Semperis Lightning Sentinel Connector

Solution: SemperisLightning

SemperisLightning Logo

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Attribute	Value
Publisher	Semperis
Support Tier	Partner
Support Link	https://www.semperis.com/support/
Categories	domains
Version	3.0.0
Author	Semperis
First Published	2026-03-01
Last Updated	2026-03-23
Solution Folder	SemperisLightning
Marketplace	Azure Marketplace · Popularity: ⚪ Very Low (0%)

This custom data connector uses a Function App to pull Semperis Lightning data and uploads it into the selected Log Analytics workspace via the Azure Log Ingestion API.

Data Connectors
Tables Used
Additional Documentation

Data Connectors

This solution provides 1 data connector(s):

Semperis Lightning Logs

Tables Used

This solution uses 7 table(s):

Table	Used By Connectors	Used By Content
`LightningAttackPathLinks_CL`	Semperis Lightning Logs	-
`LightningAttackPaths_CL`	Semperis Lightning Logs	-
`LightningIOEResults_CL`	Semperis Lightning Logs	-
`LightningIOEsMetadata_CL`	Semperis Lightning Logs	-
`LightningIndicatorExecutions_CL`	Semperis Lightning Logs	-
`LightningTier0Attackers_CL`	Semperis Lightning Logs	-
`LightningTier0Nodes_CL`	Semperis Lightning Logs	-

Additional Documentation

📄 Source: SemperisLightning/README.md

Semperis Lightning Connector for Microsoft Sentinel

This connector ingests all data sources from Semperis Lightning into Microsoft Sentinel/Log Analytics: - Tier0 Nodes (Identity Graph) - Attack Paths - Attack Path Links - Tier0 Attackers (Zone Access Objects) - Indicator Executions - IoES Metadata - IoE Results

Prerequisites

Azure Subscription with permissions to create resources
Log Analytics Workspace (existing)
Semperis Lightning API Key from your Semperis instance
Azure CLI (for deployment) or Azure Portal

Deployment

Option 1: Azure Portal (Recommended)

Click the button below or go to Azure Portal https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FSemperisLightning%2FData%2520Connectors%2FSemperisLightningLogs%2Fazuredeploy_Connector_SemperisLightning_AzureFunction.json
Fill in the required parameters: - Log Analytics Workspace Resource ID: Get from your workspace's JSON View - Semperis API Key: Your Semperis Lightning API key - Semperis Zone: Select na (North America) or eu (Europe) - Connector Schedule: Default is 0 * * * * * (every 1 hour)
Click Review + Create then Create

Option 2: Azure CLI

# Set variables
export RESOURCE_GROUP="myResourceGroup"
export WORKSPACE_ID="/subscriptions/xxx/resourcegroups/xxx/providers/microsoft.operationalinsights/workspaces/xxx"
export API_KEY="your-semperis-api-key"
export LOCATION="eastus"

# Deploy
az deployment group create \
  --name semperis-connector \
  --resource-group $RESOURCE_GROUP \
  --template-file azuredeploy_Connector_SemperisLightning_AzureFunction.json \
  --parameters \
    LogAnalyticsWorkspaceResourceID="$WORKSPACE_ID" \
    SemperisApiKey="$API_KEY" \
    SemperisZone="na" \
   ConnectorSchedule="0 * * * * *"

What Gets Created

The template creates: - 7 Custom Log Analytics Tables (all with _CL suffix) - 1 Data Collection Endpoint (DCE) - 7 Data Collection Rules (DCRs) - Azure Function App (Python 3.11, Elastic Premium Plan) - Storage Accounts (for function runtime and state) - Key Vault (for secure API key storage) - Application Insights (for monitoring) - User-Assigned Managed Identity (for authentication)

Data Ingestion Schedule

By default, the connector ingests data every 1 hour. You can modify the schedule using CRON expressions:

Expression	Frequency
`0 * * * * *`	Every 1 hour (default)
`0 /4 * * *`	Every 4 hours
`0 * * * * *`	Every hour
`0 0 * * * *`	Daily at midnight UTC

Monitoring

Application Insights: Check function health in Azure Portal
Log Analytics: Query the custom tables for data kusto LightningTier0Nodes_CL | where TimeGenerated > ago(24h) | count

Field Mappings

Tier0 Nodes

| API Field | Log Analytics Field |

[Content truncated...]

Release Notes

Version	Date Modified (DD-MM-YYYY)	Change History
3.0.0	23-03-2026	Initial Solution Release. Added Semperis Lightning Connector