Microsoft Sentinel Integration

Trapster has no dedicated Sentinel settings page. Forward events using one of these patterns:

Option 1 - Syslog (Enterprise)

  1. Configure a syslog destination in Trapster: Settings > Integrations > Syslog
  2. Point it at a log forwarder that Sentinel collects from. For new deployments use a Linux collector running the Azure Monitor Agent with the Sentinel "Common Event Format (CEF) via AMA" data connector; the legacy Log Analytics agent (MMA) is retired. Any CEF-capable forwarder that can reach your workspace works.
  3. Confirm the events land in the CommonSecurityLog table of your Sentinel workspace, then map the CEF fields into your analytics rules.

See Syslog for Trapster-side fields.

Option 2 - Custom webhook (Enterprise)

Use Settings > Integrations > Webhooks > Custom to POST incident JSON to an Azure Function, Logic App, or other middleware that writes to your workspace. The middleware can call the Log Analytics HTTP Data Collector API (custom tables ending in _CL), but note that Microsoft has deprecated that API in favour of the Logs Ingestion API with data collection rules, so prefer the latter for new builds. Because the webhook endpoint is reachable from the Trapster host, restrict it (function key, shared secret, or IP allow-list) so that only Trapster can inject events.

Option 3 - API logger (Community)

POST events from Community Edition using the API logger, then normalise them in your Azure pipeline (Function or Logic App) before ingestion, so that Community and Enterprise deployments end up with the same column names in Sentinel.
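The following is an added example that serves both Option 2 and Option 3; it is not Trapster's or Microsoft's own code. It takes a honeypot incident as posted by the webhook or API logger, flattens it into a single-level record, and builds a signed request for the HTTP Data Collector API (the URL, headers and HMAC-SHA256 string-to-sign are the ones Microsoft documents for that API). The incident fields, the workspace ID, the shared key and the `TrapsterEvents` log type are placeholders constructed for illustration, not Trapster's schema.

```python
"""Forward a Trapster incident to a Log Analytics custom table.

Added example, not Trapster's or Microsoft's code. The incident layout,
workspace ID, shared key and log type below are constructed placeholders.
"""
import base64
import datetime
import hashlib
import hmac
import json
import re
import urllib.request

RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"

# Placeholders (assumption): a real workspace ID is a GUID and the shared
# key is the base64 value shown in the workspace's "Agents" blade.
DEMO_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
DEMO_SHARED_KEY = base64.b64encode(b"fake-shared-key").decode()

# Constructed sample incident; field names are an assumption for illustration.
SAMPLE_INCIDENT = {
    "id": "inc-0001",
    "timestamp": "2024-05-01T12:34:56Z",
    "channel": "ssh",
    "src_ip": "203.0.113.7",
    "dst_port": 22,
    "data": {"username": "root", "password": "toor"},
}


def validate_log_type(log_type: str) -> bool:
    """Log-Type becomes the table name <log_type>_CL; the API only accepts
    letters, digits and underscores, up to 100 characters."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,100}", log_type) is not None


def rfc1123_now(now=None) -> str:
    """x-ms-date must be an RFC 1123 UTC timestamp; the service rejects
    requests whose date is more than a few minutes off its own clock."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return now.strftime("%a, %d %b %Y %H:%M:%S GMT")


def build_signature(workspace_id: str, shared_key: str, date: str,
                    content_length: int, method: str = "POST",
                    content_type: str = "application/json") -> str:
    """Authorization header for the Data Collector API.

    String-to-sign (fixed by the API):
      METHOD\\n<content-length>\\n<content-type>\\nx-ms-date:<date>\\n/api/logs
    signed with HMAC-SHA256 under the base64-decoded workspace shared key.
    """
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{date}\n{RESOURCE}")
    digest = hmac.new(base64.b64decode(shared_key),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def flatten_incident(incident: dict) -> dict:
    """Reduce an incident to one flat record.

    The API infers a type per top-level key and suffixes the column
    (_s string, _d number, _b bool, _t datetime), which is why the KQL
    example on this page reads channel_s and src_ip_s. Nested objects are
    kept as a JSON string so nothing is dropped; use parse_json() in KQL.
    """
    record = {}
    for key, value in incident.items():
        if isinstance(value, (dict, list)):
            record[key] = json.dumps(value, sort_keys=True)
        else:
            record[key] = value
    return record


def build_request(workspace_id: str, shared_key: str, log_type: str,
                  records: list, now=None):
    """Return (url, headers, body) for one batched POST; the body is a JSON array."""
    if not validate_log_type(log_type):
        raise ValueError(f"invalid Log-Type: {log_type!r}")
    body = json.dumps(records).encode("utf-8")
    date = rfc1123_now(now)
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": date,
        # Use the event's own time as TimeGenerated instead of ingest time.
        "time-generated-field": "timestamp",
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{RESOURCE}?api-version={API_VERSION}")
    return url, headers, body


def send(workspace_id: str, shared_key: str, log_type: str, incidents: list) -> int:
    """POST a batch of incidents; returns the HTTP status (200 on success)."""
    url, headers, body = build_request(workspace_id, shared_key, log_type,
                                       [flatten_incident(i) for i in incidents])
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    url, headers, body = build_request(DEMO_WORKSPACE_ID, DEMO_SHARED_KEY,
                                       "TrapsterEvents",
                                       [flatten_incident(SAMPLE_INCIDENT)])
    print(url, headers["Authorization"], body.decode(), sep="\n")
```

Drop `send` into an HTTP-triggered Azure Function and call it with the parsed webhook body; batch several incidents per call when the honeypot is noisy, since each POST is signed and rate-limited independently. Keep the shared key in Key Vault or the Function's application settings, never in the code.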

Sentinel query examples

After ingestion, field names depend on your parser. Example KQL against a custom table:

```kusto
TrapsterEvents_CL
| summarize count() by channel_s, src_ip_s
| order by count_ desc
```

Adjust table and column names to match your ingestion mapping: the `_CL` suffix is added to custom tables, and the `_s` suffix marks string columns when the table is fed through the Data Collector API; a Logs Ingestion API table uses the column names defined in its data collection rule instead.