Security teams face increasing pressure to maintain visibility and control across complex, hybrid environments. With data spread across multiple systems, detecting threats, correlating incidents, and enforcing governance can become fragmented and time-consuming—especially as organizations accelerate their cloud adoption and AI transformations.
Today, we’re happy to announce that MongoDB Atlas now integrates directly with Microsoft Sentinel, Microsoft’s cloud-native and AI-ready SIEM, SOAR, UEBA, and TI platform trusted by thousands of enterprises worldwide. This native integration allows teams to automatically ingest MongoDB Atlas logs into Microsoft Sentinel with just a few clicks—with no manual connectors or scripts required.
The MongoDB Atlas Data Connector, available via the Microsoft Marketplace or the Sentinel Content Hub, uses an Azure Function to pull logs from Atlas clusters through the Atlas Admin API and to stream them into Sentinel via the Log Ingestion API. Once in Microsoft Sentinel, the logs appear in your Log Analytics Workspace, ready for query, visualization, and automation using KQL, workbooks, and Logic Apps.
By combining MongoDB Atlas’s rich monitoring and alerting capabilities with Microsoft Sentinel’s AI-driven analytics, graph correlation, and automated response workflows, security teams gain unified visibility across their Atlas workloads and the rest of their cloud estate.
Giving teams a single security view
This integration gives enterprises a single, AI-ready security operations view across applications and data. By leveraging the integration, customers can:
Simplify incident detection and response, reducing mean time to resolution.
Strengthen governance and compliance through centralized monitoring and automated reporting.
Accelerate time-to-value by deploying directly from the Microsoft Marketplace with unified billing and familiar Azure management.
Together, MongoDB Atlas and Microsoft Sentinel eliminate visibility gaps, streamline SecOps, and empower organizations to operate securely and confidently across their Azure environments.

Setting up the integration
The integration’s setup experience is designed for simplicity and speed:
1. Create a Log Analytics Workspace and connect it to your Microsoft Sentinel instance.
2. Search for “MongoDB Atlas Data Connector” in the Microsoft Marketplace or Sentinel Content Hub, then install the solution.
3. In Microsoft Sentinel, navigate to Data Connectors → MongoDB Atlas Data Connector, and select Deploy to Azure.
4. Provide:
   - Your Log Analytics workspace details.
   - MongoDB Project ID and the list of clusters to monitor.
   - Service Account credentials (or a Key Vault reference) for API authentication.
5. Optionally also configure:
   - Log category filters (NETWORK, ACCESS, QUERY).
   - Exclusions for specific Category IDs.
   - Polling frequency for the Azure Function based on log volume and activity.
Once deployed, the function app, data collection endpoint (DCE), data collection rule (DCR), storage account, and Key Vault are automatically created, and logs begin flowing into Microsoft Sentinel per your defined schedule.
Technical deep dive
The technical diagram below illustrates the following integration components:
The connector UI captures the Log Analytics workspace, Atlas specifics, and schedule.
The Azure Function periodically retrieves MongoDB logs.
The JobState table maintains the last run timestamp to ensure incremental log collection.
The DCE and DCR handle data transformation before ingestion into MDBALogTable_CL.
Azure Key Vault securely stores the MongoDB API credentials.
This architecture ensures security and scalability, while aligning with enterprise compliance requirements.
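The incremental collection that the JobState table makes possible can be sketched as follows. This is an added example, not code from the connector or its repository: `run_once`, `fetch_logs`, `ingest`, the dict standing in for the JobState table, the five-minute first-run lookback, and the sample entries with their category IDs are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

ALLOWED_CATEGORIES = {"NETWORK", "ACCESS", "QUERY"}  # category filter
EXCLUDED_CATEGORY_IDS = {9002}                       # constructed exclusion

def run_once(job_state, cluster, now, fetch_logs, ingest):
    """One scheduled run over the half-open window [last_run, now).

    job_state is a dict standing in for the JobState table; fetch_logs and
    ingest are hypothetical callables for the Atlas pull and the Sentinel push.
    """
    # Assumed first-run behaviour: look back one five-minute interval.
    start = job_state.get(cluster, now - timedelta(minutes=5))
    batch = [e for e in fetch_logs(cluster, start, now)
             if start <= e["timestamp"] < now
             and e["category"] in ALLOWED_CATEGORIES
             and e["category_id"] not in EXCLUDED_CATEGORY_IDS]
    if batch:
        ingest(batch)            # raises on failure, before the checkpoint moves
    job_state[cluster] = now     # advance only after a successful hand-off
    return len(batch)

T0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
def _entry(minute, category, category_id):
    return {"timestamp": T0 + timedelta(minutes=minute), "category": category,
            "category_id": category_id, "severity": "I", "message": "constructed"}

# Constructed sample entries, not real Atlas output.
SAMPLE = [_entry(1, "ACCESS", 9001), _entry(2, "NETWORK", 9002),
          _entry(3, "STORAGE", 9003), _entry(5, "QUERY", 9004)]

def demo():
    state, sent = {"cluster0": T0}, []
    fetch = lambda cluster, start, end: SAMPLE
    def failing_ingest(batch):
        raise ConnectionError("ingestion endpoint unavailable")
    try:
        run_once(state, "cluster0", T0 + timedelta(minutes=5), fetch, failing_ingest)
    except ConnectionError:
        pass
    after_failure = state["cluster0"]     # still T0, so nothing is skipped
    first = run_once(state, "cluster0", T0 + timedelta(minutes=5), fetch, sent.extend)
    second = run_once(state, "cluster0", T0 + timedelta(minutes=10), fetch, sent.extend)
    return after_failure, first, second, [e["category"] for e in sent]

if __name__ == "__main__":
    print(demo())
```

The half-open window leaves the entry stamped exactly on the boundary for the following run, so consecutive runs neither duplicate nor drop it, and a failed ingestion leaves the checkpoint where it was so the same window is retried.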

MongoDB Atlas logs follow a schema that includes timestamp, category, severity, category ID, message, and additional attributes, as detailed here. Below is a screenshot of the logs as ingested into the MDBALogTable_CL table.
Once available in Microsoft Sentinel, these logs can be queried, filtered, or visualized in dashboards. Analysts can build custom workbooks, define alerts on specific severity levels or categories, and trigger automated playbooks for real-time remediation.

Unifying data and security management
Modern security operations demand centralized visibility, intelligent analytics, and automated response without compromising on flexibility or developer agility.
The MongoDB Atlas Data Connector for Microsoft Sentinel empowers organizations to unify their data and security management, ensuring MongoDB workloads benefit from the same advanced protection, analytics, and automation as the rest of their cloud ecosystem.
With this integration, customers can now:
Simplify log ingestion and monitoring for Atlas workloads
Enhance incident detection and investigation
Apply consistent policies and automation across their entire enterprise environment
By bringing MongoDB Atlas into the Microsoft Sentinel ecosystem, security teams can finally manage, monitor, and respond to database security events from a single, intelligent, AI-powered platform.
Next Steps
For more, see Microsoft’s blog post announcing the MongoDB accelerator. And get started with the MongoDB Solution for Microsoft Sentinel via the Microsoft Marketplace or the Sentinel Content Hub (available within Microsoft Sentinel). Visit the MongoDB Sentinel Connector GitHub repo for the code powering the MongoDB Solution for Microsoft Sentinel.