Skip to main content
This guide walks you through connecting your Microsoft Sentinel (Azure Log Analytics) environment to TruU TOTAL for persona generation and threat detection.

Overview

TOTAL ingests security event data from your Microsoft Sentinel workspace via the Azure Monitor Logs API. We poll your Log Analytics tables using KQL (Kusto Query Language) on a configurable interval to collect, normalize, and correlate events across your environment.

Prerequisites

  • Azure Active Directory (Entra ID) access with permission to create App Registrations
  • Microsoft Sentinel or a Log Analytics workspace with data flowing into it
  • Reader or Log Analytics Reader role on the target workspace
  • Approximately 15 minutes to complete setup

Step 1: Locate Your Log Analytics Workspace

  1. Sign in to the Azure Portal
  2. Navigate to Microsoft Sentinel (or Log Analytics workspaces)
  3. Select your workspace
  4. In the Overview pane, copy the Workspace ID and paste it into the TruU Portal
The Workspace ID is a GUID that looks like 07bdbc78-aaef-410a-a8d9-aa2f54a8c5b0.

Step 2: Register an Application in Entra ID

TOTAL authenticates to your workspace using an Entra ID (Azure AD) service principal. You’ll create a dedicated App Registration for this.
  1. In the Azure Portal, navigate to Microsoft Entra IDApp registrations
  2. Click New registration
  3. Enter:
    • Name: TruU TOTAL - Log Analytics Reader
    • Supported account types: Accounts in this organizational directory only
    • Redirect URI: Leave blank
  4. Click Register
  5. On the app’s Overview page, copy:
    • Application (client) ID
    • Directory (tenant) ID
  6. Paste the Client ID and Tenant ID into the TruU Portal

Step 3: Create a Client Secret

  1. In your new App Registration, go to Certificates & secrets
  2. Click New client secret
  3. Enter:
    • Description: TOTAL integration
    • Expires: Choose your organization’s preferred expiry
  4. Click Add
  5. Immediately copy the secret Value — it will only be shown once
  6. Paste the Client Secret value into the TruU Portal

Step 4: Grant Workspace Permissions

The App Registration needs read access to your Log Analytics workspace.
  1. Navigate to your Log Analytics workspace in the Azure Portal
  2. Go to Access control (IAM)
  3. Click AddAdd role assignment
  4. Select the Log Analytics Reader role
  5. Under Members, click Select members and search for TruU TOTAL - Log Analytics Reader
  6. Select it and click Review + assign
Log Analytics Reader is a read-only role. It cannot modify workspace configuration, create alerts, or write data.

Step 6: Custom Tables

If you have custom Log Analytics tables (e.g., tables ending in _CL) or want to ingest data from a table not in the predefined list above, TOTAL supports custom table mapping. The purpose of custom table mapping is to define the field mappings between your integration’s data and the TOTAL Event Schema — so TOTAL knows what data is coming into the data layer from these tables. Specifically, TOTAL needs to understand:
  • Column names and paths — which columns (and nested JSON paths within those columns) correspond to core TOTAL fields like user ID, timestamp, IP address, device, and status
  • Categorical values — what distinct values exist in fields like status, action type, or severity, and how they map to TOTAL’s normalized categories
  • Event type classification — how records in your table should be categorized into TOTAL event types (authentication, endpoint, admin, alert, etc.)

How It Works

The Custom Log Mapping interface in the TruU portal will guide you through a series of KQL queries against your Sentinel workspace to discover your table’s schema, sample data, and distinct field values. Using that information, the interface walks you through mapping your custom events to TOTAL events by event type. Follow the instructions in the console to complete the mapping — no manual configuration files are needed.

Security & Privacy

What We Access

  • Read-only access to Log Analytics data via the Azure Monitor Logs API
  • Queries are scoped to the specific tables you authorize
  • All queries use TimeGenerated filtering — we only fetch new data since the last poll
  • If configured, TOTAL will run a historical data pull on initial setup to seed user personas before live monitoring begins

What We Don’t Have Access To

  • Write access to your workspace
  • Ability to create, modify, or delete alerts, rules, or workbooks
  • Access to Azure resource management APIs
  • Access to tables you haven’t authorized

Updating or Rotating Credentials

  1. In Azure Portal, go to Entra IDApp registrationsTruU TOTAL - Log Analytics Reader
  2. Go to Certificates & secrets
  3. Click New client secret (create the new one before deleting the old one)
  4. Copy the new secret value
  5. Paste the new secret in the Sentinel section in the TruU Portal
  6. After TOTAL confirms the new secret is active, delete the old secret

Revoke Access

To immediately remove TOTAL’s access:
  1. Option A — Disable in the TruU portal:
    • Go to the TruU Portal → Settings → Connectors
    • Find the Sentinel connector and click Disable
  2. Option B — Remove the role assignment:
    • Go to your Log Analytics workspace → Access control (IAM)
    • Find the TruU TOTAL - Log Analytics Reader assignment and click Remove
  3. Option C — Delete the App Registration:
    • Go to Entra IDApp registrationsTruU TOTAL - Log Analytics Reader
    • Click Delete