Find your Microsoft Sentinel data connector
This article lists all supported, out-of-the-box data connectors and links to each connector's deployment steps.
Important
- Noted Microsoft Sentinel data connectors are currently in Preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
- Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see Microsoft Sentinel in the Microsoft Defender portal.
Data connectors are available as part of the following offerings:
Solutions: Many data connectors are deployed as part of Microsoft Sentinel solution together with related content like analytics rules, workbooks, and playbooks. For more information, see the Microsoft Sentinel solutions catalog.
Community connectors: More data connectors are provided by the Microsoft Sentinel community and can be found in the Azure Marketplace. Documentation for community data connectors is the responsibility of the organization that created the connector.
Custom connectors: If you have a data source that isn't listed or currently supported, you can also create your own, custom connector. For more information, see Resources for creating Microsoft Sentinel custom connectors.
Note
For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.
Data connector prerequisites
Each data connector has its own set of prerequisites. Prerequisites might include that you must have specific permissions on your Azure workspace, subscription, or policy. Or, you must meet other requirements for the partner data source you're connecting to.
Prerequisites for each data connector are listed on the relevant data connector page in Microsoft Sentinel.
Azure Monitor agent (AMA) based data connectors require an internet connection from the system where the agent is installed. Enable port 443 outbound to allow a connection between the system where the agent is installed and Microsoft Sentinel.
Syslog and Common Event Format (CEF) connectors
Log collection from many security appliances and devices are supported by the data connectors Syslog via AMA or Common Event Format (CEF) via AMA in Microsoft Sentinel. To forward data to your Log Analytics workspace for Microsoft Sentinel, complete the steps in Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent. These steps include installing the Microsoft Sentinel solution for a security appliance or device from the Content hub in Microsoft Sentinel. Then, configure the Syslog via AMA or Common Event Format (CEF) via AMA data connector that's appropriate for the Microsoft Sentinel solution you installed. Complete the setup by configuring the security device or appliance. Find instructions to configure your security device or appliance in one of the following articles:
- CEF via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion
- Syslog via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion
Contact the solution provider for more information or where information is unavailable for the appliance or device.
Custom Logs via AMA connector
Filter and ingest logs in text-file format from network or security applications installed on Windows or Linux machines by using the Custom Logs via AMA connector in Microsoft Sentinel. For more information, see the following articles:
- Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel
- Custom Logs via AMA data connector - Configure data ingestion to Microsoft Sentinel from specific applications
Codeless connector platform connectors
The following connectors use the current codeless connector platform but don't have a specific documentation page generated. They're available from the content hub in Microsoft Sentinel as part of a solution. For instructions on how to configure these data connectors, review the instructions available with each data connector within Microsoft Sentinel.
Codeless connector name | Azure Marketplace solution |
---|---|
Atlassian Jira Audit (using REST API) (Preview) | Atlassian Jira Audit |
Cisco Meraki (using Rest API) | Cisco Meraki Events via REST API |
Ermes Browser Security Events | Ermes Browser Security for Microsoft Sentinel |
Okta Single Sign-On (Preview) | Okta Single Sign-On Solution |
Sophos Endpoint Protection (using REST API) (Preview) | Sophos Endpoint Protection Solution |
Workday User Activity (Preview) | Workday (Preview) |
For more information about the codeless connector platform, see Create a codeless connector for Microsoft Sentinel.
1Password
42Crunch
Abnormal Security Corporation
AliCloud
Amazon Web Services
archTIS
ARGOS Cloud Security Pty Ltd
Armis, Inc.
- Armis Activities (using Azure Functions)
- Armis Alerts (using Azure Functions)
- Armis Alerts Activities (using Azure Functions)
- Armis Devices (using Azure Functions)
Armorblox
Atlassian
Auth0
Better Mobile Security Inc.
Bitglass
Bitsight Technologies, Inc.
Bosch Global Software Technologies Pvt Ltd
Box
Cisco
- Cisco ASA/FTD via AMA (Preview)
- Cisco Duo Security (using Azure Functions)
- Cisco Secure Endpoint (AMP) (using Azure Functions)
- Cisco Umbrella (using Azure Functions)
Cisco Systems, Inc.
Claroty
Cloudflare
Cognni
cognyte technologies israel ltd
CohesityDev
Commvault
Corelight Inc.
Cribl
Crowdstrike
- CrowdStrike Falcon Adversary Intelligence (using Azure Functions)
- Crowdstrike Falcon Data Replicator (using Azure Functions)
- Crowdstrike Falcon Data Replicator V2 (using Azure Functions)
CyberArk
CyberPion
Cybersixgill
Cyborg Security, Inc.
Cynerio
Darktrace plc
Dataminr, Inc.
Defend Limited
DEFEND Limited
Derdack
Digital Shadows
Dynatrace
Elastic
F5, Inc.
Feedly, Inc.
Flare Systems
Forescout
Fortinet
Gigamon, Inc
- Google Cloud Platform DNS (using Azure Functions)
- Google Cloud Platform IAM (using Azure Functions)
- Google Cloud Platform Cloud Monitoring (using Azure Functions)
- Google ApigeeX (using Azure Functions)
- Google Workspace (G Suite) (using Azure Functions)
Greynoise Intelligence, Inc.
HYAS Infosec Inc
Illumio, Inc.
H.O.L.M. Security Sweden AB
Imperva
Infoblox
- [Recommended] Infoblox Cloud Data Connector via AMA
- [Recommended] Infoblox SOC Insight Data Connector via AMA
- Infoblox Data Connector via REST API (using Azure Functions)
- Infoblox SOC Insight Data Connector via REST API
Infosec Global
Insight VM / Rapid7
Island Technology Inc.
- Island Enterprise Browser Admin Audit (Polling CCP)
- Island Enterprise Browser User Activity (Polling CCP)
Jamf Software, LLC
Lookout, Inc.
- Lookout (using Azure Function)
- Lookout Cloud Security for Microsoft Sentinel (using Azure Functions)
MailGuard Pty Limited
Microsoft
- Automated Logic WebCTRL
- Microsoft Entra ID
- Microsoft Entra ID Protection
- Azure Activity
- Azure Cognitive Search
- Azure DDoS Protection
- Azure Key Vault
- Azure Kubernetes Service (AKS)
- Microsoft Purview (Preview)
- Azure Storage Account
- Azure Web Application Firewall (WAF)
- Azure Batch Account
- Common Event Format (CEF) via AMA
- Windows DNS Events via AMA
- Azure Event Hubs
- Microsoft 365 Insider Risk Management
- Azure Logic Apps
- Microsoft Defender for Identity
- Microsoft Defender XDR
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Endpoint
- Subscription-based Microsoft Defender for Cloud (Legacy)
- Tenant-based Microsoft Defender for Cloud (Preview)
- Microsoft Defender for Office 365 (Preview)
- Microsoft Power BI
- Microsoft Project
- Microsoft Purview Information Protection
- Network Security Groups
- Microsoft 365
- Windows Security Events via AMA
- Azure Service Bus
- Azure Stream Analytics
- Syslog via AMA
- Microsoft Defender Threat Intelligence (Preview)
- Premium Microsoft Defender Threat Intelligence (Preview)
- Threat intelligence - TAXII
- Threat Intelligence Platforms
- Threat Intelligence Upload Indicators API (Preview)
- Microsoft Defender for IoT
- Windows Firewall
- Windows Firewall Events via AMA (Preview)
- Windows Forwarded Events
Microsoft Corporation
Microsoft Corporation - sentinel4github
Microsoft Sentinel Community, Microsoft Corporation
- Exchange Security Insights Online Collector (using Azure Functions)
- Exchange Security Insights On-Premises Collector
- Microsoft Active-Directory Domain Controllers Security Event Logs
- Microsoft Exchange Admin Audit Logs by Event Logs
- Microsoft Exchange HTTP Proxy Logs
- Microsoft Exchange Logs and Events
- Microsoft Exchange Message Tracking Logs
- Forcepoint DLP
- MISP2Sentinel
Mimecast North America
- Mimecast Audit & Authentication (using Azure Functions)
- Mimecast Secure Email Gateway (using Azure Functions)
- Mimecast Intelligence for Microsoft - Microsoft Sentinel (using Azure Functions)
- Mimecast Targeted Threat Protection (using Azure Functions)
MuleSoft
NetClean Technologies AB
Netskope
- Netskope (using Azure Functions)
- Netskope Data Connector (using Azure Functions)
- Netskope Web Transactions Data Connector (using Azure Functions)
Noname Gate, Inc.
NXLog Ltd.
Okta
OneLogin
Orca Security, Inc.
Palo Alto Networks
Perimeter 81
Phosphorus Cybersecurity
Prancer Enterprise
Proofpoint
Qualys
- Qualys Vulnerability Management (using Azure Functions)
- Qualys VM KnowledgeBase (using Azure Functions)
Radiflow
Rubrik, Inc.
SailPoint
Salesforce
Secure Practice
Senserva, LLC
SentinelOne
SERAPHIC ALGORITHMS LTD
Silverfort Ltd.
Slack
Snowflake
Sonrai Security
Sophos
Symantec
TALON CYBER SECURITY LTD
Tenable
The Collective Consulting BV
TheHive
Theom, Inc.
Transmit Security LTD
Trend Micro
Valence Security Inc.
Varonis
Vectra AI, Inc
VMware
WithSecure
Wiz, Inc.
ZERO NETWORKS LTD
Zerofox, Inc.
Zimperium, Inc.
Zoom
Next steps
For more information, see: