Semperis Lightning Sentinel Connector
Solution: SemperisLightning
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
| Attribute | Value |
|---|---|
| Publisher | Semperis |
| Support Tier | Partner |
| Support Link | https://www.semperis.com/support/ |
| Categories | Security - Cloud Security,Security - Threat Intelligence |
| Version | 3.0.0 |
| Author | Semperis |
| First Published | 2026-03-01 |
| Last Updated | 2026-03-23 |
| Solution Folder | SemperisLightning |
| Marketplace | Azure Marketplace · Popularity: ⚪ Very Low (0%) |
This custom data connector uses a Function App to pull Semperis Lightning data and uploads it into the selected Log Analytics workspace via the Azure Log Ingestion API.
Contents
Data Connectors
This solution provides 1 data connector(s):
Tables Used
This solution uses 7 table(s):
Additional Documentation
📄 Source: SemperisLightning/README.md
Semperis Lightning Connector for Microsoft Sentinel
This connector ingests all data sources from Semperis Lightning into Microsoft Sentinel/Log Analytics:
- Tier0 Nodes (Identity Graph)
- Attack Paths
- Attack Path Links
- Tier0 Attackers (Zone Access Objects)
- Indicator Executions
- IoES Metadata
- IoE Results
Prerequisites
- Azure Subscription with permissions to create resources
- Log Analytics Workspace (existing)
- Semperis Lightning API Key from your Semperis instance
- Azure CLI (for deployment) or Azure Portal
Deployment
Option 1: Azure Portal (Recommended)
Click the button below or go to Azure Portal
https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FSemperisLightning%2FData%2520Connectors%2FSemperisLightningLogs%2Fazuredeploy_Connector_SemperisLightning_AzureFunction.jsonFill in the required parameters:
- Log Analytics Workspace Resource ID: Get from your workspace's JSON View
- Semperis API Key: Your Semperis Lightning API key
- Semperis Zone: Select na (North America) or eu (Europe)
- Connector Schedule: Default is
0 * * * * *(every 1 hour)
Click Review + Create then Create
Option 2: Azure CLI
# Set variables
export RESOURCE_GROUP="myResourceGroup"
export WORKSPACE_ID="/subscriptions/xxx/resourcegroups/xxx/providers/microsoft.operationalinsights/workspaces/xxx"
export API_KEY="your-semperis-api-key"
export LOCATION="eastus"
# Deploy
az deployment group create \
--name semperis-connector \
--resource-group $RESOURCE_GROUP \
--template-file azuredeploy_Connector_SemperisLightning_AzureFunction.json \
--parameters \
LogAnalyticsWorkspaceResourceID="$WORKSPACE_ID" \
SemperisApiKey="$API_KEY" \
SemperisZone="na" \
ConnectorSchedule="0 * * * * *"
What Gets Created
The template creates:
- 7 Custom Log Analytics Tables (all with
_CLsuffix) - 1 Data Collection Endpoint (DCE)
- 7 Data Collection Rules (DCRs)
- Azure Function App (Python 3.11, Elastic Premium Plan)
- Storage Accounts (for function runtime and state)
- Key Vault (for secure API key storage)
- Application Insights (for monitoring)
- User-Assigned Managed Identity (for authentication)
Data Ingestion Schedule
By default, the connector ingests data every 1 hour. You can modify the schedule using CRON expressions:
| Expression | Frequency |
|---|---|
0 * * * * * |
Every 1 hour (default) |
0 */4 * * * * |
Every 4 hours |
0 * * * * * |
Every hour |
0 0 * * * * |
Daily at midnight UTC |
Monitoring
- Application Insights: Check function health in Azure Portal
- Log Analytics: Query the custom tables for data
LightningTier0Nodes_CL | where TimeGenerated > ago(24h) | count
Field Mappings
Tier0 Nodes
| API Field | Log Analytics Field |
[Content truncated...]
Release Notes
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.0 | 23-03-2026 | Initial Solution Release. Added Semperis Lightning Connector |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊