Export DNSFilter data to Microsoft Sentinel
Data Export is an account add-on that must be enabled to complete these steps, and is not included as a feature through distributors. Account users with admin permissions or higher follow these setup and configuration steps to export from DNSFilter to Microsoft Sentinel / Azure Monitor using the Logs Ingestion API.
Limitations
- Maximum payload size: 1MB
- Rate limits: “The limits are currently set to 500 MB of data per minute for both compressed and uncompressed data and 300,000 requests per minute”
Prerequisites
- A Log Analytics workspace where you have at least contributor rights
- Permissions to create DCR objects in the workspace
Setup Sentinel/Azure Monitoring
Complete the Sentinel/Azure Monitoring side of this configuration first because several IDs and object names are necessary to complete the integration in the DNSFilter dashboard.
Review Microsoft's support content for any questions about configuring their products.
- Create a MS Entra application
  - Note these IDs and values:
    - Directory (tenant) ID
    - Application (client) ID
    - Client Secret Value
    - Client Secret ID
- Create the Data Collection Endpoint
  - Capture Log Ingestion and API Version values:
    - Data Collection Endpoint from the JSON
- Create a new data collection rule-based custom log (DCR)
  - Save this payload of data (e.g. config_payload.json) to configure the schema of the table:
{"Time":"2023-11-22T18:02:09.789986662Z","ClientMac":"","ClientType":"","IP4":"","IP6":"","Protocol":"","RequestAddress":"","Region":"","FQDN":"","Domain":"","QuestionType":"","Code":"","Allowed":true,"Threat":false,"ResponseIPs":"","ClientID":"","UserID":"","NetworkID":"","CollectionID":"","ScheduledPolicyID":"","PolicyID":"","OrganizationID":"","ApplicationID":"","ApplicationCategoryID":"","Client":"","Username":"","Organization":"","Network":"","Collection":"","ScheduledPolicy":"","Seccats":"","Blockcats":"","Secallowcats":"","Blockallowcats":"","Method":"","Policy":"","ApplicationName":"","ApplicationCategoryName":""}
  - In the Transform editor step, rename Time to TimeGenerated with this query:
source | extend TimeGenerated = todatetime(Time) | project-away Time
    - All log tables within Azure Monitor Logs are required to have a TimeGenerated column populated with the timestamp of the logged event
  - Collect these values from the DCR:
    - Stream Name (same as the log analytics Table Name)
    - Immutable ID
  - Add the Monitoring Metrics Publisher role on the DCR for the Entra application created above
Once these steps are complete and the values saved, navigate to the DNSFilter dashboard to complete the integration.
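An added end-to-end check, not DNSFilter's code: with the Entra app, DCE URL, DCR immutable ID and stream name collected above, this script sends a constructed record through the Logs Ingestion API, batched under the 1 MB payload limit, so the Azure side can be confirmed before the DNSFilter integration is configured. The tenant, client and DCR values are assumptions you replace with your own.

```python
# Added example, not DNSFilter's code: push a constructed test record through the
# Logs Ingestion API with the same Entra app / DCE / DCR values the integration needs.
import gzip
import json
import urllib.parse
import urllib.request

API_VERSION = "2023-01-01"
MAX_PAYLOAD = 1_000_000  # Logs Ingestion API accepts at most 1 MB per request

def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token; the app needs Monitoring Metrics Publisher on the DCR."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://monitor.azure.com//.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]

def ingest_url(dce, dcr_immutable_id, stream_name):
    """Needs the full DCE URL (not just its name), the DCR immutable ID and the stream name."""
    return (f"{dce.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{stream_name}?api-version={API_VERSION}")

def chunk_records(records, limit=MAX_PAYLOAD):
    """Split records into JSON-array batches whose serialized size stays within the cap."""
    batches, current = [], []
    for rec in records:
        if current and len(json.dumps(current + [rec]).encode()) > limit:
            batches.append(current)
            current = []
        current.append(rec)
    return batches + [current] if current else batches

def send_batch(url, token, batch):
    """POST one gzip-compressed JSON array; the API answers 204 No Content on success."""
    req = urllib.request.Request(url, data=gzip.compress(json.dumps(batch).encode()),
                                 method="POST", headers={"Authorization": f"Bearer {token}",
                                 "Content-Type": "application/json", "Content-Encoding": "gzip"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

# Constructed record using the config_payload.json field names; the source stream still
# carries Time, and the DCR transform above turns it into TimeGenerated.
SAMPLE = {"Time": "2023-11-22T18:02:09.789986662Z", "FQDN": "example.com",
          "Domain": "example.com", "QuestionType": "A", "Allowed": True, "Threat": False}
```

To run it, call get_token with your tenant and app values, then send_batch(ingest_url(dce, dcr_id, stream), token, batch) for each batch from chunk_records([SAMPLE]); a 204 confirms the role assignment, DCE and DCR are wired correctly.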
Configure the Microsoft Sentinel integration in the DNSFilter app
- From the DNSFilter dashboard, navigate to Integrations and select Microsoft Sentinel
- Select Get Started
- Select Configure Data Export
- Select Microsoft Sentinel
- Select Continue
- Enter the collected values:
  - Directory (tenant) ID
  - Application (client) ID
  - Client Secret
  - Data Collection Endpoint (DCE). This is the full URL, not just the DCE name
  - Table Name
  - Data Collection Rule (DCR) Immutable ID
- Select Verify & Test Account
- Once the test is complete, a success message will populate:
If an error message populates, check the values match in Sentinel and the application details and retry the test.
- With a success message, select Finalize to complete the configuration
The setup is now complete and data will begin exporting to Sentinel.
None of the integrations appear to work. If you follow the instructions as soon as you click on "Get Started" you are sent to the Tools > SSL Certificate page. This makes no sense and seems to have broken the ability to integrate ANYTHING with DNSFilter. There are several others who are seeing the same issues and we have not received any updates yet on what the fix is.
0 -
Jason Rybicki it appears that you may have purchased DNSFilter through a distributor. At this time, we do not provide Data Export functionality to that specific customer base, which may explain the issues you're encountering with our SIEM integrations.
We sincerely apologize for the confusing and misleading in-app experience you’ve encountered when trying to access these features; we are actively working on adjustments to improve the experience and provide clearer messaging within the platform.
0 -
I've followed the instructions above and still get a red error: "There was an issue verifying and testing your account."
0 -
Hi Sherese Woodfine, sorry you're running into issues with Data Export, but our engineers have a workaround for you to try using an API key.
Call this endpoint (inserting your organization ID):
/v1/exports/{{orgID}}/setting
And send this JSON body, replacing your organization's Sentinel values anywhere it says “place-holder”. This example uses Postman:
{
  "setting": {
    "backend": "ms_sentinel",
    "backend_type": "ms_sentinel",
    "metadata": {
      "tenant_id": "place-holder",
      "dce": "https://qe-de-ms-sentinel-endpoint-3omz.eastus-1.ingest.monitor.azure.com",
      "dcr_immutable_id": "place-holder",
      "stream_name": "Custom-qedemssentineldcrtable_CL",
      "client_id": "place-holder",
      "client_secret": "place-holder",
      "compression_enabled": "true"
    }
  }
}
Let us know if this does the trick, and if not we can continue to troubleshoot!
0 -
Hi Minetta,
Thanks for the reply. I was able to create the API key, but we are still unclear from your instructions what to do next. I currently have a ticket open since last week for this, #200906. Can someone please contact me so we can close this loop in our project?
Thanks,
Sherese
0 -
Hi Sherese Woodfine! Apologies that the steps were vague, here’s a more detailed step by step to help you complete the API call. This example will use Postman, which should be translatable into any tool you use for API calls.
To complete this process, you'll need to make a POST request to the following API endpoint, replacing {{orgID}} with your actual organization ID:
/v1/exports/{{orgID}}/setting
Next, you’ll send structured configuration data in JSON format as part of the API request. In this case, you're sending the required settings to configure your export to Microsoft Sentinel. The values that say "YOUR-XXX" need to be replaced with your actual Sentinel values, just like in the in-app configuration method. Here’s how to do it in Postman:
1. Open Postman and create a new POST request. Set the request URL to:
https://api.yourdomain.com/v1/exports/{{your_org_id}}/setting
   a. Replace {{your_org_id}} with your actual organization ID.
2. Go to the Headers tab and set any required headers (e.g., Authorization, Content-Type: application/json).
3. Go to the Body tab, choose raw, and select JSON as the type. Paste in the JSON body below, replacing all "YOUR-XXX" values with your actual Microsoft Sentinel values:
{
  "setting": {
    "backend": "ms_sentinel",
    "backend_type": "ms_sentinel",
    "metadata": {
      "tenant_id": "YOUR-TENANT-ID",
      "dce": "https://qe-de-ms-sentinel-endpoint-3omz.eastus-1.ingest.monitor.azure.com",
      "dcr_immutable_id": "YOUR-DCR-IMMUTABLE-ID",
      "stream_name": "Custom-qedemssentineldcrtable_CL",
      "client_id": "YOUR-CLIENT-ID",
      "client_secret": "YOUR-CLIENT-SECRET",
      "compression_enabled": "true"
    }
  }
}
If the request is successful:
- You should receive a 200 OK or 201 Created response.
- Your export configuration will be saved and linked to your organization's Sentinel destination.
- From this point on, data will begin exporting to the configured Sentinel destination (depending on any additional activation steps required on your end).
If the request fails:
- You’ll receive an error response. The error message should help you identify missing or incorrect values (like an invalid client ID or tenant ID).
- Make sure all fields are correctly filled, and credentials are valid.
Let us know if this helps, and happy to provide more detail—just let us know!
0 -
Good Afternoon all!
Just to close the loop on Sherese's problem, it was due to an incorrect DCE URL. We didn't display that error message correctly on our end (working with my engineering team on that). However, you can view this response by going into Dev Tools > Network and reviewing the Response to the bad request! Hope this helps others in the future!
0