Set up Splashtop SIEM with Microsoft Sentinel

This guide provides a high-level overview of a suggested approach for sending Splashtop SIEM logs to Microsoft Sentinel using Splashtop SIEM Push Mode. It outlines the recommended Azure resources, middleware flow, custom Log Analytics table configuration, and validation steps needed to confirm that Splashtop events are successfully reaching Sentinel.

Supported Subscriptions

  • Splashtop Enterprise
  • Splashtop AEM (Enterprise)

Before you begin

Splashtop SIEM Push Mode sends logs to a public HTTPS middleware endpoint. The middleware authenticates to Azure, normalizes the request, and forwards the data to the Azure Monitor Logs Ingestion API. Azure then routes the logs through a Data Collection Rule into a custom Log Analytics table used by Microsoft Sentinel.

Integration flow

Splashtop SIEM Push ModeMiddleware HTTPS endpointAzure Logs Ingestion APIDCE + DCRLog Analytics table: Splashtop_CLMicrosoft Sentinel

Prerequisites

  • An Azure subscription.
  • A Log Analytics workspace.
  • Microsoft Sentinel enabled on that workspace.
  • Permissions to create custom tables, Data Collection Rules (DCRs), Data Collection Endpoints (DCEs), App Registrations, and IAM role assignments.
  • Access to Splashtop SIEM Logging in the Splashtop web console.

Implementation steps

1. Create the custom Log Analytics table

In the Log Analytics workspace, go to:

Settings > Tables > Create > New custom log
Setting Recommendation
Table plan Analytics
Example name Splashtop
Resulting table Splashtop_CL
Sample format Elastic Common Schema (ECS)

Upload the ECS sample JSON when Azure requests a sample file.

Download ECS sample JSON

Expected warning: Azure may display “TimeGenerated field is not found in the sample provided.” This is expected and must be resolved in the Transformation editor, as shown in the next step, before creating the table.

2. Configure the KQL transformation

Open the Transformation editor and use this KQL transformation:

source
| extend TimeGenerated = todatetime(substring(tostring(event.original), 0, 23))
| project TimeGenerated, labels, event, client, destination, user, service, message

This parses the event time from the beginning of event.original and creates the mandatory Azure TimeGenerated column.

After running the preview, confirm that TimeGenerated is populated, apply the transformation, and continue with table creation.

3. Create or select the Data Collection Endpoint and Data Collection Rule

The Data Collection Endpoint (DCE) provides the Azure ingestion endpoint. The Data Collection Rule (DCR) defines the incoming stream schema, KQL transformation, destination Log Analytics workspace, and output custom table.

Record the following values for the middleware configuration:

  • DCE ingestion endpoint.
  • DCR immutable ID.
  • Stream name, for example Custom-Splashtop_CL.
4. Configure Microsoft Entra authentication

Create a Microsoft Entra App Registration for the middleware. This application will be used by the Azure Function, Logic App, or other middleware service to authenticate to the Azure Monitor Logs Ingestion API.

When creating the App Registration, use:

  • Supported account types: Single tenant only.

After the App Registration is created, record the following values:

  • Application (client) ID.
  • Directory (tenant) ID.

These values will be needed later when the middleware requests an Azure access token.

Next, create a client secret under:

Certificates & secrets > Client secrets > New client secret

Copy and store the client secret value. This value is only shown once and will be required by the middleware. Do not use the secret ID.

The middleware requests an OAuth token using:

https://monitor.azure.com/.default

Assign this app permission to the DCR

The App Registration must be allowed to send data to the Data Collection Rule. On the DCR, go to:

Access control (IAM) > Add role assignment
Property Value
Role Monitoring Metrics Publisher
Member The App Registration / Service Principal
Scope The Data Collection Rule

Assign this role on the DCR used by the ingestion request, not on the custom table. No delegated API permissions or redirect URI are required for this client credentials flow.

5. Middleware options and payload requirements

The Azure Logs Ingestion API requires Microsoft Entra authentication and expects records to be sent as a JSON array. Customers should therefore not normally enter the DCE/DCR ingestion URL directly in Splashtop.

The middleware must receive the Splashtop request, authenticate to Azure Monitor, wrap the event as an array, forward it to the Logs Ingestion API, and return a successful response to Splashtop.

Option Best suited for Complexity
Azure Logic Apps Consumption Low-code setup and low or moderate volume Low
Azure Functions Custom logic, higher volume, and code-based control Medium
Existing integration platform Customers with an established webhook, iPaaS, or integration service Varies
Azure API Management Enterprise API governance and policy control High

Customers may use any secure middleware that can obtain an Azure access token and forward the payload in the required format.

Important payload requirement

Azure expects an array of records:

[
  {
    "message": "Example event"
  }
]

Azure ingestion URL pattern

<DCE ingestion endpoint>
/dataCollectionRules/<DCR immutable ID>
/streams/<stream name>
?api-version=2023-01-01
6. Example middleware setup using Azure Logic Apps Consumption

If using Azure Logic Apps Consumption as the middleware, create a workflow that receives the Splashtop request, obtains an Azure access token, wraps the event as a JSON array, and forwards it to the Azure Logs Ingestion API.

At a high level, the Logic App workflow should include the following actions:

  1. HTTP trigger: Use the trigger When an HTTP request is received. This creates the public HTTPS endpoint that will later be entered in Splashtop.
  2. Compose action: Convert the incoming Splashtop event into an array before forwarding it to Azure.
    createArray(triggerBody())
  3. HTTP action to request an Azure token: Send a POST request to the Microsoft Entra token endpoint using the App Registration details created earlier.
    https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/token

    The request should use the client credentials flow with the following scope:

    https://monitor.azure.com/.default
  4. HTTP action to forward the log to Azure: Send a POST request to the Logs Ingestion API URL using the DCE ingestion endpoint, DCR immutable ID, and stream name.
    <DCE ingestion endpoint>
    /dataCollectionRules/<DCR immutable ID>
    /streams/<stream name>
    ?api-version=2023-01-01

The final HTTP request to Azure should include:

Authorization: Bearer <Azure access token>
Content-Type: application/json

The request body should use the output from the Compose action, so the Splashtop event is sent to Azure as an array.

After saving the Logic App, copy the HTTP trigger URL. This is the URL that should be entered in the Splashtop SIEM Push Mode configuration, not the Azure DCE/DCR ingestion URL.

When configuring the client credentials request, use the client secret value from the App Registration. Do not use the secret ID.

7. Configure Splashtop SIEM Push Mode

Once the middleware endpoint is available, configure Splashtop to send SIEM events to that endpoint.

In the Splashtop web console, go to:

Management > SIEM Logging > Create
Setting Recommendation
Mode Push
Integration Others
URL Middleware HTTPS endpoint
Log format Elastic Common Schema
Authentication token Optional, depending on middleware design

The Splashtop URL field may already display the https:// prefix. Avoid entering it twice. Do not enter the Azure DCE/DCR ingestion URL directly unless the receiving service can handle Azure OAuth authentication and the required array-based payload format.

8. Validate the integration

Generate Splashtop events such as a team member login, remote session start and end, group assignment, file transfer, or configuration change.

Basic validation query

Splashtop_CL
| where ingestion_time() > ago(30m)
| order by ingestion_time() desc
| project TimeGenerated, message, labels, event, client, destination, user, service, ingestion_time()
| take 20

Operational view

Splashtop_CL
| where ingestion_time() > ago(30m)
| order by ingestion_time() desc
| project
    TimeGenerated,
    IngestionTime = ingestion_time(),
    message,
    user_email = tostring(user.email),
    client_ip = tostring(client.ip),
    client_device = tostring(client.user.device),
    destination_device = tostring(destination.user.device),
    destination_platform = tostring(destination.user.platform),
    event_action = tostring(event.action),
    event_category = tostring(event.category),
    event_original = tostring(event.original)
| take 20

Troubleshooting

Troubleshooting

Verification fails and the middleware receives no request

  • Verify the complete middleware URL.
  • Check for a duplicated https:// prefix.
  • Confirm all required URL query parameters or signatures are included.
  • Confirm the endpoint is publicly reachable.

Middleware succeeds, but logs do not appear

  • Confirm the final Azure request returns HTTP 204.
  • Confirm the DCR immutable ID and stream name are correct.
  • Confirm the App Registration has Monitoring Metrics Publisher on the DCR.
  • Confirm the payload is sent as a JSON array.
  • Check DCR metrics for ingestion requests and transform errors.

Transform errors appear

  • Confirm the incoming payload matches the DCR stream declaration.
  • Confirm Elastic Common Schema is selected in Splashtop.
  • Confirm the middleware forwards JSON, not a quoted JSON string.
  • Confirm the DCR output matches the destination table schema.

Only the message field is populated

This usually means Splashtop Common Schema was selected while the table expects ECS nested fields. Switch the Splashtop Push Mode format to Elastic Common Schema.

Component Recommended configuration
Splashtop log format Elastic Common Schema
Custom table Splashtop_CL
Table columns TimeGenerated, labels, event, client, destination, user, service, message
DCR transformation Parse TimeGenerated from event.original
Middleware Receive request, authenticate to Azure, wrap as an array, and forward to the Logs Ingestion API.
2 out of 2 found this helpful