Sentinel Replication
Sandfly supports the replication of results data to an external Sentinel database for independent, long-term storage and analysis.
INFO: Upgrade Feature - Sentinel Replication
The ability to configure and use Sentinel Replication requires an upgraded plan. Please see https://www.sandflysecurity.com/get-sandfly/ for details.
Configure Sentinel for Result Replication
Prepare the Azure Workspace
To send events from Sandfly to Microsoft Sentinel, there are four main steps required to configure the Azure Monitor.
- Create Credentials via Azure App Registration
- Application (client) ID
- Directory (tenant) ID
- Application Secret Value
- Configure the Role Assignment for the Application
- Create a Data Collection Endpoint (DCE)
- Logs ingestion endpoint URL
- Create Custom Tables for Sandfly Events
- Data Collection Rule (DCR)
- Custom Table Stream Name
- Results Table
- Host Assets Table (optional)
- SSH Keys Table (optional)
Once all the steps are complete, there will be 6-8 artifacts required to configure the Sandfly Server connection to Azure Sentinel.
- Application (client) ID
- Directory (tenant) ID
- Application Secret Value
- Logs Ingestion Endpoint URL
- Data Collection Rule (DCR) Immutable ID
- Results Custom Table Stream Name
- Host Assets Custom Table Stream Name (optional)
- SSH Keys Custom Table Stream Name (optional)
Create Credentials via Azure App Registration
- Navigate to the Azure Portal Home as an Administrator
- Search for and navigate to the portal App registrations section
- Click on New registration
- Name the application, for example: app-SandflyReplication
- Select Accounts in this organizational directory only
- Ignore the Redirect URI
- Click on Register
- On the Overview blade
- Save the Application (client) ID
- Save the Directory (tenant) ID
- On the Overview blade, click on Add a certificate or secret
- Click on New client secret
- Enter a Description
- Select the Expires value (Recommended default is 180 days)
- NOTE: Save the Value now as you will not be able to view it later
NOTE: Make sure you have saved the following values from this section:
- Application (client) ID
- Directory (tenant) ID
- Application Secret Value
Configure the Role Assignment for the Application
- Navigate to the Azure Portal Home
- Open Subscriptions and select the Subscription Name
- Click on Access Control (IAM)
- Select Add > Add role assignment
- Search for and select Monitoring Metrics Publisher
- Click Next
- On the Add role assignment blade, verify the role is Monitoring Metrics Publisher
- Click Select Members
- In the Search by name or email address type the name of the Application (app-SandflyReplication)
- Click on the Application Name
- Verify the Application is listed under Selected members
- Click Select
- Verify the Application is listed under the Members section
- Click Review + assign and verify the Application is listed under the Members section
- Click Review + assign again
- Select the Role assignments tab, click Refresh and verify the Application is listed under Monitoring Metrics Publisher
Create a Data Collection Endpoint
- In the Azure Portal, search for and navigate to Data collection endpoints
- Click Create
- Enter the Endpoint Name, for example: dce-SandflyReplication
- Select the Subscription
- Select or Create new Resource Group, for example: rg-SandflyReplication
- Select the Region
- Click Review + create
- Review the details and click Create
- Click Refresh to verify the new DCE has been created
- Select the newly created DCE
- On the Overview blade
- Save the Logs Ingestion endpoint URL (e.g., https://dce-sandflyreplication-abcd.eastus2-1.ingest.monitor.azure.com)
- Endpoint URL Format: https://<Endpoint-Name>-<Identifier>.<Region>.ingest.monitor.azure.com
NOTE: make sure you have saved the following values from this section:
- Logs Ingestion Endpoint URL
Create a Custom Table for Sandfly Results
- In the Azure Portal, search for and navigate to the Log Analytics workspaces and select your workspace
- Expand the Settings section and select Tables
- Click on Create > New custom log (DCR-based)
- Enter the Table Name, for example: SandflyResults (Note: do not add the _CL extension, it is added automatically)
- Enter the (Optional) Description
- Click Create a new data collection rule
- Select the Subscription and Resource group
- Enter the Name, for example: dcr-SandflyReplication
- Click Done
- Select the Data collection endpoint created previously
- Click Next
- On the Schema and transformation blade
- Select Upload sample file and browse for the sentinel_template.json file, which is included in the sandfly-setup bundle in the following directory: sandfly-setup/integrations/sentinel/
- Verify the fields and data are uploaded correctly
- Click Next
- Click Create
- In the Filter by name box, type _CL to verify the new Custom Table appears in the Tables list (may need to refresh the page)
- Select the Table and click on the three dots in the far right column and select Manage table
- Click on the Data Collection Rule created in Step 6 above
- On the DCR Overview blade
- Save the DCR Immutable Id (e.g., dcr-15f5913c29774ff18b2ab926829741bf)
- Click on JSON View and save the streamDeclarations custom table stream name (e.g., Custom-SandflyResults_CL)
NOTE: make sure you have saved the following values from this section:
- Data Collection Rule Immutable ID
- Custom Table Stream Name (Results)
Create a Custom Table for Sandfly Host Assets (optional)
- In the Azure Portal, search for and navigate to the Log Analytics workspaces and select your workspace
- Expand the Settings section and select Tables
- Click on Create > New custom log (DCR-based)
- Enter the Table Name, for example: SandflyHostAssets (Note: do not add the _CL extension, it is added automatically)
- Enter the (Optional) Description
- Select the Data collection rule created in the above section for the Results.
- Click Next
- On the Schema and transformation blade
- Select Upload sample file and browse for the sandfly_template_hosts.json file, which is included in the sandfly-setup bundle in the following directory: sandfly-setup/integrations/sentinel/
- Verify the fields and data are uploaded correctly
- Click Next
- Click Create
- In the Filter by name box, type _CL to verify the new Custom Table appears in the Tables list (may need to refresh the page)
- Select the Table and click on the three dots in the far right column and select Manage table
- Click on the Data Collection Rule
- On the DCR Overview blade, click on JSON View
- Scroll down until you find the table in the streamDeclarations section, and save the new custom table stream name (e.g., Custom-SandflyHostAssets_CL) (may need to refresh the page)
NOTE: make sure you have saved the following values from this section:
- Custom Table Stream Name (Host Assets)
Create a Custom Table for Sandfly SSH Keys (optional)
- In the Azure Portal, search for and navigate to the Log Analytics workspaces and select your workspace
- Expand the Settings section and select Tables
- Click on Create > New custom log (DCR-based)
- Enter the Table Name, for example: SandflySSHKeys (Note: do not add the _CL extension, it is added automatically)
- Enter the (Optional) Description
- Select the Data collection rule created in the above section for the Results.
- Click Next
- On the Schema and transformation blade
- Select Upload sample file and browse for the _sandfly_template_sshkey.json file, which is included in the sandfly-setup bundle in the following directory: sandfly-setup/integrations/sentinel/
- Verify the fields and data are uploaded correctly
- Click Next
- Click Create
- In the Filter by name box, type _CL to verify the new Custom Table appears in the Tables list (may need to refresh the page)
- Select the Table and click on the three dots in the far right column and select Manage table
- Click on the Data Collection Rule
- On the DCR Overview blade, click on JSON View
- Scroll down until you find the table in the streamDeclarations section, and save the new custom table stream name (e.g., Custom-SandflySSHKeys_CL) (may need to refresh the page)
NOTE: make sure you have saved the following values from this section:
- Custom Table Stream Name (SSH Keys)
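As an added check before entering these values on the Sandfly server (example code written for this page, not Sandfly's own replication client): it validates the shapes of the DCE URL, DCR immutable ID and stream name saved above, obtains a client-credentials token for the app registration, and posts one constructed record to the Results stream through the Azure Monitor Logs Ingestion API. The placeholder credentials, the example IDs reused from this page, and the record's column names are assumptions; the column names must match the schema uploaded from sentinel_template.json.

```python
import json
import re
import urllib.parse
import urllib.request
# Placeholders: replace with the values saved during the portal steps above.
TENANT_ID = "<Directory-tenant-ID>"
CLIENT_ID = "<Application-client-ID>"
CLIENT_SECRET = "<Application-secret-value>"
DCE_URL = "https://dce-sandflyreplication-abcd.eastus2-1.ingest.monitor.azure.com"
DCR_IMMUTABLE_ID = "dcr-15f5913c29774ff18b2ab926829741bf"
STREAM_NAME = "Custom-SandflyResults_CL"

# Expected shape of each saved artifact, taken from the examples in the steps above.
CHECKS = [
    (re.compile(r"^https://[a-z0-9-]+-[a-z0-9]+\.[a-z0-9-]+\.ingest\.monitor\.azure\.com$"),
     "DCE URL must look like https://<Endpoint-Name>-<Identifier>.<Region>.ingest.monitor.azure.com"),
    (re.compile(r"^dcr-[0-9a-f]{32}$"), "DCR immutable ID must look like dcr-<32 hex characters>"),
    (re.compile(r"^Custom-\w+_CL$"), "stream name must be the Custom-<Table>_CL value from the DCR JSON view"),
]

def validate_artifacts(dce_url, dcr_id, stream):
    """Return the problems found; an empty list means the three values look usable."""
    return [msg for (rx, msg), val in zip(CHECKS, (dce_url, dcr_id, stream)) if not rx.match(val)]

def ingestion_url(dce_url, dcr_id, stream):
    """Logs Ingestion API endpoint for one DCR stream."""
    return f"{dce_url}/dataCollectionRules/{dcr_id}/streams/{stream}?api-version=2023-01-01"

def get_token(tenant, client_id, secret):
    """Client-credentials token for the Azure Monitor ingestion audience."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": secret, "scope": "https://monitor.azure.com/.default"}).encode()
    req = urllib.request.Request(f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def send_events(token, url, events):
    """POST a JSON array to the stream; HTTP 204 means the DCR accepted it."""
    req = urllib.request.Request(url, data=json.dumps(events).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    # Constructed test record; column names are placeholders and must match the uploaded schema.
    event = {"TimeGenerated": "2024-01-01T00:00:00Z", "hostname": "test-host", "status": "alert"}
    if problems := validate_artifacts(DCE_URL, DCR_IMMUTABLE_ID, STREAM_NAME):
        raise SystemExit("\n".join(problems))
    token = get_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    print("HTTP", send_events(token, ingestion_url(DCE_URL, DCR_IMMUTABLE_ID, STREAM_NAME), [event]))
```

An HTTP 204 confirms that the app registration, role assignment, DCE, DCR and stream name all line up; a 403 points at the Monitoring Metrics Publisher assignment, which can take some minutes to propagate.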
Sentinel Replication - Sandfly Server Settings

Sentinel Replication Settings
The Sentinel Replication tab, available via the Settings > Server Configuration menu, contains the following settings that can be edited:
- Microsoft Sentinel Replication Enabled - Set it to true to enable access to the Sentinel Replication settings and activate the replication service.
- Application (Client) ID - Enter the value from the Sentinel configuration steps.
- Directory (Tenant) ID - Enter the value from the Sentinel configuration steps.
- Logs Ingestion Endpoint URL - The replication URL of the external Sentinel server with the general format of https://<Endpoint-Name>-<Identifier>.<Region>.ingest.monitor.azure.com similar to the reference image.
- Data Collection Rule (DCR) Immutable ID - Enter the value from the Sentinel configuration steps.
- Custom Table Stream Name - Enter the value from the Sentinel configuration steps for the Results custom table.
- Set Secret (optional) - If an Application Secret Value is set, toggle the switch on and enter the value.
- Alerts Only - Toggle whether to send only alert results or all results.
- SSH Enabled (optional) - Toggle to enable SSH Key replication.
- SSH Stream Name (optional) - When SSH Enabled is enabled, enter the value from the Sentinel configuration steps for the SSH Keys custom table.
- Host Enabled (optional) - Toggle to enable Host Assets replication.
- Host Stream Name (optional) - When Host Enabled is enabled, enter the value from the Sentinel configuration steps for the Host Assets custom table.