This document describes the steps required to ingest eShare audit logs into a Microsoft Azure Log Analytics Workspace. The following steps will be reviewed:
REQUIREMENT:
This guide assumes the customer already has an Azure Log Analytics Workspace in place and a Microsoft Sentinel instance configured on that workspace. The person performing these steps must have sufficient permissions in Azure Active Directory (Microsoft Entra) and the Azure portal to create app registrations, data collection resources, and private link scopes.
Create an Azure AD Application Registration
Before eShare logs can be ingested from a different organization, an Azure AD Application registration is required to authenticate against the API.
In the Azure portal, navigate to 'Azure Active Directory' (Microsoft Entra) and select 'Applications' > 'App registrations'.
Click '+ New registration' to open the new registration wizard.
Enter a display name for the App registration. Under 'Supported account types', select 'Accounts in any organizational directory (Any Azure AD directory - Multitenant)'. Leave the 'Redirect URI (Optional)' field empty and click 'Register'.
Once registration is complete, navigate to 'Overview'. Copy and save both the 'Application (Client) ID' and the 'Directory (Tenant) ID' — these values will be required in a later step.
Navigate to 'Certificates & secrets'. Select the 'Client secrets' tab and click '+ New client secret'. Enter a description, set the validity duration, and click 'Add'.
Copy and securely store the secret value immediately. This is the only time the value is visible — once you navigate away from this page the value cannot be retrieved, and a new secret will need to be created.
Configure a Data Collection Endpoint (DCE)
Data Collection Endpoints (DCEs) provide a connection point for Azure Monitor data sources and support only Log Analytics workspaces as a destination.
In the Azure portal, search for 'Monitor' and click it to open the Azure Monitor control panel.
In the left column, scroll to the 'Settings' section and select 'Data Collection Endpoints'.
Click '+ Create'. Enter a name for the endpoint, select the target subscription and resource group, and click 'Review + create' to complete the deployment.
Note:
If the subscription is not registered for the Microsoft Insights service, an error will appear during deployment. To register, navigate to the subscription in the Azure portal, select 'Resource providers' under 'Settings', search for microsoft.insights, and click 'Register'.
Once the DCE is created, open it from the 'Data Collection Endpoints' list. From the 'Overview' page, locate and copy the 'Logs Ingestion' URI — this will be required in a later step.
While on the DCE overview page, click 'JSON View' and copy the 'Resource ID'.
Create a Custom Table and Data Collection Rule (DCR)
Before logs can be sent to the Log Analytics workspace, a custom table must be created to store the incoming data. Creating the table also generates the associated Data Collection Rule (DCR).
In the Azure portal, navigate to 'Log Analytics workspaces' and open your workspace. Under 'Settings', select 'Tables', then click '+ Create' > 'New custom log (DCR based)'.
Enter a name for the table. The required _CL suffix will be appended automatically. Under 'Data collection rule', select 'Create a new data collection rule', then select the DCE created in the previous section.
When prompted, upload the sample JSON file provided by eShare. See the Sample JSON section at the end of this article. Proceed through the remaining steps and click 'Create' to complete the table and DCR creation.
In the Azure portal, navigate to 'Monitor' and select 'Data collection rules'. Locate the DCR created in the previous step and open it.
From the 'Overview' page, click 'JSON View' to open the DCR properties.
Locate and copy the value of the 'immutableId' property.
To grant the App registration permission to write to this DCR, select 'Access Control (IAM)' from the DCR navigation menu and click 'Add role assignment'.
In the role search field, type "monitor" and select 'Monitoring Metrics Publisher'. Click 'Next'.
Set 'Assign access to' to 'User, group, or service principal'. Click '+ Select members', choose the App registration created in the first section, and click 'Review + assign'.
Create an Azure Monitor Private Link Scope
An Azure Monitor Private Link Scope (AMPLS) connects a private endpoint to a set of Azure Monitor resources, enabling eShare to forward logs to your Log Analytics workspace over a private network connection.
In the Azure portal, search for 'Azure Monitor Private Link Scopes' and select it.
Click '+ Create' to begin configuring a new link scope.
Select the target subscription and resource group. Under 'Instance Details', enter a name for the link scope. Set both 'Query access mode' and 'Ingestion access mode' to 'Open'. Click 'Review + create', then 'Create'.
Once created, open the AMPLS resource. Select 'Azure Monitor Resources' from the left navigation, then click '+ Add'. In the right pane, select the Log Analytics workspace used for log ingestion and click 'Apply'.
Repeat the previous step to connect the DCE created in the second section to the AMPLS.
With both resources connected, navigate to the AMPLS 'Overview' page and click 'JSON View'. Copy the 'Resource ID' and share it with eShare — this is required for eShare to create the Private Link connection to your organization.
Once eShare creates the Private Link request, navigate to 'Private Endpoint connections' within the AMPLS management pane. Locate the pending request and click 'Approve' to establish the connection. eShare logs will then begin forwarding to the designated Log Analytics workspace.
Information Required by eShare
To finalize the configuration, eShare needs to update its Logstash instance with the values collected during the steps above. Retrieve and share the following information with eShare.
App Registration — Application (Client) ID and Directory (Tenant) ID
Open the App registration created in the first section and navigate to 'Overview'. Copy the 'Application (client) ID' and 'Directory (tenant) ID'.
App Registration — Client Secret Value
Navigate to 'Certificates & secrets' and copy the current client secret value from the 'Client secrets' tab.
Note:
Client secrets expire based on the validity period set at creation. When the current secret expires, a new secret must be generated and the updated value provided to eShare to maintain uninterrupted log ingestion.
Data Collection Endpoint — Logs Ingestion URI
Open the DCE and navigate to 'Overview'. Copy the 'Logs Ingestion' URI.
Data Collection Rule — ImmutableId and Stream Name
Open the DCR and click 'JSON View' from the 'Overview' page. Copy the value of 'immutableId'. Then scroll down and also copy the value of 'dataFlows' > 'streams'.
For additional context on the methodology used in this guide, refer to the Microsoft Sentinel documentation: Use Logstash to stream logs with pipeline transformations via DCR-based API.
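Before handing the values above to eShare, they can be sanity-checked and the ingestion path exercised once. The following is an added example, not eShare's or Microsoft's code: the `cfg` keys and function names are hypothetical, and the GUID, `dcr-` and `Custom-` format checks are assumptions based on how Azure displays these values.

```python
import json
import re
import urllib.parse
import urllib.request

# Formats below are assumptions based on how Azure displays these values.
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
DCR_ID = re.compile(r"^dcr-[0-9a-f]{32}$")
SCOPE = "https://monitor.azure.com//.default"  # Azure Monitor token scope
API_VERSION = "2023-01-01"                     # Logs Ingestion API version

def check_values(cfg):
    """Return a list of problems with the collected values (empty = OK)."""
    problems = [f"{k} is not a GUID" for k in ("tenant_id", "client_id")
                if not GUID.match(cfg.get(k, ""))]
    uri = urllib.parse.urlparse(cfg.get("dce_uri", ""))
    if uri.scheme != "https" or not uri.hostname:
        problems.append("dce_uri must be an https URL")
    if not DCR_ID.match(cfg.get("dcr_immutable_id", "")):
        problems.append("dcr_immutable_id should look like dcr-<32 hex>")
    if not cfg.get("stream", "").startswith("Custom-"):
        problems.append("stream should start with 'Custom-'")
    return problems

def ingest_url(cfg):
    """Logs Ingestion API URL built from the DCE URI, DCR id and stream."""
    return (f"{cfg['dce_uri'].rstrip('/')}/dataCollectionRules/"
            f"{cfg['dcr_immutable_id']}/streams/{cfg['stream']}"
            f"?api-version={API_VERSION}")

def get_token(cfg):
    """Client-credentials token for the App registration (network call)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "scope": SCOPE,
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"]}).encode()
    url = (f"https://login.microsoftonline.com/{cfg['tenant_id']}"
           "/oauth2/v2.0/token")
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as r:
        return json.load(r)["access_token"]

def send_test_record(cfg, record):
    """POST one record as a JSON array; HTTP 204 means it was accepted."""
    req = urllib.request.Request(
        ingest_url(cfg), data=json.dumps([record]).encode(), method="POST",
        headers={"Authorization": f"Bearer {get_token(cfg)}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return r.status
```

Load `client_secret` from an environment variable or a vault rather than writing it into the script. An HTTP 403 from `send_test_record` usually means the 'Monitoring Metrics Publisher' role assignment on the DCR is missing or has not yet propagated.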
Sample JSON
Save the following content as a .json file and upload it when prompted during the custom table creation step in the third section.
{
"TimeGenerated": "2023-06-09T14:02:12.935Z",
"received_from": "10.36.128.8",
"syslog_timestamp": "Jun 09 14:02:12",
"syslog_program": "bancnow-ppe",
"host": "10.36.128.8",
"syslog_hostname": "e-share.us",
"syslog_message": "{\"Organizations\": [\"bancnow-ppe\"], \"AuthType\": \"SESSION\", \"Actor\": \"amy@bancnow.com\", \"Sharing_Policy\": null, \"SessionID\": \"03ydclxc89woztyqxy8f0mpaaz3n6hd3\", \"Version\": {\"Major\": \"2\", \"Minor\": \"0\"}, \"RequestID\": \"429e8d2913b7165e7196ec64b5d53387\", \"Action\": {\"Name\": \"Disable Recipient\", \"OperationID\": \"JnkKs9oB2k8r\"}, \"AddDateTime\": \"2023-06-09T14:02:12.908\", \"DateTime\": \"2023-06-09T14:02:12Z\", \"Event\": {\"Action\": \"Disable Recipient\", \"Category\": \"Trusted Share Actions\", \"Name\": \"anothertestusers023026451as6e8qwe@gmail.com\", \"User\": \"anothertestusers023026451as6e8qwe@gmail.com\"}, \"RemoteIP\": \"173.48.109.114\"}"
}
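In the sample record, the eShare audit event arrives as a JSON document encoded inside the `syslog_message` string, so it needs a second parse before fields such as the actor or remote IP can be filtered on. The following added example (not eShare's code; `normalize` and its output field names are hypothetical) flattens a shortened, constructed copy of the record and reports a malformed `syslog_message` instead of failing.

```python
import json

# Constructed input: the sample record above, shortened to the fields used here.
SAMPLE = r'''{
 "TimeGenerated": "2023-06-09T14:02:12.935Z",
 "syslog_program": "bancnow-ppe",
 "syslog_message": "{\"Organizations\": [\"bancnow-ppe\"], \"AuthType\": \"SESSION\", \"Actor\": \"amy@bancnow.com\", \"Action\": {\"Name\": \"Disable Recipient\", \"OperationID\": \"JnkKs9oB2k8r\"}, \"Event\": {\"Category\": \"Trusted Share Actions\", \"User\": \"anothertestusers023026451as6e8qwe@gmail.com\"}, \"RemoteIP\": \"173.48.109.114\"}"
}'''


def _get(obj, *path):
    """Walk nested dicts; return None when any level is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def normalize(record_json):
    """Flatten one ingested record into the fields an analyst filters on."""
    record = json.loads(record_json)
    out = {"time": record.get("TimeGenerated"),
           "program": record.get("syslog_program"), "parse_error": None}
    try:
        # Second parse: syslog_message is a string that itself holds JSON.
        event = json.loads(record.get("syslog_message") or "")
        if not isinstance(event, dict):
            raise ValueError("syslog_message is not a JSON object")
    except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
        out["parse_error"] = str(exc)
        return out
    out.update(actor=_get(event, "Actor"),
               auth_type=_get(event, "AuthType"),
               action=_get(event, "Action", "Name"),
               category=_get(event, "Event", "Category"),
               target=_get(event, "Event", "User"),
               remote_ip=_get(event, "RemoteIP"))
    return out
```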