If your team uses Claude Code (or any MCP-based AI tool), those sessions are currently invisible to your security stack. No SIEM events. No audit trail. Nothing.
Chron fixes that. It's an MCP server that logs every AI session to a local SQLite database and can relay structured metadata events to your SIEM. This post walks through the Azure Sentinel integration end to end.
What gets logged
Chron transmits metadata only, never message content:
| Event | Fields |
|---|---|
| session_started | session ID prefix, AI tool, timestamp, OS |
| message_logged | role (user/assistant), session ID prefix |
| secret_detected | detection type, masked value |
Prerequisites
- Chron installed (`npm install -g chron-mcp` or via `npx`)
- Azure subscription with a Log Analytics workspace
- App Registration with a client secret
Azure setup (5 steps)
1. Create a Data Collection Endpoint (DCE): Azure Portal > Monitor > Data Collection Endpoints > Create
2. Create a custom table: Log Analytics workspace > Tables > Create > New custom log (MMA-based). Name it ChronEvents_CL and add columns: EventType, SessionIdPrefix, AiTool, OS, ChronVersion, Computer, Role, DetectionType, MaskedValue (all string type)
3. Create a Data Collection Rule (DCR): Monitor > Data Collection Rules > Create, point the stream Custom-ChronEvents_CL to your workspace table
4. Assign role: on the DCR resource, add your App Registration as Monitoring Metrics Publisher
5. Note down your Tenant ID, Client ID, Client Secret, DCE URL, and DCR Immutable ID (starts with dcr-)
Connect Chron
```
chron connect sentinel
```
The CLI prompts for your credentials, authenticates against Azure AD, sends a test event, and patches ~/.claude.json automatically. You should see the test event in Log Analytics within 5-10 minutes (first ingestion into a new custom table can take up to 15 min).
Verify in Log Analytics
```
ChronEvents_CL
| order by TimeGenerated desc
| take 10
```
If the table doesn't appear yet, check the DCR > Monitoring tab for ingestion errors. The most common issue is a missing Monitoring Metrics Publisher role on the DCR (not the workspace).
What you get
Once connected, every Claude Code session generates a real-time stream of events in your Sentinel workspace. You can build workbooks, alerts, and hunting queries on top of it — e.g. alert when EventType == "secret_detected", or track AI tool adoption across your org by machine ID.
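The two uses named above (flagging secret_detected and tracking adoption per machine) combined in one query, as an added example that is not part of the original post or of Chron itself. It uses only the table and column names from the setup steps and assumes Chron populates Computer on every event; the 7-day window and the 20-item cap are arbitrary choices.

```kql
// Added example: daily per-machine activity from ChronEvents_CL.
// Assumption: Computer is filled in on every event type.
ChronEvents_CL
| where TimeGenerated > ago(7d)
| summarize
    // distinct sessions opened on this machine that day
    Sessions = dcountif(SessionIdPrefix, EventType == "session_started"),
    // AI tools seen in those sessions (adoption tracking)
    AiTools = make_set_if(AiTool, EventType == "session_started", 20),
    // message volume (metadata only, no content is stored)
    Messages = countif(EventType == "message_logged"),
    // secret detections and which detection types fired
    SecretsDetected = countif(EventType == "secret_detected"),
    DetectionTypes = make_set_if(DetectionType, EventType == "secret_detected", 20)
  by Computer, Day = bin(TimeGenerated, 1d)
// Rows with NeedsReview == true are the ones to alert on
| extend NeedsReview = SecretsDetected > 0
| order by SecretsDetected desc, Day desc
```

To use it as an analytics rule, append `| where NeedsReview` and shorten the lookback to match the rule's run frequency.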
Issues can be logged here: https://github.com/SirinivasK/chron
