Sentinel Integration
This guide replaces the previous Azure Sentinel integration. The new Codeless Connector Framework (CCF) integration offers a streamlined, "click to deploy" experience available directly within the Microsoft Sentinel Content Hub. This update significantly reduces the manual configuration required to ingest Flare events into Azure.

The CCF enables partners and developers to create robust, custom connectors for seamless data ingestion into Microsoft Sentinel.

Please note: if you are currently using the Flare connector, this will create a second table within Sentinel. It is recommended to sunset the older connector and migrate to this one.

## Azure Sentinel setup

### Install Flare via the Content Hub

The first step is to install the Flare solution and deploy the codeless connector. This connector automatically receives Flare events and transforms them into queryable logs within Sentinel.

1. Navigate to Microsoft Sentinel > Content management > Content hub.
2. Search for "Flare" in the search bar.
3. Select the Flare solution and click Install. Deployment typically takes a few seconds.
4. Once installed, click Manage.
5. Select Flare Push Connector and click Open connector page.

### Deploy custom resources

1. On the connector page, select Deploy custom resources and accept the confirmation prompt.
2. Once the deployment is complete, several configuration fields will automatically be populated.

Keep this page open, as you will need these values to link Flare to Azure Sentinel.

## Flare setup

### Set up the integration channel

1. In the Flare platform, navigate to Configure > Integrations and select Create Channel.
2. In the modal, select Azure Sentinel from the dropdown menu.
3. Copy the values from the Sentinel connector page into the corresponding fields.

### Verify and finalize

1. Press Test Channel to verify the connection.
2. Once the test is successful, click Create Channel to finalize the integration.

## Flare solution features

The Flare solution includes pre-packaged analytic rules and workbooks to help you monitor and visualize your data.
They must be manually deployed through Azure Sentinel.

Note on initial setup: analytic rules and workbooks will likely display error messages until the connector receives its first set of data. These components will remain inactive on fresh instances until data ingestion begins.

### Analytic rules

Analytic rules enable automated alerting based on Kusto Query Language (KQL). These rules help you identify specific security threats as they appear in your logs. They can be configured from Azure Sentinel > Configuration > Analytics > Rule templates.

### Workbooks

Workbooks provide interactive data visualizations for Flare events directly within the Sentinel dashboard. They are located in Azure Sentinel > Threat management > Workbooks > Templates.

Flare includes three basic workbooks: Firework logs by risk score, Sources of all documents collected, and Total leaked credentials received.

#### Firework logs by risk score

This chart displays log activity sourced from Flare over the past 30 days, broken down by risk score level. Each line represents a distinct risk score category.

#### Sources of all documents collected

This section displays the origin of all threat intelligence documents ingested over the past 30 days, broken down by source.

#### Total leaked credentials received

This section is deprecated and will be removed in the next release. It displays a time series of credential leak events.

## Flare solution schema

To understand how Flare data is structured, or to build your own custom queries, you can inspect the data model using the following KQL command in the Logs interface, accessible under Azure Sentinel > Logs:

```kusto
FireworkV2_CL | getschema
```

For reference, here is the latest schema:

| Column name | Type | Example |
| --- | --- | --- |
| TimeGenerated | datetime (UTC) | 2026-02-17T15:06:35.7076596Z |
| EventVendor | string | Flare |
| EventProduct | string | Firework |
| EventSchemaVersion | string | 0.1 |
| EventSeverity | string | Informational |
| EventOriginalUid | string | domain/driller_dnstwist/clare.io |
| EventOriginalType | string | domain |
| RiskScore | int | 1 |
| Url | string (optional) | https://app.flare.io/events/test_social_media_account |
| timestamp | string (optional) | 2026-01-20T20:07:44.0633340+00:00 |
| timestamp_formatted | string (optional) | |
| first_crawled_at | string (optional) | 2026-01-20T20:07:44.0633340+00:00 |
| materialized_at | string (optional) | 2026-01-20T20:13:20.7334390+00:00 |
| url | string (optional) | |
| event_title | string (optional) | clare.io |
| event_type | string (optional) | domain |
| source | string (optional) | driller_dnstwist |
| source_name | string (optional) | dnstwist |
| id | string (optional) | clare.io |
| keyword | string (optional) | |
| category_name | string (optional) | domain |
| content_preview | dynamic object (optional) | domain: clare.io |
| content | string (optional) | |
| alert_content | string (optional) | |
| highlights | dynamic object (optional) | `{"identifier domain": ["<mark>flare.io</mark>"]}` |
| risk | dynamic object (optional) | `{"score": 1, "unit_score": 0.1, "risk_score": 1, "service_score": 1}` |
| tags | dynamic object (optional) | `[]` |
| related | dynamic object (optional) | `[]` |
| user_risk_score | int (optional) | |
| user_notes | string (optional) | |
| data | dynamic object (optional) | `{"username": "@fake_example_corp", "platform": "twitter", "followers": 1500}` |
| uid | string (optional) | domain/driller_dnstwist/clare.io |
| external_url | string (optional) | `[{"id": 14771403, "type": "domain", "name": "flare.io", "group": null}]` |
| sort | string (optional) | wze3njg5ndawmda3mzmsicjkb21haw4vzhjpbgxlcl9kbnn0d2lzdc9jbgfyzs5pbyjd |
| asset_uuids | dynamic object (optional) | |
| code | dynamic object (optional) | |
| author_id | string (optional) | |
| project_name | string (optional) | |
| sha | string (optional) | |
| actor | string (optional) | www |
| victim_name | string (optional) | |
| TenantId | string (optional) | ea21e035-057f-483d-aad9-f436617a24a6 |
| Type | string (optional) | FireworkV2_CL |
| _ResourceId | string (optional) | |
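
As a starting point for a custom query or a scheduled analytic rule over this table, the following added example (not one of the rules shipped with the Flare solution) de-duplicates events and summarizes recent high-risk ones by type and source. The table name `FireworkV2_CL` and the column spellings `RiskScore`, `EventOriginalUid`, `EventOriginalType` and `source_name` are assumed from the schema above, and the `minRisk` threshold and `lookback` window are illustrative assumptions; confirm the exact names with `getschema` before deploying.

```kusto
// Added example: high-risk Flare events from the last day, one row per
// event type and source. Column names are assumed from the schema above.
let lookback = 1d;   // assumed window; align with the rule's run frequency
let minRisk = 4;     // assumed threshold; tune to your own triage policy
FireworkV2_CL
| where TimeGenerated > ago(lookback)
// Keep only the most recent record for each Flare event, so an event that
// was ingested more than once is counted a single time.
| summarize arg_max(TimeGenerated, *) by EventOriginalUid
| where RiskScore >= minRisk
| summarize
    Events     = count(),
    MaxRisk    = max(RiskScore),
    LastSeen   = max(TimeGenerated),
    SampleUids = make_set(EventOriginalUid, 5)
    by EventOriginalType, source_name
| order by MaxRisk desc, Events desc
```

On a fresh workspace this query returns an error or no rows until the connector has ingested its first events, for the same reason the packaged rules and workbooks do.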