Piscium

Microsoft Sentinel Integration

Native integration with Microsoft Sentinel via the Log Analytics Data Collector API. Piscium streams validated exposures, attack graph snapshots, and remediation events into custom Sentinel tables. Analytics rules can correlate Piscium findings with Defender, Entra ID, and Azure activity logs for enriched threat detection.

Why Microsoft Sentinel?

Organizations invested in the Microsoft security ecosystem gain unified visibility by combining Sentinel's threat intelligence and SOAR playbooks with Piscium's validated exposure data. Analysts see confirmed exploitable paths alongside their existing Sentinel incidents — no context switching required.

Example Scenario

Sentinel detects a suspicious sign-in from an anomalous location to an Entra ID (formerly Azure AD) administrator account. A Sentinel analytics rule built from a Piscium template correlates that sign-in with a validated exposure showing that the same admin account holds excessive privileges over an OT management subnet. A Sentinel automation rule raises the incident severity and runs a Logic App playbook that creates a Piscium remediation task to revoke the over-privileged access.
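The correlation in this scenario, written out as an added example rather than a Sentinel analytics rule or KQL template shipped with the Piscium connector. It does in Python what the rule would do in KQL: join risky, successful admin sign-ins against validated, still-pending Piscium exposures on the same account and raise the severity when both are present. The `principal` field on the exposure events, the sign-in record shape (a subset of Sentinel SigninLogs columns such as UserPrincipalName, RiskLevelDuringSignIn and ResultType), the severity ladder and the shape of the remediation task are assumptions; all sample records are constructed.

```python
"""Correlate risky admin sign-ins with open Piscium exposures (added example).

Not a Piscium KQL template.  Assumed, not from the page: the `principal` field
on exposure events, the SigninLogs-like sign-in shape, the severity ladder and
the remediation task shape.  All records below are constructed.
"""

SEVERITY_LADDER = ["informational", "low", "medium", "high", "critical"]
RISKY_LEVELS = {"medium", "high"}

# Constructed sample sign-ins, shaped like Sentinel SigninLogs rows.
# ResultType "0" is a successful sign-in; any other code is a failure.
SIGNINS = [
    {"TimeGenerated": "2026-03-14T09:02:11Z", "UserPrincipalName": "OT-Admin@corp.local",
     "RiskLevelDuringSignIn": "high", "Location": "RU", "ResultType": "0"},
    {"TimeGenerated": "2026-03-14T09:05:40Z", "UserPrincipalName": "jdoe@corp.local",
     "RiskLevelDuringSignIn": "none", "Location": "US", "ResultType": "0"},
    {"TimeGenerated": "2026-03-14T09:07:03Z", "UserPrincipalName": "svc-backup@corp.local",
     "RiskLevelDuringSignIn": "high", "Location": "BR", "ResultType": "50126"},
]

# Constructed sample Piscium events in the page's payload shape plus an
# assumed `principal` field naming the account the exposure belongs to.
EXPOSURES = [
    {"event": "exposure.validated", "exposure_id": "EXP-2026-00387", "severity": "high",
     "principal": "ot-admin@corp.local", "affected_asset": "az-mgmt-vm-02.corp.local",
     "attack_path_id": "AG-0984", "blast_radius": 8, "remediation_status": "pending"},
    {"event": "exposure.validated", "exposure_id": "EXP-2026-00391", "severity": "medium",
     "principal": "jdoe@corp.local", "affected_asset": "fileshare-01.corp.local",
     "attack_path_id": "AG-0990", "blast_radius": 2, "remediation_status": "pending"},
    {"event": "exposure.validated", "exposure_id": "EXP-2026-00350", "severity": "high",
     "principal": "svc-backup@corp.local", "affected_asset": "bkp-01.corp.local",
     "attack_path_id": "AG-0971", "blast_radius": 5, "remediation_status": "remediated"},
]


def elevate(severity, steps=1):
    """Move a severity up the ladder by `steps`, capped at the top."""
    i = SEVERITY_LADDER.index(severity.lower())
    return SEVERITY_LADDER[min(i + steps, len(SEVERITY_LADDER) - 1)]


def open_exposures_by_principal(exposures):
    """Index validated, still-pending exposures by lower-cased principal.

    UPNs are case-insensitive, so the join key is normalised on both sides.
    """
    index = {}
    for e in exposures:
        if e["event"] != "exposure.validated" or e["remediation_status"] != "pending":
            continue
        index.setdefault(e["principal"].lower(), []).append(e)
    return index


def correlate(signins, exposures):
    """Return one incident per (risky successful sign-in, open exposure) pair."""
    index = open_exposures_by_principal(exposures)
    incidents = []
    for s in signins:
        if s["ResultType"] != "0":            # failed sign-in: the attacker did not get in
            continue
        if s["RiskLevelDuringSignIn"] not in RISKY_LEVELS:
            continue
        for e in index.get(s["UserPrincipalName"].lower(), []):
            incidents.append({
                "principal": e["principal"],
                "signin_time": s["TimeGenerated"],
                "signin_location": s["Location"],
                "exposure_id": e["exposure_id"],
                "attack_path_id": e["attack_path_id"],
                "affected_asset": e["affected_asset"],
                # Sign-in and exposure are each one severity alone; together they are worse.
                "severity": elevate(e["severity"]),
                # What the playbook would hand to Piscium (assumed task shape).
                "remediation_task": {"exposure_id": e["exposure_id"],
                                     "action": "revoke_excess_privileges"},
            })
    return incidents


if __name__ == "__main__":
    for incident in correlate(SIGNINS, EXPOSURES):
        print(incident)
```

Only the OT admin produces an incident: the second sign-in is not risky, and the third failed, so its account's exposure is never joined (it was also already remediated). In KQL the equivalent filters are `ResultType == "0"`, `RiskLevelDuringSignIn in ("medium", "high")` and a `join` on the lower-cased UPN.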

Implementation Notes

Requires a Log Analytics workspace and a registered Entra ID application (client credentials flow). Piscium writes to custom tables under the Piscium_ prefix with the _CL suffix that Log Analytics appends to every custom table (for example Piscium_CL). Supports Sentinel workspaces in all Azure commercial regions. Recommended: build Sentinel analytics rules from the Piscium KQL query templates provided in the connector setup wizard.

Two caveats for the deployment team. The Data Collector API itself authenticates each request with the workspace ID and the workspace shared key (an HMAC-SHA256 signature), not with an Entra ID application; an app registration using client credentials is the authentication model of the Azure Monitor Logs Ingestion API, which posts to a data collection endpoint through a data collection rule and needs the Monitoring Metrics Publisher role on that rule. Microsoft has deprecated the Data Collector API in favour of the Logs Ingestion API, so confirm in the setup wizard which path the connector uses. Either way, the shared key or client secret can write arbitrary records into the workspace: keep it in Key Vault, rotate it, and scope the role assignment to the single data collection rule the connector needs.

Webhook Payload Example

{
  "event": "exposure.validated",
  "timestamp": "2026-03-14T09:15:00Z",
  "exposure_id": "EXP-2026-00387",
  "severity": "high",
  "cvss_score": 8.1,
  "cve": "CVE-2025-29813",
  "affected_asset": "az-mgmt-vm-02.corp.local",
  "attack_path_id": "AG-0984",
  "blast_radius": 8,
  "remediation_status": "pending"
}
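How an event in the payload shape above reaches a Piscium_CL table through the Data Collector API named in the implementation notes, as an added example; this is not Piscium's connector code. The Data Collector API signs each POST with the workspace ID and the workspace's base64 shared key (HMAC-SHA256 over the method, content length, content type, x-ms-date header and resource path), and the Log-Type header selects the table, to which Log Analytics appends _CL. The placeholder workspace ID and key and the sample event are constructed; the API version, endpoint host and header names are those of the Data Collector API.

```python
"""Post a Piscium webhook event to Log Analytics via the HTTP Data Collector API.

Added example, not Piscium's connector code.  Assumed: the placeholder workspace
ID and shared key below, and a constructed copy of the page's sample payload.
The signing scheme, endpoint and headers are the Data Collector API's own.
"""
import base64
import datetime as dt
import hashlib
import hmac
import json

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"
LOG_TYPE = "Piscium"  # Log-Type header; records land in the Piscium_CL table

# Constructed sample: the webhook payload shown on the page.
SAMPLE_EVENT = {
    "event": "exposure.validated",
    "timestamp": "2026-03-14T09:15:00Z",
    "exposure_id": "EXP-2026-00387",
    "severity": "high",
    "cvss_score": 8.1,
    "cve": "CVE-2025-29813",
    "affected_asset": "az-mgmt-vm-02.corp.local",
    "attack_path_id": "AG-0984",
    "blast_radius": 8,
    "remediation_status": "pending",
}

# Placeholders (assumed).  A real workspace ID is the workspace GUID and a real
# key is the base64 string from the workspace's Agents blade.  The key can write
# arbitrary records into the workspace, so never hard-code it outside a demo.
DEMO_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
DEMO_SHARED_KEY = base64.b64encode(b"\x00" * 32).decode("ascii")


def table_name(log_type):
    """Custom tables carry a mandatory _CL suffix: Log-Type 'Piscium' -> 'Piscium_CL'."""
    return f"{log_type}_CL"


def string_to_sign(method, content_length, content_type, date_rfc1123, resource):
    """Canonical string the Data Collector API signs, one field per line."""
    return f"{method}\n{content_length}\n{content_type}\nx-ms-date:{date_rfc1123}\n{resource}"


def sign(workspace_id, shared_key, method, content_length, content_type,
         date_rfc1123, resource=RESOURCE):
    """Return the Authorization value: 'SharedKey <workspace id>:<base64 HMAC-SHA256>'."""
    key = base64.b64decode(shared_key)  # the portal shows the key base64-encoded
    msg = string_to_sign(method, content_length, content_type, date_rfc1123, resource)
    digest = hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"


def verify(authorization, workspace_id, shared_key, method, content_length,
           content_type, date_rfc1123, resource=RESOURCE):
    """Recompute the signature as the service does; constant-time comparison."""
    expected = sign(workspace_id, shared_key, method, content_length,
                    content_type, date_rfc1123, resource)
    return hmac.compare_digest(authorization, expected)


def build_request(workspace_id, shared_key, events, now=None):
    """Return (url, headers, body) for one POST; the body is a JSON array of records."""
    body = json.dumps(events).encode("utf-8")
    now = now or dt.datetime.now(dt.timezone.utc)
    date_rfc1123 = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": sign(workspace_id, shared_key, "POST", len(body),
                              "application/json", date_rfc1123),
        "Log-Type": LOG_TYPE,
        "x-ms-date": date_rfc1123,
        # Use the event's own timestamp as TimeGenerated rather than ingestion time.
        "time-generated-field": "timestamp",
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body


def demo_request():
    """Deterministic request for the sample event at a fixed clock."""
    fixed = dt.datetime(2026, 3, 14, 9, 15, tzinfo=dt.timezone.utc)
    return build_request(DEMO_WORKSPACE_ID, DEMO_SHARED_KEY, [SAMPLE_EVENT], now=fixed)


if __name__ == "__main__":
    url, headers, body = demo_request()
    print("POST", url)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(body.decode("utf-8"))
    # With real credentials: urllib.request.urlopen(urllib.request.Request(
    #     url, data=body, headers=headers, method="POST")).status == 200
```

Running the block prints the signed request without sending it; verify shows the check the service performs, so any change to the body length or date invalidates the header. If the connector in fact uses an Entra ID application with client credentials, the request is a POST to a data collection endpoint carrying a bearer token instead, and the shared-key step does not apply.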

Ready to Connect Microsoft Sentinel?

See the integration running live in your environment.