Find your Microsoft Sentinel data connector

This article describes how to deploy data connectors in Microsoft Sentinel, listing all supported, out-of-the-box data connectors, together with links to generic deployment procedures, and extra steps required for specific connectors.

Some data connectors are deployed only via solutions. For more information, see Discover and deploy Microsoft Sentinel out-of-the-box content and solutions. You can also find other, community-built data connectors in the Microsoft Sentinel GitHub repository.

How to use this guide

  1. First, locate the connector for your product, service, or device among the sections that follow (in the rendered article, the headings menu lists them).

    The first piece of information you'll see for each connector is its data ingestion method. The method that appears there will be a link to one of the following generic deployment procedures, which contain most of the information you'll need to connect your data sources to Microsoft Sentinel:

    Data ingestion method, followed by the linked article with instructions:
    Azure service-to-service integration: Connect to Azure, Windows, Microsoft, and Amazon services
    Common Event Format (CEF) over Syslog: Get CEF-formatted logs from your device or appliance into Microsoft Sentinel
    Microsoft Sentinel Data Collector API: Connect your data source to the Microsoft Sentinel Data Collector API to ingest data
    Azure Functions and the REST API: Use Azure Functions to connect Microsoft Sentinel to your data source
    Syslog: Collect data from Linux-based sources using Syslog
    Custom logs: Collect data in custom log formats to Microsoft Sentinel with the Log Analytics agent

    Note

    The Azure service-to-service integration data ingestion method links to three different sections of its article, depending on the connector type. Each connector's section below specifies the section within that article that it links to.

  2. When deploying a specific connector, choose the appropriate article linked to its data ingestion method, and use the information and extra guidance in the relevant section below to supplement the information in that article.

Tip

  • Many data connectors can also be deployed as part of a Microsoft Sentinel solution, together with related analytics rules, workbooks and playbooks. For more information, see the Microsoft Sentinel solutions catalog.

  • More data connectors are provided by the Microsoft Sentinel community and can be found in the Azure Marketplace. Documentation for community data connectors is the responsibility of the organization that created the connector.

  • If you have a data source that isn't listed or currently supported, you can also create your own, custom connector. For more information, see Resources for creating Microsoft Sentinel custom connectors.

Important

Data connectors marked (Preview) are currently in preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Data connector prerequisites

Each data connector has its own set of prerequisites, such as permissions required on your Azure workspace, subscription, or policy, or requirements of the partner data source you're connecting to.

Prerequisites for each data connector are listed on the relevant data connector page in Microsoft Sentinel, on the Instructions tab.

Agari Phishing Defense and Brand Protection (Preview)

Data ingestion method: Azure Functions and the REST API. Before deployment: Enable the Security Graph API (optional). After deployment: Assign necessary permissions to your Function App.
Log Analytics table(s): agari_bpalerts_log_CL, agari_apdtc_log_CL, agari_apdpolicy_log_CL
DCR support: Not currently supported
Azure Function App code: https://aka.ms/Sentinel-agari-functionapp
API credentials: Client ID, Client Secret (optional: Graph Tenant ID, Graph Client ID, Graph Client Secret)
Vendor documentation/installation instructions: Quick Start; Agari Developers Site
Connector deployment instructions: Single-click deployment via Azure Resource Manager (ARM) template, or manual deployment
Application settings: clientID, clientSecret, workspaceID, workspaceKey, enableBrandProtectionAPI (true/false), enablePhishingResponseAPI (true/false), enablePhishingDefenseAPI (true/false), resGroup (enter resource group), functionName, subId (enter subscription ID), enableSecurityGraphSharing (true/false; see below). Required if enableSecurityGraphSharing is set to true (see below): GraphTenantId, GraphClientId, GraphClientSecret. Optional: logAnalyticsUri
Supported by: Agari

Enable the Security Graph API (Optional)

Important

If you perform this step, do this before you deploy your data connector.

The Agari Function App allows you to share threat intelligence with Microsoft Sentinel via the Security Graph API. To use this feature, you'll need to enable the Sentinel Threat Intelligence Platforms connector and also register an application in Azure Active Directory.

This process will give you three pieces of information for use when deploying the Function App: the Graph tenant ID, the Graph client ID, and the Graph client secret (see the Application settings in the table above).

Assign necessary permissions to your Function App

The Agari connector uses an environment variable to store log access timestamps. For the application to write to this variable, permissions must be assigned to its system-assigned managed identity.

  1. In the Azure portal, navigate to Function App.
  2. In the Function App page, select your Function App from the list, then select Identity under Settings in the Function App's navigation menu.
  3. In the System assigned tab, set the Status to On.
  4. Select Save, and an Azure role assignments button will appear. Select it.
  5. In the Azure role assignments screen, select Add role assignment. Set Scope to Subscription, select your subscription from the Subscription drop-down, and set Role to App Configuration Data Owner.
  6. Select Save.

App Configuration Data Owner at subscription scope lets the Function App's identity write to every App Configuration store in that subscription. If your access policy requires least privilege, the same role can be assigned at a narrower scope, such as the resource group the Function App is deployed in; verify afterwards that the connector still updates its timestamps.

AI Analyst (AIA) by Darktrace (Preview)

Data ingestion method: Common Event Format (CEF) over Syslog. See Configure CEF log forwarding for AI Analyst.
Log Analytics table(s): CommonSecurityLog
DCR support: Workspace transformation DCR
Supported by: Darktrace

Configure CEF log forwarding for AI Analyst

Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Log Analytics agent.

  1. Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin.
  2. From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.
  3. A configuration window will open. Locate Microsoft Sentinel Syslog CEF and select New to reveal the configuration settings, if they aren't already shown.
  4. In the Server configuration field, enter the address of the log forwarder and, if needed, modify the communication port. Ensure that the port is set to 514 (the port the log forwarder listens on) and is allowed by any intermediary firewalls.
  5. Configure any alert thresholds, time offsets, or extra settings as required.
  6. Review any extra configuration options you may wish to enable that alter the Syslog syntax.
  7. Enable Send Alerts and save your changes.

AI Vectra Detect (Preview)

Data ingestion method: Common Event Format (CEF) over Syslog. See Configure CEF log forwarding for AI Vectra Detect.
Log Analytics table(s): CommonSecurityLog
DCR support: Workspace transformation DCR
Supported by: Vectra AI

Configure CEF log forwarding for AI Vectra Detect

Configure Vectra (X Series) Agent to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Log Analytics agent.

From the Vectra interface, navigate to Settings > Notifications and choose Edit Syslog configuration. Follow the instructions below to set up the connection:

  • Add a new Destination (the hostname of the log forwarder)
  • Set the Port as 514
  • Set the Protocol as UDP
  • Set the format to CEF
  • Set Log types (select all log types available)
  • Select Save

You can select the Test button to force the sending of some test events to the log forwarder.

For more information, see the Cognito Detect Syslog Guide, which can be downloaded from the resource page in Detect UI.
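Both of the procedures above end with an appliance emitting CEF over syslog on port 514 to the log forwarder. Before the first events reach CommonSecurityLog, it is worth confirming that what the appliance sends actually parses as CEF: a header with the wrong number of pipes or an unescaped pipe or equals sign inside a value will not map to the columns you expect. The following Python is an example added here, not code from Darktrace, Vectra, or Microsoft; it parses syslog-framed CEF lines (PRI header, the seven pipe-delimited header fields with escaped pipes, and the key=value extension with escaped `=` and `\`) and runs the checks a forwarder-side validation would. The sample lines are constructed for illustration and are not real product output.

```python
"""Parse and sanity-check CEF-over-syslog lines headed for a Sentinel log forwarder.
Added example; SAMPLE_LINES are constructed, not real Darktrace or Vectra output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SYSLOG_PRI = re.compile(r"^<(?P<pri>\d{1,3})>")
# An unescaped "key=" starts each extension value; keys never contain a backslash.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
SEVERITY_WORDS = {"Low", "Medium", "High", "Very-High"}


@dataclass
class CefEvent:
    facility: Optional[int]         # from the syslog PRI header, if present
    syslog_severity: Optional[int]  # from the syslog PRI header, if present
    header: Dict[str, str]          # the seven CEF header fields
    extension: Dict[str, str]       # key=value pairs, unescaped


def _unescape(s: str) -> str:
    """Undo CEF value escaping: \\= \\| \\\\ plus the \\n and \\r newline escapes."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append({"n": "\n", "r": "\r"}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _split_header(s: str) -> Tuple[List[str], str]:
    """Return the seven header fields (escaped pipes honoured) and the raw extension."""
    fields, buf, i = [], [], 0
    while i < len(s) and len(fields) < 7:
        if s[i] == "\\" and i + 1 < len(s):   # escaped character, never a delimiter
            buf.append(s[i + 1])
            i += 2
        elif s[i] == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(s[i])
            i += 1
    if len(fields) == 6 and buf:              # severity without a trailing pipe
        fields.append("".join(buf))
        i = len(s)
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 pipe-delimited fields")
    return fields, s[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Values may contain spaces, so each runs until the next unescaped 'key='."""
    keys = list(EXT_KEY.finditer(ext))
    result = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end])
    return result


def parse_cef_syslog(line: str) -> CefEvent:
    line = line.rstrip("\r\n")
    facility = syslog_sev = None
    m = SYSLOG_PRI.match(line)
    if m:
        facility, syslog_sev = divmod(int(m.group("pri")), 8)  # PRI = facility*8 + severity
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    fields, ext = _split_header(line[start + 4:])
    return CefEvent(facility, syslog_sev, dict(zip(HEADER_FIELDS, fields)), _parse_extension(ext))


def check_line(line: str) -> Tuple[bool, str]:
    """(True, '') if the line should land cleanly in CommonSecurityLog, else (False, why)."""
    try:
        ev = parse_cef_syslog(line)
    except ValueError as exc:
        return False, str(exc)
    if ev.facility is None:
        return False, "missing syslog <PRI> header"
    sev = ev.header["severity"]
    if not ((sev.isdigit() and 0 <= int(sev) <= 10) or sev in SEVERITY_WORDS):
        return False, f"severity {sev!r} is not 0-10 or Low/Medium/High/Very-High"
    return True, ""


def check_all(lines: List[str]) -> List[Tuple[bool, str]]:
    return [check_line(ln) for ln in lines]


SAMPLE_LINES = [  # constructed samples, not real appliance output
    "<134>Jan 14 10:22:01 darktrace CEF:0|Darktrace|AI Analyst|5.2|aianalyst/incident"
    "|Possible SSL Command and Control|7|src=10.10.4.21 shost=lab-pc-07 dst=198.51.100.23"
    " dpt=443 proto=TCP msg=Beaconing to rare endpoint cs1Label=incidentId cs1=1a2b3c",
    "<134>Jan 14 10:22:02 vectra-brain CEF:0|Vectra Networks|X Series|7.3|campaigns"
    "|Campaign Created|5|externalId=42 src=10.1.2.3 dst=203.0.113.9"
    " cs1Label=name cs1=quoted\\=value path=C:\\\\tools\\\\x.exe",
    "<134>Jan 14 10:22:03 vectra-brain CEF:0|Vectra\\|Networks|X Series|7.3|hostscoring|Host Score Changed|3|",
    "<134>Jan 14 10:22:04 badbox something that is not CEF",
]

if __name__ == "__main__":
    for ln, (ok, why) in zip(SAMPLE_LINES, check_all(SAMPLE_LINES)):
        print("OK " if ok else "BAD", ln[:60], why)
```

Run it against a capture from the forwarder (for example a few lines of `tcpdump -A port 514` output, or the file rsyslog writes) before enabling alerts on the appliance; a line that fails here will not parse into CommonSecurityLog columns either.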

Akamai Security Events (Preview)

Data ingestion method: Common Event Format (CEF) over Syslog, with a Kusto function parser
Log Analytics table(s): CommonSecurityLog
DCR support: Workspace transformation DCR
Kusto function alias: AkamaiSIEMEvent
Kusto function URL: https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Akamai%20Security%20Events/Parsers/AkamaiSIEMEvent.txt
Vendor documentation/installation instructions: Configure Security Information and Event Management (SIEM) integration; Set up a CEF connector
Supported by: Akamai

Alcide kAudit

Data ingestion method: Microsoft Sentinel Data Collector API
Log Analytics table(s): alcide_kaudit_activity_1_CL (Alcide kAudit activity logs), alcide_kaudit_detections_1_CL (Alcide kAudit detections), alcide_kaudit_selections_count_1_CL (Alcide kAudit activity counts), alcide_kaudit_selections_details_1_CL (Alcide kAudit activity details)
DCR support: Not currently supported
Vendor documentation/installation instructions: Alcide kAudit installation guide
Supported by: Alcide

Alsid for Active Directory

Data ingestion method: Log Analytics agent - custom logs. See Extra configuration for Alsid.
Log Analytics table(s): AlsidForADLog_CL
DCR support: Not currently supported
Kusto function alias: afad_parser
Kusto function URL: https://aka.ms/Sentinel-alsidforad-parser
Supported by: Alsid

Extra configuration for Alsid

  1. Configure the Syslog server

    You will first need a Linux Syslog server that Alsid for AD will send logs to. Typically you can run rsyslog on Ubuntu.

    You can then configure this server as you wish, but we recommend configuring it to write AFAD logs to a separate file. Alternatively, you can use a Quickstart template to deploy the Syslog server and the Log Analytics agent for you. If you do use the template, you can skip the agent installation instructions.

  2. Configure Alsid to send logs to your Syslog server

    On your Alsid for AD portal, go to System, Configuration, and then Syslog. From there, you can create a new Syslog alert toward your Syslog server.

    Once you've created a new Syslog alert, check that the logs are correctly gathered on your server in a separate file. For example, use the Test the configuration button in the Syslog alert configuration in AFAD and then look for the test event in that file. If you used the Quickstart template, the Syslog server will by default listen on port 514 over UDP and port 1514 over TCP, without TLS, so the alerts cross the network in cleartext; keep the path between AFAD and the Syslog server inside a trusted network segment, or configure TLS on the TCP listener yourself.
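As an added illustration of the separate-file layout recommended above (this configuration is not from Alsid or from the Quickstart template), here is an rsyslog drop-in that listens on the same ports the template uses and keeps AFAD events in their own file. The drop-in file name, the log paths, and the AFAD source address 10.0.0.5 are placeholders to replace with your own.

```conf
# /etc/rsyslog.d/10-afad.conf  (placeholder file name; added example, not Alsid's)
# Listeners matching the Quickstart template defaults: 514/UDP and 1514/TCP, no TLS.
module(load="imudp")
input(type="imudp" port="514" ruleset="afad")
module(load="imptcp")
input(type="imptcp" port="1514" ruleset="afad")

# Everything arriving on those listeners is routed here instead of to the
# default rules, so AFAD events never get mixed into /var/log/syslog.
# Create /var/log/afad beforehand; rsyslog will not create the directory.
ruleset(name="afad") {
    if $fromhost-ip == "10.0.0.5" then {            # placeholder: your AFAD server
        action(type="omfile" file="/var/log/afad/afad.log")
    } else {
        # Anything else hitting these ports is worth a look: it means another
        # host is sending to a listener that only AFAD should know about.
        action(type="omfile" file="/var/log/afad/unexpected-sources.log")
    }
}
```

Point the Log Analytics agent's custom-log collection at /var/log/afad/afad.log (that is what fills AlsidForADLog_CL in the connector table above). Both listeners are plaintext, exactly as in the template; if the AFAD-to-rsyslog hop leaves a trusted segment, replace the imptcp input with imtcp using the gtls stream driver so the TCP path is encrypted.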

Amazon Web Services

Data ingestion method: Azure service-to-service integration: Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data (top connector article)
Log Analytics table(s): AWSCloudTrail
DCR support: Workspace transformation DCR
Supported by: Microsoft

Amazon Web Services S3 (Preview)

Data ingestion method: Azure service-to-service integration: Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data (top connector article)
Log Analytics table(s): AWSCloudTrail, AWSGuardDuty, AWSVPCFlow
DCR support: Workspace transformation DCR
Supported by: Microsoft

Apache HTTP Server

Data ingestion method: Log Analytics agent - custom logs
Log Analytics table(s): ApacheHTTPServer_CL
DCR support: Not currently supported
Kusto function alias: ApacheHTTPServer
Kusto function URL: https://aka.ms/Sentinel-apachehttpserver-parser
Custom log sample file: access.log or error.log

Apache Tomcat

Data ingestion method: Log Analytics agent - custom logs
Log Analytics table(s): Tomcat_CL
DCR support: Not currently supported
Kusto function alias: TomcatEvent
Kusto function URL: https://aka.ms/Sentinel-ApacheTomcat-parser
Custom log sample file: access.log or error.log

Aruba ClearPass (Preview)

Data ingestion method: Common Event Format (CEF) over Syslog, with a Kusto function parser
Log Analytics table(s): CommonSecurityLog
DCR support: Workspace transformation DCR
Kusto function alias: ArubaClearPass
Kusto function URL: https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Aruba%20ClearPass/Parsers/ArubaClearPass.txt
Vendor documentation/installation instructions: Follow Aruba's instructions to configure ClearPass.
Supported by: Microsoft

Atlassian Confluence Audit (Preview)

Data ingestion method: Azure Functions and the REST API
Log Analytics table(s): Confluence_Audit_CL
DCR support: Not currently supported
Azure Function App code: https://aka.ms/Sentinel-confluenceauditapi-functionapp
API credentials: ConfluenceAccessToken, ConfluenceUsername, ConfluenceHomeSiteName
Vendor documentation/installation instructions: API Documentation; Requirements and instructions for obtaining credentials; View the audit log
Connector deployment instructions: Single-click deployment via Azure Resource Manager (ARM) template, or manual deployment
Kusto function alias: ConfluenceAudit
Kusto function URL/Parser config instructions: https://aka.ms/Sentinel-confluenceauditapi-parser
Application settings: ConfluenceUsername, ConfluenceAccessToken, ConfluenceHomeSiteName, WorkspaceID, WorkspaceKey, logAnalyticsUri (optional)
Supported by: Microsoft

Atlassian Jira Audit (Preview)

Data ingestion method: Azure Functions and the REST API
Log Analytics table(s): Jira_Audit_CL
DCR support: Not currently supported
Azure Function App code: https://aka.ms/Sentinel-jiraauditapi-functionapp
API credentials: JiraAccessToken, JiraUsername, JiraHomeSiteName
Vendor documentation/installation instructions: API Documentation - Audit records; Requirements and instructions for obtaining credentials
Connector deployment instructions: Single-click deployment via Azure Resource Manager (ARM) template, or manual deployment
Kusto function alias: JiraAudit
Kusto function URL/Parser config instructions: https://aka.ms/Sentinel-jiraauditapi-parser
Application settings: JiraUsername, JiraAccessToken, JiraHomeSiteName, WorkspaceID, WorkspaceKey, logAnalyticsUri (optional)
Supported by: Microsoft

Azure Active Directory

Data ingestion method: Azure service-to-service integration: Connect Azure Active Directory data to Microsoft Sentinel (top connector article)
License prerequisites/Cost information: Azure Active Directory P1 or P2 license for sign-in logs; any Azure AD license (Free/O365/P1/P2) for other log types; other charges may apply
Log Analytics table(s): SigninLogs, AuditLogs, AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs, AADManagedIdentitySignInLogs, AADProvisioningLogs, ADFSSignInLogs
DCR support: Workspace transformation DCR
Supported by: Microsoft

Azure Active Directory Identity Protection

Data ingestion method: Azure service-to-service integration: API-based connections
License prerequisites/Cost information: Azure AD Premium P2 subscription; other charges may apply
Log Analytics table(s): SecurityAlert
DCR support: Workspace transformation DCR
Supported by: Microsoft

Azure Activity

Data ingestion method: Azure service-to-service integration: Diagnostic settings-based connections, managed by Azure Policy. See Upgrade to the new Azure Activity connector.
Log Analytics table(s): AzureActivity
DCR support: Not currently supported
Supported by: Microsoft

Upgrade to the new Azure Activity connector

Data structure changes

This connector recently changed its back-end mechanism for collecting Activity log events. It is now using the diagnostic settings pipeline. If you're still using the legacy method for this connector, you are strongly encouraged to upgrade to the new version, which provides better functionality and greater consistency with resource logs. See the instructions below.

The diagnostic settings method sends the same data that the legacy method sent from the Activity log service, although there have been some changes to the structure of the AzureActivity table.

Here are some of the key improvements resulting from the move to the diagnostic settings pipeline:

  • Improved ingestion latency (event ingestion within 2-3 minutes of occurrence instead of 15-20 minutes).
  • Improved reliability.
  • Improved performance.
  • Support for all categories of events logged by the Activity log service (the legacy mechanism supports only a subset - for example, no support for Service Health events).
  • Management at scale with Azure Policy.

See the Azure Monitor documentation for more in-depth treatment of Azure Activity log and the diagnostic settings pipeline.

Disconnect from old pipeline

Before setting up the new Azure Activity log connector, you must disconnect the existing subscriptions from the legacy method.

  1. From the Microsoft Sentinel navigation menu, select Data connectors. From the list of connectors, select Azure Activity, and then select the Open connector page button on the lower right.

  2. Under the Instructions tab, in the Configuration section, in step 1, review the list of your existing subscriptions that are connected to the legacy method (so you know which ones to add to the new connector), and disconnect them all at once by selecting the Disconnect All button below the list.

  3. Continue setting up the new connector with the instructions linked in the table above.

Azure DDoS Protection

Data ingestion method: Azure service-to-service integration: Diagnostic settings-based connections
License prerequisites/Cost information: You must have a configured Azure DDoS Standard protection plan; you must have a configured virtual network with Azure DDoS Standard enabled; other charges may apply
Log Analytics table(s): AzureDiagnostics
DCR support: Not currently supported
Recommended diagnostics: DDoSProtectionNotifications, DDoSMitigationFlowLogs, DDoSMitigationReports
Supported by: Microsoft

Note

The status of the Azure DDoS Protection data connector changes to Connected only when the protected resources are under a DDoS attack, because these diagnostic logs only produce events while a mitigation is running. A status other than Connected before any attack has occurred does not by itself indicate a misconfiguration.

Azure Defender

See Microsoft Defender for Cloud.

Azure Firewall

Data ingestion method: Azure service-to-service integration: Diagnostic settings-based connections
Log Analytics table(s): AzureDiagnostics
DCR support: Not currently supported
Recommended diagnostics: AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallDnsProxy
Supported by: Microsoft

Azure Information Protection (Preview)

Data ingestion method: Azure service-to-service integration
Log Analytics table(s): InformationProtectionLogs_CL
DCR support: Not currently supported
Supported by: Microsoft

Note

The Azure Information Protection (AIP) data connector uses the AIP audit logs (public preview) feature. As of March 18, 2022, we are sunsetting the AIP analytics and audit logs public preview, and moving forward will be using the Microsoft 365 auditing solution. Full retirement is scheduled for September 30, 2022.

For more information, see Removed and retired services.

Azure Key Vault

Data ingestion method: Azure service-to-service integration: Diagnostic settings-based connections, managed by Azure Policy
Log Analytics table(s): KeyVaultData
DCR support: Not currently supported
Supported by: Microsoft

Azure Kubernetes Service (AKS)

Data ingestion method: Azure service-to-service integration: Diagnostic settings-based connections, managed by Azure Policy
Log Analytics table(s): kube-apiserver, kube-audit, kube-audit-admin, kube-controller-manager, kube-scheduler, cluster-autoscaler, guard
DCR support: Not currently supported
Supported by: Microsoft

Microsoft Purview

Data ingestion method: Azure service-to-service integration: Diagnostic settings-based connections. For more information, see Tutorial: Integrate Microsoft Sentinel and Microsoft Purview.
Log Analytics table(s): PurviewDataSensitivityLogs
DCR support: Not currently supported
Supported by: Microsoft

Azure SQL Databases

Data ingestion method: Azure service-to-service integration: Diagnostic settings-based connections, managed by Azure Policy. Also available in the Azure SQL and Microsoft Sentinel for SQL PaaS solutions.
Log Analytics table(s): SQLSecurityAuditEvents, SQLInsights, AutomaticTuning, QueryStoreWaitStatistics, Errors, DatabaseWaitStatistics, Timeouts, Blocks, Deadlocks, Basic, InstanceAndAppAdvanced, WorkloadManagement, DevOpsOperationsAudit
DCR support: Not currently supported
Supported by: Microsoft

Azure Storage Account

Data ingestion method: Azure service-to-service integration: Diagnostic settings-based connections. See Notes about storage account diagnostic settings configuration.
Log Analytics table(s): StorageBlobLogs, StorageQueueLogs, StorageTableLogs, StorageFileLogs
Recommended diagnostics: Account resource: Transaction. Blob/Queue/Table/File resources: StorageRead, StorageWrite, StorageDelete, Transaction
DCR support: Not currently supported
Supported by: Microsoft

Notes about storage account diagnostic settings configuration

The storage account (parent) resource has within it other (child) resources for each type of storage: files, tables, queues, and blobs.

When configuring diagnostics for a storage account, you must select and configure, in turn:

  • The parent account resource, exporting the Transaction metric.
  • Each of the child storage-type resources, exporting all the logs and metrics (see the table above).

You will only see the storage types that you actually have defined resources for.

Azure Web Application Firewall (WAF)

Data ingestion method: Azure service-to-service integration: Diagnostic settings-based connections
Log Analytics table(s): AzureDiagnostics
DCR support: Not currently supported
Recommended diagnostics: Application Gateway: ApplicationGatewayAccessLog, ApplicationGatewayFirewallLog. Front Door: FrontdoorAccessLog, FrontdoorWebApplicationFirewallLog. CDN WAF policy: WebApplicationFirewallLogs
Supported by: Microsoft

Barracuda CloudGen Firewall

Data ingestion method: Syslog
Log Analytics table(s): Syslog
DCR support: Workspace transformation DCR
Kusto function alias: CGFWFirewallActivity
Kusto function URL: https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Barracuda%20CloudGen%20Firewall/Parsers/CGFWFirewallActivity
Vendor documentation/installation instructions: https://aka.ms/Sentinel-barracudacloudfirewall-connector
Supported by: Barracuda

Barracuda WAF

Data ingestion method: Syslog
Log Analytics table(s): CommonSecurityLog (Barracuda), Barracuda_CL
Vendor documentation/installation instructions: https://aka.ms/asi-barracuda-connector
Supported by: Barracuda

See Barracuda instructions - note the assigned facilities for the different types of logs and be sure to add them to the default Syslog configuration.

BETTER Mobile Threat Defense (MTD) (Preview)

Data ingestion method: Microsoft Sentinel Data Collector API
Log Analytics table(s): BetterMTDDeviceLog_CL, BetterMTDIncidentLog_CL, BetterMTDAppLog_CL, BetterMTDNetflowLog_CL
DCR support: Not currently supported
Vendor documentation/installation instructions: BETTER MTD Documentation. Threat Policy setup, which defines the incidents that are reported to Microsoft Sentinel: in the Better MTD Console, select Policies on the side bar; select the Edit button of the Policy that you are using; for each Incident type that you want to be logged, go to the Send to Integrations field and select Sentinel.
Supported by: Better Mobile

Beyond Security beSECURE

Data ingestion method: Microsoft Sentinel Data Collector API
Log Analytics table(s): beSECURE_ScanResults_CL, beSECURE_ScanEvents_CL, beSECURE_Audit_CL
DCR support: Not currently supported
Vendor documentation/installation instructions: Access the Integration menu: select the More menu option, select Server, select Integration, enable Microsoft Sentinel, paste the Workspace ID and Primary Key values into the beSECURE configuration, and select Modify.
Supported by: Beyond Security

BlackBerry CylancePROTECT (Preview)

Data ingestion method: Syslog
Log Analytics table(s): Syslog
DCR support: Workspace transformation DCR
Kusto function alias: CylancePROTECT
Kusto function URL: https://aka.ms/Sentinel-cylanceprotect-parser
Vendor documentation/installation instructions: Cylance Syslog Guide
Supported by: Microsoft

Broadcom Symantec Data Loss Prevention (DLP) (Preview)

Data ingestion method: Common Event Format (CEF) over Syslog, with a Kusto function parser
Log Analytics table(s): CommonSecurityLog
DCR support: Workspace transformation DCR
Kusto function alias: SymantecDLP
Kusto function URL: https://aka.ms/Sentinel-symantecdlp-parser
Vendor documentation/installation instructions: Configuring the Log to a Syslog Server action
Supported by: Microsoft

Common Event Format (CEF) via AMA

Data ingestion method: Azure Monitor Agent-based connection
Log Analytics table(s): CommonSecurityLog
DCR support: Standard DCR
Supported by: Microsoft

Check Point

Data ingestion method: Common Event Format (CEF) over Syslog. Available from the Check Point solution.
Log Analytics table(s): CommonSecurityLog
DCR support: Workspace transformation DCR
Vendor documentation/installation instructions: Log Exporter - Check Point Log Export
Supported by: Check Point

Cisco ASA

Data ingestion method: Common Event Format (CEF) over Syslog. Available in the Cisco ASA solution.
Log Analytics table(s): CommonSecurityLog
DCR support: Workspace transformation DCR
Vendor documentation/installation instructions: Cisco ASA Series CLI Configuration Guide
Supported by: Microsoft

Cisco Firepower eStreamer (Preview)

Data ingestion method: Common Event Format (CEF) over Syslog. See Extra configuration for Cisco Firepower eStreamer.
Log Analytics table(s): CommonSecurityLog
DCR support: Workspace transformation DCR
Vendor documentation/installation instructions: eStreamer eNcore for Sentinel Operations Guide
Supported by: Cisco

Extra configuration for Cisco Firepower eStreamer

  1. Install the Firepower eNcore client
    Install and configure the Firepower eNcore eStreamer client. For more information, see the full Cisco install guide.

  2. Download the Firepower Connector from GitHub
    Download the latest version of the Firepower eNcore connector for Microsoft Sentinel from the Cisco GitHub repository. If you plan on using python3, use the python3 eStreamer connector.

  3. Create a pkcs12 file using the Azure/VM IP Address
    Create a pkcs12 certificate using the public IP of the VM instance in Firepower under System > Integration > eStreamer. For more information, see the install guide.

  4. Test Connectivity between the Azure/VM Client and the FMC
    Copy the pkcs12 file from the FMC to the Azure/VM instance and run the test utility (./encore.sh test) to ensure a connection can be established. For more information, see the setup guide.

  5. Configure eNcore to stream data to the agent
    Configure eNcore to stream data via TCP to the Log Analytics Agent. This configuration should be enabled by default, but extra ports and streaming protocols can be configured depending on your network security posture. It is also possible to save the data to the file system. For more information, see Configure eNcore.

Cisco Meraki (Preview)

Data ingestion method: Syslog. Available in the Cisco ISE solution.
Log Analytics table(s): Syslog
DCR support: Workspace transformation DCR
Kusto function alias: CiscoMeraki
Kusto function URL: https://aka.ms/Sentinel-ciscomeraki-parser
Vendor documentation/installation instructions: Meraki Device Reporting documentation
Supported by: Microsoft

Cisco Umbrella (Preview)

Data ingestion method: Azure Functions and the REST API. Available in the Cisco Umbrella solution.
Log Analytics table(s): Cisco_Umbrella_dns_CL, Cisco_Umbrella_proxy_CL, Cisco_Umbrella_ip_CL, Cisco_Umbrella_cloudfirewall_CL
DCR support: Not currently supported
Azure Function App code: https://aka.ms/Sentinel-CiscoUmbrellaConn-functionapp
API credentials: AWS Access Key ID, AWS Secret Access Key, AWS S3 Bucket Name
Vendor documentation/installation instructions: Logging to Amazon S3
Connector deployment instructions: Single-click deployment via Azure Resource Manager (ARM) template, or manual deployment
Kusto function alias: Cisco_Umbrella
Kusto function URL/Parser config instructions: https://aka.ms/Sentinel-ciscoumbrella-function
Application settings: WorkspaceID, WorkspaceKey, S3Bucket, AWSAccessKeyId, AWSSecretAccessKey, logAnalyticsUri (optional)
Supported by: Microsoft

Cisco Unified Computing System (UCS) (Preview)

Data ingestion method: Syslog
Log Analytics table(s): Syslog
DCR support: Workspace transformation DCR
Kusto function alias: CiscoUCS
Kusto function URL: https://aka.ms/Sentinel-ciscoucs-function
Vendor documentation/installation instructions: Set up Syslog for Cisco UCS - Cisco
Supported by: Microsoft

Citrix Analytics (Security)

Data ingestion method: Microsoft Sentinel Data Collector API
Log Analytics table(s): CitrixAnalytics_SAlerts_CL
DCR support: Not currently supported
Vendor documentation/installation instructions: Connect Citrix to Microsoft Sentinel
Supported by: Citrix Systems

Citrix Web App Firewall (WAF) (Preview)

Data ingestion method: Common Event Format (CEF) over Syslog
Log Analytics table(s): CommonSecurityLog
DCR support: Workspace transformation DCR
Vendor documentation/installation instructions: To configure WAF, see Support WIKI - WAF Configuration with NetScaler. To configure CEF logs, see CEF Logging Support in the Application Firewall. To forward the logs to the proxy, see Configuring Citrix ADC appliance for audit logging.
Supported by: Citrix Systems

Cognni (Preview)

Data ingestion method: Microsoft Sentinel Data Collector API
Log Analytics table(s): CognniIncidents_CL
DCR support: Not currently supported
Vendor documentation/installation instructions: Connect to Cognni: go to the Cognni integrations page; select Connect on the Microsoft Sentinel box; paste the workspaceId and sharedKey (Primary Key) into the fields on Cognni's integrations screen; select the Connect button to complete the configuration.
Supported by: Cognni
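The connectors that ask you to paste the workspace ID and primary (shared) key into a vendor console, beSECURE earlier on this page and Cognni here among them, all speak the Log Analytics HTTP Data Collector API that the Microsoft Sentinel Data Collector API ingestion method refers to. The following Python is an example added here, not code from any vendor's integration or from Microsoft; it builds a request the way that API expects, so you can see exactly what the key authorizes: an HMAC-SHA256 over the method, body length, content type, date and resource path, sent as a SharedKey Authorization header. The workspace ID, key, date and records are placeholders constructed for the example.

```python
"""Build a signed request for the Log Analytics HTTP Data Collector API.
Added example; DEMO_* values are placeholders, not real credentials."""
import base64
import hashlib
import hmac
import json
import re
import urllib.request
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Log-Type: letters, digits and underscore only, at most 100 characters.
# Records land in a custom table named <Log-Type>_CL.
LOG_TYPE_RE = re.compile(r"^[A-Za-z0-9_]{1,100}$")
MAX_BODY_BYTES = 30 * 1024 * 1024     # documented limit for one POST body
API_VERSION = "2016-04-01"

DEMO_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"        # placeholder
DEMO_SHARED_KEY = base64.b64encode(b"\x01" * 64).decode("ascii")   # placeholder, not a real key
DEMO_DATE = "Mon, 01 Jan 2024 00:00:00 GMT"                        # fixed so results are repeatable
DEMO_RECORDS = [  # constructed sample, shaped like a scanner finding
    {"Computer": "web01", "Severity": "High", "Finding": "TLS 1.0 enabled", "Port": 443},
]


def is_valid_log_type(log_type: str) -> bool:
    return bool(LOG_TYPE_RE.match(log_type))


def string_to_sign(content_length: int, rfc1123_date: str, method: str = "POST",
                   content_type: str = "application/json", resource: str = "/api/logs") -> str:
    """The exact string the service HMACs; any byte of difference means HTTP 403."""
    return f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{resource}"


def shared_key_authorization(workspace_id: str, shared_key_b64: str,
                             content_length: int, rfc1123_date: str) -> str:
    key = base64.b64decode(shared_key_b64)      # the portal shows the key base64-encoded
    mac = hmac.new(key, string_to_sign(content_length, rfc1123_date).encode("utf-8"),
                   hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode('ascii')}"


def build_request(workspace_id: str, shared_key_b64: str, log_type: str,
                  records: List[Dict[str, Any]], rfc1123_date: Optional[str] = None,
                  time_generated_field: Optional[str] = None) -> Dict[str, Any]:
    """Return url, headers, body and the destination table for one batch of records."""
    if not is_valid_log_type(log_type):
        raise ValueError(f"invalid Log-Type {log_type!r}: letters, digits, underscore, max 100 chars")
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("body exceeds the 30 MB per-request limit; split the batch")
    date = rfc1123_date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": shared_key_authorization(workspace_id, shared_key_b64, len(body), date),
        "Log-Type": log_type,
        "x-ms-date": date,
    }
    if time_generated_field:                    # which JSON field to use as TimeGenerated
        headers["time-generated-field"] = time_generated_field
    return {
        "url": f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version={API_VERSION}",
        "headers": headers,
        "body": body,
        "table": f"{log_type}_CL",
    }


def send(request: Dict[str, Any]) -> int:
    """POST the prepared request; 200 means accepted. Needs network and a real key."""
    req = urllib.request.Request(request["url"], data=request["body"],
                                 headers=request["headers"], method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    r = build_request(DEMO_WORKSPACE_ID, DEMO_SHARED_KEY, "beSECURE_ScanResults", DEMO_RECORDS, DEMO_DATE)
    print(r["table"], r["headers"]["Authorization"][:48] + "...")
```

Two things follow from the shape of this request. The signature covers the body length and date but not the body itself, and the key is a static secret, so whoever holds the primary key can write any records into any `_CL` table in the workspace; pasting it into a vendor console hands that vendor a write credential for your SIEM. Keep the key out of source control, and regenerate it in the workspace when an integration is decommissioned, remembering that every other connector using the same key stops working until it is updated.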

Continuous Threat Monitoring for SAP (Preview)

Data ingestion method: Only available after installing the Continuous Threat Monitoring for SAP solution
Log Analytics table(s): See Microsoft Sentinel SAP solution data reference
Vendor documentation/installation instructions: Deploy SAP continuous threat monitoring
Supported by: Microsoft

CyberArk Enterprise Password Vault (EPV) Events (Preview)

Data ingestion method: Common Event Format (CEF) over Syslog
Log Analytics table(s): CommonSecurityLog
DCR support: Workspace transformation DCR
Vendor documentation/installation instructions: Security Information and Event Management (SIEM) Applications
Supported by: CyberArk

Cyberpion Security Logs (Preview)

Data ingestion method: Microsoft Sentinel Data Collector API
Log Analytics table(s): CyberpionActionItems_CL
DCR support: Not currently supported
Vendor documentation/installation instructions: Get a Cyberpion subscription; Integrate Cyberpion security alerts into Microsoft Sentinel
Supported by: Cyberpion

DNS (Preview)

See Windows DNS Events via AMA (Preview) or Windows DNS Server (Preview).

Dynamics 365

Connector attribute Description
Data ingestion method Azure service-to-service integration: API-based connections. Also available as part of the Microsoft Sentinel 4 Dynamics 365 solution.
License prerequisites/Cost information Microsoft Dynamics 365 production license. Not available for sandbox environments. At least one user assigned a Microsoft/Office 365 E1 or greater license. Other charges may apply.
Log Analytics table(s) Dynamics365Activity
DCR support Workspace transformation DCR
Supported by Microsoft

ESET Enterprise Inspector (Preview)

Connector attribute Description
Data ingestion method Azure Functions and the REST API; see Create an API user
Log Analytics table(s) ESETEnterpriseInspector_CL
DCR support Not currently supported
API credentials EEI Username, EEI Password, Base URL
Vendor documentation/installation instructions ESET Enterprise Inspector REST API documentation
Connector deployment instructions Single-click deployment via Azure Resource Manager (ARM) template
Supported by ESET

Create an API user

  1. Log into the ESET Security Management Center / ESET PROTECT console with an administrator account, select the More tab and the Users subtab.
  2. Select the ADD NEW button and add a native user.
  3. Create a new user for the API account. Optional: Select a Home group other than All to limit what detections are ingested.
  4. Under the Permission Sets tab, assign the Enterprise Inspector reviewer permission set.
  5. Sign out of the administrator account and log into the console with the new API credentials for validation, then sign out of the API account.

ESET Security Management Center (SMC) (Preview)

Connector attribute Description
Data ingestion method Syslog. Follow these steps: Configure the ESET SMC logs to be collected; Configure OMS agent to pass ESET SMC data in API format; Change OMS agent configuration to catch tag oms.api.eset and parse structured data; Disable automatic configuration and restart agent; Configure ESET SMC to send logs to connector
Log Analytics table(s) eset_CL
DCR support Not currently supported
Vendor documentation/installation instructions ESET Syslog server documentation
Supported by ESET

Configure the ESET SMC logs to be collected

Configure rsyslog to accept logs from your ESET SMC IP address and forward them to the OMS agent's local syslog listener.

    sudo -i
    # Set ESET SMC source IP address
    export ESETIP={Enter your IP address}

    # Create rsyslog configuration file (unquoted EOF: $ESETIP expands, \$ keeps rsyslog directives literal)
    cat > /etc/rsyslog.d/80-remote.conf << EOF
    \$ModLoad imudp
    \$UDPServerRun 514
    \$ModLoad imtcp
    \$InputTCPServerRun 514
    \$AllowedSender TCP, 127.0.0.1, $ESETIP
    \$AllowedSender UDP, 127.0.0.1, $ESETIP
    # Forward all user-facility severities to the OMS agent syslog source on UDP 25224
    user.=alert;user.=crit;user.=debug;user.=emerg;user.=err;user.=info;user.=notice;user.=warning  @127.0.0.1:25224
    EOF

    # Restart rsyslog
    systemctl restart rsyslog

Configure OMS agent to pass Eset SMC data in API format

To make ESET data easy to recognize, push it to a separate table and parse it at the agent; this simplifies and speeds up your Microsoft Sentinel queries.

In the /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsagent.conf file, modify the match oms.** section to send data as API objects, by changing the type to out_oms_api.

The following code is an example of the full match oms.** section:

    <match oms.** docker.**>
      type out_oms_api
      log_level info
      num_threads 5
      run_in_background false

      omsadmin_conf_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsadmin.conf
      cert_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/certs/oms.crt
      key_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/certs/oms.key

      buffer_chunk_limit 15m
      buffer_type file
      buffer_path /var/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/state/out_oms_common*.buffer

      buffer_queue_limit 10
      buffer_queue_full_action drop_oldest_chunk
      flush_interval 20s
      retry_limit 10
      retry_wait 30s
      max_retry_wait 9m
    </match>

Change OMS agent configuration to catch tag oms.api.eset and parse structured data

Modify the /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsagent.d/syslog.conf file.

For example:

    <source>
      type syslog
      port 25224
      bind 127.0.0.1
      protocol_type udp
      tag oms.api.eset
    </source>

    <filter oms.api.**>
      @type parser
      key_name message
      format /(?<message>.*?{.*})/
    </filter>

    <filter oms.api.**>
      @type parser
      key_name message
      format json
    </filter>

Disable automatic configuration and restart agent

For example:

    # Disable changes to configuration files from Portal
    sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'

    # Restart agent
    sudo /opt/microsoft/omsagent/bin/service_control restart

    # Check agent logs
    tail -f /var/opt/microsoft/omsagent/log/omsagent.log

Configure Eset SMC to send logs to connector

Configure ESET logs to use BSD style and JSON format.

  • Go to the Syslog server configuration and configure the Host (your connector), Format BSD, and Transport TCP.
  • Go to the Logging section and enable JSON

For more information, see the ESET documentation.
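
As an added example (not part of the original article and not ESET's or Microsoft's own code), the following Python script reproduces the two-stage parse that the syslog.conf filters above apply to each record's message field: the regexp filter with format /(?<message>.*?{.*})/, then the json filter. The function names (stage1_regexp, stage2_json, parse_eset_record) and the sample message bodies in SAMPLES are constructed for illustration and are not real ESET SMC output. Running it shows which message shapes survive both stages before they can land in the eset_CL table.

```python
import json
import re

# Stage 1 of the page's fluentd filter chain, as a Python regex. The lazy
# ".*?" sits inside the capture group, so the group keeps any text before
# the first "{" and only trims whatever follows the last "}".
STAGE1 = re.compile(r"(?P<message>.*?\{.*\})")


def stage1_regexp(message):
    """Mimic `@type parser` with `format /(?<message>.*?{.*})/`.

    Returns the captured text, or None when the line holds no {...} at all
    (fluentd would then not emit a parsed record for it).
    """
    match = STAGE1.search(message)
    return match.group("message") if match else None


def stage2_json(text):
    """Mimic `@type parser` with `format json`: a dict, or None on failure."""
    try:
        obj = json.loads(text)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def parse_eset_record(message):
    """Run both stages over the `message` field of one syslog record."""
    captured = stage1_regexp(message)
    if captured is None:
        return None
    return stage2_json(captured)


# Constructed sample message bodies (not real ESET SMC output): what the
# syslog input leaves in `message` after stripping PRI, timestamp, host and tag.
SAMPLES = {
    # JSON body with a trailing CR/LF: stage 1 trims the line ending
    "clean": '{"event_type":"Audit_Event","severity":"Information","user":"svc_api"}\r\n',
    # nested object: the greedy ".*" reaches the outermost closing brace
    "nested": '{"event_type":"Threat_Event","detail":{"hash":"CONSTRUCTED"}}',
    # text before the brace: stage 1 keeps it, so stage 2 cannot parse it
    "prefixed": 'ESET SMC: {"event_type":"Audit_Event"}',
    # no JSON at all: stage 1 finds nothing
    "plain": "ESET SMC service started",
}


def run_samples():
    """Parse every sample; None marks a record that would not reach eset_CL."""
    return {name: parse_eset_record(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:9s} -> {result}")
```

Because the capture group retains any prefix, stage 2 succeeds only when the message body itself begins with the JSON object; the regexp stage's practical job is to drop trailing characters after the closing brace. When records fail to appear in eset_CL, compare a raw line from /var/opt/microsoft/omsagent/log/omsagent.log against the prefixed sample before changing the filters.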

Exabeam Advanced Analytics (Preview)

Connector attribute Description
Data ingestion method Syslog
Log Analytics table(s) Syslog
DCR support Workspace transformation DCR
Kusto function alias: ExabeamEvent
Kusto function URL: https://aka.ms/Sentinel-Exabeam-parser
Vendor documentation/installation instructions Configure Advanced Analytics system activity notifications
Supported by Microsoft

ExtraHop Reveal(x)

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Vendor documentation/installation instructions ExtraHop Detection SIEM Connector
Supported by ExtraHop

F5 BIG-IP

Connector attribute Description
Data ingestion method Microsoft Sentinel Data Collector API
Log Analytics table(s) F5Telemetry_LTM_CL, F5Telemetry_system_CL, F5Telemetry_ASM_CL
DCR support Not currently supported
Vendor documentation/installation instructions Integrating the F5 BIG-IP with Microsoft Sentinel
Supported by F5 Networks

F5 Networks (ASM)

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Vendor documentation/installation instructions Configuring Application Security Event Logging
Supported by F5 Networks

Forcepoint Cloud Access Security Broker (CASB) (Preview)

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Vendor documentation/installation instructions Forcepoint CASB and Microsoft Sentinel
Supported by Forcepoint

Forcepoint Cloud Security Gateway (CSG) (Preview)

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Vendor documentation/installation instructions Forcepoint Cloud Security Gateway and Microsoft Sentinel
Supported by Forcepoint

Forcepoint Data Loss Prevention (DLP) (Preview)

Connector attribute Description
Data ingestion method Microsoft Sentinel Data Collector API
Log Analytics table(s) ForcepointDLPEvents_CL
DCR support Not currently supported
Vendor documentation/installation instructions Forcepoint Data Loss Prevention and Microsoft Sentinel
Supported by Forcepoint

Forcepoint Next Generation Firewall (NGFW) (Preview)

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Vendor documentation/installation instructions Forcepoint Next-Gen Firewall and Microsoft Sentinel
Supported by Forcepoint

ForgeRock Common Audit (CAUD) for CEF (Preview)

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Vendor documentation/installation instructions Install this first! ForgeRock Common Audit (CAUD) for Microsoft Sentinel
Supported by ForgeRock

Fortinet

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog; see Send Fortinet logs to the log forwarder. Available in the Fortinet Fortigate solution.
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Vendor documentation/installation instructions Fortinet Document Library. Choose your version and use the Handbook and Log Message Reference PDFs.
Supported by Fortinet

Send Fortinet logs to the log forwarder

Open the CLI on your Fortinet appliance and run the following commands:

    config log syslogd setting
    set status enable
    set format cef
    set port 514
    set server <ip_address_of_Forwarder>
    end

  • Replace the server IP address with the IP address of the log forwarder.
  • Set the syslog port to 514, or to the port configured for the Syslog daemon on the forwarder.
  • To enable CEF format in early FortiOS versions, you might need to run the command set csv disable.

GitHub (Preview)

Connector attribute Description
Data ingestion method Microsoft Sentinel Data Collector API. Only available after installing the Continuous Threat Monitoring for GitHub solution.
Log Analytics table(s) GitHubAuditLogPolling_CL
DCR support Not currently supported
API credentials GitHub access token
Connector deployment instructions Extra configuration for the GitHub connector
Supported by Microsoft

Extra configuration for the GitHub connector

Prerequisite: You must have a GitHub enterprise account and an accessible organization in order to connect to GitHub from Microsoft Sentinel.

  1. Install the Continuous Threat Monitoring for GitHub solution in your Microsoft Sentinel workspace. For more information, see Centrally discover and deploy Microsoft Sentinel out-of-the-box content and solutions (Public preview).

  2. Create a GitHub personal access token for use in the Microsoft Sentinel connector. For more information, see the relevant GitHub documentation.

  3. In the Microsoft Sentinel Data connectors area, search for and locate the GitHub connector. On the right, select Open connector page.

  4. On the Instructions tab, in the Configuration area, enter the following details:

    • Organization Name: Enter the name of the organization whose logs you want to connect to.
    • API Key: Enter the GitHub personal access token you created earlier in this procedure.
  5. Select Connect to start ingesting your GitHub logs to Microsoft Sentinel.

Google Workspace (G-Suite) (Preview)

Connector attribute Description
Data ingestion method Azure Functions and the REST API; see Extra configuration for the Google Reports API
Log Analytics table(s) GWorkspace_ReportsAPI_admin_CL, GWorkspace_ReportsAPI_calendar_CL, GWorkspace_ReportsAPI_drive_CL, GWorkspace_ReportsAPI_login_CL, GWorkspace_ReportsAPI_mobile_CL, GWorkspace_ReportsAPI_token_CL, GWorkspace_ReportsAPI_user_accounts_CL
DCR support Not currently supported
Azure Function App code https://aka.ms/Sentinel-GWorkspaceReportsAPI-functionapp
API credentials GooglePickleString
Vendor documentation/installation instructions API Documentation. Get credentials at Perform Google Workspace Domain-Wide Delegation of Authority. Convert token.pickle file to pickle string.
Connector deployment instructions Single-click deployment via Azure Resource Manager (ARM) template; Manual deployment
Kusto function alias GWorkspaceActivityReports
Kusto function URL/Parser config instructions https://aka.ms/Sentinel-GWorkspaceReportsAPI-parser
Application settings GooglePickleString, WorkspaceID, workspaceKey, logAnalyticsUri (optional)
Supported by Microsoft

Extra configuration for the Google Reports API

Add http://localhost:8081/ under Authorized redirect URIs while creating Web application credentials.

  1. Follow the instructions to obtain the credentials.json.
  2. To get the Google pickle string, run this Python script (in the same path as credentials.json).
  3. Copy the pickle string output in single quotes and save. It will be needed for deploying the Function App.

Illusive Attack Management System (AMS) (Preview)

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Vendor documentation/installation instructions Illusive Networks Admin Guide
Supported by Illusive Networks

Imperva WAF Gateway (Preview)

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog. Available in the Imperva Cloud WAF solution.
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Vendor documentation/installation instructions Steps for Enabling Imperva WAF Gateway Alert Logging to Microsoft Sentinel
Supported by Imperva

Infoblox Network Identity Operating System (NIOS) (Preview)

Connector attribute Description
Data ingestion method Syslog. Available in the Infoblox Threat Defense solution.
Log Analytics table(s) Syslog
DCR support Workspace transformation DCR
Kusto function alias: InfobloxNIOS
Kusto function URL: https://aka.ms/sentinelgithubparsersinfoblox
Vendor documentation/installation instructions NIOS SNMP and Syslog Deployment Guide
Supported by Microsoft

Juniper SRX (Preview)

Connector attribute Description
Data ingestion method Syslog
Log Analytics table(s) Syslog
DCR support Workspace transformation DCR
Kusto function alias: JuniperSRX
Kusto function URL: https://aka.ms/Sentinel-junipersrx-parser
Vendor documentation/installation instructions Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices; Configure System Logging
Supported by Juniper Networks

Lookout Mobile Threat Defense (Preview)

Connector attribute Description
Data ingestion method Azure Functions and the REST API. Only available after installing the Lookout Mobile Threat Defense for Microsoft Sentinel solution.
Log Analytics table(s) Lookout_CL
DCR support Not currently supported
API credentials Lookout Application Key
Vendor documentation/installation instructions Installation Guide (sign-in required); API Documentation (sign-in required); Lookout Mobile Endpoint Security
Supported by Lookout

Microsoft 365 Defender

Connector attribute Description
Data ingestion method Azure service-to-service integration: Connect data from Microsoft 365 Defender to Microsoft Sentinel (Top connector article)
License prerequisites/Cost information Valid license for Microsoft 365 Defender
Log Analytics table(s) Alerts: SecurityAlert, SecurityIncident. Defender for Endpoint events: DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceInfo, DeviceLogonEvents, DeviceNetworkEvents, DeviceNetworkInfo, DeviceProcessEvents, DeviceRegistryEvents, DeviceFileCertificateInfo. Defender for Office 365 events: EmailAttachmentInfo, EmailUrlInfo, EmailEvents, EmailPostDeliveryEvents. Defender for Identity events: IdentityDirectoryEvents, IdentityInfo, IdentityLogonEvents, IdentityQueryEvents. Defender for Cloud Apps events: CloudAppEvents. Defender alerts as events: AlertInfo, AlertEvidence.
DCR support Not currently supported
Supported by Microsoft

Microsoft Purview Insider Risk Management (IRM) (Preview)

Connector attribute Description
Data ingestion method Azure service-to-service integration: API-based connections. Also available in the Microsoft Purview Insider Risk Management solution.
License and other prerequisites Valid subscription for Microsoft 365 E5/A5/G5, or their accompanying Compliance or IRM add-ons. Microsoft Purview Insider Risk Management fully onboarded, and IRM policies defined and producing alerts. Microsoft 365 IRM configured to enable the export of IRM alerts to the Office 365 Management Activity API, in order to receive the alerts through the Microsoft Sentinel connector.
Log Analytics table(s) SecurityAlert
Data query filter SecurityAlert | where ProductName == "Microsoft Purview Insider Risk Management"
Supported by Microsoft

Microsoft Defender for Cloud

Connector attribute Description
Data ingestion method Azure service-to-service integration: Connect security alerts from Microsoft Defender for Cloud (Top connector article)
Log Analytics table(s) SecurityAlert
Supported by Microsoft

Microsoft Defender for Cloud Apps

Connector attribute Description
Data ingestion method Azure service-to-service integration: API-based connections. For Cloud Discovery logs, enable Microsoft Sentinel as your SIEM in Microsoft Defender for Cloud Apps.
Log Analytics table(s) SecurityAlert (for alerts); McasShadowItReporting (for Cloud Discovery logs)
Supported by Microsoft

Microsoft Defender for Endpoint

Connector attribute Description
Data ingestion method Azure service-to-service integration: API-based connections
License prerequisites/Cost information Valid license for Microsoft Defender for Endpoint deployment
Log Analytics table(s) SecurityAlert
DCR support Workspace transformation DCR
Supported by Microsoft

Microsoft Defender for Identity

Connector attribute Description
Data ingestion method Azure service-to-service integration: API-based connections
Log Analytics table(s) SecurityAlert
DCR support Workspace transformation DCR
Supported by Microsoft

Microsoft Defender for IoT

Connector attribute Description
Data ingestion method Azure service-to-service integration: API-based connections
Log Analytics table(s) SecurityAlert
DCR support Workspace transformation DCR
Supported by Microsoft

Microsoft Defender for Office 365

Connector attribute Description
Data ingestion method Azure service-to-service integration: API-based connections
License prerequisites/Cost information You must have a valid license for Office 365 ATP Plan 2
Log Analytics table(s) SecurityAlert
DCR support Workspace transformation DCR
Supported by Microsoft

Microsoft Office 365

Connector attribute Description
Data ingestion method Azure service-to-service integration: API-based connections
License prerequisites/Cost information Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace.Other charges may apply.
Log Analytics table(s) OfficeActivity
DCR support Workspace transformation DCR
Supported by Microsoft

Microsoft Power BI (Preview)

Connector attribute Description
Data ingestion method Azure service-to-service integration: API-based connections
License prerequisites/Cost information Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace.Other charges may apply.
Log Analytics table(s) PowerBIActivity
Supported by Microsoft

Microsoft Project (Preview)

Connector attribute Description
Data ingestion method Azure service-to-service integration: API-based connections
License prerequisites/Cost information Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace.Other charges may apply.
Log Analytics table(s) ProjectActivity
Supported by Microsoft

Microsoft Sysmon for Linux (Preview)

Connector attribute Description
Data ingestion method Syslog, with ASIM parsers based on Kusto functions
Log Analytics table(s) Syslog
DCR support Workspace transformation DCR
Supported by Microsoft

Morphisec UTPP (Preview)

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog, with a Kusto function parser
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Kusto function alias: Morphisec
Kusto function URL https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Parsers/Morphisec/
Supported by Morphisec

Netskope (Preview)

Connector attribute Description
Data ingestion method Azure Functions and the REST API
Log Analytics table(s) Netskope_CL
DCR support Not currently supported
Azure Function App code https://aka.ms/Sentinel-netskope-functioncode
API credentials Netskope API Token
Vendor documentation/installation instructions Netskope Cloud Security Platform; Netskope API Documentation; Obtain an API Token
Connector deployment instructions Single-click deployment via Azure Resource Manager (ARM) template; Manual deployment
Kusto function alias Netskope
Kusto function URL/Parser config instructions https://aka.ms/Sentinel-netskope-parser
Application settings apikey, workspaceID, workspaceKey, uri (depends on region; follows the schema https://<Tenant Name>.goskope.com), timeInterval (set to 5), logTypes, logAnalyticsUri (optional)
Supported by Microsoft

NGINX HTTP Server (Preview)

Connector attribute Description
Data ingestion method Log Analytics agent - custom logs
Log Analytics table(s) NGINX_CL
DCR support Not currently supported
Kusto function alias: NGINXHTTPServer
Kusto function URL https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NGINX%20HTTP%20Server/Parsers/NGINXHTTPServer.txt
Vendor documentation/installation instructions Module ngx_http_log_module
Custom log sample file: access.log or error.log
Supported by Microsoft

NXLog Basic Security Module (BSM) macOS (Preview)

Connector attribute Description
Data ingestion method Microsoft Sentinel Data Collector API
Log Analytics table(s) BSMmacOS_CL
DCR support Not currently supported
Vendor documentation/installation instructions NXLog Microsoft Sentinel User Guide
Supported by NXLog

NXLog DNS Logs (Preview)

Connector attribute Description
Data ingestion method Microsoft Sentinel Data Collector API
Log Analytics table(s) DNS_Logs_CL
DCR support Not currently supported
Vendor documentation/installation instructions NXLog Microsoft Sentinel User Guide
Supported by NXLog

NXLog LinuxAudit (Preview)

Connector attribute Description
Data ingestion method Microsoft Sentinel Data Collector API
Log Analytics table(s) LinuxAudit_CL
DCR support Not currently supported
Vendor documentation/installation instructions NXLog Microsoft Sentinel User Guide
Supported by NXLog

Okta Single Sign-On (Preview)

Connector attribute Description
Data ingestion method Azure Functions and the REST API
Log Analytics table(s) Okta_CL
DCR support Not currently supported
Azure Function App code https://aka.ms/sentineloktaazurefunctioncodev2
API credentials API Token
Vendor documentation/installation instructions Okta System Log API Documentation; Create an API token; Connect Okta SSO to Microsoft Sentinel
Connector deployment instructions Single-click deployment via Azure Resource Manager (ARM) template; Manual deployment
Application settings apiToken, workspaceID, workspaceKey, uri (follows the schema https://<OktaDomain>/api/v1/logs?since=; identify your domain namespace), logAnalyticsUri (optional)
Supported by Microsoft

Onapsis Platform (Preview)

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog, with a Kusto lookup and enrichment function; see Configure Onapsis to send CEF logs to the log forwarder
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Kusto function alias: incident_lookup
Kusto function URL https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Onapsis%20Platform/Parsers/OnapsisLookup.txt
Supported by Onapsis

Configure Onapsis to send CEF logs to the log forwarder

Refer to the Onapsis in-product help to set up log forwarding to the Log Analytics agent.

  1. Go to Setup > Third-party integrations > Defend Alarms and follow the instructions for Microsoft Sentinel.
  2. Make sure your Onapsis Console can reach the log forwarder machine where the agent is installed. Logs should be sent to port 514 using TCP.

One Identity Safeguard (Preview)

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Vendor documentation/installation instructions One Identity Safeguard for Privileged Sessions Administration Guide
Supported by One Identity

Oracle WebLogic Server (Preview)

Connector attribute Description
Data ingestion method Log Analytics agent - custom logs
Log Analytics table(s) OracleWebLogicServer_CL
DCR support Not currently supported
Kusto function alias: OracleWebLogicServerEvent
Kusto function URL: https://aka.ms/Sentinel-OracleWebLogicServer-parser
Vendor documentation/installation instructions Oracle WebLogic Server documentation
Custom log sample file: server.log
Supported by Microsoft

Orca Security (Preview)

Connector attribute Description
Data ingestion method Microsoft Sentinel Data Collector API
Log Analytics table(s) OrcaAlerts_CL
DCR support Not currently supported
Vendor documentation/installation instructions Microsoft Sentinel integration
Supported by Orca Security

OSSEC (Preview)

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog, with a Kusto function parser
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Kusto function alias: OSSECEvent
Kusto function URL: https://aka.ms/Sentinel-OSSEC-parser
Vendor documentation/installation instructions OSSEC documentation; Sending alerts via syslog
Supported by Microsoft

Palo Alto Networks

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog. Also available in the Palo Alto PAN-OS and Prisma solutions.
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Vendor documentation/installation instructions Common Event Format (CEF) Configuration Guides; Configure Syslog Monitoring
Supported by Palo Alto Networks

Perimeter 81 Activity Logs (Preview)

Connector attribute Description
Data ingestion method Microsoft Sentinel Data Collector API
Log Analytics table(s) Perimeter81_CL
DCR support Not currently supported
Vendor documentation/installation instructions Perimeter 81 documentation
Supported by Perimeter 81

Proofpoint On Demand (POD) Email Security (Preview)

Connector attribute Description
Data ingestion method Azure Functions and the REST API. Also available in the Proofpoint POD solution.
Log Analytics table(s) ProofpointPOD_message_CL, ProofpointPOD_maillog_CL
DCR support Not currently supported
Azure Function App code https://aka.ms/Sentinel-proofpointpod-functionapp
API credentials ProofpointClusterID, ProofpointToken
Vendor documentation/installation instructions Sign in to the Proofpoint Community; Proofpoint API documentation and instructions
Connector deployment instructions Single-click deployment via Azure Resource Manager (ARM) template; Manual deployment
Kusto function alias ProofpointPOD
Kusto function URL/Parser config instructions https://aka.ms/Sentinel-proofpointpod-parser
Application settings ProofpointClusterID, ProofpointToken, WorkspaceID, WorkspaceKey, logAnalyticsUri (optional)
Supported by Microsoft

Proofpoint Targeted Attack Protection (TAP) (Preview)

Connector attribute Description
Data ingestion method Azure Functions and the REST API. Also available in the Proofpoint TAP solution.
Log Analytics table(s) ProofPointTAPClicksPermitted_CL, ProofPointTAPClicksBlocked_CL, ProofPointTAPMessagesDelivered_CL, ProofPointTAPMessagesBlocked_CL
DCR support Not currently supported
Azure Function App code https://aka.ms/sentinelproofpointtapazurefunctioncode
API credentials API Username, API Password
Vendor documentation/installation instructions Proofpoint SIEM API Documentation
Connector deployment instructions Single-click deployment via Azure Resource Manager (ARM) template; Manual deployment
Application settings apiUsername, apiUsername, uri (set to https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=300), WorkspaceID, WorkspaceKey, logAnalyticsUri (optional)
Supported by Microsoft

Pulse Connect Secure (Preview)

Connector attribute Description
Data ingestion method Syslog
Log Analytics table(s) Syslog
DCR support Workspace transformation DCR
Kusto function alias: PulseConnectSecure
Kusto function URL: https://aka.ms/sentinelgithubparserspulsesecurevpn
Vendor documentation/installation instructions Configuring Syslog
Supported by Microsoft

Qualys VM KnowledgeBase (KB) (Preview)

Connector attribute Description
Data ingestion method Azure Functions and the REST API; see Extra configuration for the Qualys VM KB. Also available in the Qualys VM solution.
Log Analytics table(s) QualysKB_CL
DCR support Not currently supported
Azure Function App code https://aka.ms/Sentinel-qualyskb-functioncode
API credentials API Username, API Password
Vendor documentation/installation instructions QualysVM API User Guide
Connector deployment instructions Single-click deployment via Azure Resource Manager (ARM) template; Manual deployment
Kusto function alias QualysKB
Kusto function URL/Parser config instructions https://aka.ms/Sentinel-qualyskb-parser
Application settings apiUsername, apiUsername, uri (by region; see the API Server list. Follows the schema https://<API Server>/api/2.0), WorkspaceID, WorkspaceKey, filterParameters (add to the end of the URI, delimited by &; no spaces), logAnalyticsUri (optional)
Supported by Microsoft

Extra configuration for the Qualys VM KB

  1. Log into the Qualys Vulnerability Management console with an administrator account, select the Users tab and the Users subtab.
  2. Select the New drop-down menu and select Users.
  3. Create a username and password for the API account.
  4. In the User Roles tab, ensure the account role is set to Manager and access is allowed to GUI and API.
  5. Sign out of the administrator account and sign into the console with the new API credentials for validation, then sign out of the API account.
  6. Log back into the console using an administrator account and modify the API account's User Roles, removing access to GUI.
  7. Save all changes.

Qualys Vulnerability Management (VM) (Preview)

Connector attribute Description
Data ingestion method Azure Functions and the REST API; see Extra configuration for the Qualys VM and Manual deployment - after configuring the Function App
Log Analytics table(s) QualysHostDetection_CL
DCR support Not currently supported
Azure Function App code https://aka.ms/sentinelqualysvmazurefunctioncode
API credentials API Username, API Password
Vendor documentation/installation instructions QualysVM API User Guide
Connector deployment instructions Single-click deployment via Azure Resource Manager (ARM) template; Manual deployment
Application settings apiUsername, apiUsername, uri (by region; see the API Server list. Follows the schema https://<API Server>/api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=), WorkspaceID, WorkspaceKey, filterParameters (add to the end of the URI, delimited by &; no spaces), timeInterval (set to 5; if you modify it, change the Function App timer trigger accordingly), logAnalyticsUri (optional)
Supported by Microsoft

Extra configuration for the Qualys VM

  1. Log into the Qualys Vulnerability Management console with an administrator account, select the Users tab and the Users subtab.
  2. Select the New drop-down menu and select Users.
  3. Create a username and password for the API account.
  4. In the User Roles tab, ensure the account role is set to Manager and access is allowed to GUI and API.
  5. Sign out of the administrator account and log into the console with the new API credentials for validation, then sign out of the API account.
  6. Log back into the console using an administrator account and modify the API account's User Roles, removing access to GUI.
  7. Save all changes.

Manual deployment - after configuring the Function App

Configure the host.json file

Because the volume of Qualys host detection data ingested can be large, execution may exceed the default Function App timeout of five minutes. Increase the timeout to the maximum of 10 minutes allowed under the Consumption Plan, to give the Function App more time to execute.

  1. In the Function App, select the Function App Name and select the App Service Editor page.
  2. Select Go to open the editor, then select the host.json file under the wwwroot directory.
  3. Add the line "functionTimeout": "00:10:00", above the managedDependency line.
  4. Ensure SAVED appears on the top-right corner of the editor, then exit the editor.

If a longer timeout duration is required, consider upgrading to an App Service Plan.

Salesforce Service Cloud (Preview)

Connector attribute Description
Data ingestion method Azure Functions and the REST API
Log Analytics table(s) SalesforceServiceCloud_CL
DCR support Not currently supported
Azure Function App code https://aka.ms/Sentinel-SalesforceServiceCloud-functionapp
API credentials Salesforce API Username; Salesforce API Password; Salesforce Security Token; Salesforce Consumer Key; Salesforce Consumer Secret
Vendor documentation/installation instructions Salesforce REST API Developer Guide. Under Set up authorization, use the Session ID method instead of OAuth.
Connector deployment instructions Single-click deployment via Azure Resource Manager (ARM) template; Manual deployment
Kusto function alias SalesforceServiceCloud
Kusto function URL/Parser config instructions https://aka.ms/Sentinel-SalesforceServiceCloud-parser
Application settings SalesforceUser; SalesforcePass; SalesforceSecurityToken; SalesforceConsumerKey; SalesforceConsumerSecret; WorkspaceID; WorkspaceKey; logAnalyticsUri (optional)
Supported by Microsoft

Security events via Legacy Agent (Windows)

Connector attribute Description
Data ingestion method Azure service-to-service integration: Log Analytics agent-based connections (Legacy)
Log Analytics table(s) SecurityEvents
DCR support Workspace transformation DCR
Supported by Microsoft

For more information, see:

SentinelOne (Preview)

Connector attribute Description
Data ingestion method Azure Functions and the REST API; see also Extra configuration for SentinelOne
Log Analytics table(s) SentinelOne_CL
DCR support Not currently supported
Azure Function App code https://aka.ms/Sentinel-SentinelOneAPI-functionapp
API credentials SentinelOneAPIToken; SentinelOneUrl (https://<SOneInstanceDomain>.sentinelone.net)
Vendor documentation/installation instructions https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview; see the instructions below
Connector deployment instructions Single-click deployment via Azure Resource Manager (ARM) template; Manual deployment
Kusto function alias SentinelOne
Kusto function URL/Parser config instructions https://aka.ms/Sentinel-SentinelOneAPI-parser
Application settings SentinelOneAPIToken; SentinelOneUrl; WorkspaceID; WorkspaceKey; logAnalyticsUri (optional)
Supported by Microsoft

Extra configuration for SentinelOne

Follow the instructions to obtain the credentials.

  1. Sign in to the SentinelOne Management Console with Admin user credentials.
  2. In the Management Console, select Settings.
  3. In the SETTINGS view, select USERS.
  4. Select New User.
  5. Enter the information for the new console user.
  6. In Role, select Admin.
  7. Select SAVE.
  8. Save the new user's credentials for use in the data connector.

SonicWall Firewall (Preview)

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Vendor documentation/installation instructions Log > Syslog. Select facility local4 and ArcSight as the Syslog format.
Supported by SonicWall

Sophos Cloud Optix (Preview)

Connector attribute Description
Data ingestion method Microsoft Sentinel Data Collector API
Log Analytics table(s) SophosCloudOptix_CL
DCR support Not currently supported
Vendor documentation/installation instructions Integrate with Microsoft Sentinel, skipping the first step; Sophos query samples
Supported by Sophos

Sophos XG Firewall (Preview)

Connector attribute Description
Data ingestion method Syslog
Log Analytics table(s) Syslog
DCR support Workspace transformation DCR
Kusto function alias: SophosXGFirewall
Kusto function URL: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Sophos%20XG%20Firewall/Parsers/SophosXGFirewall.txt
Vendor documentation/installation instructions Add a syslog server
Supported by Microsoft

Squadra Technologies secRMM

Connector attribute Description
Data ingestion method Microsoft Sentinel Data Collector API
Log Analytics table(s) secRMM_CL
DCR support Not currently supported
Vendor documentation/installation instructions secRMM Microsoft Sentinel Administrator Guide
Supported by Squadra Technologies

Squid Proxy (Preview)

Connector attribute Description
Data ingestion method Log Analytics agent - custom logs
Log Analytics table(s) SquidProxy_CL
DCR support Not currently supported
Kusto function alias: SquidProxy
Kusto function URL https://aka.ms/Sentinel-squidproxy-parser
Custom log sample file: access.log or cache.log
Supported by Microsoft

Symantec Integrated Cyber Defense Exchange (ICDx)

Connector attribute Description
Data ingestion method Microsoft Sentinel Data Collector API
Log Analytics table(s) SymantecICDx_CL
DCR support Not currently supported
Vendor documentation/installation instructions Configuring Microsoft Sentinel (Log Analytics) Forwarders
Supported by Broadcom Symantec

Symantec ProxySG (Preview)

Connector attribute Description
Data ingestion method Syslog
Log Analytics table(s) Syslog
DCR support Workspace transformation DCR
Kusto function alias: SymantecProxySG
Kusto function URL: https://aka.ms/sentinelgithubparserssymantecproxysg
Vendor documentation/installation instructions Sending Access Logs to a Syslog server
Supported by Microsoft

Symantec VIP (Preview)

Connector attribute Description
Data ingestion method Syslog
Log Analytics table(s) Syslog
DCR support Workspace transformation DCR
Kusto function alias: SymantecVIP
Kusto function URL: https://aka.ms/sentinelgithubparserssymantecvip
Vendor documentation/installation instructions Configuring syslog
Supported by Microsoft

Thycotic Secret Server (Preview)

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Vendor documentation/installation instructions Secure Syslog/CEF Logging
Supported by Thycotic

Trend Micro Deep Security

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog, with a Kusto function parser
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Kusto function alias: TrendMicroDeepSecurity
Kusto function URL https://aka.ms/TrendMicroDeepSecurityFunction
Vendor documentation/installation instructions Forward Deep Security events to a Syslog or SIEM server
Supported by Trend Micro

Trend Micro TippingPoint (Preview)

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog, with a Kusto function parser
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Kusto function alias: TrendMicroTippingPoint
Kusto function URL https://aka.ms/Sentinel-trendmicrotippingpoint-function
Vendor documentation/installation instructions Send Syslog messages in ArcSight CEF Format v4.2 format.
Supported by Trend Micro

Trend Micro Vision One (XDR) (Preview)

Connector attribute Description
Data ingestion method Azure Functions and the REST API
Log Analytics table(s) TrendMicro_XDR_CL
DCR support Not currently supported
API credentials API Token
Vendor documentation/installation instructions Trend Micro Vision One API; Obtaining API Keys for Third-Party Access
Connector deployment instructions Single-click deployment via Azure Resource Manager (ARM) template
Supported by Trend Micro

VMware Carbon Black Endpoint Standard (Preview)

Connector attribute Description
Data ingestion method Azure Functions and the REST API
Log Analytics table(s) CarbonBlackEvents_CL; CarbonBlackAuditLogs_CL; CarbonBlackNotifications_CL
DCR support Not currently supported
Azure Function App code https://aka.ms/sentinelcarbonblackazurefunctioncode
API credentials API access level (for Audit and Event logs): API ID; API Key. SIEM access level (for Notification events): SIEM API ID; SIEM API Key
Vendor documentation/installation instructions Carbon Black API Documentation; Creating an API Key
Connector deployment instructions Single-click deployment via Azure Resource Manager (ARM) template; Manual deployment
Application settings apiId; apiKey; WorkspaceID; WorkspaceKey; uri (by region; see the list of options. Follows the schema https://<API URL>.conferdeploy.net.); timeInterval (set to 5); SIEMapiId (if ingesting Notification events); SIEMapiKey (if ingesting Notification events); logAnalyticsUri (optional)
Supported by Microsoft

VMware ESXi (Preview)

Connector attribute Description
Data ingestion method Syslog
Log Analytics table(s) Syslog
DCR support Workspace transformation DCR
Kusto function alias: VMwareESXi
Kusto function URL: https://aka.ms/Sentinel-vmwareesxi-parser
Vendor documentation/installation instructions Enabling syslog on ESXi 3.5 and 4.x; Configure Syslog on ESXi Hosts
Supported by Microsoft

WatchGuard Firebox (Preview)

Connector attribute Description
Data ingestion method Syslog
Log Analytics table(s) Syslog
DCR support Workspace transformation DCR
Kusto function alias: WatchGuardFirebox
Kusto function URL: https://aka.ms/Sentinel-watchguardfirebox-parser
Vendor documentation/installation instructions Microsoft Sentinel Integration Guide
Supported by WatchGuard Technologies

WireX Network Forensics Platform (Preview)

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Vendor documentation/installation instructions Contact WireX support in order to configure your NFP solution to send Syslog messages in CEF format.
Supported by WireX Systems

Windows DNS Events via AMA (Preview)

Connector attribute Description
Data ingestion method Azure service-to-service integration: Azure Monitor Agent-based connection
Log Analytics table(s) DnsEvents; DnsInventory
DCR support Standard DCR
Supported by Microsoft

Windows DNS Server (Preview)

This connector uses the legacy agent. We recommend that you use the DNS over AMA connector above.

Connector attribute Description
Data ingestion method Azure service-to-service integration: Log Analytics agent-based connections (Legacy)
Log Analytics table(s) DnsEvents; DnsInventory
DCR support Workspace transformation DCR
Supported by Microsoft

Troubleshooting your Windows DNS Server data connector

If your DNS events don't show up in Microsoft Sentinel:

  1. Make sure that DNS analytics logs on your servers are enabled.
  2. Go to Azure DNS Analytics.
  3. In the Configuration area, change any of the settings and save your changes. Change your settings back if you need to, and then save your changes again.
  4. Check your Azure DNS Analytics to make sure that your events and queries display properly.

For more information, see Gather insights about your DNS infrastructure with the DNS Analytics Preview solution.

Windows Forwarded Events (Preview)

Connector attribute Description
Data ingestion method Azure service-to-service integration: Azure Monitor Agent-based connections; see also Additional instructions for deploying the Windows Forwarded Events connector
Prerequisites You must have Windows Event Collection (WEC) enabled and running. Install the Azure Monitor Agent on the WEC machine.
xPath queries prefix "ForwardedEvents!*"
Log Analytics table(s) WindowsEvents
DCR support Standard DCR
Supported by Microsoft

Additional instructions for deploying the Windows Forwarded Events connector

We recommend installing the Advanced Security Information Model (ASIM) parsers to ensure full support for data normalization. You can deploy these parsers from the Azure-Sentinel GitHub repository using the Deploy to Azure button there.

Windows Firewall

Connector attribute Description
Data ingestion method Azure service-to-service integration: Log Analytics agent-based connections (Legacy)
Log Analytics table(s) WindowsFirewall
Supported by Microsoft

Windows Security Events via AMA

Connector attribute Description
Data ingestion method Azure service-to-service integration: Azure Monitor Agent-based connections
xPath queries prefix "Security!*"
Log Analytics table(s) SecurityEvents
DCR support Standard DCR
Supported by Microsoft

See also:

Configure the Security events / Windows Security Events connector for anomalous RDP login detection

Important

Anomalous RDP login detection is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Microsoft Sentinel can apply machine learning (ML) to Security events data to identify anomalous Remote Desktop Protocol (RDP) login activity. Scenarios include:

  • Unusual IP - the IP address has rarely or never been observed in the last 30 days.

  • Unusual geo-location - the IP address, city, country, and ASN have rarely or never been observed in the last 30 days.

  • New user - a new user logs in from an IP address and geo-location, both or either of which were not expected to be seen based on data from the 30 days prior.

Configuration instructions

  1. You must be collecting RDP login data (Event ID 4624) through the Security events or Windows Security Events data connectors. Make sure you have selected an event set besides "None", or created a data collection rule that includes this event ID, to stream into Microsoft Sentinel.

  2. From the Microsoft Sentinel portal, select Analytics, and then select the Rule templates tab. Choose the (Preview) Anomalous RDP Login Detection rule, and move the Status slider to Enabled.

    Note

    As the machine learning algorithm requires 30 days' worth of data to build a baseline profile of user behavior, you must allow 30 days of Windows Security events data to be collected before any incidents can be detected.
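As an added illustration (not the Anomalous RDP Login Detection rule template or its ML model), the following KQL approximates the Unusual IP and New user scenarios above with a fixed 30-day baseline over the SecurityEvent table populated by the Security events / Windows Security Events connector. It assumes RDP logons are recorded as Event ID 4624 with LogonType 10 (RemoteInteractive) and that the IpAddress field holds the source address.

```kusto
// Added illustration: a fixed-baseline approximation of the Unusual IP and
// New user scenarios. Assumes SecurityEvent holds Event ID 4624 logons and that
// RDP logons carry LogonType 10 (RemoteInteractive). Not the ML rule itself.
let baselineWindow = 30d;   // matches the 30 days the ML rule needs for its baseline
let detectionWindow = 1d;   // period being examined for first-seen activity
let rdpLogons = SecurityEvent
    | where EventID == 4624 and LogonType == 10
    | where isnotempty(IpAddress) and IpAddress !in ("-", "::1", "127.0.0.1")
    | project TimeGenerated, Computer, Account, IpAddress;
// Source IPs seen for any account during the baseline period (excludes the detection window)
let knownIps = rdpLogons
    | where TimeGenerated between (ago(baselineWindow + detectionWindow) .. ago(detectionWindow))
    | summarize by IpAddress;
// Account/IP pairs seen during the same baseline period
let knownPairs = rdpLogons
    | where TimeGenerated between (ago(baselineWindow + detectionWindow) .. ago(detectionWindow))
    | summarize by Account, IpAddress;
rdpLogons
| where TimeGenerated > ago(detectionWindow)
// Keep only account/IP pairs never seen in the baseline
| join kind=leftanti knownPairs on Account, IpAddress
// Flag whether the IP itself is new (Unusual IP) or only new for this account (New user)
| join kind=leftouter (knownIps | extend IpKnownInBaseline = true) on IpAddress
| extend Scenario = iff(IpKnownInBaseline == true, "New user from known IP", "Unusual IP")
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Logons = count()
    by Account, IpAddress, Computer, Scenario
| order by FirstSeen desc
```

Run it in Logs against a workspace that already has at least 30 days of Security events; with less history every logon looks new, which is the same reason the Note above requires a 30-day collection period before the ML rule produces incidents.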

Workplace from Facebook (Preview)

Connector attribute Description
Data ingestion method Azure Functions and the REST API; see also Configure Webhooks and Add Callback URL to Webhook configuration
Log Analytics table(s) Workplace_Facebook_CL
DCR support Not currently supported
Azure Function App code https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Workplace%20from%20Facebook/Data%20Connectors/WorkplaceFacebook/WorkplaceFacebookWebhooksSentinelConn.zip
API credentials WorkplaceAppSecret; WorkplaceVerifyToken
Vendor documentation/installation instructions Configure Webhooks; Configure permissions
Connector deployment instructions Single-click deployment via Azure Resource Manager (ARM) template; Manual deployment
Kusto function alias Workplace_Facebook
Kusto function URL/Parser config instructions https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Workplace%20from%20Facebook/Parsers/Workplace_Facebook.txt
Application settings WorkplaceAppSecret; WorkplaceVerifyToken; WorkspaceID; WorkspaceKey; logAnalyticsUri (optional)
Supported by Microsoft

Configure Webhooks

  1. Sign in to Workplace with Admin user credentials.
  2. In the Admin panel, select Integrations.
  3. In the All integrations view, select Create custom integration.
  4. Enter the name and description and select Create.
  5. In the Integration details panel, show the App secret and copy it.
  6. In the Integration permissions panel, set all read permissions. Refer to the permissions page for details.

Add Callback URL to Webhook configuration

  1. Open your Function App's page, go to the Functions list, select Get Function URL, and copy it.
  2. Go back to Workplace from Facebook. In the Configure webhooks panel, on each tab, set the Callback URL to the Function URL you copied in the last step, and set the Verify token to the same value you received during automatic deployment or entered during manual deployment.
  3. Select Save.

Zimperium Mobile Threat Defense (Preview)

Zimperium Mobile Threat Defense data connector connects the Zimperium threat log to Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This connector gives you more insight into your organization's mobile threat landscape and enhances your security operation capabilities.

For more information, see Connect Zimperium to Microsoft Sentinel.

Connector attribute Description
Data ingestion method Microsoft Sentinel Data Collector API; see also Configure and connect Zimperium MTD
Log Analytics table(s) ZimperiumThreatLog_CL; ZimperiumMitigationLog_CL
DCR support Not currently supported
Vendor documentation/installation instructions Zimperium customer support portal (sign-in required)
Supported by Zimperium

Configure and connect Zimperium MTD

  1. In zConsole, select Manage on the navigation bar.
  2. Select the Integrations tab.
  3. Select the Threat Reporting button and then the Add Integrations button.
  4. Create the Integration:
    1. From the available integrations, select Microsoft Sentinel.
    2. Enter your workspace ID and primary key, then select Next.
    3. Fill in a name for your Microsoft Sentinel integration.
    4. Select a Filter Level for the threat data you wish to push to Microsoft Sentinel.
    5. Select Finish.

Zoom Reports (Preview)

Connector attribute Description
Data ingestion method Azure Functions and the REST API
Log Analytics table(s) Zoom_CL
DCR support Not currently supported
Azure Function App code https://aka.ms/Sentinel-ZoomAPI-functionapp
API credentials ZoomApiKey; ZoomApiSecret
Vendor documentation/installation instructions Get credentials using JWT With Zoom
Connector deployment instructions Single-click deployment via Azure Resource Manager (ARM) template; Manual deployment
Kusto function alias Zoom
Kusto function URL/Parser config instructions https://aka.ms/Sentinel-ZoomAPI-parser
Application settings ZoomApiKey; ZoomApiSecret; WorkspaceID; WorkspaceKey; logAnalyticsUri (optional)
Supported by Microsoft

Zscaler

Connector attribute Description
Data ingestion method Common Event Format (CEF) over Syslog
Log Analytics table(s) CommonSecurityLog
DCR support Workspace transformation DCR
Vendor documentation/installation instructions Zscaler and Microsoft Sentinel Deployment Guide
Supported by Zscaler

Zscaler Private Access (ZPA) (Preview)

Connector attribute Description
Data ingestion method Log Analytics agent - custom logs; see also Extra configuration for Zscaler Private Access
Log Analytics table(s) ZPA_CL
DCR support Not currently supported
Kusto function alias: ZPAEvent
Kusto function URL https://aka.ms/Sentinel-zscalerprivateaccess-parser
Vendor documentation/installation instructions Zscaler Private Access documentation; also, see below
Supported by Microsoft

Extra configuration for Zscaler Private Access

Follow the configuration steps below to get Zscaler Private Access logs into Microsoft Sentinel. For more information, see the Azure Monitor documentation. Zscaler Private Access logs are delivered via the Log Streaming Service (LSS); refer to the LSS documentation for detailed information.

  1. Configure Log Receivers. While configuring a Log Receiver, choose JSON as Log Template.

  2. Download config file zpa.conf.

    wget -v https://aka.ms/sentinel-zscalerprivateaccess-conf -O zpa.conf
    
  3. Sign in to the server where you have installed the Azure Log Analytics agent.

  4. Copy zpa.conf to the /etc/opt/microsoft/omsagent/workspace_id/conf/omsagent.d/ folder.

  5. Edit zpa.conf as follows:

    1. Specify the port that you have set your Zscaler Log Receivers to forward logs to (line 4).
    2. Replace workspace_id with the real value of your Workspace ID (lines 14, 15, 16, and 19).
  6. Save changes and restart the Azure Log Analytics agent for Linux service with the following command:

    sudo /opt/microsoft/omsagent/bin/service_control restart
    

You can find the value of your workspace ID on the Zscaler Private Access connector page or on your Log Analytics workspace's agents management page.

Next steps

For more information, see: