Version: 2.12.1

Microsoft Sentinel – SIEM Integration

Free integration setup: we’ll install and validate this for you.
Book a setup call

Overview

Superna Data Security Edition + Microsoft Sentinel provides native SIEM ingestion of ransomware alerts using Azure Logic Apps and Log Analytics. Your SOC team can search, correlate, and automatically turn Superna alerts into Sentinel Incidents, enabling unified response across storage, identity, and endpoint signals.

Free white-glove setup

We’ll install and validate this integration at no charge so you can start seeing value immediately.
Next step: use the Book a setup call button at the top of this page.


What You Get

  • Native Sentinel ingestion of ransomware alerts.
  • Custom Log Analytics table to store structured Superna event fields (user, IPs, shares, files, severity).
  • Analytics Rules → Sentinel Incidents based on CRITICAL or MAJOR alert severity.
  • Correlation-ready JSON for KQL queries, dashboards, and workbooks.
  • SOC-ready workflows that tie storage alerts into Microsoft Defender XDR, UEBA, and Identity logs.
[Screenshot: Microsoft Sentinel alert example]

How It Works

  1. Webhook → Logic App
    Superna Data Security Edition sends a POST webhook to a Logic App HTTPS trigger.

  2. Transform → Log Analytics
    The Logic App stores the payload in a custom table (e.g., Superna_ZT_CL) inside Azure Log Analytics.

  3. Analytics Rule → Incident
    A Sentinel Analytics Rule detects CRITICAL or MAJOR events in the table and auto-creates a Sentinel Incident.

  4. SOC Investigation
    Analysts can pivot into:

    • User information
    • Client IPs, shares, files
    • Defender XDR host context
    • Related UEBA/Identity or network events

Architecture / Flow


Components

  • Superna Data Security Edition – Detects storage-layer threats and sends alerts via webhook.
  • Azure Logic App – Receives webhook payload and writes structured data into a custom Log Analytics table.
  • Azure Log Analytics Workspace – Stores all Zero Trust alert details for KQL search, dashboards, and analytics rules.
  • Microsoft Sentinel – Runs Analytics Rules that generate Incidents when Zero Trust alerts match defined criteria.
  • SOC Analyst Workflow – Investigates incidents and correlates with endpoint, identity, and network telemetry.

FAQs

Do I need to deploy any VM or runtime?

No—this integration is entirely cloud-native. Logic Apps handle ingestion, and Log Analytics stores the alert data.

What table do Zero Trust alerts land in?

A custom table such as Superna_ZT_CL is created in your Log Analytics workspace. All Superna fields are stored as columns or JSON.

How do I create a Sentinel Incident?

You configure a Sentinel Analytics Rule using a KQL query that inspects Superna_ZT_CL for severity thresholds or Zero Trust alert types.
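As an added illustration (not a query shipped by Superna or Microsoft), this is the shape of a scheduled Analytics Rule query over Superna_ZT_CL that groups CRITICAL or MAJOR events per user and client IP so the resulting Incident carries the entities an analyst pivots on; the column names Severity_s, UserName_s, ClientIP_s, SharePath_s and FilePath_s are assumptions, so check the table schema under Logs and map them to the columns your Logic App actually writes.

```kql
// Added example, not a query from Superna or Microsoft.
// Assumed column names: Severity_s, UserName_s, ClientIP_s, SharePath_s, FilePath_s.
// Verify the schema of Superna_ZT_CL in Logs and adjust before saving the rule.
Superna_ZT_CL
| where TimeGenerated > ago(1h)                  // match the rule's lookback period
| where Severity_s in~ ("CRITICAL", "MAJOR")     // severity threshold, case-insensitive
| summarize
    EventCount  = count(),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    Shares      = make_set(SharePath_s, 20),     // cap the set so one noisy user can't bloat the alert
    SampleFiles = make_set(FilePath_s, 10),
    // max() on the string would pick "MAJOR" alphabetically, so rank explicitly
    MaxSeverity = iff(countif(Severity_s =~ "CRITICAL") > 0, "CRITICAL", "MAJOR")
    by UserName_s, ClientIP_s
// In the rule wizard, map UserName_s to the Account entity and ClientIP_s to the IP entity
| project MaxSeverity, EventCount, FirstSeen, LastSeen, UserName_s, ClientIP_s, Shares, SampleFiles
| order by MaxSeverity asc, EventCount desc      // CRITICAL rows first, busiest users next
```

Set the rule's query frequency and lookback to the same value (here one hour) and enable alert grouping by the entity columns, so repeated events from the same user and IP land in one Incident rather than many.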

Can I enrich incidents with Defender XDR?

Yes—Sentinel correlates Superna’s storage-layer alerts with identity events, host telemetry, UEBA signals, and any other logs in your workspace.

Can I test the integration?

Yes—Superna can send a test event. It should appear in Log Analytics → Logs and then trigger the Analytics Rule to create a Sentinel Incident.