Microsoft Sentinel Integration

Updated over 2 months ago

This guide explains how to ingest Axur Platform feeds into Microsoft Sentinel using a Logic App (Consumption), a Data Collection Endpoint (DCE), a Data Collection Rule (DCR), and a custom table in a Log Analytics Workspace.

Note: This tutorial assumes you already have access to the Axur Platform and the required API Key.


Prerequisites

  • Azure subscription with permission to create Logic Apps, DCE, DCR, and Log Analytics resources.

  • Axur Platform API Key and a Feed ID.


Cost and billing considerations

  • Important: Deploying and running this integration in your Microsoft Azure subscription may incur charges. All costs are billed by Microsoft to your subscription and are the user’s responsibility. Axur does not bill for, manage, or assume responsibility for Azure charges.

  • Common cost drivers:

  • Tips to control cost:

    • Start with a longer recurrence interval and narrower feed filters to limit volume.

    • Use staging/test subscriptions and set budgets and cost alerts in Azure Cost Management.

    • Review ingestion volume in the Log Analytics workspace and adjust as needed (filters, schedule, data shaping).

Tip: A glossary of Azure terms used in this tutorial is available at the end of the document.


1) Create the Axur Platform Feed

Create an API Key and a Feed directly on the Axur Platform. Keep both values at hand for later steps.

  1. Generate an API Key

    1. In the Axur Platform, go to API Keys configuration.

    2. Create a new API key and copy the API Key value securely.

    3. Note: The feed only returns data that the API key user has permission to access.

  2. Create the Feed and copy its ID

    1. In the Axur Platform, go to API & Integrations → Feeds.

    2. Create a new feed according to your use case (e.g., phishing, brand abuse, credential leaks), setting the desired filters.

    3. After saving, open the newly created feed. Copy only the Feed ID from the URL and save it for later.

  3. (Optional) Validate the feed via API

    Use curl to confirm the feed returns data with your API Key and Feed ID (the command spans several lines; the trailing backslashes are line continuations):

curl -sS \
  -H "Authorization: Bearer YOUR_AXUR_API_KEY" \
  -H "Accept: application/json" \
  "https://api.axur.com/gateway/1.0/api/integration-feed/feeds/feed/YOUR_FEED_ID" | jq '.'

  • On API & Integrations → Feeds, you can also monitor feed status over time (e.g., last request timestamp).

  • If no events are returned, verify the feed filters and the API key user’s permissions.

From this point onward (Step 2+), all configuration is performed in the Microsoft Azure cloud using the Azure portal.


Option 1: Deploy via custom template

If you prefer a plug-and-play deployment via the Azure Portal, use this custom template. It creates: Log Analytics Workspace (and enables Microsoft Sentinel), Data Collection Endpoint (DCE), custom Table (DCR-based), Data Collection Rule (DCR) with the KQL transform, Logic App (Consumption) with managed identity, and the IAM role assignment on the DCR.

How to deploy (copy & paste):

  1. In the Azure Portal, search for Deploy a custom template.

  2. Click Build your own template in the editor.

  3. Paste the JSON below → Save.

  4. Fill in: workspaceName, logicAppName, tableName, feedId, apiKey (secure), and choose location/RG → Deploy.

Notes:

  • Permissions parameter: dcrIngestRoleDefinitionIdOptional (optional). Leave empty to use Monitoring Metrics Publisher (default). To force another role (e.g., Monitoring Data Sender), paste its RoleDefinitionId (GUID). The parameter's hover text explains how to retrieve it quickly via Azure CLI.

  • Propagation: after deployment, DCR/table registration can take a few minutes. Initial Logic App runs may fail with 401/403 or InvalidOutputTable until permissions and configuration propagate. Wait 20–30 minutes.

  • You can check Run History in the Logic App to see if it is running successfully.

  • After deployment, skip to the Validation section below (manual Steps 2–7 are not needed if you used this template).

Template JSON:

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
},
"workspaceName": {
"type": "string",
"defaultValue": "wk-axur-integration"
},
"logicAppName": {
"type": "string",
"defaultValue": "la-axur-ingest"
},
"tableName": {
"type": "string",
"defaultValue": "AxurIntegration"
},
"prefix": {
"type": "string",
"defaultValue": "axur-sentinel"
},
"feedId": {
"type": "string",
"defaultValue": "GET_FROM_AXUR_PLATFORM_FEED_ID"
},
"apiKey": {
"type": "securestring",
"defaultValue": ""
},
"recurrenceFrequency": {
"type": "string",
"defaultValue": "Minute",
"allowedValues": [ "Minute", "Hour", "Day" ]
},
"recurrenceInterval": {
"type": "int",
"defaultValue": 5,
"minValue": 1
},
"dcrIngestRoleDefinitionIdOptional": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Optional. Paste a RoleDefinitionId (GUID) to use for DCR ingest (e.g., Monitoring Data Sender). Leave empty to fallback to Monitoring Metrics Publisher."
}
}
},
"variables": {
"streamName": "[concat('Custom-', parameters('tableName'), '_CL')]"
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2022-10-01",
"name": "[parameters('workspaceName')]",
"location": "[parameters('location')]",
"properties": {
"retentionInDays": 30,
"features": {
"enableDataExport": true
}
},
"sku": {
"name": "PerGB2018"
}
},
{
"type": "Microsoft.OperationsManagement/solutions",
"apiVersion": "2015-11-01-preview",
"name": "[concat('SecurityInsights(', parameters('workspaceName'), ')')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
],
"plan": {
"name": "[concat('SecurityInsights(', parameters('workspaceName'), ')')]",
"publisher": "Microsoft",
"product": "OMSGallery/SecurityInsights",
"promotionCode": ""
},
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
}
},
{
"type": "Microsoft.Insights/dataCollectionEndpoints",
"apiVersion": "2022-06-01",
"name": "[concat(parameters('prefix'), '-dce')]",
"location": "[parameters('location')]",
"properties": {
"networkAcls": {
"publicNetworkAccess": "Enabled"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/tables",
"apiVersion": "2022-10-01",
"name": "[concat(parameters('workspaceName'), '/', parameters('tableName'), '_CL')]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
],
"properties": {
"tableType": "DataCollectionRule",
"schema": {
"name": "[concat(parameters('tableName'), '_CL')]",
"columns": [
{ "name": "TimeGenerated", "type": "datetime" },
{ "name": "last_update_date", "type": "datetime" },
{ "name": "open_date", "type": "datetime" },
{ "name": "ticket_reference", "type": "string" },
{ "name": "ticket_key", "type": "string" },
{ "name": "customer_key", "type": "string" },
{ "name": "collector", "type": "string" },
{ "name": "detection_type", "type": "string" },
{ "name": "status", "type": "string" },
{ "name": "assets", "type": "dynamic" },
{ "name": "attachments", "type": "dynamic" },
{ "name": "ticket_raw", "type": "dynamic" },
{ "name": "detection_raw", "type": "dynamic" },
{ "name": "feed_meta", "type": "dynamic" },
{ "name": "feed_id", "type": "string" }
]
}
}
},
{
"type": "Microsoft.Insights/dataCollectionRules",
"apiVersion": "2022-06-01",
"name": "[concat(parameters('prefix'), '-dcr')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Insights/dataCollectionEndpoints', concat(parameters('prefix'), '-dce'))]",
"[resourceId('Microsoft.OperationalInsights/workspaces/tables', parameters('workspaceName'), concat(parameters('tableName'), '_CL'))]"
],
"properties": {
"dataCollectionEndpointId": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', concat(parameters('prefix'), '-dce'))]",
"destinations": {
"logAnalytics": [
{
"name": "la",
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
}
]
},
"dataSources": {
"customLogs": [
{
"name": "custom",
"streams": [
"[variables('streamName')]"
]
}
]
},
"dataFlows": [
{
"streams": [
"[variables('streamName')]"
],
"destinations": [
"la"
],
"transformKql": "source\n| extend\n last_update_date = todatetime(last_update_date),\n open_date = todatetime(open_date)\n| project\n TimeGenerated,\n last_update_date,\n open_date,\n ticket_reference,\n ticket_key,\n customer_key,\n collector,\n detection_type,\n status,\n assets,\n attachments,\n ticket_raw,\n detection_raw,\n feed_meta,\n feed_id"
}
]
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2019-05-01",
"name": "[parameters('logicAppName')]",
"location": "[parameters('location')]",
"identity": { "type": "SystemAssigned" },
"dependsOn": [
"[resourceId('Microsoft.Insights/dataCollectionRules', concat(parameters('prefix'), '-dcr'))]",
"[resourceId('Microsoft.Insights/dataCollectionEndpoints', concat(parameters('prefix'), '-dce'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/schemas/2016-06-01/workflowdefinition.json#",
"triggers": {
"Recurrence": {
"type": "Recurrence",
"recurrence": {
"frequency": "[parameters('recurrenceFrequency')]",
"interval": "[parameters('recurrenceInterval')]"
},
"evaluatedRecurrence": {
"frequency": "[parameters('recurrenceFrequency')]",
"interval": "[parameters('recurrenceInterval')]"
}
}
},
"actions": {
"HTTP_GET_Feed": {
"type": "Http",
"inputs": {
"uri": "https://api.axur.com/gateway/1.0/api/integration-feed/feeds/feed/@{parameters('feed_id')}",
"method": "GET",
"headers": {
"Authorization": "Bearer @{parameters('api_token')}",
"Accept": "application/json"
}
}
},
"Parse_JSON": {
"runAfter": { "HTTP_GET_Feed": [ "Succeeded" ] },
"type": "ParseJson",
"inputs": {
"content": "@body('HTTP_GET_Feed')",
"schema": {
"type": "object",
"properties": {
"feedData": { "type": "object" },
"collectionData": {
"type": "object",
"properties": {
"tickets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"ticket": { "type": "object" },
"detection": { "type": "object" },
"attachments": { "type": "array" },
"texts": { "type": "array" }
}
}
}
}
}
}
}
}
},
"Select_Tickets": {
"runAfter": { "Parse_JSON": [ "Succeeded" ] },
"type": "Select",
"inputs": {
"from": "@body('Parse_JSON')?['collectionData']?['tickets']",
"select": {
"TimeGenerated": "@item()?['ticket']?['last-update.date']",
"last_update_date": "@item()?['ticket']?['last-update.date']",
"open_date": "@item()?['detection']?['open.date']",
"ticket_reference": "@item()?['ticket']?['reference']",
"ticket_key": "@item()?['ticket']?['ticketKey']",
"customer_key": "@item()?['ticket']?['customerKey']",
"collector": "@item()?['ticket']?['creation.collector']",
"detection_type": "@item()?['detection']?['type']",
"status": "@item()?['detection']?['status']",
"assets": "@item()?['detection']?['assets']",
"attachments": "@item()?['attachments']",
"ticket_raw": "@item()?['ticket']",
"detection_raw": "@item()?['detection']",
"feed_meta": "@body('Parse_JSON')?['feedData']",
"feed_id": "@{parameters('feed_id')}"
}
}
},
"HTTP_POST_to_Sentinel": {
"runAfter": { "Select_Tickets": [ "Succeeded" ] },
"type": "Http",
"inputs": {
"uri": "@{parameters('dce_ingestion_base_url')}/dataCollectionRules/@{parameters('dcr_immutable_id')}/streams/@{parameters('stream_name')}?api-version=2023-01-01",
"method": "POST",
"headers": { "Content-Type": "application/json" },
"body": "@body('Select_Tickets')",
"authentication": {
"type": "ManagedServiceIdentity",
"audience": "https://monitor.azure.com"
}
}
}
},
"outputs": {},
"parameters": {
"feed_id": { "type": "String" },
"api_token": { "type": "SecureString" },
"dce_ingestion_base_url": { "type": "String" },
"dcr_immutable_id": { "type": "String" },
"stream_name": { "type": "String" },
"$connections": { "type": "Object", "defaultValue": {} }
}
},
"parameters": {
"feed_id": { "value": "[parameters('feedId')]" },
"api_token": { "value": "[parameters('apiKey')]" },
"dce_ingestion_base_url": { "value": "[reference(resourceId('Microsoft.Insights/dataCollectionEndpoints', concat(parameters('prefix'), '-dce'))).logsIngestion.endpoint]" },
"dcr_immutable_id": { "value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', concat(parameters('prefix'), '-dcr'))).immutableId]" },
"stream_name": { "value": "[variables('streamName')]" },
"$connections": { "value": {} }
}
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(resourceId('Microsoft.Insights/dataCollectionRules', concat(parameters('prefix'), '-dcr')), parameters('logicAppName'), 'dcr-ingest-role')]",
"scope": "[resourceId('Microsoft.Insights/dataCollectionRules', concat(parameters('prefix'), '-dcr'))]",
"dependsOn": [
"[resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))]"
],
"properties": {
"roleDefinitionId": "[if(equals(parameters('dcrIngestRoleDefinitionIdOptional'), ''), subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('dcrIngestRoleDefinitionIdOptional')))]",
"principalId": "[reference(resourceId('Microsoft.Logic/workflows', parameters('logicAppName')), '2019-05-01', 'Full').identity.principalId]",
"principalType": "ServicePrincipal"
}
}
],
"outputs": {
"table": { "type": "string", "value": "[concat(parameters('tableName'), '_CL')]" },
"stream": { "type": "string", "value": "[variables('streamName')]" },
"dceIngestUrl": { "type": "string", "value": "[reference(resourceId('Microsoft.Insights/dataCollectionEndpoints', concat(parameters('prefix'), '-dce'))).logsIngestion.endpoint]" },
"dcrImmutableId": { "type": "string", "value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', concat(parameters('prefix'), '-dcr'))).immutableId]" }
}
}


Option 2: Manual deployment

Follow the steps below to provision each Azure resource manually via the portal.


(Optional) In Azure: Create a Resource Group

Creating a dedicated Resource Group (RG) before provisioning resources helps organization, access control, and lifecycle management.

In the Azure portal:

  1. Search for Resource groups → Create.

  2. Select the target Subscription and choose a Resource group name (e.g., rg-sentinel-axur-prod).

  3. Pick a Region aligned with where you plan to create the Logic App, DCE, DCR, and Log Analytics workspace → Review + create → Create.

You will select this RG in the following steps when creating the Logic App, DCE, and Workspace.


2) In Azure: Create the Logic App (Consumption)

Create a new Logic App (Consumption). Enable system-assigned managed identity so it can authenticate to Azure Monitor ingestion.

In the Azure portal:

  1. Search for and select Logic apps → Add.

Hosting option

  • During creation, Azure shows a “Hosting option” for Logic Apps: Consumption (multi-tenant/serverless, billed per action) or Standard (single-tenant on App Service, different runtime/features and pricing).

  • For this tutorial, select Consumption.

  • Basics: choose the correct Subscription (for billing/governance), select your Resource group (or create one as above), set a Logic app name, and pick a Region (keep the same region you will use for Log Analytics). Set Plan to Consumption → Review + create → Create.

  • After deployment, go to the Logic App resource.

  • Enable Managed Identity: Identity → System assigned → Status: On → Save.

Create the workflow to pull the Axur feed and send to Azure Monitor ingestion using Managed Identity.

  • In the Logic App, open Development Tools → Logic App Code view, paste the definition below, then save. For now, leave the "parameters" block as it is; you will fill in the values in Step 7.

{
"definition": {
"$schema": "https://schema.management.azure.com/schemas/2016-06-01/workflowdefinition.json#",
"triggers": {
"Recurrence": {
"recurrence": {
"frequency": "Minute",
"interval": 1
},
"evaluatedRecurrence": {
"frequency": "Minute",
"interval": 1
},
"type": "Recurrence"
}
},
"actions": {
"HTTP_GET_Feed": {
"runAfter": {},
"type": "Http",
"inputs": {
"uri": "https://api.axur.com/gateway/1.0/api/integration-feed/feeds/feed/@{parameters('feed_id')}",
"method": "GET",
"headers": {
"Authorization": "Bearer @{parameters('api_token')}",
"Accept": "application/json"
}
}
},
"Parse_JSON": {
"runAfter": {
"HTTP_GET_Feed": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('HTTP_GET_Feed')",
"schema": {
"type": "object",
"properties": {
"feedData": {
"type": "object"
},
"collectionData": {
"type": "object",
"properties": {
"tickets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"ticket": {
"type": "object"
},
"detection": {
"type": "object"
},
"attachments": {
"type": "array"
},
"texts": {
"type": "array"
}
}
}
}
}
}
}
}
}
},
"Select_Tickets": {
"runAfter": {
"Parse_JSON": [
"Succeeded"
]
},
"type": "Select",
"inputs": {
"from": "@body('Parse_JSON')?['collectionData']?['tickets']",
"select": {
"TimeGenerated": "@item()?['ticket']?['last-update.date']",
"last_update_date": "@item()?['ticket']?['last-update.date']",
"open_date": "@item()?['detection']?['open.date']",
"ticket_reference": "@item()?['ticket']?['reference']",
"ticket_key": "@item()?['ticket']?['ticketKey']",
"customer_key": "@item()?['ticket']?['customerKey']",
"collector": "@item()?['ticket']?['creation.collector']",
"detection_type": "@item()?['detection']?['type']",
"status": "@item()?['detection']?['status']",
"assets": "@item()?['detection']?['assets']",
"attachments": "@item()?['attachments']",
"ticket_raw": "@item()?['ticket']",
"detection_raw": "@item()?['detection']",
"feed_meta": "@body('Parse_JSON')?['feedData']",
"feed_id": "@{parameters('feed_id')}"
}
}
},
"HTTP_POST_to_Sentinel": {
"runAfter": {
"Select_Tickets": [
"Succeeded"
]
},
"type": "Http",
"inputs": {
"uri": "@{parameters('dce_ingestion_base_url')}/dataCollectionRules/@{parameters('dcr_immutable_id')}/streams/@{parameters('stream_name')}?api-version=2023-01-01",
"method": "POST",
"headers": {
"Content-Type": "application/json"
},
"body": "@body('Select_Tickets')",
"authentication": {
"type": "ManagedServiceIdentity",
"audience": "https://monitor.azure.com"
}
}
}
},
"outputs": {},
"parameters": {
"feed_id": {
"type": "String"
},
"api_token": {
"type": "SecureString"
},
"dce_ingestion_base_url": {
"type": "String"
},
"dcr_immutable_id": {
"type": "String"
},
"stream_name": {
"type": "String"
},
"$connections": {
"type": "Object",
"defaultValue": {}
}
}
},
"parameters": {
"feed_id": { "value": "YOUR_FEED_ID" },
"api_token": { "value": "YOUR_AXUR_API_KEY" },
"dce_ingestion_base_url": { "value": "YOUR_DCE_INGEST_URL" },
"dcr_immutable_id": { "value": "YOUR_DCR_IMMUTABLE_ID" },
"stream_name": { "value": "Custom-YOUR_TABLE_NAME" },
"$connections": { "type": "Object", "value": {} }
}
}
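As an added, offline reference (example code, not part of this tutorial, the Axur API, or the Logic App definition above), the Python script below re-implements the Select_Tickets mapping from the definition, checks the resulting rows against the custom table columns used in Step 5 and in the template, and builds the same Logs Ingestion URL that the HTTP_POST_to_Sentinel action posts to. This lets you confirm the payload shape before anything is sent to Azure Monitor. The feed response it uses is constructed for the example and follows the structure the Parse_JSON schema expects; no request is sent.

```python
"""Offline check of the Logic App mapping and target schema.

Added example, not Axur's or the Logic App's code: a Python port of the
Select_Tickets action plus a schema check against the custom table columns
from the template. SAMPLE_FEED_RESPONSE is constructed; nothing is sent.
"""
import urllib.request
from datetime import datetime

AXUR_FEED_BASE = "https://api.axur.com/gateway/1.0/api/integration-feed/feeds/feed/"

# Columns of the DCR-based custom table as declared in the template (name -> type).
TABLE_SCHEMA = {
    "TimeGenerated": "datetime", "last_update_date": "datetime", "open_date": "datetime",
    "ticket_reference": "string", "ticket_key": "string", "customer_key": "string",
    "collector": "string", "detection_type": "string", "status": "string",
    "assets": "dynamic", "attachments": "dynamic", "ticket_raw": "dynamic",
    "detection_raw": "dynamic", "feed_meta": "dynamic", "feed_id": "string",
}

# Constructed sample response: two tickets; the second lacks detection["open.date"].
SAMPLE_FEED_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_FEED_RESPONSE = {
    "feedData": {"id": SAMPLE_FEED_ID, "title": "Sample feed", "feedType": "ticket"},
    "collectionData": {"tickets": [
        {"ticket": {"reference": "https://example.com/path/sample-1", "ticketKey": "abc123",
                    "customerKey": "CUSTOMER_X", "creation.collector": "urlscan",
                    "last-update.date": "2025-09-11T13:57:30Z"},
         "detection": {"open.date": "2025-09-11T13:57:09Z", "type": "phishing",
                       "status": "closed", "assets": ["BRAND123"]},
         "attachments": [{"name": "screenshot_example_com_01.jpg",
                          "url": "https://api.axur.com/gateway/1.0/api/files/file/screenshot_example_com_01.jpg"}],
         "texts": []},
        {"ticket": {"reference": "https://example.org/contact", "ticketKey": "def456",
                    "customerKey": "CUSTOMER_X", "creation.collector": "google websearch",
                    "last-update.date": "2025-09-11T13:57:11Z"},
         "detection": {"type": "fraudulent-brand-use", "status": "closed", "assets": ["BRAND123"]},
         "attachments": [], "texts": []},
    ]},
}

def build_feed_request(api_key: str, feed_id: str) -> urllib.request.Request:
    """The request HTTP_GET_Feed sends (built only; never executed in this example)."""
    return urllib.request.Request(
        AXUR_FEED_BASE + feed_id,
        headers={"Authorization": f"Bearer {api_key}", "Accept": "application/json"},
        method="GET",
    )

def select_tickets(feed_response: dict, feed_id: str) -> list:
    """Port of Select_Tickets: one row per ticket, keyed by the table's column names.
    As with the Logic App's ?[] operators, a missing field becomes null, not an error."""
    feed_meta = feed_response.get("feedData")
    tickets = (feed_response.get("collectionData") or {}).get("tickets") or []
    rows = []
    for item in tickets:
        ticket = item.get("ticket") or {}
        detection = item.get("detection") or {}
        rows.append({
            "TimeGenerated": ticket.get("last-update.date"),
            "last_update_date": ticket.get("last-update.date"),
            "open_date": detection.get("open.date"),
            "ticket_reference": ticket.get("reference"),
            "ticket_key": ticket.get("ticketKey"),
            "customer_key": ticket.get("customerKey"),
            "collector": ticket.get("creation.collector"),
            "detection_type": detection.get("type"),
            "status": detection.get("status"),
            "assets": detection.get("assets"),
            "attachments": item.get("attachments"),
            "ticket_raw": ticket,
            "detection_raw": detection,
            "feed_meta": feed_meta,
            "feed_id": feed_id,
        })
    return rows

def ingestion_url(dce_base_url: str, dcr_immutable_id: str, stream_name: str) -> str:
    """The Logs Ingestion URL that HTTP_POST_to_Sentinel posts to."""
    return (f"{dce_base_url.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{stream_name}?api-version=2023-01-01")

def _is_datetime(value) -> bool:
    try:
        datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        return True
    except ValueError:
        return False

def validate_rows(rows: list, stream_name: str, schema: dict = TABLE_SCHEMA) -> list:
    """Return human-readable problems; an empty list means the batch fits the table."""
    problems = []
    if not stream_name.startswith("Custom-"):
        problems.append(f"stream_name {stream_name!r} must start with 'Custom-'")
    for i, row in enumerate(rows):
        for extra in sorted(set(row) - set(schema)):
            problems.append(f"row {i}: column {extra!r} is not in the table schema")
        for col, typ in schema.items():
            value = row.get(col)
            if typ == "datetime" and not _is_datetime(value):
                problems.append(f"row {i}: {col} is not a datetime: {value!r}")
            elif typ == "string" and value is not None and not isinstance(value, str):
                problems.append(f"row {i}: {col} should be a string, got {type(value).__name__}")
    return problems

if __name__ == "__main__":
    for problem in validate_rows(select_tickets(SAMPLE_FEED_RESPONSE, SAMPLE_FEED_ID),
                                 "Custom-AxurIntegration_CL"):
        print("PROBLEM:", problem)
```

Run it as-is to see the null open_date in the second constructed ticket reported; to check a real batch, paste a feed response captured with the curl command from Step 1 into SAMPLE_FEED_RESPONSE and use the stream name of your own DCR. A row that fails validate_rows would be rejected or silently mis-typed by the DCR transform, which is the kind of problem that otherwise only surfaces as an HTTP error in the HTTP_POST_to_Sentinel run history.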


3) In Azure: Create the Data Collection Endpoint (DCE)

Create a DCE in the same region as your Log Analytics Workspace. Copy the ingestion endpoint URL (base URL).

In the Azure portal:

  1. Search for Data collection endpoints → Create.

  2. Basics: select the correct Subscription, choose your Resource group (preferably the same one as the Logic App), set a Name, and choose the Region (match your Log Analytics region) → Review + create → Create.

  3. After deployment, open the DCE. In Overview, copy the Ingestion (Data Collection) endpoint base URL; you will paste it as dce_ingestion_base_url in the Logic App.


4) In Azure: Create the Log Analytics Workspace and enable Microsoft Sentinel

Create or identify a Log Analytics Workspace connected to Microsoft Sentinel.

In the Azure portal:

  1. Search for Log Analytics workspaces → Create (or select an existing one).

  2. Basics: select the correct Subscription, choose your Resource group (ideally the same one used for the Logic App/DCE), set a Name, and pick the Region (keep it consistent with the DCE and Logic App) → Review + create → Create.

  3. Enable Sentinel: go to Microsoft Sentinel → Create → choose the workspace created/selected above → Add.


5) In Azure: Create the custom Table (automatically creates the DCR)

Create a custom log table and define the schema and transformation to match the payload from the Logic App. Azure will automatically create a Data Collection Rule (DCR) attached to this table.

In the Azure portal:

  1. Open your Log Analytics workspace → Settings → Tables → Create → select Custom log (DCR-based).

  2. Name the table (for example, AxurTickets). In Logs, the table will appear with a _CL suffix (e.g., AxurTickets_CL).

  3. When prompted, select the DCE you created for ingestion routing.

  4. In Schema and transformations:

    1. Click Upload sample data, copy the JSON sample below into a file (for example, sample_output.json), and upload it:

[
{
"TimeGenerated": "2025-09-11T13:57:30Z",
"last_update_date": "2025-09-11T13:57:30Z",
"open_date": "2025-09-11T13:57:09Z",
"ticket_reference": "https://example.com/path/sample-1",
"ticket_key": "abc123",
"customer_key": "CUSTOMER_X",
"collector": "urlscan",
"detection_type": "phishing",
"status": "closed",
"assets": [
"BRAND123"
],
"attachments": [
{
"name": "screenshot_example_com_01.jpg",
"url": "https://api.axur.com/gateway/1.0/api/files/file/screenshot_example_com_01.jpg"
},
{
"name": "html_example_com_01.html",
"url": "https://api.axur.com/gateway/1.0/api/files/file/html_example_com_01.html"
},
{
"name": "whois_example_com_01.txt",
"url": "https://api.axur.com/gateway/1.0/api/files/file/whois_example_com_01.txt"
}
],
"ticket_raw": {
"reference": "https://example.com/path/sample-1",
"ticketKey": "abc123",
"customerKey": "CUSTOMER_X",
"creation.collector": "urlscan",
"last-update.date": "2025-09-11T13:57:30Z",
"creation.collection": "10000001",
"creation.originator": "collector",
"creation.date": "2023-12-07T02:01:36Z"
},
"detection_raw": {
"creation.user": "3",
"close.date": "2025-09-11T13:57:30Z",
"resolution.reason": "dns-down",
"open.date": "2025-09-11T13:57:09Z",
"assets": [
"BRAND123"
],
"type": "phishing",
"resolution": "discarded",
"status": "closed"
},
"feed_meta": {
"id": "11111111-1111-1111-1111-111111111111",
"title": "Sample feed",
"url": "https://api.axur.com/gateway/1.0/api/integration-feed/feeds/feed/11111111-1111-1111-1111-111111111111",
"lastDataRetrieved": "sample",
"createdAt": 1700000000000,
"lastRequest": 1700000100000,
"isActive": true,
"customerKey": "CUSTOMER_X",
"params": "open.date=ge:2025-09-05",
"eventDate": "open.date",
"nextPage": 2,
"lastDateRetrieved": "2025-09-11T13:57:09",
"feedType": "ticket",
"applyOnDescendants": false
},
"feed_id": "11111111-1111-1111-1111-111111111111"
},
{
"TimeGenerated": "2025-09-11T13:57:11Z",
"last_update_date": "2025-09-11T13:57:11Z",
"open_date": "2025-09-11T13:57:09Z",
"ticket_reference": "https://example.org/contact",
"ticket_key": "def456",
"customer_key": "CUSTOMER_X",
"collector": "google websearch",
"detection_type": "fraudulent-brand-use",
"status": "closed",
"assets": [
"BRAND123"
],
"attachments": [
{
"name": "whois_example_org_01.txt",
"url": "https://api.axur.com/gateway/1.0/api/files/file/whois_example_org_01.txt"
},
{
"name": "html_example_org_01.html",
"url": "https://api.axur.com/gateway/1.0/api/files/file/html_example_org_01.html"
},
{
"name": "screenshot_example_org_01.jpg",
"url": "https://api.axur.com/gateway/1.0/api/files/file/screenshot_example_org_01.jpg"
}
],
"ticket_raw": {
"reference": "https://example.org/contact",
"ticketKey": "def456",
"customerKey": "CUSTOMER_X",
"creation.collector": "google websearch",
"last-update.date": "2025-09-11T13:57:11Z",
"creation.collection": "10000002",
"creation.originator": "collector",
"creation.date": "2023-09-08T00:46:02Z"
},
"detection_raw": {
"creation.user": "3",
"close.date": "2025-09-11T13:57:11Z",
"resolution.reason": "dns-down",
"open.date": "2025-09-11T13:57:09Z",
"assets": [
"BRAND123"
],
"type": "fraudulent-brand-use",
"resolution": "discarded",
"status": "closed"
},
"feed_meta": {
"id": "22222222-2222-2222-2222-222222222222",
"title": "Sample feed",
"url": "https://api.axur.com/gateway/1.0/api/integration-feed/feeds/feed/22222222-2222-2222-2222-222222222222",
"lastDataRetrieved": "sample",
"createdAt": 1700000000000,
"lastRequest": 1700000100000,
"isActive": true,
"customerKey": "CUSTOMER_X",
"params": "open.date=ge:2025-09-05",
"eventDate": "open.date",
"nextPage": 2,
"lastDateRetrieved": "2025-09-11T13:57:09",
"feedType": "ticket",
"applyOnDescendants": false
},
"feed_id": "22222222-2222-2222-2222-222222222222"
},
{
"TimeGenerated": "2025-09-11T13:57:27Z",
"last_update_date": "2025-09-11T13:57:27Z",
"open_date": "2025-09-11T13:57:09Z",
"ticket_reference": "https://shop.example.net/",
"ticket_key": "ghi789",
"customer_key": "CUSTOMER_X",
"collector": "urlscan",
"detection_type": "phishing",
"status": "closed",
"assets": [
"BRAND123"
],
"attachments": [
{
"name": "whois_example_net_01.txt",
"url": "https://api.axur.com/gateway/1.0/api/files/file/whois_example_net_01.txt"
},
{
"name": "screenshot_example_net_01.jpg",
"url": "https://api.axur.com/gateway/1.0/api/files/file/screenshot_example_net_01.jpg"
},
{
"name": "html_example_net_01.html",
"url": "https://api.axur.com/gateway/1.0/api/files/file/html_example_net_01.html"
}
],
"ticket_raw": {
"reference": "https://shop.example.net/",
"ticketKey": "ghi789",
"customerKey": "CUSTOMER_X",
"creation.collector": "urlscan",
"last-update.date": "2025-09-11T13:57:27Z",
"creation.collection": "10000003",
"creation.originator": "collector",
"creation.date": "2023-12-11T15:23:20Z",
"tags": [
"MOBILE INSPECTION"
]
},
"detection_raw": {
"creation.user": "3",
"close.date": "2025-09-11T13:57:27Z",
"resolution.reason": "dns-down",
"open.date": "2025-09-11T13:57:09Z",
"assets": [
"BRAND123"
],
"type": "phishing",
"resolution": "discarded",
"status": "closed"
},
"feed_meta": {
"id": "33333333-3333-3333-3333-333333333333",
"title": "Sample feed",
"url": "https://api.axur.com/gateway/1.0/api/integration-feed/feeds/feed/33333333-3333-3333-3333-333333333333",
"lastDataRetrieved": "sample",
"createdAt": 1700000000000,
"lastRequest": 1700000100000,
"isActive": true,
"customerKey": "CUSTOMER_X",
"params": "open.date=ge:2025-09-05",
"eventDate": "open.date",
"nextPage": 2,
"lastDateRetrieved": "2025-09-11T13:57:09",
"feedType": "ticket",
"applyOnDescendants": false
},
"feed_id": "33333333-3333-3333-3333-333333333333"
}
]
  • Azure will infer the schema from the sample. Review field types and adjust if needed (e.g., ensure open_date and last_update_date are datetime).

  • In Transform and filter, paste the Kusto transformation below, click RUN, check the data and click Apply.

Use this Kusto projection to normalize fields:

source
| extend
last_update_date = todatetime(last_update_date),
open_date = todatetime(open_date)
| project
TimeGenerated,
last_update_date,
open_date,
ticket_reference,
ticket_key,
customer_key,
collector,
detection_type,
status,
assets,
attachments,
ticket_raw,
detection_raw,
feed_meta,
feed_id

Azure will create a DCR attached to the table. Note the exact stream name (usually Custom-<TableName>, where the table name carries the _CL suffix; the template, for example, uses Custom-AxurIntegration_CL) and copy the DCR immutable ID.


6) In Azure: Assign IAM on the DCR

Grant the Logic App’s Managed Identity permission on the DCR to send data.

Steps:

  1. Go to the DCR → Access control (IAM) → Add role assignment.

  2. Select role: prefer Monitoring Data Sender. If it is not available in your tenant, use Monitoring Metrics Publisher as a fallback.

  3. Next → Members → Select the Logic App’s managed identity (system-assigned).

  4. Review + assign. Wait 1–2 minutes for propagation.


7) In Azure: Fill Logic App parameters

With the DCR and DCE created, set all required parameters in the Logic App: dce_ingestion_base_url, dcr_immutable_id, stream_name, feed_id, api_token.

Where to set:

  • In the Logic App, open Workflow → Parameters (or Development Tools → Logic App Code view and edit the parameters block), then input the values below and save.

Values to provide:

  • DCE ingestion base URL (from the DCE Overview → Ingestion (Data Collection) endpoint).

  • DCR immutable ID (from the DCR Properties).

  • Stream name (Custom-<TableName>, from the custom table/DCR).

  • feed_id: the Feed ID you copied from Axur Platform.

  • api_token: your Axur API Key (stored as a SecureString parameter in the Logic App).

After completing all manual steps, proceed to the Validation section to verify the integration is working correctly.


Validation

After running the Logic App (either via template or manual deployment), wait a few minutes. If the feed has events, search the custom table in Logs:

  • In Sentinel Logs, run a query like: YOUR_TABLE_NAME_CL | take 10 (for example, AxurIntegration_CL).

  • Events can take up to ~10 minutes to appear in Logs after they have been collected from the feed.

  • You can check Run History in the Logic App to see if it is running successfully.

Troubleshooting tips:

  • Verify IAM assignment is propagated.

  • Ensure the Logic App managed identity is enabled.

  • Confirm DCE/DCR region matches the Log Analytics Workspace.

  • Check that stream_name matches the DCR stream of the custom table exactly (prefix Custom-; with the template this is Custom-<tableName>_CL, e.g., Custom-AxurIntegration_CL).

  • Inspect Logic App run history for HTTP errors and specifically the HTTP_POST_to_Sentinel action.


Glossary

  • Subscription

    • A billing and governance container in Azure. All resources created under it are billed to this subscription and follow its quotas and policies.

    • Choose the subscription where your security/operations team expects to manage and pay for these resources.

  • Resource Group (RG)

    • A logical container within a subscription to organize related resources (e.g., Logic App, DCE, DCR, Log Analytics).

    • Useful for applying permissions as a set and managing lifecycle (deleting the RG deletes all contained resources).

Recommendations for this tutorial

  • Billing/governance: Ensure you are deploying into the correct subscription for cost ownership and policy compliance.

  • Region consistency: Keep Logic App, DCE, DCR, and Log Analytics Workspace in the same region when possible.

  • Resource group hygiene: Use a dedicated RG (e.g., rg-sentinel-axur-<env>) to simplify access control and cleanup.

  • Naming and tags: Apply consistent names and tags (e.g., env, owner, costCenter) for tracking and cost attribution.

  • Environments: Validate in a test/staging subscription/RG before promoting to production.

  • Region

    • The geographic location where Azure resources run. Keep all components (Logic App, DCE, DCR, Log Analytics Workspace) co-located when possible to reduce latency and issues.

  • Logic App (Consumption)

    • An Azure workflow service billed per execution and action. Used here to pull Axur feed data and send it to Azure Monitor ingestion.

  • Managed Identity (System-assigned)

    • An identity tied to the Logic App resource, used to securely authenticate to Azure services (e.g., Azure Monitor) without secrets.

  • Data Collection Endpoint (DCE)

    • The Azure Monitor ingestion endpoint you post data to. You will copy its ingestion base URL for the Logic App parameter.

  • Data Collection Rule (DCR) and Immutable ID

    • A rule defining how data is collected and routed to a Log Analytics table, created when you define the custom table. The DCR has an immutable ID required by the ingestion API.

  • Stream name (Custom-<TableName>)

    • The DCR stream associated with your custom table. Use this exact stream name in the Logic App parameters.

  • Log Analytics Workspace and custom table

    • Workspace stores logs; custom tables created via DCR-based custom logs appear in Queries with the _CL suffix (e.g., AxurTickets_CL).

  • Microsoft Sentinel

    • SIEM/SOAR on top of Log Analytics. Enabling Sentinel on a workspace may introduce additional analytics charges.

  • Kusto Query Language (KQL)

    • The query language for Log Analytics. The transformation you add at table creation shapes incoming data; later you query with KQL in Logs.

  • IAM role on the DCR

    • Grant the Logic App’s managed identity Monitoring Data Sender on the DCR (or Monitoring Metrics Publisher as fallback) so it can send data.

  • Azure Monitor ingestion

    • The service receiving data via the DCE. The Logic App posts to the DCR stream using the DCE base URL and DCR immutable ID.

  • Workflow parameters used here

    • feed_id: your Axur Feed ID.

    • api_token: your Axur API Key.

    • dce_ingestion_base_url: base URL from the DCE.

    • dcr_immutable_id: the target DCR’s immutable ID.

    • stream_name: the DCR stream (e.g., Custom-AxurTickets).


If you have any questions, feel free to reach out at [email protected] 😊