Integrating Microsoft Sentinel with NordStellar

This guide walks you through installing and configuring the NordStellar solution for Microsoft Sentinel. Once connected, NordStellar sends alert findings such as leaked credentials, malware infections, dark web mentions, and attack surface vulnerabilities into your Sentinel workspace so your SOC team can query, alert on, and respond to them alongside the rest of your security telemetry.

How the Integration Works

NordStellar is delivered as a Microsoft Sentinel solution. You install it from Microsoft Sentinel Content hub or Azure Marketplace, then configure the included data connector for your NordStellar organization.

At a high level:

Install the NordStellar solution in the Sentinel workspace where you want to receive findings.
Configure the NordStellar data connector from the solution page.
Complete the connection in NordStellar and choose which projects and findings to forward.
Verify that NordStellar events are arriving in your Sentinel workspace.

You do not need to manually create Data Collection Endpoints, Data Collection Rules, or custom Log Analytics tables for a standard setup. Those details are handled by the packaged Sentinel solution and connector experience.

Prerequisites

Before you begin, make sure you have:

A Log Analytics workspace with Microsoft Sentinel enabled.
Permissions in Azure to install Sentinel solutions and configure data connectors for the target workspace.
Organization Admin permissions in NordStellar.
Access to the NordStellar organization and projects whose findings you want to send to Sentinel.

Step 1: Install the NordStellar Solution

Install the solution in the Microsoft Sentinel workspace where NordStellar findings should appear.

Open Content hub

Sign in to the Azure portal (opens in a new tab).
Open Microsoft Sentinel.
Select the workspace where you want to install the integration.
In the workspace menu, go to Content hub.

Find and install NordStellar

Search for NordStellar.
Select the NordStellar solution.
Click Install.
When installation finishes, open the solution and review the included data connector, workbooks, analytics rules, and other content.

Step 2: Configure the Data Connector

Open the connector

In Microsoft Sentinel, open the workspace where you installed the solution.
Go to Data connectors.
Search for NordStellar.
Open the NordStellar connector page.

Follow the connector instructions

ℹ️

The exact connection fields shown in Sentinel can change as Microsoft updates the connector experience. Use the values and instructions shown on the NordStellar connector page for your workspace.

Review the connector instructions.
Copy any workspace, connector, or authorization values that the connector page asks you to provide in NordStellar.
Keep this browser tab open while you finish the setup in NordStellar.

Step 3: Configure the Integration in NordStellar

Now return to the NordStellar Platform to finalize the integration.

Navigate to integration settings

On the NordStellar Platform, go to the Settings section.
In the right-side menu, under Connect, click Integrations.
Click Connect on the Microsoft Sentinel card.

Enter your connector details

Enter a descriptive Integration name.
Provide the Microsoft Sentinel connector values requested by the form.
Use the values from the NordStellar connector page in Sentinel.

Choose scope and options

Apply to all projects: Enable to forward findings from every project in your organization (including projects added later), or disable to select specific projects.
Send existing events: Enable to backfill historical findings. When enabled, choose a Send existing events from date — findings detected on or after that date will be sent in addition to all new findings.
Include consumer credentials' passwords: Enable only if you want plaintext passwords from consumer credential findings included in the forwarded events.

Save the integration

Click Connect to save.
NordStellar will begin forwarding new findings to your Microsoft Sentinel workspace. If you enabled backfill, historical findings are sent shortly after.

Step 4: Verify Data in Microsoft Sentinel

It can take several minutes for the first records to appear. To confirm data is flowing:

Open your Log Analytics workspace in the Azure portal.
Go to Logs and query the NordStellar table created by the solution. The table name is shown on the NordStellar connector page.
```
NordStellar_CL
| sort by TimeGenerated desc
| take 50
```
You should see records with a TimeGenerated value and the NordStellar finding details. You can expand individual properties with KQL, for example:
```
NordStellar_CL
| extend EventType = tostring(Event.type)
| summarize count() by EventType
```

Once data is flowing, you can build Microsoft Sentinel analytics rules, workbooks, and automation playbooks on top of the NordStellar findings.

Troubleshooting

If findings are not appearing in Microsoft Sentinel, review the following:

No data after several minutes:
- Confirm the NordStellar solution is installed in the same Sentinel workspace you are querying.
- Confirm the NordStellar data connector is configured and shows as connected.
- Check that enough time has passed for the first events to be sent and indexed.
Connector setup is incomplete:
- Reopen the NordStellar data connector page in Sentinel and verify that each required step is complete.
- Confirm that the values entered in NordStellar match the values shown by the connector page.
Project scope is too narrow:
- In NordStellar, confirm that the integration applies to the projects whose findings you expect to see.
- If you enabled Send existing events, verify that the selected date range includes the findings you are checking.
Network/Firewall:
- Confirm there are no restrictions preventing NordStellar and Microsoft Sentinel from completing the connector authorization and data ingestion flow.

If you've checked these details and the problem persists, please contact NordStellar support for assistance.

Overview Getting Started