Lookout Mobile Threat Defense for Microsoft Sentinel

Solution: Lookout



Publisher: Lookout
Support Tier: Partner
Support Link: https://www.lookout.com/support
Categories: domains
Version: 3.0.2
Author: Lookout
First Published: 2021-10-18
Last Updated: 2026-04-24
Solution Folder: Lookout
Marketplace: Azure Marketplace · Rating: ★☆☆☆☆ 1.0/5 (2 ratings) · Popularity: 🔵 Medium (50%)

The Lookout solution ingests Lookout events into Microsoft Sentinel through the Mobile Risk API. The events it retrieves help you examine potential mobile security risks. Refer to the API documentation for more information.

Underlying Microsoft technologies used:

This solution takes a dependency on the following technologies; some of these dependencies may be in Preview or may result in additional ingestion or operational costs:

a. Azure Monitor HTTP Data Collector API

b. Microsoft Sentinel Codeless Connector Platform

NOTE: Microsoft recommends installing "LookoutStreaming_Definition" (via the Codeless Connector Framework). This connector is built on the Codeless Connector Framework (CCF), which uses the Log Ingestion API and replaces ingestion via the deprecated HTTP Data Collector API. CCF-based data connectors also support Data Collection Rules (DCRs), which offer transformations and enrichment.

Important: the updated connector(s) can coexist with their legacy versions, but running both at once results in duplicated data ingestion. Disable the older versions of these connectors to avoid duplicate data.
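A quick way to confirm that only one connector is still writing after the migration, as an added example that is not part of the Lookout solution or this catalog: the KQL below counts events and billed bytes per table over the last day. It assumes only the two table names listed on this page (Lookout_CL and LookoutMtdV2_CL) plus the standard TimeGenerated and _BilledSize columns that every Log Analytics table carries; no Lookout-specific columns are referenced.

```kql
// Added example (not from the Lookout solution): are both the legacy and the
// CCF connector still ingesting? Assumes only the table names on this page and
// the standard TimeGenerated / _BilledSize columns of Log Analytics.
// isfuzzy=true keeps the query working if one of the tables does not exist yet.
union withsource = SourceTable isfuzzy = true Lookout_CL, LookoutMtdV2_CL
| where TimeGenerated > ago(1d)
| summarize Events      = count(),
            BilledBytes = sum(_BilledSize),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated)
    by SourceTable
| order by SourceTable asc
// A row for both tables with recent LastSeen values means the same Lookout
// events are being ingested (and billed) twice. Disable the [DEPRECATED]
// Lookout connector so that only LookoutMtdV2_CL keeps growing.
```

Run it again a day after disabling the legacy connector: Lookout_CL should then drop out of the result entirely, while LookoutMtdV2_CL keeps a current LastSeen.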

Contents

Data Connectors

This solution provides 2 data connector(s):

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column-name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 2 table(s):

Table | Used By Connectors | Used By Content
LookoutMtdV2_CL | Lookout Mobile Threat Detection Connector (via Codeless Connector Framework) (Preview) | Analytics, Hunting, Workbooks
Lookout_CL 🔶 | [DEPRECATED] Lookout | Analytics

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column-name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
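The suffix heuristic behind the 🔶 marker can be reproduced directly against a workspace, as an added example rather than the catalog's own check. getschema is a standard KQL operator that returns one row per column with ColumnName and ColumnType; the regular expression is the list of CLv1 type suffixes quoted in the legend above, and the query assumes nothing about Lookout-specific column names.

```kql
// Added example (not from the Lookout solution): reproduce the CLv1 suffix
// heuristic for both Lookout tables. getschema yields ColumnName/ColumnType
// per column; the regex is the Custom Log V1 suffix list from the legend.
union
    (Lookout_CL      | getschema | extend SourceTable = "Lookout_CL"),
    (LookoutMtdV2_CL | getschema | extend SourceTable = "LookoutMtdV2_CL")
| extend HasClv1Suffix = ColumnName matches regex @"_(s|d|b|t|g)$"
| summarize Columns         = count(),
            SuffixedColumns = countif(HasClv1Suffix),
            SuffixExamples  = make_set_if(ColumnName, HasClv1Suffix, 5),
            Types           = make_set(ColumnType)
    by SourceTable
// A high SuffixedColumns share suggests a CLv1 table, but because CLv2 tables
// may use the same names, confirm the table plan/type in the workspace's
// Tables blade before treating the result as authoritative.
```

Expect Lookout_CL to show mostly suffixed columns and LookoutMtdV2_CL few or none; if the v2 table also scores high, that is exactly the false positive the legend warns about.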

Content Items

This solution includes 12 content item(s):

Analytic Rules: 5
Workbooks: 5
Hunting Queries: 1
Parsers: 1

Analytic Rules

Name | Severity | Tactics | Tables Used
Lookout - Critical Audit and Policy Changes (v2) | Medium | DefenseEvasion, Persistence, PrivilegeEscalation, Impact | LookoutMtdV2_CL
Lookout - Critical Smishing and Phishing Alerts (v2) | High | InitialAccess, CredentialAccess, Collection, Discovery | LookoutMtdV2_CL
Lookout - Device Compliance and Security Status Changes (v2) | Medium | Discovery, DefenseEvasion, Persistence | LookoutMtdV2_CL
Lookout - High Severity Mobile Threats Detected (v2) | High | Discovery, DefenseEvasion, Persistence, PrivilegeEscalation | LookoutMtdV2_CL
Lookout - New Threat events found. | High | Discovery | Lookout_CL

Hunting Queries

Name | Tactics | Tables Used
Lookout Advanced Threat Hunting - Multi-Vector Attacks | Discovery, Persistence, DefenseEvasion | LookoutMtdV2_CL

Workbooks

Name | Tables Used
LookoutEvents | LookoutMtdV2_CL
LookoutEventsV2 | LookoutMtdV2_CL
LookoutExecutiveDashboard | LookoutMtdV2_CL
LookoutIOAInvestigationDashboard | LookoutMtdV2_CL
LookoutSecurityInvestigationDashboard | LookoutMtdV2_CL

Parsers

Name | Description | Tables Used
LookoutEvents | - | LookoutMtdV2_CL (read)

Additional Documentation

📄 Source: Lookout/README.md

🚀 Overview

The Lookout Mobile Risk API v2 solution provides comprehensive mobile threat detection, device compliance monitoring, and security intelligence for Microsoft Sentinel. This enhanced version leverages the full capabilities of Lookout's Mobile Risk API v2 to deliver advanced threat correlation, smishing detection, and sophisticated security analytics.

✨ What's New in v2

🆕 New Capabilities

📊 Enhanced Components

📁 Solution Structure

```
Solutions/Lookout/
├── 📋 README.md                          # This file
├── 🚀 DEPLOYMENT_GUIDE.md                # Production deployment guide
├── 🧪 DEV_TESTING_GUIDE.md               # Development testing guide
├── 🔌 CODELESS_CONNECTOR_GUIDE.md        # 🆕 Codeless Connector Framework guide
├── 📊 UPGRADE_ANALYSIS.md                # v1 to v2 upgrade analysis
├── 🗺️ V2_FIELD_MAPPING.md                # Complete v2 field mapping
├── 🏗️ ARCHITECTURE_DIAGRAM.md            # Solution architecture
├── 📝 TEST_DATA_SAMPLES.md               # Test data documentation
├── 📄 TEST_DATA_SAMPLES.json             # Sample v2 event data
├──
├── 📊 Data/
│   └── Solution_Lookout.json             # Solution metadata
├──
├── 🔌 Data Connectors/
│   ├── requirements.txt                  # Python dependencies
│   ├── LookoutAPISentinelConnector/      # Legacy function app connector
│   └── LookoutStreamingConnector_ccp/    # Enhanced CCP connector
│       ├── LookoutStreaming_DataConnectorDefinition.json
│       ├── LookoutStreaming_DCR.json     # Data Collection Rule
│       ├── LookoutStreaming_Table.json   # Table schema
│       └── LookoutStreaming_PollingConfig.json
├──
├── 🔍 Parsers/
│   └── LookoutEvents.yaml                # Enhanced v2 parser
├──
├── 🚨 Analytic Rules/
│   ├── LookoutThreatEvent.yaml           # Legacy threat detection
│   ├── LookoutThreatEventV2.yaml         # Enhanced threat detection
│   ├── LookoutDeviceComplianceV2.yaml    # Device compliance monitoring
│   ├── LookoutSmishingAlertV2.yaml       # 🆕 Smishing detection
│   └── LookoutAuditEventV2.yaml          # 🆕 Audit event monitoring
├──
├── 🎯 Hunting Queries/
│   └── LookoutAdvancedThreatHunting.yaml # 🆕 6 advanced hunting scenarios
├──
├── 📊 Workbooks/
│   ├── LookoutEvents.json                # Legacy workbook
```

[Content truncated...]

Release Notes

Version (Date Modified, DD-MM-YYYY): Change History

3.0.4 (24-04-2026): Fixed APIKey bracket escaping in mainTemplate.json: changed [[parameters('applicationKey')]] to [[parameters('applicationKey')] to prevent ARM expression evaluation error (expected token 'EndOfData' and actual 'RightSquareBracket') when Sentinel instantiates the ResourcesDataConnector template.

3.0.3 (23-04-2026): Version bump for certification resubmission. Fixed workspace-location parameter defaultValue to use [resourceGroup().location] ARM expression.

3.0.2 (11-03-2026): Updated lastPublishDate across solution metadata and package to 2026-03-11. Cleaned up stale v4.0.0 branches. Resubmission for certification after resolving link discrepancy flagged in Best Practice Test 300.4.1.1. Fixed product branding: updated "Azure Sentinel" to "Microsoft Sentinel" in workbook descriptions. Fixed DCR transform query error: undefined symbol detections corrected to smishing_alert.detections. Aligned data connector version from 1.0.0 to 3.0.2 for consistent version tracking across all solution components. Updated all template version references from 3.0.1 to 3.0.2 in package. Added Parsers and Notebooks steps to the install wizard (createUiDefinition.json) for improved discoverability during solution deployment.

3.0.1 (18-12-2025): Parser v3.1.0 with support for Streaming/Polling/REST API field structures. Enhanced workbooks and dashboards. Analytic Rules updated with MITRE ATT&CK mobile tactics. Added Jupyter Notebooks for threat hunting: Mobile Malware, Smishing, Device Compliance, and Audit/Insider Threat analysis.

3.0.0 (07-11-2025): New CCF Connector added to Solution - Lookout Mobile Threat Detection Connector.
