Hi,
Thanks for reaching out to Microsoft Q&A.
Step 1: Set Up Prerequisites
Ensure the following are set up:
- Azure Storage Account: Your application logs are stored in an Azure Blob Storage container.
- Microsoft Sentinel: Installed and running in your Azure Log Analytics workspace.
- Permissions:
  - Ensure the Managed Identity or Service Principal accessing the blob storage has the Storage Blob Data Reader role.
  - The Log Analytics Contributor role is required to write to Sentinel.
Step 2: Choose an Ingestion Method
There are three primary methods to ingest logs from Azure Blob Storage into Sentinel:
- Using Azure Sentinel’s Data Connectors (Best for structured logs)
- Using Azure Logic Apps (Best for event-driven log ingestion)
- Using an Azure Function (Best for custom parsing and transformation)
Step 3: Implement the Chosen Approach
Option 1: Use Azure Sentinel’s Blob Storage Data Connector
If your logs are structured and supported by Sentinel's built-in Azure Blob Storage connector, use this:
- Open Microsoft Sentinel.
- Go to Data Connectors and search for Azure Blob Storage.
- Click Open Connector Page and follow these steps:
  - Grant Sentinel access to the Azure Storage Account.
  - Define the log structure and format.
  - Map the blob data to Log Analytics tables.
Limitations: This method supports specific log formats. If your logs are in JSON, CSV, or syslog, it may work well, but unstructured logs might need preprocessing.
- If logs are structured (JSON, CSV), use Sentinel’s built-in connector.
- If event-driven ingestion is needed, use Azure Logic Apps.
- If custom parsing or transformation is required, AzFunc is the best choice.
Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.
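As an added illustration of the preprocessing step the answer mentions (the custom parsing an Azure Function would do before sending blob lines to Sentinel), here is example code written for this thread, not Microsoft's own. The sample lines, the flat table schema, the syslog year and the DCE/DCR/stream names are constructed placeholders; it builds the Logs Ingestion API request but does not send it.

```python
import csv
import io
import json
import re
from datetime import datetime, timezone

# Constructed sample of the mixed-format lines one blob might hold: a JSON
# record, a CSV row and a syslog-style line (placeholder data, not real logs).
SAMPLE_BLOB = """\
{"time":"2024-05-01T10:00:00Z","level":"error","msg":"login failed","src":"10.0.0.5"}
2024-05-01T10:00:01Z,warning,disk 90% full,10.0.0.6
May  1 10:00:02 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.7
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")


def normalize_line(line, year=2024):
    """Map one raw line onto a flat record with TimeGenerated, the assumed
    schema of the custom Log Analytics table; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    if line.startswith("{"):
        obj = json.loads(line)
        return {"TimeGenerated": obj["time"], "Level": obj.get("level", "info"),
                "Message": obj["msg"], "SourceIp": obj.get("src"), "Format": "json"}
    m = SYSLOG_RE.match(line)
    if m:  # classic syslog lacks a year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc).isoformat().replace("+00:00", "Z")
        return {"TimeGenerated": ts, "Level": "info", "Message": m["msg"],
                "SourceIp": None, "Host": m["host"], "Format": "syslog"}
    ts, level, msg, src = next(csv.reader(io.StringIO(line)))  # assumed CSV column order
    return {"TimeGenerated": ts, "Level": level, "Message": msg, "SourceIp": src, "Format": "csv"}


def process_blob(text):
    """Normalize every non-empty line of a downloaded blob."""
    return [r for r in (normalize_line(l) for l in text.splitlines()) if r]


def build_ingestion_request(dce_endpoint, dcr_immutable_id, stream_name, records):
    """Return the URL and JSON body for the Azure Monitor Logs Ingestion API;
    the Function would POST this with a bearer token from its managed identity."""
    url = (f"{dce_endpoint}/dataCollectionRules/{dcr_immutable_id}"
           f"/streams/{stream_name}?api-version=2023-01-01")
    return url, json.dumps(records)
```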