# Feed events to Microsoft Sentinel

You can feed data to Microsoft Sentinel via the [Mosaic Data Connector](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/transmitsecurity.microsoft-sentinel-solution-transmitsecurity?tab=Overview). This plugin helps you keep track of activity by polling the [Event streaming API](/openapi/risk/activities.openapi).

## Step 1: Configure a management app

In your Mosaic tenant, [configure a management app](/guides/user/management_apps). Give the app a suitable name, for example, `MyAzureSentinelLogStream`.

Note
After saving the management app, open it again and note the **Client ID** and **Client Secret** values. You’ll need these parameters to configure the Azure Sentinel Solution.

## Step 2: Create event streams

Before you can start feeding events to Sentinel, you have to create event streams in Mosaic. You can create as many event streams as needed.

1. In the Admin Portal, navigate to **Events streaming** and select **Create stream**.
2. Complete the stream configuration by providing the stream identifier, event type to collect, and batch size. Set the stream destination to **Sentinel**. For more details, see [About events streaming](/guides/user/platform/activities_streaming#stream-settings).
3. Obtain the request URL by clicking ![](/assets/action_icon.1ecac3af0cbb5a99cfdd0e9a3a7067f9df88a26acab052d3eced16c35ad4626a.9c1bb791.svg) next to the stream name and then **Copy URL**.


## Step 3: Install the solution

1. Log in to the Azure Portal.
2. Navigate to **Microsoft Sentinel** within your resource group.
3. Go to the **Content Hub** and search for the **Mosaic Data Connector**.
4. Select the solution and click **Install**.


![](/assets/sentinel-data-connector.27e5a8a2e3924859e98d98f8e643a6d302e0ac6ba8da0a4ffe0a152d1ebae9b7.de26799e.png)

## Step 4: Configure the connector

1. Open **Microsoft Sentinel** in your Azure Portal.
2. Navigate to **Data Connectors** and find **Mosaic Security Connector (using Azure Functions)**.
3. Click **Open connector page** to begin configuration.
4. Follow the provided guide to complete the setup.


![](/assets/sentinel-data-connector_02.174f4ed18bfc9f3883b9d37720f85e89e43f4aa11cf07dd54c61cac4b482cbeb.de26799e.png)

## Step 5: Deploy the connector

Choose one of the following deployment options:

- [Automated](#option-1-automated)
- [Manual](#option-2-manual)


### Option 1: Automated

**Deploy using Azure Resource Manager (ARM) template**

Use this method for automated deployment of the Mosaic connector.

1. Click **Deploy to Azure**.
2. Select the appropriate **Subscription**, **Resource Group**, and **Location**.
3. Ensure that the **Resource Group** doesn't contain any existing Windows apps if deploying in the same region.
4. Provide the following parameters:
  * **TransmitSecurityClientID**: Client ID acquired in [Step 1](#step-1-configure-a-management-app)
  * **TransmitSecurityClientSecret**: Client Secret acquired in [Step 1](#step-1-configure-a-management-app)
  * **TransmitSecurityUserActivityEndpoint**: Provide the URL you obtained upon creating a stream in Mosaic. For example, `https://api.transmitsecurity.io/activities/v1/activities/collect?type=cis&stream_id=12345&batch_size=50`.
  * **TransmitSecurityAdminActivityEndpoint**: Provide the URL you obtained upon creating a stream in Mosaic. For example, `https://api.transmitsecurity.io/activities/v1/activities/collect?type=admin&stream_id=54321&batch_size=50`.
  * **logAnalyticsUri**: Obtained from **Log Analytics Workspace > Properties**
5. Agree to the terms and conditions, then select **Create to deploy**.


Note
If you are interested in collecting all platform events, you'll have to set up several connectors as you can only feed events from two streams to each connector.

### Option 2: Manual

**Deploy with Azure Functions**

Follow these steps for a manual deployment via Visual Studio Code.

**1. Deploy a Function App**

1. Make sure VS Code is installed and running.
2. Download and extract the **Azure Function App** file to your local computer.
3. In VS Code, open the extracted folder.
4. In the **Activity Bar**, select the **Azure** icon, then click **Deploy to Function App**.
5. If not signed in, sign in to Azure.
6. Provide the required information:
  * **Select Folder**: Choose the folder containing your Function App.
  * **Select Subscription**: Choose your Azure subscription.
  * **Function App Name**: Enter a globally unique name.
  * **Runtime**: Choose Python 3.8.
  * **Location**: Select the same region as your Microsoft Sentinel for better performance.


After completing these steps, deployment will begin, and you’ll be notified once it’s done.

**2. Configure the Function App**

1. In the Azure Portal, navigate to your Function App.
2. Select **Configuration** under your Function App Name.
3. Add the following environment variables with their respective values:
  * **TransmitSecurityClientID**: Client ID acquired in [Step 1](#step-1-configure-a-management-app)
  * **TransmitSecurityClientSecret**: Client Secret acquired in [Step 1](#step-1-configure-a-management-app)
  * **TransmitSecurityUserActivityEndpoint**: Provide the URL you obtained upon creating a stream in Mosaic. For example, `https://api.transmitsecurity.io/activities/v1/activities/collect?type=cis&stream_id=12345&batch_size=50`.
  * **TransmitSecurityAdminActivityEndpoint**: Provide the URL you obtained upon creating a stream in Mosaic. For example, `https://api.transmitsecurity.io/activities/v1/activities/collect?type=admin&stream_id=54321&batch_size=50`.
  * **TransmitSecurityTokenEndpoint**: `https://api.transmitsecurity.io/oidc/token` (use `api.eu.transmitsecurity.io` for the EU and `api.ca.transmitsecurity.io` for Canada).
  * **WorkspaceID**: Obtained in [Step 4](#step-4-configure-the-connector) from the Data Connector page
  * **WorkspaceKey**: Obtained in [Step 4](#step-4-configure-the-connector) from the Data Connector page
  * **logAnalyticsUri** (optional for dedicated cloud environments): Obtained from **Log Analytics Workspace > Properties**
4. Click **Apply** to save the settings.


Note
If you are interested in collecting all platform events (cis, verify, risk, and admin), you'll have to set up several connectors as you can only feed events from two streams to each connector.
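A preflight check for the settings listed above, as an added example that is not part of the connector or of the vendor's code: it parses the token endpoint and the two stream URLs and reports inconsistencies before the Function App starts polling. The name `check_settings`, the rule that all three URLs share one regional host, and the mapping of stream types to settings are assumptions drawn from the example URLs on this page; the sample values are constructed.

```python
from urllib.parse import parse_qs, urlparse

# Hosts this page names for the token endpoint (default, EU, Canada).
KNOWN_HOSTS = {f"api.{r}transmitsecurity.io" for r in ("", "eu.", "ca.")}
# Assumptions: stream types per setting, and one regional host for all three URLs.
EXPECTED_TYPES = {
    "TransmitSecurityUserActivityEndpoint": {"cis", "verify", "risk"},
    "TransmitSecurityAdminActivityEndpoint": {"admin"},
}
REQUIRED = ["TransmitSecurityClientID", "TransmitSecurityClientSecret", "WorkspaceID",
            "WorkspaceKey", "TransmitSecurityTokenEndpoint", *EXPECTED_TYPES]


def check_settings(settings):
    """Return a list of problems found in the settings; empty means consistent."""
    problems = []
    for name in REQUIRED:
        value = settings.get(name, "")
        if not value or value != value.strip():
            problems.append(f"{name}: missing, empty, or padded with whitespace")
    token = urlparse(settings.get("TransmitSecurityTokenEndpoint", ""))
    if token.scheme != "https" or token.hostname not in KNOWN_HOSTS:
        problems.append("TransmitSecurityTokenEndpoint: not https on a known API host")
    for name, allowed in EXPECTED_TYPES.items():
        url = urlparse(settings.get(name, ""))
        query = parse_qs(url.query)
        if url.scheme != "https" or url.hostname != token.hostname:
            problems.append(f"{name}: not https or host differs from token endpoint")
        for param in ("type", "stream_id", "batch_size"):
            if len(query.get(param, [])) != 1:
                problems.append(f"{name}: query parameter {param!r} missing or repeated")
        stream_type = query.get("type", [""])[0]
        if stream_type and stream_type not in allowed:
            problems.append(f"{name}: unexpected stream type {stream_type!r}")
    return problems


# Constructed sample: placeholder credentials, a region mismatch and a wrong stream type.
SAMPLE = {
    "TransmitSecurityClientID": "example-client-id",
    "TransmitSecurityClientSecret": "example-client-secret",
    "TransmitSecurityTokenEndpoint": "https://api.eu.transmitsecurity.io/oidc/token",
    "TransmitSecurityUserActivityEndpoint": "https://api.transmitsecurity.io/activities/v1/activities/collect?type=cis&stream_id=12345&batch_size=50",
    "TransmitSecurityAdminActivityEndpoint": "https://api.eu.transmitsecurity.io/activities/v1/activities/collect?type=cis&stream_id=54321&batch_size=50",
    "WorkspaceID": "00000000-0000-0000-0000-000000000000",
    "WorkspaceKey": "example-workspace-key",
}
if __name__ == "__main__":
    print("\n".join(check_settings(SAMPLE)) or "settings look consistent")
```

Run it against the values you are about to paste into the Function App configuration; keep the real Client Secret and Workspace Key out of any file you commit.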

## Step 6: Check the operation

1. Go to **Log Analytics** in your Azure Portal.
2. Run the following queries to check for ingested data:

```kusto
// Run each query on its own; the blank line keeps them as separate statements.
TransmitSecurityAdminActivity_CL | where TimeGenerated > ago(1h)

TransmitSecurityUserActivity_CL | where TimeGenerated > ago(1h)
```

Troubleshooting
If no logs are found, ensure the Data Connector is configured correctly and that the Client ID and Client Secret values are accurate. You can also inspect the Azure Functions invocation logs for errors.