Originally published March 30, 2026 | Updated May 4, 2026
What’s new in this update: Both playbooks now deploy from a single consolidated template per repository. Roles are assigned automatically at deployment. Fewer manual steps. Faster time to a running pipeline.
When Your AppSec Data Lives in a Silo
Application security scanning generates critical findings. When those findings sit in a separate platform, disconnected from your SIEM, your security team loses context. Vulnerability data in one tool, audit trails in another, and incident response happening in a third: that fragmentation slows everything down.
We built two open-source playbooks to solve this. They connect Checkmarx One directly into Microsoft Sentinel, pulling both SAST scan results and audit log events into a single, queryable environment. Zero third-party connectors. Zero custom development projects. A clean, automated pipeline that keeps your application security data where your analysts already work.
The Problem: Scattered Data, Slower Response
Checkmarx One runs static analysis scans, tracks vulnerabilities across your codebase, and logs user activity for compliance and forensics. The challenge is that none of that data natively flows into Sentinel.
For teams running their SOC out of Sentinel, that creates a gap. SAST findings that should inform incident triage stay locked in the Checkmarx console. Audit events that could reveal suspicious account activity or unauthorized configuration changes remain invisible to your correlation rules. Analysts toggle between platforms, manually cross-referencing data that should already be centralized.
The real cost is missed correlation. A vulnerability finding paired with unusual login behavior tells a different story than either data point alone. That story stays buried unless both streams flow into the same workspace.
Why We Built These Playbooks
We chose to build rather than wait for a native connector or invest in heavy middleware. The result is two lightweight Logic App playbooks that handle the ingestion automatically.
The first, AS-Checkmarx-SAST-Ingestion, pulls static analysis scan results into a custom Sentinel log table. Every finding lands with full context: severity, CWE classification, CVSS score, source file, line number, compliance mapping, and vulnerability status. Your team can query, trend, and alert on application security findings using the same KQL workflows they already use for everything else.

The second, AS-Checkmarx-Audit-Ingestion, captures audit log events from the Checkmarx platform. Login activity, configuration changes, role assignments, and user actions all flow into Sentinel where they can be correlated with broader identity and access signals. Failed login attempts from an unusual IP address become actionable signals for your detection rules, visible in the same workspace as the rest of your telemetry.

Both playbooks use Microsoft’s current Data Collection Rule and Data Collection Endpoint architecture. This is the ingestion model Microsoft is actively promoting as the standard, and it resolves the concurrency and data integrity issues that teams sometimes encounter with older connector-based approaches.
Faster Deployment, Less Manual Setup
The latest version of both playbooks consolidates what were previously three separate deployment files into a single template per repository. Roles required for the integration are now assigned automatically at deployment, removing manual steps that previously had to be completed after install.
For practitioners, that means a faster path from clone to running pipeline. For security and platform teams reviewing the deployment, it means a smaller, easier-to-audit change set.
One Workspace, Full Context
When your application security telemetry lives alongside your endpoint, identity, network, and cloud signals, your team operates with complete visibility. These playbooks make that possible without adding complexity to your daily operations.
With these integrations, you can:
- Ingest Checkmarx SAST findings directly into Sentinel custom log tables, complete with severity, CWE, CVSS, source file, and vulnerability status
- Capture Checkmarx audit events for login monitoring, user activity tracking, configuration audits, and compliance reporting
- Correlate application vulnerabilities with identity signals and infrastructure alerts using native KQL queries
- Automate detection and response workflows using Sentinel’s built-in analytics rules and playbooks
Both playbooks run on a daily recurrence, keeping your Sentinel workspace current without manual intervention. Because they share a common Data Collection Endpoint, deploying both is straightforward: a single DCE supports the full integration.
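A sketch of the audit correlation described above, as an added example that is not taken from either repository: it flags role or configuration changes made from an IP address that was absent from a user's login baseline and that first produced repeated failed logins. The table name, column names, event-type values and rows are constructed assumptions, defined inline with `datatable` so the query runs without the real custom tables.

```kql
// Constructed sample rows; names and values are assumptions, not the playbooks' schema.
let Audit = datatable(TimeGenerated:datetime, User:string, EventType:string, Outcome:string, IpAddress:string)
[
    datetime(2026-05-01 08:00), "alice", "login",          "success", "203.0.113.10",
    datetime(2026-05-02 08:05), "alice", "login",          "success", "203.0.113.10",
    datetime(2026-05-03 02:10), "alice", "login",          "failure", "198.51.100.7",
    datetime(2026-05-03 02:11), "alice", "login",          "failure", "198.51.100.7",
    datetime(2026-05-03 02:12), "alice", "login",          "failure", "198.51.100.7",
    datetime(2026-05-03 02:14), "alice", "login",          "success", "198.51.100.7",
    datetime(2026-05-03 02:20), "alice", "roleAssignment", "success", "198.51.100.7",
    datetime(2026-05-03 09:00), "bob",   "login",          "failure", "203.0.113.20",
    datetime(2026-05-03 09:01), "bob",   "login",          "success", "203.0.113.20"
];
let baselineStart = datetime(2026-04-26);   // start of the "known IP" baseline
let windowStart   = datetime(2026-05-03);   // detection window: the latest daily ingestion
let failThreshold = 3;                      // failed logins needed before an IP is of interest
// IPs each user has logged in from successfully during the baseline period.
let KnownIps = Audit
    | where TimeGenerated >= baselineStart and TimeGenerated < windowStart
    | where EventType == "login" and Outcome == "failure" == false and Outcome == "success"
    | distinct User, IpAddress;
// Users with repeated failed logins from an IP that is not in their baseline.
let FailedFromNewIp = Audit
    | where TimeGenerated >= windowStart
    | where EventType == "login" and Outcome == "failure"
    | join kind=leftanti (KnownIps) on User, IpAddress
    | summarize Failures = count(), FirstFailure = min(TimeGenerated) by User, IpAddress
    | where Failures >= failThreshold;
// Privileged changes made afterwards by the same user from that same IP.
Audit
| where TimeGenerated >= windowStart
| where EventType in ("roleAssignment", "configurationChange")
| join kind=inner (FailedFromNewIp) on User, IpAddress
| where TimeGenerated > FirstFailure
| project TimeGenerated, User, IpAddress, EventType, Failures, FirstFailure
```

On the sample rows this returns the single `roleAssignment` event for `alice` from `198.51.100.7`; `bob` is not flagged because one failed login is below the threshold. Because the playbooks run daily, a scheduled analytics rule built on this pattern should look back at least one day.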
Explore the Integrations
Both playbooks are free and open-source. Each repository includes the consolidated deployment template, configuration documentation, sample KQL queries, and setup instructions to get your team operational quickly.
➤ Access the SAST Ingestion Repository
➤ Access the Audit Ingestion Repository
Build a More Resilient Security Environment
If your team is working to consolidate security telemetry, automate AppSec workflows, or build stronger correlation between vulnerability data and SOC operations, we can help. Accelerynt works with enterprise security teams to design efficient, automation-driven environments that support Zero Trust and continuous monitoring.

