Events
May 19, 6 PM - May 23, 12 AM
Calling all developers, creators, and AI innovators to join us in Seattle @Microsoft Build May 19-22.
Register todayFind your Microsoft Sentinel data connector
This article lists all supported, out-of-the-box data connectors and links to each connector's deployment steps.
Important
- Noted Microsoft Sentinel data connectors are currently in Preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
- Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see Microsoft Sentinel in the Microsoft Defender portal.
Data connectors are available as part of the following offerings:
Solutions: Many data connectors are deployed as part of Microsoft Sentinel solution together with related content like analytics rules, workbooks, and playbooks. For more information, see the Microsoft Sentinel solutions catalog.
Community connectors: More data connectors are provided by the Microsoft Sentinel community and can be found in the Azure Marketplace. Documentation for community data connectors is the responsibility of the organization that created the connector.
Custom connectors: If you have a data source that isn't listed or currently supported, you can also create your own, custom connector. For more information, see Resources for creating Microsoft Sentinel custom connectors.
Note
For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.
Each data connector has its own set of prerequisites. Prerequisites might include that you must have specific permissions on your Azure workspace, subscription, or policy. Or, you must meet other requirements for the partner data source you're connecting to.
Prerequisites for each data connector are listed on the relevant data connector page in Microsoft Sentinel.
Azure Monitor agent (AMA) based data connectors require an internet connection from the system where the agent is installed. Enable port 443 outbound to allow a connection between the system where the agent is installed and Microsoft Sentinel.
Log collection from many security appliances and devices are supported by the data connectors Syslog via AMA or Common Event Format (CEF) via AMA in Microsoft Sentinel. To forward data to your Log Analytics workspace for Microsoft Sentinel, complete the steps in Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent. These steps include installing the Microsoft Sentinel solution for a security appliance or device from the Content hub in Microsoft Sentinel. Then, configure the Syslog via AMA or Common Event Format (CEF) via AMA data connector that's appropriate for the Microsoft Sentinel solution you installed. Complete the setup by configuring the security device or appliance. Find instructions to configure your security device or appliance in one of the following articles:
- CEF via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion
- Syslog via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion
Contact the solution provider for more information or where information is unavailable for the appliance or device.
Filter and ingest logs in text-file format from network or security applications installed on Windows or Linux machines by using the Custom Logs via AMA connector in Microsoft Sentinel. For more information, see the following articles:
- Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel
- Custom Logs via AMA data connector - Configure data ingestion to Microsoft Sentinel from specific applications
The following connectors use the current codeless connector platform but don't have a specific documentation page generated. They're available from the content hub in Microsoft Sentinel as part of a solution. For instructions on how to configure these data connectors, review the instructions available with each data connector within Microsoft Sentinel.
| Codeless connector name | Azure Marketplace solution |
|---|---|
| Atlassian Jira Audit (using REST API) (Preview) | Atlassian Jira Audit |
| Auth0 | Auth0 |
| Box | Box Solution |
| Cisco Meraki (using Rest API) | Cisco Meraki Events via REST API |
| Ermes Browser Security Events | Ermes Browser Security for Microsoft Sentinel |
| Google Cloud Platform Firewall Logs | Google Cloud Platform Firewall Logs |
| Google Cloud Platform Load Balancer (including WAF aka Cloud Armour logs) (Preview) | Google Cloud Platform Load Balancer Logs (Preview) |
| Okta Single Sign-On (Preview) | Okta Single Sign-On Solution |
| Palo Alto Corex XDR | Palo Alto Cortex XDR CCP |
| SentinelOne | SentinelOne |
| Sophos Endpoint Protection (using REST API) (Preview) | Sophos Endpoint Protection Solution |
| VMWare Carbon Black | VMware Carbon Black Cloud |
| Workday User Activity (Preview) | Workday (Preview) |
For more information about the codeless connector platform, see Create a codeless connector for Microsoft Sentinel.
- Armis Activities (using Azure Functions)
- Armis Alerts (using Azure Functions)
- Armis Alerts Activities (using Azure Functions)
- Armis Devices (using Azure Functions)
- Cisco ASA/FTD via AMA (Preview)
- Cisco Duo Security (using Azure Functions)
- Cisco Secure Endpoint (AMP) (using Azure Functions)
- Cisco Umbrella (using Azure Functions)
- CrowdStrike Falcon Adversary Intelligence (using Azure Functions)
- Crowdstrike Falcon Data Replicator (using Azure Functions)
- Crowdstrike Falcon Data Replicator V2 (using Azure Functions)
- Google Cloud Platform DNS (using Azure Functions)
- Google Cloud Platform IAM (using Azure Functions)
- Google Cloud Platform Cloud Monitoring (using Azure Functions)
- Google ApigeeX (using Azure Functions)
- Google Workspace (G Suite) (using Azure Functions)
- [Recommended] Infoblox Cloud Data Connector via AMA
- [Recommended] Infoblox SOC Insight Data Connector via AMA
- Infoblox Data Connector via REST API (using Azure Functions)
- Infoblox SOC Insight Data Connector via REST API
- Island Enterprise Browser Admin Audit (Polling CCP)
- Island Enterprise Browser User Activity (Polling CCP)
- Lookout (using Azure Function)
- Lookout Cloud Security for Microsoft Sentinel (using Azure Functions)
- Automated Logic WebCTRL
- Microsoft Entra ID
- Microsoft Entra ID Protection
- Azure Activity
- Azure Cognitive Search
- Azure DDoS Protection
- Azure Key Vault
- Azure Kubernetes Service (AKS)
- Microsoft Purview (Preview)
- Azure Storage Account
- Azure Web Application Firewall (WAF)
- Azure Batch Account
- Common Event Format (CEF) via AMA
- Windows DNS Events via AMA
- Azure Event Hubs
- Microsoft 365 Insider Risk Management
- Azure Logic Apps
- Microsoft Defender for Identity
- Microsoft Defender XDR
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Endpoint
- Subscription-based Microsoft Defender for Cloud (Legacy)
- Tenant-based Microsoft Defender for Cloud (Preview)
- Microsoft Defender for Office 365 (Preview)
- Microsoft Power BI
- Microsoft Project
- Microsoft Purview Information Protection
- Network Security Groups
- Microsoft 365
- Windows Security Events via AMA
- Azure Service Bus
- Azure Stream Analytics
- Syslog via AMA
- Microsoft Defender Threat Intelligence (Preview)
- Premium Microsoft Defender Threat Intelligence (Preview)
- Threat intelligence - TAXII
- Threat Intelligence Platforms
- Threat Intelligence Upload Indicators API (Preview)
- Microsoft Defender for IoT
- Windows Firewall
- Windows Firewall Events via AMA (Preview)
- Windows Forwarded Events
- Exchange Security Insights Online Collector (using Azure Functions)
- Exchange Security Insights On-Premises Collector
- IIS Logs of Microsoft Exchange Servers
- Microsoft Active-Directory Domain Controllers Security Event Logs
- Microsoft Exchange Admin Audit Logs by Event Logs
- Microsoft Exchange HTTP Proxy Logs
- Microsoft Exchange Logs and Events
- Microsoft Exchange Message Tracking Logs
- Forcepoint DLP
- MISP2Sentinel
- Mimecast Audit (using Azure Functions)
- Mimecast Awareness Training (using Azure Functions)
- Mimecast Cloud Integrated (using Azure Functions)
- Mimecast Audit & Authentication (using Azure Functions)
- Mimecast Secure Email Gateway (using Azure Functions)
- Mimecast Intelligence for Microsoft - Microsoft Sentinel (using Azure Functions)
- Mimecast Targeted Threat Protection (using Azure Functions)
- Netskope (using Azure Functions)
- Netskope Data Connector (using Azure Functions)
- Netskope Web Transactions Data Connector (using Azure Functions)
- Qualys Vulnerability Management (using Azure Functions)
- Qualys VM KnowledgeBase (using Azure Functions)
For more information, see: