Find your Microsoft Sentinel data connector
This article describes how to deploy data connectors in Microsoft Sentinel, listing all supported, out-of-the-box data connectors, together with links to generic deployment procedures, and extra steps required for specific connectors.
Some data connectors are deployed only via solutions. For more information, see the Discover and deploy Microsoft Sentinel out-of-the-box content and solutions. You can also find other, community-built data connectors in the Microsoft Sentinel GitHub repository.
Important
For connectors that use the Log Analytics agent, the agent will be retired on 31 August, 2024. If you are using the Log Analytics agent in your Microsoft Sentinel deployment, we recommend that you start planning your migration to the AMA. For more information, see AMA migration for Microsoft Sentinel.
How to use this guide
First, locate and select the connector for your product, service, or device in the headings menu to the right.
The first piece of information you'll see for each connector is its data ingestion method. The method that appears there will be a link to one of the following generic deployment procedures, which contain most of the information you'll need to connect your data sources to Microsoft Sentinel:
Data ingestion method | Linked article with instructions |
---|---|
Azure service-to-service integration | Connect to Azure, Windows, Microsoft, and Amazon services |
Common Event Format (CEF) over Syslog | Get CEF-formatted logs from your device or appliance into Microsoft Sentinel |
Microsoft Sentinel Data Collector API | Connect your data source to the Microsoft Sentinel Data Collector API to ingest data |
Azure Functions and the REST API | Use Azure Functions to connect Microsoft Sentinel to your data source |
Syslog | Collect data from Linux-based sources using Syslog |
Custom logs | Collect data in custom log formats to Microsoft Sentinel with the Log Analytics agent |
Note
The Azure service-to-service integration data ingestion method links to three different sections of its article, depending on the connector type. Each connector's section below specifies the section within that article that it links to.
When deploying a specific connector, choose the appropriate article linked to its data ingestion method, and use the information and extra guidance in the relevant section below to supplement the information in that article.
Tip
Many data connectors can also be deployed as part of a Microsoft Sentinel solution, together with related analytics rules, workbooks and playbooks. For more information, see the Microsoft Sentinel solutions catalog.
More data connectors are provided by the Microsoft Sentinel community and can be found in the Azure Marketplace. Documentation for community data connectors is the responsibility of the organization that created the connector.
If you have a data source that isn't listed or currently supported, you can also create your own, custom connector. For more information, see Resources for creating Microsoft Sentinel custom connectors.
Important
Noted Microsoft Sentinel data connectors are currently in Preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Data connector prerequisites
Each data connector has its own set of prerequisites, such as required permissions on your Azure workspace, subscription, or policy, or other requirements of the partner data source you're connecting to.
Prerequisites for each data connector are listed on the relevant data connector page in Microsoft Sentinel, on the Instructions tab.
Agari Phishing Defense and Brand Protection (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API Before deployment: Enable the Security Graph API (Optional). After deployment: Assign necessary permissions to your Function App |
Log Analytics table(s) | agari_bpalerts_log_CL agari_apdtc_log_CL agari_apdpolicy_log_CL |
DCR support | Not currently supported |
Azure Function App code | https://aka.ms/Sentinel-agari-functionapp |
API credentials | |
Vendor documentation/ installation instructions | |
Connector deployment instructions | |
Application settings | Required if enableSecurityGraphSharing is set to true (see below): |
Supported by | Agari |
Enable the Security Graph API (Optional)
Important
If you perform this step, do this before you deploy your data connector.
The Agari Function App allows you to share threat intelligence with Microsoft Sentinel via the Security Graph API. To use this feature, you'll need to enable the Sentinel Threat Intelligence Platforms connector and also register an application in Azure Active Directory.
This process will give you three pieces of information for use when deploying the Function App: the Graph tenant ID, the Graph client ID, and the Graph client secret (see the Application settings in the table above).
Assign necessary permissions to your Function App
The Agari connector uses an environment variable to store log access timestamps. In order for the application to write to this variable, permissions must be assigned to the system assigned identity.
- In the Azure portal, navigate to Function App.
- In the Function App page, select your Function App from the list, then select Identity under Settings in the Function App's navigation menu.
- In the System assigned tab, set the Status to On.
- Select Save, and an Azure role assignments button will appear. Select it.
- In the Azure role assignments screen, select Add role assignment. Set Scope to Subscription, select your subscription from the Subscription drop-down, and set Role to App Configuration Data Owner.
- Select Save.
AI Analyst (AIA) by Darktrace (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog Configure CEF log forwarding for AI Analyst |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Supported by | Darktrace |
Configure CEF log forwarding for AI Analyst
Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Log Analytics agent.
- Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin.
- From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.
- A configuration window will open. Locate Microsoft Sentinel Syslog CEF and select New to reveal the configuration settings, unless already exposed.
- In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls.
- Configure any alert thresholds, time offsets, or extra settings as required.
- Review any extra configuration options you may wish to enable that alter the Syslog syntax.
- Enable Send Alerts and save your changes.
AI Vectra Detect (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog Configure CEF log forwarding for AI Vectra Detect |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Supported by | Vectra AI |
Configure CEF log forwarding for AI Vectra Detect
Configure Vectra (X Series) Agent to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Log Analytics agent.
From the Vectra interface, navigate to Settings > Notifications and choose Edit Syslog configuration. Follow the instructions below to set up the connection:
- Add a new Destination (the hostname of the log forwarder)
- Set the Port as 514
- Set the Protocol as UDP
- Set the format to CEF
- Set Log types (select all log types available)
- Select Save
You can select the Test button to force the sending of some test events to the log forwarder.
For more information, see the Cognito Detect Syslog Guide, which can be downloaded from the resource page in Detect UI.
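Both the Darktrace and the Vectra procedures above end with the device sending CEF-formatted syslog to the log forwarder on port 514. Before those events show up in CommonSecurityLog it is worth checking, on the forwarder, that what arrives is well-formed CEF. The parser below is an added example, not code from Microsoft, Darktrace or Vectra; it handles the two places hand-rolled parsers usually break (escaped `\|` in header fields and escaped `\=` / `\\` in extension values) and rejects lines that carry no CEF header. The sample lines, host names and addresses are constructed.

```python
"""Parse CEF-over-syslog lines as a log forwarder receives them (added example)."""
import re
from dataclasses import dataclass, field


@dataclass
class CefEvent:
    version: int
    device_vendor: str
    device_product: str
    device_version: str
    signature_id: str
    name: str
    severity: str            # CEF allows 0-10 or Low/Medium/High/Very-High, so keep it as text
    extensions: dict = field(default_factory=dict)
    syslog_prefix: str = ""  # PRI, timestamp and host that precede "CEF:"


_CEF_START = re.compile(r"CEF:(\d+)\|")
# An extension key is alphanumeric/dot/underscore, preceded by start-of-string or
# whitespace and followed by '='. An escaped '\=' inside a value never matches,
# because the backslash breaks the key pattern.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(body):
    """Return the 7 header fields (unescaped) and the raw extension string."""
    parts, cur, i = [], [], 0
    while i < len(body) and len(parts) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # header escapes: \| and \\
            cur.append(body[i + 1])
            i += 2
        elif c == "|":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(parts) < 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return parts, body[i:]


def _unescape_value(value):
    # Extension escapes: \\ \= \n \r ; any other escaped character is taken literally.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    out = {}
    keys = list(_EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_value(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse one syslog line carrying a CEF message; raises ValueError otherwise."""
    m = _CEF_START.search(line)
    if not m:
        raise ValueError("no CEF header in line")
    header, ext = _split_header(line[m.start() + len("CEF:"):])
    return CefEvent(int(header[0]), *header[1:7],
                    extensions=_parse_extension(ext),
                    syslog_prefix=line[:m.start()].rstrip())


def parse_lines(lines):
    """Parse a batch; returns (events, number_of_rejected_lines)."""
    events, rejected = [], 0
    for line in lines:
        try:
            events.append(parse_cef(line))
        except ValueError:
            rejected += 1
    return events, rejected


# Constructed sample input: an RFC 3164-prefixed line with an escaped pipe in the
# Name field and escaped '=' and '\' in values, an RFC 5424-prefixed line with
# custom-string fields, and a plain syslog line that must be rejected.
SAMPLE_LINES = [
    r"<14>Jan  1 00:00:00 fwd01 CEF:0|Darktrace|DCIP|5.1|1|Device \| New Device|3|"
    r"src=10.0.0.5 dst=10.0.0.9 msg=first seen\=yes path=C:\\Temp rt=1700000000000",
    r"<13>1 2024-01-01T00:00:00Z fwd01 vectra - - - CEF:0|Vectra|X Series|6.5|hsc|Host Score Change|5|"
    r"dvc=10.1.1.1 shost=desk-042 cs1Label=threat cs1=60",
    "<38>Jan  1 00:00:01 fwd01 sshd[412]: Accepted publickey for ops from 10.0.0.7",
]

if __name__ == "__main__":
    events, rejected = parse_lines(SAMPLE_LINES)
    for ev in events:
        print(ev.device_vendor, ev.device_product, ev.name, ev.severity, ev.extensions)
    print(f"{len(events)} CEF events, {rejected} non-CEF lines")
```

Run it against a few lines captured from the forwarder (for example from the file rsyslog writes for the device's facility) and compare the extension keys you see with the columns you expect in CommonSecurityLog; a rejected line or a value that still contains a backslash escape usually means the device is not emitting CEF on that facility.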
Akamai Security Events (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog, with a Kusto function parser |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Kusto function alias: | AkamaiSIEMEvent |
Kusto function URL: | https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Akamai%20Security%20Events/Parsers/AkamaiSIEMEvent.txt |
Vendor documentation/ installation instructions | Configure Security Information and Event Management (SIEM) integration; Set up a CEF connector. |
Supported by | Akamai |
Alcide kAudit
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API |
Log Analytics table(s) | alcide_kaudit_activity_1_CL - Alcide kAudit activity logs alcide_kaudit_detections_1_CL - Alcide kAudit detections alcide_kaudit_selections_count_1_CL - Alcide kAudit activity counts alcide_kaudit_selections_details_1_CL - Alcide kAudit activity details |
DCR support | Not currently supported |
Vendor documentation/ installation instructions | Alcide kAudit installation guide |
Supported by | Alcide |
Alsid for Active Directory
Connector attribute | Description |
---|---|
Data ingestion method | Log Analytics agent - custom logs Extra configuration for Alsid |
Log Analytics table(s) | AlsidForADLog_CL |
DCR support | Not currently supported |
Kusto function alias: | afad_parser |
Kusto function URL: | https://aka.ms/Sentinel-alsidforad-parser |
Supported by | Alsid |
Extra configuration for Alsid
Configure the Syslog server
You will first need a Linux Syslog server that Alsid for AD will send logs to. Typically you can run rsyslog on Ubuntu.
You can then configure this server as you wish, but we recommend configuring it to write the AFAD logs to a separate file. Alternatively you can use a Quickstart template to deploy the Syslog server and the Microsoft agent for you. If you do use the template, you can skip the agent installation instructions.
Configure Alsid to send logs to your Syslog server
On your Alsid for AD portal, go to System, Configuration, and then Syslog. From there, you can create a new Syslog alert toward your Syslog server.
Once you've created a new Syslog alert, check that the logs are correctly gathered on your server in a separate file. For example, to check your logs, you can use the Test the configuration button in the Syslog alert configuration in AFAD. If you used the Quickstart template, the Syslog server will by default listen on port 514 in UDP and 1514 in TCP, without TLS.
Amazon Web Services
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data (Top connector article) |
Log Analytics table(s) | AWSCloudTrail |
DCR support | Workspace transformation DCR |
Supported by | Microsoft |
Amazon Web Services S3 (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data (Top connector article) |
Log Analytics table(s) | AWSCloudTrail AWSGuardDuty AWSVPCFlow |
DCR support | Workspace transformation DCR |
Supported by | Microsoft |
Apache HTTP Server
Connector attribute | Description |
---|---|
Data ingestion method | Log Analytics agent - custom logs |
Log Analytics table(s) | ApacheHTTPServer_CL |
DCR support | Not currently supported |
Kusto function alias: | ApacheHTTPServer |
Kusto function URL: | https://aka.ms/Sentinel-apachehttpserver-parser |
Custom log sample file: | access.log or error.log |
Apache Tomcat
Connector attribute | Description |
---|---|
Data ingestion method | Log Analytics agent - custom logs |
Log Analytics table(s) | Tomcat_CL |
DCR support | Not currently supported |
Kusto function alias: | TomcatEvent |
Kusto function URL: | https://aka.ms/Sentinel-ApacheTomcat-parser |
Custom log sample file: | access.log or error.log |
Aruba ClearPass (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog, with a Kusto function parser |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Kusto function alias: | ArubaClearPass |
Kusto function URL: | https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Aruba%20ClearPass/Parsers/ArubaClearPass.txt |
Vendor documentation/ installation instructions | Follow Aruba's instructions to configure ClearPass. |
Supported by | Microsoft |
Atlassian Confluence Audit (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API |
Log Analytics table(s) | Confluence_Audit_CL |
DCR support | Not currently supported |
Azure Function App code | https://aka.ms/Sentinel-confluenceauditapi-functionapp |
API credentials | |
Vendor documentation/ installation instructions | |
Connector deployment instructions | |
Kusto function alias | ConfluenceAudit |
Kusto function URL/ Parser config instructions | https://aka.ms/Sentinel-confluenceauditapi-parser |
Application settings | |
Supported by | Microsoft |
Atlassian Jira Audit (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API |
Log Analytics table(s) | Jira_Audit_CL |
DCR support | Not currently supported |
Azure Function App code | https://aka.ms/Sentinel-jiraauditapi-functionapp |
API credentials | |
Vendor documentation/ installation instructions | |
Connector deployment instructions | |
Kusto function alias | JiraAudit |
Kusto function URL/ Parser config instructions | https://aka.ms/Sentinel-jiraauditapi-parser |
Application settings | |
Supported by | Microsoft |
Azure Active Directory
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Connect Azure Active Directory data to Microsoft Sentinel (Top connector article) |
License prerequisites/ Cost information | Other charges may apply |
Log Analytics table(s) | SigninLogs AuditLogs AADNonInteractiveUserSignInLogs AADServicePrincipalSignInLogs AADManagedIdentitySignInLogs AADProvisioningLogs ADFSSignInLogs |
DCR support | Workspace transformation DCR |
Supported by | Microsoft |
Azure Active Directory Identity Protection
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: API-based connections |
License prerequisites/ Cost information | Azure AD Premium P2 subscription. Other charges may apply |
Log Analytics table(s) | SecurityAlert |
DCR support | Workspace transformation DCR |
Supported by | Microsoft |
Azure Activity
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Diagnostic settings-based connections, managed by Azure Policy Upgrade to the new Azure Activity connector |
Log Analytics table(s) | AzureActivity |
DCR support | Not currently supported |
Supported by | Microsoft |
Upgrade to the new Azure Activity connector
Data structure changes
This connector recently changed its back-end mechanism for collecting Activity log events. It is now using the diagnostic settings pipeline. If you're still using the legacy method for this connector, you are strongly encouraged to upgrade to the new version, which provides better functionality and greater consistency with resource logs. See the instructions below.
The diagnostic settings method sends the same data that the legacy method sent from the Activity log service, although there have been some changes to the structure of the AzureActivity table.
Here are some of the key improvements resulting from the move to the diagnostic settings pipeline:
- Improved ingestion latency (event ingestion within 2-3 minutes of occurrence instead of 15-20 minutes).
- Improved reliability.
- Improved performance.
- Support for all categories of events logged by the Activity log service (the legacy mechanism supports only a subset - for example, no support for Service Health events).
- Management at scale with Azure Policy.
See the Azure Monitor documentation for more in-depth treatment of Azure Activity log and the diagnostic settings pipeline.
Disconnect from old pipeline
Before setting up the new Azure Activity log connector, you must disconnect the existing subscriptions from the legacy method.
From the Microsoft Sentinel navigation menu, select Data connectors. From the list of connectors, select Azure Activity, and then select the Open connector page button on the lower right.
Under the Instructions tab, in the Configuration section, in step 1, review the list of your existing subscriptions that are connected to the legacy method (so you know which ones to add to the new), and disconnect them all at once by clicking the Disconnect All button below.
Continue setting up the new connector with the instructions linked in the table above.
Azure DDoS Protection
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Diagnostic settings-based connections |
License prerequisites/ Cost information | Other charges may apply |
Log Analytics table(s) | AzureDiagnostics |
DCR support | Not currently supported |
Recommended diagnostics | DDoSProtectionNotifications DDoSMitigationFlowLogs DDoSMitigationReports |
Supported by | Microsoft |
Note
The Status for Azure DDoS Protection Data Connector changes to Connected only when the protected resources are under a DDoS attack.
Azure Defender
See Microsoft Defender for Cloud.
Azure Firewall
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Diagnostic settings-based connections |
Log Analytics table(s) | AzureDiagnostics |
DCR support | Not currently supported |
Recommended diagnostics | AzureFirewallApplicationRule AzureFirewallNetworkRule AzureFirewallDnsProxy |
Supported by | Microsoft |
Azure Information Protection (Preview)
Important
The Azure Information Protection (AIP) data connector uses the AIP audit logs (public preview) feature. As of March 31, 2023, the AIP analytics and audit logs public preview will be retired, and audit logging will move to the Microsoft 365 auditing solution.
For more information, see Removed and retired services.
See the Microsoft Purview Information Protection connector, which will replace this connector.
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration |
Log Analytics table(s) | InformationProtectionLogs_CL |
DCR support | Not currently supported |
Supported by | Microsoft |
Azure Key Vault
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Diagnostic settings-based connections, managed by Azure Policy |
Log Analytics table(s) | KeyVaultData |
DCR support | Not currently supported |
Supported by | Microsoft |
Azure Kubernetes Service (AKS)
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Diagnostic settings-based connections, managed by Azure Policy |
Log Analytics table(s) | kube-apiserver kube-audit kube-audit-admin kube-controller-manager kube-scheduler cluster-autoscaler guard |
DCR support | Not currently supported |
Supported by | Microsoft |
Microsoft Purview
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Diagnostic settings-based connections For more information, see Tutorial: Integrate Microsoft Sentinel and Microsoft Purview. |
Log Analytics table(s) | PurviewDataSensitivityLogs |
DCR support | Not currently supported |
Supported by | Microsoft |
Azure SQL Databases
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Diagnostic settings-based connections, managed by Azure Policy Also available in the Azure SQL and Microsoft Sentinel for SQL PaaS solutions |
Log Analytics table(s) | SQLSecurityAuditEvents SQLInsights AutomaticTuning QueryStoreWaitStatistics Errors DatabaseWaitStatistics Timeouts Blocks Deadlocks Basic InstanceAndAppAdvanced WorkloadManagement DevOpsOperationsAudit |
DCR support | Not currently supported |
Supported by | Microsoft |
Azure Storage Account
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Diagnostic settings-based connections Notes about storage account diagnostic settings configuration |
Log Analytics table(s) | StorageBlobLogs StorageQueueLogs StorageTableLogs StorageFileLogs |
Recommended diagnostics | Account resource Blob/Queue/Table/File resources |
DCR support | Not currently supported |
Supported by | Microsoft |
Notes about storage account diagnostic settings configuration
The storage account (parent) resource has within it other (child) resources for each type of storage: files, tables, queues, and blobs.
When configuring diagnostics for a storage account, you must select and configure, in turn:
- The parent account resource, exporting the Transaction metric.
- Each of the child storage-type resources, exporting all the logs and metrics (see the table above).
You will only see the storage types that you actually have defined resources for.
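The parent/child layout described above is easy to get wrong when automating it: the Transaction metric belongs on the account resource, while the logs live on each service resource, and only the services that actually exist on the account should be configured. The following is an added example, not Microsoft's code, that turns the steps into the set of diagnostic-settings PUT requests a script would issue against the Azure Monitor REST API. Assumptions, labelled in the code: the `Microsoft.Insights/diagnosticSettings` API version used, the resource log category names `StorageRead`, `StorageWrite` and `StorageDelete`, and the constructed subscription, account and workspace IDs.

```python
"""Build the diagnostic-settings requests for a storage account and its
service child resources (added example; IDs and api-version are assumptions)."""
import json
import re

# Child resource path per storage service. Only services present on the account
# are configured, matching the note that the portal shows only existing types.
CHILD_SERVICES = {
    "blob": "blobServices/default",
    "queue": "queueServices/default",
    "table": "tableServices/default",
    "file": "fileServices/default",
}
# Assumed resource log categories exposed by each storage service resource.
LOG_CATEGORIES = ("StorageRead", "StorageWrite", "StorageDelete")
# Assumed api-version for Microsoft.Insights/diagnosticSettings.
API_VERSION = "2021-05-01-preview"

_ACCOUNT_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Storage/storageAccounts/[^/]+$", re.IGNORECASE)

# Constructed IDs used for the demonstration.
ACCOUNT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs"
              "/providers/Microsoft.Storage/storageAccounts/stexample001")
WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs"
                "/providers/Microsoft.OperationalInsights/workspaces/law-sentinel")


def _setting(workspace_id, logs=(), metrics=()):
    """Diagnostic-setting body sending the given categories to a workspace."""
    return {"properties": {
        "workspaceId": workspace_id,
        "logs": [{"category": c, "enabled": True} for c in logs],
        "metrics": [{"category": c, "enabled": True} for c in metrics],
    }}


def build_storage_diagnostics(account_id, workspace_id, services, name="sentinel"):
    """Return (PUT url, body) pairs: the parent account first, then each child service.

    The parent exports the Transaction metric only; each child exports all of its
    logs plus its metrics, as the configuration steps describe.
    """
    if not _ACCOUNT_ID.match(account_id):
        raise ValueError("not a storage account resource ID")
    unknown = set(services) - CHILD_SERVICES.keys()
    if unknown:
        raise ValueError(f"unknown storage service(s): {sorted(unknown)}")

    def url(resource_id):
        return (f"{resource_id}/providers/Microsoft.Insights/diagnosticSettings/"
                f"{name}?api-version={API_VERSION}")

    requests = [(url(account_id), _setting(workspace_id, metrics=("Transaction",)))]
    for svc in services:
        child = f"{account_id}/{CHILD_SERVICES[svc]}"
        requests.append((url(child), _setting(workspace_id, logs=LOG_CATEGORIES,
                                              metrics=("Transaction",))))
    return requests


if __name__ == "__main__":
    # An account that has blob and queue endpoints only: three requests result.
    for put_url, body in build_storage_diagnostics(ACCOUNT_ID, WORKSPACE_ID, ["blob", "queue"]):
        print("PUT", put_url)
        print(json.dumps(body, indent=2))
```

Which services an account exposes can be read from the account's `primaryEndpoints` property before calling this; passing a service the account lacks is rejected rather than silently producing a request that Azure would refuse.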
Azure Web Application Firewall (WAF)
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Diagnostic settings-based connections |
Log Analytics table(s) | AzureDiagnostics |
DCR support | Not currently supported |
Recommended diagnostics | Application Gateway Front Door CDN WAF policy |
Supported by | Microsoft |
Barracuda CloudGen Firewall
Connector attribute | Description |
---|---|
Data ingestion method | Syslog |
Log Analytics table(s) | Syslog |
DCR support | Workspace transformation DCR |
Kusto function alias: | CGFWFirewallActivity |
Kusto function URL: | https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Barracuda%20CloudGen%20Firewall/Parsers/CGFWFirewallActivity.txt |
Vendor documentation/ installation instructions | https://aka.ms/Sentinel-barracudacloudfirewall-connector |
Supported by | Barracuda |
Barracuda WAF
Connector attribute | Description |
---|---|
Data ingestion method | Syslog |
Log Analytics table(s) | CommonSecurityLog (Barracuda) Barracuda_CL |
Vendor documentation/ installation instructions | https://aka.ms/asi-barracuda-connector |
Supported by | Barracuda |
See Barracuda instructions - note the assigned facilities for the different types of logs and be sure to add them to the default Syslog configuration.
BETTER Mobile Threat Defense (MTD) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API |
Log Analytics table(s) | BetterMTDDeviceLog_CL BetterMTDIncidentLog_CL BetterMTDAppLog_CL BetterMTDNetflowLog_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions | BETTER MTD Documentation; Threat Policy setup, which defines the incidents that are reported to Microsoft Sentinel: |
Supported by | Better Mobile |
Beyond Security beSECURE
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API |
Log Analytics table(s) | beSECURE_ScanResults_CL beSECURE_ScanEvents_CL beSECURE_Audit_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions | Access the Integration menu: |
Supported by | Beyond Security |
BlackBerry CylancePROTECT (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Syslog |
Log Analytics table(s) | Syslog |
DCR support | Workspace transformation DCR |
Kusto function alias: | CylancePROTECT |
Kusto function URL: | https://aka.ms/Sentinel-cylanceprotect-parser |
Vendor documentation/ installation instructions | Cylance Syslog Guide |
Supported by | Microsoft |
Broadcom Symantec Data Loss Prevention (DLP) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog, with a Kusto function parser |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Kusto function alias: | SymantecDLP |
Kusto function URL: | https://aka.ms/Sentinel-symantecdlp-parser |
Vendor documentation/ installation instructions | Configuring the Log to a Syslog Server action |
Supported by | Microsoft |
Common Event Format (CEF) via AMA
Connector attribute | Description |
---|---|
Data ingestion method | Azure Monitor Agent-based connection |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Standard DCR |
Supported by | Microsoft |
Check Point
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog Available from the Check Point solution |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions | Log Exporter - Check Point Log Export |
Supported by | Check Point |
Cisco ASA
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog Available in the Cisco ASA solution |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions | Cisco ASA Series CLI Configuration Guide |
Supported by | Microsoft |
Cisco Firepower eStreamer (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog Extra configuration for Cisco Firepower eStreamer |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions | eStreamer eNcore for Sentinel Operations Guide |
Supported by | Cisco |
Extra configuration for Cisco Firepower eStreamer
Install the Firepower eNcore client
Install and configure the Firepower eNcore eStreamer client. For more information, see the full Cisco install guide.
Download the Firepower Connector from GitHub
Download the latest version of the Firepower eNcore connector for Microsoft Sentinel from the Cisco GitHub repository. If you plan on using python3, use the python3 eStreamer connector.
Create a pkcs12 file using the Azure/VM IP Address
Create a pkcs12 certificate using the public IP of the VM instance in Firepower under System > Integration > eStreamer. For more information, see the install guide.
Test Connectivity between the Azure/VM Client and the FMC
Copy the pkcs12 file from the FMC to the Azure/VM instance and run the test utility (./encore.sh test) to ensure a connection can be established. For more information, see the setup guide.
Configure eNcore to stream data to the agent
Configure eNcore to stream data via TCP to the Log Analytics Agent. This configuration should be enabled by default, but extra ports and streaming protocols can be configured depending on your network security posture. It is also possible to save the data to the file system. For more information, see Configure eNcore.
Cisco Meraki (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Syslog Available in the Cisco ISE solution |
Log Analytics table(s) | Syslog |
DCR support | Workspace transformation DCR |
Kusto function alias: | CiscoMeraki |
Kusto function URL: | https://aka.ms/Sentinel-ciscomeraki-parser |
Vendor documentation/ installation instructions | Meraki Device Reporting documentation |
Supported by | Microsoft |
Cisco Umbrella (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API Available in the Cisco Umbrella solution |
Log Analytics table(s) | Cisco_Umbrella_dns_CL Cisco_Umbrella_proxy_CL Cisco_Umbrella_ip_CL Cisco_Umbrella_cloudfirewall_CL |
DCR support | Not currently supported |
Azure Function App code | https://aka.ms/Sentinel-CiscoUmbrellaConn-functionapp |
API credentials | |
Vendor documentation/ installation instructions | |
Connector deployment instructions | |
Kusto function alias | Cisco_Umbrella |
Kusto function URL/ Parser config instructions | https://aka.ms/Sentinel-ciscoumbrella-function |
Application settings | |
Supported by | Microsoft |
Cisco Unified Computing System (UCS) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Syslog |
Log Analytics table(s) | Syslog |
DCR support | Workspace transformation DCR |
Kusto function alias: | CiscoUCS |
Kusto function URL: | https://aka.ms/Sentinel-ciscoucs-function |
Vendor documentation/ installation instructions | Set up Syslog for Cisco UCS - Cisco |
Supported by | Microsoft |
Citrix Analytics (Security)
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API |
Log Analytics table(s) | CitrixAnalytics_SAlerts_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions | Connect Citrix to Microsoft Sentinel |
Supported by | Citrix Systems |
Citrix Web App Firewall (WAF) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions | To configure WAF, see Support WIKI - WAF Configuration with NetScaler. To configure CEF logs, see CEF Logging Support in the Application Firewall. To forward the logs to proxy, see Configuring Citrix ADC appliance for audit logging. |
Supported by | Citrix Systems |
Cognni (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API |
Log Analytics table(s) | CognniIncidents_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions | Connect to Cognni |
Supported by | Cognni |
Continuous Threat Monitoring for SAP (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Only available after installing the Continuous Threat Monitoring for SAP solution |
Log Analytics table(s) | See Microsoft Sentinel SAP solution data reference |
Vendor documentation/ installation instructions | Deploy SAP continuous threat monitoring |
Supported by | Microsoft |
CyberArk Enterprise Password Vault (EPV) Events (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions | Security Information and Event Management (SIEM) Applications |
Supported by | CyberArk |
Cyberpion Security Logs (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API |
Log Analytics table(s) | CyberpionActionItems_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions | Get a Cyberpion subscription; Integrate Cyberpion security alerts into Microsoft Sentinel |
Supported by | Cyberpion |
DNS (Preview)
Important
The Log Analytics agent will be retired on 31 August, 2024. If you are using the Log Analytics agent in your Microsoft Sentinel deployment, we recommend that you start planning your migration to the AMA. For more information, see AMA migration for Microsoft Sentinel.
See Windows DNS Events via AMA (Preview) or Windows DNS Server (Preview).
Dynamics 365
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: API-based connections Also available as part of the Microsoft Sentinel 4 Dynamics 365 solution |
License prerequisites/ Cost information | Other charges may apply |
Log Analytics table(s) | Dynamics365Activity |
DCR support | Workspace transformation DCR |
Supported by | Microsoft |
ESET Enterprise Inspector (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API. See Create an API user. |
Log Analytics table(s) | ESETEnterpriseInspector_CL |
DCR support | Not currently supported |
API credentials | |
Vendor documentation/ installation instructions |
|
Connector deployment instructions | Single-click deployment via Azure Resource Manager (ARM) template |
Supported by | ESET |
Create an API user
- Log into the ESET Security Management Center / ESET PROTECT console with an administrator account, select the More tab and the Users subtab.
- Select the ADD NEW button and add a native user.
- Create a new user for the API account. Optional: Select a Home group other than All to limit what detections are ingested.
- Under the Permission Sets tab, assign the Enterprise Inspector reviewer permission set.
- Sign out of the administrator account and log into the console with the new API credentials for validation, then sign out of the API account.
ESET Security Management Center (SMC) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Syslog. See: Configure the ESET SMC logs to be collected; Configure OMS agent to pass Eset SMC data in API format; Change OMS agent configuration to catch tag oms.api.eset and parse structured data; Disable automatic configuration and restart agent |
Log Analytics table(s) | eset_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions |
ESET Syslog server documentation |
Supported by | ESET |
Configure the ESET SMC logs to be collected
Configure rsyslog to accept logs from your Eset SMC IP address.
sudo -i
# Set ESET SMC source IP address
export ESETIP={Enter your IP address}
# Create rsyslog configuration file
cat > /etc/rsyslog.d/80-remote.conf << EOF
\$ModLoad imudp
\$UDPServerRun 514
\$ModLoad imtcp
\$InputTCPServerRun 514
\$AllowedSender TCP, 127.0.0.1, $ESETIP
\$AllowedSender UDP, 127.0.0.1, $ESETIP
user.=alert;user.=crit;user.=debug;user.=emerg;user.=err;user.=info;user.=notice;user.=warning @127.0.0.1:25224
EOF
# Restart rsyslog
systemctl restart rsyslog
Configure OMS agent to pass Eset SMC data in API format
To make ESET data easy to recognize, push it to a separate table and parse it at the agent; this simplifies and speeds up your Microsoft Sentinel queries.
In the /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsagent.conf file, modify the match oms.** section to send data as API objects by changing the type to out_oms_api.
The following code is an example of the full match oms.** section:
<match oms.** docker.**>
type out_oms_api
log_level info
num_threads 5
run_in_background false
omsadmin_conf_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsadmin.conf
cert_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/certs/oms.crt
key_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/certs/oms.key
buffer_chunk_limit 15m
buffer_type file
buffer_path /var/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/state/out_oms_common*.buffer
buffer_queue_limit 10
buffer_queue_full_action drop_oldest_chunk
flush_interval 20s
retry_limit 10
retry_wait 30s
max_retry_wait 9m
</match>
Change OMS agent configuration to catch tag oms.api.eset and parse structured data
Modify the /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsagent.d/syslog.conf file.
For example:
<source>
type syslog
port 25224
bind 127.0.0.1
protocol_type udp
tag oms.api.eset
</source>
<filter oms.api.**>
@type parser
key_name message
format /(?<message>.*?{.*})/
</filter>
<filter oms.api.**>
@type parser
key_name message
format json
</filter>
Disable automatic configuration and restart agent
For example:
# Disable changes to configuration files from Portal
sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'
# Restart agent
sudo /opt/microsoft/omsagent/bin/service_control restart
# Check agent logs
tail -f /var/opt/microsoft/omsagent/log/omsagent.log
Configure Eset SMC to send logs to connector
Configure Eset Logs using BSD style and JSON format.
- In the Syslog server configuration, set Host to your connector (the log forwarder), Format to BSD, and Transport to TCP.
- In the Logging section, enable JSON.
For more information, see the Eset documentation.
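As an added illustration (not part of this article or of ESET's or Microsoft's code), the following Python script replays constructed ESET-style BSD syslog datagrams through the same chain the configuration above builds: the rsyslog sender and facility selector in 80-remote.conf, the fluentd syslog input on port 25224, the regexp filter, and the JSON filter. The event field names in the samples are constructed and only approximate ESET's JSON format.

```python
import json
import re

# Stage 0: the selector line in 80-remote.conf lists every severity for the
# "user" facility, so forwarding to 127.0.0.1:25224 depends only on
# facility == user (1) and on the sender being in $AllowedSender.
FACILITY_USER = 1

# Stage 1 mirrors the "type syslog" input (RFC 3164 / BSD framing):
#   <PRI>Mmm dd HH:MM:SS host ident[pid]: message
BSD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<ident>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<message>.*)$"
)

# Stage 2 mirrors the first <filter oms.api.**>: format /(?<message>.*?{.*})/
# The search is unanchored, the prefix is lazy and the tail is greedy, so the
# capture runs from the start of the text to the LAST closing brace.
STAGE2 = re.compile(r"(?P<message>.*?\{.*\})")

# Constructed sample datagrams (not real ESET output).
SAMPLES = [
    # PRI 14 = user(1)*8 + info(6); message starts with the JSON object
    '<14>Jun 14 10:15:02 esetsmc ERAServer[1234]: {"event_type":"Threat_Event",'
    '"ipv4":"10.0.0.5","hostname":"ws01","threat_name":"Eicar test file",'
    '"action_taken":"cleaned by deleting"}',
    # PRI 134 = local0(16)*8 + info(6): never matches the user.* selectors
    '<134>Jun 14 10:15:03 esetsmc ERAServer[1234]: {"event_type":"Audit_Event"}',
    # plain text, no JSON body: the regexp filter drops it
    '<14>Jun 14 10:15:04 esetsmc ERAServer[1234]: ESET SMC service started',
    # text before the object is captured too, so the JSON stage fails
    '<14>Jun 14 10:15:05 esetsmc ERAServer[1234]: event: {"event_type":"Audit_Event"}',
]


def rsyslog_forwards(pri, sender_ip, eset_ip):
    """True if 80-remote.conf would accept and relay a message with this PRI."""
    facility, severity = divmod(pri, 8)
    allowed_sender = sender_ip in ("127.0.0.1", eset_ip)
    return allowed_sender and facility == FACILITY_USER and 0 <= severity <= 7


def parse_bsd(line):
    """Stage 1: split the BSD line into the fields in_syslog would emit."""
    m = BSD_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    return rec


def stage2_extract(record):
    """Stage 2: the regexp parser filter; reserve_data is off, so the record is replaced."""
    m = STAGE2.search(record["message"])
    if not m:
        return None  # an unmatched record is not emitted downstream
    return {"message": m.group("message")}


def stage3_json(record):
    """Stage 3: the json parser filter; on failure the record is dropped."""
    try:
        return json.loads(record["message"])
    except json.JSONDecodeError:
        return None


def eset_pipeline(line, sender_ip="10.0.0.1", eset_ip="10.0.0.1"):
    """Run one datagram through the whole chain; None means it never reaches eset_CL."""
    rec = parse_bsd(line)
    if rec is None or not rsyslog_forwards(rec["pri"], sender_ip, eset_ip):
        return None
    rec = stage2_extract(rec)
    if rec is None:
        return None
    return stage3_json(rec)


if __name__ == "__main__":
    for line in SAMPLES:
        print(eset_pipeline(line))
```

Running the script shows which of the four constructed datagrams survive to the eset_CL table and which are silently dropped, and at which stage.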
Exabeam Advanced Analytics (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Syslog |
Log Analytics table(s) | Syslog |
DCR support | Workspace transformation DCR |
Kusto function alias: | ExabeamEvent |
Kusto function URL: | https://aka.ms/Sentinel-Exabeam-parser |
Vendor documentation/ installation instructions |
Configure Advanced Analytics system activity notifications |
Supported by | Microsoft |
ExtraHop Reveal(x)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions |
ExtraHop Detection SIEM Connector |
Supported by | ExtraHop |
F5 BIG-IP
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API |
Log Analytics table(s) | F5Telemetry_LTM_CL F5Telemetry_system_CL F5Telemetry_ASM_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions |
Integrating the F5 BIG-IP with Microsoft Sentinel |
Supported by | F5 Networks |
F5 Networks (ASM)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions |
Configuring Application Security Event Logging |
Supported by | F5 Networks |
Forcepoint Cloud Access Security Broker (CASB) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions |
Forcepoint CASB and Microsoft Sentinel |
Supported by | Forcepoint |
Forcepoint Cloud Security Gateway (CSG) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions |
Forcepoint Cloud Security Gateway and Microsoft Sentinel |
Supported by | Forcepoint |
Forcepoint Data Loss Prevention (DLP) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API |
Log Analytics table(s) | ForcepointDLPEvents_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions |
Forcepoint Data Loss Prevention and Microsoft Sentinel |
Supported by | Forcepoint |
Forcepoint Next Generation Firewall (NGFW) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions |
Forcepoint Next-Gen Firewall and Microsoft Sentinel |
Supported by | Forcepoint |
ForgeRock Common Audit (CAUD) for CEF (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions |
Install this first! ForgeRock Common Audit (CAUD) for Microsoft Sentinel |
Supported by | ForgeRock |
Fortinet
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog. See Send Fortinet logs to the log forwarder. Also available in the Fortinet Fortigate solution. |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions |
Fortinet Document Library. Choose your version and use the Handbook and Log Message Reference PDFs. |
Supported by | Fortinet |
Send Fortinet logs to the log forwarder
Open the CLI on your Fortinet appliance and run the following commands:
config log syslogd setting
set status enable
set format cef
set port 514
set server <ip_address_of_Forwarder>
end
- Replace <ip_address_of_Forwarder> with the IP address of the log forwarder.
- Set the syslog port to 514 or the port set on the Syslog daemon on the forwarder.
- To enable CEF format in early FortiOS versions, you might need to run the command set csv disable.
GitHub (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API. Only available after installing the Continuous Threat Monitoring for GitHub solution. |
Log Analytics table(s) | GitHubAuditLogPolling_CL |
DCR support | Not currently supported |
API credentials | GitHub access token |
Connector deployment instructions | Extra configuration for the GitHub connector |
Supported by | Microsoft |
Extra configuration for the GitHub connector
Prerequisite: You must have a GitHub enterprise account and an accessible organization in order to connect to GitHub from Microsoft Sentinel.
Install the Continuous Threat Monitoring for GitHub solution in your Microsoft Sentinel workspace. For more information, see Centrally discover and deploy Microsoft Sentinel out-of-the-box content and solutions (Public preview).
Create a GitHub personal access token for use in the Microsoft Sentinel connector. For more information, see the relevant GitHub documentation.
In the Microsoft Sentinel Data connectors area, search for and locate the GitHub connector. On the right, select Open connector page.
On the Instructions tab, in the Configuration area, enter the following details:
- Organization Name: Enter the name of the organization whose logs you want to connect to.
- API Key: Enter the GitHub personal access token you created earlier in this procedure.
Select Connect to start ingesting your GitHub logs to Microsoft Sentinel.
Google Workspace (G-Suite) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API. See Extra configuration for the Google Reports API. |
Log Analytics table(s) | GWorkspace_ReportsAPI_admin_CL GWorkspace_ReportsAPI_calendar_CL GWorkspace_ReportsAPI_drive_CL GWorkspace_ReportsAPI_login_CL GWorkspace_ReportsAPI_mobile_CL GWorkspace_ReportsAPI_token_CL GWorkspace_ReportsAPI_user_accounts_CL |
DCR support | Not currently supported |
Azure Function App code | https://aka.ms/Sentinel-GWorkspaceReportsAPI-functionapp |
API credentials | |
Vendor documentation/ installation instructions |
|
Connector deployment instructions | |
Kusto function alias | GWorkspaceActivityReports |
Kusto function URL/ Parser config instructions |
https://aka.ms/Sentinel-GWorkspaceReportsAPI-parser |
Application settings | |
Supported by | Microsoft |
Extra configuration for the Google Reports API
Add http://localhost:8081/ under Authorized redirect URIs while creating Web application credentials.
- Follow the instructions to obtain the credentials.json.
- To get the Google pickle string, run this Python script (in the same path as credentials.json).
- Copy the pickle string output in single quotes and save. It will be needed for deploying the Function App.
Illusive Attack Management System (AMS) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions |
Illusive Networks Admin Guide |
Supported by | Illusive Networks |
Imperva WAF Gateway (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog Available in the Imperva Cloud WAF solution |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions |
Steps for Enabling Imperva WAF Gateway Alert Logging to Microsoft Sentinel |
Supported by | Imperva |
Infoblox Network Identity Operating System (NIOS) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Syslog. Available in the Infoblox Threat Defense solution. |
Log Analytics table(s) | Syslog |
DCR support | Workspace transformation DCR |
Kusto function alias: | InfobloxNIOS |
Kusto function URL: | https://aka.ms/sentinelgithubparsersinfoblox |
Vendor documentation/ installation instructions |
NIOS SNMP and Syslog Deployment Guide |
Supported by | Microsoft |
Juniper SRX (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Syslog |
Log Analytics table(s) | Syslog |
DCR support | Workspace transformation DCR |
Kusto function alias: | JuniperSRX |
Kusto function URL: | https://aka.ms/Sentinel-junipersrx-parser |
Vendor documentation/ installation instructions |
Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices; Configure System Logging |
Supported by | Juniper Networks |
Lookout Mobile Threat Defense (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API. Only available after installing the Lookout Mobile Threat Defense for Microsoft Sentinel solution. |
Log Analytics table(s) | Lookout_CL |
DCR support | Not currently supported |
API credentials | |
Vendor documentation/ installation instructions |
|
Supported by | Lookout |
Microsoft 365 Defender
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Connect data from Microsoft 365 Defender to Microsoft Sentinel (Top connector article) |
License prerequisites/ Cost information |
Valid license for Microsoft 365 Defender |
Log Analytics table(s) | Alerts: SecurityAlert, SecurityIncident. Defender for Endpoint events: DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceInfo, DeviceLogonEvents, DeviceNetworkEvents, DeviceNetworkInfo, DeviceProcessEvents, DeviceRegistryEvents, DeviceFileCertificateInfo. Defender for Office 365 events: EmailAttachmentInfo, EmailUrlInfo, EmailEvents, EmailPostDeliveryEvents. Defender for Identity events: IdentityDirectoryEvents, IdentityInfo, IdentityLogonEvents, IdentityQueryEvents. Defender for Cloud Apps events: CloudAppEvents. Defender alerts as events: AlertInfo, AlertEvidence |
DCR support | Not currently supported |
Supported by | Microsoft |
Microsoft Purview Insider Risk Management (IRM) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: API-based connections. Also available in the Microsoft Purview Insider Risk Management solution. |
License and other prerequisites |
|
Log Analytics table(s) | SecurityAlert |
Data query filter | SecurityAlert | where ProductName == "Microsoft Purview Insider Risk Management" |
Supported by | Microsoft |
Microsoft Defender for Cloud
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Connect security alerts from Microsoft Defender for Cloud (Top connector article) |
Log Analytics table(s) | SecurityAlert |
Supported by | Microsoft |
Microsoft Defender for Cloud Apps
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: API-based connections. For Cloud Discovery logs, enable Microsoft Sentinel as your SIEM in Microsoft Defender for Cloud Apps. |
Log Analytics table(s) | SecurityAlert (for alerts); McasShadowItReporting (for Cloud Discovery logs) |
Supported by | Microsoft |
Microsoft Defender for Endpoint
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: API-based connections |
License prerequisites/ Cost information |
Valid license for Microsoft Defender for Endpoint deployment |
Log Analytics table(s) | SecurityAlert |
DCR support | Workspace transformation DCR |
Supported by | Microsoft |
Microsoft Defender for Identity
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: API-based connections |
Log Analytics table(s) | SecurityAlert |
DCR support | Workspace transformation DCR |
Supported by | Microsoft |
Microsoft Defender for IoT
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: API-based connections |
Log Analytics table(s) | SecurityAlert |
DCR support | Workspace transformation DCR |
Supported by | Microsoft |
Microsoft Defender for Office 365
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: API-based connections |
License prerequisites/ Cost information |
You must have a valid license for Office 365 ATP Plan 2 |
Log Analytics table(s) | SecurityAlert |
DCR support | Workspace transformation DCR |
Supported by | Microsoft |
Microsoft Office 365
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: API-based connections |
License prerequisites/ Cost information |
Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace. Other charges may apply. |
Log Analytics table(s) | OfficeActivity |
DCR support | Workspace transformation DCR |
Supported by | Microsoft |
Microsoft Power BI (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: API-based connections |
License prerequisites/ Cost information |
Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace. Other charges may apply. |
Log Analytics table(s) | PowerBIActivity |
Supported by | Microsoft |
Microsoft Project (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: API-based connections |
License prerequisites/ Cost information |
Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace. Other charges may apply. |
Log Analytics table(s) | ProjectActivity |
Supported by | Microsoft |
Microsoft Purview Information Protection (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: API-based connections |
License prerequisites/ Cost information |
Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace. Other charges may apply. |
Log Analytics table(s) | MicrosoftPurviewInformationProtection |
Supported by | Microsoft |
Microsoft Sysmon for Linux (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Syslog, with ASIM parsers based on Kusto functions |
Log Analytics table(s) | Syslog |
DCR support | Workspace transformation DCR |
Supported by | Microsoft |
Morphisec UTPP (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog, with a Kusto function parser |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Kusto function alias: | Morphisec |
Kusto function URL | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Parsers/Morphisec/ |
Supported by | Morphisec |
Netskope (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API |
Log Analytics table(s) | Netskope_CL |
DCR support | Not currently supported |
Azure Function App code | https://aka.ms/Sentinel-netskope-functioncode |
API credentials | |
Vendor documentation/ installation instructions |
|
Connector deployment instructions | |
Kusto function alias | Netskope |
Kusto function URL/ Parser config instructions |
https://aka.ms/Sentinel-netskope-parser |
Application settings | https://<Tenant Name>.goskope.com ) |
Supported by | Microsoft |
NGINX HTTP Server (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Log Analytics agent - custom logs |
Log Analytics table(s) | NGINX_CL |
DCR support | Not currently supported |
Kusto function alias: | NGINXHTTPServer |
Kusto function URL | https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NGINX%20HTTP%20Server/Parsers/NGINXHTTPServer.txt |
Vendor documentation/ installation instructions |
Module ngx_http_log_module |
Custom log sample file: | access.log or error.log |
Supported by | Microsoft |
NXLog Basic Security Module (BSM) macOS (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API |
Log Analytics table(s) | BSMmacOS_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions |
NXLog Microsoft Sentinel User Guide |
Supported by | NXLog |
NXLog DNS Logs (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API |
Log Analytics table(s) | DNS_Logs_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions |
NXLog Microsoft Sentinel User Guide |
Supported by | NXLog |
NXLog LinuxAudit (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API |
Log Analytics table(s) | LinuxAudit_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions |
NXLog Microsoft Sentinel User Guide |
Supported by | NXLog |
Okta Single Sign-On (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API |
Log Analytics table(s) | Okta_CL |
DCR support | Not currently supported |
Azure Function App code | https://aka.ms/sentineloktaazurefunctioncodev2 |
API credentials | |
Vendor documentation/ installation instructions |
|
Connector deployment instructions | |
Application settings | https://<OktaDomain>/api/v1/logs?since= . Identify your domain namespace.) |
Supported by | Microsoft |
Onapsis Platform (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog, with a Kusto lookup and enrichment function. See Configure Onapsis to send CEF logs to the log forwarder. |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Kusto function alias: | incident_lookup |
Kusto function URL | https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Onapsis%20Platform/Parsers/OnapsisLookup.txt |
Supported by | Onapsis |
Configure Onapsis to send CEF logs to the log forwarder
Refer to the Onapsis in-product help to set up log forwarding to the Log Analytics agent.
- Go to Setup > Third-party integrations > Defend Alarms and follow the instructions for Microsoft Sentinel.
- Make sure your Onapsis Console can reach the log forwarder machine where the agent is installed. Logs should be sent to port 514 using TCP.
One Identity Safeguard (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions |
One Identity Safeguard for Privileged Sessions Administration Guide |
Supported by | One Identity |
Oracle WebLogic Server (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Log Analytics agent - custom logs |
Log Analytics table(s) | OracleWebLogicServer_CL |
DCR support | Not currently supported |
Kusto function alias: | OracleWebLogicServerEvent |
Kusto function URL: | https://aka.ms/Sentinel-OracleWebLogicServer-parser |
Vendor documentation/ installation instructions |
Oracle WebLogic Server documentation |
Custom log sample file: | server.log |
Supported by | Microsoft |
Orca Security (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API |
Log Analytics table(s) | OrcaAlerts_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions |
Microsoft Sentinel integration |
Supported by | Orca Security |
OSSEC (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog, with a Kusto function parser |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Kusto function alias: | OSSECEvent |
Kusto function URL: | https://aka.ms/Sentinel-OSSEC-parser |
Vendor documentation/ installation instructions |
OSSEC documentation Sending alerts via syslog |
Supported by | Microsoft |
Palo Alto Networks
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog. Also available in the Palo Alto PAN-OS and Prisma solutions. |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions |
Common Event Format (CEF) Configuration Guides; Configure Syslog Monitoring |
Supported by | Palo Alto Networks |
Perimeter 81 Activity Logs (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API |
Log Analytics table(s) | Perimeter81_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions |
Perimeter 81 documentation |
Supported by | Perimeter 81 |
Proofpoint On Demand (POD) Email Security (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API. Also available in the Proofpoint POD solution. |
Log Analytics table(s) | ProofpointPOD_message_CL ProofpointPOD_maillog_CL |
DCR support | Not currently supported |
Azure Function App code | https://aka.ms/Sentinel-proofpointpod-functionapp |
API credentials | |
Vendor documentation/ installation instructions |
|
Connector deployment instructions | |
Kusto function alias | ProofpointPOD |
Kusto function URL/ Parser config instructions |
https://aka.ms/Sentinel-proofpointpod-parser |
Application settings | |
Supported by | Microsoft |
Proofpoint Targeted Attack Protection (TAP) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API. Also available in the Proofpoint TAP solution. |
Log Analytics table(s) | ProofPointTAPClicksPermitted_CL ProofPointTAPClicksBlocked_CL ProofPointTAPMessagesDelivered_CL ProofPointTAPMessagesBlocked_CL |
DCR support | Not currently supported |
Azure Function App code | https://aka.ms/sentinelproofpointtapazurefunctioncode |
API credentials | |
Vendor documentation/ installation instructions |
|
Connector deployment instructions | |
Application settings | https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=300 ) |
Supported by | Microsoft |
Pulse Connect Secure (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Syslog |
Log Analytics table(s) | Syslog |
DCR support | Workspace transformation DCR |
Kusto function alias: | PulseConnectSecure |
Kusto function URL: | https://aka.ms/sentinelgithubparserspulsesecurevpn |
Vendor documentation/ installation instructions |
Configuring Syslog |
Supported by | Microsoft |
Qualys VM KnowledgeBase (KB) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API. See Extra configuration for the Qualys VM KB. Also available in the Qualys VM solution. |
Log Analytics table(s) | QualysKB_CL |
DCR support | Not currently supported |
Azure Function App code | https://aka.ms/Sentinel-qualyskb-functioncode |
API credentials | |
Vendor documentation/ installation instructions |
|
Connector deployment instructions | |
Kusto function alias | QualysKB |
Kusto function URL/ Parser config instructions |
https://aka.ms/Sentinel-qualyskb-parser |
Application settings | https://<API Server>/api/2.0 .& . No spaces.) |
Supported by | Microsoft |
Extra configuration for the Qualys VM KB
- Log into the Qualys Vulnerability Management console with an administrator account, select the Users tab and the Users subtab.
- Select the New drop-down menu and select Users.
- Create a username and password for the API account.
- In the User Roles tab, ensure the account role is set to Manager and access is allowed to GUI and API.
- Sign out of the administrator account and sign into the console with the new API credentials for validation, then sign out of the API account.
- Log back into the console using an administrator account and modify the API account's User Roles, removing access to GUI.
- Save all changes.
Qualys Vulnerability Management (VM) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API. See Extra configuration for the Qualys VM and Manual deployment - after configuring the Function App. |
Log Analytics table(s) | QualysHostDetection_CL |
DCR support | Not currently supported |
Azure Function App code | https://aka.ms/sentinelqualysvmazurefunctioncode |
API credentials | |
Vendor documentation/ installation instructions |
|
Connector deployment instructions | |
Application settings | https://<API Server>/api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after= .& . No spaces.) |
Supported by | Microsoft |
Extra configuration for the Qualys VM
- Log into the Qualys Vulnerability Management console with an administrator account, select the Users tab and the Users subtab.
- Select the New drop-down menu and select Users.
- Create a username and password for the API account.
- In the User Roles tab, ensure the account role is set to Manager and access is allowed to GUI and API.
- Sign out of the administrator account and log into the console with the new API credentials for validation, then sign out of the API account.
- Log back into the console using an administrator account and modify the API account's User Roles, removing access to GUI.
- Save all changes.
Manual deployment - after configuring the Function App
Configure the host.json file
Because a potentially large amount of Qualys host detection data is ingested, execution time can exceed the default Function App timeout of five minutes. Increase the timeout to the maximum of 10 minutes allowed under the Consumption Plan to give the Function App more time to execute.
- In the Function App, select the Function App Name and select the App Service Editor page.
- Select Go to open the editor, then select the host.json file under the wwwroot directory.
- Add the line "functionTimeout": "00:10:00", above the managedDependency line.
- Ensure SAVED appears on the top-right corner of the editor, then exit the editor.
If a longer timeout duration is required, consider upgrading to an App Service Plan.
Salesforce Service Cloud (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API |
Log Analytics table(s) | SalesforceServiceCloud_CL |
DCR support | Not currently supported |
Azure Function App code | https://aka.ms/Sentinel-SalesforceServiceCloud-functionapp |
API credentials | |
Vendor documentation/ installation instructions |
Salesforce REST API Developer Guide. Under Set up authorization, use the Session ID method instead of OAuth. |
Connector deployment instructions | |
Kusto function alias | SalesforceServiceCloud |
Kusto function URL/ Parser config instructions |
https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Salesforce%20Service%20Cloud/Parsers/SalesforceServiceCloud.txt |
Application settings | |
Supported by | Microsoft |
Security events via Legacy Agent (Windows)
Important
The Log Analytics agent will be retired on 31 August, 2024. If you are using the Log Analytics agent in your Microsoft Sentinel deployment, we recommend that you start planning your migration to the AMA. For more information, see AMA migration for Microsoft Sentinel.
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Log Analytics agent-based connections (Legacy) |
Log Analytics table(s) | SecurityEvents |
DCR support | Workspace transformation DCR |
Supported by | Microsoft |
For more information, see:
- Windows security event sets that can be sent to Microsoft Sentinel
- Insecure protocols workbook setup
- Windows Security Events via AMA connector based on Azure Monitor Agent (AMA)
- Configure the Security events / Windows Security Events connector for anomalous RDP login detection.
SentinelOne (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API; see Extra configuration for SentinelOne |
Log Analytics table(s) | SentinelOne_CL |
DCR support | Not currently supported |
Azure Function App code | https://aka.ms/Sentinel-SentinelOneAPI-functionapp |
API credentials | https://<SOneInstanceDomain>.sentinelone.net |
Vendor documentation/ installation instructions | <SOneInstanceDomain>.sentinelone.net/api-doc/overview |
Connector deployment instructions | |
Kusto function alias | SentinelOne |
Kusto function URL/ Parser config instructions | https://aka.ms/Sentinel-SentinelOneAPI-parser |
Application settings | |
Supported by | Microsoft |
Extra configuration for SentinelOne
Follow the instructions to obtain the credentials.
- Sign in to the SentinelOne Management Console with Admin user credentials.
- In the Management Console, select Settings.
- In the SETTINGS view, select USERS.
- Select New User.
- Enter the information for the new console user.
- In Role, select Admin.
- Select SAVE.
- Save the credentials of the new user for use in the data connector.
SonicWall Firewall (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions | Log > Syslog. Select facility local4 and ArcSight as the Syslog format. |
Supported by | SonicWall |
Sophos Cloud Optix (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API |
Log Analytics table(s) | SophosCloudOptix_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions | Integrate with Microsoft Sentinel, skipping the first step. Sophos query samples |
Supported by | Sophos |
Sophos XG Firewall (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Syslog |
Log Analytics table(s) | Syslog |
DCR support | Workspace transformation DCR |
Kusto function alias | SophosXGFirewall |
Kusto function URL | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Sophos%20XG%20Firewall/Parsers/SophosXGFirewall.txt |
Vendor documentation/ installation instructions | Add a syslog server |
Supported by | Microsoft |
Squadra Technologies secRMM
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API |
Log Analytics table(s) | secRMM_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions | secRMM Microsoft Sentinel Administrator Guide |
Supported by | Squadra Technologies |
Squid Proxy (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Log Analytics agent - custom logs |
Log Analytics table(s) | SquidProxy_CL |
DCR support | Not currently supported |
Kusto function alias | SquidProxy |
Kusto function URL | https://aka.ms/Sentinel-squidproxy-parser |
Custom log sample file | access.log or cache.log |
Supported by | Microsoft |
Symantec Integrated Cyber Defense Exchange (ICDx)
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API |
Log Analytics table(s) | SymantecICDx_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions | Configuring Microsoft Sentinel (Log Analytics) Forwarders |
Supported by | Broadcom Symantec |
Symantec ProxySG (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Syslog |
Log Analytics table(s) | Syslog |
DCR support | Workspace transformation DCR |
Kusto function alias | SymantecProxySG |
Kusto function URL | https://aka.ms/sentinelgithubparserssymantecproxysg |
Vendor documentation/ installation instructions | Sending Access Logs to a Syslog server |
Supported by | Microsoft |
Symantec VIP (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Syslog |
Log Analytics table(s) | Syslog |
DCR support | Workspace transformation DCR |
Kusto function alias | SymantecVIP |
Kusto function URL | https://aka.ms/sentinelgithubparserssymantecvip |
Vendor documentation/ installation instructions | Configuring syslog |
Supported by | Microsoft |
Thycotic Secret Server (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions | Secure Syslog/CEF Logging |
Supported by | Thycotic |
Trend Micro Deep Security
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog, with a Kusto function parser |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Kusto function alias | TrendMicroDeepSecurity |
Kusto function URL | https://aka.ms/TrendMicroDeepSecurityFunction |
Vendor documentation/ installation instructions | Forward Deep Security events to a Syslog or SIEM server |
Supported by | Trend Micro |
Trend Micro TippingPoint (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog, with a Kusto function parser |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Kusto function alias | TrendMicroTippingPoint |
Kusto function URL | https://aka.ms/Sentinel-trendmicrotippingpoint-function |
Vendor documentation/ installation instructions | Send Syslog messages in ArcSight CEF Format v4.2. |
Supported by | Trend Micro |
Trend Micro Vision One (XDR) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API |
Log Analytics table(s) | TrendMicro_XDR_CL |
DCR support | Not currently supported |
API credentials | |
Vendor documentation/ installation instructions | |
Connector deployment instructions | Single-click deployment via Azure Resource Manager (ARM) template |
Supported by | Trend Micro |
VMware Carbon Black Endpoint Standard (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API |
Log Analytics table(s) | CarbonBlackEvents_CL, CarbonBlackAuditLogs_CL, CarbonBlackNotifications_CL |
DCR support | Not currently supported |
Azure Function App code | https://aka.ms/sentinelcarbonblackazurefunctioncode |
API credentials | API access level (for Audit and Event logs); SIEM access level (for Notification events) |
Vendor documentation/ installation instructions | |
Connector deployment instructions | |
Application settings | https://<API URL>.conferdeploy.net |
Supported by | Microsoft |
VMware ESXi (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Syslog |
Log Analytics table(s) | Syslog |
DCR support | Workspace transformation DCR |
Kusto function alias | VMwareESXi |
Kusto function URL | https://aka.ms/Sentinel-vmwareesxi-parser |
Vendor documentation/ installation instructions | Enabling syslog on ESXi 3.5 and 4.x; Configure Syslog on ESXi Hosts |
Supported by | Microsoft |
WatchGuard Firebox (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Syslog |
Log Analytics table(s) | Syslog |
DCR support | Workspace transformation DCR |
Kusto function alias | WatchGuardFirebox |
Kusto function URL | https://aka.ms/Sentinel-watchguardfirebox-parser |
Vendor documentation/ installation instructions | Microsoft Sentinel Integration Guide |
Supported by | WatchGuard Technologies |
WireX Network Forensics Platform (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions |
Contact WireX support in order to configure your NFP solution to send Syslog messages in CEF format. |
Supported by | WireX Systems |
Windows DNS Events via AMA (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Azure Monitor Agent-based connections |
Log Analytics table(s) | DnsEvents, DnsInventory |
DCR support | Standard DCR |
Supported by | Microsoft |
Windows DNS Server (Preview)
Important
The Log Analytics agent will be retired on 31 August, 2024. If you are using the Log Analytics agent in your Microsoft Sentinel deployment, we recommend that you start planning your migration to the AMA. For more information, see AMA migration for Microsoft Sentinel.
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Log Analytics agent-based connections (Legacy) |
Log Analytics table(s) | DnsEvents, DnsInventory |
DCR support | Workspace transformation DCR |
Supported by | Microsoft |
Troubleshooting your Windows DNS Server data connector
If your DNS events don't show up in Microsoft Sentinel:
- Make sure that DNS analytics logs on your servers are enabled.
- Go to Azure DNS Analytics.
- In the Configuration area, change any of the settings and save your changes. Change your settings back if you need to, and then save your changes again.
- Check your Azure DNS Analytics to make sure that your events and queries display properly.
For more information, see Gather insights about your DNS infrastructure with the DNS Analytics Preview solution.
Windows Forwarded Events (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Azure Monitor Agent-based connections; see Additional instructions for deploying the Windows Forwarded Events connector |
Prerequisites | You must have Windows Event Collection (WEC) enabled and running. Install the Azure Monitor Agent on the WEC machine. |
xPath queries prefix | "ForwardedEvents!*" |
Log Analytics table(s) | WindowsEvents |
DCR support | Standard DCR |
Supported by | Microsoft |
Additional instructions for deploying the Windows Forwarded Events connector
We recommend installing the Advanced Security Information Model (ASIM) parsers to ensure full support for data normalization. You can deploy these parsers from the Azure-Sentinel GitHub repository using the Deploy to Azure button there.
Windows Firewall
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Log Analytics agent-based connections (Legacy) |
Log Analytics table(s) | WindowsFirewall |
Supported by | Microsoft |
Windows Security Events via AMA
Connector attribute | Description |
---|---|
Data ingestion method | Azure service-to-service integration: Azure Monitor Agent-based connections |
xPath queries prefix | "Security!*" |
Log Analytics table(s) | SecurityEvents |
DCR support | Standard DCR |
Supported by | Microsoft |
See also:
- Windows DNS Events via AMA connector (Preview): Uses the Azure Monitor Agent to stream and filter events from Windows Domain Name System (DNS) server logs.
- Security events via legacy agent connector.
Configure the Security events / Windows Security Events connector for anomalous RDP login detection
Important
Anomalous RDP login detection is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
Microsoft Sentinel can apply machine learning (ML) to Security events data to identify anomalous Remote Desktop Protocol (RDP) login activity. Scenarios include:
- Unusual IP: the IP address has rarely or never been observed in the last 30 days.
- Unusual geo-location: the IP address, city, country, and ASN have rarely or never been observed in the last 30 days.
- New user: a new user logs in from an IP address and geo-location, either or both of which were not expected based on data from the prior 30 days.
Configuration instructions
You must be collecting RDP login data (Event ID 4624) through the Security events or Windows Security Events data connectors. Make sure you have selected an event set besides "None", or created a data collection rule that includes this event ID, to stream into Microsoft Sentinel.
From the Microsoft Sentinel portal, select Analytics, and then select the Rule templates tab. Choose the (Preview) Anomalous RDP Login Detection rule, and move the Status slider to Enabled.
Note
As the machine learning algorithm requires 30 days' worth of data to build a baseline profile of user behavior, you must allow 30 days of Windows Security events data to be collected before any incidents can be detected.
Workplace from Facebook (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API; see Configure Webhooks and Add Callback URL to Webhook configuration |
Log Analytics table(s) | Workplace_Facebook_CL |
DCR support | Not currently supported |
Azure Function App code | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Workplace%20from%20Facebook/Data%20Connectors/WorkplaceFacebook/WorkplaceFacebookWebhooksSentinelConn.zip |
API credentials | |
Vendor documentation/ installation instructions | |
Connector deployment instructions | |
Kusto function alias | Workplace_Facebook |
Kusto function URL/ Parser config instructions | https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Workplace%20from%20Facebook/Parsers/Workplace_Facebook.txt |
Application settings | |
Supported by | Microsoft |
Configure Webhooks
- Sign in to Workplace with Admin user credentials.
- In the Admin panel, select Integrations.
- In the All integrations view, select Create custom integration.
- Enter the name and description and select Create.
- In the Integration details panel, reveal the App secret and copy it.
- In the Integration permissions panel, set all read permissions. Refer to the permissions page for details.
Add Callback URL to Webhook configuration
- Open your Function App's page, go to the Functions list, select Get Function URL, and copy it.
- Go back to Workplace from Facebook. In the Configure webhooks panel, on each Tab set the Callback URL as the Function URL you copied in the last step, and the Verify token as the same value you received during automatic deployment, or entered during manual deployment.
- Select Save.
Zimperium Mobile Threat Defense (Preview)
Zimperium Mobile Threat Defense data connector connects the Zimperium threat log to Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This connector gives you more insight into your organization's mobile threat landscape and enhances your security operation capabilities.
For more information, see Connect Zimperium to Microsoft Sentinel.
Connector attribute | Description |
---|---|
Data ingestion method | Microsoft Sentinel Data Collector API; see Configure and connect Zimperium MTD |
Log Analytics table(s) | ZimperiumThreatLog_CL, ZimperiumMitigationLog_CL |
DCR support | Not currently supported |
Vendor documentation/ installation instructions | Zimperium customer support portal (sign-in required) |
Supported by | Zimperium |
Configure and connect Zimperium MTD
- In zConsole, select Manage on the navigation bar.
- Select the Integrations tab.
- Select the Threat Reporting button and then the Add Integrations button.
- Create the Integration:
  - From the available integrations, select Microsoft Sentinel.
  - Enter your workspace ID and primary key, then select Next.
  - Fill in a name for your Microsoft Sentinel integration.
  - Select a Filter Level for the threat data you wish to push to Microsoft Sentinel.
  - Select Finish.
Zoom Reports (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Azure Functions and the REST API |
Log Analytics table(s) | Zoom_CL |
DCR support | Not currently supported |
Azure Function App code | https://aka.ms/Sentinel-ZoomAPI-functionapp |
API credentials | |
Vendor documentation/ installation instructions | |
Connector deployment instructions | |
Kusto function alias | Zoom |
Kusto function URL/ Parser config instructions | https://aka.ms/Sentinel-ZoomAPI-parser |
Application settings | |
Supported by | Microsoft |
Zscaler
Connector attribute | Description |
---|---|
Data ingestion method | Common Event Format (CEF) over Syslog |
Log Analytics table(s) | CommonSecurityLog |
DCR support | Workspace transformation DCR |
Vendor documentation/ installation instructions | Zscaler and Microsoft Sentinel Deployment Guide |
Supported by | Zscaler |
Zscaler Private Access (ZPA) (Preview)
Connector attribute | Description |
---|---|
Data ingestion method | Log Analytics agent - custom logs; see Extra configuration for Zscaler Private Access |
Log Analytics table(s) | ZPA_CL |
DCR support | Not currently supported |
Kusto function alias | ZPAEvent |
Kusto function URL | https://aka.ms/Sentinel-zscalerprivateaccess-parser |
Vendor documentation/ installation instructions | Zscaler Private Access documentation; also, see below |
Supported by | Microsoft |
Extra configuration for Zscaler Private Access
Follow the configuration steps below to get Zscaler Private Access logs into Microsoft Sentinel. For more information, see the Azure Monitor Documentation. Zscaler Private Access logs are delivered via Log Streaming Service (LSS). Refer to LSS documentation for detailed information.
- Configure Log Receivers. While configuring a Log Receiver, choose JSON as the Log Template.
- Download the config file zpa.conf:
wget -v https://aka.ms/sentinel-zscalerprivateaccess-conf -O zpa.conf
- Sign in to the server where you have installed the Azure Log Analytics agent.
- Copy zpa.conf to the /etc/opt/microsoft/omsagent/<workspace_id>/conf/omsagent.d/ folder.
- Edit zpa.conf as follows:
  - Specify the port that you have set your Zscaler Log Receivers to forward logs to (line 4).
  - Replace workspace_id with the real value of your Workspace ID (lines 14, 15, 16, 19).
- Save your changes and restart the Azure Log Analytics agent for Linux service with the following command:
sudo /opt/microsoft/omsagent/bin/service_control restart
You can find the value of your workspace ID on the Zscaler Private Access connector page or on your Log Analytics workspace's agents management page.
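Editing zpa.conf by hand on a log collector is where a missed placeholder or a typo in the workspace GUID silently stops ingestion. The following is an added example (not Zscaler's or Microsoft's code) that renders the template the way the steps above describe: it sets the listener port on line 4, substitutes every workspace_id placeholder, and refuses to emit a file that still contains one or whose workspace ID is not a GUID. The template text is a constructed stand-in for the downloaded zpa.conf, laid out to match the line numbers the page cites; its directive names and the helper names are assumptions.

```python
"""Render the zpa.conf template for the Log Analytics agent (added example)."""
import re
from typing import List

# Constructed stand-in for the zpa.conf template downloaded in the steps
# above: the listener port sits on line 4 and the workspace_id placeholder on
# lines 14, 15, 16 and 19, matching the line numbers the page cites. The
# directive names follow fluentd/OMS agent conventions, but this file is an
# assumption, not the real template.
SAMPLE_ZPA_CONF = """<source>
  type tcp
  format json
  port 22033
  tag oms.api.ZPA
</source>

<match oms.api.ZPA>
  type out_oms_api
  log_level info
  num_threads 5
  run_in_background false
  buffer_type file
  omsadmin_conf_path /etc/opt/microsoft/omsagent/workspace_id/conf/omsadmin.conf
  cert_path /etc/opt/microsoft/omsagent/workspace_id/certs/oms.crt
  key_path /etc/opt/microsoft/omsagent/workspace_id/certs/oms.key
  buffer_chunk_limit 5m
  buffer_queue_limit 10
  buffer_path /var/opt/microsoft/omsagent/workspace_id/state/out_oms_api_zpa*.buffer
</match>
"""

PLACEHOLDER = "workspace_id"
PORT_LINE = 4  # 1-based line number of the port directive, per the page
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
PORT_RE = re.compile(r"^(\s*port\s+)(\d+)\s*$")


def is_valid_workspace_id(workspace_id: str) -> bool:
    """A Log Analytics workspace ID is a GUID; refuse anything else."""
    return bool(GUID_RE.match(workspace_id))


def listener_port(conf_text: str) -> int:
    """Port configured on line 4 of the conf text."""
    match = PORT_RE.match(conf_text.splitlines()[PORT_LINE - 1])
    if not match:
        raise ValueError(f"line {PORT_LINE} is not a port directive")
    return int(match.group(2))


def placeholder_lines(conf_text: str) -> List[int]:
    """1-based line numbers that still contain the workspace_id placeholder."""
    return [n for n, line in enumerate(conf_text.splitlines(), 1) if PLACEHOLDER in line]


def render_zpa_conf(template: str, workspace_id: str, port: int) -> str:
    """Return the template with the port set and every placeholder replaced."""
    if not is_valid_workspace_id(workspace_id):
        raise ValueError("workspace_id must be the workspace GUID")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    lines = template.splitlines()
    match = PORT_RE.match(lines[PORT_LINE - 1])
    if not match:
        raise ValueError(f"line {PORT_LINE} is not a port directive")
    lines[PORT_LINE - 1] = f"{match.group(1)}{port}"
    rendered = "\n".join(line.replace(PLACEHOLDER, workspace_id) for line in lines) + "\n"
    if placeholder_lines(rendered):
        raise ValueError("placeholder still present after rendering")
    return rendered


def install_path(workspace_id: str) -> str:
    """Where the rendered file belongs on the agent host, per the steps above."""
    return f"/etc/opt/microsoft/omsagent/{workspace_id}/conf/omsagent.d/zpa.conf"


if __name__ == "__main__":
    # Constructed workspace ID and port for illustration only.
    print(render_zpa_conf(SAMPLE_ZPA_CONF, "12345678-1234-1234-1234-123456789abc", 5514))
```

After writing the rendered text to install_path(workspace_id), restart the agent with the service_control command above; the port you pass must match the one configured on the Zscaler Log Receiver, and the collector's host firewall has to allow inbound TCP on it from the Log Receiver only.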
Next steps
For more information, see:
- Solutions catalog for Microsoft Sentinel in the Azure Marketplace
- Microsoft Sentinel solution catalog
- Threat intelligence integration in Microsoft Sentinel