
Microsoft Sentinel v2 export configuration


Guide for Microsoft Sentinel v2 log export

Last updated on 09 Jan, 2026

1) Register the OGO log export application

1. In Azure, type "App Registration" in the search bar. Create an App Registration for OGO.

2. Create a key (client secret) under "Certificates & secrets". Copy its value, which will be your clientAppSecret in OGO.
⚠️ Note: you will not be able to view it again.

3. In "Overview", also copy the "Application (client) ID", which will be your clientAppId, and the "Directory (tenant) ID", which will be your tenantId in OGO.

2) Create a Data Collection Endpoint

1. Type "DCE" in the search bar (for "Data Collection Endpoints"). Create an endpoint for the OGO log export.

In "Overview", copy the URI under "Logs Ingestion", which will be your dataCollectionEndpoint in OGO.

3) Create a Data Collection Rule

1. Type "Log analytics workspaces" in the search bar. Select the workspace you want to use.

Go to "Tables" in the left menu, then select "Create" > "New Custom Log (DCR-Based)".

2. Under "Data collection rule", create a new data collection rule named "ogo-collection".

3. Upload the file "ogo-log-export-example-sentinel-v2.json", which you will find in OGO under My organization > Log Export > Microsoft Sentinel v2.

Complete the creation of the table.

4. Still in "Log analytics workspaces", go to "Access control (IAM)".

Then click "Add role assignment". Select the "Monitoring Metrics Publisher" role and click "Next".

5. Under "Select members", use the search field to find the OGO application created in 1).

Finish with "Review + assign".

6. Go back to the "Overview" of your DCR.

In "JSON View", retrieve "properties.immutableId", which will be your dcrImmutableId, and "dataFlows.streams", which will be your dcrStreamName in OGO.
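
Added example (not part of the original guide and not OGO's code): a pre-flight check for the five values collected above that flags common copy mistakes and builds the token and Logs Ingestion API requests those values feed into. The sample values, the stream name "Custom-OgoLogs_CL" and the public-cloud host suffix are assumptions made for illustration.

```python
import json, re, urllib.parse, urllib.request

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def check_config(cfg):
    """Return a list of problems found in the five OGO export values."""
    problems = []
    for key in ("tenantId", "clientAppId"):
        if not GUID.match(cfg.get(key, "")):
            problems.append(f"{key}: expected a GUID")
    secret = cfg.get("clientAppSecret", "")
    # Azure lists a secret's Value next to its Secret ID (a GUID); only the Value authenticates.
    if not secret or GUID.match(secret):
        problems.append("clientAppSecret: empty or a GUID (Secret ID copied instead of Value?)")
    dce = urllib.parse.urlsplit(cfg.get("dataCollectionEndpoint", ""))
    # Assumption: public Azure cloud; sovereign clouds use a different host suffix.
    if dce.scheme != "https" or not (dce.hostname or "").endswith(".ingest.monitor.azure.com"):
        problems.append("dataCollectionEndpoint: expected the https Logs Ingestion URI")
    if not re.match(r"^dcr-[0-9a-f]{32}$", cfg.get("dcrImmutableId", ""), re.I):
        problems.append("dcrImmutableId: expected 'dcr-' plus 32 hex characters")
    if not cfg.get("dcrStreamName", "").startswith("Custom-"):
        problems.append("dcrStreamName: custom streams start with 'Custom-'")
    return problems

def token_request(cfg):
    """OAuth2 client-credentials request for an Azure Monitor access token."""
    url = f"https://login.microsoftonline.com/{cfg['tenantId']}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": cfg["clientAppId"],
            "client_secret": cfg["clientAppSecret"], "scope": "https://monitor.azure.com/.default"}
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")

def ingestion_request(cfg, token, records):
    """Logs Ingestion API call: POST a JSON array of records to the DCR stream."""
    url = (f"{cfg['dataCollectionEndpoint'].rstrip('/')}/dataCollectionRules/"
           f"{cfg['dcrImmutableId']}/streams/{cfg['dcrStreamName']}?api-version=2023-01-01")
    return urllib.request.Request(url, data=json.dumps(records).encode(), method="POST",
                                  headers={"Authorization": f"Bearer {token}",
                                           "Content-Type": "application/json"})

# Constructed sample values, not real identifiers.
SAMPLE = {"tenantId": "11111111-1111-1111-1111-111111111111",
          "clientAppId": "22222222-2222-2222-2222-222222222222",
          "clientAppSecret": "constructed-secret-value",
          "dataCollectionEndpoint": "https://ogo-dce-ab12.westeurope-1.ingest.monitor.azure.com",
          "dcrImmutableId": "dcr-" + "0" * 32,
          "dcrStreamName": "Custom-OgoLogs_CL"}

if __name__ == "__main__":
    print(check_config(SAMPLE) or "configuration values look consistent")
```

Sending either request with urllib.request.urlopen needs network access and real values; the Logs Ingestion API answers an accepted batch with HTTP 204.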

4) Final configuration example

Image

 
