Create a Data Collection Endpoint (DCE) and a Data Collection Rule (DCR) with a custom stream targeting a Log Analytics workspace table in the Azure portal or via ARM.
Note the DCR Immutable ID from the DCR Overview page and the DCE ingestion endpoint URI.
Create an Entra ID app registration, grant it the Monitoring Metrics Publisher role on the DCR, and obtain a bearer token via the OAuth2 client-credentials flow.
POST a JSON array of log objects to {DCE-URI}/dataCollectionRules/{DCR-immutable-id}/streams/{stream-name}?api-version=2023-01-01 with Content-Type: application/json and Authorization: Bearer YOUR_TOKEN.
Validate ingestion by querying the target custom table in Sentinel Log Analytics within a few minutes; use the DCR Monitoring workbook to check ingestion failures.
Known gotchas
The legacy HTTP Data Collector API (workspace key-based) is being retired; new integrations must use the Logs Ingestion API with a DCR — do not use the old shared-key approach.
The stream name in the POST URL must exactly match the stream defined in the DCR; a mismatch returns HTTP 404 rather than a descriptive error.
A DCE is required when the workspace uses private link or when the DCR was created without kind: Direct; confirm which applies before coding the endpoint URL.
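The token and POST steps above, together with the stream-name gotcha, as an added Python example using only the standard library (not code from the original page). The token endpoint URL and the https://monitor.azure.com/.default scope are not stated on the page and are filled in here as assumptions; the function names are hypothetical.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "2023-01-01"                          # api-version from the POST URL above
TOKEN_SCOPE = "https://monitor.azure.com/.default"  # assumption: not stated on the page

def build_token_request(tenant_id, client_id, client_secret):
    """OAuth2 client-credentials request to the Entra ID v2.0 token endpoint (assumed URL)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": TOKEN_SCOPE,
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=form, method="POST")

def build_ingest_request(dce_uri, dcr_immutable_id, stream_name, records, token):
    """POST a JSON array of log objects to the DCR stream."""
    if not isinstance(records, list):
        raise TypeError("body must be a JSON array: pass a list of log objects")
    stream = urllib.parse.quote(stream_name, safe="")
    url = (f"{dce_uri.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
           f"/streams/{stream}?api-version={API_VERSION}")
    headers = {"Content-Type": "application/json",
               "Authorization": f"Bearer {token}"}
    return urllib.request.Request(url, data=json.dumps(records).encode(),
                                  headers=headers, method="POST")

def explain_failure(status, stream_name):
    """Turn a bare HTTP status into the likely cause (hypothetical helper)."""
    if status == 404:
        return (f"HTTP 404: stream '{stream_name}' must exactly match the "
                "stream defined in the DCR")
    if status in (401, 403):
        return (f"HTTP {status}: check the token and the Monitoring Metrics "
                "Publisher role on the DCR")
    return f"HTTP {status}: check the DCR Monitoring workbook for ingestion failures"

def send(request, stream_name=""):
    """Send a prepared request; raise with a descriptive message on an HTTP error."""
    try:
        with urllib.request.urlopen(request, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        raise RuntimeError(explain_failure(err.code, stream_name)) from err
```

Read the client secret from the environment or a secret store rather than source, pass `json.loads(body)["access_token"]` from the token response as `token`, and call `send()` on the ingest request.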