Microsoft Sentinel data connectors
After you onboard Microsoft Sentinel into your workspace, use data connectors to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many out of the box connectors for Microsoft services, which integrate in real time. For example, the Microsoft Defender XDR connector is a service-to-service connector that integrates data from Office 365, Microsoft Entra ID, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps.
Built-in connectors enable connection to the broader security ecosystem for non-Microsoft products. For example, use Syslog, Common Event Format (CEF), or REST APIs to connect your data sources with Microsoft Sentinel.
The Microsoft Sentinel Data connectors page shows the full list of connectors and their status for your workspace. Soon this page will only show the list of in-use data connectors. For more information on this upcoming change, see Out-of-the-box content centralization changes
To add more data connectors, install the solution associated with the data connector from the Content Hub. For more information, see the following articles:
- Find your Microsoft Sentinel data connector
- Discover and manage Microsoft Sentinel out-of-the-box content
- Microsoft Sentinel content hub catalog
For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.
Enable a data connector
From the Data connectors page, select the active or custom connector you want to connect, and then select Open connector page. If you don't see the data connector you want, install the solution associated with it from the Content Hub.
Once you fulfill all the prerequisites listed in the Instructions tab, the connector page describes how to ingest the data to Microsoft Sentinel. It may take some time for data to start arriving.
After you connect, you see a summary of the data in the Data received graph, and the connectivity status of the data types.
Learn about your specific data connector in the data connectors reference.
REST API integration for data connectors
Many security technologies provide a set of APIs for retrieving log files, and some data sources can use those APIs to connect to Microsoft Sentinel.
Data connectors that use APIs either integrate from the provider side or integrate using Azure Functions, as described in the following sections.
Learn more about data connectors in the data connectors reference.
REST API integration on the provider side
An API integration built by the provider connects with the provider data sources and pushes data into Microsoft Sentinel custom log tables using the Azure Monitor Data Collector API.
To learn about REST API integration, read your provider documentation and Connect your data source to Microsoft Sentinel's REST-API to ingest data.
REST API integration using Azure Functions
Integrations that use Azure Functions to connect with a provider API first format the data, and then send it to Microsoft Sentinel custom log tables using the Azure Monitor Data Collector API. Learn how to use Azure Functions to connect your data source to Microsoft Sentinel.
Integrations that use Azure Functions may have extra data ingestion costs, because you host Azure Functions on your Azure tenant. Learn more about Azure Functions pricing.
Agent-based integration for data connectors
Microsoft Sentinel can use the Syslog protocol to connect an agent to any data source that can perform real-time log streaming. For example, most on-premises data sources connect using agent-based integration.
The following sections describe the different types of Microsoft Sentinel agent-based data connectors. Follow the steps in each Microsoft Sentinel data connector page to configure connections using agent-based mechanisms.
Learn which firewalls, proxies, and endpoints connect to Microsoft Sentinel through CEF or Syslog in the data connectors reference.
You can stream events from Linux-based, Syslog-supporting devices into Microsoft Sentinel using the Azure Monitor Agent (AMA). Depending on the device type, the agent is installed either directly on the device, or on a dedicated Linux-based log forwarder. The AMA receives events from the Syslog daemon over UDP. The Syslog daemon forwards events to the agent internally, communicating over UDS (Unix Domain Sockets). The AMA then transmits these events to the Microsoft Sentinel workspace.
Here is a simple flow that shows how Microsoft Sentinel streams Syslog data.
- The device's built-in Syslog daemon collects local events of the specified types, and forwards the events locally to the agent.
- The agent streams the events to your Log Analytics workspace.
- After successful configuration, the data appears in the Log Analytics Syslog table.
Common Event Format (CEF)
Log formats vary, but many sources support CEF-based formatting. The Microsoft Sentinel agent, which is actually the Log Analytics agent, converts CEF-formatted logs into a format that Log Analytics can ingest.
For data sources that emit data in CEF, set up the Syslog agent and then configure the CEF data flow. After successful configuration, the data appears in the CommonSecurityLog table.
Learn how to connect CEF-based appliances to Microsoft Sentinel.
For some data sources, you can collect logs as files on Windows or Linux computers using the Log Analytics custom log collection agent.
Follow the steps in each Microsoft Sentinel data connector page to connect using the Log Analytics custom log collection agent. After successful configuration, the data appears in custom tables.
Service-to-service integration for data connectors
Microsoft Sentinel uses the Azure foundation to provide out-of-the-box, service-to-service support for Microsoft services and Amazon Web Services.
Learn how to connect to Azure, Windows, Microsoft, and Amazon services or learn about data connector types in the data connectors reference.
Deploy data connectors as part of a solution
Microsoft Sentinel solutions provide packages of security content, including data connectors, workbooks, analytics rules, playbooks, and more. When you deploy a solution with a data connector, you get the data connector together with related content in the same deployment.
Learn how to centrally discover and deploy Microsoft Sentinel out-of-the-box content and solutions or learn about the Microsoft Sentinel solutions catalog.
Data connector support
Both Microsoft and other organizations author Microsoft Sentinel data connectors. Each data connector has one of these support types:
Partners or the Community support data connectors that are authored by any party other than Microsoft.
|Applies to data connectors authored by parties other than Microsoft.
The partner company provides support or maintenance for these data connectors. The partner company can be an Independent Software Vendor, a Managed Service Provider (MSP/MSSP), a Systems Integrator (SI), or any organization whose contact information is provided on the Microsoft Sentinel page for that data connector.
For any issues with a partner-supported data connector, contact the specified data connector support contact.
|Applies to data connectors authored by Microsoft or partner developers that don't have listed contacts for data connector support and maintenance on the specified data connector page in Microsoft Sentinel.
For questions or issues with these data connectors, you can file an issue in the Microsoft Sentinel GitHub community.
Find the support contact for a data connector
- In the Microsoft Sentinel Data connectors page, select the relevant connector.
- To access support and maintenance for the connector, use the support contact link in the Supported by field on the side panel for the connecter.
- To get started with Microsoft Sentinel, you need a subscription to Microsoft Azure. If you don't have a subscription, you can sign up for a free trial.
- Learn how to onboard your data to Microsoft Sentinel and get visibility into your data and potential threats.
- To learn about custom data connectors, see Resources for creating Microsoft Sentinel custom connectors.
- For a basic Infrastructure as Code (IaC) reference of Bicep, ARM and Terraform to deploy data connectors in Microsoft Sentinel, see Microsoft Sentinel data connector IaC reference.