Microsoft Azure Sentinel
The Tenable integration for Microsoft Azure Sentinel combines Tenable's Cyber Exposure insights with Sentinel's collection, detection, and investigation capabilities. This integration supports Tenable Vulnerability Management and exports asset and vulnerability data from Tenable Vulnerability Management directly to Microsoft Sentinel.
Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM), and security orchestration automated response (SOAR) solution. For more information about Microsoft Sentinel, see the Microsoft documentation.
Required User Role: Administrator. For more information, see API Permissions.
Note: The Microsoft Azure Sentinel integration does not export fixed vulnerabilities.
Before you begin:
- You must have a Logs Analytics Workspace with Microsoft Sentinel enabled in your Azure subscription.
- For assistance with launching Microsoft Sentinel, see the Microsoft Sentinel quick start guide.

-
Navigate to Microsoft Sentinel within the Microsoft Azure Portal and click Create Microsoft Sentinel.
The workspace homepage appears:
-
Add a workspace for Microsoft Sentinel. Click Create a new workspace.
-
To create the Log Analytics workspace, you must first create a new Resource Group. Click Create new under Resource Group Connector.
-
Input a Name for the instance detail and select the appropriate Azure Region from the drop-down menu.
Click Review + Create.
The settings are finalized and the page updates:
-
Click Create.
The workspace homepage appears with your new Microsoft Sentinel workspace:
The Log Analytics Workplace for Microsoft Sentinel has been created.

-
In your newly created Tenable App, click Tenable.io Vulnerability Management (using Azure Function) in the content list.
-
Select the name of the connector and in the bottom-right corner, click Open connector page.
-
Deploy the ARM template by clicking Deploy to Azure.
-
Select the Resource Group and populate the remaining four fields.
Note: The Tenable export schedule is set for every 24 hours (1440 minutes) by default. This can be adjusted to suit the requirements needed to gather asset and vulnerability data in a timely manner.
-
Once all fields have been populated, click Review + create.
-
The fields are finalized. Click Create.