# Microsoft Sentinel SIEM Configuration Guide

This guide walks you through configuring Microsoft Sentinel as a SIEM provider with Synqly.

The first step depends on whether you need data ingestion. Select the appropriate tab in Step 1:

- **With data ingestion (recommended):** Use the Synqly CCF Push connector from the Microsoft Sentinel Content Hub. This automatically provisions the Entra application and the resources needed for ingesting data into Sentinel.
- **Without data ingestion:** Manually create a Microsoft Entra ID application.


After the application is created, the remaining steps — permissions, workspace values, and integration configuration — are the same for both paths.

**Defender Portal Required**

Some Synqly features (such as alerts) require your Sentinel workspace to be connected to the [Microsoft Defender portal](https://security.microsoft.com). Microsoft requires all workspaces to transition by March 31, 2027, and workspaces created after July 2025 are automatically connected.

If your workspace is not yet connected, see our [Microsoft Sentinel Defender Portal Migration Guide](/guides/provider-configuration/microsoft-sentinel-defender-migration) for instructions.

## Step 1: Create the Entra ID Application

### CCF Push Connector (Recommended)

The Synqly Integration solution is published in the [Microsoft Sentinel Content Hub](https://portal.azure.com) as a CCF Push connector. Deploying it automatically provisions the Entra application, Data Collection Rule, Data Collection Endpoint, and role assignments in a single step.

**Prerequisites:**

- A Microsoft Sentinel workspace
- **Application Developer** role (or higher) in Microsoft Entra ID — to create an app registration
- **Owner** or **User Access Administrator** on the Azure subscription — to assign the Monitoring Metrics Publisher role on the Data Collection Rule


**Install the solution:**

1. In the Azure portal, navigate to your **Microsoft Sentinel** workspace
2. Go to **Content Hub**
3. Search for **Synqly Integration**
4. Select the solution and click **Install**


Alternatively, find the solution directly in the [Azure Marketplace](https://marketplace.microsoft.com/en-us/product/saas/synqlyinc1759267074521.azure-sentinel-solution-synqly-integration).

**Deploy the connector:**

1. After installation, go to **Configuration** → **Data connectors**
2. Search for and select the Synqly connector
3. Click **Open connector page**
4. Click the **Deploy** button


The deployment automatically creates:

- A Microsoft Entra application with credentials
- A Data Collection Rule (DCR) and Data Collection Endpoint (DCE)
- Required role assignments (Monitoring Metrics Publisher)


**Collect the connection details:**

After deployment completes, the connector page displays the following values. Copy each one — you will need them later:

- **Tenant ID**
- **Application (Client) ID**
- **Client Secret**
- **Data Collection Endpoint URI** (this is the Ingest URL)
- **Data Collection Rule Immutable ID** (this is the Rule ID)
- **Stream Name**


### Manual Registration (No Ingestion)

Use this option if you do not need to ingest data into Sentinel.

1. In the [Azure portal](https://portal.azure.com), search for **App Registrations** and navigate there
2. Click **+ New registration**
3. Enter a name for the application and click **Register**
4. Note the **Application (client) ID** and **Directory (tenant) ID**


**Create a client secret:**

1. Under **Manage**, select **Certificates & secrets**
2. Under **Client secrets**, click **+ New client secret**
3. Enter a description, choose an expiration duration, and click **Add**
4. Copy the secret **Value** immediately — it will not be shown again


Without the CCF Push connector, data ingestion is not available. If you later need ingestion, follow the CCF Push Connector tab above to deploy the connector, then update your integration configuration with the new application credentials and ingestion details.

## Step 2: Assign Permissions

Regardless of which option you chose above, the application needs the following permissions:

- **Microsoft Sentinel Contributor** role on the Log Analytics workspace
- **`SecurityAlert.Read.All`** Microsoft Graph API application permission (with admin consent granted)


**Add Azure role assignments on the Log Analytics workspace:**

1. In the [Azure portal](https://portal.azure.com), navigate to the **Log Analytics workspace** used by Sentinel
2. Go to **Access control (IAM)** → **+ Add** → **Add role assignment**
3. Search for a role from the list below, select it, and click **Next**
  - **Microsoft Sentinel Contributor**
4. Click **+ Select members**, add the application from Step 1, and click **Select**
5. Click **Review + assign**
6. Repeat steps 2–5 until all roles above have been assigned


**Add Microsoft Graph API permissions:**

1. Go to **Microsoft Entra ID** → **App registrations**
2. Select the application from Step 1
3. Go to **API permissions** → **Add a permission**
4. Select **Microsoft Graph** → **Application permissions**
5. Search for a permission from the list below, check it, and click **Add permissions**
  - `SecurityAlert.Read.All`
6. Repeat steps 3–5 until all permissions above have been added
7. Back on the API permissions page, click **Grant admin consent for [your tenant]**


The admin consent step requires a Global Administrator or Privileged Role Administrator. This is a one-time action.

## Step 3: Gather the Log Analytics Workspace Values

1. In the Azure portal, navigate to your **Log Analytics workspace**
2. On the Overview page, note the following values:
  - **Resource Group**
  - **Subscription ID**
  - **Workspace Name**
  - **Workspace ID**


## Step 4: Configure the Integration

Create your integration by supplying the following values.

**Tenant ID**
The Directory (tenant) ID from your Entra application (Step 1).

**Client ID**
The Application (client) ID from your Entra application (Step 1).

**Client Secret**
The client secret value from your Entra application (Step 1).

**Resource Group**
The Azure resource group name containing the Sentinel workspace (Step 3).

**Subscription ID**
The Azure subscription ID containing the Sentinel workspace (Step 3).

**Workspace ID**
The Log Analytics workspace ID (Step 3).

**Workspace Name**
The Log Analytics workspace name (Step 3).

**Ingest URL** *(ingestion only)*
The Data Collection Endpoint URI from the CCF Push connector deployment (Step 1, CCF Push Connector tab).

**Rule ID** *(ingestion only)*
The Data Collection Rule Immutable ID from the CCF Push connector deployment (Step 1, CCF Push Connector tab).

**Stream Name** *(ingestion only)*
The Stream Name from the CCF Push connector deployment (Step 1, CCF Push Connector tab).

**Logs URL** *(optional)*
The root URL for the Microsoft Azure Monitor Logs API. Only needed for alternate Microsoft clouds such as GovCloud. Default: `https://api.loganalytics.azure.com`

**Management URL** *(optional)*
The root URL for the Microsoft Azure Management API. Only needed for alternate Microsoft clouds such as GovCloud. Default: `https://management.azure.com`
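As an added example that is not part of this guide and not Synqly's or Microsoft's code, the following Python preflight script takes the Step 4 values and checks them the way a practitioner would before saving the integration: it validates the values for internal consistency (GUID shapes, the all-or-nothing ingestion fields, https URLs), then obtains a client-credentials token for each API the integration uses and makes one minimal read-only call per API, so that a failed token request points at the Step 1 credentials and a 403 on a specific probe points at the Step 2 permission that is missing. The REST endpoints and API versions are Microsoft's public ones; the configuration key names, the choice of probes, the assumed `dcr-` shape of the Rule ID, and deriving the token scope from the Logs and Management URLs (for GovCloud) are assumptions of this example.

```python
"""Preflight check for a Microsoft Sentinel integration configuration.

Added example, not Synqly's or Microsoft's code. Config key names mirror the
Step 4 labels; probe choices and scope derivation are this example's own.
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
DCR_ID = re.compile(r"^dcr-[0-9a-f]{32}$", re.IGNORECASE)  # assumed shape of a DCR immutable ID
INGEST_KEYS = ("ingest_url", "rule_id", "stream_name")
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def validate_config(cfg: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the Step 4 values are consistent."""
    problems = []
    for key in ("tenant_id", "client_id", "subscription_id", "workspace_id"):
        if not GUID.match(cfg.get(key, "")):
            problems.append(f"{key}: expected a GUID")
    for key in ("client_secret", "resource_group", "workspace_name"):
        if not cfg.get(key):
            problems.append(f"{key}: missing")
    present = [k for k in INGEST_KEYS if cfg.get(k)]
    if present and len(present) != len(INGEST_KEYS):  # ingestion values are all-or-nothing
        problems.append("ingestion partially configured; missing "
                        + ", ".join(k for k in INGEST_KEYS if k not in present))
    if cfg.get("rule_id") and not DCR_ID.match(cfg["rule_id"]):
        problems.append("rule_id: expected the DCR immutable ID (dcr-<32 hex chars>)")
    for key in ("ingest_url", "logs_url", "management_url"):
        if cfg.get(key) and not cfg[key].startswith("https://"):
            problems.append(f"{key}: must be an https URL")
    return problems


def token_request(cfg: Dict[str, str], scope: str) -> Tuple[str, bytes]:
    """Build the OAuth2 client-credentials request (Entra v2 endpoint) for one scope."""
    url = f"https://login.microsoftonline.com/{cfg['tenant_id']}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": cfg["client_id"],
            "client_secret": cfg["client_secret"], "scope": scope}
    return url, urllib.parse.urlencode(form).encode()


def probe_plan(cfg: Dict[str, str]) -> Dict[str, Tuple[str, str, str]]:
    """Map each Step 2 permission to (token scope, method, URL) of one minimal call."""
    mgmt = cfg.get("management_url") or "https://management.azure.com"
    logs = cfg.get("logs_url") or "https://api.loganalytics.azure.com"
    plan = {
        # Microsoft Sentinel Contributor on the workspace: ARM read of the workspace
        "workspace": (f"{mgmt}/.default", "GET",
                      f"{mgmt}/subscriptions/{cfg['subscription_id']}/resourceGroups/"
                      f"{cfg['resource_group']}/providers/Microsoft.OperationalInsights/"
                      f"workspaces/{cfg['workspace_name']}?api-version=2022-10-01"),
        # Same role through the Logs API, with a KQL query that reads no table
        "logs": (f"{logs}/.default", "GET",
                 f"{logs}/v1/workspaces/{cfg['workspace_id']}/query?"
                 + urllib.parse.urlencode({"query": "print 1"})),
        # SecurityAlert.Read.All (application permission, admin consent granted)
        "graph": ("https://graph.microsoft.com/.default", "GET",
                  "https://graph.microsoft.com/v1.0/security/alerts_v2?$top=1"),
    }
    if cfg.get("ingest_url"):
        # Monitoring Metrics Publisher on the DCR: the Logs Ingestion API endpoint the
        # integration posts to. Listed for reference; run_preflight skips writes.
        plan["ingest"] = ("https://monitor.azure.com/.default", "POST",
                          f"{cfg['ingest_url']}/dataCollectionRules/{cfg['rule_id']}"
                          f"/streams/{cfg['stream_name']}?api-version=2023-01-01")
    return plan


def _urllib_transport(method: str, url: str, headers: Dict[str, str],
                      body: Optional[bytes]) -> Tuple[int, bytes]:
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx are results here, not exceptions
        return err.code, err.read()


def run_preflight(cfg: Dict[str, str], transport: Transport = _urllib_transport) -> Dict[str, object]:
    """Return {probe: HTTP status}. A failed token request means the Step 1 credentials
    are wrong; a 403 on one probe means that probe's Step 2 permission is missing."""
    results: Dict[str, object] = {}
    for name, (scope, method, url) in probe_plan(cfg).items():
        if method != "GET":
            results[name] = "skipped (write)"
            continue
        tok_url, tok_body = token_request(cfg, scope)
        status, raw = transport("POST", tok_url,
                                {"Content-Type": "application/x-www-form-urlencoded"}, tok_body)
        if status != 200:
            results[name] = f"token request failed ({status})"
            continue
        token = json.loads(raw)["access_token"]
        status, _ = transport(method, url, {"Authorization": f"Bearer {token}"}, None)
        results[name] = status
    return results
```

Call `validate_config(cfg)` first and fix anything it reports, then `run_preflight(cfg)` with a dict keyed by the Step 4 labels in snake case. The ingestion endpoint is only planned, never called, because any POST to the Logs Ingestion API writes a record into the workspace; the transport is injectable so the plan can be unit-tested without a tenant.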