Microsoft Sentinel Integration
Forward Noxys AI interaction events and security alerts to Microsoft Sentinel for centralized security monitoring and threat detection.
Overview
This integration enables:
- Real-time event streaming from Noxys to Sentinel via webhook
- Custom analytics rules to detect AI-related threats
- Automated response playbooks for policy violations
- Unified dashboard combining Noxys and Sentinel data
Data Flow:
Noxys (Policy Violations) → Webhook → Sentinel Data Connector → Log Analytics → Alerts/Analytics
Prerequisites
- Azure subscription with Microsoft Sentinel enabled
- Log Analytics workspace created
- Admin role in Noxys
- Admin or Security Admin role in Azure
Step 1: Create Log Analytics Table
Define where Noxys events are stored in Sentinel.
- Navigate to Log Analytics Workspace → Your workspace
- Go to Tables → Create → New custom table (DCR-based)
- Create table named:
NoxysEvents_CL - Define schema:
Column Name | Type
--------------------|--------
TimeGenerated | datetime
EventType | string
TenantId | string
InteractionId | string
PlatformId | string
RiskScore | real
Classifications | dynamic
PolicyDecisions | dynamic
UserId | string
AlertSeverity | string
- Click Create
Step 2: Create Data Connector
Enable webhook endpoint for Noxys to send events.
- In Sentinel → Data Connectors → Create new connector
- Choose API Polling or Webhook (REST API)
- Configure:
Name: Noxys AI Firewall
Webhook Configuration:
Request Method: POST
Content-Type: application/json
Authentication: Bearer token (generated in Noxys)
- Note the Webhook URL (provided by Sentinel)
- Create Data Connector Rule:
{
"name": "NoxysToSentinelRule",
"source": "NoxysEvents_CL",
"schedule": "PT1H"
}
Step 3: Configure Noxys Webhook
Set up event forwarding from Noxys to Sentinel.
- In Noxys Admin Panel → Integrations → Webhooks
- Click Create Webhook
- Configure:
URL: https://your-workspace.eastus2.loganalytics.io/api/logs?api-version=2016-04-01 (from Sentinel)
Events: Select all or specific events:
interaction.createdinteraction.policy_violatedinteraction.high_riskalert.severity_criticalalert.severity_highpolicy.createdpolicy.updated
Headers:
Authorization: Bearer <workspace-key>
Content-Type: application/json
Description: "Microsoft Sentinel integration"
- Click Create
- Test webhook: Click Test
- Verify delivery in Deliveries tab
Step 4: Create Analytics Rules
Define threat detection rules based on Noxys data.
Rule 1: Repeated Policy Violations
In Sentinel:
-
Analytics → Rule templates → Create rule → Scheduled query rule
-
General:
- Name: "High Volume Policy Violations from Noxys"
- Severity: High
-
Set rule logic:
NoxysEvents_CL
| where EventType == "interaction.policy_violated"
| summarize ViolationCount=count() by UserId, PlatformId, bin(TimeGenerated, 1h)
| where ViolationCount > 10
| project TimeGenerated, UserId, PlatformId, ViolationCount
-
Query scheduling: Every 1 hour
-
Alert details:
- Entity mapping:
- Account:
UserId
- Account:
- Alert name:
Multiple policy violations detected
- Entity mapping:
-
Create
Rule 2: High-Risk Interaction from Non-Enterprise Platform
NoxysEvents_CL
| where EventType == "interaction.high_risk"
| where RiskScore > 0.8
| where PlatformId in ("perplexity", "deepseek", "grok")
| project TimeGenerated, UserId, PlatformId, RiskScore, Classifications
| take 100
Rule 3: Blocked Transactions on Unallowed Platforms
NoxysEvents_CL
| where EventType == "interaction.policy_violated"
| where PolicyDecisions contains "block"
| where PlatformId not in ("chatgpt", "claude", "gemini")
| summarize BlockCount=count() by UserId, PlatformId, TimeGenerated
Step 5: Create Playbooks (Automation)
Automatically respond to Noxys alerts.
In Sentinel → Automation → Create automation rule
Example: Create Ticket on Critical Violation
Trigger: Alert created
Filter: Product = "Noxys"
Action: Create ticket in Jira/ServiceNow
Example: Notify Teams on High-Risk Activity
Trigger: Alert created
Filter: Severity = High, AlertSeverity = critical
Action: Post message to Teams
Step 6: Create Dashboards
Visualize Noxys data in Sentinel.
In Sentinel → Workbooks → + Add workbook
Add tiles:
- High-Risk Interactions (24h):
NoxysEvents_CL
| where EventType == "interaction.high_risk"
| where TimeGenerated > ago(24h)
| summarize Count=count() by PlatformId
- Policy Violations by Platform:
NoxysEvents_CL
| where EventType == "interaction.policy_violated"
| summarize ViolationCount=count() by PlatformId
| render barchart
- Risk Score Distribution:
NoxysEvents_CL
| where isnotnull(RiskScore)
| summarize AvgRisk=avg(RiskScore) by bin(TimeGenerated, 1h)
| render timechart
- Top Users with Violations:
NoxysEvents_CL
| where EventType == "interaction.policy_violated"
| summarize ViolationCount=count() by UserId
| top 10 by ViolationCount
| render barchart
Step 7: Verification
Verify integration is working.
-
In Noxys:
- Create test interaction or trigger policy violation
- Check webhook deliveries: Integrations → Webhooks → Deliveries
- Verify status = 200
-
In Sentinel:
- Go to Logs → Run query:
NoxysEvents_CL
| where TimeGenerated > ago(1h)
| take 10- Should see recent events
-
Analytics Rules:
- Trigger a policy violation
- Check Incidents to see if rules fire
Troubleshooting
Events Not Appearing in Sentinel
- Check webhook is active: Admin Panel → Integrations → Webhooks → Status
- Verify webhook URL: Confirm it matches Sentinel's endpoint
- Check authentication: Verify workspace key is correct
- Review deliveries: Admin Panel → Webhooks → Deliveries
- If status ≠ 200, check error message
- Firewall rules: Ensure Noxys IPs can reach Sentinel endpoint
- Wait for sync: LAW may take 1-5 minutes to appear
Analytics Rules Not Triggering
- Check rule is Enabled
- Verify query is valid (test in Log Analytics)
- Check rule schedule is appropriate
- Review rule logic — verify it matches your data
High Latency
- Increase webhook batch size (if applicable)
- Check network connectivity between Noxys and Azure
- Review Log Analytics query performance
Cost Considerations
Sentinel charges for:
- Log ingestion: Per GB ingested
- Analytics rules: Per rule execution
- SOAR playbooks: Per action
Estimate: ~$10-50/month for typical deployment (varies by event volume)
Best Practices
-
Filter events wisely: Only send critical events to reduce costs
interaction.policy_violated,alert.severity_critical- Skip
interaction.created(too verbose)
-
Set appropriate thresholds:
- Alert on 5+ violations/hour
- High risk = RiskScore > 0.8
- Critical severity = Block actions
-
Use entity mapping: Link UserId and PlatformId for investigation
-
Tune analytics rules: Test with historical data first
-
Monitor alert fatigue: Review rules quarterly
Data Retention
In Noxys: Default 90 days In Sentinel: Configurable (typically 30-730 days)
To extend retention in Noxys, contact support or upgrade plan.
Compliance Notes
- GDPR: Events contain hashed data only (no raw prompts)
- SOC 2: Sentinel integration is SOC 2 Type II compliant
- HIPAA: Requires HIPAA-enabled Log Analytics workspace
Sample Webhook Payload
{
"id": "evt_abc123",
"timestamp": "2026-03-20T14:32:00Z",
"event_type": "interaction.policy_violated",
"tenant_id": "tenant-123",
"data": {
"id": "int_abc123",
"platform_id": "chatgpt",
"risk_score": 0.95,
"classifications": [
{
"type": "EMAIL",
"value": "alice@acme.fr",
"score": 0.98
}
],
"policy_decisions": [
{
"policy_id": "pol_abc123",
"policy_name": "Block PII on ChatGPT",
"action": "block"
}
]
}
}
Support & Resources
- Sentinel Docs: https://learn.microsoft.com/en-us/azure/sentinel/
- Custom Connectors: https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector
- Noxys Support: support@noxys.eu
- Status: status.noxys.cloud
Next Steps
- Create custom analytics rules for your use cases
- Set up automated playbooks for incident response
- Build dashboards for security team visibility
- Export reports for compliance audit