Microsoft Sentinel
SIEM · Forwarding since 14 Apr 2026
Forwarding
Streams the same normalised events into a Sentinel Log Analytics workspace. OCSF 1.1.0 mapped to a custom table; Sentinel analytics rules can fire on `policy_outcome=denied` rows without any further configuration.
Status
- Healthy (no errors in last 7d)
- Last forward: 12s ago
- Forwarded (24h): 2,108
Connection
- Endpoint: https://acme-sec-eu.ods.opinsights.azure.com/api/logs
- Index / workspace: acme-sec-eu
- Sourcetype: Isochronic_CL
- Format: OCSF 1.1.0
Forwarding rules
- All policy_outcome events
- All data_access events where data_class ∈ {PII, HR, financial}
- All oauth_grant events
- All config_change events
- usage events: aggregate hourly (not per-event)
- tool_call events: only outcome ≠ allowed
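The forwarding rules above, as an added Python example of the routing decision (this is illustrative code, not the product's own forwarder); the event field names `event_type`, `data_class`, `outcome`, `time` and `seq` are assumptions, as is dropping unknown event types.

```python
from collections import defaultdict
from datetime import datetime

# Data classes whose data_access events are forwarded per the rules above.
SENSITIVE_CLASSES = {"PII", "HR", "financial"}


def route(event):
    """Return 'forward', 'aggregate' or 'drop' for one normalised event."""
    kind = event.get("event_type")
    if kind in ("policy_outcome", "oauth_grant", "config_change"):
        return "forward"                      # always forwarded
    if kind == "data_access":
        return "forward" if event.get("data_class") in SENSITIVE_CLASSES else "drop"
    if kind == "usage":
        return "aggregate"                    # rolled up hourly, not per-event
    if kind == "tool_call":
        return "drop" if event.get("outcome") == "allowed" else "forward"
    return "drop"                             # assumption: unknown types are not forwarded


def apply_rules(events):
    """Split a batch into per-event forwards and hourly usage counts."""
    forwarded, hourly = [], defaultdict(int)
    for ev in events:
        decision = route(ev)
        if decision == "forward":
            forwarded.append(ev)
        elif decision == "aggregate":
            hour = datetime.fromisoformat(ev["time"]).replace(minute=0, second=0, microsecond=0)
            hourly[hour.isoformat()] += 1
    return forwarded, dict(hourly)


# Constructed sample batch (field names assumed), including one event per rule.
SAMPLE_EVENTS = [
    {"seq": 481204, "time": "2026-04-14T14:23:01", "event_type": "policy_outcome",
     "action": "subagent.spawn", "outcome": "denied"},
    {"seq": 481203, "time": "2026-04-14T14:18:42", "event_type": "data_access",
     "action": "document.read", "data_class": "HR"},
    {"seq": 481202, "time": "2026-04-14T14:10:05", "event_type": "data_access",
     "action": "document.read", "data_class": "public"},
    {"seq": 481201, "time": "2026-04-14T14:05:00", "event_type": "tool_call", "outcome": "allowed"},
    {"seq": 481200, "time": "2026-04-14T13:59:30", "event_type": "tool_call", "outcome": "denied"},
    {"seq": 481199, "time": "2026-04-14T13:40:00", "event_type": "usage"},
    {"seq": 481198, "time": "2026-04-14T13:20:00", "event_type": "usage"},
    {"seq": 481197, "time": "2026-04-14T12:55:00", "event_type": "usage"},
]
```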
Where these events land
- Sentinel Log Analytics (Isochronic_CL table)
- Sentinel analytics rules on denied outcomes
Recent forwards
- 14:23:01 · policy_outcome · subagent.spawn · denied · seq 481204
- 14:18:42 · data_access · document.read · HR · seq 481203
Errors (last 7d)
None. The destination has acknowledged every batch.