The **Azure Sentinel Connector** for UiPath allows you to automate interaction with Microsoft Azure Sentinel directly from your UiPath workflows. 

It provides a comprehensive set of activities to manage security incidents - enabling security teams to streamline threat response, maintain incident records and enhance SOC operations through automation.

The Azure Sentinel connector for UiPath allows you to interact with the Azure Sentinel API directly from your UiPath workflows. 

Microsoft Sentinel is Microsoft’s cloud-native SIEM and security operations platform for threat detection, investigation, hunting, and response. In UiPath, this application fits process templates that create, update, list, enrich, modify, and close security incidents, helping teams automate SOC intake, triage, escalation, and case-management workflows across security operations.

Create and tag UiPath process templates for Microsoft Sentinel incident intake, enrichment, triage, updates, closures, and SOC workflow automation.

Microsoft Sentinel Integration for UiPath

Product Manager

Organizations that accept files from external suppliers face significant security risk at every entry point. The solution addresses this by automating the entire file vetting lifecycle from ingestion to response.

1. When a new file arrives — through email attachment, an **OneDrive** upload, or a **SharePoint** document library — the solution first verifies that no active threat case already exists for that supplier to prevent duplicate investigations. The file is then uploaded to Azure Blob.
2. Storage, where **Azure Defender for Cloud** performs a malware scan. The solution polls for scan completion and, once the results are available, routes them to an AI Agent that performs a secondary contextual evaluation based on the scan summary, filename, and file extension — returning a structured verdict and plain-language reasoning.
3. If the file is clean, it is automatically promoted to the Production blob container. If a threat is detected, it is moved to an isolated Quarantine container with forensic labeling. Regardless of the verdict, the full response sequence is executed: an alert email is dispatched via **Outlook**, an **Azure Sentinel** incident is created for the SOC, a STIX-format **Threat Intelligence** indicator is published, an **Action Center** task is created for human analyst review via a custom UiPath App, and an Orchestrator queue item records the case.
4. Once the analyst completes their review, the queue transaction is formally closed, unblocking the supplier for future submissions.

The solution is built entirely on UiPath Studio Web using Agentic Process Orchestration, Trigger Processes, Sub-processes, an AI Agent, an API Process, a Web App, and a Queue Consumer — making it a complete, production-ready reference architecture for automated file security operations.

End-to-end SOAR solution that scans supplier files from email, OneDrive, and SharePoint using Azure Defender and AI Agent, then automatically quarantines threats and triggers full security response.

This Studio Web template automates threat analysis for files provided from a local path. The process accepts a local file path as input, uploads it to Azure Blob Storage, initiates malware scanning with Microsoft Defender for Cloud, enriches the results with Microsoft Sentinel Threat Intelligence, and supports incident response actions in Microsoft Azure Sentinel.

It is intended for analyst-driven or ad hoc file inspection scenarios where a local file must be checked quickly through a standardized SOAR workflow. The template connects manual file submission with automated scanning, enrichment, and response support.

This makes it useful for intake scenarios, investigation support, and rapid triage of suspicious files.



**Requirements**

- Configure the Microsoft Azure connection for the storage
- Configure Azure Defender for Cloud connection
- Configure Microsoft Azure Sentinel connection
- Configure Microsoft Sentinel Threat Intelligence connection
- Create an asset of a secret type containing a secret for the Blob Storage container and configure it for the Get Secret activity inside the template

Upload local files for malware scanning, enrich findings with Microsoft Sentinel Threat Intelligence, and support response in Microsoft Sentinel.

This Studio Web template automates threat analysis for email attachments received through Gmail. The process retrieves the newest email, downloads its attachments, uploads the files to Azure Blob Storage, initiates malware scanning with Microsoft Defender for Cloud, enriches the results using Microsoft Sentinel Threat Intelligence, and supports incident response actions in Microsoft Azure Sentinel.

The template is intended for organizations that want to accelerate attachment triage and build repeatable SOAR workflows for email-driven threats. It connects email intake, file inspection, threat enrichment, and security response in a single flow.

It is a strong starting point for teams that need a reusable template for suspicious attachment handling and email-based threat investigation.



**Requirements**

- Configure the Microsoft Azure connection for the storage
- Configure the Google Mail connection
- Configure Azure Defender for Cloud connection
- Configure Microsoft Azure Sentinel connection
- Configure Microsoft Sentinel Threat Intelligence connection
- Create an asset of a secret type containing a secret for the Blob Storage container and configure it for the Get Secret activity inside the template

Download Gmail attachments, scan them with Microsoft Defender for Storage, enrich findings with Microsoft Sentinel Threat Intelligence, and support response in Microsoft Sentinel.

This Studio Web template automates file-based threat analysis for files stored in Google Drive. The process retrieves the target file from Google Drive, uploads it to Azure Blob Storage, initiates a malware scan with Microsoft Defender for Cloud, enriches the investigation with Microsoft Sentinel Threat Intelligence, and supports incident response actions in Microsoft Azure Sentinel.

This template is designed for security and to standardize how files are inspected, enriched, and escalated across cloud-based environments. It provides a practical starting point for building SOAR workflows that connect file intake, malware scanning, threat intelligence, and response.

By combining Google Drive with Microsoft security services, the template helps reduce manual triage effort and speeds up investigation of potentially malicious files.



**Requirements**

- Configure the Microsoft Azure connection for the storage
- Configure the Google Drive connection
- Configure Azure Defender for Cloud connection
- Configure Microsoft Azure Sentinel connection
- Configure Microsoft Sentinel Threat Intelligence connection
- Create an asset of a secret type containing a secret for the Blob Storage container and configure it for the Get Secret activity inside the template

Retrieve files from Google Drive, upload them to Azure Blob Storage, trigger malware scanning with Microsoft Defender for Cloud, enrich findings with Microsoft Sentinel Threat Intelligence, and support incident response in Microsoft Azure Sentinel.

This Studio Web template automates threat analysis for attachments received through Outlook. The process retrieves the newest email, downloads its attachments, uploads the files to Azure Blob Storage, initiates malware scanning with Microsoft Defender for Cloud, enriches the investigation with Microsoft Sentinel Threat Intelligence, and supports incident response actions in Microsoft Azure Sentinel.

The template is suited for organizations that want repeatable security workflows for email attachment analysis in Microsoft-centric environments. It combines email intake, file scanning, threat enrichment, and response support in one process.

It can be used as a foundation for broader SOAR scenarios involving suspicious attachments, analyst triage, and automated escalation.



**Requirements**

- Configure the Microsoft Azure connection for the storage
- Configure the Microsoft Outlook connection
- Configure Azure Defender for Cloud connection
- Configure Microsoft Azure Sentinel connection
- Configure Microsoft Sentinel Threat Intelligence connection
- Create an asset of a secret type containing a secret for the Blob Storage container and configure it for the Get Secret activity inside the template

Download Outlook attachments, scan them with Microsoft Defender for Storage, enrich findings with Microsoft Sentinel Threat Intelligence, and support response in Microsoft Sentinel.

	Template	Apps	Used in
	SOAR Threat Analysis – Scan Local Files Upload local files for malware scanning, enrich findings with Microsoft Sentinel Threat Intelligence, and support response in Microsoft Sentinel.		<100 automations
	SOAR Threat Analysis – Scan Files from Gmail Attachments Download Gmail attachments, scan them with Microsoft Defender for Storage, enrich findings with Microsoft Sentinel Threat Intelligence, and support response in Microsoft Sentinel.		<100 automations
	SOAR Threat Analysis – Scan Files from Google Drive Retrieve files from Google Drive, upload them to Azure Blob Storage, trigger malware scanning with Microsoft Defender for Cloud, enrich findings with Microsoft Sentinel Threat Intelligence, and support incident response in Microsoft Azure Sentinel.		<100 automations
	SOAR Threat Analysis – Scan Files from Outlook Attachments Download Outlook attachments, scan them with Microsoft Defender for Storage, enrich findings with Microsoft Sentinel Threat Intelligence, and support response in Microsoft Sentinel.		<100 automations

Automate SOC workflows in Microsoft Sentinel with incident-driven UiPath processes.

Azure Sentinel connector

Explore Studio Web templates

Explore Studio Desktop listings

Similar apps

Security Orchestration, Automation, and Response

Security Orchestration, Automation, and Response