This guide provides a high-level overview of a suggested approach for sending Splashtop SIEM logs to Microsoft Sentinel using Splashtop SIEM Push Mode. It outlines the recommended Azure resources, middleware flow, custom Log Analytics table configuration, and validation steps needed to confirm that Splashtop events are successfully reaching Sentinel.
Supported Subscriptions
- Splashtop Enterprise
- Splashtop AEM (Enterprise)
Before you begin
Splashtop SIEM Push Mode sends logs to a public HTTPS middleware endpoint. The middleware authenticates to Azure, normalizes the request, and forwards the data to the Azure Monitor Logs Ingestion API. Azure then routes the logs through a Data Collection Rule into a custom Log Analytics table used by Microsoft Sentinel.
Integration flow
Prerequisites
- An Azure subscription.
- A Log Analytics workspace.
- Microsoft Sentinel enabled on that workspace.
- Permissions to create custom tables, Data Collection Rules (DCRs), Data Collection Endpoints (DCEs), App Registrations, and IAM role assignments.
- Access to Splashtop SIEM Logging in the Splashtop web console.
Implementation steps
In the Log Analytics workspace, go to:
Settings > Tables > Create > New custom log
| Setting | Recommendation |
|---|---|
| Table plan | Analytics |
| Example name | Splashtop |
| Resulting table | Splashtop_CL |
| Sample format | Elastic Common Schema (ECS) |
Upload the ECS sample JSON when Azure requests a sample file.
Expected warning: Azure may display “TimeGenerated field is not found in the sample provided.” This is expected and must be resolved in the Transformation editor, as shown in the next step, before creating the table.
Open the Transformation editor and use this KQL transformation:
source
| extend TimeGenerated = todatetime(substring(tostring(event.original), 0, 23))
| project TimeGenerated, labels, event, client, destination, user, service, message
This parses the event time from the beginning of
event.original
and creates the mandatory Azure TimeGenerated column.
After running the preview, confirm that TimeGenerated
is populated,
apply the transformation, and continue with table creation.
The Data Collection Endpoint (DCE) provides the Azure ingestion endpoint. The Data Collection Rule (DCR) defines the incoming stream schema, KQL transformation, destination Log Analytics workspace, and output custom table.
Record the following values for the middleware configuration:
- DCE ingestion endpoint.
- DCR immutable ID.
-
Stream name, for example
Custom-Splashtop_CL.
Create a Microsoft Entra App Registration for the middleware. This application will be used by the Azure Function, Logic App, or other middleware service to authenticate to the Azure Monitor Logs Ingestion API.
When creating the App Registration, use:
- Supported account types: Single tenant only.
After the App Registration is created, record the following values:
- Application (client) ID.
- Directory (tenant) ID.
These values will be needed later when the middleware requests an Azure access token.
Next, create a client secret under:
Certificates & secrets > Client secrets > New client secret
Copy and store the client secret value. This value is only shown once and will be required by the middleware. Do not use the secret ID.
The middleware requests an OAuth token using:
https://monitor.azure.com/.default
Assign this app permission to the DCR
The App Registration must be allowed to send data to the Data Collection Rule. On the DCR, go to:
Access control (IAM) > Add role assignment
| Property | Value |
|---|---|
| Role | Monitoring Metrics Publisher |
| Member | The App Registration / Service Principal |
| Scope | The Data Collection Rule |
Assign this role on the DCR used by the ingestion request, not on the custom table. No delegated API permissions or redirect URI are required for this client credentials flow.
The Azure Logs Ingestion API requires Microsoft Entra authentication and expects records to be sent as a JSON array. Customers should therefore not normally enter the DCE/DCR ingestion URL directly in Splashtop.
The middleware must receive the Splashtop request, authenticate to Azure Monitor, wrap the event as an array, forward it to the Logs Ingestion API, and return a successful response to Splashtop.
| Option | Best suited for | Complexity |
|---|---|---|
| Azure Logic Apps Consumption | Low-code setup and low or moderate volume | Low |
| Azure Functions | Custom logic, higher volume, and code-based control | Medium |
| Existing integration platform | Customers with an established webhook, iPaaS, or integration service | Varies |
| Azure API Management | Enterprise API governance and policy control | High |
Customers may use any secure middleware that can obtain an Azure access token and forward the payload in the required format.
Important payload requirement
Azure expects an array of records:
[
{
"message": "Example event"
}
]
Azure ingestion URL pattern
<DCE ingestion endpoint>
/dataCollectionRules/<DCR immutable ID>
/streams/<stream name>
?api-version=2023-01-01
If using Azure Logic Apps Consumption as the middleware, create a workflow that receives the Splashtop request, obtains an Azure access token, wraps the event as a JSON array, and forwards it to the Azure Logs Ingestion API.
At a high level, the Logic App workflow should include the following actions:
-
HTTP trigger: Use the trigger
When an HTTP request is received. This creates the public HTTPS endpoint that will later be entered in Splashtop. -
Compose action: Convert the incoming Splashtop
event into an array before forwarding it to Azure.
createArray(triggerBody()) -
HTTP action to request an Azure token: Send
a
POSTrequest to the Microsoft Entra token endpoint using the App Registration details created earlier.https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/tokenThe request should use the client credentials flow with the following scope:
https://monitor.azure.com/.default -
HTTP action to forward the log to Azure:
Send a
POSTrequest to the Logs Ingestion API URL using the DCE ingestion endpoint, DCR immutable ID, and stream name.<DCE ingestion endpoint> /dataCollectionRules/<DCR immutable ID> /streams/<stream name> ?api-version=2023-01-01
The final HTTP request to Azure should include:
Authorization: Bearer <Azure access token>
Content-Type: application/json
The request body should use the output from the Compose action, so the Splashtop event is sent to Azure as an array.
After saving the Logic App, copy the HTTP trigger URL. This is the URL that should be entered in the Splashtop SIEM Push Mode configuration, not the Azure DCE/DCR ingestion URL.
When configuring the client credentials request, use the client secret value from the App Registration. Do not use the secret ID.
Once the middleware endpoint is available, configure Splashtop to send SIEM events to that endpoint.
In the Splashtop web console, go to:
Management > SIEM Logging > Create
| Setting | Recommendation |
|---|---|
| Mode | Push |
| Integration | Others |
| URL | Middleware HTTPS endpoint |
| Log format | Elastic Common Schema |
| Authentication token | Optional, depending on middleware design |
The Splashtop URL field may already display the
https://
prefix.
Avoid entering it twice. Do not enter the Azure DCE/DCR ingestion
URL directly unless the receiving service can handle Azure
OAuth
authentication and the required array-based payload format.
Generate Splashtop events such as a team member login, remote session start and end, group assignment, file transfer, or configuration change.
Basic validation query
Splashtop_CL
| where ingestion_time() > ago(30m)
| order by ingestion_time() desc
| project TimeGenerated, message, labels, event, client, destination, user, service, ingestion_time()
| take 20
Operational view
Splashtop_CL
| where ingestion_time() > ago(30m)
| order by ingestion_time() desc
| project
TimeGenerated,
IngestionTime = ingestion_time(),
message,
user_email = tostring(user.email),
client_ip = tostring(client.ip),
client_device = tostring(client.user.device),
destination_device = tostring(destination.user.device),
destination_platform = tostring(destination.user.platform),
event_action = tostring(event.action),
event_category = tostring(event.category),
event_original = tostring(event.original)
| take 20
Troubleshooting
Verification fails and the middleware receives no request
- Verify the complete middleware URL.
-
Check for a duplicated
https://prefix. - Confirm all required URL query parameters or signatures are included.
- Confirm the endpoint is publicly reachable.
Middleware succeeds, but logs do not appear
- Confirm the final Azure request returns HTTP 204.
- Confirm the DCR immutable ID and stream name are correct.
- Confirm the App Registration has Monitoring Metrics Publisher on the DCR.
- Confirm the payload is sent as a JSON array.
- Check DCR metrics for ingestion requests and transform errors.
Transform errors appear
- Confirm the incoming payload matches the DCR stream declaration.
- Confirm Elastic Common Schema is selected in Splashtop.
- Confirm the middleware forwards JSON, not a quoted JSON string.
- Confirm the DCR output matches the destination table schema.
Only the message field is populated
This usually means Splashtop Common Schema was selected while the table expects ECS nested fields. Switch the Splashtop Push Mode format to Elastic Common Schema.
Recommended final configuration
| Component | Recommended configuration |
|---|---|
| Splashtop log format | Elastic Common Schema |
| Custom table | Splashtop_CL |
| Table columns | TimeGenerated, labels, event, client, destination, user, service, message |
| DCR transformation |
Parse TimeGenerated from event.original
|
| Middleware | Receive request, authenticate to Azure, wrap as an array, and forward to the Logs Ingestion API. |