Resources for creating Microsoft Sentinel custom connectors
Microsoft Sentinel provides a wide range of out-of-the-box connectors for Azure services and external solutions, and also supports ingesting data from some sources without a dedicated connector.
If you're unable to connect your data source to Microsoft Sentinel using any of the existing solutions available, consider creating your own data source connector.
For a full list of supported connectors, see Find your Microsoft Sentinel data connector.
Compare custom connector methods
The following table compares essential details about each method for creating custom connectors described in this article. Select the links in the table for more details about each method.
Method description | Capability | Serverless | Complexity |
---|---|---|---|
Codeless Connector Platform (CCP)<br>Best for less technical audiences to create SaaS connectors using a configuration file instead of advanced development. | Supports all capabilities available with the code. | Yes | Low; simple, codeless development |
Azure Monitor Agent<br>Best for collecting files from on-premises and IaaS sources | File collection, data transformation | No | Low |
Logstash<br>Best for on-premises and IaaS sources, any source for which a plugin is available, and organizations already familiar with Logstash | Supports all capabilities of the Azure Monitor Agent | No; requires a VM or VM cluster to run | Low; supports many scenarios with plugins |
Logic Apps<br>High cost; avoid for high-volume data<br>Best for low-volume cloud sources | Codeless programming allows for limited flexibility, without support for implementing algorithms. If no available action already supports your requirements, creating a custom action may add complexity. | Yes | Low; simple, codeless development |
Log Ingestion API in Azure Monitor<br>Best for ISVs implementing integration, and for unique collection requirements | Supports all capabilities available with the code. | Depends on the implementation | High |
Azure Functions<br>Best for high-volume cloud sources, and for unique collection requirements | Supports all capabilities available with the code. | Yes | High; requires programming knowledge |
Tip
For comparisons of using Logic Apps and Azure Functions for the same connector, see:
- Ingest Fastly Web Application Firewall logs into Microsoft Sentinel
- Office 365 (Microsoft Sentinel GitHub community): Logic App connector | Azure Function connector
Connect with the Codeless Connector Platform
The Codeless Connector Platform (CCP) provides a configuration file that can be used by both customers and partners, and then deployed to your own workspace, or as a solution to Microsoft Sentinel's content hub.
Connectors created using the CCP are fully SaaS, without any requirements for service installations, and also include health monitoring and full support from Microsoft Sentinel.
For more information, see Create a codeless connector for Microsoft Sentinel.
Connect with the Azure Monitor Agent
If your data source delivers events in text files, we recommend that you use the Azure Monitor Agent to create your custom connector.
For more information, see Collect logs from a text file with Azure Monitor Agent.
For an example of this method, see Collect logs from a JSON file with Azure Monitor Agent.
Connect with Logstash
If you're familiar with Logstash, you may want to use Logstash with the Logstash output plug-in for Microsoft Sentinel to create your custom connector.
With the Microsoft Sentinel Logstash Output plugin, you can use any Logstash input and filtering plugins, and configure Microsoft Sentinel as the output for a Logstash pipeline. Logstash has a large library of plugins that enable input from various sources, such as Event Hubs, Apache Kafka, Files, Databases, and Cloud services. Use filtering plug-ins to parse events, filter unnecessary events, obfuscate values, and more.
For examples of using Logstash as a custom connector, see:
- Hunting for Capital One Breach TTPs in AWS logs using Microsoft Sentinel (blog)
- Radware Microsoft Sentinel implementation guide
For examples of useful Logstash plugins, see:
- Cloudwatch input plugin
- Azure Event Hubs plugin
- Google Cloud Storage input plugin
- Google_pubsub input plugin
Tip
Logstash also enables scaled data collection using a cluster. For more information, see Using a load-balanced Logstash VM at scale.
Connect with Logic Apps
Use Azure Logic Apps to create a serverless, custom connector for Microsoft Sentinel.
Note
While creating serverless connectors using Logic Apps may be convenient, using Logic Apps for your connectors may be costly for large volumes of data.
We recommend that you use this method only for low-volume data sources, or enriching your data uploads.
Use one of the following triggers to start your Logic Apps:

Trigger | Description |
---|---|
A recurring task | For example, schedule your Logic App to retrieve data regularly from specific files, databases, or external APIs. For more information, see Create, schedule, and run recurring tasks and workflows in Azure Logic Apps. |
On-demand triggering | Run your Logic App on-demand for manual data collection and testing. For more information, see Call, trigger, or nest logic apps using HTTPS endpoints. |
HTTP/S endpoint | Recommended for streaming, and if the source system can start the data transfer. For more information, see Call service endpoints over HTTP or HTTPs. |

Use any of the Logic App connectors that read information to get your events. For example:
Tip
Custom connectors to REST APIs, SQL Servers, and file systems also support retrieving data from on-premises data sources. For more information, see Install on-premises data gateway documentation.
Prepare the information you want to retrieve.
For example, use the parse JSON action to access properties in JSON content, enabling you to select those properties from the dynamic content list when you specify inputs for your Logic App.
For more information, see Perform data operations in Azure Logic Apps.
Write the data to Log Analytics.
For more information, see the Azure Log Analytics Data Collector documentation.
For examples of how you can create a custom connector for Microsoft Sentinel using Logic Apps, see:
- Create a data pipeline with the Data Collector API
- Palo Alto Prisma Logic App connector using a webhook (Microsoft Sentinel GitHub community)
- Secure your Microsoft Teams calls with scheduled activation (blog)
- Ingesting AlienVault OTX threat indicators into Microsoft Sentinel (blog)
Connect with the Log Ingestion API
You can stream events to Microsoft Sentinel by using the Log Analytics Data Collector API to call a RESTful endpoint directly.
While calling a RESTful endpoint directly requires more programming, it also provides more flexibility.
For more information, see the following articles:
- Log Ingestion API in Azure Monitor.
- Sample code to send data to Azure Monitor using Logs ingestion API.
Connect with Azure Functions
Use Azure Functions together with a RESTful API and various coding languages, such as PowerShell, to create a serverless custom connector.
For examples of this method, see:
- Connect your VMware Carbon Black Cloud Endpoint Standard to Microsoft Sentinel with Azure Function
- Connect your Okta Single Sign-On to Microsoft Sentinel with Azure Function
- Connect your Proofpoint TAP to Microsoft Sentinel with Azure Function
- Connect your Qualys VM to Microsoft Sentinel with Azure Function
- Ingesting XML, CSV, or other formats of data
- Monitoring Zoom with Microsoft Sentinel (blog)
- Deploy a Function App for getting Office 365 Management API data into Microsoft Sentinel (Microsoft Sentinel GitHub community)
Parse your custom connector data
To take advantage of the data collected with your custom connector, develop Advanced Security Information Model (ASIM) parsers to work with your connector. Using ASIM enables Microsoft Sentinel's built-in content to use your custom data and makes it easier for analysts to query the data.
If your connector method allows for it, you can implement part of the parsing as part of the connector to improve query time parsing performance:
- If you've used Logstash, use the Grok filter plugin to parse your data.
- If you've used an Azure function, parse your data with code.
You will still need to implement ASIM parsers, but implementing part of the parsing directly with the connector simplifies the parsing and improves performance.
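The connector-side pre-parsing recommended here, together with the direct Logs Ingestion API call described under "Connect with the Log Ingestion API", as one added example (not code from this page or from Microsoft). It assumes a hypothetical appliance log layout, placeholder DCE, DCR and stream names, and an Entra ID bearer token obtained elsewhere.

```python
"""Added example (not from the page): custom-connector core for the Azure Monitor Logs Ingestion API."""
import json
import re
import urllib.request

# Constructed sample input: syslog-style lines from a hypothetical appliance.
SAMPLE_LINES = [
    "2024-03-01T10:15:00Z fw01 action=allow src=10.0.0.5 dst=203.0.113.9 dport=443",
    "2024-03-01T10:15:01Z fw01 action=deny src=10.0.0.7 dst=198.51.100.2 dport=23",
    "this line does not match the expected layout and is kept as raw text",
]
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:]+Z) (?P<host>\S+) (?P<kv>.*)$")
MAX_BYTES = 1_000_000  # Logs Ingestion API accepts at most 1 MB per request
SEP = (",", ":")  # compact JSON, so size estimates match the bytes actually sent

def parse_line(line):
    """Pre-parse one line into a flat record; lines that do not match keep RawData."""
    m = LINE_RE.match(line)
    if not m:
        return {"RawData": line}
    rec = {"TimeGenerated": m.group("ts"), "Computer": m.group("host")}
    for key, _, value in (t.partition("=") for t in m.group("kv").split()):
        rec[key] = value
    return rec

def batch_records(records, max_bytes=MAX_BYTES):
    """Split records into JSON arrays whose encoded size stays within max_bytes."""
    batches, current, size = [], [], 2  # 2 bytes for the enclosing [ ]
    for rec in records:
        extra = len(json.dumps(rec, separators=SEP).encode("utf-8")) + (1 if current else 0)
        if current and size + extra > max_bytes:  # the +1 above was the comma separator
            batches.append(current)
            current, size, extra = [], 2, extra - 1
        current.append(rec)  # an oversized single record still gets its own batch
        size += extra
    if current:
        batches.append(current)
    return batches

def ingestion_url(dce, dcr_immutable_id, stream_name):
    """Build the Logs Ingestion API endpoint; all three arguments are placeholders."""
    return f"{dce}/dataCollectionRules/{dcr_immutable_id}/streams/{stream_name}?api-version=2023-01-01"

def upload(url, bearer_token, batch):
    """POST one batch; bearer_token is an Entra ID token obtained outside this example."""
    req = urllib.request.Request(url, data=json.dumps(batch, separators=SEP).encode("utf-8"),
        method="POST", headers={"Authorization": f"Bearer {bearer_token}",
                                "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 204 No Content on success
```

The stream name must match a stream declared in the data collection rule, and the token needs the Monitoring Metrics Publisher role on that rule.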
Next steps
Use the data ingested into Microsoft Sentinel to secure your environment with any of the following processes: