
Setting up the Microsoft Sentinel integration

Microsoft Sentinel Connector Onboarding Guide

This guide walks you through how to install and configure the Valimail Microsoft Sentinel Connector in your Azure environment using the Azure Marketplace.

Overview

The Valimail Microsoft Sentinel Connector retrieves security and authentication events from your Valimail account and ingests them into your Microsoft Sentinel workspace for monitoring and analysis. Events refresh approximately every 5 minutes, following Microsoft's recommended cadence.

Installation is a two-part process, both completed in the Azure Portal:

1. Deploy the Valimail solution from the Azure Marketplace.

2. Configure the data connector in Microsoft Sentinel. After deployment, the Valimail connector appears in your Sentinel workspace under Data connectors, where you enter your credentials.

No scripts, manual deployments, or support-issued URLs are required.

Estimated installation time: 10–15 minutes

Prerequisites

Before starting the installation, please make sure you have the following items ready.

1. Azure Account Access & Permissions

The user performing the installation must have access to the Azure Portal and one of the following roles:

  • Owner

  • Contributor (or a custom role with equivalent permissions)

A Resource Group containing a Log Analytics Workspace is required. If you don't already have one, creating it is a two-step process:

1. Go to Sentinel > Create > Create a new workspace. That will create a workspace in a new or existing Resource Group (this will be needed during the deployment).

2. Go to Sentinel > Create > Select the workspace created at step 1, and click Add Sentinel.

2. Valimail Reporting API Keys

The connector uses Valimail Reporting API keys to retrieve event data from your Valimail account.

To obtain a Reporting API Key:

  1. Log in to the Valimail Web Application.

  2. Navigate to Account Settings.

  3. Open the API Keys section from the side menu.

  4. Generate a new Reporting API Key.

  5. Store the key securely.

No additional permissions or scopes need to be configured for this key.

Installation Steps

Step 1: Open the Azure Marketplace Listing

Navigate to the Valimail Enforce Events solution in the Azure Marketplace by clicking on the button below:

Click on Get It Now and sign in to the Azure Portal when prompted. This will launch the guided Azure deployment experience.

Note: Please use the Marketplace link above to access the solution. The Valimail solution may not yet appear when searching in the Microsoft Sentinel Content Hub.

Step 2: Deploy the Solution

In the Azure deployment wizard, you will be prompted to:

  • Select an Azure Subscription.

  • Select the Resource Group mentioned above. The wizard also asks for the Workspace in a dropdown, which will show the Workspace you created.

You can select any existing Resource Group created previously, as long as it has a Workspace in it.

  • Review the deployment summary.

  • Click Create.

Estimated deployment time: 10–15 minutes

Step 3: Configure the Data Connector in Microsoft Sentinel

Once deployment completes, the Valimail connector becomes available in your Sentinel workspace.

1. In the Azure Portal, open Microsoft Sentinel and select your workspace.

2. Navigate to Data connectors.

3. Locate and select the Valimail Enforce Events connector.

4. Enter the following values:

  • Valimail Account Slug

  • Valimail API Client ID

  • Valimail API App ID

Note: Please be mindful of the field input names as they are similar.

To retrieve your account slug, log in to Valimail Enforce and go to the Account Overview page from the side menu. The account slug is located in the URL in the browser's address bar.

https://app.valimail.com/app/{account_slug}/dmarc/overview

5. Save the configuration.

The connector will begin retrieving events from Valimail immediately and ingesting them into your Sentinel workspace.

Completion & Validation

After configuration, events from your Valimail account will start flowing into Microsoft Sentinel automatically. By default, the connector retrieves events from the last 7 days at first run, then refreshes approximately every 5 minutes.

Note: It may take 5–6 minutes for the first events and logs to appear.

Note: The Data Connector should display “Status: Connected”. The connector retrieves only configuration events (creation, deletion, etc.) as they happen, so data may not populate immediately if no such events have occurred.

Events sent:

  • Service Enabled

  • Service Deleted

  • Domain Added

  • Domain Deleted

  • User Added

  • User Deleted

  • DKIM Key Added

  • DKIM Key Deleted

  • DMARC Policy Change

  • SPF Delegation Started

  • SPF Delegation Stopped

To validate ingestion:

  • Confirm the deployment completed successfully in Azure.

  • In the connector configuration, there is a "go to analytics" link. There is also a link to analytics in the Sentinel instance. It can take some time for the table to be created, as it requires events to be received.

Important: The deployment creates a dedicated Application Insights instance for the connector. Logs will not appear in a global or pre-existing Application Insights resource.

Troubleshooting Tips

If data does not appear after configuration:

  • Allow at least 5–6 minutes for logs and events to appear.

  • Ensure the API Client ID and API App ID are valid.

  • Check the Application Insights traces logs for errors.

If you entered an incorrect Valimail Reporting API Key during connector configuration and the connection failed, the connector has to be disconnected and removed from the Connector configuration. The Valimail connector will then appear in the Content Hub for Sentinel, marked as installed; select it and click "re-install". Contact Valimail Support if you encounter this.

Note: By default, the connector retrieves events from the last 7 days. If there were no events during that period, no data will appear in Sentinel, and Application Insights logs may show no errors.

If you have questions about the Microsoft Sentinel integration, please do not hesitate to contact the Valimail Support team.
