Skip to main content

Configuring Audit Log SIEM Integration (i.e. Microsoft Sentinel)

Written by Josh Chua

NextStage can forward a workspace's audit logs to your own SIEM for centralized security monitoring and compliance. Streaming is per-workspace and opt-in, configured under Admin → Integrations → SIEM / Audit Log Streaming.

If the SIEM integration menu is not available to you, reach out to support to have the feature enabled.

How it works

Audit events are written durably to NextStage's audit log, then forwarded to your

configured SIEM. Forwarding is event-triggered (near-real-time as events are

written), with a background safety poll (~every 2 minutes) as a backstop. Delivery

is at-least-once: each record carries a stable `EventId` (UUID) so you can dedup

on the rare resend (e.g. after a NextStage deploy).

Coverage starts when you enable streaming. Turning streaming on begins the feed from that moment. The audit history from before you enabled it is not

backfilled. (Your full history remains in NextStage's own audit log.)

Failures auto-pause and auto-recover. If your SIEM endpoint becomes unreachable or rejects records, streaming for that workspace automatically pauses with exponential backoff (1 minute up to a 30-minute cap) rather than stopping. It keeps its place and automatically resumes and delivers the backlog once the endpoint recovers. No manual re-enable required. Workspace admins are emailed when failures persist.

Supported destinations:

  • Microsoft Sentinel via the Azure Monitor Logs Ingestion API (DCE + DCR).

  • NextStage can support custom destinations upon request. Endpoints must be internet-reachable over HTTPS. Endpoint URLs are validated over TLS.

Record schema

All records follow NextStageAudit_CL.schema.json. For Sentinel, your DCR stream declaration must match these columns.

Microsoft Sentinel setup (incl. GCC High)

GCC High customers: perform these steps in Azure Government (https://portal.azure.us). Endpoints will be on `*.ingest.monitor.azure.us` and you must choose US Government for the Azure cloud in the NextStage form. Azure Government is internet-reachable, so no special networking is required on your side.

  1. Deploy the resources. Download and use azure-sentinel-deploy.bicep against your Sentinel (Log Analytics) workspace. It creates a Data Collection Endpoint (DCE), the `NextStageAudit_CL` custom table, and a Data Collection Rule (DCR), and outputs the DCE URL, DCR immutable ID, stream name, and the DCR resource id.

  2. Register an app. In Entra ID, create an app registration and a client secret. Note the Directory (tenant) ID, Application (client) ID, and the secret value.

  3. Grant permission. On the DCR (the `dcrId` output), assign the app the Monitoring Metrics Publisher role.

  4. Configure NextStage. In the SIEM settings form choose Microsoft Sentinel, select the correct Azure cloud, and paste tenant id, client id, client secret, DCE URL, DCR immutable id, and stream name. Click Save, then Test connection.

  5. Verify. A test record appears in the `NextStageAudit_CL` table. First-time ingestion into a new custom table can take a few minutes.

Client secrets expire (max ~24 months). When one lapses, ingestion fails and the UI

shows the error. Rotate the secret in Entra ID and update it in NextStage.

Did this answer your question?