apifirewall_log_1_CL
| where TimeGenerated >= ago(30d)
| where Status_d == 429
API requests generating a server error
Kusto
apifirewall_log_1_CL
| where TimeGenerated >= ago(30d)
| where Status_d >= 500 and Status_d <= 599
API requests failing JWT validation
Kusto
apifirewall_log_1_CL
| where TimeGenerated >= ago(30d)
| where Error_Message_s contains "missing [\"x-access-token\"]"
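The three sample queries above each answer one question in isolation. The following query is an added example (not part of the connector documentation) that folds the same three conditions into one hourly breakdown, which is a more useful shape for a workbook chart or as the basis of a scheduled analytics rule; it assumes only the columns the sample queries already use (TimeGenerated, Status_d, Error_Message_s).

```kusto
// Hourly counts of rate-limited, server-error and JWT-failure API requests
// over the last 30 days, classified with the same predicates as the
// individual sample queries. Rows that match none of them are dropped.
apifirewall_log_1_CL
| where TimeGenerated >= ago(30d)
| extend Category = case(
    Status_d == 429, "rate_limited",
    Status_d >= 500 and Status_d <= 599, "server_error",
    Error_Message_s contains "missing [\"x-access-token\"]", "jwt_missing_token",
    "other")
| where Category != "other"
| summarize Requests = count() by bin(TimeGenerated, 1h), Category
// For an analytics rule, replace the two lines below with a threshold such as
// | where Requests > 100   (tune to your API's normal traffic)
| order by TimeGenerated asc
| render timechart
```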
Vendor installation instructions
Step 1: Read the detailed documentation
The installation process is documented in detail in the GitHub repository Microsoft Sentinel integration. Consult this repository to understand the installation and debugging of the integration.
Step 2: Retrieve the workspace access credentials
The first installation step is to retrieve both your Workspace ID and Primary Key from the Microsoft Sentinel platform.
Copy the values shown below and save them for configuration of the API log forwarder integration.
Step 3: Install the 42Crunch protection and log forwarder
The next step is to install the 42Crunch protection and log forwarder to protect your API. Both components are available as containers from the 42Crunch repository. The exact installation depends on your environment; consult the 42Crunch protection documentation for full details. Two common installation scenarios are described below:
To test the data ingestion, deploy the sample httpbin application alongside the 42Crunch protection and log forwarder, described in detail here.
4.1 Install the sample
The sample application can be installed locally using a Docker Compose file that installs the httpbin API server, the 42Crunch API protection, and the Microsoft Sentinel log forwarder. Set the environment variables as required using the values copied from step 2.
4.2 Run the sample
Verify that the API protection is connected to the 42Crunch platform, and then exercise the API locally on localhost port 8080 using curl or a similar tool. You should see a mixture of passing and failing API calls.
4.3 Verify the data ingestion on Log Analytics
After approximately 20 minutes, open the Log Analytics workspace on your Microsoft Sentinel installation, locate the Custom Logs section, and verify that an apifirewall_log_1_CL table exists. Use the sample queries to examine the data.
Next steps
For more information, go to the related solution in the Azure Marketplace.
Learn about supported data connectors, like Microsoft Defender XDR (formerly Microsoft 365 Defender), Microsoft 365 and Office 365, Microsoft Entra ID, ATP, and Defender for Cloud Apps to Microsoft Sentinel.