This article lists all supported, out-of-the-box data connectors and links to each connector's deployment steps.
Important
Data connectors noted as Preview are currently in Preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Data connectors are available as part of the following offerings:
Solutions: Many data connectors are deployed as part of a Microsoft Sentinel solution together with related content like analytics rules, workbooks, and playbooks. For more information, see the Microsoft Sentinel solutions catalog.
Community connectors: More data connectors are provided by the Microsoft Sentinel community and can be found in the Azure Marketplace. Documentation for community data connectors is the responsibility of the organization that created the connector.
Custom connectors: If you have a data source that isn't listed or currently supported, you can also create your own, custom connector. For more information, see Resources for creating Microsoft Sentinel custom connectors.
Each data connector has its own set of prerequisites, such as specific permissions on your Azure workspace, subscription, or policy, or other requirements of the partner data source you're connecting to. Prerequisites for each data connector are listed on the relevant data connector page in Microsoft Sentinel.
Azure Monitor agent (AMA) based data connectors require an internet connection from the system where the agent is installed. Enable port 443 outbound to allow a connection between the system where the agent is installed and Microsoft Sentinel.
Log collection from many security appliances and devices is supported by the Syslog via AMA and Common Event Format (CEF) via AMA data connectors in Microsoft Sentinel. To forward data to your Log Analytics workspace for Microsoft Sentinel, complete the steps in Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent. These steps include installing the Microsoft Sentinel solution for a security appliance or device from the Content hub in Microsoft Sentinel. Then, configure the Syslog via AMA or Common Event Format (CEF) via AMA data connector that's appropriate for the Microsoft Sentinel solution you installed. Complete the setup by configuring the security device or appliance.
Where information about a specific appliance or device is unavailable, contact the solution provider.
Filter and ingest logs in text-file format from network or security applications installed on Windows or Linux machines by using the Custom Logs via AMA connector in Microsoft Sentinel. For more information, see the following articles:
Note
The following table lists the data connectors that are available in the Microsoft Sentinel Content hub. The connectors are supported by the product vendor. For support, see the link in the Supported by column in the following table.
Connector | Supported by |
---|---|
**AliCloud (using Azure Functions)** The AliCloud data connector provides the capability to retrieve logs from cloud applications using the Cloud API and store events into Microsoft Sentinel through the REST API. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): Data collection rule support: Prerequisites: - REST API Credentials/permissions: AliCloudAccessKeyId and AliCloudAccessKey are required for making API calls. | Microsoft Corporation |
**Azure Activity** Azure Activity Log is a subscription log that provides insight into subscription-level events that occur in Azure, including events from Azure Resource Manager operational data, service health events, write operations taken on the resources in your subscription, and the status of activities performed in Azure. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Azure Firewall** Connect to Azure Firewall. Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Azure Key Vault** Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. This connector lets you stream your Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Azure Kubernetes Service (AKS)** Azure Kubernetes Service (AKS) is an open-source, fully managed container orchestration service that allows you to deploy, scale, and manage Docker containers and container-based applications in a cluster environment. This connector lets you stream your Azure Kubernetes Service (AKS) diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Azure SQL Databases** Azure SQL is a fully managed, Platform-as-a-Service (PaaS) database engine that handles most database management functions, such as upgrading, patching, backups, and monitoring, without necessitating user involvement. This connector lets you stream your Azure SQL database audit and diagnostic logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Azure Storage Account** An Azure Storage account is a cloud solution for modern data storage scenarios. It contains all your data objects: blobs, files, queues, tables, and disks. This connector lets you stream Azure Storage account diagnostics logs into your Microsoft Sentinel workspace, allowing you to continuously monitor activity in all your instances and detect malicious activity in your organization. Log Analytics table(s): Data collection rule support: Prerequisites: | Microsoft Corporation |
**Azure Web Application Firewall (WAF)** Connect to the Azure Web Application Firewall (WAF) for Application Gateway or CDN. This WAF protects your applications from common web vulnerabilities such as SQL injection and cross-site scripting, and lets you customize rules to reduce false positives. Instructions to stream your Web Application Firewall logs into Microsoft Sentinel are shown during the installation process. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Cisco ASA/FTD via AMA (Preview)** The Cisco ASA firewall connector allows you to easily connect your Cisco ASA logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. Log Analytics table(s): Data collection rule support: Prerequisites: | Microsoft Corporation |
**DNS** The DNS log connector allows you to easily connect your DNS analytic and audit logs with Microsoft Sentinel, and other related data, to improve investigation. When you enable DNS log collection you can: - Identify clients that try to resolve malicious domain names. - Identify stale resource records. - Identify frequently queried domain names and talkative DNS clients. - View request load on DNS servers. - View dynamic DNS registration failures. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Elastic Agent (Standalone)** The Elastic Agent data connector provides the capability to ingest Elastic Agent logs, metrics, and security data into Microsoft Sentinel. Log Analytics table(s): Data collection rule support: Prerequisites: | Microsoft Corporation |
**F5 BIG-IP** The F5 firewall connector allows you to easily connect your F5 logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. Log Analytics table(s): Data collection rule support: | F5 Networks |
**Microsoft 365 (formerly Office 365)** The Microsoft 365 (formerly Office 365) activity log connector provides insight into ongoing user activities. You get details of operations such as file downloads, access requests sent, changes to group events, and set-mailbox, along with details of the user who performed the actions. By connecting Microsoft 365 logs to Microsoft Sentinel you can use this data to view dashboards, create custom alerts, and improve your investigation process. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Microsoft Entra ID** Gain insights into Microsoft Entra ID by connecting Audit and Sign-in logs to Microsoft Sentinel. You can learn about app usage, conditional access policies, and legacy authentication details from the Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage and on Microsoft Entra ID management activities such as user, group, role, and app management from the Audit logs table. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Palo Alto Prisma Cloud CSPM (using Azure Functions)** The Palo Alto Prisma Cloud CSPM data connector provides the capability to ingest Prisma Cloud CSPM alerts and audit logs into Microsoft Sentinel using the Prisma Cloud CSPM API. Refer to the Prisma Cloud CSPM API documentation for more information. Log Analytics table(s): Data collection rule support: Prerequisites: - Palo Alto Prisma Cloud API Credentials: Prisma Cloud API Url, Prisma Cloud Access Key ID, and Prisma Cloud Secret Key are required for the Prisma Cloud API connection. See the documentation to learn more about creating a Prisma Cloud Access Key and about obtaining the Prisma Cloud API Url. | Microsoft Corporation |
**Threat intelligence - TAXII** Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send the supported STIX object types from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Windows DNS Events via AMA** The Windows DNS log connector allows you to easily filter and stream all analytics logs from your Windows DNS servers to your Microsoft Sentinel workspace using the Azure Monitor agent (AMA). Having this data in Microsoft Sentinel helps you identify issues and security threats such as: - Attempts to resolve malicious domain names. - Stale resource records. - Frequently queried domain names and talkative DNS clients. - Attacks performed on DNS servers. You can get the following insights into your Windows DNS servers from Microsoft Sentinel: - All logs centralized in a single place. - Request load on DNS servers. - Dynamic DNS registration failures. Windows DNS events are supported by the Advanced SIEM Information Model (ASIM) and stream data into the ASimDnsActivityLogs table. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Windows Firewall** Windows Firewall is a Microsoft Windows application that filters information coming to your system from the internet and blocks potentially harmful programs. The software blocks most programs from communicating through the firewall. Users simply add a program to the list of allowed programs to allow it to communicate through the firewall. When using a public network, Windows Firewall can also secure the system by blocking all unsolicited attempts to connect to your computer. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Windows Firewall Events via AMA** Windows Firewall is a Microsoft Windows application that filters information coming to your system from the internet and blocks potentially harmful programs. The firewall software blocks most programs from communicating through the firewall. To stream the Windows Firewall application logs collected from your machines, use the Azure Monitor agent (AMA) to stream those logs to the Microsoft Sentinel workspace. A configured data collection endpoint (DCE) must be linked to the data collection rule (DCR) created for the AMA to collect logs. For this connector, a DCE is automatically created in the same region as the workspace. If you already use a DCE in the same region, you can replace the default DCE with your existing one through the API. DCEs can be located among your resources by the SentinelDCE prefix in the resource name. For more information, see the following articles: - Data collection endpoints in Azure Monitor - Microsoft Sentinel documentation. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Windows Forwarded Events** You can stream all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using the Azure Monitor Agent (AMA). This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Windows Security Events via AMA** You can stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Wiz (using Azure Functions)** The Wiz connector allows you to easily send Wiz Issues, Vulnerability Findings, and Audit logs to Microsoft Sentinel. Log Analytics table(s): Data collection rule support: Prerequisites: - Wiz Service Account credentials: Ensure you have your Wiz service account client ID and client secret, API endpoint URL, and auth URL. Instructions can be found in the Wiz documentation. | Wiz |
Note
The following table lists the deprecated and legacy data connectors. Deprecated connectors are no longer supported.
Connector | Supported by |
---|---|
**Security Events via Legacy Agent** You can stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Subscription-based Microsoft Defender for Cloud (Legacy)** Microsoft Defender for Cloud is a security management tool that allows you to detect and quickly respond to threats across Azure, hybrid, and multi-cloud workloads. This connector allows you to stream your security alerts from Microsoft Defender for Cloud into Microsoft Sentinel, so you can view Defender data in workbooks, query it to produce alerts, and investigate and respond to incidents. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
**Syslog via Legacy Agent** Syslog is an event logging protocol that is common to Linux. Applications send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace. Learn more. Log Analytics table(s): Data collection rule support: | Microsoft Corporation |
For more information, see: