# Azure Sentinel

TapPass ships audit events to Azure Sentinel via the Log Analytics HTTP Data Collector API. Events land in a custom log table (`TapPass_CL`) that you can query with KQL alongside everything else in your Sentinel workspace. Note that Microsoft has deprecated the HTTP Data Collector API in favour of the Logs Ingestion API (data collection rules); the export still works, but check Microsoft's retirement timeline before building new dependencies on it.
## 1. Get workspace credentials

Azure → Log Analytics workspace → Settings → Agents → Log Analytics agent instructions:

- Workspace ID
- Primary or secondary key

The shared key is a workspace-wide write credential: anyone holding it can post arbitrary rows into any custom table in the workspace, including forged TapPass audit events. Keep it in your secret store rather than in the TapPass config file, and use the secondary key to rotate without downtime.
## 2. Configure TapPass

```yaml
exports:
  - name: sentinel-prod
    destination: azure_sentinel
    format: json            # Sentinel parses JSON natively
    batch:
      max_size: 500
      max_wait_seconds: 10
    azure_sentinel:
      workspace_id: "${AZURE_WORKSPACE_ID}"
      shared_key: "${AZURE_WORKSPACE_KEY}"
      log_type: TapPass     # becomes "TapPass_CL" in Sentinel
```

The `${...}` references are resolved from the environment, so the key itself never has to be written to disk.

## 3. Validate

```sh
tappass observability test --export sentinel-prod
```

Wait about 2 minutes (ingestion delay), then query in Sentinel:

```kql
TapPass_CL
| where TimeGenerated > ago(10m)
| take 20
```

## Event structure
Every event becomes a row with columns derived from JSON keys. The `_s` suffix is Sentinel's string typing; a numeric field would land as `_d` and a boolean as `_b`, and the first record to arrive fixes the type of each column:

| Column | Source field |
|---|---|
| TimeGenerated | timestamp |
| AuditId_s | audit_id |
| EventKind_s | event_kind |
| AgentId_s | agent_id |
| Severity_s | severity |
| PolicyResult_s | policy_result.verdict |
| DetectionsJson_s | JSON of detections array |

The `TimeGenerated` mapping relies on the exporter naming `timestamp` in the API's `time-generated-field` header, and the value must be ISO 8601 (for example `2024-05-01T12:00:00Z`); if either is missing, Sentinel silently falls back to ingestion time, which skews every time-based query. Column names are case-sensitive in KQL.
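The following is an added example, not TapPass's own exporter code. It shows what steps 1 to 3 and the event-structure table above amount to on the wire: the request the HTTP Data Collector API expects (canonical string, HMAC-SHA256 with the base64-decoded shared key, `Log-Type` and `time-generated-field` headers, per Microsoft's published scheme) and, in `shape_event()`, a flattening that reproduces the table's column mapping. The mapping, the sample events, the placeholder workspace ID and the placeholder key are all constructed here; whether TapPass flattens exactly this way is not confirmed by the page. No network call is made, so it runs offline; `verify_authorization()` also makes the trust model concrete: anyone with the key can mint a valid request.

```python
"""Build and verify a signed HTTP Data Collector API request (added example)."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

API_VERSION = "2016-04-01"

# Constructed placeholders, not real credentials: a zero GUID and 32 bytes of 0x01 / 0x02.
SAMPLE_WORKSPACE = "00000000-0000-0000-0000-000000000000"
SAMPLE_KEY = base64.b64encode(b"\x01" * 32).decode("ascii")
WRONG_KEY = base64.b64encode(b"\x02" * 32).decode("ascii")
FIXED_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample events in the shape the table above implies (not real TapPass output).
SAMPLE_EVENTS = [
    {
        "timestamp": "2024-05-01T12:00:00Z",
        "audit_id": "a-0001",
        "event_kind": "policy_block",
        "agent_id": "agent-7",
        "severity": "high",
        "policy_result": {"verdict": "block"},
        "detections": [{"rule": "example-rule", "score": 0.97}],
    },
]


def shape_event(event: dict) -> dict:
    """Flatten one audit event into the keys Sentinel turns into TapPass_CL columns.

    Assumed mapping taken from the table above: string values become <Key>_s,
    the nested verdict is lifted to PolicyResult, and the detections array is
    serialized to one JSON string (DetectionsJson) so it survives as a single column.
    `timestamp` is kept verbatim so it can be named in `time-generated-field`.
    """
    return {
        "timestamp": event["timestamp"],
        "AuditId": event["audit_id"],
        "EventKind": event["event_kind"],
        "AgentId": event["agent_id"],
        "Severity": event["severity"],
        "PolicyResult": event.get("policy_result", {}).get("verdict", ""),
        "DetectionsJson": json.dumps(event.get("detections", []), separators=(",", ":")),
    }


def build_signature(shared_key: str, rfc1123_date: str, content_length: int) -> str:
    """HMAC-SHA256 over the API's canonical string, keyed with the base64-decoded workspace key."""
    string_to_sign = (
        f"POST\n{content_length}\napplication/json\n"
        f"x-ms-date:{rfc1123_date}\n/api/logs"
    )
    digest = hmac.new(
        base64.b64decode(shared_key), string_to_sign.encode("utf-8"), hashlib.sha256
    ).digest()
    return base64.b64encode(digest).decode("ascii")


def build_request(workspace_id: str, shared_key: str, log_type: str, events, now=None):
    """Return (url, headers, body) for one batch. Nothing is sent."""
    now = now or datetime.now(timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps([shape_event(e) for e in events], separators=(",", ":")).encode("utf-8")
    signature = build_signature(shared_key, rfc1123_date, len(body))
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"SharedKey {workspace_id}:{signature}",
        "Log-Type": log_type,                  # table becomes <log_type>_CL
        "x-ms-date": rfc1123_date,
        "time-generated-field": "timestamp",   # without this, TimeGenerated = ingestion time
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version={API_VERSION}"
    return url, headers, body


def verify_authorization(shared_key: str, headers: dict, body: bytes) -> bool:
    """Re-derive the signature the way the service does.

    The date and the body length are the only request-specific inputs, so holding
    the shared key is sufficient to forge audit rows; that is why the key is a secret.
    """
    expected = build_signature(shared_key, headers["x-ms-date"], len(body))
    presented = headers["Authorization"].split(":", 1)[1]
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    url, headers, body = build_request(SAMPLE_WORKSPACE, SAMPLE_KEY, "TapPass", SAMPLE_EVENTS, FIXED_NOW)
    print(url)
    print(headers["Authorization"])
    print("valid with right key:", verify_authorization(SAMPLE_KEY, headers, body))
    print("valid with wrong key:", verify_authorization(WRONG_KEY, headers, body))
```

To send the batch for real, POST `body` with `headers` to `url`; a 200 with an empty body means accepted, and the rows appear in `TapPass_CL` after the ingestion delay noted above.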
## Analytic rules

Example: alert when more than 5 policy blocks hit a single agent in 5 minutes:

```kql
TapPass_CL
| where EventKind_s == "policy_block"
| summarize Blocks = count() by AgentId_s, bin(TimeGenerated, 5m)
| where Blocks > 5
```

Turn this into a scheduled Sentinel analytic rule for automatic incident creation. Two things to get right when you do: set the lookback so each 5-minute bin is queried after it is complete and after the ingestion delay (for example run every 5 minutes over the last 15 minutes), and remember that `bin()` is a fixed window, not a sliding one, so six blocks that straddle a boundary are counted as 3 and 3 and never fire. Map `AgentId_s` to an entity in the rule so incidents group per agent.
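To see exactly which windows the rule above would fire on before you schedule it, here is the same logic run offline over constructed rows. This is an added example, not part of the TapPass docs: `policy_block_bursts()` reproduces the KQL (`bin(TimeGenerated, 5m)` is an epoch-aligned floor, `Blocks > 5` is strictly greater), and `sliding_bursts()` goes one step beyond the page to show a sliding-window variant that catches the burst `bin()` splits. The agent names, timestamps and row shape are all constructed for the example.

```python
"""Offline replay of the policy-block analytic (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)
THRESHOLD = 5          # rule fires on strictly more than this many blocks
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

BASE = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed reference time
BIN_1200 = BASE
BIN_1205 = BASE + WINDOW


def bin_start(ts: datetime, size: timedelta = WINDOW) -> datetime:
    """KQL bin(): floor the timestamp to the nearest window boundary, aligned to the epoch."""
    return EPOCH + ((ts - EPOCH) // size) * size


def policy_block_bursts(rows, threshold: int = THRESHOLD, size: timedelta = WINDOW) -> dict:
    """Mirror of the KQL: {(AgentId_s, bin start): Blocks} for bins where Blocks > threshold."""
    counts = Counter()
    for row in rows:
        if row["EventKind_s"] != "policy_block":      # the `where EventKind_s == ...` filter
            continue
        counts[(row["AgentId_s"], bin_start(row["TimeGenerated"], size))] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def sliding_bursts(rows, threshold: int = THRESHOLD, size: timedelta = WINDOW) -> dict:
    """Sliding-window variant: {AgentId_s: max blocks in any span shorter than `size`}.

    Catches bursts that fixed bins split. In KQL this needs a self-join or a
    wider bin with a longer lookback; it is shown here so the gap is visible.
    """
    by_agent = {}
    for row in rows:
        if row["EventKind_s"] == "policy_block":
            by_agent.setdefault(row["AgentId_s"], []).append(row["TimeGenerated"])
    hits = {}
    for agent, times in by_agent.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] >= size:       # drop events that fell out of the span
                start += 1
            span = end - start + 1
            if span > threshold:
                hits[agent] = max(hits.get(agent, 0), span)
    return hits


def _row(agent: str, offset_seconds: int, kind: str = "policy_block") -> dict:
    """Constructed TapPass_CL row, using the column names from the table above."""
    return {
        "TimeGenerated": BASE + timedelta(seconds=offset_seconds),
        "AgentId_s": agent,
        "EventKind_s": kind,
    }


# Constructed rows:
#   agent-7: 6 blocks inside 12:00-12:05 (fires), plus one policy_allow that must not count.
#   agent-9: 6 blocks every 50 s from 12:03:00 to 12:07:10, split 3/3 across the 12:05
#            boundary, so the fixed-bin rule never fires although the sliding window does.
SAMPLE_ROWS = (
    [_row("agent-7", 10 * i) for i in range(6)]
    + [_row("agent-7", 60, kind="policy_allow")]
    + [_row("agent-9", 180 + 50 * i) for i in range(6)]
)


if __name__ == "__main__":
    for (agent, start), n in policy_block_bursts(SAMPLE_ROWS).items():
        print(f"bin   {start:%H:%M} {agent}: {n} blocks")
    for agent, n in sliding_bursts(SAMPLE_ROWS).items():
        print(f"slide {agent}: {n} blocks in under 5 minutes")
```

Lowering `THRESHOLD` or widening `WINDOW` and re-running over the same rows is a quick way to tune the rule against a sample of real exports before it creates incidents.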
## Retention

Use Sentinel's standard table retention (workspace default 30 days; interactive retention can be raised to 2 years). TapPass's own audit trail retention is independent and is the durable record of truth; Sentinel is there for investigation speed, so do not treat `TapPass_CL` as the archive.