{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"type":"markdown"},"seo":{"title":"Microsoft Sentinel Integration","description":"Control the power of AI Agents in runtime.","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"microsoft-sentinel-integration","__idx":0},"children":["Microsoft Sentinel Integration"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Forward Capsule Security alerts into Microsoft Sentinel so your SOC can triage AI agent and shadow-AI signals alongside the rest of your security telemetry."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"overview","__idx":1},"children":["Overview"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Unlike Capsule's discovery integrations, this is an ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["outbound"]}," integration: Capsule sends policy-violation alerts ",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["into"]}," your Microsoft Sentinel workspace rather than reading data out of it. Delivery uses the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Azure Monitor Logs Ingestion API"]},", writing each alert as a row in a custom Log Analytics table (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["CapsuleAlert_CL"]},") on your Sentinel-enabled workspace. From there, your existing Sentinel analytics rules and incident workflows can act on Capsule alerts."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Capsule authenticates as an approved ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Microsoft Entra ID"]}," application using the client-credentials flow. The application is granted a single, narrowly scoped Azure role on the data collection rule — it cannot read your workspace, query data, or access anything else in your tenant."]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"header":{"controls":{"copy":{}}},"source":"Capsule policy violation\n  → Capsule sends to your Data Collection Endpoint\n  → Data Collection Rule routes the record\n  → CapsuleAlert_CL table in your Log Analytics workspace\n  → Microsoft Sentinel analytics rules / incidents\n"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"prerequisites","__idx":2},"children":["Prerequisites"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Before you begin, ensure you have:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Microsoft Sentinel"]}," enabled on a Log Analytics workspace"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Azure permissions to create a Data Collection Endpoint, a Data Collection Rule, and a custom table — typically ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Monitoring Contributor"]}," (or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Contributor"]},") on the resource group"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The ability to assign Azure RBAC roles on the data collection rule — ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["User Access Administrator"]}," or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Owner"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Microsoft Entra ID"]}," account with ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Application Administrator"]}," or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Global Administrator"]}," role (to grant admin consent to the Capsule application)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Capsule Security"]}," account with admin access"]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-1-create-the-custom-table","__idx":3},"children":["Step 1: Create the Custom Table"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In your Sentinel-enabled Log Analytics workspace, create a custom table named ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["CapsuleAlert_CL"]}," with the schema below. The Logs Ingestion API requires a ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["TimeGenerated"]}," column of type ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["datetime"]},"."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Column"},"children":["Column"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Type"},"children":["Type"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["TimeGenerated"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["datetime"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["When the violation occurred"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Title"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["string"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Alert title"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Description"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["string"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Alert detail"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Severity"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["string"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Informational"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Low"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Medium"]},", or ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["High"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["PolicyName"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["string"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The Capsule policy that triggered the alert"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["EntityName"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["string"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The affected agent or resource"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["SourceUrl"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["string"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Deep link back into the Capsule portal"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["TenantId"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["string"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Your Capsule tenant identifier"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["PolicyId"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["string"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Capsule policy identifier"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["EntityId"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["string"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Capsule entity identifier"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["IssueId"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["string"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Capsule issue identifier"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["AdditionalContext"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["dynamic"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Remaining alert metadata as JSON"]}]}]}]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-2-create-a-data-collection-endpoint","__idx":4},"children":["Step 2: Create a Data Collection Endpoint"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Create a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Data Collection Endpoint (DCE)"]}," in the same region as your workspace. After creation, record its ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Logs Ingestion URI"]}," — Capsule sends alerts to this address."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-3-create-a-data-collection-rule","__idx":5},"children":["Step 3: Create a Data Collection Rule"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Create a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Data Collection Rule (DCR)"]}," that validates incoming alerts and routes them to the custom table."]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Associate the DCR with the endpoint from Step 2."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Define an input stream named ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Custom-CapsuleAlert_CL"]}]}," using the schema from Step 1."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Set the destination to your Log Analytics workspace, output table ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["CapsuleAlert_CL"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A pass-through transformation (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["source"]},") is sufficient unless you want to reshape rows."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After creation, record the DCR's ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["immutable ID"]}," (for example, ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["dcr-xxxxxxxxxxxxxxxx"]},")."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-4-grant-admin-consent-and-assign-permissions","__idx":6},"children":["Step 4: Grant Admin Consent and Assign Permissions"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Authorize the Capsule application and grant it the single role it needs to publish alerts."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"grant-admin-consent","__idx":7},"children":["Grant admin consent"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Sign in with your Microsoft Entra ID account that has the required administrator role (see Prerequisites)."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Review the access requested by the Capsule application."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Accept"]}," to grant admin consent for your organization. This creates the Capsule application's service principal in your tenant."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"assign-the-publishing-role","__idx":8},"children":["Assign the publishing role"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Assign the following Azure RBAC role to the Capsule application's service principal, scoped to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["data collection rule"]}," from Step 3:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Role"},"children":["Role"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Role definition ID"},"children":["Role definition ID"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Scope"},"children":["Scope"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Monitoring Metrics Publisher"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["3913510d-42f4-4e42-8a64-420c390055eb"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The data collection rule (DCR)"]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This is the only permission Capsule requires:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["No Microsoft Graph permissions are needed."]}," Log ingestion uses the Azure Monitor data plane (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["https://monitor.azure.com"]},"), not Microsoft Graph — so the application requests no mailbox, directory, or device permissions."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Scope the role to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["DCR"]},", not the subscription. Following least privilege, the Monitoring Metrics Publisher role only allows Capsule to publish records through that rule; it cannot read your workspace or query any data."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Allow a few minutes for the role assignment to propagate before testing."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-5-configure-the-integration-in-capsule","__idx":9},"children":["Step 5: Configure the Integration in Capsule"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Log in to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Capsule Security"]}," portal."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Go to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings > Notifications"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Find ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Microsoft Sentinel"]}," and click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Set up"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Enter the connection values:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Where it comes from"},"children":["Where it comes from"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Data Collection Endpoint URI"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["DCE Logs Ingestion URI (Step 2)"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["DCR immutable ID"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["DCR immutable ID (Step 3)"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Stream name"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Custom-CapsuleAlert_CL"]}," (Step 3)"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Test Connection"]},". Capsule posts a synthetic record to the stream; success confirms the endpoint, rule, stream, and role assignment are all correct."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Link the Sentinel destination to the policies whose violations you want forwarded."]}]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"after-setup","__idx":10},"children":["After Setup"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Once configured, Capsule forwards alerts for linked policies as they occur. To confirm records are arriving, run this query in your workspace:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"kql","header":{"controls":{"copy":{}}},"source":"CapsuleAlert_CL\n| sort by TimeGenerated desc\n| take 20\n","lang":"kql"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Ingestion latency is typically a few minutes for a newly created custom table. From here, build Sentinel analytics rules on ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["CapsuleAlert_CL"]}," to raise incidents from Capsule alerts."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"troubleshooting","__idx":11},"children":["Troubleshooting"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"common-issues","__idx":12},"children":["Common Issues"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["403 Forbidden"]}," when sending alerts"]}]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The Monitoring Metrics Publisher role is not assigned to the Capsule service principal on this DCR, or the assignment hasn't propagated yet."]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["404 Not Found"]}," when sending alerts"]}]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The DCR immutable ID or stream name is incorrect, or the DCR isn't associated with the data collection endpoint."]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["401 Unauthorized"]}]}]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Confirm admin consent was granted so the Capsule service principal exists in your tenant."]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Test passes, but no rows appear in ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["CapsuleAlert_CL"]}]}]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The stream schema doesn't match the table columns, or the DCR transformation is dropping rows. Review the DCR transform and the table schema from Step 1."]}]}]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"support","__idx":13},"children":["Support"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For help with this integration:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Email"]},": support@capsule.security"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Include"]},": Your organization ID, Entra tenant ID, Log Analytics workspace ID, and any error messages"]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"references","__idx":14},"children":["References"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview"},"children":["Logs Ingestion API in Azure Monitor"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-endpoint-overview"},"children":["Data collection endpoints"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview"},"children":["Data collection rules"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#monitoring-metrics-publisher"},"children":["Monitoring Metrics Publisher built-in role"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent"},"children":["Grant admin consent to applications"]}]}]}]},"headings":[{"value":"Microsoft Sentinel Integration","id":"microsoft-sentinel-integration","depth":1},{"value":"Overview","id":"overview","depth":2},{"value":"Prerequisites","id":"prerequisites","depth":2},{"value":"Step 1: Create the Custom Table","id":"step-1-create-the-custom-table","depth":2},{"value":"Step 2: Create a Data Collection Endpoint","id":"step-2-create-a-data-collection-endpoint","depth":2},{"value":"Step 3: Create a Data Collection Rule","id":"step-3-create-a-data-collection-rule","depth":2},{"value":"Step 4: Grant Admin Consent and Assign Permissions","id":"step-4-grant-admin-consent-and-assign-permissions","depth":2},{"value":"Grant admin consent","id":"grant-admin-consent","depth":3},{"value":"Assign the publishing role","id":"assign-the-publishing-role","depth":3},{"value":"Step 5: Configure the Integration in Capsule","id":"step-5-configure-the-integration-in-capsule","depth":2},{"value":"After Setup","id":"after-setup","depth":2},{"value":"Troubleshooting","id":"troubleshooting","depth":2},{"value":"Common Issues","id":"common-issues","depth":3},{"value":"Support","id":"support","depth":2},{"value":"References","id":"references","depth":2}],"frontmatter":{"seo":{"title":"Microsoft Sentinel Integration"}},"lastModified":"2026-06-09T21:38:37.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/microsoft-sentinel","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}