เบราว์เซอร์นี้ไม่ได้รับการสนับสนุนอีกต่อไป
อัปเกรดเป็น Microsoft Edge เพื่อใช้ประโยชน์จากคุณลักษณะล่าสุด เช่น การอัปเดตความปลอดภัยและการสนับสนุนด้านเทคนิค
Microsoft Sentinel provides a wide range of out-of-the-box connectors for Azure services and external solutions, and also supports ingesting data from some sources without a dedicated connector.
If you're unable to connect your data source to Microsoft Sentinel using any of the existing solutions available, consider creating your own data source connector.
For a full list of supported connectors, see the Find your Microsoft Sentinel data connector).
The following table compares essential details about each method for creating custom connectors described in this article. Select the links in the table for more details about each method.
| Method description | Capability | Serverless | Complexity |
|---|---|---|---|
| Codeless Connector Platform (CCP) Best for less technical audiences to create SaaS connectors using a configuration file instead of advanced development. |
Supports all capabilities available with the code. | Yes | Low; simple, codeless development |
| Azure Monitor Agent Best for collecting files from on-premises and IaaS sources |
File collection, data transformation | No | Low |
| Logstash Best for on-premises and IaaS sources, any source for which a plugin is available, and organizations already familiar with Logstash |
Supports all capabilities of the Azure Monitor Agent | No; requires a VM or VM cluster to run | Low; supports many scenarios with plugins |
| Logic Apps High cost; avoid for high-volume data Best for low-volume cloud sources |
Codeless programming allows for limited flexibility, without support for implementing algorithms. If no available action already supports your requirements, creating a custom action may add complexity. |
Yes | Low; simple, codeless development |
| Log Ingestion API in Azure Monitor Best for ISVs implementing integration, and for unique collection requirements |
Supports all capabilities available with the code. | Depends on the implementation | High |
| Azure Functions Best for high-volume cloud sources, and for unique collection requirements |
Supports all capabilities available with the code. | Yes | High; requires programming knowledge |
เคล็ดลับ
For comparisons of using Logic Apps and Azure Functions for the same connector, see:
The Codeless Connector Platform (CCP) provides a configuration file that can be used by both customers and partners, and then deployed to your own workspace, or as a solution to Microsoft Sentinel's content hub.
Connectors created using the CCP are fully SaaS, without any requirements for service installations, and also include health monitoring and full support from Microsoft Sentinel.
For more information, see Create a codeless connector for Microsoft Sentinel.
If your data source delivers events in text files, we recommend that you use the Azure Monitor Agent to create your custom connector.
For more information, see Collect logs from a text file with Azure Monitor Agent.
For an example of this method, see Collect logs from a JSON file with Azure Monitor Agent.
If you're familiar with Logstash, you may want to use Logstash with the Logstash output plug-in for Microsoft Sentinel to create your custom connector.
With the Microsoft Sentinel Logstash Output plugin, you can use any Logstash input and filtering plugins, and configure Microsoft Sentinel as the output for a Logstash pipeline. Logstash has a large library of plugins that enable input from various sources, such as Event Hubs, Apache Kafka, Files, Databases, and Cloud services. Use filtering plug-ins to parse events, filter unnecessary events, obfuscate values, and more.
For examples of using Logstash as a custom connector, see:
For examples of useful Logstash plugins, see:
เคล็ดลับ
Logstash also enables scaled data collection using a cluster. For more information, see Using a load-balanced Logstash VM at scale.
Use Azure Logic Apps to create a serverless, custom connector for Microsoft Sentinel.
หมายเหตุ
While creating serverless connectors using Logic Apps may be convenient, using Logic Apps for your connectors may be costly for large volumes of data.
We recommend that you use this method only for low-volume data sources, or enriching your data uploads.
Use one of the following triggers to start your Logic Apps:
| Trigger | Description |
|---|---|
| A recurring task | For example, schedule your Logic App to retrieve data regularly from specific files, databases, or external APIs. For more information, see Create, schedule, and run recurring tasks and workflows in Azure Logic Apps. |
| On-demand triggering | Run your Logic App on-demand for manual data collection and testing. For more information, see Call, trigger, or nest logic apps using HTTPS endpoints. |
| HTTP/S endpoint | Recommended for streaming, and if the source system can start the data transfer. For more information, see Call service endpoints over HTTP or HTTPs. |
Use any of the Logic App connectors that read information to get your events. For example:
เคล็ดลับ
Custom connectors to REST APIs, SQL Servers, and file systems also support retrieving data from on-premises data sources. For more information, see Install on-premises data gateway documentation.
Prepare the information you want to retrieve.
For example, use the parse JSON action to access properties in JSON content, enabling you to select those properties from the dynamic content list when you specify inputs for your Logic App.
For more information, see Perform data operations in Azure Logic Apps.
Write the data to Log Analytics.
For more information, see the Azure Log Analytics Data Collector documentation.
For examples of how you can create a custom connector for Microsoft Sentinel using Logic Apps, see:
You can stream events to Microsoft Sentinel by using the Log Analytics Data Collector API to call a RESTful endpoint directly.
While calling a RESTful endpoint directly requires more programming, it also provides more flexibility.
For more information, see the following articles:
Use Azure Functions together with a RESTful API and various coding languages, such as PowerShell, to create a serverless custom connector.
For examples of this method, see:
To take advantage of the data collected with your custom connector, develop Advanced Security Information Model (ASIM) parsers to work with your connector. Using ASIM enables Microsoft Sentinel's built-in content to use your custom data and makes it easier for analysts to query the data.
If your connector method allows for it, you can implement part of the parsing as part of the connector to improve query time parsing performance:
You will still need to implement ASIM parsers, but implementing part of the parsing directly with the connector simplifies the parsing and improves performance.
Use the data ingested into Microsoft Sentinel to secure your environment with any of the following processes:
การฝึกอบรม
โมดูล
Connect data to Microsoft Sentinel using data connectors - Training
Connect data to Microsoft Sentinel using data connectors
ใบรับรอง
ได้รับการรับรองจาก Microsoft: ผู้ร่วมวิเคราะห์ฝ่ายปฏิบัติการรักษาความปลอดภัย - Certifications
ตรวจสอบ ค้นหา และลดภัยคุกคามโดยใช้ Microsoft Sentinel, Microsoft Defender for Cloud และ Microsoft 365 Defender
เอกสาร
Microsoft Sentinel data connectors
Learn about supported data connectors, like Microsoft Defender XDR (formerly Microsoft 365 Defender), Microsoft 365 and Office 365, Microsoft Entra ID, ATP, and Defender for Cloud Apps to Microsoft Sentinel.
Find your Microsoft Sentinel data connector
Learn about specific configuration steps for Microsoft Sentinel data connectors.
Connect your data sources to Microsoft Sentinel by using data connectors
Learn how to install and configure a data connector in Microsoft Sentinel.