Microsoft Sentinel & ThreatLocker Detect

5 min. readlast update: 05.28.2025

Table of Contents

Note: Although this document utilizes Microsoft Sentinel’s API, the bearer token functionality in Threatlocker Detect can be used for any REST API that implements OAuth 2.0.

This document will demonstrate the process for using ThreatLocker Detect to call a rest API for Microsoft Sentinel. 

To start, we assume a proper Microsoft Sentinel setup. You can consult the following article from Microsoft for assistance:

Quickstart: Onboard to Microsoft Sentinel | Microsoft Learn

Some Highlights from Microsoft's documentation are: 

Prerequisites 

  • Active Azure Subscription. 

  • Log Analytics workspace. 

Permissions 

  • To enable Microsoft Sentinel, you need contributor permissions to the subscription in which the Microsoft Sentinel workspace resides. 

  • To use Microsoft Sentinel, you need either Microsoft Sentinel Contributor or Microsoft Sentinel Reader permissions on the resource group that the workspace belongs to. 

  • To install or manage solutions in the content hub, you need the Microsoft Sentinel Contributor role on the resource group that the workspace belongs to. 

Next, consult the Microsoft documentation here to construct the API URL: 

Logs Ingestion API in Azure Monitor - Azure Monitor | Microsoft Learn

This Microsoft documentation lists the Header details and format of the JSON Body as shown below: 

Header 

Required? 

Description 

Authorization 

Yes 

Bearer token obtained through the client credentials flow. Use the token audience value for your cloud: 
 
Azure public cloud - https://monitor.azure.com 
Microsoft Azure operated by 21Vianet cloud - https://monitor.azure.cn 
Azure US Government cloud - https://monitor.azure.us 

Content-Type 

Yes 

application/json 

Content-Encoding 

No 

gzip 

x-ms-client-request-id 

No 

String-formatted GUID. This is a request ID that can be used by Microsoft for any troubleshooting purposes. 

 

An Example Body JSON as provided by Microsoft: 

[
{
    "TimeGenerated": "2023-11-14 15:10:02",
    "Column01": "Value01",
    "Column02": "Value02"
}

Constructing the API URL for the Detect Policy Action 

First, we want to obtain the format for the URL that this api call will use. For example:

{Endpoint}/dataCollectionRules/{DCR Immutable ID}/streams/{Stream Name}?api-version=2023-01-01 

  • The endpoint variable is the logs ingestion URL from the Overview page of your Data Collection Endpoint (DCE). For example, in our test tenant, it appeared in the following format:

https://{DCE Name}-xl7k.eastus-1.ingest.monitor.azure.com 

  • The DCR Immutable ID can be found in your Data Collection Rule (DCR) overview page. Ours followed the format of {dcr-GUID}. 
  • The Stream Name variable is also found on the DCR overview page, but you must select 'JSON view' and scroll down to see it. It is called “streams” and is surrounded by square brackets [ ] and quotes.

Obtaining a Bearer Token for Authorization 

Additionally, you will need a bearer token for authorization. To obtain this, you will need an entirely new rest API call. For this, please consult the Microsoft documentation below: 

The items you will need to make a call for a bearer token successfully are: 

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

  • Client_id: This is the application ID, which can be found in the Microsoft Entra Admin Center under Applications > App registrations and selecting the overview page for your app registration.

  • Scope: This is the URI of the resource you will call with the token with .default added to the end. For posting logs, it would be the following:

https://monitor.azure.com/.default

For deleting logs, it would be the following:

https://management.azure.com/.default

  • Grant_type: This must be set to 'client_credentials' for use with an app secret. 

At this point, all the information needed to make the two API calls required to post log information to Microsoft Sentinel is collected.

IMPORTANT: It is highly recommended that the calls be tested before using them in ThreatLocker Detect with an API application such as Postman or Talend. To do so, follow the instructions below: 

  • Per the OAuth 2.0 specification, the returned string should be placed in the authorization parameter of the header of our next API POST call, preceded by the work Bearer and a space.

Picture 

  • The body of this call will be the custom schema of your custom table in the Log Analytics workspace. It must also be surrounded by square brackets [ ]. If all goes well, you should receive a 204 response with no further content. 

Picture 

Unfortunately, this does not mean it worked. You must check the Log Analytic workspace to see if the log was processed. You can either navigate to the Log Analytic workspace or check the entry circled below from the Microsoft Sentinel Overview page. 

Picture

This should bring up a query showing recent log entries, for example:

Picture 

Once we are sure our API calls are working as expected, we can build the ThreatLocker Detect Policy. The following is an example: 

Picture 

Note: The text here needs to be exact, including newline characters, or it will fail. 

The second action is an alert to assist with debugging. This is especially true if you are passing variables into the bodies of the calls.

Picture 

Save and deploy your policies, activate the condition, and you should see logs in your Log Analytics workspace. Please note that there may be a slight delay of about 30 seconds.

Picture 

In addition, if you set up the second action, you will see the alert in the Response Center. 

Picture

Was this article helpful?