Blog: Export Pulumi Cloud audit logs to Microsoft Sentinel

content/blog/audit-log-export-microsoft-sentinel/index.md

@@ -0,0 +1,50 @@
+---
+title: "Export Pulumi Cloud Audit Logs to Microsoft Sentinel"
+date: 2026-04-08
+meta_desc: "Pulumi Cloud now supports exporting audit logs to Microsoft Sentinel, giving security teams real-time visibility into infrastructure activity in their SIEM."
+meta_image: meta.png
+feature_image: feature.png
+canonical_url: /docs/administration/security-compliance/audit-logs/azure-sentinel/
+authors:
+  - lynn-jung
+tags:
+  - pulumi-cloud
+  - features
+  - security
+  - azure
+no_social: true
+---
+
+[Pulumi Cloud](/product/pulumi-cloud/) audit logs give organization admins a complete record of who did what, when, and from where across their infrastructure. Until now, automated export was limited to AWS S3. Today, we're adding support for exporting audit logs to [Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/overview), bringing Pulumi activity data directly into your SIEM for real-time monitoring and alerting.
+
+<!--more-->
+
+The connector uses Sentinel's managed [Codeless Connector Framework](https://learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector) — no Azure Functions, Logic Apps, or other compute to manage. Events flow every 5 minutes, and the template includes three pre-built analytic rules for excessive auth failures, stack deletions, and org membership changes.
+
+## Getting started
+
+The connector deploys as a Pulumi program using a template. There are two ways to set it up:
+
+**From the Pulumi Cloud console**: Navigate to **Audit Logs**, click the gear icon, and select **Configure export to Microsoft Sentinel**. Click **Deploy with Pulumi**, fill in your config values, choose Pulumi Deployments as the deployment method, and select **Deploy**.
+
+**From the CLI**:
+
+```bash
+mkdir sentinel-connector && cd sentinel-connector
+pulumi new https://github.com/pulumi/examples/tree/master/azure-ts-sentinel-audit-logs
+pulumi up
+```
+
+Both paths require a Pulumi access token (we recommend an org-scoped service token) and an Azure resource group with a Log Analytics workspace and Sentinel enabled. Full setup instructions are in the [Microsoft Sentinel export guide](/docs/administration/security-compliance/audit-logs/azure-sentinel/).
+
+## What gets ingested
+
+Every audit log event lands in a custom `PulumiAuditLogs_CL` table with typed columns for event metadata, user info, token details, and security flags. Once the connector is deployed, data will start flowing within a few minutes as the poller begins its first poll cycle.
+
+## Try it out
+
+Microsoft Sentinel export is available today for organizations on the [Business Critical](/pricing/) edition.
+
+- [Read the setup guide](/docs/administration/security-compliance/audit-logs/azure-sentinel/) to get started
+- [View the connector source](https://github.com/pulumi/examples/tree/master/azure-ts-sentinel-audit-logs) on GitHub
+- [Join the Community Slack](https://slack.pulumi.com/) to share feedback

content/docs/administration/security-compliance/audit-logs/azure-sentinel.md

@@ -35,7 +35,11 @@ az sentinel onboarding-state create -g <resource-group> -w <workspace-name> -n d
 
 ## Setup option 1: Pulumi Cloud console (recommended)
 
-1. Open the [New Project Wizard with the template pre-selected](https://app.pulumi.com/new?template=https://github.com/pulumi/examples/tree/master/azure-ts-sentinel-audit-logs).
+1. In the Pulumi Cloud console, navigate to **Audit Logs** and click the gear icon. Select **Configure export to Microsoft Sentinel**.
+
+   ![Audit Logs settings dropdown showing the Configure export to Microsoft Sentinel option](audit-log-sentinel-dropdown.png)
+
+1. Click **Deploy with Pulumi**. This opens the New Project Wizard with the template pre-selected.
 
 1. Fill in the config values:
    - **orgName**: Your Pulumi Cloud organization name

data/team/team/lynn-jung.toml

@@ -0,0 +1,7 @@
+id = "lynn-jung"
+name = "Lynn Jung"
+status = "active"
+
+[social]
+github = "hlynnj"
+linkedin = "hahrin-jung"