Important
Attention: All Microsoft Sentinel features will be officially retired in Azure in China regions on August 18, 2026 per the announcement posted by 21Vianet.
This article lists all supported, out-of-the-box data connectors and links to each connector's deployment steps.
Important
Noted Microsoft Sentinel data connectors are currently in Preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Data connectors are available as part of the following offerings:
- Solutions: Many data connectors are deployed as part of a Microsoft Sentinel solution together with related content like analytics rules, workbooks, and playbooks. For more information, see the Microsoft Sentinel solutions catalog.
- Community connectors: More data connectors are provided by the Microsoft Sentinel community and can be found in the Azure Marketplace. Documentation for community data connectors is the responsibility of the organization that created the connector.
- Custom connectors: If you have a data source that isn't listed or currently supported, you can also create your own custom connector. For more information, see Resources for creating Microsoft Sentinel custom connectors.
Data connector prerequisites
Each data connector has its own set of prerequisites. Prerequisites might include that you must have specific permissions on your Azure workspace, subscription, or policy. Or, you must meet other requirements for the partner data source you're connecting to.
Prerequisites for each data connector are listed on the relevant data connector page in Microsoft Sentinel.
Azure Monitor agent (AMA) based data connectors require an internet connection from the system where the agent is installed. Enable port 443 outbound to allow a connection between the system where the agent is installed and Microsoft Sentinel.
Syslog and Common Event Format (CEF) connectors
Log collection from many security appliances and devices is supported by the Syslog via AMA and Common Event Format (CEF) via AMA data connectors in Microsoft Sentinel. To forward data to your Log Analytics workspace for Microsoft Sentinel, complete the steps in Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent. These steps include installing the Microsoft Sentinel solution for a security appliance or device from the Content hub in Microsoft Sentinel. Then, configure the Syslog via AMA or Common Event Format (CEF) via AMA data connector that's appropriate for the Microsoft Sentinel solution you installed. Complete the setup by configuring the security device or appliance.
Contact the solution provider for more information or where information is unavailable for the appliance or device.
Custom Logs via AMA connector
Filter and ingest logs in text-file format from network or security applications installed on Windows or Linux machines by using the Custom Logs via AMA connector in Microsoft Sentinel.
Sentinel data connectors
Note
The following table lists the data connectors that are available in the Microsoft Sentinel Content hub. The connectors are supported by the product vendor. For support, see the link in the Supported by column in the following table.
Azure Activity
Supported by: Microsoft Corporation
Azure Activity Log is a subscription log that provides insight into subscription-level events that occur in Azure, including events from Azure Resource Manager operational data, service health events, write operations taken on the resources in your subscription, and the status of activities performed in Azure.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| AzureActivity | No |
Data collection rule support: Not currently supported
Azure DevOps Audit Logs (via Codeless Connector Framework)
Supported by: Microsoft Corporation
The Azure DevOps Audit Logs data connector allows you to ingest audit events from Azure DevOps into Microsoft Sentinel. This data connector is built using the Microsoft Sentinel Codeless Connector Framework, ensuring seamless integration. It leverages the Azure DevOps Audit Logs API to fetch detailed audit events and supports DCR-based ingestion time transformations. These transformations enable parsing of the received audit data into a custom table during ingestion, improving query performance by eliminating the need for additional parsing. By using this connector, you can gain enhanced visibility into your Azure DevOps environment and streamline your security operations.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| ADOAuditLogs_CL | Yes |
Data collection rule support: Workspace transform DCR
Prerequisites:
- Azure DevOps Prerequisite: Please ensure the following:
1. Register an Entra App in Microsoft Entra Admin Center under App Registrations.
2. In 'API permissions' - add Permissions to 'Azure DevOps - vso.auditlog'.
3. In 'Certificates & secrets' - generate 'Client secret'.
4. In 'Authentication' - add Redirect URI: 'https://portal.azure.cn/TokenAuthorize/ExtensionName/Microsoft_Azure_Security_Insights'.
5. In the Azure DevOps settings - enable audit log and set View audit log for the user. Azure DevOps Auditing.
6. Ensure the user assigned to connect the data connector has the View audit logs permission explicitly set to Allow at all times. This permission is essential for successful log ingestion. If the permission is revoked or not granted, data ingestion will fail or be interrupted.
Azure Firewall
Supported by: Microsoft Corporation
Connect to Azure Firewall. Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| AzureDiagnostics | No |
| AZFWApplicationRule | Yes |
| AZFWFlowTrace | Yes |
| AZFWFatFlow | Yes |
| AZFWNatRule | Yes |
| AZFWDnsQuery | Yes |
| AZFWIdpsSignature | Yes |
| AZFWInternalFqdnResolutionFailure | Yes |
| AZFWNetworkRule | Yes |
| AZFWThreatIntel | Yes |
Data collection rule support: Workspace transform DCR
Azure Key Vault
Supported by: Microsoft Corporation
Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. This connector lets you stream your Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| AzureDiagnostics | No |
Data collection rule support: Not currently supported
Azure Kubernetes Service (AKS)
Supported by: Microsoft Corporation
Azure Kubernetes Service (AKS) is an open-source, fully-managed container orchestration service that allows you to deploy, scale, and manage Docker containers and container-based applications in a cluster environment. This connector lets you stream your Azure Kubernetes Service (AKS) diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| AzureDiagnostics | No |
Data collection rule support: Not currently supported
Azure SQL Databases
Supported by: Microsoft Corporation
Azure SQL is a fully managed, Platform-as-a-Service (PaaS) database engine that handles most database management functions, such as upgrading, patching, backups, and monitoring, without necessitating user involvement. This connector lets you stream your Azure SQL databases audit and diagnostic logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| AzureDiagnostics | No |
Data collection rule support: Not currently supported
Azure Storage Account
Supported by: Microsoft Corporation
Azure Storage account is a cloud solution for modern data storage scenarios. It contains all your data objects: blobs, files, queues, tables, and disks. This connector lets you stream Azure Storage accounts diagnostics logs into your Microsoft Sentinel workspace, allowing you to continuously monitor activity in all your instances, and detect malicious activity in your organization.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| AzureMetrics | No |
| StorageBlobLogs | Yes |
| StorageQueueLogs | Yes |
| StorageTableLogs | Yes |
| StorageFileLogs | Yes |
Data collection rule support: Workspace transform DCR
Prerequisites:
- Policy: Owner role assigned for each policy assignment scope
Azure Web Application Firewall (WAF)
Supported by: Microsoft Corporation
Connect to the Azure Web Application Firewall (WAF) for Application Gateway, Front Door, or CDN. This WAF protects your applications from common web vulnerabilities such as SQL injection and cross-site scripting, and lets you customize rules to reduce false positives. Instructions to stream your Microsoft Web application firewall logs into Microsoft Sentinel are shown during the installation process.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| AzureDiagnostics | No |
Data collection rule support: Not currently supported
Cisco ASA/FTD via AMA
Supported by: Microsoft Corporation
The Cisco ASA firewall connector allows you to easily connect your Cisco ASA logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| CommonSecurityLog | Yes |
Data collection rule support: Workspace transform DCR
Prerequisites:
- To collect data from non-Azure VMs, they must have Azure Arc installed and enabled.
Custom logs via AMA
Supported by: Microsoft Corporation
Many applications log information to text or JSON files instead of standard logging services, such as Windows Event logs, Syslog or CEF. The Custom Logs data connector allows you to collect events from files on both Windows and Linux computers and stream them to custom logs tables you created. While streaming the data you can parse and transform the contents using the DCR. After collecting the data, you can apply analytic rules, hunting, searching, threat intelligence, enrichments and more.
NOTE: Use this connector for the following devices: Cisco Meraki, Zscaler Private Access (ZPA), VMware vCenter, Apache HTTP server, Apache Tomcat, JBoss Enterprise application platform, Juniper IDP, MarkLogic Audit, MongoDB Audit, Nginx HTTP server, Oracle WebLogic server, PostgreSQL Events, Squid Proxy, Ubiquiti UniFi, SecurityBridge Threat detection SAP and AI vectra stream.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| JBossEvent_CL | No |
| JuniperIDP_CL | No |
| ApacheHTTPServer_CL | No |
| Tomcat_CL | No |
| meraki_CL | No |
| VectraStream_CL | No |
| MarkLogicAudit_CL | No |
| MongoDBAudit_CL | No |
| NGINX_CL | No |
| OracleWebLogicServer_CL | No |
| PostgreSQL_CL | No |
| SquidProxy_CL | No |
| Ubiquiti_CL | No |
| vcenter_CL | No |
| ZPA_CL | No |
| SecurityBridgeLogs_CL | No |
Data collection rule support: Not currently supported
Prerequisites:
- Permissions: To collect data from non-Azure VMs, they must have Azure Arc installed and enabled.
DNS
Supported by: Microsoft Corporation
The DNS log connector allows you to easily connect your DNS analytic and audit logs with Microsoft Sentinel, and other related data, to improve investigation.
When you enable DNS log collection you can:
- Identify clients that try to resolve malicious domain names.
- Identify stale resource records.
- Identify frequently queried domain names and talkative DNS clients.
- View request load on DNS servers.
- View dynamic DNS registration failures.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| DnsEvents | Yes |
| DnsInventory | Yes |
Data collection rule support: Workspace transform DCR
Microsoft 365 (formerly, Office 365)
Supported by: Microsoft Corporation
The Microsoft 365 (formerly, Office 365) activity log connector provides insight into ongoing user activities. You will get details of operations such as file downloads, access requests sent, changes to group events, set-mailbox and details of the user who performed the actions. By connecting Microsoft 365 logs into Microsoft Sentinel you can use this data to view dashboards, create custom alerts, and improve your investigation process.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| OfficeActivity | Yes |
Data collection rule support: Workspace transform DCR
Microsoft Entra ID
Supported by: Microsoft Corporation
Gain insights into Microsoft Entra ID by connecting Audit and Sign-in logs to Microsoft Sentinel. The Sign-in logs show app usage, conditional access policies, and legacy authentication-related details. The Audit logs table shows your Self Service Password Reset (SSPR) usage and Microsoft Entra ID management activities such as user, group, role, and app management.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| SigninLogs | Yes |
| AuditLogs | Yes |
| AADNonInteractiveUserSignInLogs | Yes |
| AADServicePrincipalSignInLogs | Yes |
| AADManagedIdentitySignInLogs | Yes |
| AADProvisioningLogs | Yes |
| ADFSSignInLogs | Yes |
| AADUserRiskEvents | Yes |
| AADRiskyUsers | Yes |
| NetworkAccessTraffic | Yes |
| AADRiskyServicePrincipals | Yes |
| AADServicePrincipalRiskEvents | Yes |
Data collection rule support: Workspace transform DCR
Palo Alto Prisma Cloud CSPM (via Codeless Connector Framework)
Supported by: Microsoft Corporation
The Palo Alto Prisma Cloud CSPM data connector allows you to connect to your Palo Alto Prisma Cloud CSPM instance and ingest Alerts (https://pan.dev/prisma-cloud/api/cspm/alerts/) and Audit Logs (https://pan.dev/prisma-cloud/api/cspm/audit-logs/) into Microsoft Sentinel.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| PaloAltoPrismaCloudAlertV2_CL | Yes |
Data collection rule support: Workspace transform DCR
Syslog via AMA
Supported by: Microsoft Corporation
Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace.
Log Analytics table(s):
| Table | DCR support | Lake-only ingestion |
|---|---|---|
| Syslog | Yes | Yes |
Data collection rule support: Workspace transform DCR
Threat intelligence - TAXII
Supported by: Microsoft Corporation
Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send the supported STIX object types from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| ThreatIntelligenceIndicator | Yes |
Data collection rule support: Workspace transform DCR
Windows DNS Events via AMA
Supported by: Microsoft Corporation
The Windows DNS log connector allows you to easily filter and stream all analytics logs from your Windows DNS servers to your Microsoft Sentinel workspace using the Azure Monitor agent (AMA). Having this data in Microsoft Sentinel helps you identify issues and security threats such as:
- Trying to resolve malicious domain names.
- Stale resource records.
- Frequently queried domain names and talkative DNS clients.
- Attacks performed on DNS server.
You can get the following insights into your Windows DNS servers from Microsoft Sentinel:
- All logs centralized in a single place.
- Request load on DNS servers.
- Dynamic DNS registration failures.
Windows DNS events are supported by Advanced SIEM Information Model (ASIM) and stream data into the ASimDnsActivityLogs table.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| ASimDnsActivityLogs | Yes |
Data collection rule support: Workspace transform DCR
Windows Firewall
Supported by: Microsoft Corporation
Windows Firewall is a Microsoft Windows application that filters information coming to your system from the Internet and blocks potentially harmful programs. The software blocks most programs from communicating through the firewall. Users simply add a program to the list of allowed programs to allow it to communicate through the firewall. When using a public network, Windows Firewall can also secure the system by blocking all unsolicited attempts to connect to your computer.
Log Analytics table(s):
| Table | DCR support |
|---|---|
Data collection rule support: Not currently supported
Windows Firewall Events via AMA
Supported by: Microsoft Corporation
Windows Firewall is a Microsoft Windows application that filters information coming to your system from the internet and blocks potentially harmful programs. The firewall software blocks most programs from communicating through the firewall. To stream your Windows Firewall application logs collected from your machines, use the Azure Monitor agent (AMA) to stream those logs to the Microsoft Sentinel workspace.
A configured data collection endpoint (DCE) is required to be linked with the data collection rule (DCR) created for the AMA to collect logs. For this connector, a DCE is automatically created in the same region as the workspace. If you already use a DCE stored in the same region, it's possible to change the default created DCE and use your existing one through the API. DCEs can be located in your resources with the SentinelDCE prefix in the resource name.
Log Analytics table(s):
| Table | DCR support |
|---|---|
Data collection rule support: Not currently supported
Windows Forwarded Events
Supported by: Microsoft Corporation
You can stream all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA). This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| WindowsEvent | Yes |
Data collection rule support: Workspace transform DCR
Windows Security Events via AMA
Supported by: Microsoft Corporation
You can stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| SecurityEvent | Yes |
Data collection rule support: Workspace transform DCR
Deprecated Sentinel data connectors
Security Events via Legacy Agent
Supported by: Microsoft Corporation
You can stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| SecurityEvent | Yes |
Data collection rule support: Workspace transform DCR
Subscription-based Microsoft Defender for Cloud (Legacy)
Supported by: Microsoft Corporation
Microsoft Defender for Cloud is a security management tool that allows you to detect and quickly respond to threats across Azure, hybrid, and multi-cloud workloads. This connector allows you to stream your security alerts from Microsoft Defender for Cloud into Microsoft Sentinel, so you can view Defender data in workbooks, query it to produce alerts, and investigate and respond to incidents.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| SecurityAlert | Yes |
Data collection rule support: Workspace transform DCR
Syslog via Legacy Agent
Supported by: Microsoft Corporation
Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace.
Log Analytics table(s):
| Table | DCR support |
|---|---|
| Syslog | Yes |
Data collection rule support: Workspace transform DCR