Microsoft Sentinel Integration for PolicyPak Logs

What is a one sentence summary of your feature request?

Add event forwarding integrations for Microsoft Sentinel

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Currently, PolicyPak Cloud includes a built-in event forwarder that can send specific log channels directly to Splunk. Organizations that do not use Splunk have no equivalent option for integrating log forwarding with their SIEM of choice.

A native Microsoft Sentinel connector—or equivalent configuration option—would enable direct forwarding of PolicyPak events to a Sentinel Log Analytics workspace, mirroring the existing Splunk configuration. This would eliminate the need for custom pipelines, reduce setup time, lower infrastructure costs, and minimize maintenance overhead. It would also make it significantly easier for customers to centralize, analyze, and alert on PolicyPak events within Microsoft’s security ecosystem.

Even if direct Sentinel integration is not implemented, enhancements are needed to address the limitations of logs stored in the PolicyPak Cloud dashboard. Currently, customers cannot manage or retain this data, log history is limited to a short duration, and there is no built-in capability for automation or alerts.

How do you currently solve the challenges you have by not having this feature?

When using Microsoft Sentinel, we must deploy and maintain additional infrastructure, tools, and policies to try to create our own log forwarding. This is either:

Setting up Windows Event Forwarding to a central collector server running Azure Monitor Agent (extra hardware and management overhead),
or
Deploying Azure Monitor Agent manually to endpoints with Intune and custom Data Collection Rules, which requires packaging, version management, and more complex configuration.
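For reference, this is what the "custom Data Collection Rule" part of the second workaround looks like as an Azure Monitor DCR resource body. It is an added illustration, not configuration from PolicyPak or from the requester: the event channel name, subscription, resource group and workspace name are placeholders, since the page does not name the PolicyPak log channels, and the XPath filter (only Critical, Error and Warning events) is an assumed starting point. The agent evaluates the XPath query against the named channel and sends matching events to the Log Analytics workspace as rows in the Event table, which Sentinel can then query and alert on.

```json
{
  "location": "PLACEHOLDER-region",
  "kind": "Windows",
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "policypak-events",
          "streams": [ "Microsoft-Event" ],
          "xPathQueries": [
            "PLACEHOLDER-PolicyPak-Channel!*[System[(Level=1 or Level=2 or Level=3)]]"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "sentinel-workspace",
          "workspaceResourceId": "/subscriptions/PLACEHOLDER-subscription-id/resourceGroups/PLACEHOLDER-rg/providers/Microsoft.OperationalInsights/workspaces/PLACEHOLDER-workspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Microsoft-Event" ],
        "destinations": [ "sentinel-workspace" ]
      }
    ]
  }
}
```

The rule still has to be associated with each endpoint (a Data Collection Rule Association), and the Azure Monitor Agent must be installed on the device, which is the packaging and version-management overhead the request describes. Narrowing the XPath query to the channels and levels that matter keeps ingestion cost and noise down once the data lands in the workspace.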

Upload any supporting images that you think should be considered in this idea.