Export alerts to Microsoft Sentinel

Integrate Corelight Investigator with Microsoft Sentinel to stream network alerts directly into your Azure environment. This integration uses the Azure Log Analytics HTTP Data Collector API to ingest alerts into custom tables, making network data available for analysis alongside your other security telemetry.

The configuration process involves retrieving a Workspace ID and Shared Key from your Azure Log Analytics workspace and entering them into the Investigator UI to establish a secure data flow.

Note

This integration uses the deprecated HTTP Data Collector API. This integration will cease to function 9/14/2026. An updated integration using the Logs Ingestion API will be available Summer 2026.

Prerequisites

Before you begin, ensure you have the following:

  • Azure: An active Azure subscription and an existing Log Analytics workspace.

  • Corelight: An operational Corelight Investigator instance.

  • Permissions:

    • In Azure: A user role with rights to view workspace properties and manage shared keys (typically Log Analytics Contributor or higher).

    • In Investigator: Administrator privileges to configure data exporters. Analyst-level users can only view existing configurations.

Step 1: Collect Azure Credentials

To configure the exporter, you must retrieve specific identifiers from the Azure Portal.

Retrieve the Customer ID (Workspace ID)

  1. Log in to your Azure portal with valid credentials.

  2. Search for Log Analytics workspaces in the top search bar.

  3. Select the workspace you intend to use for Corelight alerts.

  4. From the left navigation menu, click the Overview section.

  5. Copy the Workspace ID. This will be used as the Customer ID in Investigator.

Retrieve the Shared Key

  1. Navigate to the Microsoft documentation link for Shared Keys - Regenerate and click Try It.

  2. Sign in with your Azure account.

  3. Provide the required resourceGroupName, subscriptionID, and workspaceName.

  4. Click Run.

  5. From the response, copy the Primary Key to be used as the Shared key in Investigator.

Step 2: Configure the alert exporter in Investigator

Use the credentials gathered from Azure to set up the connection in the Investigator UI.

  1. Log in to the Corelight Investigator instance using valid credentials.

  2. From System Settings in the left navigation, choose Integration and click the Alert Exports tab.

  3. Click the MS Sentinel tile.

  4. Toggle the Enabled switch to the On position.

  5. Provide a Name for the exporter; by default, it is New.

  6. Enter the Customer ID (Workspace ID) you copied in Step 1.

  7. Enter the Log Type: the record type name with the suffix _CL, which defines the name of your custom log table in the Azure portal (for example, Corelight_Alerts_CL).

  8. Enter the Shared key retrieved from the Azure API.

  9. (Optional) Configure additional settings:

    • Resource ID (Optional): Enter the Azure Resource ID used to identify the specific resource for this data entry. This is found by clicking Properties in the left navigation of your Log Analytics workspace.

    • Host (Optional): Enter a custom host URL for dedicated Azure environments. If left blank, ods.opinsights.azure.com is used by default.

  10. Click Save to finalize the configuration.

Step 3: Verify the connection

  1. Log in to the Azure portal and navigate to your Log Analytics Workspace.

  2. Click Logs in the left sidebar.

  3. Run a KQL query using the Log Type name you configured (for example, Corelight_Alerts_CL).

  4. Verify that events from Corelight appear in the results.

Important

Alerts may not appear in Sentinel custom tables immediately. Allow a latency period of several minutes to a couple of hours, depending on system load.

Note

This integration uses the HTTP Data Collector API. Ensure your network allows Investigator to communicate with the Azure ingest endpoints.
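As an added example (not Corelight's or Microsoft's code), the following Python script assembles a signed HTTP Data Collector API request from the same values Step 2 asks for (Customer ID, Shared key, Log Type, optional Resource ID and Host), so an administrator can confirm the credentials and the egress path to the ingest endpoint before enabling the exporter. The signing scheme is the API's published SharedKey HMAC-SHA256 scheme; the sample alert record and its field names are constructed and do not reflect Investigator's alert schema.

```python
import base64
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone

DEFAULT_HOST = "ods.opinsights.azure.com"   # default Host value from the exporter form
# Constructed sample record; field names are illustrative, not Investigator's alert schema.
SAMPLE_ALERT = [{"alert_name": "example", "severity": "high", "src_ip": "10.0.0.5"}]

def validate_log_type(log_type: str) -> bool:
    return log_type.endswith("_CL") and len(log_type) > 3   # custom tables need _CL

def build_string_to_sign(content_length: int, rfc1123_date: str) -> str:
    """Canonical string the Data Collector API signs for POST /api/logs."""
    return (f"POST\n{content_length}\napplication/json\n"
            f"x-ms-date:{rfc1123_date}\n/api/logs")

def sign_request(customer_id: str, shared_key: str,
                 content_length: int, rfc1123_date: str) -> str:
    """Authorization value: 'SharedKey <Workspace ID>:<base64 HMAC-SHA256>'."""
    key = base64.b64decode(shared_key)          # the Shared key is base64-encoded
    msg = build_string_to_sign(content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"SharedKey {customer_id}:{base64.b64encode(digest).decode()}"

def build_request(customer_id, shared_key, log_type, records,
                  resource_id=None, host=DEFAULT_HOST, rfc1123_date=None):
    """Assemble URL, headers and body for one batch of alert records."""
    if not validate_log_type(log_type):
        raise ValueError("Log Type must end with _CL")
    body = json.dumps(records).encode("utf-8")
    date = rfc1123_date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": sign_request(customer_id, shared_key, len(body), date),
        "Log-Type": log_type,
        "x-ms-date": date,
    }
    if resource_id:                              # optional Resource ID setting
        headers["x-ms-AzureResourceId"] = resource_id
    url = f"https://{customer_id}.{host}/api/logs?api-version=2016-04-01"
    return url, headers, body

def post_alerts(customer_id, shared_key, log_type, records, **kw) -> int:
    url, headers, body = build_request(customer_id, shared_key, log_type, records, **kw)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status                       # 200 means the workspace accepted it
```

A successful `post_alerts(...)` returns 200, after which the record should surface under the configured Log Type in a KQL query, subject to the ingestion latency noted above.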