MS Sentinel

Forward ARMO Security & Runtime Events to Microsoft Sentinel

Overview

The ARMO Platform integrates with Microsoft Sentinel to forward security events, runtime detections, and operational signals into your Sentinel Log Analytics Workspace. This enables:

  • Centralized visibility across Kubernetes, cloud, and infrastructure
  • Unified threat detection and investigation workflows
  • Correlation of ARMO runtime alerts with other Azure and on-prem logs
  • Automated incident creation and analytics in Sentinel

The integration uses Azure’s Log Analytics ingestion API, authenticated via Workspace ID and Primary Key.
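The following is an added example, not ARMO's own sender code, showing how Workspace ID / Primary Key authentication against the Log Analytics Data Collector endpoint (`/api/logs`) is built: the request is signed with an HMAC-SHA256 over the method, content length, content type, `x-ms-date` header and resource path, keyed with the base64-decoded Primary Key. It assumes that endpoint and signing scheme (the one documented for this authentication style; whether ARMO's implementation matches it line for line is not stated on the page), uses constructed placeholder credentials, and lets you reproduce an "Authentication errors" failure offline, since a wrong key or workspace ID changes the signature the service will verify.

```python
"""Added example (not ARMO's code): sign and send one event to the
Log Analytics Data Collector API with Workspace ID + Primary Key."""
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request

# Constructed placeholders; replace with the values read from
# Settings -> Agents management in your Log Analytics Workspace.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
PRIMARY_KEY = base64.b64encode(b"constructed-placeholder-key").decode()
LOG_TYPE = "ARMOAlerts"  # Log Analytics stores custom logs as <Log-Type>_CL


def build_signature(workspace_id, primary_key, rfc1123_date, content_length,
                    method="POST", content_type="application/json",
                    resource="/api/logs"):
    """Return the SharedKey Authorization header value.

    The string to sign is method, content length, content type,
    'x-ms-date:<date>' and the resource path joined by newlines; it is
    HMAC-SHA256'd with the base64-decoded Primary Key and base64-encoded.
    """
    string_to_sign = "\n".join([
        method, str(content_length), content_type,
        f"x-ms-date:{rfc1123_date}", resource,
    ])
    decoded_key = base64.b64decode(primary_key)
    digest = hmac.new(decoded_key, string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, primary_key, log_type, records, now=None):
    """Build (url, headers, body) for one ingestion call without sending it."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")  # content length is in bytes
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, primary_key,
                                         rfc1123_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"/api/logs?api-version=2016-04-01")
    return url, headers, body


def send_test_event(workspace_id, primary_key, log_type):
    """POST a constructed sample event; returns the HTTP status (200 = accepted)."""
    sample = [{"source": "armo-test", "severity": "Low",
               "message": "constructed test event"}]
    url, headers, body = build_request(workspace_id, primary_key, log_type, sample)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Requires real credentials; with the placeholders above the service
    # rejects the signature, which is the "Authentication errors" case.
    print(send_test_event(WORKSPACE_ID, PRIMARY_KEY, LOG_TYPE))
```

Because the signature covers the `x-ms-date` header and the exact byte length of the body, a clock far out of sync or a body altered in transit also fails authentication, not only a mistyped key; the Primary Key is a credential that grants write access to the workspace, so store it as a secret rather than in a config file.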


Prerequisites

Before configuring the integration, ensure the following:

  • Access to an existing Log Analytics Workspace; you will need its Workspace ID and Primary Key to authenticate ARMO’s data forwarding
  • Access to the ARMO Platform with Manager or Admin permissions

1. Retrieve Your Sentinel Workspace Credentials

Follow these steps to obtain the credentials ARMO requires for ingestion.


1.1 Log In to Azure

Sign in to the Azure Portal.


1.2 Open Microsoft Sentinel

Navigate to:

Azure Portal → Microsoft Sentinel

Select the Sentinel workspace you want ARMO to send events to.


1.3 Open the Log Analytics Workspace

Inside your Sentinel instance:

  1. Click Log Analytics Workspace
  2. The workspace page will open

1.4 Navigate to Agents Management

In the workspace:

Settings → Agents management

Under the Windows servers tab, note the following:

  • Workspace ID
  • Primary Key

These two values are required for ARMO authentication.


2. Configure the Integration in the ARMO Platform

Once you have the Workspace ID and Primary Key:


2.1 Open the SIEM Integrations Page

In the ARMO Platform, navigate to:

Settings → Integrations → SIEM Integrations

2.2 Add the Microsoft Sentinel Integration

  1. Click Connect on the Microsoft Sentinel card
  2. Click Add Workspace

2.3 Fill in the Required Fields

Field           Description
Name            Friendly name for your integration (e.g., Sentinel-Prod, Azure-Security)
Workspace ID    Paste the ID copied from Azure
Primary Key     Paste the Primary Key copied from Azure

Click Save to complete integration setup.

ARMO will begin forwarding runtime and security events to your Sentinel workspace.


3. Validate the Integration


3.1 Send a Test Event from ARMO

From the Sentinel integration table:

  • Click the Send Test Message icon
  • ARMO sends a sample event

3.2 Verify Logs in Microsoft Sentinel

In the Azure Portal:

  1. Open your Log Analytics Workspace
  2. Go to Logs
  3. Run a query such as:

     ARMOAlerts_CL
     | sort by TimeGenerated desc

This table contains all ARMO-forwarded events.

Allow 10 minutes for the test event to appear.


What Events Are Streamed?

https://hub.armosec.io/docs/siem#/


Troubleshooting

Issue                   Cause                                   Resolution
No logs in Sentinel     Azure ingestion delays                  Wait 10 minutes
No logs in Sentinel     Integration disabled                    Enable the integration
Authentication errors   Incorrect Workspace ID or Primary Key   Re-copy values from Azure

Summary

By completing this setup, you can:

  • Centralize ARMO alerts and runtime events in MS Sentinel
  • Correlate multi-layer signals with infrastructure logs
  • Build dashboards, alerts, and workflows
  • Strengthen incident investigation and response

The MS Sentinel integration provides unified, real-time visibility into your Kubernetes and cloud security operations powered by ARMO’s Threat Detection & Response.