrosoft Graph API application permission (with admin consent granted)
Add Azure role assignments on the Log Analytics workspace:
- In the Azure portal, navigate to the Log Analytics workspace used by Sentinel
- Go to Access control (IAM) → + Add → Add role assignment
- Search for a role from the list below, select it, and click Next
- Microsoft Sentinel Contributor
- Click + Select members, add the application from Step 1, and click Select
- Click Review + assign
- Repeat steps 2–5 until all roles above have been assigned
Add Microsoft Graph API permissions:
- Go to Microsoft Entra ID → App registrations
- Select the application from Step 1
- Go to API permissions → Add a permission
- Select Microsoft Graph → Application permissions
- Search for a permission from the list below, check it, and click Add permissions
SecurityAlert.Read.All
- Repeat steps 3–5 until all permissions above have been added
- Back on the API permissions page, click Grant admin consent for [your tenant]
The admin consent step requires a Global Administrator or Privileged Role Administrator. This is a one-time action.
- In the Azure portal, navigate to your Log Analytics workspace
- On the Overview page, note the following values:
- Resource Group
- Subscription ID
- Workspace Name
- Workspace ID
Create your integration by supplying the following values.
Tenant ID The Directory (tenant) ID from your Entra application (Step 1).
Client ID The Application (client) ID from your Entra application (Step 1).
Client Secret The client secret value from your Entra application (Step 1).
Resource Group The Azure resource group name containing the Sentinel workspace (Step 3).
Subscription ID The Azure subscription ID containing the Sentinel workspace (Step 3).
Workspace ID The Log Analytics workspace ID (Step 3).
Workspace Name The Log Analytics workspace name (Step 3).
Ingest URL (ingestion only) The Data Collection Endpoint URI from the CCF Push connector deployment (Step 1, CCF Push Connector tab).
Rule ID (ingestion only) The Data Collection Rule Immutable ID from the CCF Push connector deployment (Step 1, CCF Push Connector tab).
Stream Name (ingestion only) The Stream Name from the CCF Push connector deployment (Step 1, CCF Push Connector tab).
Logs URL (optional) The root URL for the Microsoft Azure Monitor Logs API. Only needed for alternate Microsoft clouds such as GovCloud. Default: https://api.loganalytics.azure.com
Management URL (optional) The root URL for the Microsoft Azure Management API. Only needed for alternate Microsoft clouds such as GovCloud. Default: https://management.azure.com