
Srinivas Kondepudi

How to stream Claude Code audit logs into Microsoft Sentinel (with Chron)

If your team uses Claude Code (or any MCP-based AI tool), those sessions are currently invisible to your security stack. No SIEM events. No audit trail. Nothing.

Chron fixes that. It's an MCP server that logs every AI session to a local SQLite database and can relay structured metadata events to your SIEM. This post walks through the Azure Sentinel integration end to end.

What gets logged

Chron transmits metadata only, never message content:

Event             Fields
session_started   session ID prefix, AI tool, timestamp, OS
message_logged    role (user/assistant), session ID prefix
secret_detected   detection type, masked value

Prerequisites

  • Chron installed (npm install -g chron-mcp or via npx)

  • Azure subscription with a Log Analytics workspace

  • App Registration with a client secret

Azure setup (5 steps)

  • Create a Data Collection Endpoint (DCE) — Azure Portal > Monitor > Data Collection Endpoints > Create

  • Create a custom table — Log Analytics workspace > Tables > Create > New custom log (MMA-based) — name it ChronEvents_CL, add columns: EventType, SessionIdPrefix, AiTool, OS, ChronVersion, Computer, Role, DetectionType, MaskedValue (all string type)

  • Create a Data Collection Rule (DCR) — Monitor > Data Collection Rules > Create, point the stream Custom-ChronEvents_CL to your workspace table

  • Assign role — on the DCR resource, add your App Registration as Monitoring Metrics Publisher

  • Note down your Tenant ID, Client ID, Client Secret, DCE URL, and DCR Immutable ID (starts with dcr-)

Connect Chron

chron connect sentinel

The CLI prompts for your credentials, authenticates against Azure AD, sends a test event, and patches ~/.claude.json automatically. You should see the test event in Log Analytics within 5-10 minutes (first ingestion into a new custom table can take up to 15 min).
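As an added example (not Chron's own code; the post does not show Chron's internals), the Node script below does by hand what the Azure setup and `chron connect sentinel` arrange: it builds the three event types with exactly the columns the custom table declares, rejects any field that is not a declared column so message content cannot slip into the relay, assembles the Logs Ingestion API URL from the DCE URL and the DCR immutable ID, and posts a batch with a client-credentials token for the App Registration. The `CHRON_*` environment variable names, the sample session context and the assumption that the DCR stream declaration includes a `TimeGenerated` datetime column are mine, not Chron's.

```javascript
// Added example (not Chron's code): metadata-only events for ChronEvents_CL, sent via the
// Azure Monitor Logs Ingestion API. Node 18+ assumed; env var names and samples are constructed.

// Custom table columns from the setup step; TimeGenerated is the standard timestamp column
// (assumption: the DCR stream declaration declares it as datetime).
const CHRON_COLUMNS = new Set(["TimeGenerated", "EventType", "SessionIdPrefix", "AiTool", "OS",
  "ChronVersion", "Computer", "Role", "DetectionType", "MaskedValue"]);
const EVENT_TYPES = new Set(["session_started", "message_logged", "secret_detected"]);

// Keep four leading characters so the credential family is recognisable; the rest never leaves the box.
function maskSecret(value) {
  const keep = Math.min(4, value.length);
  return value.slice(0, keep) + "*".repeat(value.length - keep);
}

// Assemble one event. Every key must be a declared column: an undeclared key is silently
// dropped by the DCR, and a key such as Content would mean message text is being relayed.
function buildEvent(eventType, fields, ctx) {
  if (!EVENT_TYPES.has(eventType)) throw new Error(`unknown event type: ${eventType}`);
  const event = {
    TimeGenerated: new Date().toISOString(), EventType: eventType,
    SessionIdPrefix: ctx.sessionId.slice(0, 8), AiTool: ctx.aiTool, OS: ctx.os,
    ChronVersion: ctx.chronVersion, Computer: ctx.computer, ...fields,
  };
  for (const key of Object.keys(event)) {
    if (!CHRON_COLUMNS.has(key)) throw new Error(`${key} is not a ChronEvents_CL column`);
  }
  return event;
}

// Logs Ingestion API endpoint: DCE URL + DCR immutable id (dcr-..., not the ARM resource id)
// + the stream the DCR declares for the table.
function ingestUrl(dceUrl, dcrImmutableId, stream) {
  if (!dcrImmutableId.startsWith("dcr-")) throw new Error("expected the DCR immutable id (dcr-...)");
  if (!stream.startsWith("Custom-")) throw new Error("custom table streams are named Custom-<Table>");
  return `${dceUrl.replace(/\/$/, "")}/dataCollectionRules/${dcrImmutableId}/streams/${stream}?api-version=2023-01-01`;
}

// Client-credentials token for the App Registration, scoped to the Azure Monitor audience.
async function getToken(tenantId, clientId, clientSecret) {
  const res = await fetch(`https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ grant_type: "client_credentials", client_id: clientId,
      client_secret: clientSecret, scope: "https://monitor.azure.com/.default" }),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return (await res.json()).access_token;
}

// POST a batch; success is 204. A 403 almost always means Monitoring Metrics Publisher is
// missing on the DCR itself rather than the workspace.
async function sendEvents(cfg, events) {
  const token = await getToken(cfg.tenantId, cfg.clientId, cfg.clientSecret);
  const res = await fetch(ingestUrl(cfg.dceUrl, cfg.dcrImmutableId, "Custom-ChronEvents_CL"), {
    method: "POST",
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: JSON.stringify(events),
  });
  if (res.status === 403) throw new Error("403: check the Monitoring Metrics Publisher role on the DCR");
  if (res.status !== 204) throw new Error(`ingestion failed: ${res.status} ${await res.text()}`);
  return res.status;
}

// Constructed session context; a real relay fills this from the MCP session.
const SAMPLE_CTX = { sessionId: "8f3a2c1d-4e5b-6a7c-8d9e-0f1a2b3c4d5e", aiTool: "claude-code",
  os: process.platform, chronVersion: "0.0.0-example", computer: "dev-laptop-01" };

function sampleBatch() {
  return [
    buildEvent("session_started", {}, SAMPLE_CTX),
    buildEvent("message_logged", { Role: "user" }, SAMPLE_CTX),
    buildEvent("secret_detected", { DetectionType: "aws_access_key",
      MaskedValue: maskSecret("AKIAIOSFODNN7EXAMPLE") }, SAMPLE_CTX),
  ];
}

// Sends only when the constructed env vars are set, so the file is safe to load in tests.
if (process.env.CHRON_DCE_URL) {
  const cfg = { tenantId: process.env.CHRON_TENANT_ID, clientId: process.env.CHRON_CLIENT_ID,
    clientSecret: process.env.CHRON_CLIENT_SECRET, dceUrl: process.env.CHRON_DCE_URL,
    dcrImmutableId: process.env.CHRON_DCR_ID };
  sendEvents(cfg, sampleBatch()).then((s) => console.log("ingestion status", s), (e) => console.error(e.message));
}
```

Run it with the five values from the last setup step in the environment; without them it only builds the batch. A 403 from the ingestion endpoint is the role-assignment mistake the post calls out, while a 204 with nothing arriving in the table usually means a property name that the stream declaration does not know about, which is why the column check happens before the request rather than after.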

Verify in Log Analytics

ChronEvents_CL
| order by TimeGenerated desc
| take 10

If the table doesn't appear yet, check the DCR > Monitoring tab for ingestion errors. The most common issue is a missing Monitoring Metrics Publisher role on the DCR (not the workspace).

What you get

Once connected, every Claude Code session generates a real-time stream of events in your Sentinel workspace. You can build workbooks, alerts, and hunting queries on top of it — e.g. alert when EventType == "secret_detected", or track AI tool adoption across your org by machine ID.
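Tying the verification step and the alert idea above together, as an added example that is not part of the post or of Chron: the script runs the post's verification query and a scheduled-rule version of the `EventType == "secret_detected"` alert through the Log Analytics Query API, then groups the returned rows per machine and session prefix so a session that trips the detector repeatedly yields one alert with a count instead of one alert per occurrence. It assumes Node 18+, a workspace ID in `CHRON_WORKSPACE_ID` and a bearer token for `https://api.loganalytics.io` in `CHRON_QUERY_TOKEN` (for instance from `az account get-access-token --resource https://api.loganalytics.io`); the identity needs read access to the workspace, which the Monitoring Metrics Publisher assignment on the DCR does not grant. The environment variable names and the sample response are constructed.

```javascript
// Added example, not part of the post or of Chron: run the verification query and the
// secret_detected alert via the Log Analytics Query API and evaluate the rows locally.
// Node 18+ assumed; env var names and the sample response are constructed.

const QUERY_API = "https://api.loganalytics.io/v1/workspaces";

// The post's verification query, bounded with a lookback so it stays cheap to rerun.
const VERIFY_KQL = `ChronEvents_CL
| where TimeGenerated > ago(1h)
| order by TimeGenerated desc
| take 10`;

// The alert the post suggests, in the shape a scheduled analytics rule would use.
const SECRET_ALERT_KQL = `ChronEvents_CL
| where TimeGenerated > ago(1h)
| where EventType == "secret_detected"
| project TimeGenerated, EventType, Computer, AiTool, SessionIdPrefix, DetectionType, MaskedValue
| order by TimeGenerated desc`;

async function runQuery(workspaceId, token, query) {
  const res = await fetch(`${QUERY_API}/${workspaceId}/query`, {
    method: "POST",
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: JSON.stringify({ query }),
  });
  if (!res.ok) throw new Error(`query failed: ${res.status} ${await res.text()}`);
  return res.json();
}

// The Query API returns column-oriented tables; convert PrimaryResult into row objects.
function tableToRows(response) {
  const tables = response.tables || [];
  const table = tables.find((t) => t.name === "PrimaryResult") || tables[0];
  if (!table) return [];
  const names = table.columns.map((c) => c.name);
  return table.rows.map((r) => Object.fromEntries(names.map((n, i) => [n, r[i]])));
}

// Group detections per machine and session prefix: one alert per session with a count,
// the set of detection types seen, and the newest timestamp (a tuning choice, not Chron's).
function secretAlerts(rows) {
  const bySession = new Map();
  for (const r of rows) {
    if (r.EventType !== "secret_detected") continue;
    const key = `${r.Computer}|${r.SessionIdPrefix}`;
    const cur = bySession.get(key) || {
      Computer: r.Computer, SessionIdPrefix: r.SessionIdPrefix, AiTool: r.AiTool,
      count: 0, detectionTypes: new Set(), latest: "",
    };
    cur.count += 1;
    cur.detectionTypes.add(r.DetectionType);
    if (r.TimeGenerated > cur.latest) cur.latest = r.TimeGenerated;
    bySession.set(key, cur);
  }
  return [...bySession.values()]
    .map((a) => ({ ...a, detectionTypes: [...a.detectionTypes].sort() }))
    .sort((a, b) => b.count - a.count);
}

// Constructed Query API response in the shape the real endpoint returns (column types simplified).
const SAMPLE_RESPONSE = {
  tables: [{
    name: "PrimaryResult",
    columns: ["TimeGenerated", "EventType", "Computer", "AiTool", "SessionIdPrefix",
      "DetectionType", "MaskedValue"].map((name) => ({ name, type: "string" })),
    rows: [
      ["2025-01-01T10:05:00Z", "secret_detected", "dev-laptop-01", "claude-code", "8f3a2c1d", "aws_access_key", "AKIA" + "*".repeat(16)],
      ["2025-01-01T10:04:00Z", "secret_detected", "dev-laptop-01", "claude-code", "8f3a2c1d", "github_token", "ghp_" + "*".repeat(36)],
      ["2025-01-01T09:50:00Z", "secret_detected", "build-agent-07", "claude-code", "c0ffee11", "aws_access_key", "AKIA" + "*".repeat(16)],
    ],
  }],
};

function sampleAlerts() {
  return secretAlerts(tableToRows(SAMPLE_RESPONSE));
}

// Live path, only when the constructed env vars are present.
if (process.env.CHRON_WORKSPACE_ID && process.env.CHRON_QUERY_TOKEN) {
  (async () => {
    const ws = process.env.CHRON_WORKSPACE_ID, tok = process.env.CHRON_QUERY_TOKEN;
    const recent = tableToRows(await runQuery(ws, tok, VERIFY_KQL));
    console.log(`${recent.length} recent ChronEvents_CL rows`);
    for (const a of secretAlerts(tableToRows(await runQuery(ws, tok, SECRET_ALERT_KQL)))) console.log(a);
  })().catch((e) => console.error(e.message));
}
```

The grouping step is the part worth keeping once the query moves into a Sentinel analytics rule: the same `summarize` by Computer and SessionIdPrefix in KQL keeps a single chatty session from paging the on-call several times for what is one incident, and the masked value in the alert is enough to tell an analyst which credential family to rotate without the secret itself ever having left the developer's machine.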

Issues can be logged here: https://github.com/SirinivasK/chron

[Image: AI session logs from Chron to Azure]

Top comments (2)

Harjot Singh

Great to see tools like Chron addressing the audit trail gap for AI sessions. Having that level of visibility is crucial for security. If you're looking to spin up a secure app, Moonshift lets you deploy a Next.js + Postgres + auth build in about 7 minutes, and you own the code. Happy to offer a free run if you're interested.

Srinivas Kondepudi

Thanks, glad Chron resonated. The audit trail problem for AI sessions is real and almost nobody is solving it properly yet.

Moonshift looks interesting. We are in early access with Nitivai and actively looking for design partners who want to run a real AI governance assessment on their environment. If you are open to piloting Nitivai, connecting your stack and seeing what it surfaces, I would be happy to take you up on the free Moonshift run in return. Two builders trying each other's tools.

Drop me a message if that is worth exploring.