
Sending SlashID Detections to Microsoft Sentinel

SlashID can forward real-time identity security detections directly to your Microsoft Sentinel environment using the Azure Monitor HTTP Data Collector API. This guide walks you through the steps to configure Azure and connect it with SlashID.


Step 1: Locate Your Log Analytics Workspace

  1. Log in to the Azure Portal.
  2. Navigate to Log Analytics workspaces.
  3. Select the workspace that is connected to your Microsoft Sentinel instance.
Info: If you don't have a Log Analytics workspace connected to Sentinel yet, create one first by going to Microsoft Sentinel > Create and following the setup wizard.


Step 2: Collect Workspace ID and Shared Key

  1. In your Log Analytics workspace, go to Settings > Agents.
  2. Expand Log Analytics agent instructions.
  3. Note down the following values:
Field | Description
Workspace ID | A unique identifier for your Log Analytics workspace (GUID format)
Primary Key or Secondary Key | The shared key used for authentication
Caution: Keep your shared key secure. Anyone with this key can send data to your workspace. You can use either the Primary or Secondary key; both work identically.


Step 3: Choose a Log Type Name

Decide on a Log Type name for your SlashID detections. This name will be used to create a custom log table in your Log Analytics workspace.

Recommendations:

  • Use a descriptive name like SlashIDDetections or IdentitySecurityFindings
  • Use only alphanumeric characters (no spaces or special characters)
  • The table will appear in Sentinel with a _CL suffix (e.g., SlashIDDetections_CL)

Step 4: Configure SlashID to Send Detections

  1. In the SlashID Console, go to Identity Protection > Configuration > Integrations.
  2. Click Add Integration and select Microsoft Sentinel from the list.
  3. Fill in the integration details:
SlashID Console Field | Description
Workspace ID | The Log Analytics Workspace ID from Step 2
Shared Key | The Primary or Secondary key from Step 2
Log Type | Your chosen log type name (e.g., SlashIDDetections)
  4. Select which types of detections (Risk Category) and severity levels you want to sync.
  5. Click Connect to save and activate the integration.

Step 5: Verify Data in Microsoft Sentinel

Once configured, SlashID will stream detection events to your Sentinel instance. To verify the integration is working:

  1. In the Azure Portal, navigate to your Log Analytics workspace.
  2. Go to Logs and run the following query (replace with your log type name):
SlashIDDetections_CL
| take 10
Info: It may take a few minutes for the first events to appear. Custom log tables are created automatically when the first data is received.


Data Format

SlashID sends detections in the OCSF Detection Finding format. Each event includes:

Field | Description
TimeGenerated | Timestamp of when the detection was generated
Data | The full detection payload in OCSF format

The Data field contains detailed information about the detection, including:

  • Detection type and category
  • Severity and confidence score
  • Affected entities and resources
  • Remediation recommendations
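To see what the integration does with the values collected in Steps 2 through 4, and the shape of the payload described under Data Format, here is an added standalone Python example (not SlashID's own code) that builds the signed request the Azure Monitor HTTP Data Collector API expects: HMAC-SHA256 over a canonical string, keyed with the base64-decoded shared key, sent as a SharedKey Authorization header alongside the Log-Type header. The workspace ID, shared key and OCSF record are constructed placeholders; the record is a simplified OCSF Detection Finding, not real SlashID output, and nothing is actually sent.

```python
import base64, hashlib, hmac, json, re
from datetime import datetime, timezone

API_RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"

def is_valid_log_type(name: str) -> bool:
    """Page guidance: alphanumeric only; Azure also caps the name at 100 characters."""
    return bool(re.fullmatch(r"[A-Za-z0-9]+", name)) and len(name) <= 100

def build_string_to_sign(content_length: int, date_rfc1123: str,
                         method: str = "POST",
                         content_type: str = "application/json") -> str:
    """Canonical string the Data Collector API expects the client to sign."""
    return (f"{method}\n{content_length}\n{content_type}\n"
            f"x-ms-date:{date_rfc1123}\n{API_RESOURCE}")

def build_authorization(workspace_id: str, shared_key_b64: str,
                        content_length: int, date_rfc1123: str) -> str:
    """HMAC-SHA256 over the string-to-sign, keyed with the base64-decoded shared key."""
    key = base64.b64decode(shared_key_b64)
    msg = build_string_to_sign(content_length, date_rfc1123).encode("utf-8")
    sig = base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()
    return f"SharedKey {workspace_id}:{sig}"

def build_request(workspace_id, shared_key_b64, log_type, records, date_rfc1123=None):
    """Return (url, headers, body) for one POST of a JSON array of records; nothing is sent."""
    if not is_valid_log_type(log_type):
        raise ValueError(f"invalid Log-Type: {log_type!r}")
    body = json.dumps(records).encode("utf-8")
    if date_rfc1123 is None:  # x-ms-date must be the current UTC time in RFC 1123 form
        date_rfc1123 = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_authorization(workspace_id, shared_key_b64, len(body), date_rfc1123),
        "Log-Type": log_type,  # table appears in Sentinel as <log_type>_CL
        "x-ms-date": date_rfc1123,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{API_RESOURCE}?api-version={API_VERSION}"
    return url, headers, body

# Constructed sample: a simplified OCSF Detection Finding (class_uid 2004), not real SlashID output.
SAMPLE_RECORDS = [{"class_uid": 2004, "severity_id": 3, "severity": "Medium",
                   "message": "Impossible travel for user alice@example.com (constructed)"}]
# Constructed demo key; the real one is the base64 Primary/Secondary key from the Azure Portal.
DEMO_SHARED_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret").decode()
DEMO_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"  # placeholder GUID
```

Feeding a key that has been rotated, or a workspace ID that does not match the key, produces the authentication errors the Troubleshooting section describes, because the signature no longer verifies on Azure's side.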

Troubleshooting

Events not appearing in Sentinel

  1. Verify your Workspace ID is correct (it should be a GUID)
  2. Check that your Shared Key hasn't been rotated
  3. Ensure your Log Analytics workspace has sufficient capacity
  4. Wait at least 5 minutes for initial data ingestion

Authentication errors

If you see authentication errors in SlashID:

  1. Regenerate your Shared Key in the Azure Portal
  2. Update the key in the SlashID Console
  3. Verify the Workspace ID matches exactly (case-sensitive)

Need Help?

If you run into issues during setup or need assistance with custom configurations, reach out to support@slashid.dev.