Find your Microsoft Sentinel data connector

This article lists all supported, out-of-the-box data connectors and links to each connector's deployment steps.

Important

Data connectors are available as part of the following offerings:

  • Solutions: Many data connectors are deployed as part of a Microsoft Sentinel solution together with related content like analytics rules, workbooks, and playbooks. For more information, see the Microsoft Sentinel solutions catalog.

  • Community connectors: More data connectors are provided by the Microsoft Sentinel community and can be found in the Azure Marketplace. Documentation for community data connectors is the responsibility of the organization that created the connector.

  • Custom connectors: If you have a data source that isn't listed or currently supported, you can also create your own, custom connector. For more information, see Resources for creating Microsoft Sentinel custom connectors.

Note

For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.

Data connector prerequisites

Each data connector has its own set of prerequisites. Prerequisites might include that you must have specific permissions on your Azure workspace, subscription, or policy. Or, you must meet other requirements for the partner data source you're connecting to.

Prerequisites for each data connector are listed on the relevant data connector page in Microsoft Sentinel.

Azure Monitor agent (AMA) based data connectors require an internet connection from the system where the agent is installed. Enable port 443 outbound to allow a connection between the system where the agent is installed and Microsoft Sentinel.

Syslog and Common Event Format (CEF) connectors

Log collection from many security appliances and devices is supported by the Syslog via AMA and Common Event Format (CEF) via AMA data connectors in Microsoft Sentinel. To forward data to your Log Analytics workspace for Microsoft Sentinel, complete the steps in Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent. These steps include installing the Microsoft Sentinel solution for a security appliance or device from the Content hub in Microsoft Sentinel. Then, configure the Syslog via AMA or Common Event Format (CEF) via AMA data connector that's appropriate for the Microsoft Sentinel solution you installed. Complete the setup by configuring the security device or appliance. Find instructions to configure your security device or appliance in one of the following articles:

Contact the solution provider for more information or where information is unavailable for the appliance or device.

Custom Logs via AMA connector

Filter and ingest logs in text-file format from network or security applications installed on Windows or Linux machines by using the Custom Logs via AMA connector in Microsoft Sentinel. For more information, see the following articles:

Sentinel data connectors

Note

The following table lists the data connectors that are available in the Microsoft Sentinel Content hub. The connectors are supported by the product vendor. For support, see the link in the Supported by column in the following table.

1Password (Serverless)

Supported by: 1Password

The 1Password CCF connector allows the user to ingest 1Password Audit, Signin & ItemUsage events into Microsoft Sentinel.

Log Analytics table(s):

Table                     DCR support   Lake-only ingestion
OnePasswordEventLogs_CL   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • 1Password API token: A 1Password API Token is required. See the 1Password documentation on how to create an API token.


1Password (using Azure Functions)

Supported by: 1Password

The 1Password solution for Microsoft Sentinel enables you to ingest sign-in attempts, item usage, and audit events from your 1Password Business account using the 1Password Events Reporting API. This allows you to monitor and investigate events in 1Password in Microsoft Sentinel along with the other applications and services your organization uses.

Underlying Microsoft Technologies used:

This solution depends on the following technologies, some of which may be in Preview state or may incur additional ingestion or operational costs:

Log Analytics table(s):

Table                     DCR support   Lake-only ingestion
OnePasswordEventLogs_CL   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • 1Password Events API Token: A 1Password Events API Token is required. For more information, see the 1Password API.

Note: A 1Password Business account is required


AbnormalSecurity (using Azure Function)

Supported by: Abnormal Security

The Abnormal Security data connector provides the capability to ingest threat and case logs into Microsoft Sentinel using the Abnormal Security Rest API.

Log Analytics table(s):

Table                         DCR support   Lake-only ingestion
ABNORMAL_THREAT_MESSAGES_CL   No            No
ABNORMAL_CASES_CL             No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • Abnormal Security API Token: An Abnormal Security API Token is required. For more information, see Abnormal Security API. Note: An Abnormal Security account is required.


AIShield

Supported by: AIShield

The AIShield connector allows users to connect AIShield custom defense mechanism logs to Microsoft Sentinel, allowing the creation of dynamic dashboards, workbooks, notebooks and tailored alerts to improve investigation and thwart attacks on AI systems. It gives users more insight into the security posture of their organization's AI assets and improves their AI systems security operation capabilities. AIShield.GuArdIan analyzes LLM-generated content to identify and mitigate harmful content, safeguarding against legal, policy, role-based, and usage-based violations.

Log Analytics table(s):

Table         DCR support   Lake-only ingestion
AIShield_CL   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Note: Users must have used the AIShield SaaS offering to conduct vulnerability analysis and deployed the custom defense mechanisms generated along with their AI asset. See the AIShield documentation to learn more or get in touch.


Alibaba Cloud ActionTrail (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Alibaba Cloud ActionTrail data connector provides the capability to retrieve actiontrail events stored into Alibaba Cloud Simple Log Service and store them into Microsoft Sentinel through the SLS REST API. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

Table                        DCR support   Lake-only ingestion
AliCloudActionTrailLogs_CL   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • SLS REST API Credentials/permissions: AliCloudAccessKeyId and AliCloudAccessKeySecret are required for making API calls. A RAM policy statement with the action of at least log:GetLogStoreLogs over the resource acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logstore/{#LogstoreName} is needed to grant a RAM user the permissions to call this operation.


AliCloud (using Azure Functions)

Supported by: Microsoft Corporation

The AliCloud data connector provides the capability to retrieve logs from cloud applications using the Cloud API and store events into Microsoft Sentinel through the REST API. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

Table         DCR support   Lake-only ingestion
AliCloud_CL   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: AliCloudAccessKeyId and AliCloudAccessKey are required for making API calls.


Amazon Web Services

Supported by: Microsoft Corporation

Instructions to connect to AWS and stream your CloudTrail logs into Microsoft Sentinel are shown during the installation process. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table           DCR support   Lake-only ingestion
AWSCloudTrail   Yes           Yes

Data collection rule support: Workspace transform DCR


Amazon Web Services CloudFront (via Codeless Connector Framework) (Preview)

Supported by: Microsoft Corporation

This data connector enables the integration of AWS CloudFront logs with Microsoft Sentinel to support advanced threat detection, investigation, and security monitoring. By utilizing Amazon S3 for log storage and Amazon SQS for message queuing, the connector reliably ingests CloudFront access logs into Microsoft Sentinel.

Log Analytics table(s):

Table                        DCR support   Lake-only ingestion
AWSCloudFront_AccessLog_CL   No            No

Data collection rule support: Not currently supported


Amazon Web Services NetworkFirewall (via Codeless Connector Framework)

Supported by: Microsoft Corporation

This data connector allows you to ingest AWS Network Firewall logs into Microsoft Sentinel for advanced threat detection and security monitoring. By leveraging Amazon S3 and Amazon SQS, the connector forwards network traffic logs, intrusion detection alerts, and firewall events to Microsoft Sentinel, enabling real-time analysis and correlation with other security data.

Log Analytics table(s):

Table                    DCR support   Lake-only ingestion
AWSNetworkFirewallFlow   Yes           Yes

Data collection rule support: Workspace transform DCR


Amazon Web Services S3

Supported by: Microsoft Corporation

This connector allows you to ingest AWS service logs, collected in AWS S3 buckets, to Microsoft Sentinel. The currently supported data types are:

  • AWS CloudTrail
  • VPC Flow Logs
  • AWS GuardDuty
  • AWSCloudWatch

For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table           DCR support   Lake-only ingestion
AWSGuardDuty    Yes           Yes
AWSVPCFlow      Yes           Yes
AWSCloudTrail   Yes           Yes
AWSCloudWatch   Yes           Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Environment: You must have the following AWS resources defined and configured: S3, Simple Queue Service (SQS), IAM roles and permissions policies, and the AWS services whose logs you want to collect.


Amazon Web Services S3 DNS Route53 (via Codeless Connector Framework)

Supported by: Microsoft Corporation

This connector enables ingestion of AWS Route 53 DNS logs into Microsoft Sentinel for enhanced visibility and threat detection. It supports DNS Resolver query logs ingested directly from AWS S3 buckets, while Public DNS query logs and Route 53 audit logs can be ingested using Microsoft Sentinel's AWS CloudWatch and CloudTrail connectors. Comprehensive instructions are provided to guide you through the setup of each log type. Leverage this connector to monitor DNS activity, detect potential threats, and improve your security posture in cloud environments.

Log Analytics table(s):

Table                DCR support   Lake-only ingestion
AWSRoute53Resolver   Yes           Yes

Data collection rule support: Workspace transform DCR


Amazon Web Services S3 WAF

Supported by: Microsoft Corporation

This connector allows you to ingest AWS WAF logs, collected in AWS S3 buckets, to Microsoft Sentinel. AWS WAF logs are detailed records of traffic that web access control lists (ACLs) analyze, which are essential for maintaining the security and performance of web applications. These logs contain information such as the time AWS WAF received the request, the specifics of the request, and the action taken by the rule that the request matched.

Log Analytics table(s):

Table    DCR support   Lake-only ingestion
AWSWAF   Yes           Yes

Data collection rule support: Workspace transform DCR


Anvilogic

Supported by: Anvilogic

The Anvilogic data connector allows you to pull events of interest generated in the Anvilogic ADX cluster into your Microsoft Sentinel workspace.

Log Analytics table(s):

Table                 DCR support   Lake-only ingestion
Anvilogic_Alerts_CL   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Anvilogic Application Registration Client ID and Client Secret: To access the Anvilogic ADX, the client ID and client secret from the Anvilogic app registration are required.


ARGOS Cloud Security

Supported by: ARGOS Cloud Security

The ARGOS Cloud Security integration for Microsoft Sentinel allows you to have all your important cloud security events in one place. This enables you to easily create dashboards, alerts, and correlate events across multiple systems. Overall this will improve your organization's security posture and security incident response.

Log Analytics table(s):

Table      DCR support   Lake-only ingestion
ARGOS_CL   No            No

Data collection rule support: Not currently supported


Armis Alerts Activities (using Azure Functions)

Supported by: Armis Corporation

The Armis Alerts Activities connector gives the capability to ingest Armis Alerts and Activities into Microsoft Sentinel through the Armis REST API. Refer to the API documentation: https://<YourArmisInstance>.armis.com/api/v1/docs for more information. The connector provides the ability to get alert and activity information from the Armis platform and to identify and prioritize threats in your environment. Armis uses your existing infrastructure to discover and identify devices without having to deploy any agents.

Log Analytics table(s):

Table                 DCR support   Lake-only ingestion
Armis_Alerts_CL       No            No
Armis_Activities_CL   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: An Armis Secret Key is required. See the API documentation at https://<YourArmisInstance>.armis.com/api/v1/doc to learn more.


Armis Devices (using Azure Functions)

Supported by: Armis Corporation

The Armis Device connector gives the capability to ingest Armis Devices into Microsoft Sentinel through the Armis REST API. Refer to the API documentation: https://<YourArmisInstance>.armis.com/api/v1/docs for more information. The connector provides the ability to get device information from the Armis platform. Armis uses your existing infrastructure to discover and identify devices without having to deploy any agents. Armis can also integrate with your existing IT & security management tools to identify and classify each and every device, managed or unmanaged in your environment.

Log Analytics table(s):

Table              DCR support   Lake-only ingestion
Armis_Devices_CL   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: An Armis Secret Key is required. See the API documentation at https://<YourArmisInstance>.armis.com/api/v1/doc to learn more.


Atlassian Beacon Alerts

Supported by: DEFEND Ltd.

Atlassian Beacon is a cloud product built for intelligent threat detection across the Atlassian platforms (Jira, Confluence, and Atlassian Admin). It can help users detect, investigate and respond to risky user activity across the Atlassian suite of products. The solution is a custom data connector from DEFEND Ltd. that is used to visualize the alerts ingested from Atlassian Beacon into Microsoft Sentinel via a Logic App.

Log Analytics table(s):

Table                        DCR support   Lake-only ingestion
atlassian_beacon_alerts_CL   No            No

Data collection rule support: Not currently supported


Atlassian Confluence Audit (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Atlassian Confluence Audit data connector provides the capability to ingest Confluence Audit Records events into Microsoft Sentinel through the REST API. Refer to API documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

Table                    DCR support   Lake-only ingestion
ConfluenceAuditLogs_CL   No            No

Data collection rule support: Not currently supported

Prerequisites:


Atlassian Jira Audit (using Azure Functions)

Supported by: Microsoft Corporation

The Atlassian Jira Audit data connector provides the capability to ingest Jira Audit Records events into Microsoft Sentinel through the REST API. Refer to API documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

Table           DCR support   Lake-only ingestion
Jira_Audit_CL   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: JiraAccessToken and JiraUsername are required for the REST API. For more information, see API. Check all requirements and follow the instructions for obtaining credentials.


Atlassian Jira Audit (using REST API)

Supported by: Microsoft Corporation

The Atlassian Jira Audit data connector provides the capability to ingest Jira Audit Records events into Microsoft Sentinel through the REST API. Refer to API documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

Table              DCR support   Lake-only ingestion
Jira_Audit_v2_CL   No            No

Data collection rule support: Not currently supported

Prerequisites:


Auth0 Access Management (using Azure Functions)

Supported by: Microsoft Corporation

The Auth0 Access Management data connector provides the capability to ingest Auth0 log events into Microsoft Sentinel.

Log Analytics table(s):

Table        DCR support   Lake-only ingestion
Auth0AM_CL   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: An API token is required. For more information, see API token.


Auth0 Logs

Supported by: Microsoft Corporation

The Auth0 data connector allows ingesting logs from the Auth0 API into Microsoft Sentinel. The data connector is built on the Microsoft Sentinel Codeless Connector Framework. It uses the Auth0 API to fetch logs and supports DCR-based ingestion-time transformations that parse the received security data into a custom table, so that queries don't need to parse it again, resulting in better performance.

Log Analytics table(s):

Table          DCR support   Lake-only ingestion
Auth0Logs_CL   No            No

Data collection rule support: Not currently supported


Automated Logic WebCTRL

Supported by: Microsoft Corporation

You can stream the audit logs from the WebCTRL SQL server hosted on Windows machines connected to Microsoft Sentinel. This connection enables you to view dashboards, create custom alerts and improve investigation. This gives insights into your Industrial Control Systems that are monitored or controlled by the WebCTRL BAS application.

Log Analytics table(s):

Table   DCR support   Lake-only ingestion
Event   Yes           No

Data collection rule support: Workspace transform DCR


AWS S3 Server Access Logs (via Codeless Connector Framework)

Supported by: Microsoft Corporation

This connector allows you to ingest AWS S3 Server Access Logs into Microsoft Sentinel. These logs contain detailed records for requests made to S3 buckets, including the type of request, resource accessed, requester information, and response details. These logs are useful for analyzing access patterns, debugging issues, and ensuring security compliance.

Log Analytics table(s):

Table               DCR support   Lake-only ingestion
AWSS3ServerAccess   Yes           Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Environment: You must have the following AWS resources defined and configured: S3 Bucket, Simple Queue Service (SQS), IAM roles and permissions policies.


AWS Security Hub Findings (via Codeless Connector Framework)

Supported by: Microsoft Corporation

This connector enables the ingestion of AWS Security Hub Findings, which are collected in AWS S3 buckets, into Microsoft Sentinel. It helps streamline the process of monitoring and managing security alerts by integrating AWS Security Hub Findings with Microsoft Sentinel's advanced threat detection and response capabilities.

Log Analytics table(s):

Table                    DCR support   Lake-only ingestion
AWSSecurityHubFindings   Yes           Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Environment: You must have the following AWS resources defined and configured: AWS Security Hub, Amazon Data Firehose, Amazon EventBridge, S3 Bucket, Simple Queue Service (SQS), IAM roles and permissions policies.


Azure Activity

Supported by: Microsoft Corporation

Azure Activity Log is a subscription log that provides insight into subscription-level events that occur in Azure, including events from Azure Resource Manager operational data, service health events, write operations taken on the resources in your subscription, and the status of activities performed in Azure. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table           DCR support   Lake-only ingestion
AzureActivity   No            No

Data collection rule support: Not currently supported


Azure Batch Account

Supported by: Microsoft Corporation

Azure Batch Account is a uniquely identified entity within the Batch service. Most Batch solutions use Azure Storage for storing resource files and output files, so each Batch account is usually associated with a corresponding storage account. This connector lets you stream your Azure Batch account diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table              DCR support   Lake-only ingestion
AzureDiagnostics   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Policy: Owner role assigned for each policy assignment scope


Azure CloudNGFW By Palo Alto Networks

Supported by: Palo Alto Networks

Cloud Next-Generation Firewall by Palo Alto Networks, an Azure Native ISV Service, is the Palo Alto Networks Next-Generation Firewall (NGFW) delivered as a cloud-native service on Azure. You can discover Cloud NGFW in the Azure Marketplace and consume it in your Azure Virtual Networks (VNet). With Cloud NGFW, you can access the core NGFW capabilities such as App-ID and URL-filtering-based technologies. It provides threat prevention and detection through cloud-delivered security services and threat prevention signatures. The connector allows you to easily connect your Cloud NGFW logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. For more information, see the Cloud NGFW for Azure documentation.

Log Analytics table(s):

Table          DCR support   Lake-only ingestion
fluentbit_CL   No            No

Data collection rule support: Not currently supported


Azure Cognitive Search

Supported by: Microsoft Corporation

Azure Cognitive Search is a cloud search service that gives developers infrastructure, APIs, and tools for building a rich search experience over private, heterogeneous content in web, mobile, and enterprise applications. This connector lets you stream your Azure Cognitive Search diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity.

Log Analytics table(s):

Table              DCR support   Lake-only ingestion
AzureDiagnostics   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Policy: Owner role assigned for each policy assignment scope


Azure DDoS Protection

Supported by: Microsoft Corporation

Connect to Azure DDoS Protection Standard logs via Public IP Address Diagnostic Logs. In addition to the core DDoS protection in the platform, Azure DDoS Protection Standard provides advanced DDoS mitigation capabilities against network attacks. It's automatically tuned to protect your specific Azure resources. Protection is simple to enable during the creation of new virtual networks. It can also be done after creation and requires no application or resource changes. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table              DCR support   Lake-only ingestion
AzureDiagnostics   No            No

Data collection rule support: Not currently supported


Azure DevOps Audit Logs (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Azure DevOps Audit Logs data connector allows you to ingest audit events from Azure DevOps into Microsoft Sentinel. This data connector is built using the Microsoft Sentinel Codeless Connector Framework, ensuring seamless integration. It leverages the Azure DevOps Audit Logs API to fetch detailed audit events and supports DCR-based ingestion time transformations. These transformations enable parsing of the received audit data into a custom table during ingestion, improving query performance by eliminating the need for additional parsing. By using this connector, you can gain enhanced visibility into your Azure DevOps environment and streamline your security operations.

Log Analytics table(s):

Table             DCR support   Lake-only ingestion
ADOAuditLogs_CL   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Azure DevOps Prerequisite: Please ensure the following:
    1. Register an Entra App in Microsoft Entra Admin Center under App Registrations.
    2. In 'API permissions' - add Permissions to 'Azure DevOps - vso.auditlog'.
    3. In 'Certificates & secrets' - generate 'Client secret'.
    4. In 'Authentication' - add Redirect URI: 'https://portal.azure.com/TokenAuthorize/ExtensionName/Microsoft_Azure_Security_Insights'.
    5. In the Azure DevOps settings - enable audit log and set View audit log for the user. Azure DevOps Auditing.
    6. Ensure the user assigned to connect the data connector has the View audit logs permission explicitly set to Allow at all times. This permission is essential for successful log ingestion. If the permission is revoked or not granted, data ingestion will fail or be interrupted.


Azure Event Hub

Supported by: Microsoft Corporation

Azure Event Hubs is a big data streaming platform and event ingestion service. It can receive and process millions of events per second. This connector lets you stream your Azure Event Hub diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity.

Log Analytics table(s):

Table              DCR support   Lake-only ingestion
AzureDiagnostics   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Policy: Owner role assigned for each policy assignment scope


Azure Firewall

Supported by: Microsoft Corporation

Connect to Azure Firewall. Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table                               DCR support   Lake-only ingestion
AzureDiagnostics                    No            No
AZFWApplicationRule                 Yes           Yes
AZFWFlowTrace                       Yes           Yes
AZFWFatFlow                         Yes           Yes
AZFWNatRule                         Yes           Yes
AZFWDnsQuery                        Yes           Yes
AZFWIdpsSignature                   Yes           Yes
AZFWInternalFqdnResolutionFailure   Yes           Yes
AZFWNetworkRule                     Yes           Yes
AZFWThreatIntel                     Yes           Yes

Data collection rule support: Workspace transform DCR


Azure Key Vault

Supported by: Microsoft Corporation

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. This connector lets you stream your Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table              DCR support   Lake-only ingestion
AzureDiagnostics   No            No

Data collection rule support: Not currently supported


Azure Kubernetes Service (AKS)

Supported by: Microsoft Corporation

Azure Kubernetes Service (AKS) is an open-source, fully-managed container orchestration service that allows you to deploy, scale, and manage Docker containers and container-based applications in a cluster environment. This connector lets you stream your Azure Kubernetes Service (AKS) diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table              DCR support   Lake-only ingestion
AzureDiagnostics   No            No

Data collection rule support: Not currently supported


Azure Logic Apps

Supported by: Microsoft Corporation

Azure Logic Apps is a cloud-based platform for creating and running automated workflows that integrate your apps, data, services, and systems. This connector lets you stream your Azure Logic Apps diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity.

Log Analytics table(s):

Table              DCR support   Lake-only ingestion
AzureDiagnostics   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Policy: Owner role assigned for each policy assignment scope


Azure Resource Graph

Supported by: Microsoft Corporation

Azure Resource Graph connector gives richer insights into Azure events by supplementing details about Azure subscriptions and Azure resources.

Log Analytics table(s):

Table   DCR support   Lake-only ingestion

Data collection rule support: Not currently supported

Prerequisites:

  • Policy: Owner role permission on Azure subscriptions


Azure Service Bus

Supported by: Microsoft Corporation

Azure Service Bus is a fully managed enterprise message broker with message queues and publish-subscribe topics (in a namespace). This connector lets you stream your Azure Service Bus diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity.

Log Analytics table(s):

Table              DCR support   Lake-only ingestion
AzureDiagnostics   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Policy: Owner role assigned for each policy assignment scope


Azure SQL Databases

Supported by: Microsoft Corporation

Azure SQL is a fully managed, Platform-as-a-Service (PaaS) database engine that handles most database management functions, such as upgrading, patching, backups, and monitoring, without necessitating user involvement. This connector lets you stream your Azure SQL databases audit and diagnostic logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.

Log Analytics table(s):

Table              DCR support   Lake-only ingestion
AzureDiagnostics   No            No

Data collection rule support: Not currently supported


Azure Storage Account

Supported by: Microsoft Corporation

Azure Storage account is a cloud solution for modern data storage scenarios. It contains all your data objects: blobs, files, queues, tables, and disks. This connector lets you stream Azure Storage accounts diagnostics logs into your Microsoft Sentinel workspace, allowing you to continuously monitor activity in all your instances, and detect malicious activity in your organization. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table DCR support Lake-only ingestion
AzureMetrics No No
StorageBlobLogs Yes Yes
StorageQueueLogs Yes Yes
StorageTableLogs Yes Yes
StorageFileLogs Yes Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Policy: Owner role assigned for each policy assignment scope


Azure Stream Analytics

Supported by: Microsoft Corporation

Azure Stream Analytics is a real-time analytics and complex event-processing engine that is designed to analyze and process high volumes of fast streaming data from multiple sources simultaneously. This connector lets you stream your Azure Stream Analytics diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity.

Log Analytics table(s):

Table DCR support Lake-only ingestion
AzureDiagnostics No No

Data collection rule support: Not currently supported

Prerequisites:

  • Policy: Owner role assigned for each policy assignment scope


Azure Web Application Firewall (WAF)

Supported by: Microsoft Corporation

Connect to the Azure Web Application Firewall (WAF) for Application Gateway, Front Door, or CDN. This WAF protects your applications from common web vulnerabilities such as SQL injection and cross-site scripting, and lets you customize rules to reduce false positives. Instructions to stream your Microsoft Web application firewall logs into Microsoft Sentinel are shown during the installation process. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table DCR support Lake-only ingestion
AzureDiagnostics No No

Data collection rule support: Not currently supported


BETTER Mobile Threat Defense (MTD)

Supported by: Better Mobile Security Inc.

The BETTER MTD Connector allows enterprises to connect their BETTER MTD instances with Microsoft Sentinel to view their data in dashboards, create custom alerts, trigger playbooks, and expand threat hunting capabilities. This gives users more insight into their organization's mobile devices and the ability to quickly analyze their current mobile security posture, improving overall SecOps capabilities.

Log Analytics table(s):

Table DCR support Lake-only ingestion
BetterMTDIncidentLog_CL No No
BetterMTDDeviceLog_CL No No
BetterMTDNetflowLog_CL No No
BetterMTDAppLog_CL No No

Data collection rule support: Not currently supported


Bitglass (using Azure Functions)

Supported by: Microsoft Corporation

The Bitglass data connector retrieves security event logs and other events from the Bitglass services into Microsoft Sentinel through the REST API. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

Table DCR support Lake-only ingestion
BitglassLogs_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.
  • REST API Credentials/permissions: BitglassToken and BitglassServiceURL are required for making API calls.


Bitsight data connector (using Azure Functions)

Supported by: BitSight Support

The BitSight Data Connector supports evidence-based cyber risk monitoring by bringing BitSight data into Microsoft Sentinel.

Log Analytics table(s):

Table DCR support Lake-only ingestion
BitsightAlerts_data_CL No No
BitsightBreaches_data_CL No No
BitsightCompany_details_CL No No
BitsightCompany_rating_details_CL No No
BitsightDiligence_historical_statistics_CL No No
BitsightDiligence_statistics_CL No No
BitsightFindings_data_CL No No
BitsightFindings_summary_CL No No
BitsightGraph_data_CL No No
BitsightIndustrial_statistics_CL No No
BitsightObservation_statistics_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.
  • REST API Credentials/permissions: BitSight API Token is required. See the documentation to learn more about API Token.


Bitwarden Event Logs

Supported by: Bitwarden Inc

This connector provides insight into the activity of your Bitwarden organization, such as user activity (logged in, changed password, 2FA, etc.), cipher activity (created, updated, deleted, shared, etc.), collection activity, organization activity, and more.

Log Analytics table(s):

Table DCR support Lake-only ingestion
BitwardenEventLogs No No

Data collection rule support: Not currently supported

Prerequisites:

  • Bitwarden Client Id and Client Secret: Your API key can be found in the Bitwarden organization admin console. Please see Bitwarden documentation for more information.


Box (using Azure Functions)

Supported by: Microsoft Corporation

The Box data connector provides the capability to ingest Box enterprise events into Microsoft Sentinel using the Box REST API. Refer to the Box documentation for more information.

Log Analytics table(s):

Table DCR support Lake-only ingestion
BoxEvents_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.
  • Box API Credentials: Box config JSON file is required for Box REST API JWT authentication. For more information, see JWT authentication.


Box Events (CCF)

Supported by: Microsoft Corporation

The Box data connector provides the capability to ingest Box enterprise events into Microsoft Sentinel using the Box REST API. Refer to the Box documentation for more information.

Log Analytics table(s):

Table DCR support Lake-only ingestion
BoxEventsV2_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Box API credentials: The Box API requires a Box App client ID and client secret to authenticate. For more information, see Client Credentials grant.
  • Box Enterprise ID: The Box Enterprise ID is required to make the connection. See the documentation to find the Enterprise ID.


Check Point CloudGuard CNAPP Connector for Microsoft Sentinel

Supported by: Check Point

The CloudGuard data connector enables the ingestion of security events from the CloudGuard API into Microsoft Sentinel™, using Microsoft Sentinel's Codeless Connector Framework. The connector supports DCR-based ingestion-time transformations that parse incoming security event data into custom columns. This pre-parsing eliminates the need for query-time parsing, resulting in improved performance for data queries.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CloudGuard_SecurityEvents_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • CloudGuard API Key: Refer to the instructions provided here to generate an API key.


Check Point Cyberint IOC Connector

Supported by: Cyberint

This is the data connector for Check Point Cyberint IOC.

Log Analytics table(s):

Table DCR support Lake-only ingestion
iocsent_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Check Point Cyberint API Key and Argos URL: The connector API key and Argos URL are required


Cisco ASA/FTD via AMA

Supported by: Microsoft Corporation

The Cisco ASA firewall connector allows you to easily connect your Cisco ASA logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CommonSecurityLog Yes Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. Learn more


Cisco Cloud Security (using Azure Functions)

Supported by: Microsoft Corporation

The Cisco Cloud Security solution for Microsoft Sentinel enables you to ingest Cisco Secure Access and Cisco Umbrella logs stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API. Refer to Cisco Cloud Security log management documentation for more information.

Log Analytics table(s):

Table DCR support Lake-only ingestion
Cisco_Umbrella_dns_CL No No
Cisco_Umbrella_proxy_CL No No
Cisco_Umbrella_ip_CL No No
Cisco_Umbrella_cloudfirewall_CL No No
Cisco_Umbrella_firewall_CL No No
Cisco_Umbrella_dlp_CL No No
Cisco_Umbrella_ravpnlogs_CL No No
Cisco_Umbrella_audit_CL No No
Cisco_Umbrella_ztna_CL No No
Cisco_Umbrella_intrusion_CL No No
Cisco_Umbrella_ztaflow_CL No No
Cisco_Umbrella_fileevent_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.
  • Amazon S3 REST API Credentials/permissions: AWS Access Key Id, AWS Secret Access Key, AWS S3 Bucket Name are required for Amazon S3 REST API.


Cisco Cloud Security (using elastic premium plan) (using Azure Functions)

Supported by: Microsoft Corporation

The Cisco Umbrella data connector provides the capability to ingest Cisco Umbrella events stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API. Refer to Cisco Umbrella log management documentation for more information.

NOTE: This data connector uses the Azure Functions Premium Plan to enable secure ingestion capabilities and will incur additional costs. More pricing details are here.

Log Analytics table(s):

Table DCR support Lake-only ingestion
Cisco_Umbrella_dns_CL No No
Cisco_Umbrella_proxy_CL No No
Cisco_Umbrella_ip_CL No No
Cisco_Umbrella_cloudfirewall_CL No No
Cisco_Umbrella_firewall_CL No No
Cisco_Umbrella_dlp_CL No No
Cisco_Umbrella_ravpnlogs_CL No No
Cisco_Umbrella_audit_CL No No
Cisco_Umbrella_ztna_CL No No
Cisco_Umbrella_intrusion_CL No No
Cisco_Umbrella_ztaflow_CL No No
Cisco_Umbrella_fileevent_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.
  • Amazon S3 REST API Credentials/permissions: AWS Access Key Id, AWS Secret Access Key, AWS S3 Bucket Name are required for Amazon S3 REST API.
  • Virtual Network permissions (for private access): For private storage account access, Network Contributor permissions are required on the Virtual Network and subnet. The subnet must be delegated to Microsoft.Web/serverFarms for Function App VNet integration.


Cisco ETD (using Azure Functions)

Supported by: N/A

The connector fetches data from the Cisco Email Threat Defense (ETD) API for threat analysis.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CiscoETD_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.
  • Email Threat Defense API, API key, Client ID and Secret: Ensure you have the API key, Client ID and Secret key.


Cisco Meraki (using REST API)

Supported by: Microsoft Corporation

The Cisco Meraki connector allows you to easily connect your Cisco Meraki organization events (security events, configuration changes, and API requests) to Microsoft Sentinel. The data connector uses the Cisco Meraki REST API to fetch logs and supports DCR-based ingestion-time transformations that parse the received data and ingest it into ASIM and custom tables in your Log Analytics workspace. This data connector benefits from capabilities such as DCR-based ingestion-time filtering and data normalization.

Supported ASIM schema:

  1. Network Session
  2. Web Session
  3. Audit Event

Log Analytics table(s):

Table DCR support Lake-only ingestion
ASimNetworkSessionLogs Yes Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Cisco Meraki REST API Key: Enable API access in Cisco Meraki and generate API Key. Please refer to Cisco Meraki official documentation for more information.
  • Cisco Meraki Organization Id: Obtain your Cisco Meraki organization id to fetch security events. Follow the steps in the documentation to obtain the Organization Id using the Meraki API Key obtained in previous step.


Cisco Secure Endpoint (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint audit logs and events into Microsoft Sentinel.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CiscoSecureEndpointAuditLogsV2_CL No No
CiscoSecureEndpointEventsV2_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Cisco Secure Endpoint API Credentials/Regions: To create API credentials and to understand the regions, follow the Cisco Secure Endpoint documentation linked here.


Cisco Software Defined WAN

Supported by: Cisco Systems

The Cisco Software Defined WAN (SD-WAN) data connector provides the capability to ingest Cisco SD-WAN Syslog and NetFlow data into Microsoft Sentinel.

Log Analytics table(s):

Table DCR support Lake-only ingestion
Syslog Yes Yes
CiscoSDWANNetflow_CL No No

Data collection rule support: Workspace transform DCR


Claroty xDome

Supported by: xDome Customer Support

Claroty xDome delivers comprehensive security and alert management capabilities for healthcare and industrial network environments. It is designed to map multiple source types, identify the collected data, and integrate it into Microsoft Sentinel data models. This results in the ability to monitor all potential threats in your healthcare and industrial environments in one location, leading to more effective security monitoring and a stronger security posture.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CommonSecurityLog Yes Yes

Data collection rule support: Workspace transform DCR


Cloudflare (Preview) (using Azure Functions)

Supported by: Cloudflare

The Cloudflare data connector provides the capability to ingest Cloudflare logs into Microsoft Sentinel using the Cloudflare Logpush and Azure Blob Storage. Refer to Cloudflare documentation for more information.

Log Analytics table(s):

Table DCR support Lake-only ingestion
Cloudflare_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.
  • Azure Blob Storage connection string and container name: Azure Blob Storage connection string and container name where the logs are pushed to by Cloudflare Logpush. For more information, see creating Azure Blob Storage container.


Cloudflare (Using Blob Container) (via Codeless Connector Framework)

Supported by: Cloudflare

The Cloudflare data connector provides the capability to ingest Cloudflare logs into Microsoft Sentinel using Cloudflare Logpush and Azure Blob Storage. Refer to the Cloudflare documentation for more information.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CloudflareV2_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Create a storage account and a container: Before setting up Logpush in Cloudflare, first create a storage account and a container in Microsoft Azure. See this guide to learn more about containers and blobs. Follow the steps in the documentation to create an Azure Storage account.
  • Generate a Blob SAS URL: Create and Write permissions are required. Refer to the documentation to learn more about Blob SAS tokens and URLs.
  • Collecting logs from Cloudflare to your Blob container: Follow the steps in the documentation for collecting logs from Cloudflare to your Blob container.


Cognni

Supported by: Cognni

The Cognni connector offers a quick and simple integration with Microsoft Sentinel. You can use Cognni to autonomously map your previously unclassified important information and detect related incidents. This allows you to recognize risks to your important information, understand the severity of the incidents, and investigate the details you need to remediate, fast enough to make a difference.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CognniIncidents_CL No No

Data collection rule support: Not currently supported


Cohesity (using Azure Functions)

Supported by: Cohesity

The Cohesity function apps provide the ability to ingest Cohesity Datahawk ransomware alerts into Microsoft Sentinel.

Log Analytics table(s):

Table DCR support Lake-only ingestion
Cohesity_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.
  • Azure Blob Storage connection string and container name: Azure Blob Storage connection string and container name


CommvaultSecurityIQ

Supported by: Commvault

This Azure Function enables Commvault users to ingest alerts and events into their Microsoft Sentinel instance. With analytics rules, Microsoft Sentinel can automatically create incidents from the incoming events and logs.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CommvaultSecurityIQ_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.
  • Commvault Environment Endpoint URL: Make sure to follow the documentation and set the secret value in KeyVault
  • Commvault QSDK Token: Make sure to follow the documentation and set the secret value in KeyVault


ContrastADR

Supported by: Contrast Security

The ContrastADR data connector provides the capability to ingest Contrast ADR attack events into Microsoft Sentinel using the ContrastADR Webhook. ContrastADR data connector can enrich the incoming webhook data with ContrastADR API enrichment calls.

Log Analytics table(s):

Table DCR support Lake-only ingestion
ContrastADR_CL No No
ContrastADRIncident_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.


Corelight Connector Exporter

Supported by: Corelight

The Corelight data connector enables incident responders and threat hunters who use Microsoft Sentinel to work faster and more effectively. The data connector enables ingestion of events from Zeek and Suricata via Corelight Sensors into Microsoft Sentinel.

Log Analytics table(s):

Table DCR support Lake-only ingestion
Corelight No No

Data collection rule support: Not currently supported


Cortex XDR - Incidents

Supported by: DEFEND Ltd.

Custom data connector from DEFEND that uses the Cortex API to ingest incidents from the Cortex XDR platform into Microsoft Sentinel.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CortexXDR_Incidents_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Cortex API credentials: Cortex API Token is required for REST API. For more information, see API. Check all requirements and follow the instructions for obtaining credentials.


Cribl

Supported by: Cribl

The Cribl connector allows you to easily connect your Cribl (Cribl Enterprise Edition - Standalone) logs with Microsoft Sentinel. This gives you more security insight into your organization's data pipelines.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CriblInternal_CL No No

Data collection rule support: Not currently supported


CrowdStrike API Data Connector (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The CrowdStrike Data Connector allows ingesting logs from the CrowdStrike API into Microsoft Sentinel. This connector is built on the Microsoft Sentinel Codeless Connector Framework and uses the CrowdStrike API to fetch logs for Alerts, Detections, Hosts, Incidents, and Vulnerabilities. It supports DCR-based ingestion time transformations so that queries can run more efficiently.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CrowdStrikeVulnerabilities Yes Yes

Data collection rule support: Workspace transform DCR


CrowdStrike Falcon Adversary Intelligence (using Azure Functions)

Supported by: Microsoft Corporation

The CrowdStrike Falcon Indicators of Compromise connector retrieves Indicators of Compromise from the Falcon Intel API and uploads them to Microsoft Sentinel Threat Intelligence.

Log Analytics table(s):

Table DCR support Lake-only ingestion
ThreatIntelligenceIndicator Yes No

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.
  • CrowdStrike API Client ID and Client Secret: CROWDSTRIKE_CLIENT_ID, CROWDSTRIKE_CLIENT_SECRET, CROWDSTRIKE_BASE_URL. CrowdStrike credentials must have Indicators (Falcon Intelligence) read scope.


CrowdStrike Falcon Data Replicator (AWS S3) (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The CrowdStrike Falcon Data Replicator (S3) connector provides the capability to ingest FDR event data into Microsoft Sentinel from the AWS S3 bucket where the FDR logs have been streamed. The connector retrieves events from Falcon agents, which helps you examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems, and more.

NOTE:

1. CrowdStrike FDR license must be available & enabled.

2. The connector requires an IAM role to be configured on AWS to allow access to the AWS S3 bucket and may not be suitable for environments that use CrowdStrike-managed buckets.

3. For environments that leverage CrowdStrike-managed buckets, please configure the CrowdStrike Falcon Data Replicator (CrowdStrike-Managed AWS S3) connector.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CrowdStrike_Additional_Events_CL No No

Data collection rule support: Not currently supported


CrowdStrike Falcon Data Replicator (CrowdStrike Managed AWS-S3) (using Azure Functions)

Supported by: Microsoft Corporation

This connector enables the ingestion of FDR data into Microsoft Sentinel using Azure Functions to support the assessment of potential security risks, analysis of collaboration activities, identification of configuration issues, and other operational insights.

NOTE:

1. CrowdStrike FDR license must be available & enabled.

2. The connector uses key- and secret-based authentication and is suitable for CrowdStrike-managed buckets.

3. For environments that use a fully owned AWS S3 bucket, Microsoft recommends using the CrowdStrike Falcon Data Replicator (AWS S3) connector.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CrowdStrikeReplicatorV2 No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.
  • SQS and AWS S3 account credentials/permissions: AWS_SECRET, AWS_REGION_NAME, AWS_KEY, and QUEUE_URL are required. For more information, see data pulling. To start, contact CrowdStrike support. At your request they will create a CrowdStrike-managed Amazon Web Services (AWS) S3 bucket for short-term storage as well as an SQS (Simple Queue Service) queue for monitoring changes to the S3 bucket.


CTERA Syslog

Supported by: CTERA

The CTERA Data Connector for Microsoft Sentinel offers monitoring and threat detection capabilities for your CTERA solution. It includes a workbook visualizing the sum of all operations per type, deletions, and denied access operations. It also provides analytics rules that detect ransomware incidents and alert you when a user is blocked due to suspicious ransomware activity. Additionally, it helps you identify critical patterns such as mass access-denied events, mass deletions, and mass permission changes, enabling proactive threat management and response.

Log Analytics table(s):

Table DCR support Lake-only ingestion
Syslog Yes Yes

Data collection rule support: Workspace transform DCR


Custom logs via AMA

Supported by: Microsoft Corporation

Many applications log information to text or JSON files instead of standard logging services, such as Windows Event logs, Syslog or CEF. The Custom Logs data connector allows you to collect events from files on both Windows and Linux computers and stream them to custom logs tables you created. While streaming the data you can parse and transform the contents using the DCR. After collecting the data, you can apply analytic rules, hunting, searching, threat intelligence, enrichments and more.

NOTE: Use this connector for the following devices: Cisco Meraki, Zscaler Private Access (ZPA), VMware vCenter, Apache HTTP server, Apache Tomcat, Jboss Enterprise application platform, Juniper IDP, MarkLogic Audit, MongoDB Audit, Nginx HTTP server, Oracle Weblogic server, PostgreSQL Events, Squid Proxy, Ubiquiti UniFi, SecurityBridge Threat detection SAP and AI vectra stream.

Log Analytics table(s):

Table DCR support Lake-only ingestion
JBossEvent_CL No No
JuniperIDP_CL No No
ApacheHTTPServer_CL No No
Tomcat_CL No No
meraki_CL No No
VectraStream_CL No No
MarkLogicAudit_CL No No
MongoDBAudit_CL No No
NGINX_CL No No
OracleWebLogicServer_CL No No
PostgreSQL_CL No No
SquidProxy_CL No No
Ubiquiti_CL No No
vcenter_CL No No
ZPA_CL No No
SecurityBridgeLogs_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Permissions: To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. Learn more
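
The entry above describes the mechanism (tail a text file on the agent host, stream the raw lines to a custom table, parse and filter them in the DCR) without showing what such a rule looks like. The following data collection rule is an added example, not content from the Microsoft Sentinel page or from any solution listed here. Everything specific in it is assumed: the hypothetical application log at /var/log/myapp/*.log, the constructed line format `2025-01-15T10:02:33Z WARN login_failed user=alice src=203.0.113.7`, the stream name Custom-Text-MyAppRaw, the destination table MyApp_CL, and the workspace resource ID placeholder. The transformKql splits each raw line into Level and Event columns at ingestion time and drops DEBUG lines before they are billed or stored, which is the "parse and transform the contents using the DCR" step the text refers to.

```json
{
  "location": "eastus",
  "properties": {
    "streamDeclarations": {
      "Custom-Text-MyAppRaw": {
        "columns": [
          { "name": "TimeGenerated", "type": "datetime" },
          { "name": "RawData", "type": "string" }
        ]
      }
    },
    "dataSources": {
      "logFiles": [
        {
          "name": "myAppTextLogs",
          "streams": [ "Custom-Text-MyAppRaw" ],
          "filePatterns": [ "/var/log/myapp/*.log" ],
          "format": "text",
          "settings": {
            "text": { "recordStartTimestampFormat": "ISO 8601" }
          }
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>",
          "name": "sentinelWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Custom-Text-MyAppRaw" ],
        "destinations": [ "sentinelWorkspace" ],
        "transformKql": "source | extend Parts = split(RawData, ' ') | project TimeGenerated, Level = tostring(Parts[1]), Event = tostring(Parts[2]), RawData | where Level != 'DEBUG'",
        "outputStream": "Custom-MyApp_CL"
      }
    ]
  }
}
```

The destination table MyApp_CL must already exist in the workspace with columns matching the transform output (TimeGenerated, Level, Event, RawData); the DCR is then associated with the Arc-enabled or Azure VM running the agent as a separate resource. Keep the filter in the transform narrow and auditable: every row it drops is invisible to analytics rules and hunting, so a too-broad `where` clause is a detection gap rather than a cost saving.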


Cyber Blind Spot Integration (using Azure Functions)

Supported by: Cyber Threat Management 360

Through the API integration, you have the capability to retrieve all the issues related to your CBS organizations via a RESTful interface.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CBSLog_Azure_1_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.


CyberArkAudit (using Azure Functions)

Supported by: CyberArk Support

The CyberArk Audit data connector retrieves security event logs and other events from the CyberArk Audit service into Microsoft Sentinel through the REST API. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CyberArk_AuditEvents_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.
  • Audit REST API Connections details and Credentials: OauthUsername, OauthPassword, WebAppID, AuditApiKey, IdentityEndpoint and AuditApiBaseUrl are required for making API calls.


Cybersixgill Actionable Alerts (using Azure Functions)

Supported by: Cybersixgill

Actionable alerts provide customized alerts based on configured assets.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CyberSixgill_Alerts_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.
  • REST API Credentials/permissions: Client_ID and Client_Secret are required for making API calls.


Cyble Vision Alerts

Supported by: Cyble Support

The Cyble Vision Alerts CCF Data Connector enables ingestion of threat alerts from Cyble Vision into Microsoft Sentinel using the Codeless Connector Framework. It collects alert data via API, normalizes it, and stores it in a custom table for advanced detection, correlation, and response.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CybleVisionAlerts_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Cyble Vision API token: An API Token from Cyble Vision Platform is required.


Cyborg Security HUNTER Hunt Packages

Supported by: Cyborg Security

Cyborg Security is a leading provider of advanced threat hunting solutions, with a mission to empower organizations with cutting-edge technology and collaborative tools to proactively detect and respond to cyber threats. Cyborg Security's flagship offering, the HUNTER Platform, combines powerful analytics, curated threat hunting content, and comprehensive hunt management capabilities to create a dynamic ecosystem for effective threat hunting operations.

Follow the steps to gain access to Cyborg Security's Community and set up the 'Open in Tool' capabilities in the HUNTER Platform.

Log Analytics table(s):

Table DCR support Lake-only ingestion
SecurityEvent Yes Yes

Data collection rule support: Workspace transform DCR


CYFIRMA Attack Surface

Supported by: CYFIRMA

N/A

Log Analytics table(s):

Table DCR support Lake-only ingestion
CyfirmaASCertificatesAlerts_CL No No
CyfirmaASConfigurationAlerts_CL No No
CyfirmaASDomainIPReputationAlerts_CL No No
CyfirmaASOpenPortsAlerts_CL No No
CyfirmaASCloudWeaknessAlerts_CL No No
CyfirmaASDomainIPVulnerabilityAlerts_CL No No

Data collection rule support: Not currently supported


CYFIRMA Brand Intelligence

Supported by: CYFIRMA

N/A

Log Analytics table(s):

Table DCR support Lake-only ingestion
CyfirmaBIDomainITAssetAlerts_CL No No
CyfirmaBIExecutivePeopleAlerts_CL No No
CyfirmaBIProductSolutionAlerts_CL No No
CyfirmaBISocialHandlersAlerts_CL No No
CyfirmaBIMaliciousMobileAppsAlerts_CL No No

Data collection rule support: Not currently supported


CYFIRMA Compromised Accounts

Supported by: CYFIRMA

The CYFIRMA Compromised Accounts data connector enables seamless log ingestion from the DeCYFIR/DeTCT API into Microsoft Sentinel. Built on the Microsoft Sentinel Codeless Connector Framework, it leverages the DeCYFIR/DeTCT API to retrieve logs. Additionally, it supports DCR-based ingestion time transformations, which parse security data into a custom table during ingestion. This eliminates the need for query-time parsing, enhancing performance and efficiency.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
CyfirmaCompromisedAccounts_CL           No            No

Data collection rule support: Not currently supported


CYFIRMA Cyber Intelligence

Supported by: CYFIRMA

The CYFIRMA Cyber Intelligence data connector enables seamless log ingestion from the DeCYFIR API into Microsoft Sentinel. Built on the Microsoft Sentinel Codeless Connector Framework, it leverages the DeCYFIR Alerts API to retrieve logs. Additionally, it supports DCR-based ingestion time transformations, which parse security data into a custom table during ingestion. This eliminates the need for query-time parsing, enhancing performance and efficiency.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
CyfirmaIndicators_CL                    No            No
CyfirmaThreatActors_CL                  No            No
CyfirmaCampaigns_CL                     No            No
CyfirmaMalware_CL                       No            No

Data collection rule support: Not currently supported


CYFIRMA Digital Risk

Supported by: CYFIRMA

The CYFIRMA Digital Risk Alerts data connector enables seamless log ingestion from the DeCYFIR/DeTCT API into Microsoft Sentinel. Built on the Microsoft Sentinel Codeless Connector Framework, it leverages the DeCYFIR Alerts API to retrieve logs. Additionally, it supports DCR-based ingestion time transformations, which parse security data into a custom table during ingestion. This eliminates the need for query-time parsing, enhancing performance and efficiency.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
CyfirmaDBWMPhishingAlerts_CL            No            No
CyfirmaDBWMRansomwareAlerts_CL          No            No
CyfirmaDBWMDarkWebAlerts_CL             No            No
CyfirmaSPESourceCodeAlerts_CL           No            No
CyfirmaSPEConfidentialFilesAlerts_CL    No            No
CyfirmaSPEPIIAndCIIAlerts_CL            No            No
CyfirmaSPESocialThreatAlerts_CL         No            No

Data collection rule support: Not currently supported


CYFIRMA Vulnerabilities Intelligence

Supported by: CYFIRMA

The CYFIRMA Vulnerabilities Intelligence data connector enables seamless log ingestion from the DeCYFIR API into Microsoft Sentinel. Built on the Microsoft Sentinel Codeless Connector Framework, it leverages the CYFIRMA APIs to retrieve logs. Additionally, it supports DCR-based ingestion-time transformations, which parse security data into a custom table during ingestion. This eliminates the need for query-time parsing, enhancing performance and efficiency.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
CyfirmaVulnerabilities_CL               No            No

Data collection rule support: Not currently supported


Cynerio Security Events

Supported by: Cynerio

The Cynerio connector allows you to easily connect your Cynerio Security Events with Microsoft Sentinel to view IDS events. This gives you more insight into your organization's network security posture and improves your security operation capabilities.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
CynerioEvent_CL                         No            No

Data collection rule support: Not currently supported


Darktrace Connector for Microsoft Sentinel REST API

Supported by: Darktrace

The Darktrace REST API connector pushes real-time events from Darktrace to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Sentinel. The connector writes logs to a custom log table named "darktrace_model_alerts_CL". Model Breaches, AI Analyst Incidents, System Alerts and Email Alerts can be ingested, and additional filters can be set up on the Darktrace System Configuration page. Data is pushed to Sentinel from Darktrace masters.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
darktrace_model_alerts_CL               No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Darktrace Prerequisites: To use this data connector, a Darktrace master running v5.2+ is required. Data is sent to the Azure Monitor HTTP Data Collector API over HTTPS from Darktrace masters, so outbound connectivity from the Darktrace master to the Microsoft Sentinel REST API is required.
  • Filter Darktrace Data: During configuration it is possible to set up additional filtering on the Darktrace System Configuration page to constrain the amount or types of data sent.
  • Try the Darktrace Sentinel Solution: You can get the most out of this connector by installing the Darktrace Solution for Microsoft Sentinel. This will provide workbooks to visualise alert data and analytics rules to automatically create alerts and incidents from Darktrace Model Breaches and AI Analyst incidents.
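
The Darktrace entry says the appliance pushes data to the Azure Monitor HTTP Data Collector API. The following is an added example, not Darktrace's or Microsoft's code, showing how a push-style connector authenticates to that legacy API: it signs each POST with HMAC-SHA256 under the workspace's shared key and writes to a custom table whose name is the Log-Type header plus the "_CL" suffix. The workspace ID, shared key, timestamp and record are constructed placeholders; the request is assembled but not sent.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed placeholders: a real connector reads the workspace ID and the
# workspace primary key (the "shared key") from its configuration.
WORKSPACE_ID = "11111111-2222-3333-4444-555555555555"
SHARED_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret").decode()
LOG_TYPE = "darktrace_model_alerts"   # Log Analytics stores this as darktrace_model_alerts_CL
RESOURCE = "/api/logs"
DEMO_TIME = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)   # fixed so results are reproducible


def string_to_sign(content_length: int, rfc1123_date: str) -> str:
    """The exact string the API signs: method, body length, content type, the
    x-ms-date header and the resource path, one per line. The body itself is
    not part of it, only its length."""
    return (f"POST\n{content_length}\napplication/json\n"
            f"x-ms-date:{rfc1123_date}\n{RESOURCE}")


def signature(shared_key_b64: str, content_length: int, rfc1123_date: str) -> str:
    """HMAC-SHA256 over the string-to-sign, keyed with the base64-decoded shared key."""
    key = base64.b64decode(shared_key_b64)
    msg = string_to_sign(content_length, rfc1123_date).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def build_request(workspace_id: str, shared_key_b64: str, log_type: str,
                  records: List[Dict], when: Optional[datetime] = None) -> Dict:
    """Assemble the URL, headers and body a push connector would POST (no network)."""
    when = when or datetime.now(timezone.utc)
    rfc1123_date = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")
    sig = signature(shared_key_b64, len(body), rfc1123_date)
    return {
        "url": f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version=2016-04-01",
        "headers": {
            "Content-Type": "application/json",
            "Authorization": f"SharedKey {workspace_id}:{sig}",
            "Log-Type": log_type,
            "x-ms-date": rfc1123_date,
        },
        "body": body,
    }


def verify_request(request: Dict, shared_key_b64: str) -> bool:
    """The receiving side's check: recompute the signature from the headers and
    the body length, then compare in constant time."""
    headers = request["headers"]
    expected = signature(shared_key_b64, len(request["body"]), headers["x-ms-date"])
    presented = headers["Authorization"].split(":", 1)[1]
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    req = build_request(WORKSPACE_ID, SHARED_KEY, LOG_TYPE,
                        [{"model": "Device / Demo Model", "score": 0.8}], when=DEMO_TIME)
    print(req["url"])
    print(req["headers"]["Authorization"])
    print("verifies:", verify_request(req, SHARED_KEY))
```

Two points follow from the string-to-sign. The signature binds the date and the body length but not the body's content, so integrity of the payload in transit rests on TLS, which is why the connector must use HTTPS. And the shared key is the workspace's own primary key, so whatever holds it (here, the Darktrace master) can write any record to any custom table in that workspace; treat it as a workspace-wide write credential and rotate it if the appliance is compromised.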


Datalake2Sentinel

Supported by: Orange Cyberdefense

This solution installs the Datalake2Sentinel connector, which is built using the Codeless Connector Framework and allows you to automatically ingest threat intelligence indicators from Datalake, Orange Cyberdefense's CTI platform, into Microsoft Sentinel via the Upload Indicators REST API. After installing the solution, configure and enable this data connector by following the guidance in the Manage solution view.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
ThreatIntelligenceIndicator             Yes           No

Data collection rule support: Workspace transform DCR


Dataminr Pulse Alerts Data Connector (using Azure Functions)

Supported by: Dataminr Support

Dataminr Pulse Alerts Data Connector brings our AI-powered real-time intelligence into Microsoft Sentinel for faster threat detection and response.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
DataminrPulse_Alerts_CL                 No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Azure Subscription: An Azure subscription with the Owner role is required to register an application in Microsoft Entra ID and to assign the Contributor role to the app in the resource group.
  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions are required to create a Function App. For more information, see Azure Functions.
  • Required Dataminr Credentials/permissions:
    a. Users must have a valid Dataminr Pulse API client ID and secret to use this data connector.
    b. One or more Dataminr Pulse Watchlists must be configured in the Dataminr Pulse website.


Derdack SIGNL4

Supported by: Derdack

When critical systems fail or security incidents happen, SIGNL4 bridges the ‘last mile’ to your staff, engineers, IT admins and workers in the field. It adds real-time mobile alerting to your services, systems, and processes in no time. SIGNL4 notifies through persistent mobile push, SMS text and voice calls with acknowledgement, tracking and escalation. Integrated duty and shift scheduling ensure the right people are alerted at the right time.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
SecurityIncident                        Yes           Yes

Data collection rule support: Workspace transform DCR


Digital Shadows Searchlight (using Azure Functions)

Supported by: Digital Shadows

The Digital Shadows data connector ingests incidents and alerts from Digital Shadows Searchlight into Microsoft Sentinel using the REST API. The connector provides incident and alert information that helps you examine, diagnose and analyse potential security risks and threats.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
DigitalShadows_CL                       No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions are required to create a Function App. For more information, see Azure Functions.
  • REST API Credentials/permissions: A Digital Shadows account ID, secret and key are required. See the documentation to learn more about the API at https://portal-digitalshadows.com/learn/searchlight-api/overview/description.


DNS

Supported by: Microsoft Corporation

The DNS log connector allows you to easily connect your DNS analytic and audit logs with Microsoft Sentinel, and other related data, to improve investigation.

When you enable DNS log collection you can:

  • Identify clients that try to resolve malicious domain names.
  • Identify stale resource records.
  • Identify frequently queried domain names and talkative DNS clients.
  • View request load on DNS servers.
  • View dynamic DNS registration failures.

For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
DnsEvents                               Yes           Yes
DnsInventory                            Yes           Yes

Data collection rule support: Workspace transform DCR
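
The first two capabilities listed above (clients resolving malicious domain names, and talkative clients) are the kind of logic an analyst runs over DnsEvents once the connector is enabled. The following is an added example, not Microsoft's code, that runs that logic over a few constructed DnsEvents-style rows. The column names TimeGenerated, ClientIP, Name and SubType follow the DnsEvents table; the rows, the client addresses and the indicator list are made up, and the indicator list stands in for what the DomainName column of ThreatIntelligenceIndicator would supply.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample rows (a subset of DnsEvents columns).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"TimeGenerated": "2024-01-02T03:04:05Z", "ClientIP": "10.0.0.5", "Name": "cdn.evil-example.test.", "SubType": "LookupQuery"},
    {"TimeGenerated": "2024-01-02T03:04:06Z", "ClientIP": "10.0.0.5", "Name": "update.microsoft.com", "SubType": "LookupQuery"},
    {"TimeGenerated": "2024-01-02T03:04:07Z", "ClientIP": "10.0.0.9", "Name": "EVIL-EXAMPLE.TEST", "SubType": "LookupQuery"},
    {"TimeGenerated": "2024-01-02T03:04:08Z", "ClientIP": "10.0.0.7", "Name": "notevil-example.test", "SubType": "LookupQuery"},
    {"TimeGenerated": "2024-01-02T03:04:09Z", "ClientIP": "10.0.0.5", "Name": "xn--bcher-kva.example", "SubType": "LookupQuery"},
]

# Constructed indicator list; the second entry is a Unicode domain ("bücher.example").
MALICIOUS_DOMAINS = ["evil-example.test", "b\u00fccher.example"]


def normalise(name: str) -> str:
    """Canonical form for comparison: drop the trailing dot a resolver may log,
    lowercase, and IDNA-encode so a Unicode indicator and the punycode form a
    DNS server actually sees compare equal."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name


def matches(name: str, indicator: str) -> bool:
    """True when the queried name is the indicator or a subdomain of it. The
    label-boundary check ("." + indicator) is what stops 'notevil-example.test'
    from matching 'evil-example.test'."""
    n, i = normalise(name), normalise(indicator)
    return n == i or n.endswith("." + i)


def malicious_resolutions(events: Iterable[Dict[str, str]],
                          indicators: Iterable[str]) -> List[Dict[str, str]]:
    """Every lookup whose name matches an indicator, with the client that asked."""
    inds = list(indicators)
    hits: List[Dict[str, str]] = []
    for ev in events:
        for ind in inds:
            if matches(ev["Name"], ind):
                hits.append({"TimeGenerated": ev["TimeGenerated"], "ClientIP": ev["ClientIP"],
                             "Name": ev["Name"], "Indicator": ind})
                break
    return hits


def talkative_clients(events: Iterable[Dict[str, str]], top: int = 3) -> List[Tuple[str, int]]:
    """Clients ranked by number of queries, the second capability in the list above."""
    return Counter(ev["ClientIP"] for ev in events).most_common(top)


if __name__ == "__main__":
    for hit in malicious_resolutions(SAMPLE_EVENTS, MALICIOUS_DOMAINS):
        print(hit)
    print(talkative_clients(SAMPLE_EVENTS))
```

The two normalisation steps are the part worth keeping when the same check is written in KQL: indicator feeds are often mixed-case or Unicode while DnsEvents records the wire form, and a plain suffix match without the leading dot produces false positives on look-alike registrations.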


Doppel Data Connector

Supported by: Doppel

The Doppel data connector ingests Doppel events and alerts into Microsoft Sentinel and supports DCR-based ingestion-time transformations that parse the received security event data into custom columns, so queries don't need to parse it again, resulting in better performance.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
DoppelTable_CL                          No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft Entra Tenant ID, Client ID and Client Secret: Microsoft Entra ID requires a client ID and client secret to authenticate your application. Additionally, Global Admin/Owner level access is required to assign the Entra-registered application the Monitoring Metrics Publisher role on the resource group.
  • Requires Workspace ID, DCE URI, DCR ID: You need the Log Analytics workspace ID, the DCE logs ingestion URI and the DCR immutable ID for the configuration.


Dragos Notifications via Cloud Sitestore

Supported by: Dragos Inc

The Dragos Platform is the leading industrial cybersecurity platform; it offers comprehensive Operational Technology (OT) cyber threat detection built by unrivaled industrial cybersecurity expertise. This solution enables Dragos Platform notification data to be viewed in Microsoft Sentinel so that security analysts can triage potential cybersecurity events occurring in their industrial environments.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
DragosAlerts_CL                         No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Dragos Sitestore API access: A Sitestore user account that has the notification:read permission. This account also needs to have an API key that can be provided to Sentinel.


Druva Events Connector

Supported by: Druva Inc

Provides the capability to ingest Druva events from the Druva APIs.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
DruvaSecurityEvents_CL                  No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Druva API Access: The Druva API requires a client ID and client secret to authenticate.


Dynamics 365 Finance and Operations

Supported by: Microsoft Corporation

Dynamics 365 for Finance and Operations is a comprehensive Enterprise Resource Planning (ERP) solution that combines financial and operational capabilities to help businesses manage their day-to-day operations. It offers a range of features that enable businesses to streamline workflows, automate tasks, and gain insights into operational performance.

The Dynamics 365 Finance and Operations data connector ingests Dynamics 365 Finance and Operations admin activities and audit logs as well as user business process and application activities logs into Microsoft Sentinel.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
FinanceOperationsActivity_CL            No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft Entra app registration: Application client ID and secret used to access Dynamics 365 Finance and Operations.


Dynamics365

Supported by: Microsoft Corporation

The Dynamics 365 Common Data Service (CDS) activities connector provides insight into admin, user, and support activities, as well as Microsoft Social Engagement logging events. By connecting Dynamics 365 CRM logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
Dynamics365Activity                     Yes           No

Data collection rule support: Workspace transform DCR


Dynatrace Attacks

Supported by: Dynatrace

This connector uses the Dynatrace Attacks REST API to ingest detected attacks into Microsoft Sentinel Log Analytics.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
DynatraceAttacks_CL                     No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Dynatrace tenant (ex. xyz.dynatrace.com): You need a valid Dynatrace tenant with Application Security enabled. Learn more about the Dynatrace platform.
  • Dynatrace Access Token: You need a Dynatrace access token with the Read attacks (attacks.read) scope.


Dynatrace Audit Logs

Supported by: Dynatrace

This connector uses the Dynatrace Audit Logs REST API to ingest tenant audit logs into Microsoft Sentinel Log Analytics.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
DynatraceAuditLogs_CL                   No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Dynatrace tenant (ex. xyz.dynatrace.com): You need a valid Dynatrace tenant. To learn more about the Dynatrace platform, start your free trial.
  • Dynatrace Access Token: You need a Dynatrace access token with the Read audit logs (auditLogs.read) scope.


Dynatrace Problems

Supported by: Dynatrace

This connector uses the Dynatrace Problem REST API to ingest problem events into Microsoft Sentinel Log Analytics.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
DynatraceProblems_CL                    No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Dynatrace tenant (ex. xyz.dynatrace.com): You need a valid Dynatrace tenant. To learn more about the Dynatrace platform, start your free trial.
  • Dynatrace Access Token: You need a Dynatrace access token with the Read problems (problems.read) scope.


Dynatrace Runtime Vulnerabilities

Supported by: Dynatrace

This connector uses the Dynatrace Security Problem REST API to ingest detected runtime vulnerabilities into Microsoft Sentinel Log Analytics.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
DynatraceSecurityProblems_CL            No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Dynatrace tenant (ex. xyz.dynatrace.com): You need a valid Dynatrace tenant with Application Security enabled. Learn more about the Dynatrace platform.
  • Dynatrace Access Token: You need a Dynatrace access token with the Read security problems (securityProblems.read) scope.


Elastic Agent (Standalone)

Supported by: Microsoft Corporation

The Elastic Agent data connector provides the capability to ingest Elastic Agent logs, metrics, and security data into Microsoft Sentinel.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
ElasticAgentEvent                       No            No

Data collection rule support: Not currently supported


Ermes Browser Security Events

Supported by: Ermes Cyber Security S.p.A.

Ermes Browser Security Events

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
ErmesBrowserSecurityEvents_CL           No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Ermes Client Id and Client Secret: Enable API access in Ermes. Please contact Ermes Cyber Security support for more information.


ESET Protect Platform (using Azure Functions)

Supported by: ESET Enterprise Integrations

The ESET Protect Platform data connector enables users to ingest detection data from the ESET Protect Platform using the provided Integration REST API. The integration runs as a scheduled Azure Function App.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
IntegrationTable_CL                     No            No
IntegrationTableIncidents_CL            No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions are required to create a Function App. For more information, see Azure Functions.
  • Permission to register an application in Microsoft Entra ID: Sufficient permissions to register an application with your Microsoft Entra tenant are required.
  • Permission to assign a role to the registered application: Permission to assign the Monitoring Metrics Publisher role to the registered application is required.
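
The Doppel and ESET Protect Platform prerequisites above both describe the same machinery: an Entra-registered application holding the Monitoring Metrics Publisher role, plus a workspace ID, a data collection endpoint (DCE) URI and a DCR immutable ID. Those are the inputs of the Azure Monitor Logs Ingestion API, which is how such connectors write to custom tables. The following is an added example, not Doppel's, ESET's or Microsoft's code, that assembles Logs Ingestion API requests for a custom table without sending them. The DCE URI, DCR immutable ID, table name and records are constructed placeholders; the 1 MB per-call limit and api-version 2023-01-01 are the documented values, and the token scope string is the one used in Microsoft's samples (treated here as an assumption).

```python
import json
import urllib.request
from datetime import datetime, timezone
from typing import Dict, Iterable, Iterator, List, Optional

API_VERSION = "2023-01-01"
MAX_BODY_BYTES = 1_000_000                           # the API accepts at most 1 MB per call
TOKEN_SCOPE = "https://monitor.azure.com//.default"  # scope from Microsoft's samples (assumption)

# Constructed placeholders: the real values come from the DCE and DCR you deploy.
DCE_URI = "https://sentinel-demo-dce-abcd.eastus-1.ingest.monitor.azure.com"
DCR_IMMUTABLE_ID = "dcr-0123456789abcdef0123456789abcdef"
TABLE = "DoppelTable_CL"
DEMO_TIME = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)


def stream_name(table: str) -> str:
    """A custom table is written through the 'Custom-<table>' stream the DCR declares."""
    if not table.endswith("_CL"):
        raise ValueError(f"{table!r} is not a custom table (expected the _CL suffix)")
    return f"Custom-{table}"


def upload_url(dce_uri: str, dcr_immutable_id: str, table: str) -> str:
    """POST target: the DCE, the DCR's immutable ID (not its ARM resource ID) and the stream."""
    return (f"{dce_uri.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{stream_name(table)}?api-version={API_VERSION}")


def with_timestamp(record: Dict, when: Optional[datetime] = None) -> Dict:
    """Give each record an ISO-8601 UTC TimeGenerated the DCR transform can map."""
    rec = dict(record)
    stamp = (when or datetime.now(timezone.utc)).isoformat().replace("+00:00", "Z")
    rec.setdefault("TimeGenerated", stamp)
    return rec


def chunk_bodies(records: Iterable[Dict], limit: int = MAX_BODY_BYTES) -> Iterator[bytes]:
    """Yield JSON array bodies, each kept under the per-call size limit."""
    batch: List[Dict] = []
    size = 2                                            # the enclosing "[" and "]"
    for rec in records:
        encoded = json.dumps(rec, separators=(",", ":"))
        if batch and size + len(encoded) + 1 > limit:  # +1 for the separating comma
            yield json.dumps(batch, separators=(",", ":")).encode("utf-8")
            batch, size = [], 2
        batch.append(rec)
        size += len(encoded) + 1
    if batch:
        yield json.dumps(batch, separators=(",", ":")).encode("utf-8")


def build_requests(token: str, records: Iterable[Dict], dce_uri: str = DCE_URI,
                   dcr_id: str = DCR_IMMUTABLE_ID, table: str = TABLE,
                   when: Optional[datetime] = None) -> List[Dict]:
    """The requests a connector would send. 'token' is a bearer token for TOKEN_SCOPE that the
    Entra app obtains with the client-credentials flow; the app must hold Monitoring Metrics
    Publisher on the DCR, otherwise the API answers 403."""
    url = upload_url(dce_uri, dcr_id, table)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    stamped = (with_timestamp(r, when) for r in records)
    return [{"url": url, "headers": headers, "body": body} for body in chunk_bodies(stamped)]


def send(request: Dict) -> int:
    """Actually POST one request (needs network and a real token); 204 means accepted."""
    req = urllib.request.Request(request["url"], data=request["body"],
                                 headers=request["headers"], method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    for r in build_requests("<bearer token>", [{"severity": "high", "alert": "demo"}], when=DEMO_TIME):
        print(r["url"])
        print(r["body"].decode())
```

Two practical notes. The role the prerequisites ask for, Monitoring Metrics Publisher, only needs to exist on the DCR the connector writes through; assigning it at the resource group, as the Doppel entry describes, works but lets the application publish to every DCR in that group, so scope it to the DCR where you can. And the immutable ID is the `dcr-...` value on the DCR's overview page, not its resource ID; a 404 from this URL is almost always one of those two being confused.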


Exchange Security Insights On-Premises Collector

Supported by: Community

Connector used to push the Exchange On-Premises security configuration to Microsoft Sentinel for analysis.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
ESIExchangeConfig_CL                    No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Service Account with Organization Management role: The service account that launches the script as a scheduled task needs to be a member of Organization Management to be able to retrieve all the needed security information.
  • Detailed documentation: Detailed documentation on the installation procedure and usage can be found here.


Exchange Security Insights Online Collector (using Azure Functions)

Supported by: Community

Connector used to push the Exchange Online security configuration to Microsoft Sentinel for analysis.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
ESIExchangeOnlineConfig_CL              No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions are required to create a Function App. For more information, see Azure Functions.
  • microsoft.automation/automationaccounts permissions: Read and write permissions are required to create an Azure Automation account with a Runbook. For more information, see Automation Account.
  • Microsoft.Graph permissions: Groups.Read, Users.Read and Auditing.Read permissions are required to retrieve user/group information linked to Exchange Online assignments. See the documentation to learn more.
  • Exchange Online permissions: The Exchange.ManageAsApp permission and the Global Reader or Security Reader role are needed to retrieve the Exchange Online security configuration. See the documentation to learn more.
  • (Optional) Log Storage permissions: Storage Blob Data Contributor on a storage account, granted to the Automation Account managed identity or to an application ID, is required if you want to store logs. See the documentation to learn more.


ExtraHop Detections Data Connector (using Azure Functions)

Supported by: ExtraHop Support

The ExtraHop Detections Data Connector enables you to import detection data from ExtraHop RevealX to Microsoft Sentinel through webhook payloads.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
ExtraHop_Detections_CL                  No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Azure Subscription: An Azure subscription with the Owner role is required to register an application in Microsoft Entra ID and to assign the Contributor role to the app in the resource group.
  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions are required to create a Function App. For more information, see Azure Functions.
  • ExtraHop RevealX permissions: The following is required on your ExtraHop RevealX system:
    1. Your RevealX system must be running firmware version 9.9.2 or later.
    2. Your RevealX system must be connected to ExtraHop Cloud Services.
    3. Your user account must have System Administration privileges on RevealX 360 or Full Write privileges on RevealX Enterprise.


F5 BIG-IP

Supported by: F5 Networks

The F5 firewall connector allows you to easily connect your F5 logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
F5Telemetry_LTM_CL                      No            No
F5Telemetry_system_CL                   No            No
F5Telemetry_ASM_CL                      No            No

Data collection rule support: Not currently supported


Feedly

Supported by: Feedly Inc

This connector allows you to ingest IoCs from Feedly.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
feedly_indicators_CL                    No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions are required to create a Function App. For more information, see Azure Functions.


Flare

Supported by: Flare

The Flare connector allows you to receive data and intelligence from Flare in Microsoft Sentinel.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
Firework_CL                             No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Required Flare permissions: Only Flare organization administrators may configure the Microsoft Sentinel integration.


Forcepoint DLP

Supported by: Community

The Forcepoint DLP (Data Loss Prevention) connector allows you to automatically export DLP incident data from Forcepoint DLP into Microsoft Sentinel in real-time. This enriches visibility into user activities and data loss incidents, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
ForcepointDLPEvents_CL                  No            No

Data collection rule support: Not currently supported


Forescout

Supported by: Microsoft Corporation

The Forescout data connector provides the capability to ingest Forescout events into Microsoft Sentinel. Refer to Forescout documentation for more information.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
ForescoutEvent                          No            No

Data collection rule support: Not currently supported


Forescout Host Property Monitor

Supported by: Microsoft Corporation

The Forescout Host Property Monitor connector allows you to connect host properties from the Forescout platform with Microsoft Sentinel, to view them, create custom incidents, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
ForescoutHostProperties_CL              No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Forescout Plugin requirement: Make sure the Forescout Microsoft Sentinel plugin is running on the Forescout platform.


Fortinet FortiNDR Cloud

Supported by: Fortinet

The Fortinet FortiNDR Cloud data connector provides the capability to ingest Fortinet FortiNDR Cloud data into Microsoft Sentinel using the FortiNDR Cloud API.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
FncEventsSuricata_CL                    No            No
FncEventsObservation_CL                 No            No
FncEventsDetections_CL                  No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions are required to create a Function App. For more information, see Azure Functions.
  • MetaStream Credentials: AWS Access Key Id, AWS Secret Access Key, FortiNDR Cloud Account Code are required to retrieve event data.
  • API Credentials: FortiNDR Cloud API Token, FortiNDR Cloud Account UUID are required to retrieve detection data.


Garrison ULTRA Remote Logs (using Azure Functions)

Supported by: Garrison

The Garrison ULTRA Remote Logs connector allows you to ingest Garrison ULTRA Remote Logs into Microsoft Sentinel.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
Garrison_ULTRARemoteLogs_CL             No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Garrison ULTRA: To use this data connector you must have an active Garrison ULTRA license.


GCP Cloud Run (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The GCP Cloud Run data connector provides the capability to ingest Cloud Run request logs into Microsoft Sentinel using Pub/Sub. Refer to the Cloud Run overview for more details.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
GCPCloudRun                             Yes           Yes

Data collection rule support: Workspace transform DCR


GCP Cloud SQL (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The GCP Cloud SQL data connector provides the capability to ingest audit logs into Microsoft Sentinel using the GCP Cloud SQL API. Refer to the GCP Cloud SQL audit logs documentation for more information.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
GCPCloudSQL                             Yes           Yes

Data collection rule support: Workspace transform DCR


GCP Pub/Sub Audit Logs

Supported by: Microsoft Corporation

The Google Cloud Platform (GCP) audit logs connector for Microsoft Sentinel enables you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google Cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across GCP resources.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
GCPAuditLogs                            Yes           Yes

Data collection rule support: Workspace transform DCR


GCP Pub/Sub Load Balancer Logs (via Codeless Connector Framework)

Supported by: Microsoft Corporation

Google Cloud Platform (GCP) Load Balancer logs provide detailed insights into network traffic, capturing both inbound and outbound activities. These logs are used for monitoring access patterns and identifying potential security threats across GCP resources. Additionally, these logs also include GCP Web Application Firewall (WAF) logs, enhancing the ability to detect and mitigate risks effectively.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
GCPLoadBalancerLogs_CL                  No            No

Data collection rule support: Not currently supported


GCP Pub/Sub VPC Flow Logs (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Google Cloud Platform (GCP) VPC Flow Logs enable you to capture network traffic activity at the VPC level, allowing you to monitor access patterns, analyze network performance, and detect potential threats across GCP resources.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
GCPVPCFlow                              Yes           Yes

Data collection rule support: Workspace transform DCR


Gigamon AMX Data Connector

Supported by: Gigamon

Use this data connector to integrate with Gigamon Application Metadata Exporter (AMX) and get data sent directly to Microsoft Sentinel.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
Gigamon_CL                              No            No

Data collection rule support: Not currently supported


GitHub (using Webhooks)

Supported by: Microsoft Corporation

The GitHub webhook data connector provides the capability to ingest GitHub subscribed events into Microsoft Sentinel using GitHub webhook events. The connector gets events into Microsoft Sentinel so you can examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.

Note: If you intend to ingest GitHub audit logs, refer to the GitHub Enterprise Audit Log connector in the "Data Connectors" gallery.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
githubscanaudit_CL                      No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions are required to create a Function App. For more information, see Azure Functions.


GitHub Enterprise Audit Log (via Codeless Connector Framework) (Preview)

Supported by: Microsoft Corporation

The GitHub audit log connector provides the capability to ingest GitHub logs into Microsoft Sentinel. By connecting GitHub audit logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.

Note: If you intend to ingest GitHub subscribed events into Microsoft Sentinel, refer to the GitHub (using Webhooks) connector in the "Data Connectors" gallery.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
GitHubAuditLogsV2_CL                    No            No

Data collection rule support: Not currently supported

Prerequisites:

  • GitHub API personal access token: To enable polling for the Enterprise audit log, ensure the authenticated user is an Enterprise admin and has a GitHub personal access token (classic) with the read:audit_log scope.
  • GitHub Enterprise type: This connector will only function with GitHub Enterprise Cloud; it will not support GitHub Enterprise Server.


Google ApigeeX (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Google ApigeeX data connector provides the capability to ingest Audit logs into Microsoft Sentinel using the Google Apigee API. Refer to Google Apigee API documentation for more information.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
GCPApigee                               Yes           Yes

Data collection rule support: Workspace transform DCR


Google Cloud Platform CDN (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Google Cloud Platform CDN data connector provides the capability to ingest Cloud CDN audit logs and Cloud CDN traffic logs into Microsoft Sentinel using the Compute Engine API. Refer to the product overview document for more details.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
GCPCDN                                  Yes           Yes

Data collection rule support: Workspace transform DCR


Google Cloud Platform Cloud IDS (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Google Cloud Platform IDS data connector provides the capability to ingest Cloud IDS Traffic logs, Threat logs and Audit logs into Microsoft Sentinel using the Google Cloud IDS API. Refer to Cloud IDS API documentation for more information.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
GCPIDS                                  Yes           Yes

Data collection rule support: Workspace transform DCR


Google Cloud Platform Cloud Monitoring (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Google Cloud Platform Cloud Monitoring data connector ingests Monitoring logs from Google Cloud into Microsoft Sentinel using the Google Cloud Monitoring API. Refer to Cloud Monitoring API documentation for more details.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
GCPMonitoring                           Yes           Yes

Data collection rule support: Workspace transform DCR


Google Cloud Platform Compute Engine (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Google Cloud Platform Compute Engine data connector provides the capability to ingest Compute Engine Audit logs into Microsoft Sentinel using the Google Cloud Compute Engine API. Refer to Cloud Compute Engine API documentation for more information.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
GCPComputeEngine                        Yes           Yes

Data collection rule support: Workspace transform DCR


Google Cloud Platform DNS (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Google Cloud Platform DNS data connector provides the capability to ingest Cloud DNS Query logs and Cloud DNS Audit logs into Microsoft Sentinel using the Google Cloud DNS API. Refer to Cloud DNS API documentation for more information.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
GCPDNS                                  Yes           Yes

Data collection rule support: Workspace transform DCR


Google Cloud Platform IAM (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Google Cloud Platform IAM data connector provides the capability to ingest the Audit logs relating to Identity and Access Management (IAM) activities within Google Cloud into Microsoft Sentinel using the Google IAM API. Refer to GCP IAM API documentation for more information.

Log Analytics table(s):

Table                                   DCR support   Lake-only ingestion
GCPIAM                                  Yes           Yes

Data collection rule support: Workspace transform DCR


Google Cloud Platform NAT (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Google Cloud Platform NAT data connector provides the capability to ingest Cloud NAT Audit logs and Cloud NAT Traffic logs into Microsoft Sentinel using the Compute Engine API. Refer to the Product overview document for more details.

Log Analytics table(s):

Table          DCR support   Lake-only ingestion
GCPNATAudit    Yes           Yes
GCPNAT         Yes           Yes

Data collection rule support: Workspace transform DCR


Google Cloud Platform Resource Manager (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Google Cloud Platform Resource Manager data connector provides the capability to ingest Resource Manager Admin Activity and Data Access Audit logs into Microsoft Sentinel using the Cloud Resource Manager API. Refer to the Product overview document for more details.

Log Analytics table(s):

Table                 DCR support   Lake-only ingestion
GCPResourceManager    Yes           Yes

Data collection rule support: Workspace transform DCR


Google Kubernetes Engine (via Codeless Connector Framework)

Supported by: Microsoft Corporation

Google Kubernetes Engine (GKE) logs let you capture cluster activity, workload behavior, and security events, so that you can monitor Kubernetes workloads, analyze performance, and detect potential threats across GKE clusters.

Log Analytics table(s):

Table       DCR support   Lake-only ingestion
GKEAudit    Yes           Yes

Data collection rule support: Workspace transform DCR


Google Security Command Center

Supported by: Microsoft Corporation

Google Cloud Platform (GCP) Security Command Center is a comprehensive security and risk management platform for Google Cloud, and this connector ingests its data into Microsoft Sentinel. It offers features such as asset inventory and discovery, vulnerability and threat detection, and risk mitigation and remediation to help you gain insight into your organization's security and data attack surface. This integration enables you to work with findings and assets more effectively.

Log Analytics table(s):

Table             DCR support   Lake-only ingestion
GoogleCloudSCC    Yes           Yes

Data collection rule support: Workspace transform DCR


Google Workspace Activities (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Google Workspace Activities data connector provides the capability to ingest Activity Events from Google Workspace API into Microsoft Sentinel.

Log Analytics table(s):

Table                     DCR support   Lake-only ingestion
GoogleWorkspaceReports    Yes           Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Google Workspace API access: Access to the Google Workspace Activities API through OAuth is required.


GreyNoise Threat Intelligence

Supported by: GreyNoise

This Data Connector installs an Azure Function app to download GreyNoise indicators once per day and inserts them into the ThreatIntelligenceIndicator table in Microsoft Sentinel.

Log Analytics table(s):

Table                          DCR support   Lake-only ingestion
ThreatIntelligenceIndicator    Yes           No

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions on Azure Functions are required to create a Function App. For more information, see Azure Functions.
  • GreyNoise API Key: Retrieve your GreyNoise API Key here.


HackerView Integration (using Azure Functions)

Supported by: Cyber Threat Management 360

Through the API integration, you have the capability to retrieve all the issues related to your HackerView organizations via a RESTful interface.

Log Analytics table(s):

Table                       DCR support   Lake-only ingestion
HackerViewLog_Azure_1_CL    No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions on Azure Functions are required to create a Function App. For more information, see Azure Functions.


Holm Security Asset Data (using Azure Functions)

Supported by: Holm Security

The connector provides the capability to poll data from Holm Security Center into Microsoft Sentinel.

Log Analytics table(s):

Table            DCR support   Lake-only ingestion
net_assets_CL    No            No
web_assets_CL    No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions on Azure Functions are required to create a Function App. For more information, see Azure Functions.
  • Holm Security API Token: A Holm Security API token is required.


IIS Logs of Microsoft Exchange Servers

Supported by: Community

[Option 5] - Using Azure Monitor Agent - You can stream all IIS Logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.

Log Analytics table(s):

Table        DCR support   Lake-only ingestion
W3CIISLog    Yes           No

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Azure Log Analytics will be deprecated; to collect data from non-Azure VMs, Azure Arc is recommended. Learn more
  • Detailed documentation: Detailed documentation on the installation procedure and usage can be found here


Illumio Insights

Supported by: Illumio

The Illumio Insights data connector allows ingesting logs from the Illumio API into Microsoft Sentinel. The data connector is built on the Microsoft Sentinel Codeless Connector Framework. It uses the Illumio API to fetch logs and supports DCR-based ingestion-time transformations that parse the received security data into a custom table, so that queries don't need to parse it again, resulting in better performance.

Log Analytics table(s):

Table             DCR support   Lake-only ingestion
IlumioInsights    Yes           Yes

Data collection rule support: Workspace transform DCR


Illumio Insights Summary

Supported by: Illumio

The Illumio Insights Summary data connector provides the capability to ingest Illumio security insights and threat analysis reports into Microsoft Sentinel through the REST API. Refer to Illumio API documentation for more information. The connector provides the ability to get daily and weekly summary reports from Illumio and visualize them in Microsoft Sentinel.

Log Analytics table(s):

Table                        DCR support   Lake-only ingestion
IllumioInsightsSummary_CL    No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Illumio API access: Illumio API access is required for the Illumio Insights Summary API.


Illumio SaaS (using Azure Functions)

Supported by: Illumio

The Illumio connector provides the capability to ingest events into Microsoft Sentinel. Specifically, it ingests auditable and flow events from an AWS S3 bucket.

Log Analytics table(s):

Table                          DCR support   Lake-only ingestion
Illumio_Auditable_Events_CL    No            No
Illumio_Flow_Events_CL         No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions on Azure Functions are required to create a Function App. For more information, see Azure Functions.
  • SQS and AWS S3 account credentials/permissions: AWS_SECRET, AWS_REGION_NAME, AWS_KEY, and QUEUE_URL are required. If you are using an S3 bucket provided by Illumio, contact Illumio support. At your request they will provide you with the AWS S3 bucket name, the AWS SQS URL, and the AWS credentials to access them.
  • Illumio API key and secret: ILLUMIO_API_KEY and ILLUMIO_API_SECRET are required for the workbook to connect to the SaaS PCE and fetch API responses.


Imperva Cloud WAF (using Azure Functions)

Supported by: Microsoft Corporation

The Imperva Cloud WAF data connector provides the capability to integrate and ingest Web Application Firewall events into Microsoft Sentinel through the REST API. Refer to Log integration documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

Table                 DCR support   Lake-only ingestion
ImpervaWAFCloud_CL    No            No

Data collection rule support: Not currently supported


Infoblox Cloud Data Connector via AMA

Supported by: Infoblox

The Infoblox Cloud Data Connector allows you to easily connect your Infoblox data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.

Log Analytics table(s):

Table                DCR support   Lake-only ingestion
CommonSecurityLog    Yes           Yes

Data collection rule support: Workspace transform DCR


Infoblox Data Connector via REST API

Supported by: Infoblox

The Infoblox Data Connector allows you to easily connect your Infoblox TIDE data and Dossier data with Microsoft Sentinel. By connecting your data to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.

Log Analytics table(s):

Table                             DCR support   Lake-only ingestion
Failed_Range_To_Ingest_CL         No            No
Infoblox_Failed_Indicators_CL     No            No
dossier_whois_CL                  No            No
dossier_whitelist_CL              No            No
dossier_tld_risk_CL               No            No
dossier_threat_actor_CL           No            No
dossier_rpz_feeds_records_CL      No            No
dossier_rpz_feeds_CL              No            No
dossier_nameserver_matches_CL     No            No
dossier_nameserver_CL             No            No
dossier_malware_analysis_v3_CL    No            No
dossier_inforank_CL               No            No
dossier_infoblox_web_cat_CL       No            No
dossier_geo_CL                    No            No
dossier_dns_CL                    No            No
dossier_atp_threat_CL             No            No
dossier_atp_CL                    No            No
dossier_ptr_CL                    No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Azure Subscription: An Azure subscription with the Owner role is required to register an application in Microsoft Entra ID and to assign the Contributor role to the app in the resource group.
  • Microsoft.Web/sites permissions: Read and write permissions on Azure Functions are required to create a Function App. For more information, see Azure Functions.
  • REST API Credentials/permissions: An Infoblox API key is required. See the REST API reference to learn more about the API.


Infoblox SOC Insight Data Connector via AMA

Supported by: Infoblox

The Infoblox SOC Insight Data Connector allows you to easily connect your Infoblox BloxOne SOC Insight data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.

This data connector ingests Infoblox SOC Insight CDC logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

Log Analytics table(s):

Table                DCR support   Lake-only ingestion
CommonSecurityLog    Yes           Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. Learn more
  • Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed. Learn more


Infoblox SOC Insight Data Connector via REST API

Supported by: Infoblox

The Infoblox SOC Insight Data Connector allows you to easily connect your Infoblox BloxOne SOC Insight data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.

Log Analytics table(s):

Table                 DCR support   Lake-only ingestion
InfobloxInsight_CL    No            No

Data collection rule support: Not currently supported


InfoSecGlobal Data Connector

Supported by: InfoSecGlobal

Use this data connector to integrate with InfoSec Crypto Analytics and get data sent directly to Microsoft Sentinel.

Log Analytics table(s):

Table                  DCR support   Lake-only ingestion
InfoSecAnalytics_CL    No            No

Data collection rule support: Not currently supported


IONIX Security Logs

Supported by: IONIX

The IONIX Security Logs data connector ingests logs from the IONIX system directly into Microsoft Sentinel. The connector allows users to visualize their data, create alerts and incidents, and improve security investigations.

Log Analytics table(s):

Table                      DCR support   Lake-only ingestion
CyberpionActionItems_CL    No            No

Data collection rule support: Not currently supported


Island Enterprise Browser Admin Audit (Polling CCF)

Supported by: Island

The Island Admin connector provides the capability to ingest Island Admin Audit logs into Microsoft Sentinel.

Log Analytics table(s):

Table              DCR support   Lake-only ingestion
Island_Admin_CL    No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Island API Key: An Island API key is required.


Island Enterprise Browser User Activity (Polling CCF)

Supported by: Island

The Island connector provides the capability to ingest Island User Activity logs into Microsoft Sentinel.

Log Analytics table(s):

Table             DCR support   Lake-only ingestion
Island_User_CL    No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Island API Key: An Island API key is required.


Jamf Protect Push Connector

Supported by: Jamf Software, LLC

The Jamf Protect connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel.

Log Analytics table(s):

Table                         DCR support   Lake-only ingestion
jamfprotecttelemetryv2_CL     No            No
jamfprotectunifiedlogs_CL     No            No
jamfprotectalerts_CL          No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft Entra: Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.
  • Microsoft Azure: Permission to assign the Monitoring Metrics Publisher role on the data collection rule (DCR). Typically requires the Azure RBAC Owner or User Access Administrator role.


Keeper Security Push Connector

Supported by: Keeper Security

The Keeper Security connector provides the capability to read raw event data from Keeper Security in Microsoft Sentinel.

Log Analytics table(s):

Table                            DCR support   Lake-only ingestion
KeeperSecurityEventNewLogs_CL    No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft Entra: Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.
  • Microsoft Azure: Permission to assign the Monitoring Metrics Publisher role on the data collection rule (DCR). Typically requires the Azure RBAC Owner or User Access Administrator role.


LastPass Enterprise - Reporting (Polling CCF)

Supported by: The Collective Consulting

The LastPass Enterprise connector provides the capability to ingest LastPass reporting (audit) logs into Microsoft Sentinel. The connector provides visibility into logins and activity within LastPass (such as reading and removing passwords).

Log Analytics table(s):

Table                      DCR support   Lake-only ingestion
LastPassNativePoller_CL    No            No

Data collection rule support: Not currently supported

Prerequisites:

  • LastPass API Key and CID: A LastPass API key and CID are required. For more information, see LastPass API.


Lookout Mobile Threat Detection Connector (via Codeless Connector Framework) (Preview)

Supported by: Lookout

The Lookout Mobile Threat Detection data connector provides the capability to ingest events related to mobile security risks into Microsoft Sentinel through the Mobile Risk API. Refer to API documentation for more information. This connector helps you examine potential security risks detected in mobile devices.

Log Analytics table(s):

Table              DCR support   Lake-only ingestion
LookoutMtdV2_CL    No            No

Data collection rule support: Not currently supported


Luminar IOCs and Leaked Credentials (using Azure Functions)

Supported by: Cognyte Luminar

The Luminar IOCs and Leaked Credentials connector allows integration of intelligence-based IOC data and customer-related leaked records identified by Luminar.

Log Analytics table(s):

Table                          DCR support   Lake-only ingestion
ThreatIntelligenceIndicator    Yes           No

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Azure Subscription: An Azure subscription with the Owner role is required to register an application in Azure Active Directory and to assign the Contributor role to the app in the resource group.
  • Microsoft.Web/sites permissions: Read and write permissions on Azure Functions are required to create a Function App. For more information, see Azure Functions.
  • REST API Credentials/permissions: Luminar Client ID, Luminar Client Secret and Luminar Account ID are required.


MailGuard 365

Supported by: MailGuard 365

MailGuard 365 provides enhanced email security for Microsoft 365. Exclusive to the Microsoft marketplace, MailGuard 365 is integrated with Microsoft 365 security (including Defender) for enhanced protection against advanced email threats like phishing, ransomware, and sophisticated BEC attacks.

Log Analytics table(s):

Table                      DCR support   Lake-only ingestion
MailGuard365_Threats_CL    No            No

Data collection rule support: Not currently supported


MailRisk by Secure Practice (using Azure Functions)

Supported by: Secure Practice

This data connector pushes emails from MailRisk into Microsoft Sentinel Log Analytics.

Log Analytics table(s):

Table                DCR support   Lake-only ingestion
MailRiskEmails_CL    No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions on Azure Functions are required to create a Function App. For more information, see Azure Functions.
  • API credentials: Your Secure Practice API key pair is also needed; it is created in the settings of the admin portal. If you have lost your API secret, you can generate a new key pair (WARNING: Any other integrations using the old key pair will stop working).


Microsoft 365 (formerly, Office 365)

Supported by: Microsoft Corporation

The Microsoft 365 (formerly, Office 365) activity log connector provides insight into ongoing user activities. You will get details of operations such as file downloads, access requests sent, changes to group events, set-mailbox and details of the user who performed the actions. By connecting Microsoft 365 logs into Microsoft Sentinel you can use this data to view dashboards, create custom alerts, and improve your investigation process. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table             DCR support   Lake-only ingestion
OfficeActivity    Yes           Yes

Data collection rule support: Workspace transform DCR


Microsoft 365 Insider Risk Management

Supported by: Microsoft Corporation

Microsoft 365 Insider Risk Management is a compliance solution in Microsoft 365 that helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards.

Insider risk policies allow you to:

  • define the types of risks you want to identify and detect in your organization.
  • decide on what actions to take in response, including escalating cases to Microsoft Advanced eDiscovery if needed.

This solution produces alerts that can be seen by Office customers in the Insider Risk Management solution in Microsoft 365 Compliance Center. Learn More about Insider Risk Management.

These alerts can be imported into Microsoft Sentinel with this connector, allowing you to see, investigate, and respond to them in a broader organizational threat context. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table            DCR support   Lake-only ingestion
SecurityAlert    Yes           Yes

Data collection rule support: Workspace transform DCR


Microsoft Active-Directory Domain Controllers Security Event Logs

Supported by: Community

[Option 3 & 4] - Using Azure Monitor Agent - You can stream some or all Domain Controller Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts and improve investigation.

Log Analytics table(s):

Table            DCR support   Lake-only ingestion
SecurityEvent    Yes           Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Azure Log Analytics will be deprecated; to collect data from non-Azure VMs, Azure Arc is recommended. Learn more
  • Detailed documentation: Detailed documentation on the installation procedure and usage can be found here


Microsoft Dataverse

Supported by: Microsoft Corporation

Microsoft Dataverse is a scalable and secure data platform that enables organizations to store and manage data used by business applications. The Microsoft Dataverse data connector provides the capability to ingest Dataverse and Dynamics 365 CRM activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.

Log Analytics table(s):

Table                DCR support   Lake-only ingestion
DataverseActivity    Yes           Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Tenant Permissions: 'Security Administrator' or 'Global Administrator' on the workspace's tenant.
  • Microsoft Purview Audit: Microsoft Purview Audit (Standard or Premium) must be activated.
  • Production Dataverse: Activity logging is available only for Production environments. Other types, such as sandbox, do not support activity logging.
  • Dataverse Audit Settings: Audit settings must be configured both globally and at the entity/table level. For more information, see Dataverse audit settings.


Microsoft Defender for Cloud Apps

Supported by: Microsoft Corporation

By connecting with Microsoft Defender for Cloud Apps you will gain visibility into your cloud apps, get sophisticated analytics to identify and combat cyberthreats, and control how your data travels.

  • Identify shadow IT cloud apps on your network.
  • Control and limit access based on conditions and session context.
  • Use built-in or custom policies for data sharing and data loss prevention.
  • Identify high-risk use and get alerts for unusual user activities with Microsoft behavioral analytics and anomaly detection capabilities, including ransomware activity, impossible travel, suspicious email forwarding rules, and mass download of files.

Log Analytics table(s):

Table                    DCR support   Lake-only ingestion
SecurityAlert            No            No
McasShadowItReporting    No            No

Data collection rule support: Not currently supported


Microsoft Defender for Endpoint

Supported by: Microsoft Corporation

Microsoft Defender for Endpoint is a security platform designed to prevent, detect, investigate, and respond to advanced threats. The platform creates alerts when suspicious security events are seen in an organization. Fetch alerts generated in Microsoft Defender for Endpoint into Microsoft Sentinel so that you can effectively analyze security events. You can create rules, build dashboards, and author playbooks for immediate response. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table            DCR support   Lake-only ingestion
SecurityAlert    Yes           Yes

Data collection rule support: Workspace transform DCR


Microsoft Defender for Identity

Supported by: Microsoft Corporation

Connect Microsoft Defender for Identity to gain visibility into the events and user analytics. Microsoft Defender for Identity identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Microsoft Defender for Identity enables SecOp analysts and security professionals struggling to detect advanced attacks in hybrid environments to:

  • Monitor users, entity behavior, and activities with learning-based analytics
  • Protect user identities and credentials stored in Active Directory
  • Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
  • Provide clear incident information on a simple timeline for fast triage

For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table            DCR support   Lake-only ingestion
SecurityAlert    Yes           Yes

Data collection rule support: Workspace transform DCR


Microsoft Defender for IoT

Supported by: Microsoft Corporation

Gain insights into your IoT security by connecting Microsoft Defender for IoT alerts to Microsoft Sentinel. You can get out-of-the-box alert metrics and data, including alert trends, top alerts, and alert breakdown by severity. You can also get information about the recommendations provided for your IoT hubs including top recommendations and recommendations by severity. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table            DCR support   Lake-only ingestion
SecurityAlert    Yes           Yes

Data collection rule support: Workspace transform DCR


Microsoft Defender for Office 365 (Preview)

Supported by: Microsoft Corporation

Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools. By ingesting Microsoft Defender for Office 365 alerts into Microsoft Sentinel, you can incorporate information about email- and URL-based threats into your broader risk analysis and build response scenarios accordingly.

The following types of alerts will be imported:

  • A potentially malicious URL click was detected
  • Email messages containing malware removed after delivery
  • Email messages containing phish URLs removed after delivery
  • Email reported by user as malware or phish
  • Suspicious email sending patterns detected
  • User restricted from sending email

These alerts can be seen by Office customers in the Office Security and Compliance Center.

For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table            DCR support   Lake-only ingestion
SecurityAlert    Yes           Yes

Data collection rule support: Workspace transform DCR


Microsoft Defender Threat Intelligence

Supported by: Microsoft Corporation

Microsoft Sentinel provides the capability to import threat intelligence generated by Microsoft to enable monitoring, alerting, and hunting. Use this data connector to import Indicators of Compromise (IOCs) from Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel. Threat indicators include IP addresses, domains, URLs, file hashes, and more.

Log Analytics table(s):

Table                          DCR support   Lake-only ingestion
ThreatIntelligenceIndicator    Yes           No

Data collection rule support: Workspace transform DCR


Microsoft Defender XDR

Supported by: Microsoft Corporation

Microsoft Defender XDR is a unified, natively integrated, pre- and post-breach enterprise defense suite that protects endpoint, identity, email, and applications and helps you detect, prevent, investigate, and automatically respond to sophisticated threats.

Microsoft Defender XDR suite includes:

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365
  • Threat & Vulnerability Management
  • Microsoft Defender for Cloud Apps

For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table                  DCR support   Lake-only ingestion
SecurityIncident       Yes           Yes
SecurityAlert          Yes           Yes
DeviceEvents           Yes           Yes
EmailEvents            Yes           Yes
IdentityLogonEvents    Yes           Yes
CloudAppEvents         Yes           Yes
AlertEvidence          Yes           Yes

Data collection rule support: Workspace transform DCR


Microsoft Entra ID

Supported by: Microsoft Corporation

Gain insights into Microsoft Entra ID by connecting Audit and Sign-in logs to Microsoft Sentinel. The Sign-in logs show app usage, conditional access policy outcomes, and legacy authentication details. The Audit logs table shows Self Service Password Reset (SSPR) usage and Microsoft Entra ID management activities such as user, group, role, and app management. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table                              DCR support   Lake-only ingestion
SigninLogs                         Yes           Yes
AuditLogs                          Yes           Yes
AADNonInteractiveUserSignInLogs    Yes           Yes
AADServicePrincipalSignInLogs      Yes           Yes
AADManagedIdentitySignInLogs       Yes           Yes
AADProvisioningLogs                Yes           Yes
ADFSSignInLogs                     Yes           Yes
AADUserRiskEvents                  Yes           Yes
AADRiskyUsers                      Yes           Yes
NetworkAccessTraffic               Yes           Yes
AADRiskyServicePrincipals          Yes           Yes
AADServicePrincipalRiskEvents      Yes           Yes

Data collection rule support: Workspace transform DCR


Microsoft Entra ID Assets

Supported by: Microsoft Corporation

Entra ID assets data connector gives richer insights into activity data by supplementing details with asset information. Data from this connector is used to build data risk graphs in Purview. If you have enabled those graphs, deactivating this Connector will prevent the graphs from being built. Learn about the data risk graph.

Log Analytics table(s):

Table    DCR support   Lake-only ingestion

Data collection rule support: Not currently supported


Microsoft Entra ID Protection

Supported by: Microsoft Corporation

Microsoft Entra ID Protection provides a consolidated view of at-risk users, risk events, and vulnerabilities, with the ability to remediate risk immediately and to set policies that auto-remediate future events. The service is built on Microsoft's experience protecting consumer identities and gains tremendous accuracy from the signal from over 13 billion logins a day. Integrate Microsoft Entra ID Protection alerts with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table            DCR support   Lake-only ingestion
SecurityAlert    Yes           Yes

Data collection rule support: Workspace transform DCR


Microsoft Exchange Admin Audit Logs by Event Logs

Supported by: Community

[Option 1] - Using Azure Monitor Agent - You can stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This data is used by the Microsoft Exchange Security workbooks to provide security insights into your on-premises Exchange environment.

Log Analytics table(s):

Table    DCR support   Lake-only ingestion
Event    Yes           No

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Azure Log Analytics will be deprecated; to collect data from non-Azure VMs, Azure Arc is recommended. Learn more
  • Detailed documentation: Detailed documentation on the installation procedure and usage can be found here


Microsoft Exchange HTTP Proxy Logs

Supported by: Community

[Option 7] - Using Azure Monitor Agent - You can stream HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts and improve investigation. Learn more

Log Analytics table(s):

Table                   DCR support   Lake-only ingestion
ExchangeHttpProxy_CL    No            No

Data collection rule support: Not currently supported

Prerequisites:

  • Azure Log Analytics will be deprecated: To collect data from non-Azure VMs, Azure Arc is recommended. Learn more
  • Detailed documentation: Detailed documentation on the installation procedure and usage can be found here


Microsoft Exchange Logs and Events

Supported by: Community

[Option 2] - Using Azure Monitor Agent - You can stream all Exchange Security & Application Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.

Log Analytics table(s):

Table    DCR support   Lake-only ingestion
Event    Yes           No

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Azure Log Analytics will be deprecated: To collect data from non-Azure VMs, Azure Arc is recommended. Learn more
  • Detailed documentation: Detailed documentation on the installation procedure and usage can be found here.


Microsoft Exchange Message Tracking Logs

Supported by: Community

[Option 6] - Using Azure Monitor Agent - You can stream all Exchange Message Tracking logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. These logs can be used to track the flow of messages in your Exchange environment. This data connector is based on option 6 of the Microsoft Exchange Security wiki.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
MessageTrackingLog_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Azure Log Analytics will be deprecated: To collect data from non-Azure VMs, Azure Arc is recommended. Learn more
  • Detailed documentation: Detailed documentation on the installation procedure and usage can be found here.


Microsoft Power Automate

Supported by: Microsoft Corporation

Power Automate is a Microsoft service that helps users create automated workflows between apps and services to synchronize files, get notifications, collect data, and more. It simplifies task automation, increasing efficiency by reducing manual, repetitive tasks, and enhancing productivity. The Power Automate data connector provides the capability to ingest Power Automate activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
PowerAutomateActivity | Yes | Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Tenant Permissions: 'Security Administrator' or 'Global Administrator' on the workspace's tenant.
  • Microsoft Purview Audit: Microsoft Purview Audit (Standard or Premium) must be activated.


Microsoft Power Platform Admin Activity

Supported by: Microsoft Corporation

Microsoft Power Platform is a low-code/no-code suite empowering both citizen and pro developers to streamline business processes by enabling the creation of custom apps, automation of workflows, and data analysis with minimal coding. The Power Platform Admin data connector provides the capability to ingest Power Platform administrator activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
PowerPlatformAdminActivity | Yes | Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Tenant Permissions: 'Security Administrator' or 'Global Administrator' on the workspace's tenant.
  • Microsoft Purview Audit: Microsoft Purview Audit (Standard or Premium) must be activated.


Microsoft PowerBI

Supported by: Microsoft Corporation

Microsoft PowerBI is a collection of software services, apps, and connectors that work together to turn your unrelated sources of data into coherent, visually immersive, and interactive insights. Your data may be an Excel spreadsheet, a collection of cloud-based and on-premises hybrid data warehouses, or a data store of some other type. This connector lets you stream PowerBI audit logs into Microsoft Sentinel, allowing you to track user activities in your PowerBI environment. You can filter the audit data by date range, user, dashboard, report, dataset, and activity type.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
PowerBIActivity | Yes | Yes

Data collection rule support: Workspace transform DCR


Microsoft Project

Supported by: Microsoft

Microsoft Project (MSP) is a project management software solution. Depending on your plan, Microsoft Project lets you plan projects, assign tasks, manage resources, create reports and more. This connector allows you to stream your Azure Project audit logs into Microsoft Sentinel in order to track your project activities.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
ProjectActivity | Yes | Yes

Data collection rule support: Workspace transform DCR


Microsoft Purview

Supported by: Microsoft Corporation

Connect to Microsoft Purview to enable data sensitivity enrichment of Microsoft Sentinel. Data classification and sensitivity label logs from Microsoft Purview scans can be ingested and visualized through workbooks, analytical rules, and more. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
PurviewDataSensitivityLogs | Yes | Yes

Data collection rule support: Workspace transform DCR


Microsoft Purview Information Protection

Supported by: Microsoft Corporation

Microsoft Purview Information Protection helps you discover, classify, protect, and govern sensitive information wherever it lives or travels. Using these capabilities enables you to know your data, identify items that are sensitive, and gain visibility into how they are being used so you can better protect your data. Sensitivity labels are the foundational capability that provides protection actions: applying encryption, access restrictions, and visual markings. Integrate Microsoft Purview Information Protection logs with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
MicrosoftPurviewInformationProtection | Yes | Yes

Data collection rule support: Workspace transform DCR


Mimecast Audit

Supported by: Mimecast

The data connector for Mimecast Audit provides customers with visibility into security events related to audit and authentication events within Microsoft Sentinel. The data connector provides pre-created dashboards that let analysts view insights into user activity, aid incident correlation, and reduce investigation response times, coupled with custom alert capabilities.
The Mimecast products included within the connector are: Audit

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
Audit_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Azure Subscription: An Azure subscription with the Owner role is required to register an application in Microsoft Entra ID and assign the Contributor role to the app in the resource group.
  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: See the Rest API reference documentation to learn more about the API.


Mimecast Audit & Authentication (using Azure Functions)

Supported by: Mimecast

The data connector for Mimecast Audit & Authentication provides customers with visibility into security events related to audit and authentication events within Microsoft Sentinel. The data connector provides pre-created dashboards that let analysts view insights into user activity, aid incident correlation, and reduce investigation response times, coupled with custom alert capabilities.
The Mimecast products included within the connector are: Audit & Authentication

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
MimecastAudit_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • Mimecast API credentials: You need to have the following pieces of information to configure the integration:
      • mimecastEmail: Email address of a dedicated Mimecast admin user
      • mimecastPassword: Password for the dedicated Mimecast admin user
      • mimecastAppId: API Application Id of the Mimecast Microsoft Sentinel app registered with Mimecast
      • mimecastAppKey: API Application Key of the Mimecast Microsoft Sentinel app registered with Mimecast
      • mimecastAccessKey: Access Key for the dedicated Mimecast admin user
      • mimecastSecretKey: Secret Key for the dedicated Mimecast admin user
      • mimecastBaseURL: Mimecast Regional API Base URL

    The Mimecast Application Id and Application Key, along with the Access Key and Secret Key for the dedicated Mimecast admin user, are obtainable via the Mimecast Administration Console: Administration | Services | API and Platform Integrations.

    The Mimecast API Base URL for each region is documented here: https://integrations.mimecast.com/documentation/api-overview/global-base-urls/

  • Resource group: You need to have a resource group created in the subscription you are going to use.
  • Functions app: You need to have an Azure app registered for this connector to use, with its:
      1. Application Id
      2. Tenant Id
      3. Client Id
      4. Client Secret


Mimecast Awareness Training

Supported by: Mimecast

The data connector for Mimecast Awareness Training provides customers with visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards that let analysts view insights into email-based threats, aid incident correlation, and reduce investigation response times, coupled with custom alert capabilities.
The Mimecast products included within the connector are:

  • Performance Details
  • Safe Score Details
  • User Data
  • Watchlist Details

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
Awareness_Performance_Details_CL | No | No
Awareness_SafeScore_Details_CL | No | No
Awareness_User_Data_CL | No | No
Awareness_Watchlist_Details_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Azure Subscription: An Azure subscription with the Owner role is required to register an application in Microsoft Entra ID and assign the Contributor role to the app in the resource group.
  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: See the Rest API reference documentation to learn more about the API.


Mimecast Cloud Integrated

Supported by: Mimecast

The data connector for Mimecast Cloud Integrated provides customers with visibility into security events related to the Cloud Integrated inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards that let analysts view insights into email-based threats, aid incident correlation, and reduce investigation response times, coupled with custom alert capabilities.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
Cloud_Integrated_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Azure Subscription: An Azure subscription with the Owner role is required to register an application in Microsoft Entra ID and assign the Contributor role to the app in the resource group.
  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: See the Rest API reference documentation to learn more about the API.


Mimecast Intelligence for Microsoft - Microsoft Sentinel (using Azure Functions)

Supported by: Mimecast

The data connector for Mimecast Intelligence for Microsoft provides regional threat intelligence curated from Mimecast’s email inspection technologies, with pre-created dashboards that let analysts view insights into email-based threats, aid incident correlation, and reduce investigation response times.
Mimecast products and features required:

  • Mimecast Secure Email Gateway
  • Mimecast Threat Intelligence

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
ThreatIntelligenceIndicator | Yes | No

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • Mimecast API credentials: You need to have the following pieces of information to configure the integration:
      • mimecastEmail: Email address of a dedicated Mimecast admin user
      • mimecastPassword: Password for the dedicated Mimecast admin user
      • mimecastAppId: API Application Id of the Mimecast Microsoft Sentinel app registered with Mimecast
      • mimecastAppKey: API Application Key of the Mimecast Microsoft Sentinel app registered with Mimecast
      • mimecastAccessKey: Access Key for the dedicated Mimecast admin user
      • mimecastSecretKey: Secret Key for the dedicated Mimecast admin user
      • mimecastBaseURL: Mimecast Regional API Base URL

    The Mimecast Application Id and Application Key, along with the Access Key and Secret Key for the dedicated Mimecast admin user, are obtainable via the Mimecast Administration Console: Administration | Services | API and Platform Integrations.

    The Mimecast API Base URL for each region is documented here: https://integrations.mimecast.com/documentation/api-overview/global-base-urls/

  • Resource group: You need to have a resource group created in the subscription you are going to use.
  • Functions app: You need to have an Azure app registered for this connector to use, with its:
      1. Application Id
      2. Tenant Id
      3. Client Id
      4. Client Secret


Mimecast Secure Email Gateway

Supported by: Mimecast

The data connector for Mimecast Secure Email Gateway allows easy log collection from the Secure Email Gateway to surface email insight and user activity within Microsoft Sentinel. The data connector provides pre-created dashboards that let analysts view insights into email-based threats, aid incident correlation, and reduce investigation response times, coupled with custom alert capabilities. Mimecast products and features required:

  • Mimecast Cloud Gateway
  • Mimecast Data Leak Prevention

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
Seg_Cg_CL | No | No
Seg_Dlp_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Azure Subscription: An Azure subscription with the Owner role is required to register an application in Microsoft Entra ID and assign the Contributor role to the app in the resource group.
  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: See the Rest API reference documentation to learn more about the API.


Mimecast Secure Email Gateway (using Azure Functions)

Supported by: Mimecast

The data connector for Mimecast Secure Email Gateway allows easy log collection from the Secure Email Gateway to surface email insight and user activity within Microsoft Sentinel. The data connector provides pre-created dashboards that let analysts view insights into email-based threats, aid incident correlation, and reduce investigation response times, coupled with custom alert capabilities. Mimecast products and features required:

  • Mimecast Secure Email Gateway
  • Mimecast Data Leak Prevention

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
MimecastSIEM_CL | No | No
MimecastDLP_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • Mimecast API credentials: You need to have the following pieces of information to configure the integration:
      • mimecastEmail: Email address of a dedicated Mimecast admin user
      • mimecastPassword: Password for the dedicated Mimecast admin user
      • mimecastAppId: API Application Id of the Mimecast Microsoft Sentinel app registered with Mimecast
      • mimecastAppKey: API Application Key of the Mimecast Microsoft Sentinel app registered with Mimecast
      • mimecastAccessKey: Access Key for the dedicated Mimecast admin user
      • mimecastSecretKey: Secret Key for the dedicated Mimecast admin user
      • mimecastBaseURL: Mimecast Regional API Base URL

    The Mimecast Application Id and Application Key, along with the Access Key and Secret Key for the dedicated Mimecast admin user, are obtainable via the Mimecast Administration Console: Administration | Services | API and Platform Integrations.

    The Mimecast API Base URL for each region is documented here: https://integrations.mimecast.com/documentation/api-overview/global-base-urls/

  • Resource group: You need to have a resource group created in the subscription you are going to use.
  • Functions app: You need to have an Azure app registered for this connector to use, with its:
      1. Application Id
      2. Tenant Id
      3. Client Id
      4. Client Secret


Mimecast Targeted Threat Protection

Supported by: Mimecast

The data connector for Mimecast Targeted Threat Protection provides customers with visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards that let analysts view insights into email-based threats, aid incident correlation, and reduce investigation response times, coupled with custom alert capabilities.
The Mimecast products included within the connector are:

  • URL Protect
  • Impersonation Protect
  • Attachment Protect

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
Ttp_Url_CL | No | No
Ttp_Attachment_CL | No | No
Ttp_Impersonation_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Azure Subscription: An Azure subscription with the Owner role is required to register an application in Microsoft Entra ID and assign the Contributor role to the app in the resource group.
  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: See the Rest API reference documentation to learn more about the API.


Mimecast Targeted Threat Protection (using Azure Functions)

Supported by: Mimecast

The data connector for Mimecast Targeted Threat Protection provides customers with visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards that let analysts view insights into email-based threats, aid incident correlation, and reduce investigation response times, coupled with custom alert capabilities.
The Mimecast products included within the connector are:

  • URL Protect
  • Impersonation Protect
  • Attachment Protect

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
MimecastTTPUrl_CL | No | No
MimecastTTPAttachment_CL | No | No
MimecastTTPImpersonation_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: You need to have the following pieces of information to configure the integration:
      • mimecastEmail: Email address of a dedicated Mimecast admin user
      • mimecastPassword: Password for the dedicated Mimecast admin user
      • mimecastAppId: API Application Id of the Mimecast Microsoft Sentinel app registered with Mimecast
      • mimecastAppKey: API Application Key of the Mimecast Microsoft Sentinel app registered with Mimecast
      • mimecastAccessKey: Access Key for the dedicated Mimecast admin user
      • mimecastSecretKey: Secret Key for the dedicated Mimecast admin user
      • mimecastBaseURL: Mimecast Regional API Base URL

    The Mimecast Application Id and Application Key, along with the Access Key and Secret Key for the dedicated Mimecast admin user, are obtainable via the Mimecast Administration Console: Administration | Services | API and Platform Integrations.

    The Mimecast API Base URL for each region is documented here: https://integrations.mimecast.com/documentation/api-overview/global-base-urls/


MISP2Sentinel

Supported by: Community

This solution installs the MISP2Sentinel connector that allows you to automatically push threat indicators from MISP to Microsoft Sentinel via the Upload Indicators REST API. After installing the solution, configure and enable this data connector by following guidance in Manage solution view.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
ThreatIntelligenceIndicator | Yes | No

Data collection rule support: Workspace transform DCR


MongoDB Atlas Logs

Supported by: MongoDB

The MongoDB Atlas Logs connector provides the capability to upload MongoDB Atlas database logs into Microsoft Sentinel through the MongoDB Atlas Administration API. Refer to the API documentation for more information. The connector can retrieve a range of database log messages for the specified hosts and the specified project.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
MDBALogTable_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: A MongoDB Atlas service account Client ID and Client Secret are required. For more information, see creating a service account.


MuleSoft Cloudhub (using Azure Functions)

Supported by: Microsoft Corporation

The MuleSoft Cloudhub data connector provides the capability to retrieve logs and events from Cloudhub applications into Microsoft Sentinel by using the Cloudhub REST API. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
MuleSoft_Cloudhub_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: MuleSoftEnvId, MuleSoftAppName, MuleSoftUsername, and MuleSoftPassword are required for making API calls.


NC Protect

Supported by: archTIS

NC Protect Data Connector (archtis.com) provides the capability to ingest user activity logs and events into Microsoft Sentinel. The connector provides visibility into NC Protect user activity logs and events in Microsoft Sentinel to improve monitoring and investigation capabilities.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
NCProtectUAL_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • NC Protect: You must have a running instance of NC Protect for O365. Please contact us.


Netskope Alerts and Events

Supported by: Netskope

Netskope Security Alerts and Events

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
NetskopeAlerts_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Netskope organisation URL: The Netskope data connector requires you to provide your organisation URL. You can find your organisation URL by signing into the Netskope portal.
  • Netskope API key: The Netskope data connector requires you to provide a valid API key. You can create one by following the Netskope documentation.


Netskope Data Connector

Supported by: Netskope

The Netskope data connector provides the following capabilities:

  1. NetskopeToAzureStorage: Get the Netskope Alerts and Events data from Netskope and ingest it into Azure storage.
  2. StorageToSentinel: Get the Netskope Alerts and Events data from Azure storage and ingest it into a custom log table in the Log Analytics workspace.
  3. WebTxMetrics: Get the WebTxMetrics data from Netskope and ingest it into a custom log table in the Log Analytics workspace.

For more details on the REST APIs, refer to the following documentation:

  1. Netskope API documentation: https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/
  2. Azure storage documentation: /azure/storage/common/storage-introduction
  3. Microsoft Log Analytics documentation: /azure/azure-monitor/logs/log-analytics-overview

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
alertscompromisedcredentialdata_CL | No | No
alertsctepdata_CL | No | No
alertsdlpdata_CL | No | No
alertsmalsitedata_CL | No | No
alertsmalwaredata_CL | No | No
alertspolicydata_CL | No | No
alertsquarantinedata_CL | No | No
alertsremediationdata_CL | No | No
alertssecurityassessmentdata_CL | No | No
alertsubadata_CL | No | No
eventsapplicationdata_CL | No | No
eventsauditdata_CL | No | No
eventsconnectiondata_CL | No | No
eventsincidentdata_CL | No | No
eventsnetworkdata_CL | No | No
eventspagedata_CL | No | No
Netskope_WebTx_metrics_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Azure Subscription: An Azure subscription with the Owner role is required to register an application in Azure Active Directory and assign the Contributor role to the app in the resource group.
  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: A Netskope Tenant and a Netskope API Token are required. See the Rest API reference documentation to learn more about the API.


Netskope Web Transactions Data Connector

Supported by: Netskope

The Netskope Web Transactions data connector provides a Docker image that pulls the Netskope Web Transactions data from Google Pub/Sub Lite, processes the data, and ingests the processed data into Log Analytics. This data connector creates two tables in Log Analytics: one for the Web Transactions data and the other for errors encountered during execution.

For more details related to Web Transactions, refer to the following documentation:

  1. Netskope Web Transactions documentation: https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
NetskopeWebtxData_CL | No | No
NetskopeWebtxErrors_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Azure Subscription: An Azure subscription with the Owner role is required to register an application in Microsoft Entra ID and assign the Contributor role to the app in the resource group.
  • Microsoft.Compute permissions: Read and write permissions to Azure VMs are required. For more information, see Azure VMs.
  • TransactionEvents Credentials and Permissions: A Netskope Tenant and a Netskope API Token are required. For more information, see Transaction Events.
  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.


Network Security Groups

Supported by: Microsoft Corporation

Azure network security groups (NSG) allow you to filter network traffic to and from Azure resources in an Azure virtual network. A network security group includes rules that allow or deny traffic to a virtual network subnet, network interface, or both.

When you enable logging for an NSG, you can gather the following types of resource log information:

  • Event: Entries are logged for which NSG rules are applied to VMs, based on MAC address.
  • Rule counter: Contains entries for how many times each NSG rule is applied to deny or allow traffic. The status for these rules is collected every 300 seconds.

This connector lets you stream your NSG diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
AzureDiagnostics | No | No

Data collection rule support: Not currently supported


NordPass

Supported by: NordPass

Integrating NordPass with Microsoft Sentinel SIEM via the API will allow you to automatically transfer Activity Log data from NordPass to Microsoft Sentinel and get real-time insights, such as item activity, all login attempts, and security notifications.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
NordPassEventLogs_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Ensure that the resource group and the Log Analytics workspace are created and located in the same region so you can deploy the Azure Functions.
  • Add Microsoft Sentinel to the created Log Analytics workspace.
  • Generate a Microsoft Sentinel API URL and token in the NordPass Admin Panel to finish the Azure Functions integration. Please note that you’ll need the NordPass Enterprise account for that.
  • Important: This connector uses Azure Functions to retrieve Activity Logs from NordPass into Microsoft Sentinel. This may result in additional data ingestion costs. For more information, refer to the Azure Functions pricing page.


Obsidian Datasharing Connector

Supported by: Obsidian Security

The Obsidian Datasharing connector provides the capability to read raw event data from Obsidian Datasharing in Microsoft Sentinel.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
ObsidianActivity_CL | No | No
ObsidianThreat_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft Entra: Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.
  • Microsoft Azure: Permission to assign the Monitoring Metrics Publisher role on the data collection rule (DCR). Typically requires the Azure RBAC Owner or User Access Administrator role.


Okta Single Sign-On

Supported by: Microsoft Corporation

The Okta Single Sign-On (SSO) data connector provides the capability to ingest audit and event logs from the Okta System Log API into Microsoft Sentinel. The data connector is built on the Microsoft Sentinel Codeless Connector Framework and uses the Okta System Log API to fetch the events. The connector supports DCR-based ingestion-time transformations that parse the received security event data into custom columns so that queries don't need to parse it again, resulting in better performance.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
OktaSSO | No | No

Data collection rule support: Not currently supported

Prerequisites:


Okta Single Sign-On (using Azure Functions)

Supported by: Microsoft Corporation

The Okta Single Sign-On (SSO) connector provides the capability to ingest audit and event logs from the Okta API into Microsoft Sentinel. The connector provides visibility into these log types in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
Okta_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • Okta API Token: An Okta API Token is required. See the documentation to learn more about the Okta System Log API.


Onapsis Defend: Integrate Unmatched SAP Threat Detection & Intel with Microsoft Sentinel

Supported by: Onapsis

Empower security teams with deep visibility into unique exploit, zero-day, and threat actor activity; suspicious user or insider behavior; sensitive data downloads; security control violations; and more - all enriched by the SAP experts at Onapsis.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
Onapsis_Defend_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft Entra: Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.
  • Microsoft Azure: Permission to assign Monitoring Metrics Publisher role on data collection rules. Typically requires Azure RBAC Owner or User Access Administrator role.


OneLogin IAM Platform (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The OneLogin data connector provides the capability to ingest common OneLogin IAM Platform events into Microsoft Sentinel through the REST API by using the OneLogin Events API and the OneLogin Users API. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
OneLoginEventsV2_CL | No | No
OneLoginUsersV2_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • OneLogin IAM API Credentials: To create API credentials, follow the OneLogin documentation. Make sure you have an account type of either account owner or administrator to create the API credentials. Once you create the API credentials, you get your Client ID and Client Secret.


OneTrust

Supported by: OneTrust, LLC

The OneTrust connector for Microsoft Sentinel provides the capability to have near real-time visibility into where sensitive data has been located or remediated across Google Cloud and other OneTrust-supported data sources.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
OneTrustMetadataV3_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft Entra: Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.
  • Microsoft Azure: Permission to assign Monitoring Metrics Publisher role on data collection rules (DCRs). Typically requires Azure RBAC Owner or User Access Administrator role.


Open Systems Data Connector

Supported by: Open Systems

The Open Systems Logs API Microsoft Sentinel Connector provides the capability to ingest Open Systems logs into Microsoft Sentinel using the Open Systems Logs API.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
OpenSystemsZtnaLogs_CL | No | No
OpenSystemsFirewallLogs_CL | No | No
OpenSystemsAuthenticationLogs_CL | No | No
OpenSystemsProxyLogs_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Azure Container Apps, DCRs, and DCEs: Permissions to deploy Azure Container Apps, Managed Environments, Data Collection Rules (DCRs), and Data Collection Endpoints (DCEs) are required. This is typically covered by having the 'Contributor' role on the subscription or resource group.
  • Role Assignment Permissions: Permissions to create role assignments (specifically 'Monitoring Metrics Publisher' on DCRs) are required for the deploying user or service principal.
  • Required Credentials for ARM Template: During deployment, you will need to provide: Open Systems Logs API endpoint and connection string, and Service Principal credentials (Client ID, Client Secret, Object/Principal ID).
  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.


Oracle Cloud Infrastructure (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Oracle Cloud Infrastructure (OCI) data connector provides the capability to ingest OCI Logs from OCI Stream into Microsoft Sentinel using the OCI Streaming REST API.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
OCI_LogsV2_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • OCI Streaming API access: Access to the OCI Streaming API through API signing keys is required.


Orca Security Alerts

Supported by: Orca Security

The Orca Security Alerts connector allows you to easily export Alerts logs to Microsoft Sentinel.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
OrcaAlerts_CL | No | No

Data collection rule support: Not currently supported


Palo Alto Cortex XDR

Supported by: Microsoft Corporation

The Palo Alto Cortex XDR data connector allows ingesting logs from the Palo Alto Cortex XDR API into Microsoft Sentinel. The data connector is built on the Microsoft Sentinel Codeless Connector Framework. It uses the Palo Alto Cortex XDR API to fetch logs and supports DCR-based ingestion-time transformations that parse the received security data into a custom table so that queries don't need to parse it again, resulting in better performance.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
PaloAltoCortexXDR_Incidents_CL | No | No
PaloAltoCortexXDR_Endpoints_CL | No | No
PaloAltoCortexXDR_Audit_Management_CL | No | No
PaloAltoCortexXDR_Audit_Agent_CL | No | No
PaloAltoCortexXDR_Alerts_CL | No | No

Data collection rule support: Not currently supported


Palo Alto Cortex Xpanse (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Palo Alto Cortex Xpanse data connector ingests alerts data into Microsoft Sentinel.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
CortexXpanseAlerts_CL | No | No

Data collection rule support: Not currently supported


Palo Alto Prisma Cloud CSPM (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Palo Alto Prisma Cloud CSPM data connector allows you to connect to your Palo Alto Prisma Cloud CSPM instance and ingest Alerts (https://pan.dev/prisma-cloud/api/cspm/alerts/) and Audit Logs (https://pan.dev/prisma-cloud/api/cspm/audit-logs/) into Microsoft Sentinel.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
PaloAltoPrismaCloudAlertV2_CL | No | No

Data collection rule support: Not currently supported


Palo Alto Prisma Cloud CWPP (using REST API)

Supported by: Microsoft Corporation

The Palo Alto Prisma Cloud CWPP data connector allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingest alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel's Codeless Connector Framework, uses the Prisma Cloud API to fetch security events, and supports DCR-based ingestion-time transformations that parse the received security event data into custom columns so that queries don't need to parse it again, resulting in better performance.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
PrismaCloudCompute_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • PrismaCloudCompute API Key: A Palo Alto Prisma Cloud CWPP Monitor API username and password are required. For more information, see PrismaCloudCompute SIEM API.


Pathlock Inc.: Threat Detection and Response for SAP

Supported by: Pathlock Inc.

The Pathlock Threat Detection and Response (TD&R) integration with Microsoft Sentinel Solution for SAP delivers unified, real-time visibility into SAP security events, enabling organizations to detect and act on threats across all SAP landscapes. This out-of-the-box integration allows Security Operations Centers (SOCs) to correlate SAP-specific alerts with enterprise-wide telemetry, creating actionable intelligence that connects IT security with business processes.

Pathlock’s connector is purpose-built for SAP and forwards only security-relevant events by default, minimizing data volume and noise while maintaining the flexibility to forward all log sources when needed. Each event is enriched with business process context, allowing Microsoft Sentinel Solution for SAP analytics to distinguish operational patterns from real threats and to prioritize what truly matters.

This precision-driven approach helps security teams drastically reduce false positives, focus investigations, and accelerate mean time to detect (MTTD) and mean time to respond (MTTR). With a library of more than 1,500 SAP-specific detection signatures across 70+ log sources, the solution uncovers complex attack behaviors, configuration weaknesses, and access anomalies.

By combining business-context intelligence with advanced analytics, Pathlock enables enterprises to strengthen detection accuracy, streamline response actions, and maintain continuous control across their SAP environments—without adding complexity or redundant monitoring layers.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
ABAPAuditLog | Yes | Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Microsoft Entra: Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.
  • Microsoft Azure: Permission to assign Monitoring Metrics Publisher role on data collection rules. Typically requires Azure RBAC Owner or User Access Administrator role.


Perimeter 81 Activity Logs

Supported by: Perimeter 81

The Perimeter 81 Activity Logs connector allows you to easily connect your Perimeter 81 activity logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
Perimeter81_CL | No | No

Data collection rule support: Not currently supported


Phosphorus Devices

Supported by: Phosphorus Inc.

The Phosphorus Device Connector provides Phosphorus with the capability to ingest device data logs into Microsoft Sentinel through the Phosphorus REST API. The connector provides visibility into the devices enrolled in Phosphorus. This data connector pulls device information along with the corresponding alerts.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
Phosphorus_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • REST API Credentials/permissions: Phosphorus API Key is required. Please make sure that the API Key associated with the User has the Manage Settings permissions enabled.

Follow these instructions to enable Manage Settings permissions.

  1. Log in to the Phosphorus Application
  2. Go to 'Settings' -> 'Groups'
  3. Select the Group the Integration user is a part of
  4. Navigate to 'Product Actions' -> toggle on the 'Manage Settings' permission.


Ping One (via Codeless Connector Framework)

Supported by: Microsoft Corporation

This connector ingests audit activity logs from the PingOne Identity platform into Microsoft Sentinel using the Codeless Connector Framework.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
PingOne_AuditActivitiesV2_CL | No | No

Data collection rule support: Not currently supported


Prancer Data Connector

Supported by: Prancer PenSuiteAI Integration

The Prancer Data Connector provides the capability to ingest Prancer CSPM (https://docs.prancer.io/web/CSPM/) and PAC data for processing in Microsoft Sentinel. Refer to the Prancer documentation for more information.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
prancer_CL | No | No

Data collection rule support: Not currently supported


Premium Microsoft Defender Threat Intelligence

Supported by: Microsoft Corporation

Microsoft Sentinel provides the capability to import threat intelligence generated by Microsoft to enable monitoring, alerting, and hunting. Use this data connector to import Indicators of Compromise (IOCs) from Premium Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, file hashes, and more. Note: This is a paid connector. To use and ingest data from it, purchase the "MDTI API Access" SKU from the Partner Center.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
ThreatIntelligenceIndicator | Yes | No

Data collection rule support: Workspace transform DCR


Proofpoint On Demand Email Security (via Codeless Connector Framework)

Supported by: Proofpoint, Inc.

The Proofpoint On Demand Email Security data connector provides the capability to get Proofpoint on Demand Email Protection data and allows users to check message traceability and monitor email activity, threats, and data exfiltration by attackers and malicious insiders. The connector provides the ability to review events in your org on an accelerated basis and to get event log files in hourly increments for recent activity.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
ProofpointPODMailLog_CL | No | No
ProofpointPODMessage_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Websocket API Credentials/permissions: ProofpointClusterID and ProofpointToken are required. For more information, see API.


Proofpoint On Demand Email Security (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Proofpoint On Demand Email Security data connector provides the capability to get Proofpoint on Demand Email Protection data and allows users to check message traceability and monitor email activity, threats, and data exfiltration by attackers and malicious insiders. The connector provides the ability to review events in your org on an accelerated basis and to get event log files in hourly increments for recent activity.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
ProofpointPODMailLog_CL | No | No
ProofpointPODMessage_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Websocket API Credentials/permissions: ProofpointClusterID and ProofpointToken are required. For more information, see API.


Proofpoint TAP (via Codeless Connector Framework)

Supported by: Proofpoint, Inc.

The Proofpoint Targeted Attack Protection (TAP) connector provides the capability to ingest Proofpoint TAP logs and events into Microsoft Sentinel. The connector provides visibility into Message and Click events in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
ProofPointTAPMessagesDeliveredV2_CL | No | No
ProofPointTAPMessagesBlockedV2_CL | No | No
ProofPointTAPClicksPermittedV2_CL | No | No
ProofPointTAPClicksBlockedV2_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Proofpoint TAP API Key: A Proofpoint TAP API service principal and secret are required to access Proofpoint's SIEM API. For more information, see Proofpoint SIEM API.


Proofpoint TAP (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Proofpoint Targeted Attack Protection (TAP) connector provides the capability to ingest Proofpoint TAP logs and events into Microsoft Sentinel. The connector provides visibility into Message and Click events in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
ProofPointTAPMessagesDeliveredV2_CL | No | No
ProofPointTAPMessagesBlockedV2_CL | No | No
ProofPointTAPClicksPermittedV2_CL | No | No
ProofPointTAPClicksBlockedV2_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Proofpoint TAP API Key: A Proofpoint TAP API service principal and secret are required to access Proofpoint's SIEM API. For more information, see Proofpoint SIEM API.


QscoutAppEventsConnector

Supported by: Quokka

Ingest Qscout application events into Microsoft Sentinel.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
QscoutAppEvents_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Qscout organization id: The API requires your organization ID in Qscout.
  • Qscout organization API key: The API requires your organization API key in Qscout.


Qualys VM KnowledgeBase (using Azure Functions)

Supported by: Microsoft Corporation

The Qualys Vulnerability Management (VM) KnowledgeBase (KB) connector provides the capability to ingest the latest vulnerability data from the Qualys KB into Microsoft Sentinel.

This data can be used to correlate and enrich vulnerability detections found by the Qualys Vulnerability Management (VM) data connector.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
QualysKB_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • Qualys API Key: A Qualys VM API username and password are required. For more information, see Qualys VM API.


Qualys Vulnerability Management (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Qualys Vulnerability Management (VM) data connector provides the capability to ingest vulnerability host detection data into Microsoft Sentinel through the Qualys API. The connector provides visibility into host detection data from vulnerability scans.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
QualysHostDetectionV3_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • API access and roles: Ensure the Qualys VM user has a role of Reader or higher. If the role is Reader, ensure that API access is enabled for the account. Auditor role is not supported to access the API. For more details, refer to the Qualys VM Host Detection API and User role Comparison document.


Radiflow iSID via AMA

Supported by: Radiflow

iSID enables non-disruptive monitoring of distributed ICS networks for changes in topology and behavior, using multiple security packages, each offering a unique capability pertaining to a specific type of network activity.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
RadiflowEvent | No | No

Data collection rule support: Not currently supported


Rapid7 Insight Platform Vulnerability Management Reports (using Azure Functions)

Supported by: Microsoft Corporation

The Rapid7 Insight VM Report data connector provides the capability to ingest scan reports and vulnerability data into Microsoft Sentinel through the REST API from the Rapid7 Insight platform (managed in the cloud). Refer to the API documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
NexposeInsightVMCloud_assets_CL | No | No
NexposeInsightVMCloud_vulnerabilities_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials: InsightVMAPIKey is required for the REST API. For more information, see API. Check all requirements and follow the instructions for obtaining credentials.


RSA ID Plus Admin Logs Connector

Supported by: RSA Support Team

The RSA ID Plus AdminLogs Connector provides the capability to ingest Cloud Admin Console Audit Events into Microsoft Sentinel using Cloud Admin APIs.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
RSAIDPlus_AdminLogs_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • RSA ID Plus API Authentication: To access the Admin APIs, a valid Base64URL-encoded JWT, signed with the client's Legacy Administration API key, is required.


Rubrik Security Cloud data connector (using Azure Functions)

Supported by: Rubrik

The Rubrik Security Cloud data connector enables security operations teams to integrate insights from Rubrik's Data Observability services into Microsoft Sentinel. The insights include identification of anomalous filesystem behavior associated with ransomware and mass deletion, assessment of the blast radius of a ransomware attack, and sensitive data insights that help operators prioritize and more rapidly investigate potential incidents.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
Rubrik_Anomaly_Data_CL | No | No
Rubrik_Ransomware_Data_CL | No | No
Rubrik_ThreatHunt_Data_CL | No | No
Rubrik_Events_Data_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.


SaaS Security

Supported by: Valence Security

Connects the Valence SaaS security platform to Azure Log Analytics via the REST API interface.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
ValenceAlert_CL | No | No

Data collection rule support: Not currently supported


SailPoint IdentityNow (using Azure Functions)

Supported by: SailPoint

The SailPoint IdentityNow data connector provides the capability to ingest SailPoint IdentityNow search events into Microsoft Sentinel through the REST API. The connector provides customers the ability to extract audit information from their IdentityNow tenant. It is intended to make it even easier to bring IdentityNow user activity and governance events into Microsoft Sentinel to improve insights from your security incident and event monitoring solution.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
SailPointIDN_Events_CL | No | No
SailPointIDN_Triggers_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • SailPoint IdentityNow API Authentication Credentials: TENANT_ID, CLIENT_ID and CLIENT_SECRET are required for authentication.


Salesforce Service Cloud (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Salesforce Service Cloud data connector provides the capability to ingest information about your Salesforce operational events into Microsoft Sentinel through the REST API. The connector provides the ability to review events in your org on an accelerated basis and to get event log files in hourly increments for recent activity.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
SalesforceServiceCloudV2_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Salesforce Service Cloud API access: Access to the Salesforce Service Cloud API through a Connected App is required.


Samsung Knox Asset Intelligence

Supported by: Samsung Electronics Co., Ltd.

Samsung Knox Asset Intelligence Data Connector lets you centralize your mobile security events and logs in order to view customized insights using the Workbook template, and identify incidents based on Analytics Rules templates.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
Samsung_Knox_Audit_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:


SAP BTP

Supported by: Microsoft Corporation

SAP Business Technology Platform (SAP BTP) brings together data management, analytics, artificial intelligence, application development, automation, and integration in one, unified environment.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
SAPBTPAuditLog_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Client Id and Client Secret for Audit Retrieval API: Enable API access in BTP.


SAP Enterprise Threat Detection, cloud edition

Supported by: SAP

The SAP Enterprise Threat Detection, cloud edition (ETD) data connector enables ingestion of security alerts from ETD into Microsoft Sentinel, supporting cross-correlation, alerting, and threat hunting.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
SAPETDAlerts_CL | No | No
SAPETDInvestigations_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Client Id and Client Secret for ETD Retrieval API: Enable API access in ETD.


SAP LogServ (RISE), S/4HANA Cloud private edition

Supported by: SAP

SAP LogServ is an SAP Enterprise Cloud Services (ECS) service aimed at the collection, storage, forwarding, and access of logs. LogServ centralizes the logs from all systems, applications, and ECS services used by a registered customer.

Main features include:

  • Near real-time log collection: with the ability to integrate into Microsoft Sentinel as the SIEM solution.

LogServ complements the existing SAP application layer threat monitoring and detections in Microsoft Sentinel with the log types owned by SAP ECS as the system provider. This includes logs such as: SAP Security Audit Log (AS ABAP), HANA database, AS JAVA, ICM, SAP Web Dispatcher, SAP Cloud Connector, OS, SAP Gateway, 3rd-party database, network, DNS, proxy, and firewall.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
SAPLogServ_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft Entra: Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.
  • Microsoft Azure: Permission to assign Monitoring Metrics Publisher role on data collection rules. Typically requires Azure RBAC Owner or User Access Administrator role.


SAP S/4HANA Cloud Public Edition

Supported by: SAP

The SAP S/4HANA Cloud Public Edition (GROW with SAP) data connector enables ingestion of SAP's security audit log into the Microsoft Sentinel Solution for SAP, supporting cross-correlation, alerting, and threat hunting. Looking for alternative authentication mechanisms? See here.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
ABAPAuditLog | Yes | Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Client Id and Client Secret for Audit Retrieval API: Enable API access in BTP.


SecurityBridge Solution for SAP

Supported by: SecurityBridge

SecurityBridge enhances SAP security by integrating seamlessly with Microsoft Sentinel, enabling real-time monitoring and threat detection across SAP environments. This integration allows Security Operations Centers (SOCs) to consolidate SAP security events with other organizational data, providing a unified view of the threat landscape. Leveraging AI-powered analytics and Microsoft’s Security Copilot, SecurityBridge identifies sophisticated attack patterns and vulnerabilities within SAP applications, including ABAP code scanning and configuration assessments. The solution supports scalable deployments across complex SAP landscapes, whether on-premises, in the cloud, or hybrid environments. By bridging the gap between IT and SAP security teams, SecurityBridge empowers organizations to proactively detect, investigate, and respond to threats, enhancing overall security posture.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
ABAPAuditLog | Yes | Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Microsoft Entra: Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.
  • Microsoft Azure: Permission to assign Monitoring Metrics Publisher role on data collection rules. Typically requires Azure RBAC Owner or User Access Administrator role.


SentinelOne

Supported by: Microsoft Corporation

The SentinelOne data connector allows ingesting logs from the SentinelOne API into Microsoft Sentinel. The data connector is built on the Microsoft Sentinel Codeless Connector Framework. It uses the SentinelOne API to fetch logs and supports DCR-based ingestion-time transformations that parse the received security data into a custom table so that queries don't need to parse it again, resulting in better performance.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
SentinelOneActivities_CL | No | No
SentinelOneAgents_CL | No | No
SentinelOneGroups_CL | No | No
SentinelOneThreats_CL | No | No
SentinelOneAlerts_CL | No | No

Data collection rule support: Not currently supported


SentinelOne (using Azure Functions)

Supported by: Microsoft Corporation

The SentinelOne data connector provides the capability to ingest common SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. Refer to API documentation: https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
SentinelOne_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: SentinelOneAPIToken is required. See the API documentation at https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview to learn more.


Seraphic Web Security

Supported by: Seraphic Security

The Seraphic Web Security data connector provides the capability to ingest Seraphic Web Security events and alerts into Microsoft Sentinel.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
SeraphicWebSecurity_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • Seraphic API key: An API key for Microsoft Sentinel connected to your Seraphic Web Security tenant. To get this API key for your tenant, read the Seraphic documentation.


Silverfort Admin Console

Supported by: Silverfort

The Silverfort ITDR Admin Console connector solution allows ingestion of Silverfort events and logging into Microsoft Sentinel. Silverfort provides syslog-based events and logging using Common Event Format (CEF). By forwarding your Silverfort ITDR Admin Console CEF data into Microsoft Sentinel, you can take advantage of Microsoft Sentinel's search and correlation, alerting, and threat intelligence enrichment on Silverfort data. Contact Silverfort or consult the Silverfort documentation for more information.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
CommonSecurityLog | Yes | Yes

Data collection rule support: Workspace transform DCR


SlackAudit (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The SlackAudit data connector provides the capability to ingest Slack Audit logs into Microsoft Sentinel through the REST API. Refer to API documentation for more information.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
SlackAuditV2_CL | No | No

Data collection rule support: Not currently supported

Prerequisites:

  • UserName, SlackAudit API Key & Action Type: To generate the access token, create a new application in Slack, then add the necessary scopes and configure the redirect URL. For detailed instructions on generating the access token, user name, and action name limit, refer to the linked documentation.


Snowflake (via Codeless Connector Framework)

Supported by: Microsoft Corporation

The Snowflake data connector provides the capability to ingest Snowflake Login History Logs, Query History Logs, User-Grant Logs, Role-Grant Logs, Load History Logs, Materialized View Refresh History Logs, Roles Logs, Tables Logs, Table Storage Metrics Logs, and Users Logs into Microsoft Sentinel using the Snowflake SQL API. Refer to the Snowflake SQL API documentation for more information.

Log Analytics table(s):

Table | DCR support | Lake-only ingestion
SnowflakeLogin_CL | No | No
SnowflakeQuery_CL | No | No
SnowflakeUserGrant_CL | No | No
SnowflakeRoleGrant_CL | No | No
SnowflakeLoad_CL | No | No
SnowflakeMaterializedView_CL | No | No
SnowflakeRoles_CL | No | No
SnowflakeTables_CL | No | No
SnowflakeTableStorageMetrics_CL | No | No
SnowflakeUsers_CL | No | No

Data collection rule support: Not currently supported


SOC Prime Platform Audit Logs Data Connector

Supported by: SOC Prime

The SOC Prime Audit Logs data connector allows ingesting logs from the SOC Prime Platform API into Microsoft Sentinel. The data connector is built on the Microsoft Sentinel Codeless Connector Framework. It uses the SOC Prime Platform API to fetch SOC Prime platform audit logs and supports DCR-based ingestion-time transformations that parse the received security data into a custom table, resulting in better performance.

Log Analytics table(s):

Table DCR support Lake-only ingestion
SOCPrimeAuditLogs_CL No No

Data collection rule support: Not currently supported


Sonrai Data Connector

Supported by: N/A

Use this data connector to integrate with Sonrai Security and get Sonrai tickets sent directly to Microsoft Sentinel.

Log Analytics table(s):

Table DCR support Lake-only ingestion
Sonrai_Tickets_CL No No

Data collection rule support: Not currently supported


Sophos Cloud Optix

Supported by: Sophos

The Sophos Cloud Optix connector allows you to easily connect your Sophos Cloud Optix logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's cloud security and compliance posture and improves your cloud security operation capabilities.

Log Analytics table(s):

Table DCR support Lake-only ingestion
SophosCloudOptix_CL No No

Data collection rule support: Not currently supported


Sophos Endpoint Protection (using Azure Functions)

Supported by: Microsoft Corporation

The Sophos Endpoint Protection data connector provides the capability to ingest Sophos events into Microsoft Sentinel. Refer to Sophos Central Admin documentation for more information.

Log Analytics table(s):

Table DCR support Lake-only ingestion
SophosEP_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: An API token is required. For more information, see API token.


Sophos Endpoint Protection (using REST API)

Supported by: Microsoft Corporation

The Sophos Endpoint Protection data connector provides the capability to ingest Sophos events and Sophos alerts into Microsoft Sentinel. Refer to Sophos Central Admin documentation for more information.

Log Analytics table(s):

Table DCR support Lake-only ingestion
SophosEPEvents_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Sophos Endpoint Protection API access: Access to the Sophos Endpoint Protection API through a service principal is required.


Symantec Integrated Cyber Defense Exchange

Supported by: Microsoft Corporation

Symantec ICDx connector allows you to easily connect your Symantec security solutions logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities.

Log Analytics table(s):

Table DCR support Lake-only ingestion
SymantecICDx_CL No No

Data collection rule support: Not currently supported


Syslog via AMA

Supported by: Microsoft Corporation

Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace.

Learn more >

Log Analytics table(s):

Table DCR support Lake-only ingestion
Syslog Yes Yes

Data collection rule support: Workspace transform DCR


Talon Insights

Supported by: Talon Security

The Talon Security Logs connector allows you to easily connect your Talon events and audit logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation.

Log Analytics table(s):

Table DCR support Lake-only ingestion
Talon_CL No No

Data collection rule support: Not currently supported


Team Cymru Scout Data Connector (using Azure Functions)

Supported by: Team Cymru

The TeamCymruScout Data Connector allows users to bring Team Cymru Scout IP, domain and account usage data into Microsoft Sentinel for enrichment.

Log Analytics table(s):

Table DCR support Lake-only ingestion
Cymru_Scout_Domain_Data_CL No No
Cymru_Scout_IP_Data_Foundation_CL No No
Cymru_Scout_IP_Data_Details_CL No No
Cymru_Scout_IP_Data_Communications_CL No No
Cymru_Scout_IP_Data_PDNS_CL No No
Cymru_Scout_IP_Data_Fingerprints_CL No No
Cymru_Scout_IP_Data_OpenPorts_CL No No
Cymru_Scout_IP_Data_x509_CL No No
Cymru_Scout_IP_Data_Summary_Details_CL No No
Cymru_Scout_IP_Data_Summary_PDNS_CL No No
Cymru_Scout_IP_Data_Summary_OpenPorts_CL No No
Cymru_Scout_IP_Data_Summary_Certs_CL No No
Cymru_Scout_IP_Data_Summary_Fingerprints_CL No No
Cymru_Scout_Account_Usage_Data_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • Permission to assign a role to the registered application: Permission to assign a role to the registered application in Microsoft Entra ID is required.
  • Team Cymru Scout Credentials/permissions: Team Cymru Scout account credentials (Username, Password) are required.


Tenable Identity Exposure

Supported by: Tenable

Tenable Identity Exposure connector allows Indicators of Exposure, Indicators of Attack and trailflow logs to be ingested into Microsoft Sentinel. The different workbooks and data parsers allow you to more easily manipulate logs and monitor your Active Directory environment. The analytic templates allow you to automate responses regarding different events, exposures and attacks.

Log Analytics table(s):

Table DCR support Lake-only ingestion

Data collection rule support: Not currently supported

Prerequisites:

  • Access to TenableIE Configuration: Permissions to configure the syslog alerting engine.


Tenable Vulnerability Management (using Azure Functions)

Supported by: Tenable

The TVM data connector provides the ability to ingest Asset, Vulnerability, Compliance, WAS assets and WAS vulnerabilities data into Microsoft Sentinel using TVM REST APIs. Refer to the API documentation for more information. The connector provides the ability to get data which helps to examine potential security risks, get insight into your computing assets, diagnose configuration problems and more.

Log Analytics table(s):

Table DCR support Lake-only ingestion
Tenable_VM_Asset_CL No No
Tenable_VM_Vuln_CL No No
Tenable_VM_Compliance_CL No No
Tenable_WAS_Asset_CL No No
Tenable_WAS_Vuln_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: Both a TenableAccessKey and a TenableSecretKey are required to access the Tenable REST API. For more information, see API. Check all requirements and follow the instructions for obtaining credentials.


Tenant-based Microsoft Defender for Cloud

Supported by: Microsoft Corporation

Microsoft Defender for Cloud is a security management tool that allows you to detect and quickly respond to threats across Azure, hybrid, and multi-cloud workloads. This connector allows you to stream your MDC security alerts from Microsoft 365 Defender into Microsoft Sentinel, so you can leverage the advantages of XDR correlations that connect the dots across your cloud resources, devices and identities, view the data in workbooks and queries, and investigate and respond to incidents. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table DCR support Lake-only ingestion
SecurityAlert Yes Yes

Data collection rule support: Workspace transform DCR


TheHive Project - TheHive (using Azure Functions)

Supported by: Microsoft Corporation

The TheHive data connector provides the capability to ingest common TheHive events into Microsoft Sentinel through Webhooks. TheHive can notify external systems of modification events (case creation, alert update, task assignment) in real time. When a change occurs in TheHive, an HTTPS POST request with event information is sent to a callback data connector URL. Refer to the Webhooks documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

Table DCR support Lake-only ingestion
TheHive_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • Webhooks Credentials/permissions: TheHiveBearerToken and Callback URL are required for working Webhooks. See the documentation to learn more about configuring Webhooks.


Theom

Supported by: Theom

Theom Data Connector enables organizations to connect their Theom environment to Microsoft Sentinel. This solution enables users to receive alerts on data security risks, create and enrich incidents, check statistics and trigger SOAR playbooks in Microsoft Sentinel.

Log Analytics table(s):

Table DCR support Lake-only ingestion
TheomAlerts_CL No No

Data collection rule support: Not currently supported


Threat intelligence - TAXII

Supported by: Microsoft Corporation

Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send the supported STIX object types from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table DCR support Lake-only ingestion
ThreatIntelligenceIndicator Yes No

Data collection rule support: Workspace transform DCR


Threat Intelligence Platforms

Supported by: Microsoft Corporation

Microsoft Sentinel integrates with Microsoft Graph Security API data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send threat indicators to Microsoft Sentinel from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table DCR support Lake-only ingestion
ThreatIntelligenceIndicator Yes No

Data collection rule support: Workspace transform DCR


Threat Intelligence Upload API (Preview)

Supported by: Microsoft Corporation

Microsoft Sentinel offers a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table DCR support Lake-only ingestion
ThreatIntelligenceIndicator Yes No

Data collection rule support: Workspace transform DCR


Transmit Security Connector (using Azure Functions)

Supported by: Transmit Security

The Transmit Security data connector provides the capability to ingest common Transmit Security API events into Microsoft Sentinel through the REST API. Refer to the API documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

Table DCR support Lake-only ingestion
TransmitSecurityActivity_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Client ID: TransmitSecurityClientID is required. See the documentation to learn more about the API at https://developer.transmitsecurity.com/.
  • REST API Client Secret: TransmitSecurityClientSecret is required. See the documentation to learn more about the API at https://developer.transmitsecurity.com/.


Trend Vision One (using Azure Functions)

Supported by: Trend Micro

The Trend Vision One connector allows you to easily connect your Workbench alert data with Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities. This gives you more insight into your organization's networks/systems and improves your security operation capabilities.

The Trend Vision One connector is supported in Microsoft Sentinel in the following regions: Australia East, Australia Southeast, Brazil South, Canada Central, Canada East, Central India, Central US, East Asia, East US, East US 2, France Central, Japan East, Korea Central, North Central US, North Europe, Norway East, South Africa North, South Central US, Southeast Asia, Sweden Central, Switzerland North, UAE North, UK South, UK West, West Europe, West US, West US 2, West US 3.

Log Analytics table(s):

Table DCR support Lake-only ingestion
TrendMicro_XDR_WORKBENCH_CL No No
TrendMicro_XDR_RCA_Task_CL No No
TrendMicro_XDR_RCA_Result_CL No No
TrendMicro_XDR_OAT_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • Trend Vision One API Token: A Trend Vision One API Token is required. See the documentation to learn more about the Trend Vision One API.


Tropico Security - Alerts

Supported by: TROPICO Security

Ingest security alerts from Tropico Security Platform in OCSF Security Finding format.

Log Analytics table(s):

Table DCR support Lake-only ingestion
{{graphQueriesTableName}} No No

Data collection rule support: Not currently supported


Tropico Security - Events

Supported by: TROPICO Security

Ingest security events from Tropico Security Platform in OCSF Security Finding format.

Log Analytics table(s):

Table DCR support Lake-only ingestion
{{graphQueriesTableName}} No No

Data collection rule support: Not currently supported


Tropico Security - Incidents

Supported by: TROPICO Security

Ingest attacker session incidents from Tropico Security Platform.

Log Analytics table(s):

Table DCR support Lake-only ingestion
{{graphQueriesTableName}} No No

Data collection rule support: Not currently supported


Varonis Purview Push Connector

Supported by: Varonis

The Varonis Purview connector provides the capability to sync resources from Varonis to Microsoft Purview.

Log Analytics table(s):

Table DCR support Lake-only ingestion
varonisresources_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft Entra: Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.
  • Microsoft Azure: Permission to assign the Monitoring Metrics Publisher role on the data collection rule (DCR). Typically requires the Azure RBAC Owner or User Access Administrator role.


Varonis SaaS

Supported by: Varonis

Varonis SaaS provides the capability to ingest Varonis Alerts into Microsoft Sentinel.

Varonis prioritizes deep data visibility, classification capabilities, and automated remediation for data access. Varonis builds a single prioritized view of risk for your data, so you can proactively and systematically eliminate risk from insider threats and cyberattacks.

Log Analytics table(s):

Table DCR support Lake-only ingestion
VaronisAlerts_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.


Vectra XDR (using Azure Functions)

Supported by: Vectra Support

The Vectra XDR connector gives the capability to ingest Vectra Detections, Audits, Entity Scoring, Lockdown, Health and Entities data into Microsoft Sentinel through the Vectra REST API. Refer to the API documentation: https://support.vectra.ai/s/article/KB-VS-1666 for more information.

Log Analytics table(s):

Table DCR support Lake-only ingestion
Detections_Data_CL No No
Audits_Data_CL No No
Entity_Scoring_Data_CL No No
Lockdown_Data_CL No No
Health_Data_CL No No
Entities_Data_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: A Vectra Client ID and Client Secret are required for Health, Entity Scoring, Entities, Detections, Lockdown and Audit data collection. See the documentation to learn more about the API at https://support.vectra.ai/s/article/KB-VS-1666.


Veeam Data Connector (using Azure Functions)

Supported by: Veeam Software

Veeam Data Connector allows you to ingest Veeam telemetry data from multiple custom tables into Microsoft Sentinel.

The connector supports integration with Veeam Backup & Replication, Veeam ONE and Coveware platforms to provide comprehensive monitoring and security analytics. The data is collected through Azure Functions and stored in custom Log Analytics tables with dedicated Data Collection Rules (DCR) and Data Collection Endpoints (DCE).

Custom Tables Included:

  • VeeamMalwareEvents_CL: Malware detection events from Veeam Backup & Replication
  • VeeamSecurityComplianceAnalyzer_CL: Security & Compliance Analyzer results collected from Veeam backup infrastructure components
  • VeeamAuthorizationEvents_CL: Authorization and authentication events
  • VeeamOneTriggeredAlarms_CL: Triggered alarms from Veeam ONE servers
  • VeeamCovewareFindings_CL: Security findings from Coveware solution
  • VeeamSessions_CL: Veeam sessions

Log Analytics table(s):

Table DCR support Lake-only ingestion
VeeamMalwareEvents_CL No No
VeeamSecurityComplianceAnalyzer_CL No No
VeeamOneTriggeredAlarms_CL No No
VeeamAuthorizationEvents_CL No No
VeeamCovewareFindings_CL No No
VeeamSessions_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • Veeam Infrastructure Access: Access to Veeam Backup & Replication REST API and Veeam ONE monitoring platform is required. This includes proper authentication credentials and network connectivity.


VirtualMetric DataStream for Microsoft Sentinel

Supported by: VirtualMetric

VirtualMetric DataStream connector deploys Data Collection Rules to ingest security telemetry into Microsoft Sentinel.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CommonSecurityLog Yes Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • App Registration or Azure Managed Identity: VirtualMetric DataStream requires an Entra ID identity to authenticate and send logs to Microsoft Sentinel. You can choose between creating an App Registration with Client ID and Client Secret, or using Azure Managed Identity for enhanced security without credential management.
  • Resource Group Role Assignment: The chosen identity (App Registration or Managed Identity) must be assigned to the resource group containing the Data Collection Endpoint with the following roles: Monitoring Metrics Publisher (for log ingestion) and Monitoring Reader (for reading stream configuration).


VirtualMetric DataStream for Microsoft Sentinel data lake

Supported by: VirtualMetric

VirtualMetric DataStream connector deploys Data Collection Rules to ingest security telemetry into Microsoft Sentinel data lake.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CommonSecurityLog Yes Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • App Registration or Azure Managed Identity: VirtualMetric DataStream requires an Entra ID identity to authenticate and send logs to Microsoft Sentinel data lake. You can choose between creating an App Registration with Client ID and Client Secret, or using Azure Managed Identity for enhanced security without credential management.
  • Resource Group Role Assignment: The chosen identity (App Registration or Managed Identity) must be assigned to the resource group containing the Data Collection Endpoint with the following roles: Monitoring Metrics Publisher (for log ingestion) and Monitoring Reader (for reading stream configuration).


VirtualMetric Director Proxy

Supported by: VirtualMetric

VirtualMetric Director Proxy deploys an Azure Function App to securely bridge VirtualMetric DataStream with Azure services including Microsoft Sentinel, Azure Data Explorer, and Azure Storage.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CommonSecurityLog Yes Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Azure Function App: An Azure Function App must be deployed to host the Director Proxy. Requires read, write, and delete permissions on Microsoft.Web/sites resources within your resource group to create and manage the Function App.
  • VirtualMetric DataStream Configuration: You need VirtualMetric DataStream configured with authentication credentials to connect to the Director Proxy. The Director Proxy acts as a secure bridge between VirtualMetric DataStream and Azure services.
  • Target Azure Services: Configure your target Azure services such as Microsoft Sentinel Data Collection Endpoints, Azure Data Explorer clusters, or Azure Storage accounts where the Director Proxy will forward data.


VMRayThreatIntelligence (using Azure Functions)

Supported by: VMRay

VMRayThreatIntelligence connector automatically generates and feeds threat intelligence for all submissions to VMRay, improving threat detection and incident response in Sentinel. This seamless integration empowers teams to proactively address emerging threats.

Log Analytics table(s):

Table DCR support Lake-only ingestion
ThreatIntelligenceIndicator Yes No

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Azure Subscription: An Azure subscription with the Owner role is required to register an application in Azure Active Directory and assign the Contributor role to the app in the resource group.
  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • REST API Credentials/permissions: VMRay API Key is required.


VMware Carbon Black Cloud (using Azure Functions)

Supported by: Microsoft

The VMware Carbon Black Cloud connector provides the capability to ingest Carbon Black data into Microsoft Sentinel. The connector provides visibility into Audit, Notification and Event logs in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CarbonBlackEvents_CL No No
CarbonBlackNotifications_CL No No
CarbonBlackAuditLogs_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • VMware Carbon Black API Key(s): Carbon Black API and/or SIEM Level API Key(s) are required. See the documentation to learn more about the Carbon Black API.
  • A Carbon Black API access level API ID and Key are required for Audit and Event logs.
  • A Carbon Black SIEM access level API ID and Key are required for Notification alerts.
  • Amazon S3 REST API Credentials/permissions: AWS Access Key Id, AWS Secret Access Key, AWS S3 Bucket Name, Folder Name in AWS S3 Bucket are required for Amazon S3 REST API.


VMware Carbon Black Cloud via AWS S3

Supported by: Microsoft

The VMware Carbon Black Cloud via AWS S3 data connector provides the capability to ingest watchlist, alert, auth and endpoint events via AWS S3 and stream them to ASIM normalized tables. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

Table DCR support Lake-only ingestion
CarbonBlack_Alerts_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Environment: You must have the following AWS resources defined and configured: S3, Simple Queue Service (SQS), IAM roles and permissions policies.
  • Environment: You must have a Carbon Black account and the permissions required to create a Data Forwarder to AWS S3 buckets. For more information, see the Carbon Black Data Forwarder docs.


Windows DNS Events via AMA

Supported by: Microsoft Corporation

The Windows DNS log connector allows you to easily filter and stream all analytics logs from your Windows DNS servers to your Microsoft Sentinel workspace using the Azure Monitor agent (AMA). Having this data in Microsoft Sentinel helps you identify issues and security threats such as:

  • Trying to resolve malicious domain names.
  • Stale resource records.
  • Frequently queried domain names and talkative DNS clients.
  • Attacks performed on DNS servers.

You can get the following insights into your Windows DNS servers from Microsoft Sentinel:

  • All logs centralized in a single place.
  • Request load on DNS servers.
  • Dynamic DNS registration failures.

Windows DNS events are supported by Advanced SIEM Information Model (ASIM) and stream data into the ASimDnsActivityLogs table. Learn more.

For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table DCR support Lake-only ingestion
ASimDnsActivityLogs Yes Yes

Data collection rule support: Workspace transform DCR


Windows Firewall

Supported by: Microsoft Corporation

Windows Firewall is a Microsoft Windows application that filters information coming to your system from the Internet and blocks potentially harmful programs. The software blocks most programs from communicating through the firewall. Users simply add a program to the list of allowed programs to allow it to communicate through the firewall. When using a public network, Windows Firewall can also secure the system by blocking all unsolicited attempts to connect to your computer. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table DCR support Lake-only ingestion

Data collection rule support: Not currently supported


Windows Firewall Events via AMA

Supported by: Microsoft Corporation

Windows Firewall is a Microsoft Windows application that filters information coming to your system from the internet and blocks potentially harmful programs. The firewall software blocks most programs from communicating through the firewall. To stream the Windows Firewall application logs collected from your machines, use the Azure Monitor agent (AMA) to send those logs to the Microsoft Sentinel workspace.

A configured data collection endpoint (DCE) is required to be linked with the data collection rule (DCR) created for the AMA to collect logs. For this connector, a DCE is automatically created in the same region as the workspace. If you already use a DCE stored in the same region, it's possible to change the default created DCE and use your existing one through the API. DCEs can be located in your resources with SentinelDCE prefix in the resource name.

For more information, see the following articles:

Log Analytics table(s):

Table DCR support Lake-only ingestion

Data collection rule support: Not currently supported


Windows Forwarded Events

Supported by: Microsoft Corporation

You can stream all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA). This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table DCR support Lake-only ingestion
WindowsEvent Yes Yes

Data collection rule support: Workspace transform DCR


Windows Security Events via AMA

Supported by: Microsoft Corporation

You can stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

Table DCR support Lake-only ingestion
SecurityEvent Yes Yes

Data collection rule support: Workspace transform DCR


WithSecure Elements API (Azure Function)

Supported by: WithSecure

WithSecure Elements is the unified cloud-based cyber security platform designed to reduce risk, complexity, and inefficiency.

Elevate your security from your endpoints to your cloud applications. Arm yourself against every type of cyber threat, from targeted attacks to zero-day ransomware.

WithSecure Elements combines powerful predictive, preventive, and responsive security capabilities - all managed and monitored through a single security center. Our modular structure and flexible pricing models give you the freedom to evolve. With our expertise and insight, you'll always be empowered - and you'll never be alone.

With Microsoft Sentinel integration, you can correlate security events data from the WithSecure Elements solution with data from other sources, enabling a rich overview of your entire environment and faster reaction to threats.

With this solution, an Azure Function is deployed to your tenant that periodically polls for WithSecure Elements security events.

For more information visit our website at: https://www.withsecure.com.

Log Analytics table(s):

Table DCR support Lake-only ingestion
WsSecurityEvents_CL No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • WithSecure Elements API client credentials: Client credentials are required. See the documentation to learn more.


Wiz (using Azure Functions)

Supported by: Wiz

The Wiz connector allows you to easily send Wiz Issues, Vulnerability Findings, and Audit logs to Microsoft Sentinel.

Log Analytics table(s):

Table DCR support Lake-only ingestion
union isfuzzy=true (WizIssues_CL), (WizIssuesV2_CL) No No
union isfuzzy=true (WizVulnerabilities_CL), (WizVulnerabilitiesV2_CL) No No
union isfuzzy=true (WizAuditLogs_CL), (WizAuditLogsV2_CL) No No

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • Wiz Service Account credentials: Ensure you have your Wiz service account client ID and client secret, API endpoint URL, and auth URL. Instructions can be found in the Wiz documentation.


Workday User Activity

Supported by: Microsoft Corporation

The Workday User Activity data connector provides the capability to ingest User Activity Logs from Workday API into Microsoft Sentinel.

Log Analytics table(s):

Table DCR support Lake-only ingestion
ASimAuditEventLogs Yes Yes

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Workday User Activity API access: Access to the Workday user activity API through OAuth is required. The API client needs to have the scope System, and it needs to be authorized by an account with System Auditing permissions.


Workplace from Facebook (using Azure Functions)

Supported by: Microsoft Corporation

The Workplace data connector provides the capability to ingest common Workplace events into Microsoft Sentinel through Webhooks. Webhooks enable custom integration apps to subscribe to events in Workplace and receive updates in real time. When a change occurs in Workplace, an HTTPS POST request with event information is sent to a callback data connector URL. Refer to the Webhooks documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

| Table | DCR support | Lake-only ingestion |
|---|---|---|
| Workplace_Facebook_CL | No | No |

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • Webhooks credentials/permissions: WorkplaceAppSecret, WorkplaceVerifyToken, and a Callback URL are required for working Webhooks. See the documentation to learn more about configuring Webhooks and configuring permissions.


Zero Networks Segment Audit

Supported by: Zero Networks

The Zero Networks Segment Audit data connector provides the capability to ingest Zero Networks Audit events into Microsoft Sentinel through the REST API. This data connector uses Microsoft Sentinel native polling capability.

Log Analytics table(s):

| Table | DCR support | Lake-only ingestion |
|---|---|---|
| ZNSegmentAuditNativePoller_CL | No | No |

Data collection rule support: Not currently supported

Prerequisites:

  • Zero Networks API Token: ZeroNetworksAPIToken is required for the REST API. See the API Guide and follow the instructions for obtaining credentials.


ZeroFox CTI

Supported by: ZeroFox

The ZeroFox CTI data connectors provide the capability to ingest the different ZeroFox cyber threat intelligence alerts into Microsoft Sentinel.

Log Analytics table(s):

| Table | DCR support | Lake-only ingestion |
|---|---|---|
| ZeroFox_CTI_advanced_dark_web_CL | No | No |
| ZeroFox_CTI_botnet_CL | No | No |
| ZeroFox_CTI_breaches_CL | No | No |
| ZeroFox_CTI_C2_CL | No | No |
| ZeroFox_CTI_compromised_credentials_CL | No | No |
| ZeroFox_CTI_credit_cards_CL | No | No |
| ZeroFox_CTI_dark_web_CL | No | No |
| ZeroFox_CTI_discord_CL | No | No |
| ZeroFox_CTI_disruption_CL | No | No |
| ZeroFox_CTI_email_addresses_CL | No | No |
| ZeroFox_CTI_exploits_CL | No | No |
| ZeroFox_CTI_irc_CL | No | No |
| ZeroFox_CTI_malware_CL | No | No |
| ZeroFox_CTI_national_ids_CL | No | No |
| ZeroFox_CTI_phishing_CL | No | No |
| ZeroFox_CTI_phone_numbers_CL | No | No |
| ZeroFox_CTI_ransomware_CL | No | No |
| ZeroFox_CTI_telegram_CL | No | No |
| ZeroFox_CTI_threat_actors_CL | No | No |
| ZeroFox_CTI_vulnerabilities_CL | No | No |

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • ZeroFox API credentials/permissions: A ZeroFox Username and ZeroFox Personal Access Token are required for the ZeroFox CTI REST API.


ZeroFox Enterprise - Alerts (Polling CCF)

Supported by: ZeroFox

Collects alerts from the ZeroFox API.

Log Analytics table(s):

| Table | DCR support | Lake-only ingestion |
|---|---|---|
| ZeroFoxAlertPoller_CL | No | No |

Data collection rule support: Not currently supported

Prerequisites:

  • ZeroFox Personal Access Token (PAT): A ZeroFox PAT is required. You can get it in Data Connectors > API Data Feeds.


Zimperium Mobile Threat Defense

Supported by: Zimperium

The Zimperium Mobile Threat Defense connector gives you the ability to connect the Zimperium threat log with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's mobile threat landscape and enhances your security operation capabilities.

Log Analytics table(s):

| Table | DCR support | Lake-only ingestion |
|---|---|---|
| ZimperiumThreatLog_CL | No | No |

Data collection rule support: Not currently supported


Zoom Reports (using Azure Functions)

Supported by: Microsoft Corporation

The Zoom Reports data connector provides the capability to ingest Zoom Reports events into Microsoft Sentinel through the REST API. Refer to the API documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.

Log Analytics table(s):

| Table | DCR support | Lake-only ingestion |
|---|---|---|
| Zoom_CL | No | No |

Data collection rule support: Not currently supported

Prerequisites:


Deprecated Sentinel data connectors

Note

The following table lists the deprecated and legacy data connectors. Deprecated connectors are no longer supported.

[Deprecated] GitHub Enterprise Audit Log

Supported by: Microsoft Corporation

The GitHub audit log connector provides the capability to ingest GitHub logs into Microsoft Sentinel. By connecting GitHub audit logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.

Note: If you intend to ingest GitHub subscribed events into Microsoft Sentinel, refer to the GitHub (using Webhooks) connector in the "Data Connectors" gallery.

NOTE: This data connector has been deprecated; consider moving to the CCF data connector available in the solution, which replaces ingestion via the deprecated HTTP Data Collector API.

Log Analytics table(s):

| Table | DCR support | Lake-only ingestion |
|---|---|---|
| GitHubAuditLogPolling_CL | No | No |

Data collection rule support: Not currently supported

Prerequisites:

  • GitHub API personal access token: You need a GitHub personal access token to enable polling for the organization audit log. You may use either a classic token with 'read:org' scope OR a fine-grained token with 'Administration: Read-only' scope.
  • GitHub Enterprise type: This connector will only function with GitHub Enterprise Cloud; it will not support GitHub Enterprise Server.


[Deprecated] Infoblox SOC Insight Data Connector via Legacy Agent

Supported by: Infoblox

The Infoblox SOC Insight Data Connector allows you to easily connect your Infoblox BloxOne SOC Insight data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.

This data connector ingests Infoblox SOC Insight CDC logs into your Log Analytics Workspace using the legacy Log Analytics agent.

Microsoft recommends installing the Infoblox SOC Insight Data Connector via AMA connector. The legacy connector uses the Log Analytics agent, which is about to be deprecated on Aug 31, 2024, and should only be installed where AMA is not supported.

Using MMA and AMA on the same machine can cause log duplication and extra ingestion cost.

Log Analytics table(s):

| Table | DCR support | Lake-only ingestion |
|---|---|---|
| CommonSecurityLog | Yes | Yes |

Data collection rule support: Workspace transform DCR


[Deprecated] Lookout

Supported by: Lookout

The Lookout data connector provides the capability to ingest Lookout events into Microsoft Sentinel through the Mobile Risk API. Refer to the API documentation for more information. The Lookout data connector provides the ability to retrieve events, which helps you examine potential security risks and more.

NOTE: This data connector has been deprecated; consider moving to the CCF data connector available in the solution, which replaces ingestion via the deprecated HTTP Data Collector API.

Log Analytics table(s):

| Table | DCR support | Lake-only ingestion |
|---|---|---|
| Lookout_CL | No | No |

Data collection rule support: Not currently supported

Prerequisites:

  • Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App are required. For more information, see Azure Functions.
  • Mobile Risk API credentials/permissions: EnterpriseName and ApiKey are required for the Mobile Risk API. For more information, see the API documentation. Check all requirements and follow the instructions for obtaining credentials.


[Deprecated] Microsoft Exchange Logs and Events

Supported by: Community

Deprecated; use the 'ESI-Opt' data connectors. You can stream all Exchange Audit events, IIS logs, HTTP Proxy logs, and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. It is used by the Microsoft Exchange Security workbooks to provide security insights into your on-premises Exchange environment.

Log Analytics table(s):

| Table | DCR support | Lake-only ingestion |
|---|---|---|
| Event | Yes | No |
| SecurityEvent | Yes | Yes |
| W3CIISLog | Yes | No |
| MessageTrackingLog_CL | No | No |
| ExchangeHttpProxy_CL | No | No |

Data collection rule support: Workspace transform DCR

Prerequisites:

  • Azure Log Analytics will be deprecated; to collect data from non-Azure VMs, Azure Arc is recommended. Learn more.
  • Detailed documentation: NOTE: Detailed documentation on the installation procedure and usage can be found here.


Security Events via Legacy Agent

Supported by: Microsoft Corporation

You can stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities. For more information, see the Microsoft Sentinel documentation.

Log Analytics table(s):

| Table | DCR support | Lake-only ingestion |
|---|---|---|
| SecurityEvent | Yes | Yes |

Data collection rule support: Workspace transform DCR


Subscription-based Microsoft Defender for Cloud (Legacy)

Supported by: Microsoft Corporation

Microsoft Defender for Cloud is a security management tool that allows you to detect and quickly respond to threats across Azure, hybrid, and multi-cloud workloads. This connector allows you to stream your security alerts from Microsoft Defender for Cloud into Microsoft Sentinel, so you can view Defender data in workbooks, query it to produce alerts, and investigate and respond to incidents.


Log Analytics table(s):

| Table | DCR support | Lake-only ingestion |
|---|---|---|
| SecurityAlert | Yes | Yes |

Data collection rule support: Workspace transform DCR


Syslog via Legacy Agent

Supported by: Microsoft Corporation

Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace.


Log Analytics table(s):

| Table | DCR support | Lake-only ingestion |
|---|---|---|
| Syslog | Yes | Yes |

Data collection rule support: Workspace transform DCR


Next steps

For more information, see: