Home / Knox Asset Intelligence / Dashboard / Security / SOC enablement / Sentinel /

Configure Knox Asset Intelligence

Last updated August 5th, 2025

This step requires data from your Sentinel environment. Do not proceed unless you’ve completed all of the steps in the Sentinel configuration process.

Connect to Sentinel

After you’ve configured Sentinel, you’re ready to configure your Knox Asset Intelligence console. From your Dashboard Settings, do the following:

  1. Go to the Security tab, then enable Microsoft Sentinel Integration.

  2. Enter your Sentinel deployment data in the appropriate fields.

    • Azure tenant ID = Directory ID in Entra ID applications.

    • Client ID = Application ID in Entra ID applications.

    • Client secret = Secret ID in Entra ID applications.

      If you set up Certificate authentication in your Entra ID app, click the Certificate-based authentication method and skip this field.

    • Sentinel URL (Data Collection Endpoint) = Log ingestion URL in Sentinel data connectors.

    • Sentinel Data Collections Rule (DCR) ID = Immutable ID in Sentinel data connectors.

      To help prevent a disconnection with your Microsoft Sentinel environment, you’ll receive a reminder email when your authentication certificate nears its expiration date. By default, the reminder is sent 60 days before certificate expiration.

  3. Click TEST CONNECTION. If the information you entered matches the data in your Sentinel environment, then you’ll see a Connected status.

    KAI settings

    When Security center detects a connection error with your Microsoft Sentinel environment, you’ll see a Not connected status, along with a failure reason. If the connection failure is note resolved within seven days, your connection will be terminated (the Enable Microsoft Sentinel Integration option will be toggled off).

Configure Security log settings

Essential security events

After you’ve established a connection with Sentinel, you can choose which events get sent to your Security Operations Center. To do this:

  1. (Optional) Select the Device group you want to send data for. If no groups is selected, then security events will be sent for all devices in the fleet.

  2. Select your event types:

    • Essential Security Events: When you select this option, a list of 13 events curated by the Samsung Knox team is automatically selected for you. This list balances both device performance and log pressure in your Sentinel environment.
    • Advanced Configuration: When you select this option, the Essential Security Events are automatically selected. You can choose to add additional advanced security events, remove essential events, or send all security event signals to your Sentinel environment. Click Update to add advanced security events.

    advanced security events

    Selecting all events will increase your log sizes and Sentinel data consumption.

  3. Click SAVE to confirm your security log settings.

On this page

Is this page helpful?