# Microsoft Sentinel

This guide walks you through connecting your Microsoft Sentinel (Azure Log Analytics) environment to TruU TOTAL for persona generation and threat detection.

***

## Overview

TOTAL ingests security event data from your Microsoft Sentinel workspace via the Azure Monitor Logs API. We poll your Log Analytics tables using KQL (Kusto Query Language) on a configurable interval to collect, normalize, and correlate events across your environment.

***

## Prerequisites

* **Azure Active Directory** (Entra ID) access with permission to create App Registrations
* **Microsoft Sentinel** or a **Log Analytics workspace** with data flowing into it
* **Reader** or **Log Analytics Reader** role on the target workspace
* Approximately **15 minutes** to complete setup

***

## Step 1: Locate Your Log Analytics Workspace

1. Sign in to the [Azure Portal](https://portal.azure.com)
2. Navigate to **Microsoft Sentinel** (or **Log Analytics workspaces**)
3. Select your workspace
4. In the **Overview** pane, copy the **Workspace ID** and paste it into the TruU Portal

> The Workspace ID is a GUID that looks like `07bdbc78-aaef-410a-a8d9-aa2f54a8c5b0`.

***

## Step 2: Register an Application in Entra ID

TOTAL authenticates to your workspace using an Entra ID (Azure AD) service principal. You'll create a dedicated App Registration for this.

1. In the Azure Portal, navigate to **Microsoft Entra ID** → **App registrations**
2. Click **New registration**
3. Enter:
   * **Name**: `TruU TOTAL - Log Analytics Reader`
   * **Supported account types**: *Accounts in this organizational directory only*
   * **Redirect URI**: Leave blank
4. Click **Register**
5. On the app's **Overview** page, copy:
   * **Application (client) ID**
   * **Directory (tenant) ID**
6. Paste the Client ID and Tenant ID into the TruU Portal

***

## Step 3: Create a Client Secret

1. In your new App Registration, go to **Certificates & secrets**
2. Click **New client secret**
3. Enter:
   * **Description**: `TOTAL integration`
   * **Expires**: Choose your organization's preferred expiry
4. Click **Add**
5. Immediately copy the secret **Value** — it will only be shown once
6. Paste the Client Secret value into the TruU Portal

***

## Step 4: Grant Workspace Permissions

The App Registration needs read access to your Log Analytics workspace.

1. Navigate to your **Log Analytics workspace** in the Azure Portal
2. Go to **Access control (IAM)**
3. Click **Add** → **Add role assignment**
4. Select the **Log Analytics Reader** role
5. Under **Members**, click **Select members** and search for `TruU TOTAL - Log Analytics Reader`
6. Select it and click **Review + assign**

> **Log Analytics Reader** is a read-only role. It cannot modify workspace configuration, create alerts, or write data.

***

## Step 5: Custom Tables

If you have custom Log Analytics tables (e.g., tables ending in `_CL`) or want to ingest data from a table not in the predefined list above, TOTAL supports custom table mapping.

The purpose of custom table mapping is to define the **field mappings between your integration's data and the TOTAL Event Schema** — so TOTAL knows what data is coming into the data layer from these tables. Specifically, TOTAL needs to understand:

* **Column names and paths** — which columns (and nested JSON paths within those columns) correspond to core TOTAL fields like user ID, timestamp, IP address, device, and status
* **Categorical values** — what distinct values exist in fields like status, action type, or severity, and how they map to TOTAL's normalized categories
* **Event type classification** — how records in your table should be categorized into TOTAL event types (authentication, endpoint, admin, alert, etc.)

### How It Works

The **Custom Log Mapping** interface in the TruU portal will guide you through a series of KQL queries against your Sentinel workspace to discover your table's schema, sample data, and distinct field values. Using that information, the interface walks you through mapping your custom events to TOTAL events by event type.

Follow the instructions in the console to complete the mapping — no manual configuration files are needed.

***

## Security & Privacy

### What We Access

* **Read-only access** to Log Analytics data via the Azure Monitor Logs API
* Queries are scoped to the specific tables you authorize
* All queries use `TimeGenerated` filtering — we only fetch new data since the last poll
* If configured, TOTAL will run a historical data pull on initial setup to seed user personas before live monitoring begins
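
As an added illustration of the polling model described above (example code, not TruU's own implementation): a minimal client that authenticates with the Step 2/3 app registration through the client-credentials grant, builds a `TimeGenerated`-filtered KQL query for one poll against an authorized table, and advances the watermark so the next poll only fetches newer rows. The two URLs are the public Entra ID token and Azure Monitor Logs endpoints; the function names, the `limit` default and the table-name check are assumptions.

```python
import datetime as dt
import json
import re
import urllib.parse
import urllib.request

LOGIN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
LOGS_URL = "https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"
TABLE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # built-in tables and *_CL

def build_poll_query(table, since, limit=1000):
    """KQL for one incremental poll: only rows newer than the last watermark."""
    if not TABLE_NAME.match(table):
        raise ValueError(f"refusing table name {table!r}")  # never splice raw input into KQL
    stamp = since.astimezone(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return (f"{table} | where TimeGenerated > datetime({stamp}) "
            f"| order by TimeGenerated asc | take {int(limit)}")

def parse_ts(value):
    """Logs API emits e.g. 2024-05-01T12:00:00.1234567Z; trim to microseconds."""
    m = re.match(r"(.*?)(\.\d+)?Z$", value)
    return dt.datetime.fromisoformat(m.group(1) + (m.group(2) or "")[:7] + "+00:00")

def rows_from_response(payload):
    """Flatten the Logs API's {tables:[{columns,rows}]} shape into dicts."""
    table = payload["tables"][0]
    names = [c["name"] for c in table["columns"]]
    return [dict(zip(names, r)) for r in table["rows"]]

def advance_watermark(rows, previous):
    """Newest TimeGenerated seen this poll, or `previous` if the poll was empty.
    Rows at that timestamp cut off by `limit` are skipped, so poll often."""
    return max([previous] + [parse_ts(r["TimeGenerated"]) for r in rows])

def get_token(tenant_id, client_id, client_secret):
    """Client-credentials grant for the app registration from Steps 2 and 3."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://api.loganalytics.io/.default"}).encode()
    req = urllib.request.Request(LOGIN_URL.format(tenant_id=tenant_id), data=body)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]

def poll(token, workspace_id, table, since):
    """One poll cycle: query, flatten, and return (rows, new_watermark)."""
    req = urllib.request.Request(LOGS_URL.format(workspace_id=workspace_id),
        data=json.dumps({"query": build_poll_query(table, since)}).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        rows = rows_from_response(json.load(resp))
    return rows, advance_watermark(rows, since)
```

Call `poll(get_token(tenant_id, client_id, client_secret), workspace_id, "SigninLogs", watermark)` on the polling interval and persist the returned watermark between runs; a Log Analytics Reader principal is sufficient for this read-only flow.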

### What We Don't Have Access To

* Write access to your workspace
* Ability to create, modify, or delete alerts, rules, or workbooks
* Access to Azure resource management APIs
* Access to tables you haven't authorized

***

## Updating or Rotating Credentials

### Rotate Client Secret (Recommended: Before expiry)

1. In Azure Portal, go to **Entra ID** → **App registrations** → `TruU TOTAL - Log Analytics Reader`
2. Go to **Certificates & secrets**
3. Click **New client secret** (create the new one before deleting the old one)
4. Copy the new secret value
5. Paste the new secret in the Sentinel section in the TruU Portal
6. After TOTAL confirms the new secret is active, delete the old secret

### Revoke Access

To immediately remove TOTAL's access:

1. **Option A** — Disable in the TruU portal:
   * Go to the TruU Portal → **Settings → Connectors**
   * Find the Sentinel connector and click **Disable**
2. **Option B** — Remove the role assignment:
   * Go to your Log Analytics workspace → **Access control (IAM)**
   * Find the `TruU TOTAL - Log Analytics Reader` assignment and click **Remove**
3. **Option C** — Delete the App Registration:
   * Go to **Entra ID** → **App registrations** → `TruU TOTAL - Log Analytics Reader`
   * Click **Delete**
