Find your Microsoft Sentinel data connector

2025-05-28
Applies to: Microsoft Sentinel in the Microsoft Defender portal, Microsoft Sentinel in the Azure portal

This article lists all supported, out-of-the-box data connectors and links to each connector's deployment steps.

Important

Noted Microsoft Sentinel data connectors are currently in Preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Microsoft Sentinel is generally available in the Microsoft Defender portal, including for customers without Microsoft Defender XDR or an E5 license. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

Data connectors are available as part of the following offerings:

Solutions: Many data connectors are deployed as part of Microsoft Sentinel solution together with related content like analytics rules, workbooks, and playbooks. For more information, see the Microsoft Sentinel solutions catalog.
Community connectors: More data connectors are provided by the Microsoft Sentinel community and can be found in the Azure Marketplace. Documentation for community data connectors is the responsibility of the organization that created the connector.
Custom connectors: If you have a data source that isn't listed or currently supported, you can also create your own, custom connector. For more information, see Resources for creating Microsoft Sentinel custom connectors.

Note

For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.

Data connector prerequisites

Each data connector has its own set of prerequisites. Prerequisites might include that you must have specific permissions on your Azure workspace, subscription, or policy. Or, you must meet other requirements for the partner data source you're connecting to.

Prerequisites for each data connector are listed on the relevant data connector page in Microsoft Sentinel.

Azure Monitor agent (AMA) based data connectors require an internet connection from the system where the agent is installed. Enable port 443 outbound to allow a connection between the system where the agent is installed and Microsoft Sentinel.

Syslog and Common Event Format (CEF) connectors

Log collection from many security appliances and devices are supported by the data connectors Syslog via AMA or Common Event Format (CEF) via AMA in Microsoft Sentinel. To forward data to your Log Analytics workspace for Microsoft Sentinel, complete the steps in Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent. These steps include installing the Microsoft Sentinel solution for a security appliance or device from the Content hub in Microsoft Sentinel. Then, configure the Syslog via AMA or Common Event Format (CEF) via AMA data connector that's appropriate for the Microsoft Sentinel solution you installed. Complete the setup by configuring the security device or appliance. Find instructions to configure your security device or appliance in one of the following articles:

Contact the solution provider for more information or where information is unavailable for the appliance or device.

Custom Logs via AMA connector

Filter and ingest logs in text-file format from network or security applications installed on Windows or Linux machines by using the Custom Logs via AMA connector in Microsoft Sentinel. For more information, see the following articles:

Sentinel data connectors

Note

The following table lists the data connectors that are available in the Microsoft Sentinel Content hub. The connectors are supported by the product vendor. For support, see the link in the Supported by column in the following table.

Connector	Supported by
1Password (Serverless) The 1Password CCF connector allows the user to ingest 1Password Audit, Signin & ItemUsage events into Microsoft Sentinel. Log Analytics table(s): - `OnePasswordEventLogs_CL` Data collection rule support: Not currently supported Prerequisites: - 1Password API token: A 1Password API Token is required. See the 1Password documentation on how to create an API token.	1Password
1Password (using Azure Functions) The 1Password solution for Microsoft Sentinel enables you to ingest sign-in attempts, item usage, and audit events from your 1Password Business account using the 1Password Events Reporting API. This allows you to monitor and investigate events in 1Password in Microsoft Sentinel along with the other applications and services your organization uses. Underlying Microsoft Technologies used: This solution depends on the following technologies, and some of which may be in Preview state or may incur additional ingestion or operational costs: - Azure Functions Log Analytics table(s): - `OnePasswordEventLogs_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - 1Password Events API Token: A 1Password Events API Token is required. For more information, see the 1Password API. Note: A 1Password Business account is required	1Password
AbnormalSecurity (using Azure Function) The Abnormal Security data connector provides the capability to ingest threat and case logs into Microsoft Sentinel using the Abnormal Security Rest API. Log Analytics table(s): - `ABNORMAL_THREAT_MESSAGES_CL` - `ABNORMAL_CASES_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Abnormal Security API Token: An Abnormal Security API Token is required. For more information, see Abnormal Security API. Note: An Abnormal Security account is required	Abnormal Security
AIShield AIShield connector allows users to connect with AIShield custom defense mechanism logs with Microsoft Sentinel, allowing the creation of dynamic Dashboards, Workbooks, Notebooks and tailored Alerts to improve investigation and thwart attacks on AI systems. It gives users more insight into their organization's AI assets security posturing and improves their AI systems security operation capabilities.AIShield.GuArdIan analyzes the LLM generated content to identify and mitigate harmful content, safeguarding against legal, policy, role based, and usage based violations Log Analytics table(s): - `AIShield_CL` Data collection rule support: Not currently supported Prerequisites: - Note: Users should have utilized AIShield SaaS offering to conduct vulnerability analysis and deployed custom defense mechanisms generated along with their AI asset. Click here to know more or get in touch.	AIShield
AliCloud (using Azure Functions) The AliCloud data connector provides the capability to retrieve logs from cloud applications using the Cloud API and store events into Microsoft Sentinel through the REST API. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `AliCloud_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: AliCloudAccessKeyId and AliCloudAccessKey are required for making API calls.	Microsoft Corporation
Amazon Web Services Instructions to connect to AWS and stream your CloudTrail logs into Microsoft Sentinel are shown during the installation process. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `AWSCloudTrail` Data collection rule support: Not currently supported	Microsoft Corporation
Amazon Web Services S3 This connector allows you to ingest AWS service logs, collected in AWS S3 buckets, to Microsoft Sentinel. The currently supported data types are: * AWS CloudTrail * VPC Flow Logs * AWS GuardDuty * AWSCloudWatch For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `AWSGuardDuty` - `AWSVPCFlow` - `AWSCloudTrail` - `AWSCloudWatch` Data collection rule support: Not currently supported Prerequisites: - Environment: You must have the following AWS resources defined and configured: S3, Simple Queue Service (SQS), IAM roles and permissions policies, and the AWS services whose logs you want to collect.	Microsoft Corporation
Amazon Web Services S3 WAF This connector allows you to ingest AWS WAF logs, collected in AWS S3 buckets, to Microsoft Sentinel. AWS WAF logs are detailed records of traffic that web access control lists (ACLs) analyze, which are essential for maintaining the security and performance of web applications. These logs contain information such as the time AWS WAF received the request, the specifics of the request, and the action taken by the rule that the request matched. Log Analytics table(s): - `AWSWAF` Data collection rule support: Not currently supported	Microsoft Corporation
ARGOS Cloud Security The ARGOS Cloud Security integration for Microsoft Sentinel allows you to have all your important cloud security events in one place. This enables you to easily create dashboards, alerts, and correlate events across multiple systems. Overall this will improve your organization's security posture and security incident response. Log Analytics table(s): - `ARGOS_CL` Data collection rule support: Not currently supported	ARGOS Cloud Security
Armis Alerts Activities (using Azure Functions) The Armis Alerts Activities connector gives the capability to ingest Armis Alerts and Activities into Microsoft Sentinel through the Armis REST API. Refer to the API documentation: `https://<YourArmisInstance>.armis.com/api/v1/docs` for more information. The connector provides the ability to get alert and activity information from the Armis platform and to identify and prioritize threats in your environment. Armis uses your existing infrastructure to discover and identify devices without having to deploy any agents. Log Analytics table(s): - `Armis_Alerts_CL` - `Armis_Activities_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: Armis Secret Key is required. See the documentation to learn more about API on the `https://<YourArmisInstance>.armis.com/api/v1/doc`	Armis Corporation
Armis Devices (using Azure Functions) The Armis Device connector gives the capability to ingest Armis Devices into Microsoft Sentinel through the Armis REST API. Refer to the API documentation: `https://<YourArmisInstance>.armis.com/api/v1/docs` for more information. The connector provides the ability to get device information from the Armis platform. Armis uses your existing infrastructure to discover and identify devices without having to deploy any agents. Armis can also integrate with your existing IT & security management tools to identify and classify each and every device, managed or unmanaged in your environment. Log Analytics table(s): - `Armis_Devices_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: Armis Secret Key is required. See the documentation to learn more about API on the `https://<YourArmisInstance>.armis.com/api/v1/doc`	Armis Corporation
Armorblox (using Azure Function) The Armorblox data connector provides the capability to ingest incidents from your Armorblox instance into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, and more. Log Analytics table(s): - `Armorblox_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Armorblox Instance Details: ArmorbloxInstanceName OR ArmorbloxInstanceURL is required - Armorblox API Credentials: ArmorbloxAPIToken is required	armorblox
Atlassian Beacon Alerts Atlassian Beacon is a cloud product that is built for Intelligent threat detection across the Atlassian platforms (Jira, Confluence, and Atlassian Admin). This can help users detect, investigate and respond to risky user activity for the Atlassian suite of products. The solution is a custom data connector from DEFEND Ltd. that is used to visualize the alerts ingested from Atlassian Beacon to Microsoft Sentinel via a Logic App. Log Analytics table(s): - `atlassian_beacon_alerts_CL` Data collection rule support: Not currently supported	DEFEND Ltd.
Atlassian Confluence Audit (via Codeless Connector Framework) The Atlassian Confluence Audit data connector provides the capability to ingest Confluence Audit Records events into Microsoft Sentinel through the REST API. Refer to API documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `ConfluenceAuditLogs_CL` Data collection rule support: Not currently supported Prerequisites: - Atlassian Confluence API access: Permission of Administer Confluence is required to get access to the Confluence Audit logs API. See Confluence API documentation to learn more about the audit API.	Microsoft Corporation
Atlassian Jira Audit (using Azure Functions) The Atlassian Jira Audit data connector provides the capability to ingest Jira Audit Records events into Microsoft Sentinel through the REST API. Refer to API documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `Jira_Audit_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: JiraAccessToken, JiraUsername is required for REST API. For more information, see API. Check all requirements and follow the instructions for obtaining credentials.	Microsoft Corporation
Atlassian Jira Audit (using REST API) The Atlassian Jira Audit data connector provides the capability to ingest Jira Audit Records events into Microsoft Sentinel through the REST API. Refer to API documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `Jira_Audit_v2_CL` Data collection rule support: Not currently supported Prerequisites: - Atlassian Jira API access: Permission of Administer Jira is required to get access to the Jira Audit logs API. See Jira API documentation to learn more about the audit API.	Microsoft Corporation
Auth0 Access Management (using Azure Functions) The Auth0 Access Management data connector provides the capability to ingest Auth0 log events into Microsoft Sentinel Log Analytics table(s): - `Auth0AM_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: API token is required. For more information, see API token	Microsoft Corporation
Auth0 Logs The Auth0 data connector allows ingesting logs from Auth0 API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Framework. It uses Auth0 API to fetch logs and it supports DCR-based ingestion time transformations that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance. Log Analytics table(s): - `Auth0Logs_CL` Data collection rule support: Not currently supported	Microsoft Corporation
Automated Logic WebCTRL You can stream the audit logs from the WebCTRL SQL server hosted on Windows machines connected to your Microsoft Sentinel. This connection enables you to view dashboards, create custom alerts and improve investigation. This gives insights into your Industrial Control Systems that are monitored or controlled by the WebCTRL BAS application. Log Analytics table(s): - `Event` Data collection rule support: Not currently supported	Microsoft Corporation
Azure Activity Azure Activity Log is a subscription log that provides insight into subscription-level events that occur in Azure, including events from Azure Resource Manager operational data, service health events, write operations taken on the resources in your subscription, and the status of activities performed in Azure. For more information, see the Microsoft Sentinel documentation . Log Analytics table(s): - `AzureActivity` Data collection rule support: Not currently supported	Microsoft Corporation
Azure Batch Account Azure Batch Account is a uniquely identified entity within the Batch service. Most Batch solutions use Azure Storage for storing resource files and output files, so each Batch account is usually associated with a corresponding storage account. This connector lets you stream your Azure Batch account diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `AzureDiagnostics` Data collection rule support: Not currently supported Prerequisites: - Policy: Owner role assigned for each policy assignment scope	Microsoft Corporation
Azure CloudNGFW By Palo Alto Networks Cloud Next-Generation Firewall by Palo Alto Networks - an Azure Native ISV Service - is Palo Alto Networks Next-Generation Firewall (NGFW) delivered as a cloud-native service on Azure. You can discover Cloud NGFW in the Azure Marketplace and consume it in your Azure Virtual Networks (VNet). With Cloud NGFW, you can access the core NGFW capabilities such as App-ID, URL filtering based technologies. It provides threat prevention and detection through cloud-delivered security services and threat prevention signatures. The connector allows you to easily connect your Cloud NGFW logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. For more information, see the Cloud NGFW for Azure documentation. Log Analytics table(s): - `fluentbit_CL` Data collection rule support: Not currently supported	Palo Alto Networks
Azure Cognitive Search Azure Cognitive Search is a cloud search service that gives developers infrastructure, APIs, and tools for building a rich search experience over private, heterogeneous content in web, mobile, and enterprise applications. This connector lets you stream your Azure Cognitive Search diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity. Log Analytics table(s): - `AzureDiagnostics` Data collection rule support: Not currently supported Prerequisites: - Policy: Owner role assigned for each policy assignment scope	Microsoft Corporation
Azure DDoS Protection Connect to Azure DDoS Protection Standard logs via Public IP Address Diagnostic Logs. In addition to the core DDoS protection in the platform, Azure DDoS Protection Standard provides advanced DDoS mitigation capabilities against network attacks. It's automatically tuned to protect your specific Azure resources. Protection is simple to enable during the creation of new virtual networks. It can also be done after creation and requires no application or resource changes. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `AzureDiagnostics` Data collection rule support: Not currently supported	Microsoft Corporation
Azure DevOps Audit Logs (via Codeless Connector Framework) The Azure DevOps Audit Logs data connector allows you to ingest audit events from Azure DevOps into Microsoft Sentinel. This data connector is built using the Microsoft Sentinel Codeless Connector Framework, ensuring seamless integration. It leverages the Azure DevOps Audit Logs API to fetch detailed audit events and supports DCR-based ingestion time transformations. These transformations enable parsing of the received audit data into a custom table during ingestion, improving query performance by eliminating the need for additional parsing. By using this connector, you can gain enhanced visibility into your Azure DevOps environment and streamline your security operations. Log Analytics table(s): - `ADOAuditLogs_CL` Data collection rule support: Not currently supported Prerequisites: - Azure DevOps Prerequisite: Please ensure the following: 1. Register an Entra App in Microsoft Entra Admin Center under App Registrations. 2. In 'API permissions' - add Permissions to 'Azure DevOps - vso.auditlog'. 3. In 'Certificates & secrets' - generate 'Client secret'. 4. In 'Authentication' - add Redirect URI: 'https://portal.azure.com/TokenAuthorize/ExtensionName/Microsoft_Azure_Security_Insights'. 5. In the Azure DevOps settings - enable audit log and set View audit log for the user. Azure DevOps Auditing.	Microsoft Corporation
Azure Event Hub Azure Event Hubs is a big data streaming platform and event ingestion service. It can receive and process millions of events per second. This connector lets you stream your Azure Event Hub diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity. Log Analytics table(s): - `AzureDiagnostics` Data collection rule support: Not currently supported Prerequisites: - Policy: Owner role assigned for each policy assignment scope	Microsoft Corporation
Azure Firewall Connect to Azure Firewall. Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `AzureDiagnostics` - `AZFWApplicationRule` - `AZFWFlowTrace` - `AZFWFatFlow` - `AZFWNatRule` - `AZFWDnsQuery` - `AZFWIdpsSignature` - `AZFWInternalFqdnResolutionFailure` - `AZFWNetworkRule` - `AZFWThreatIntel` Data collection rule support: Not currently supported	Microsoft Corporation
Azure Key Vault Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. This connector lets you stream your Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `AzureDiagnostics` Data collection rule support: Not currently supported	Microsoft Corporation
Azure Kubernetes Service (AKS) Azure Kubernetes Service (AKS) is an open-source, fully-managed container orchestration service that allows you to deploy, scale, and manage Docker containers and container-based applications in a cluster environment. This connector lets you stream your Azure Kubernetes Service (AKS) diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `AzureDiagnostics` Data collection rule support: Not currently supported	Microsoft Corporation
Azure Logic Apps Azure Logic Apps is a cloud-based platform for creating and running automated workflows that integrate your apps, data, services, and systems. This connector lets you stream your Azure Logic Apps diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity. Log Analytics table(s): - `AzureDiagnostics` Data collection rule support: Not currently supported Prerequisites: - Policy: Owner role assigned for each policy assignment scope	Microsoft Corporation
Azure Service Bus Azure Service Bus is a fully managed enterprise message broker with message queues and publish-subscribe topics (in a namespace). This connector lets you stream your Azure Service Bus diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity. Log Analytics table(s): - `AzureDiagnostics` Data collection rule support: Not currently supported Prerequisites: - Policy: Owner role assigned for each policy assignment scope	Microsoft Corporation
Azure SQL Databases Azure SQL is a fully managed, Platform-as-a-Service (PaaS) database engine that handles most database management functions, such as upgrading, patching, backups, and monitoring, without necessitating user involvement. This connector lets you stream your Azure SQL databases audit and diagnostic logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. Log Analytics table(s): - `AzureDiagnostics` Data collection rule support: Not currently supported	Microsoft Corporation
Azure Storage Account Azure Storage account is a cloud solution for modern data storage scenarios. It contains all your data objects: blobs, files, queues, tables, and disks. This connector lets you stream Azure Storage accounts diagnostics logs into your Microsoft Sentinel workspace, allowing you to continuously monitor activity in all your instances, and detect malicious activity in your organization. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `AzureMetrics` - `StorageBlobLogs` - `StorageQueueLogs` - `StorageTableLogs` - `StorageFileLogs` Data collection rule support: Not currently supported Prerequisites: - Policy: Owner role assigned for each policy assignment scope	Microsoft Corporation
Azure Stream Analytics Azure Stream Analytics is a real-time analytics and complex event-processing engine that is designed to analyze and process high volumes of fast streaming data from multiple sources simultaneously. This connector lets you stream your Azure Stream Analytics hub diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity. Log Analytics table(s): - `AzureDiagnostics` Data collection rule support: Not currently supported Prerequisites: - Policy: Owner role assigned for each policy assignment scope	Microsoft Corporation
Azure Web Application Firewall (WAF) Connect to the Azure Web Application Firewall (WAF) for Application Gateway, Front Door, or CDN. This WAF protects your applications from common web vulnerabilities such as SQL injection and cross-site scripting, and lets you customize rules to reduce false positives. Instructions to stream your Microsoft Web application firewall logs into Microsoft Sentinel are shown during the installation process. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `AzureDiagnostics` Data collection rule support: Not currently supported	Microsoft Corporation
BETTER Mobile Threat Defense (MTD) The BETTER MTD Connector allows Enterprises to connect their Better MTD instances with Microsoft Sentinel, to view their data in Dashboards, create custom alerts, use it to trigger playbooks and expands threat hunting capabilities. This gives users more insight into their organization's mobile devices and ability to quickly analyze current mobile security posture which improves their overall SecOps capabilities. Log Analytics table(s): - `BetterMTDIncidentLog_CL` - `BetterMTDDeviceLog_CL` - `BetterMTDNetflowLog_CL` - `BetterMTDAppLog_CL` Data collection rule support: Not currently supported	Better Mobile Security Inc.
Bitglass (using Azure Functions) The Bitglass data connector provides the capability to retrieve security event logs of the Bitglass services and more events into Microsoft Sentinel through the REST API. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `BitglassLogs_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: BitglassToken and BitglassServiceURL are required for making API calls.	Microsoft Corporation
Bitsight data connector (using Azure Functions) The BitSight Data Connector supports evidence-based cyber risk monitoring by bringing BitSight data in Microsoft Sentinel. Log Analytics table(s): - `Alerts_data_CL` - `BitsightBreaches_data_CL` - `BitsightCompany_details_CL` - `BitsightCompany_rating_details_CL` - `BitsightDiligence_historical_statistics_CL` - `BitsightDiligence_statistics_CL` - `BitsightFindings_data_CL` - `BitsightFindings_summary_CL` - `BitsightGraph_data_CL` - `BitsightIndustrial_statistics_CL` - `BitsightObservation_statistics_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: BitSight API Token is required. See the documentation to learn more about API Token.	BitSight Support
Bitwarden Event Logs This connector provides insight into activity of your Bitwarden organization such as user's activity (logged in, changed password, 2fa, etc.), cipher activity (created, updated, deleted, shared, etc.), collection activity, organization activity, and more. Log Analytics table(s): - `BitwardenEventLogs` Data collection rule support: Not currently supported Prerequisites: - Bitwarden Client Id and Client Secret: Your API key can be found in the Bitwarden organization admin console. Please see Bitwarden documentation for more information.	Bitwarden Inc
Box (using Azure Functions) The Box data connector provides the capability to ingest Box enterprise's events into Microsoft Sentinel using the Box REST API. Refer to Box documentation for more information. Log Analytics table(s): - `BoxEvents_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Box API Credentials: Box config JSON file is required for Box REST API JWT authentication. For more information, see JWT authentication.	Microsoft Corporation
Box Events (CCF) The Box data connector provides the capability to ingest Box enterprise's events into Microsoft Sentinel using the Box REST API. Refer to Box documentation for more information. Log Analytics table(s): - `BoxEventsV2_CL` Data collection rule support: Not currently supported Prerequisites: - Box API credentials: Box API requires a Box App client ID and client secret to authenticate. For more information, see Client Credentials grant - Box Enterprise ID: Box Enterprise ID is required to make the connection. See documentation to find Enterprise ID	Microsoft Corporation
Check Point CloudGuard CNAPP Connector for Microsoft Sentinel The CloudGuard data connector enables the ingestion of security events from the CloudGuard API into Microsoft Sentinel™, using Microsoft Sentinel’s Codeless Connector Framework. The connector supports DCR-based ingestion time transformations which parses incoming security event data into custom columns. This pre-parsing process eliminates the need for query-time parsing, resulting in improved performance for data queries. Log Analytics table(s): - `CloudGuard_SecurityEvents_CL` Data collection rule support: Not currently supported Prerequisites: - CloudGuard API Key: Refer to the instructions provided here to generate an API key.	Check Point
Cisco ASA/FTD via AMA (Preview) The Cisco ASA firewall connector allows you to easily connect your Cisco ASA logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. Log Analytics table(s): - `CommonSecurityLog` Data collection rule support: Workspace transform DCR Prerequisites: - To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. Learn more	Microsoft Corporation
Cisco Duo Security (using Azure Functions) The Cisco Duo Security data connector provides the capability to ingest authentication logs, administrator logs, telephony logs, offline enrollment logs and Trust Monitor events into Microsoft Sentinel using the Cisco Duo Admin API. Refer to API documentation for more information. Log Analytics table(s): - `CiscoDuo_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Cisco Duo API credentials: Cisco Duo API credentials with permission Grant read log is required for Cisco Duo API. See the documentation to learn more about creating Cisco Duo API credentials.	Microsoft Corporation
Cisco ETD (using Azure Functions) The connector fetches data from ETD api for threat analysis Log Analytics table(s): - `CiscoETD_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Email Threat Defense API, API key, Client ID and Secret: Ensure you have the API key, Client ID and Secret key.	N/A
Cisco Meraki (using REST API) The Cisco Meraki connector allows you to easily connect your Cisco Meraki organization events (Security events, Configuration Changes and API Requests) to Microsoft Sentinel. The data connector uses the Cisco Meraki REST API to fetch logs and supports DCR-based ingestion time transformations that parses the received data and ingests into ASIM and custom tables in your Log Analytics workspace. This data connector benefits from capabilities such as DCR based ingestion-time filtering, data normalization. Supported ASIM schema: 1. Network Session 2. Web Session 3. Audit Event Log Analytics table(s): - `ASimNetworkSessionLogs` Data collection rule support: Not currently supported Prerequisites: - Cisco Meraki REST API Key: Enable API access in Cisco Meraki and generate API Key. Please refer to Cisco Meraki official documentation for more information. - Cisco Meraki Organization Id: Obtain your Cisco Meraki organization id to fetch security events. Follow the steps in the documentation to obtain the Organization Id using the Meraki API Key obtained in previous step.	Microsoft Corporation
Cisco Secure Endpoint (AMP) (using Azure Functions) The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint audit logs and events into Microsoft Sentinel. Log Analytics table(s): - `CiscoSecureEndpoint_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Cisco Secure Endpoint API credentials: Cisco Secure Endpoint Client ID and API Key are required. For more information, see Cisco Secure Endpoint API. API ___domain must be provided as well.	Microsoft Corporation
Cisco Software Defined WAN The Cisco Software Defined WAN(SD-WAN) data connector provides the capability to ingest Cisco SD-WAN Syslog and Netflow data into Microsoft Sentinel. Log Analytics table(s): - `Syslog` - `CiscoSDWANNetflow_CL` Data collection rule support: Workspace transform DCR	Cisco Systems
Cisco Umbrella (using Azure Functions) The Cisco Umbrella data connector provides the capability to ingest Cisco Umbrella events stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API. Refer to Cisco Umbrella log management documentation for more information. Log Analytics table(s): - `Cisco_Umbrella_dns_CL` - `Cisco_Umbrella_proxy_CL` - `Cisco_Umbrella_ip_CL` - `Cisco_Umbrella_cloudfirewall_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Amazon S3 REST API Credentials/permissions: AWS Access Key Id, AWS Secret Access Key, AWS S3 Bucket Name are required for Amazon S3 REST API.	Microsoft Corporation
Claroty xDome Claroty xDome delivers comprehensive security and alert management capabilities for healthcare and industrial network environments. It is designed to map multiple source types, identify the collected data, and integrate it into Microsoft Sentinel data models. This results in the ability to monitor all potential threats in your healthcare and industrial environments in one ___location, leading to more effective security monitoring and a stronger security posture. Log Analytics table(s): - `CommonSecurityLog` Data collection rule support: Workspace transform DCR	xDome Customer Support
Cloudflare (Preview) (using Azure Functions) The Cloudflare data connector provides the capability to ingest Cloudflare logs into Microsoft Sentinel using the Cloudflare Logpush and Azure Blob Storage. Refer to Cloudflare documentation for more information. Log Analytics table(s): - `Cloudflare_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Azure Blob Storage connection string and container name: Azure Blob Storage connection string and container name where the logs are pushed to by Cloudflare Logpush. For more information, see creating Azure Blob Storage container.	Cloudflare
Cognni The Cognni connector offers a quick and simple integration with Microsoft Sentinel. You can use Cognni to autonomously map your previously unclassified important information and detect related incidents. This allows you to recognize risks to your important information, understand the severity of the incidents, and investigate the details you need to remediate, fast enough to make a difference. Log Analytics table(s): - `CognniIncidents_CL` Data collection rule support: Not currently supported	Cognni
Cohesity (using Azure Functions) The Cohesity function apps provide the ability to ingest Cohesity Datahawk ransomware alerts into Microsoft Sentinel. Log Analytics table(s): - `Cohesity_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Azure Blob Storage connection string and container name: Azure Blob Storage connection string and container name	Cohesity
CommvaultSecurityIQ (using Azure Functions) This Azure Function enables Commvault users to ingest alerts/events into their Microsoft Sentinel instance. With Analytic Rules,Microsoft Sentinel can automatically create Microsoft Sentinel incidents from incoming events and logs. Log Analytics table(s): - `CommvaultSecurityIQ_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Commvault Environment Endpoint URL: Make sure to follow the documentation and set the secret value in KeyVault - Commvault QSDK Token: Make sure to follow the documentation and set the secret value in KeyVault	Commvault
Corelight Connector Exporter The Corelight data connector enables incident responders and threat hunters who use Microsoft Sentinel to work faster and more effectively. The data connector enables ingestion of events from Zeek and Suricata via Corelight Sensors into Microsoft Sentinel. Log Analytics table(s): - `Corelight` Data collection rule support: Not currently supported	Corelight
Cortex XDR - Incidents Custom Data connector from DEFEND to utilise the Cortex API to ingest incidents from Cortex XDR platform into Microsoft Sentinel. Log Analytics table(s): - `CortexXDR_Incidents_CL` Data collection rule support: Not currently supported Prerequisites: - Cortex API credentials: Cortex API Token is required for REST API. For more information, see API. Check all requirements and follow the instructions for obtaining credentials.	DEFEND Ltd.
Cribl The Cribl connector allows you to easily connect your Cribl (Cribl Enterprise Edition - Standalone) logs with Microsoft Sentinel. This gives you more security insight into your organization's data pipelines. Log Analytics table(s): - `CriblInternal_CL` Data collection rule support: Not currently supported	Cribl
CTERA Syslog The CTERA Data Connector for Microsoft Sentinel offers monitoring and threat detection capabilities for your CTERA solution. It includes a workbook visualizing the sum of all operations per type, deletions, and denied access operations. It also provides analytic rules which detects ransomware incidents and alert you when a user is blocked due to suspicious ransomware activity. Additionally, it helps you identify critical patterns such as mass access denied events, mass deletions, and mass permission changes, enabling proactive threat management and response. Log Analytics table(s): - `Syslog` Data collection rule support: Workspace transform DCR	CTERA
Custom logs via AMA Many applications log information to text or JSON files instead of standard logging services, such as Windows Event logs, Syslog or CEF. The Custom Logs data connector allows you to collect events from files on both Windows and Linux computers and stream them to custom logs tables you created. While streaming the data you can parse and transform the contents using the DCR. After collecting the data, you can apply analytic rules, hunting, searching, threat intelligence, enrichments and more. NOTE: Use this connector for the following devices: Cisco Meraki, Zscaler Private Access (ZPA), VMware vCenter, Apache HTTP server, Apache Tomcat, Jboss Enterprise application platform, Juniper IDP, MarkLogic Audit, MongoDB Audit, Nginx HTTP server, Oracle Weblogic server, PostgreSQL Events, Squid Proxy, Ubiquiti UniFi, SecurityBridge Threat detection SAP and AI vectra stream. Log Analytics table(s): - `JBossEvent_CL<br>` - `JuniperIDP_CL<br>` - `ApacheHTTPServer_CL<br>` - `Tomcat_CL<br>` - `meraki_CL<br>` - `VectraStream_CL<br>` - `MarkLogicAudit_CL<br>` - `MongoDBAudit_CL<br>` - `NGINX_CL<br>` - `OracleWebLogicServer_CL<br>` - `PostgreSQL_CL<br>` - `SquidProxy_CL<br>` - `Ubiquiti_CL<br>` - `vcenter_CL<br>` - `ZPA_CL<br>` - `SecurityBridgeLogs_CL<br>` Data collection rule support: Not currently supported Prerequisites: - Permissions: To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. Learn more	Microsoft Corporation
Cyber Blind Spot Integration (using Azure Functions) Through the API integration, you have the capability to retrieve all the issues related to your CBS organizations via a RESTful interface. Log Analytics table(s): - `CBSLog_Azure_1_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.	Cyber Threat Management 360
CyberArkAudit (using Azure Functions) The CyberArk Audit data connector provides the capability to retrieve security event logs of the CyberArk Audit service and more events into Microsoft Sentinel through the REST API. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `CyberArk_AuditEvents_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Audit REST API Connections details and Credentials: OauthUsername, OauthPassword, WebAppID, AuditApiKey, IdentityEndpoint and AuditApiBaseUrl are required for making API calls.	CyberArk Support
CyberArkEPM (using Azure Functions) The CyberArk Endpoint Privilege Manager data connector provides the capability to retrieve security event logs of the CyberArk EPM services and more events into Microsoft Sentinel through the REST API. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `CyberArkEPM_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: CyberArkEPMUsername, CyberArkEPMPassword and CyberArkEPMServerURL are required for making API calls.	CyberArk Support
Cyberpion Security Logs The Cyberpion Security Logs data connector, ingests logs from the Cyberpion system directly into Sentinel. The connector allows users to visualize their data, create alerts and incidents and improve security investigations. Log Analytics table(s): - `CyberpionActionItems_CL` Data collection rule support: Not currently supported Prerequisites: - Cyberpion Subscription: A subscription and account is required for cyberpion logs. One can be acquired here.	Cyberpion
Cybersixgill Actionable Alerts (using Azure Functions) Actionable alerts provide customized alerts based on configured assets Log Analytics table(s): - `CyberSixgill_Alerts_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: Client_ID and Client_Secret are required for making API calls.	Cybersixgill
Cyborg Security HUNTER Hunt Packages Cyborg Security is a leading provider of advanced threat hunting solutions, with a mission to empower organizations with cutting-edge technology and collaborative tools to proactively detect and respond to cyber threats. Cyborg Security's flagship offering, the HUNTER Platform, combines powerful analytics, curated threat hunting content, and comprehensive hunt management capabilities to create a dynamic ecosystem for effective threat hunting operations. Follow the steps to gain access to Cyborg Security's Community and setup the 'Open in Tool' capabilities in the HUNTER Platform. Log Analytics table(s): - `SecurityEvent` Data collection rule support: Not currently supported	Cyborg Security
Cyfirma Attack Surface Connector N/A Log Analytics table(s): - `CyfirmaASCertificatesAlerts_CL` - `CyfirmaASConfigurationAlerts_CL` - `CyfirmaASDomainIPReputationAlerts_CL` - `CyfirmaASOpenPortsAlerts_CL` - `CyfirmaASCloudWeaknessAlerts_CL` - `CyfirmaASDomainIPVulnerabilityAlerts_CL` Data collection rule support: Not currently supported	Cyfirma
Cyfirma Brand Intelligence Connector N/A Log Analytics table(s): - `CyfirmaBIDomainITAssetAlerts_CL` - `CyfirmaBIExecutivePeopleAlerts_CL` - `CyfirmaBIProductSolutionAlerts_CL` - `CyfirmaBISocialHandlersAlerts_CL` - `CyfirmaBIMaliciousMobileAppsAlerts_CL` Data collection rule support: Not currently supported	Cyfirma
Cyfirma Digital Risk Connector The [Cyfirma DeCYFIR/DeTCT Alerts] data connector enables seamless log ingestion from the DeCYFIR/DeTCT API into Microsoft Sentinel. Built on the Microsoft Sentinel Codeless Connector Framework, it leverages the DeCYFIR Alerts API to retrieve logs. Additionally, it supports DCR-based ingestion time transformations, which parse security data into a custom table during ingestion. This eliminates the need for query-time parsing, enhancing performance and efficiency. Log Analytics table(s): - `CyfirmaDBWMPhishingAlerts_CL` - `CyfirmaDBWMRansomwareAlerts_CL` - `CyfirmaDBWMDarkWebAlerts_CL` - `CyfirmaSPESourceCodeAlerts_CL` - `CyfirmaSPEConfidentialFilesAlerts_CL` - `CyfirmaSPEPIIAndCIIAlerts_CL` - `CyfirmaSPESocialThreatAlerts_CL` Data collection rule support: Not currently supported	Cyfirma
Cynerio Security Events The Cynerio connector allows you to easily connect your Cynerio Security Events with Microsoft Sentinel, to view IDS Events. This gives you more insight into your organization network security posture and improves your security operation capabilities. Log Analytics table(s): - `CynerioEvent_CL` Data collection rule support: Not currently supported	Cynerio
Darktrace Connector for Microsoft Sentinel REST API The Darktrace REST API connector pushes real-time events from Darktrace to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Sentinel. The connector writes logs to a custom log table titled "darktrace_model_alerts_CL"; Model Breaches, AI Analyst Incidents, System Alerts and Email Alerts can be ingested - additional filters can be set up on the Darktrace System Configuration page. Data is pushed to Sentinel from Darktrace masters. Log Analytics table(s): - `darktrace_model_alerts_CL` Data collection rule support: Not currently supported Prerequisites: - Darktrace Prerequisites: To use this Data Connector a Darktrace master running v5.2+ is required. Data is sent to the Azure Monitor HTTP Data Collector API over HTTPs from Darktrace masters, therefore outbound connectivity from the Darktrace master to Microsoft Sentinel REST API is required. - Filter Darktrace Data: During configuration it is possible to set up additional filtering on the Darktrace System Configuration page to constrain the amount or types of data sent. - Try the Darktrace Sentinel Solution: You can get the most out of this connector by installing the Darktrace Solution for Microsoft Sentinel. This will provide workbooks to visualise alert data and analytics rules to automatically create alerts and incidents from Darktrace Model Breaches and AI Analyst incidents.	Darktrace
Datalake2Sentinel This solution installs the Datalake2Sentinel connector which is built using the Codeless Connector Framework and allows you to automatically ingest threat intelligence indicators from Datalake Orange Cyberdefense's CTI platform into Microsoft Sentinel via the Upload Indicators REST API. After installing the solution, configure and enable this data connector by following guidance in Manage solution view. Log Analytics table(s): - `ThreatIntelligenceIndicator` Data collection rule support: Not currently supported	Orange Cyberdefense
Dataminr Pulse Alerts Data Connector (using Azure Functions) Dataminr Pulse Alerts Data Connector brings our AI-powered real-time intelligence into Microsoft Sentinel for faster threat detection and response. Log Analytics table(s): - `DataminrPulse_Alerts_CL` Data collection rule support: Not currently supported Prerequisites: - Azure Subscription: Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group. - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Required Dataminr Credentials/permissions: a. Users must have a valid Dataminr Pulse API client ID and secret to use this data connector. b. One or more Dataminr Pulse Watchlists must be configured in the Dataminr Pulse website.	Dataminr Support
Derdack SIGNL4 When critical systems fail or security incidents happen, SIGNL4 bridges the ‘last mile’ to your staff, engineers, IT admins and workers in the field. It adds real-time mobile alerting to your services, systems, and processes in no time. SIGNL4 notifies through persistent mobile push, SMS text and voice calls with acknowledgement, tracking and escalation. Integrated duty and shift scheduling ensure the right people are alerted at the right time. Learn more > Log Analytics table(s): - `SecurityIncident` Data collection rule support: Not currently supported	Derdack
Digital Shadows Searchlight (using Azure Functions) The Digital Shadows data connector provides ingestion of the incidents and alerts from Digital Shadows Searchlight into the Microsoft Sentinel using the REST API. The connector will provide the incidents and alerts information such that it helps to examine, diagnose and analyse the potential security risks and threats. Log Analytics table(s): - `DigitalShadows_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: Digital Shadows account ID, secret and key is required. See the documentation to learn more about API on the `https://portal-digitalshadows.com/learn/searchlight-api/overview/description`.	Digital Shadows
DNS The DNS log connector allows you to easily connect your DNS analytic and audit logs with Microsoft Sentinel, and other related data, to improve investigation. When you enable DNS log collection you can: - Identify clients that try to resolve malicious ___domain names. - Identify stale resource records. - Identify frequently queried ___domain names and talkative DNS clients. - View request load on DNS servers. - View dynamic DNS registration failures. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `DnsEvents` - `DnsInventory` Data collection rule support: Not currently supported	Microsoft Corporation
Doppel Data Connector The data connector is built on Microsoft Sentinel for Doppel events and alerts and supports DCR-based ingestion time transformations that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance. Log Analytics table(s): - `DoppelTable_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft Entra Tenant ID, Client ID and Client Secret: Microsoft Entra ID requires a Client ID and Client Secret to authenticate your application. Additionally, Global Admin/Owner level access is required to assign the Entra-registered application a Resource Group Monitoring Metrics Publisher role. - Requires Workspace ID, DCE-URI, DCR-ID: You will need to get the Log Analytics Workspace ID, DCE Logs Ingestion URI and DCR Immutable ID for the configuration.	Doppel
Dragos Notifications via Cloud Sitestore The Dragos Platform is the leading Industrial Cyber Security platform it offers a comprehensive Operational Technology (OT) cyber threat detection built by unrivaled industrial cybersecurity expertise. This solution enables Dragos Platform notification data to be viewed in Microsoft Sentinel so that security analysts are able to triage potential cyber security events occurring in their industrial environments. Log Analytics table(s): - `DragosAlerts_CL` Data collection rule support: Not currently supported Prerequisites: - Dragos Sitestore API access: A Sitestore user account that has the `notification:read` permission. This account also needs to have an API key that can be provided to Sentinel.	Dragos Inc
Druva Events Connector Provides capability to ingest the Druva events from Druva APIs Log Analytics table(s): - `DruvaSecurityEvents_CL` Data collection rule support: Not currently supported Prerequisites: - Druva API Access: Druva API requires a client id and client secret to authenticate	Druva Inc
Dynamics 365 Finance and Operations Dynamics 365 for Finance and Operations is a comprehensive Enterprise Resource Planning (ERP) solution that combines financial and operational capabilities to help businesses manage their day-to-day operations. It offers a range of features that enable businesses to streamline workflows, automate tasks, and gain insights into operational performance. The Dynamics 365 Finance and Operations data connector ingests Dynamics 365 Finance and Operations admin activities and audit logs as well as user business process and application activities logs into Microsoft Sentinel. Log Analytics table(s): - `FinanceOperationsActivity_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft Entra app registration: Application client ID and secret used to access Dynamics 365 Finance and Operations.	Microsoft Corporation
Dynamics365 The Dynamics 365 Common Data Service (CDS) activities connector provides insight into admin, user, and support activities, as well as Microsoft Social Engagement logging events. By connecting Dynamics 365 CRM logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process. Log Analytics table(s): - `Dynamics365Activity` Data collection rule support: Not currently supported	Microsoft Corporation
Dynatrace Attacks This connector uses the Dynatrace Attacks REST API to ingest detected attacks into Microsoft Sentinel Log Analytics Log Analytics table(s): - `DynatraceAttacks_CL` Data collection rule support: Not currently supported Prerequisites: - Dynatrace tenant (ex. xyz.dynatrace.com): You need a valid Dynatrace tenant with Application Security enabled, learn more about the Dynatrace platform. - Dynatrace Access Token: You need a Dynatrace Access Token, the token should have Read attacks (attacks.read) scope.	Dynatrace
Dynatrace Audit Logs This connector uses the Dynatrace Audit Logs REST API to ingest tenant audit logs into Microsoft Sentinel Log Analytics Log Analytics table(s): - `DynatraceAuditLogs_CL` Data collection rule support: Not currently supported Prerequisites: - Dynatrace tenant (ex. xyz.dynatrace.com): You need a valid Dynatrace Tenant, to learn more about the Dynatrace platform Start your free trial. - Dynatrace Access Token: You need a Dynatrace Access Token, the token should have Read audit logs (auditLogs.read) scope.	Dynatrace
Dynatrace Problems This connector uses the Dynatrace Problem REST API to ingest problem events into Microsoft Sentinel Log Analytics Log Analytics table(s): - `DynatraceProblems_CL` Data collection rule support: Not currently supported Prerequisites: - Dynatrace tenant (ex. xyz.dynatrace.com): You need a valid Dynatrace Tenant, to learn more about the Dynatrace platform Start your free trial. - Dynatrace Access Token: You need a Dynatrace Access Token, the token should have Read problems (problems.read) scope.	Dynatrace
Dynatrace Runtime Vulnerabilities This connector uses the Dynatrace Security Problem REST API to ingest detected runtime vulnerabilities into Microsoft Sentinel Log Analytics. Log Analytics table(s): - `DynatraceSecurityProblems_CL` Data collection rule support: Not currently supported Prerequisites: - Dynatrace tenant (ex. xyz.dynatrace.com): You need a valid Dynatrace tenant with Application Security enabled, learn more about the Dynatrace platform. - Dynatrace Access Token: You need a Dynatrace Access Token, the token should have Read security problems (securityProblems.read) scope.	Dynatrace
Elastic Agent (Standalone) The Elastic Agent data connector provides the capability to ingest Elastic Agent logs, metrics, and security data into Microsoft Sentinel. Log Analytics table(s): - `ElasticAgentEvent` Data collection rule support: Not currently supported Prerequisites: - Include custom pre-requisites if the connectivity requires - else delete customs: Description for any custom pre-requisite	Microsoft Corporation
Ermes Browser Security Events Ermes Browser Security Events Log Analytics table(s): - `ErmesBrowserSecurityEvents_CL` Data collection rule support: Not currently supported Prerequisites: - Ermes Client Id and Client Secret: Enable API access in Ermes. Please contact Ermes Cyber Security support for more information.	Ermes Cyber Security S.p.A.
ESET Protect Platform (using Azure Functions) The ESET Protect Platform data connector enables users to inject detections data from ESET Protect Platform using the provided Integration REST API. Integration REST API runs as scheduled Azure Function App. Log Analytics table(s): - `IntegrationTable_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Permission to register an application in Microsoft Entra ID: Sufficient permissions to register an application with your Microsoft Entra tenant are required. - Permission to assign a role to the registered application: Permission to assign the Monitoring Metrics Publisher role to the registered application in Microsoft Entra ID is required.	ESET Enterprise Integrations
Exchange Security Insights On-Premises Collector Connector used to push Exchange On-Premises Security configuration for Microsoft Sentinel Analysis Log Analytics table(s): - `ESIExchangeConfig_CL` Data collection rule support: Not currently supported Prerequisites: - Service Account with Organization Management role: The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information. - Detailled documentation: >NOTE: Detailled documentation on Installation procedure and usage can be found here	Community
Exchange Security Insights Online Collector (using Azure Functions) Connector used to push Exchange Online Security configuration for Microsoft Sentinel Analysis Log Analytics table(s): - `ESIExchangeOnlineConfig_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - microsoft.automation/automationaccounts permissions: Read and write permissions to create an Azure Automation with a Runbook is required. For more information, see Automation Account. - Microsoft.Graph permissions: Groups.Read, Users.Read and Auditing.Read permissions are required to retrieve user/group information linked to Exchange Online assignments. See the documentation to learn more. - Exchange Online permissions: Exchange.ManageAsApp permission and Global Reader or Security Reader Role are needed to retrieve the Exchange Online Security Configuration.See the documentation to learn more. - (Optional) Log Storage permissions: Storage Blob Data Contributor to a storage account linked to the Automation Account Managed identity or an Application ID is mandatory to store logs.See the documentation to learn more.	Community
F5 BIG-IP The F5 firewall connector allows you to easily connect your F5 logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. Log Analytics table(s): - `F5Telemetry_LTM_CL` - `F5Telemetry_system_CL` - `F5Telemetry_ASM_CL` Data collection rule support: Not currently supported	F5 Networks
Feedly This connector allows you to ingest IoCs from Feedly. Log Analytics table(s): - `feedly_indicators_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Custom prerequisites if necessary, otherwise delete this customs tag: Description for any custom pre-requisites	Feedly Inc
Flare Flare connector allows you to receive data and intelligence from Flare on Microsoft Sentinel. Log Analytics table(s): - `Firework_CL` Data collection rule support: Not currently supported Prerequisites: - Required Flare permissions: Only Flare organization administrators may configure the Microsoft Sentinel integration.	Flare
Forcepoint DLP The Forcepoint DLP (Data Loss Prevention) connector allows you to automatically export DLP incident data from Forcepoint DLP into Microsoft Sentinel in real-time. This enriches visibility into user activities and data loss incidents, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. Log Analytics table(s): - `ForcepointDLPEvents_CL` Data collection rule support: Not currently supported	Community
Forescout The Forescout data connector provides the capability to ingest Forescout events into Microsoft Sentinel. Refer to Forescout documentation for more information. Log Analytics table(s): - `ForescoutEvent` Data collection rule support: Not currently supported	Microsoft Corporation
Forescout Host Property Monitor The Forescout Host Property Monitor connector allows you to connect host properties from Forescout platform with Microsoft Sentinel, to view, create custom incidents, and improve investigation. This gives you more insight into your organization network and improves your security operation capabilities. Log Analytics table(s): - `ForescoutHostProperties_CL` Data collection rule support: Not currently supported Prerequisites: - Forescout Plugin requirement: Please make sure Forescout Microsoft Sentinel plugin is running on Forescout platform	Microsoft Corporation
Fortinet FortiNDR Cloud (using Azure Functions) The Fortinet FortiNDR Cloud data connector provides the capability to ingest Fortinet FortiNDR Cloud data into Microsoft Sentinel using the FortiNDR Cloud API Log Analytics table(s): - `FncEventsSuricata_CL` - `FncEventsObservation_CL` - `FncEventsDetections_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - MetaStream Credentials: AWS Access Key Id, AWS Secret Access Key, FortiNDR Cloud Account Code are required to retrieve event data. - API Credentials: FortiNDR Cloud API Token, FortiNDR Cloud Account UUID are required to retrieve detection data.	Fortinet
Garrison ULTRA Remote Logs (using Azure Functions) The Garrison ULTRA Remote Logs connector allows you to ingest Garrison ULTRA Remote Logs into Microsoft Sentinel. Log Analytics table(s): - `Garrison_ULTRARemoteLogs_CL` Data collection rule support: Not currently supported Prerequisites: - Garrison ULTRA: To use this data connector you must have an active Garrison ULTRA license.	Garrison
GCP Pub/Sub Audit Logs The Google Cloud Platform (GCP) audit logs, ingested from Microsoft Sentinel's connector, enables you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources. Log Analytics table(s): - `GCPAuditLogs` Data collection rule support: Not currently supported	Microsoft Corporation
GCP Pub/Sub Load Balancer Logs (via Codeless Connector Framework). Google Cloud Platform (GCP) Load Balancer logs provide detailed insights into network traffic, capturing both inbound and outbound activities. These logs are used for monitoring access patterns and identifying potential security threats across GCP resources. Additionally, these logs also include GCP Web Application Firewall (WAF) logs, enhancing the ability to detect and mitigate risks effectively. Log Analytics table(s): - `GCPLoadBalancerLogs_CL` Data collection rule support: Not currently supported	Microsoft Corporation
GCP Pub/Sub VPC Flow Logs (via Codeless Connector Framework) (Preview) The Google Cloud Platform (GCP) VPC Flow Logs enable you to capture network traffic activity at the VPC level, allowing you to monitor access patterns, analyze network performance, and detect potential threats across GCP resources. Log Analytics table(s): - `GCPVPCFlow` Data collection rule support: Not currently supported	Microsoft Corporation
Gigamon AMX Data Connector Use this data connector to integrate with Gigamon Application Metadata Exporter (AMX) and get data sent directly to Microsoft Sentinel. Log Analytics table(s): - `Gigamon_CL` Data collection rule support: Not currently supported	Gigamon
GitHub (using Webhooks) (using Azure Functions) The GitHub webhook data connector provides the capability to ingest GitHub subscribed events into Microsoft Sentinel using GitHub webhook events. The connector provides ability to get events into Microsoft Sentinel which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. Note: If you are intended to ingest Github Audit logs, Please refer to GitHub Enterprise Audit Log Connector from "Data Connectors" gallery. Log Analytics table(s): - `githubscanaudit_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.	Microsoft Corporation
GitHub Enterprise Audit Log The GitHub audit log connector provides the capability to ingest GitHub logs into Microsoft Sentinel. By connecting GitHub audit logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process. Note: If you intended to ingest GitHub subscribed events into Microsoft Sentinel, please refer to GitHub (using Webhooks) Connector from "Data Connectors" gallery. Log Analytics table(s): - `GitHubAuditLogPolling_CL` Data collection rule support: Not currently supported Prerequisites: - GitHub API personal access token: You need a GitHub personal access token to enable polling for the organization audit log. You may use either a classic token with 'read:org' scope OR a fine-grained token with 'Administration: Read-only' scope. - GitHub Enterprise type: This connector will only function with GitHub Enterprise Cloud; it will not support GitHub Enterprise Server.	Microsoft Corporation
Google ApigeeX (using Azure Functions) The Google ApigeeX data connector provides the capability to ingest ApigeeX audit logs into Microsoft Sentinel using the GCP Logging API. Refer to GCP Logging API documentation for more information. Log Analytics table(s): - `ApigeeX_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - GCP service account: GCP service account with permissions to read logs is required for GCP Logging API. Also json file with service account key is required. See the documentation to learn more about required permissions, creating service account and creating service account key.	Microsoft Corporation
Google Cloud Platform Cloud Monitoring (using Azure Functions) The Google Cloud Platform Cloud Monitoring data connector provides the capability to ingest GCP Monitoring metrics into Microsoft Sentinel using the GCP Monitoring API. Refer to GCP Monitoring API documentation for more information. Log Analytics table(s): - `GCP_MONITORING_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - GCP service account: GCP service account with permissions to read Cloud Monitoring metrics is required for GCP Monitoring API (required Monitoring Viewer role). Also json file with service account key is required. See the documentation to learn more about creating service account and creating service account key.	Microsoft Corporation
Google Cloud Platform DNS (via Codeless Connector Framework) (Preview) The Google Cloud Platform DNS data connector provides the capability to ingest Cloud DNS Query logs and Cloud DNS Audit logs into Microsoft Sentinel using the Google Cloud DNS API. Refer to Cloud DNS API documentation for more information. Log Analytics table(s): - `GCPDNS` Data collection rule support: Not currently supported	Microsoft Corporation
Google Cloud Platform IAM (via Codeless Connector Framework) (Preview) The Google Cloud Platform IAM data connector provides the capability to ingest the Audit logs relating to Identity and Access Management (IAM) activities within Google Cloud into Microsoft Sentinel using the Google IAM API. Refer to GCP IAM API documentation for more information. Log Analytics table(s): - `GCP_IAMV2_CL` Data collection rule support: Not currently supported	Microsoft Corporation
Google Security Command Center The Google Cloud Platform (GCP) Security Command Center is a comprehensive security and risk management platform for Google Cloud, ingested from Sentinel's connector. It offers features such as asset inventory and discovery, vulnerability and threat detection, and risk mitigation and remediation to help you gain insight into your organization's security and data attack surface. This integration enables you to perform tasks related to findings and assets more effectively. Log Analytics table(s): - `GoogleCloudSCC` Data collection rule support: Not currently supported	Microsoft Corporation
Google Workspace (G Suite) (using Azure Functions) The Google Workspace data connector provides the capability to ingest Google Workspace Activity events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems, track who signs in and when, analyze administrator activity, understand how users create and share content, and more review events in your org. Log Analytics table(s): - `GWorkspace_ReportsAPI_admin_CL` - `GWorkspace_ReportsAPI_calendar_CL` - `GWorkspace_ReportsAPI_drive_CL` - `GWorkspace_ReportsAPI_login_CL` - `GWorkspace_ReportsAPI_mobile_CL` - `GWorkspace_ReportsAPI_token_CL` - `GWorkspace_ReportsAPI_user_accounts_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: GooglePickleString is required for REST API. For more information, see API. Instructions to obtain the credentials are shown during the installation process. You can check all requirements and follow the instructions from here as well.	Microsoft Corporation
GreyNoise Threat Intelligence (using Azure Functions) This Data Connector installs an Azure Function app to download GreyNoise indicators once per day and inserts them into the ThreatIntelligenceIndicator table in Microsoft Sentinel. Log Analytics table(s): - `ThreatIntelligenceIndicator` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - GreyNoise API Key: Retrieve your GreyNoise API Key here.	GreyNoise
HackerView Intergration (using Azure Functions) Through the API integration, you have the capability to retrieve all the issues related to your HackerView organizations via a RESTful interface. Log Analytics table(s): - `HackerViewLog_Azure_1_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.	Cyber Threat Management 360
Holm Security Asset Data (using Azure Functions) The connector provides the capability to poll data from Holm Security Center into Microsoft Sentinel. Log Analytics table(s): - `net_assets_CL` - `web_assets_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Holm Security API Token: Holm Security API Token is required. Holm Security API Token	Holm Security
IIS Logs of Microsoft Exchange Servers [Option 5] - Using Azure Monitor Agent - You can stream all IIS Logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation. Log Analytics table(s): - `W3CIISLog` Data collection rule support: Not currently supported Prerequisites: - Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. Learn more - Detailled documentation: >NOTE: Detailled documentation on Installation procedure and usage can be found here	Community
Illumio SaaS (using Azure Functions) Illumio connector provides the capability to ingest events into Microsoft Sentinel. The connector provides ability to ingest auditable and flow events from AWS S3 bucket. Log Analytics table(s): - `Illumio_Auditable_Events_CL` - `Illumio_Flow_Events_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - SQS and AWS S3 account credentials/permissions: AWS_SECRET, AWS_REGION_NAME, AWS_KEY, QUEUE_URL is required. If you are using s3 bucket provided by Illumio, contact Illumio support. At your request they will provide you with the AWS S3 bucket name, AWS SQS url and AWS credentials to access them. - Illumio API key and secret: ILLUMIO_API_KEY, ILLUMIO_API_SECRET is required for a workbook to make connection to SaaS PCE and fetch api responses.	Illumio
Imperva Cloud WAF (using Azure Functions) The Imperva Cloud WAF data connector provides the capability to integrate and ingest Web Application Firewall events into Microsoft Sentinel through the REST API. Refer to Log integration documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `ImpervaWAFCloud_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: ImpervaAPIID, ImpervaAPIKey, ImpervaLogServerURI are required for the API. For more information, see Setup Log Integration process. Check all requirements and follow the instructions for obtaining credentials. Please note that this connector uses CEF log event format. More information about log format.	Microsoft Corporation
Infoblox Cloud Data Connector via AMA The Infoblox Cloud Data Connector allows you to easily connect your Infoblox data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. Log Analytics table(s): - `CommonSecurityLog` Data collection rule support: Workspace transform DCR	Infoblox
Infoblox Data Connector via REST API (using Azure Functions) The Infoblox Data Connector allows you to easily connect your Infoblox TIDE data and Dossier data with Microsoft Sentinel. By connecting your data to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. Log Analytics table(s): - `Failed_Range_To_Ingest_CL` - `Infoblox_Failed_Indicators_CL` - `dossier_whois_CL` - `dossier_tld_risk_CL` - `dossier_threat_actor_CL` - `dossier_rpz_feeds_records_CL` - `dossier_rpz_feeds_CL` - `dossier_nameserver_matches_CL` - `dossier_nameserver_CL` - `dossier_malware_analysis_v3_CL` - `dossier_inforank_CL` - `dossier_infoblox_web_cat_CL` - `dossier_geo_CL` - `dossier_dns_CL` - `dossier_atp_threat_CL` - `dossier_atp_CL` - `dossier_ptr_CL` Data collection rule support: Not currently supported Prerequisites: - Azure Subscription: Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group. - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: Infoblox API Key is required. See the documentation to learn more about API on the Rest API reference	Infoblox
Infoblox SOC Insight Data Connector via AMA The Infoblox SOC Insight Data Connector allows you to easily connect your Infoblox BloxOne SOC Insight data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. This data connector ingests Infoblox SOC Insight CDC logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector. Log Analytics table(s): - `CommonSecurityLog` Data collection rule support: Workspace transform DCR Prerequisites: - To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. Learn more - Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed. Learn more	Infoblox
Infoblox SOC Insight Data Connector via REST API The Infoblox SOC Insight Data Connector allows you to easily connect your Infoblox BloxOne SOC Insight data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. Log Analytics table(s): - `InfobloxInsight_CL` Data collection rule support: Not currently supported	Infoblox
InfoSecGlobal Data Connector Use this data connector to integrate with InfoSec Crypto Analytics and get data sent directly to Microsoft Sentinel. Log Analytics table(s): - `InfoSecAnalytics_CL` Data collection rule support: Not currently supported	InfoSecGlobal
Island Enterprise Browser Admin Audit (Polling CCF) The Island Admin connector provides the capability to ingest Island Admin Audit logs into Microsoft Sentinel. Log Analytics table(s): - `Island_Admin_CL` Data collection rule support: Not currently supported Prerequisites: - Island API Key: An Island API key is required.	Island
Island Enterprise Browser User Activity (Polling CCF) The Island connector provides the capability to ingest Island User Activity logs into Microsoft Sentinel. Log Analytics table(s): - `Island_User_CL` Data collection rule support: Not currently supported Prerequisites: - Island API Key: An Island API key is required.	Island
Jamf Protect Push Connector The Jamf Protect connector provides the capability to read raw event data from Jamf Protect in Microsoft Sentinel. Log Analytics table(s): - `jamfprotecttelemetryv2_CL` - `jamfprotectunifiedlogs_CL` - `jamfprotectalerts_CL` Data collection rule support: Supported Prerequisites: - Microsoft Entra: Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher. - Microsoft Azure: Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). Typically requires Azure RBAC Owner or User Access Administrator role	Jamf Software, LLC
LastPass Enterprise - Reporting (Polling CCF) The LastPass Enterprise connector provides the capability to LastPass reporting (audit) logs into Microsoft Sentinel. The connector provides visibility into logins and activity within LastPass (such as reading and removing passwords). Log Analytics table(s): - `LastPassNativePoller_CL` Data collection rule support: Not currently supported Prerequisites: - LastPass API Key and CID: A LastPass API key and CID are required. For more information, see LastPass API.	The Collective Consulting
Lookout (using Azure Function) The Lookout data connector provides the capability to ingest Lookout events into Microsoft Sentinel through the Mobile Risk API. Refer to API documentation for more information. The Lookout data connector provides ability to get events which helps to examine potential security risks and more. Log Analytics table(s): - `Lookout_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Mobile Risk API Credentials/permissions: EnterpriseName & ApiKey are required for Mobile Risk API. For more information, see API. Check all requirements and follow the instructions for obtaining credentials.	Lookout
Luminar IOCs and Leaked Credentials (using Azure Functions) Luminar IOCs and Leaked Credentials connector allows integration of intelligence-based IOC data and customer-related leaked records identified by Luminar. Log Analytics table(s): - `ThreatIntelligenceIndicator` Data collection rule support: Not currently supported Prerequisites: - Azure Subscription: Azure Subscription with owner role is required to register an application in azure active directory() and assign role of contributor to app in resource group. - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: Luminar Client ID, Luminar Client Secret and Luminar Account ID are required.	Cognyte Luminar
MailGuard 365 MailGuard 365 Enhanced Email Security for Microsoft 365. Exclusive to the Microsoft marketplace, MailGuard 365 is integrated with Microsoft 365 security (incl. Defender) for enhanced protection against advanced email threats like phishing, ransomware and sophisticated BEC attacks. Log Analytics table(s): - `MailGuard365_Threats_CL` Data collection rule support: Not currently supported	MailGuard 365
MailRisk by Secure Practice (using Azure Functions) Data connector to push emails from MailRisk into Microsoft Sentinel Log Analytics. Log Analytics table(s): - `MailRiskEmails_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - API credentials: Your Secure Practice API key pair is also needed, which are created in the settings in the admin portal. If you have lost your API secret, you can generate a new key pair (WARNING: Any other integrations using the old key pair will stop working).	Secure Practice
Microsoft 365 (formerly, Office 365) The Microsoft 365 (formerly, Office 365) activity log connector provides insight into ongoing user activities. You will get details of operations such as file downloads, access requests sent, changes to group events, set-mailbox and details of the user who performed the actions. By connecting Microsoft 365 logs into Microsoft Sentinel you can use this data to view dashboards, create custom alerts, and improve your investigation process. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `OfficeActivity` Data collection rule support: Not currently supported	Microsoft Corporation
Microsoft 365 Insider Risk Management Microsoft 365 Insider Risk Management is a compliance solution in Microsoft 365 that helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. Insider risk policies allow you to: - define the types of risks you want to identify and detect in your organization. - decide on what actions to take in response, including escalating cases to Microsoft Advanced eDiscovery if needed. This solution produces alerts that can be seen by Office customers in the Insider Risk Management solution in Microsoft 365 Compliance Center. Learn More about Insider Risk Management. These alerts can be imported into Microsoft Sentinel with this connector, allowing you to see, investigate, and respond to them in a broader organizational threat context. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `SecurityAlert` Data collection rule support: Not currently supported	Microsoft Corporation
Microsoft Active-Directory Domain Controllers Security Event Logs [Option 3 & 4] - Using Azure Monitor Agent -You can stream a part or all Domain Controllers Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation. Log Analytics table(s): - `SecurityEvent` Data collection rule support: Not currently supported Prerequisites: - Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. Learn more - Detailled documentation: >NOTE: Detailled documentation on Installation procedure and usage can be found here	Community
Microsoft Dataverse Microsoft Dataverse is a scalable and secure data platform that enables organizations to store and manage data used by business applications. The Microsoft Dataverse data connector provides the capability to ingest Dataverse and Dynamics 365 CRM activity logs from the Microsoft Purview Audit log into Microsoft Sentinel. Log Analytics table(s): - `DataverseActivity` Data collection rule support: Not currently supported Prerequisites: - Tenant Permissions: 'Security Administrator' or 'Global Administrator' on the workspace's tenant. - Micorosft Purview Audit: Microsoft Purview Audit (Standard or Premium) must be activated. - Production Dataverse: Activity logging is available only for Production environments. Other types, such as sandbox, do not support activity logging. - Dataverse Audit Settings: Audit settings must be configured both globally and at the entity/table level. For more information, see Dataverse audit settings.	Microsoft Corporation
Microsoft Defender for Cloud Apps By connecting with Microsoft Defender for Cloud Apps you will gain visibility into your cloud apps, get sophisticated analytics to identify and combat cyberthreats, and control how your data travels. - Identify shadow IT cloud apps on your network. - Control and limit access based on conditions and session context. - Use built-in or custom policies for data sharing and data loss prevention. - Identify high-risk use and get alerts for unusual user activities with Microsoft behavioral analytics and anomaly detection capabilities, including ransomware activity, impossible travel, suspicious email forwarding rules, and mass download of files. - Mass download of files Deploy now > Log Analytics table(s): - `SecurityAlert` - `McasShadowItReporting` Data collection rule support: Not currently supported	Microsoft Corporation
Microsoft Defender for Endpoint Microsoft Defender for Endpoint is a security platform designed to prevent, detect, investigate, and respond to advanced threats. The platform creates alerts when suspicious security events are seen in an organization. Fetch alerts generated in Microsoft Defender for Endpoint to Microsoft Sentinel so that you can effectively analyze security events. You can create rules, build dashboards and author playbooks for immediate response. For more information, see the Microsoft Sentinel documentation >. Log Analytics table(s): - `SecurityAlert` Data collection rule support: Not currently supported	Microsoft Corporation
Microsoft Defender for Identity Connect Microsoft Defender for Identity to gain visibility into the events and user analytics. Microsoft Defender for Identity identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Microsoft Defender for Identity enables SecOp analysts and security professionals struggling to detect advanced attacks in hybrid environments to: - Monitor users, entity behavior, and activities with learning-based analytics - Protect user identities and credentials stored in Active Directory - Identify and investigate suspicious user activities and advanced attacks throughout the kill chain - Provide clear incident information on a simple timeline for fast triage Try now > Deploy now > For more information, see the Microsoft Sentinel documentation >. Log Analytics table(s): - `SecurityAlert` Data collection rule support: Not currently supported	Microsoft Corporation
Microsoft Defender for IoT Gain insights into your IoT security by connecting Microsoft Defender for IoT alerts to Microsoft Sentinel. You can get out-of-the-box alert metrics and data, including alert trends, top alerts, and alert breakdown by severity. You can also get information about the recommendations provided for your IoT hubs including top recommendations and recommendations by severity. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `SecurityAlert` Data collection rule support: Not currently supported	Microsoft Corporation
Microsoft Defender for Office 365 (Preview) Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools. By ingesting Microsoft Defender for Office 365 alerts into Microsoft Sentinel, you can incorporate information about email- and URL-based threats into your broader risk analysis and build response scenarios accordingly. The following types of alerts will be imported: - A potentially malicious URL click was detected - Email messages containing malware removed after delivery - Email messages containing phish URLs removed after delivery - Email reported by user as malware or phish - Suspicious email sending patterns detected - User restricted from sending email These alerts can be seen by Office customers in the Office Security and Compliance Center. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `SecurityAlert` Data collection rule support: Not currently supported	Microsoft Corporation
Microsoft Defender Threat Intelligence Microsoft Sentinel provides you the capability to import threat intelligence generated by Microsoft to enable monitoring, alerting and hunting. Use this data connector to import Indicators of Compromise (IOCs) from Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes, etc. Log Analytics table(s): - `ThreatIntelligenceIndicator` Data collection rule support: Not currently supported	Microsoft Corporation
Microsoft Defender XDR Microsoft Defender XDR is a unified, natively integrated, pre- and post-breach enterprise defense suite that protects endpoint, identity, email, and applications and helps you detect, prevent, investigate, and automatically respond to sophisticated threats. Microsoft Defender XDR suite includes: - Microsoft Defender for Endpoint - Microsoft Defender for Identity - Microsoft Defender for Office 365 - Threat & Vulnerability Management - Microsoft Defender for Cloud Apps For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `SecurityIncident` - `SecurityAlert` - `DeviceEvents` - `EmailEvents` - `IdentityLogonEvents` - `CloudAppEvents` - `AlertEvidence` Data collection rule support: Not currently supported	Microsoft Corporation
Microsoft Entra ID Gain insights into Microsoft Entra ID by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Microsoft Entra ID scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Microsoft Entra ID Management activities like user, group, role, app management using our Audit logs table. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `SigninLogs` - `AuditLogs` - `AADNonInteractiveUserSignInLogs` - `AADServicePrincipalSignInLogs` - `AADManagedIdentitySignInLogs` - `AADProvisioningLogs` - `ADFSSignInLogs` - `AADUserRiskEvents` - `AADRiskyUsers` - `NetworkAccessTraffic` - `AADRiskyServicePrincipals` - `AADServicePrincipalRiskEvents` Data collection rule support: Not currently supported	Microsoft Corporation
Microsoft Entra ID Protection Microsoft Entra ID Protection provides a consolidated view at risk users, risk events and vulnerabilities, with the ability to remediate risk immediately, and set policies to auto-remediate future events. The service is built on Microsoft’s experience protecting consumer identities and gains tremendous accuracy from the signal from over 13 billion logins a day. Integrate Microsoft Microsoft Entra ID Protection alerts with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. For more information, see the Microsoft Sentinel documentation . Get Microsoft Entra ID Premium P1/P2 Log Analytics table(s): - `SecurityAlert` Data collection rule support: Not currently supported	Microsoft Corporation
Microsoft Exchange Admin Audit Logs by Event Logs [Option 1] - Using Azure Monitor Agent - You can stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment Log Analytics table(s): - `Event` Data collection rule support: Not currently supported Prerequisites: - Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. Learn more - Detailled documentation: >NOTE: Detailled documentation on Installation procedure and usage can be found here	Community
Microsoft Exchange HTTP Proxy Logs [Option 7] - Using Azure Monitor Agent - You can stream HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you create custom alerts, and improve investigation. Learn more Log Analytics table(s): - `ExchangeHttpProxy_CL` Data collection rule support: Not currently supported Prerequisites: - Azure Log Analytics will be deprecated: Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. Learn more - Detailled documentation: >NOTE: Detailled documentation on Installation procedure and usage can be found here	Community
Microsoft Exchange Logs and Events [Option 2] - Using Azure Monitor Agent - You can stream all Exchange Security & Application Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation. Log Analytics table(s): - `Event` Data collection rule support: Not currently supported Prerequisites: - Azure Log Analytics will be deprecated: Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. Learn more - Detailled documentation: >NOTE: Detailled documentation on Installation procedure and usage can be found here	Community
Microsoft Exchange Message Tracking Logs [Option 6] - Using Azure Monitor Agent - You can stream all Exchange Message Tracking from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. Those logs can be used to track the flow of messages in your Exchange environment. This data connector is based on the option 6 of the Microsoft Exchange Security wiki. Log Analytics table(s): - `MessageTrackingLog_CL` Data collection rule support: Not currently supported Prerequisites: - Azure Log Analytics will be deprecated: Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. Learn more - Detailled documentation: >NOTE: Detailled documentation on Installation procedure and usage can be found here	Community
Microsoft Power Automate Power Automate is a Microsoft service that helps users create automated workflows between apps and services to synchronize files, get notifications, collect data, and more. It simplifies task automation, increasing efficiency by reducing manual, repetitive tasks, and enhancing productivity. The Power Automate data connector provides the capability to ingest Power Automate activity logs from the Microsoft Purview Audit log into Microsoft Sentinel. Log Analytics table(s): - `PowerAutomateActivity` Data collection rule support: Not currently supported Prerequisites: - Tenant Permissions: 'Security Administrator' or 'Global Administrator' on the workspace's tenant. - Micorosft Purview Audit: Microsoft Purview Audit (Standard or Premium) must be activated.	Microsoft Corporation
Microsoft Power Platform Admin Activity Microsoft Power Platform is a low-code/no-code suite empowering both citizen and pro developers to streamline business processes by enabling the creation of custom apps, automation of workflows, and data analysis with minimal coding. The Power Platform Admin data connector provides the capability to ingest Power Platform administrator activity logs from the Microsoft Purview Audit log into Microsoft Sentinel. Log Analytics table(s): - `PowerPlatformAdminActivity` Data collection rule support: Not currently supported Prerequisites: - Tenant Permissions: 'Security Administrator' or 'Global Administrator' on the workspace's tenant. - Micorosft Purview Audit: Microsoft Purview Audit (Standard or Premium) must be activated.	Microsoft Corporation
Microsoft PowerBI Microsoft PowerBI is a collection of software services, apps, and connectors that work together to turn your unrelated sources of data into coherent, visually immersive, and interactive insights. Your data may be an Excel spreadsheet, a collection of cloud-based and on-premises hybrid data warehouses, or a data store of some other type. This connector lets you stream PowerBI audit logs into Microsoft Sentinel, allowing you to track user activities in your PowerBI environment. You can filter the audit data by date range, user, dashboard, report, dataset, and activity type. Log Analytics table(s): - `PowerBIActivity` Data collection rule support: Not currently supported	Microsoft Corporation
Microsoft Project Microsoft Project (MSP) is a project management software solution. Depending on your plan, Microsoft Project lets you plan projects, assign tasks, manage resources, create reports and more. This connector allows you to stream your Azure Project audit logs into Microsoft Sentinel in order to track your project activities. Log Analytics table(s): - `ProjectActivity` Data collection rule support: Not currently supported	Microsoft
Microsoft Purview Connect to Microsoft Purview to enable data sensitivity enrichment of Microsoft Sentinel. Data classification and sensitivity label logs from Microsoft Purview scans can be ingested and visualized through workbooks, analytical rules, and more. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `PurviewDataSensitivityLogs` Data collection rule support: Not currently supported	Microsoft Corporation
Microsoft Purview Information Protection Microsoft Purview Information Protection helps you discover, classify, protect, and govern sensitive information wherever it lives or travels. Using these capabilities enable you to know your data, identify items that are sensitive and gain visibility into how they are being used to better protect your data. Sensitivity labels are the foundational capability that provide protection actions, applying encryption, access restrictions and visual markings. Integrate Microsoft Purview Information Protection logs with Microsoft Sentinel to view dashboards, create custom alerts and improve investigation. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `MicrosoftPurviewInformationProtection` Data collection rule support: Not currently supported	Microsoft Corporation
Mimecast Audit (using Azure Functions) The data connector for Mimecast Audit provides customers with the visibility into security events related to audit and authentication events within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into user activity, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. The Mimecast products included within the connector are: Audit Log Analytics table(s): - `MimecastAudit_CL` Data collection rule support: Not currently supported Prerequisites: - Azure Subscription: Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group. - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: See the documentation to learn more about API on the Rest API reference	Mimecast
Mimecast Audit & Authentication (using Azure Functions) The data connector for Mimecast Audit & Authentication provides customers with the visibility into security events related to audit and authentication events within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into user activity, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. The Mimecast products included within the connector are: Audit & Authentication Log Analytics table(s): - `MimecastAudit_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Mimecast API credentials: You need to have the following pieces of information to configure the integration: - mimecastEmail: Email address of a dedicated Mimecast admin user - mimecastPassword: Password for the dedicated Mimecast admin user - mimecastAppId: API Application Id of the Mimecast Microsoft Sentinel app registered with Mimecast - mimecastAppKey: API Application Key of the Mimecast Microsoft Sentinel app registered with Mimecast - mimecastAccessKey: Access Key for the dedicated Mimecast admin user - mimecastSecretKey: Secret Key for the dedicated Mimecast admin user - mimecastBaseURL: Mimecast Regional API Base URL > The Mimecast Application Id, Application Key, along with the Access Key and Secret keys for the dedicated Mimecast admin user are obtainable via the Mimecast Administration Console: Administration \| Services \| API and Platform Integrations. > The Mimecast API Base URL for each region is documented here: https://integrations.mimecast.com/documentation/api-overview/global-base-urls/ - Resource group: You need to have a resource group created with a subscription you are going to use. - Functions app: You need to have an Azure App registered for this connector to use 1. Application Id 2. Tenant Id 3. Client Id 4. Client Secret	Mimecast
Mimecast Awareness Training (using Azure Functions) The data connector for Mimecast Awareness Training provides customers with the visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. The Mimecast products included within the connector are: - Performance Details - Safe Score Details - User Data - Watchlist Details Log Analytics table(s): - `Awareness_Performance_Details_CL` - `Awareness_SafeScore_Details_CL` - `Awareness_User_Data_CL` - `Awareness_Watchlist_Details_CL` Data collection rule support: Not currently supported Prerequisites: - Azure Subscription: Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group. - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: See the documentation to learn more about API on the Rest API reference	Mimecast
Mimecast Cloud Integrated (using Azure Functions) The data connector for Mimecast Cloud Integrated provides customers with the visibility into security events related to the Cloud Integrated inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. Log Analytics table(s): - `Cloud_Integrated_CL` Data collection rule support: Not currently supported Prerequisites: - Azure Subscription: Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group. - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: See the documentation to learn more about API on the Rest API reference	Mimecast
Mimecast Intelligence for Microsoft - Microsoft Sentinel (using Azure Functions) The data connector for Mimecast Intelligence for Microsoft provides regional threat intelligence curated from Mimecast’s email inspection technologies with pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times. Mimecast products and features required: - Mimecast Secure Email Gateway - Mimecast Threat Intelligence Log Analytics table(s): - `ThreatIntelligenceIndicator` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Mimecast API credentials: You need to have the following pieces of information to configure the integration: - mimecastEmail: Email address of a dedicated Mimecast admin user - mimecastPassword: Password for the dedicated Mimecast admin user - mimecastAppId: API Application Id of the Mimecast Microsoft Sentinel app registered with Mimecast - mimecastAppKey: API Application Key of the Mimecast Microsoft Sentinel app registered with Mimecast - mimecastAccessKey: Access Key for the dedicated Mimecast admin user - mimecastSecretKey: Secret Key for the dedicated Mimecast admin user - mimecastBaseURL: Mimecast Regional API Base URL > The Mimecast Application Id, Application Key, along with the Access Key and Secret keys for the dedicated Mimecast admin user are obtainable via the Mimecast Administration Console: Administration \| Services \| API and Platform Integrations. > The Mimecast API Base URL for each region is documented here: https://integrations.mimecast.com/documentation/api-overview/global-base-urls/ - Resource group: You need to have a resource group created with a subscription you are going to use. - Functions app: You need to have an Azure App registered for this connector to use 1. Application Id 2. Tenant Id 3. Client Id 4. Client Secret	Mimecast
Mimecast Secure Email Gateway (using Azure Functions) The data connector for Mimecast Secure Email Gateway allows easy log collection from the Secure Email Gateway to surface email insight and user activity within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. Mimecast products and features required: - Mimecast Secure Email Gateway - Mimecast Data Leak Prevention Log Analytics table(s): - `MimecastSIEM_CL` - `MimecastDLP_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Mimecast API credentials: You need to have the following pieces of information to configure the integration: - mimecastEmail: Email address of a dedicated Mimecast admin user - mimecastPassword: Password for the dedicated Mimecast admin user - mimecastAppId: API Application Id of the Mimecast Microsoft Sentinel app registered with Mimecast - mimecastAppKey: API Application Key of the Mimecast Microsoft Sentinel app registered with Mimecast - mimecastAccessKey: Access Key for the dedicated Mimecast admin user - mimecastSecretKey: Secret Key for the dedicated Mimecast admin user - mimecastBaseURL: Mimecast Regional API Base URL > The Mimecast Application Id, Application Key, along with the Access Key and Secret keys for the dedicated Mimecast admin user are obtainable via the Mimecast Administration Console: Administration \| Services \| API and Platform Integrations. > The Mimecast API Base URL for each region is documented here: https://integrations.mimecast.com/documentation/api-overview/global-base-urls/ - Resource group: You need to have a resource group created with a subscription you are going to use. - Functions app: You need to have an Azure App registered for this connector to use 1. Application Id 2. Tenant Id 3. Client Id 4. Client Secret	Mimecast
Mimecast Secure Email Gateway (using Azure Functions) The data connector for Mimecast Secure Email Gateway allows easy log collection from the Secure Email Gateway to surface email insight and user activity within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. Mimecast products and features required: - Mimecast Cloud Gateway - Mimecast Data Leak Prevention Log Analytics table(s): - `Seg_Cg_CL` - `Seg_Dlp_CL` Data collection rule support: Not currently supported Prerequisites: - Azure Subscription: Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group. - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: See the documentation to learn more about API on the Rest API reference	Mimecast
Mimecast Targeted Threat Protection (using Azure Functions) The data connector for Mimecast Targeted Threat Protection provides customers with the visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. The Mimecast products included within the connector are: - URL Protect - Impersonation Protect - Attachment Protect Log Analytics table(s): - `MimecastTTPUrl_CL` - `MimecastTTPAttachment_CL` - `MimecastTTPImpersonation_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: You need to have the following pieces of information to configure the integration: - mimecastEmail: Email address of a dedicated Mimecast admin user - mimecastPassword: Password for the dedicated Mimecast admin user - mimecastAppId: API Application Id of the Mimecast Microsoft Sentinel app registered with Mimecast - mimecastAppKey: API Application Key of the Mimecast Microsoft Sentinel app registered with Mimecast - mimecastAccessKey: Access Key for the dedicated Mimecast admin user - mimecastSecretKey: Secret Key for the dedicated Mimecast admin user - mimecastBaseURL: Mimecast Regional API Base URL > The Mimecast Application Id, Application Key, along with the Access Key and Secret keys for the dedicated Mimecast admin user are obtainable via the Mimecast Administration Console: Administration \| Services \| API and Platform Integrations. > The Mimecast API Base URL for each region is documented here: https://integrations.mimecast.com/documentation/api-overview/global-base-urls/	Mimecast
Mimecast Targeted Threat Protection (using Azure Functions) The data connector for Mimecast Targeted Threat Protection provides customers with the visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. The Mimecast products included within the connector are: - URL Protect - Impersonation Protect - Attachment Protect Log Analytics table(s): - `Ttp_Url_CL` - `Ttp_Attachment_CL` - `Ttp_Impersonation_CL` Data collection rule support: Not currently supported Prerequisites: - Azure Subscription: Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group. - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: See the documentation to learn more about API on the Rest API reference	Mimecast
MISP2Sentinel This solution installs the MISP2Sentinel connector that allows you to automatically push threat indicators from MISP to Microsoft Sentinel via the Upload Indicators REST API. After installing the solution, configure and enable this data connector by following guidance in Manage solution view. Log Analytics table(s): - `ThreatIntelligenceIndicator` Data collection rule support: Not currently supported	Community
MuleSoft Cloudhub (using Azure Functions) The MuleSoft Cloudhub data connector provides the capability to retrieve logs from Cloudhub applications using the Cloudhub API and more events into Microsoft Sentinel through the REST API. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `MuleSoft_Cloudhub_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: MuleSoftEnvId, MuleSoftAppName, MuleSoftUsername and MuleSoftPassword are required for making API calls.	Microsoft Corporation
NC Protect NC Protect Data Connector (archtis.com) provides the capability to ingest user activity logs and events into Microsoft Sentinel. The connector provides visibility into NC Protect user activity logs and events in Microsoft Sentinel to improve monitoring and investigation capabilities Log Analytics table(s): - `NCProtectUAL_CL` Data collection rule support: Not currently supported Prerequisites: - NC Protect: You must have a running instance of NC Protect for O365. Please contact us.	archTIS
Netclean ProActive Incidents This connector uses the Netclean Webhook (required) and Logic Apps to push data into Microsoft Sentinel Log Analytics Log Analytics table(s): - `Netclean_Incidents_CL` Data collection rule support: Not currently supported	NetClean
Netskope Alerts and Events Netskope Security Alerts and Events Log Analytics table(s): - `NetskopeAlerts_CL` Data collection rule support: Not currently supported Prerequisites: - Netskope organisation url: The Netskope data connector requires you to provide your organisation url. You can find your organisation url by signing into the Netskope portal. - Netskope API key: The Netskope data connector requires you to provide a valid API key. You can create one by following the Netskope documentation.	Netskope
Netskope Data Connector (using Azure Functions) The Netskope data connector provides the following capabilities: 1. NetskopeToAzureStorage : >* Get the Netskope Alerts and Events data from Netskope and ingest to Azure storage. 2. StorageToSentinel : >* Get the Netskope Alerts and Events data from Azure storage and ingest to custom log table in log analytics workspace. 3. WebTxMetrics : >* Get the WebTxMetrics data from Netskope and ingest to custom log table in log analytics workspace. For more details of REST APIs refer to the below documentations: 1. Netskope API documentation: > https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/ 2. Azure storage documentation: > /azure/storage/common/storage-introduction 3. Microsoft log analytic documentation: > /azure/azure-monitor/logs/log-analytics-overview Log Analytics table(s): - `alertscompromisedcredentialdata_CL` - `alertsctepdata_CL` - `alertsdlpdata_CL` - `alertsmalsitedata_CL` - `alertsmalwaredata_CL` - `alertspolicydata_CL` - `alertsquarantinedata_CL` - `alertsremediationdata_CL` - `alertssecurityassessmentdata_CL` - `alertsubadata_CL` - `eventsapplicationdata_CL` - `eventsauditdata_CL` - `eventsconnectiondata_CL` - `eventsincidentdata_CL` - `eventsnetworkdata_CL` - `eventspagedata_CL` - `Netskope_WebTx_metrics_CL` Data collection rule support: Not currently supported Prerequisites: - Azure Subscription: Azure Subscription with owner role is required to register an application in azure active directory() and assign role of contributor to app in resource group. - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: Netskope Tenant and Netskope API Token is required. See the documentation to learn more about API on the Rest API reference	Netskope
Netskope Web Transactions Data Connector (using Azure Functions) The Netskope Web Transactions data connector provides the functionality of a docker image to pull the Netskope Web Transactions data from google pubsublite, process the data and ingest the processed data to Log Analytics. As part of this data connector two tables will be formed in Log Analytics, one for Web Transactions data and other for errors encountered during execution. For more details related to Web Transactions refer to the below documentation: 1. Netskope Web Transactions documentation: > https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/ Log Analytics table(s): - `NetskopeWebtxData_CL` - `NetskopeWebtxErrors_CL` Data collection rule support: Not currently supported Prerequisites: - Azure Subscription: Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group. - Microsoft.Compute permissions: Read and write permissions to Azure VMs is required. For more information, see Azure VMs. - TransactionEvents Credentials and Permissions: Netskope Tenant and Netskope API Token is required. For more information, see Transaction Events. - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.	Netskope
Network Security Groups Azure network security groups (NSG) allow you to filter network traffic to and from Azure resources in an Azure virtual network. A network security group includes rules that allow or deny traffic to a virtual network subnet, network interface, or both. When you enable logging for an NSG, you can gather the following types of resource log information: - Event: Entries are logged for which NSG rules are applied to VMs, based on MAC address. - Rule counter: Contains entries for how many times each NSG rule is applied to deny or allow traffic. The status for these rules is collected every 300 seconds. This connector lets you stream your NSG diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `AzureDiagnostics` Data collection rule support: Not currently supported	Microsoft Corporation
Okta Single Sign-On The Okta Single Sign-On (SSO) data connector provides the capability to ingest audit and event logs from the Okta Sysem Log API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Framework and uses the Okta System Log API to fetch the events. The connector supports DCR-based ingestion time transformations that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance. Log Analytics table(s): - `OktaSSO` Data collection rule support: Not currently supported Prerequisites: - Okta API Token: An Okta API token. Follow the following instructions to create an See the documentation to learn more about Okta System Log API.	Microsoft Corporation
Okta Single Sign-On (using Azure Functions) The Okta Single Sign-On (SSO) connector provides the capability to ingest audit and event logs from the Okta API into Microsoft Sentinel. The connector provides visibility into these log types in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities. Log Analytics table(s): - `Okta_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Okta API Token: An Okta API Token is required. See the documentation to learn more about the Okta System Log API.	Microsoft Corporation
OneLogin IAM Platform(using Azure Functions) The OneLogin data connector provides the capability to ingest common OneLogin IAM Platform events into Microsoft Sentinel through Webhooks. The OneLogin Event Webhook API which is also known as the Event Broadcaster will send batches of events in near real-time to an endpoint that you specify. When a change occurs in the OneLogin, an HTTPS POST request with event information is sent to a callback data connector URL. Refer to Webhooks documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `OneLogin_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Webhooks Credentials/permissions: OneLoginBearerToken, Callback URL are required for working Webhooks. See the documentation to learn more about configuring Webhooks.You need to generate OneLoginBearerToken according to your security requirements and use it in Custom Headers section in format: Authorization: Bearer OneLoginBearerToken. Logs Format: JSON Array.	Microsoft Corporation
Oracle Cloud Infrastructure (using Azure Functions) The Oracle Cloud Infrastructure (OCI) data connector provides the capability to ingest OCI Logs from OCI Stream into Microsoft Sentinel using the OCI Streaming REST API. Log Analytics table(s): - `OCI_Logs_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - OCI API Credentials: API Key Configuration File and Private Key are required for OCI API connection. See the documentation to learn more about creating keys for API access	Microsoft Corporation
Orca Security Alerts The Orca Security Alerts connector allows you to easily export Alerts logs to Microsoft Sentinel. Log Analytics table(s): - `OrcaAlerts_CL` Data collection rule support: Not currently supported	Orca Security
Palo Alto Cortex XDR The Palo Alto Cortex XDR data connector allows ingesting logs from the Palo Alto Cortex XDR API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Framework. It uses the Palo Alto Cortex XDR API to fetch logs and it supports DCR-based ingestion time transformations that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance. Log Analytics table(s): - `PaloAltoCortexXDR_Incidents_CL` - `PaloAltoCortexXDR_Endpoints_CL` - `PaloAltoCortexXDR_Audit_Management_CL` - `PaloAltoCortexXDR_Audit_Agent_CL` - `PaloAltoCortexXDR_Alerts_CL` Data collection rule support: Not currently supported	Microsoft Corporation
Palo Alto Prisma Cloud CSPM (using Azure Functions) The Palo Alto Prisma Cloud CSPM data connector provides the capability to ingest Prisma Cloud CSPM alerts and audit logs into Microsoft sentinel using the Prisma Cloud CSPM API. Refer to Prisma Cloud CSPM API documentation for more information. Log Analytics table(s): - `PaloAltoPrismaCloudAlert_CL` - `PaloAltoPrismaCloudAudit_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Palo Alto Prisma Cloud API Credentials: Prisma Cloud API Url, Prisma Cloud Access Key ID, Prisma Cloud Secret Key are required for Prisma Cloud API connection. See the documentation to learn more about creating Prisma Cloud Access Key and about obtaining Prisma Cloud API Url	Microsoft Corporation
Palo Alto Prisma Cloud CWPP (using REST API) The Palo Alto Prisma Cloud CWPP data connector allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel's Codeless Connector Framework and uses the Prisma Cloud API to fetch security events and supports DCR-based ingestion time transformations that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance. Log Analytics table(s): - `PrismaCloudCompute_CL` Data collection rule support: Not currently supported Prerequisites: - PrismaCloudCompute API Key: A Palo Alto Prisma Cloud CWPP Monitor API username and password is required. For more information, see PrismaCloudCompute SIEM API.	Microsoft Corporation
Perimeter 81 Activity Logs The Perimeter 81 Activity Logs connector allows you to easily connect your Perimeter 81 activity logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. Log Analytics table(s): - `Perimeter81_CL` Data collection rule support: Not currently supported	Perimeter 81
Phosphorus Devices The Phosphorus Device Connector provides the capability to Phosphorus to ingest device data logs into Microsoft Sentinel through the Phosphorus REST API. The Connector provides visibility into the devices enrolled in Phosphorus. This Data Connector pulls devices information along with its corresponding alerts. Log Analytics table(s): - `Phosphorus_CL` Data collection rule support: Not currently supported Prerequisites: - REST API Credentials/permissions: Phosphorus API Key is required. Please make sure that the API Key associated with the User has the Manage Settings permissions enabled. Follow these instructions to enable Manage Settings permissions. 1. Log in to the Phosphorus Application 2. Go to 'Settings' -> 'Groups' 3. Select the Group the Integration user is a part of 4. Navigate to 'Product Actions' -> toggle on the 'Manage Settings' permission.	Phosphorus Inc.
Prancer Data Connector The Prancer Data Connector has provides the capability to ingest Prancer (CSPM)[https://docs.prancer.io/web/CSPM/] and PAC data to process through Microsoft Sentinel. Refer to Prancer Documentation for more information. Log Analytics table(s): - `prancer_CL` Data collection rule support: Not currently supported Prerequisites: - Include custom pre-requisites if the connectivity requires - else delete customs: Description for any custom pre-requisite	Prancer PenSuiteAI Integration
Premium Microsoft Defender Threat Intelligence Microsoft Sentinel provides you the capability to import threat intelligence generated by Microsoft to enable monitoring, alerting and hunting. Use this data connector to import Indicators of Compromise (IOCs) from Premium Microsoft Defender Threat Intelligence (MDTI) into Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes, etc. Note: This is a paid connector. To use and ingest data from it, please purchase the "MDTI API Access" SKU from the Partner Center. Log Analytics table(s): - `ThreatIntelligenceIndicator` Data collection rule support: Not currently supported	Microsoft Corporation
Proofpoint On Demand Email Security (via Codeless Connector Framework) Proofpoint On Demand Email Security data connector provides the capability to get Proofpoint on Demand Email Protection data, allows users to check message traceability, monitoring into email activity, threats,and data exfiltration by attackers and malicious insiders. The connector provides ability to review events in your org on an accelerated basis, get event log files in hourly increments for recent activity. Log Analytics table(s): - `ProofpointPODMailLog_CL` - `ProofpointPODMessage_CL` Data collection rule support: Not currently supported Prerequisites: - Websocket API Credentials/permissions: ProofpointClusterID, and ProofpointToken are required. For more information, see API.	Microsoft Corporation
Proofpoint TAP (via Codeless Connector Framework) The Proofpoint Targeted Attack Protection (TAP) connector provides the capability to ingest Proofpoint TAP logs and events into Microsoft Sentinel. The connector provides visibility into Message and Click events in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities. Log Analytics table(s): - `ProofPointTAPMessagesDeliveredV2_CL` - `ProofPointTAPMessagesBlockedV2_CL` - `ProofPointTAPClicksPermittedV2_CL` - `ProofPointTAPClicksBlockedV2_CL` Data collection rule support: Not currently supported Prerequisites: - Proofpoint TAP API Key: A Proofpoint TAP API service principal and secret is required to access Proofpoint's SIEM API. For more information, see Proofpoint SIEM API.	Microsoft Corporation
Qualys VM KnowledgeBase (using Azure Functions) The Qualys Vulnerability Management (VM) KnowledgeBase (KB) connector provides the capability to ingest the latest vulnerability data from the Qualys KB into Microsoft Sentinel. This data can used to correlate and enrich vulnerability detections found by the Qualys Vulnerability Management (VM) data connector. Log Analytics table(s): - `QualysKB_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Qualys API Key: A Qualys VM API username and password is required. For more information, see Qualys VM API.	Microsoft Corporation
Qualys Vulnerability Management (via Codeless Connector Framework) (Preview) The Qualys Vulnerability Management (VM) data connector provides the capability to ingest vulnerability host detection data into Microsoft Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. Log Analytics table(s): - `QualysHostDetectionV3_CL` Data collection rule support: Not currently supported Prerequisites: - API access and roles: Ensure the Qualys VM user has a role of Reader or higher. If the role is Reader, ensure that API access is enabled for the account. Auditor role is not supported to access the API. For more details, refer to the Qualys VM Host Detection API and User role Comparison document.	Microsoft Corporation
Radiflow iSID via AMA iSID enables non-disruptive monitoring of distributed ICS networks for changes in topology and behavior, using multiple security packages, each offering a unique capability pertaining to a specific type of network activity Log Analytics table(s): - `RadiflowEvent` Data collection rule support: Not currently supported	Radiflow
Rapid7 Insight Platform Vulnerability Management Reports (using Azure Functions) The Rapid7 Insight VM Report data connector provides the capability to ingest Scan reports and vulnerability data into Microsoft Sentinel through the REST API from the Rapid7 Insight platform (Managed in the cloud). Refer to API documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `NexposeInsightVMCloud_assets_CL` - `NexposeInsightVMCloud_vulnerabilities_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials: InsightVMAPIKey is required for REST API. For more information, see API. Check all requirements and follow the instructions for obtaining credentials	Microsoft Corporation
Rubrik Security Cloud data connector (using Azure Functions) The Rubrik Security Cloud data connector enables security operations teams to integrate insights from Rubrik's Data Observability services into Microsoft Sentinel. The insights include identification of anomalous filesystem behavior associated with ransomware and mass deletion, assess the blast radius of a ransomware attack, and sensitive data operators to prioritize and more rapidly investigate potential incidents. Log Analytics table(s): - `Rubrik_Anomaly_Data_CL` - `Rubrik_Ransomware_Data_CL` - `Rubrik_ThreatHunt_Data_CL` - `Rubrik_Events_Data_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.	Rubrik
SaaS Security Connects the Valence SaaS security platform Azure Log Analytics via the REST API interface Log Analytics table(s): - `ValenceAlert_CL` Data collection rule support: Not currently supported	Valence Security
SailPoint IdentityNow (using Azure Function) The SailPoint IdentityNow data connector provides the capability to ingest [SailPoint IdentityNow] search events into Microsoft Sentinel through the REST API. The connector provides customers the ability to extract audit information from their IdentityNow tenant. It is intended to make it even easier to bring IdentityNow user activity and governance events into Microsoft Sentinel to improve insights from your security incident and event monitoring solution. Log Analytics table(s): - `SailPointIDN_Events_CL` - `SailPointIDN_Triggers_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - SailPoint IdentityNow API Authentication Credentials: TENANT_ID, CLIENT_ID and CLIENT_SECRET are required for authentication.	N/A
Salesforce Service Cloud (using Azure Functions) The Salesforce Service Cloud data connector provides the capability to ingest information about your Salesforce operational events into Microsoft Sentinel through the REST API. The connector provides ability to review events in your org on an accelerated basis, get event log files in hourly increments for recent activity. Log Analytics table(s): - `SalesforceServiceCloud_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: Salesforce API Username, Salesforce API Password, Salesforce Security Token, Salesforce Consumer Key, Salesforce Consumer Secret is required for REST API. For more information, see API.	Microsoft Corporation
Samsung Knox Asset Intelligence (Preview) Samsung Knox Asset Intelligence Data Connector lets you centralize your mobile security events and logs in order to view customized insights using the Workbook template, and identify incidents based on Analytics Rules templates. Log Analytics table(s): - `Samsung_Knox_Audit_CL` Data collection rule support: Not currently supported Prerequisites: - Entra app: An Entra app needs to be registered and provisioned with ‘Microsoft Metrics Publisher’ role and configured with either Certificate or Client Secret as credentials for secure data transfer. See the Log ingestion tutorial to learn more about Entra App creation, registration and credential configuration.	Samsung Electronics Co., Ltd.
SAP BTP SAP Business Technology Platform (SAP BTP) brings together data management, analytics, artificial intelligence, application development, automation, and integration in one, unified environment. Log Analytics table(s): - `SAPBTPAuditLog_CL` Data collection rule support: Not currently supported Prerequisites: - Client Id and Client Secret for Audit Retrieval API: Enable API access in BTP.	Microsoft Corporation
SAP Enterprise Threat Detection, cloud edition The SAP Enterprise Threat Detection, cloud edition (ETD) data connector enables ingestion of security alerts from ETD into Microsoft Sentinel, supporting cross-correlation, alerting, and threat hunting. Log Analytics table(s): - `SAPETDAlerts_CL` Data collection rule support: Not currently supported Prerequisites: - Client Id and Client Secret for ETD Retrieval API: Enable API access in ETD.	SAP
SAP LogServ (RISE), S/4HANA Cloud private edition SAP LogServ is an SAP Enterprise Cloud Services (ECS) service aimed at collection, storage, forwarding and access of logs. LogServ centralizes the logs from all systems, applications, and ECS services used by a registered customer. Main Features include: Near Realtime Log Collection: With ability to integrate into Microsoft Sentinel as SIEM solution. LogServ complements the existing SAP application layer threat monitoring and detections in Microsoft Sentinel with the log types owned by SAP ECS as the system provider. This includes logs like: SAP Security Audit Log (AS ABAP), HANA database, AS JAVA, ICM, SAP Web Dispatcher, SAP Cloud Connector, OS, SAP Gateway, 3rd party Database, Network, DNS, Proxy, Firewall Log Analytics table(s): - `SAPLogServ_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft Entra: Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher. - Microsoft Azure: Permission to assign Monitoring Metrics Publisher role on data collection rules. Typically requires Azure RBAC Owner or User Access Administrator role.	SAP
SenservaPro (Preview) The SenservaPro data connector provides a viewing experience for your SenservaPro scanning logs. View dashboards of your data, use queries to hunt & explore, and create custom alerts. Log Analytics table(s): - `SenservaPro_CL` Data collection rule support: Not currently supported	Senserva
SentinelOne The SentinelOne data connector allows ingesting logs from the SentinelOne API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Framework. It uses the SentinelOne API to fetch logs and it supports DCR-based ingestion time transformations that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance. Log Analytics table(s): - `SentinelOneActivities_CL` - `SentinelOneAgents_CL` - `SentinelOneGroups_CL` - `SentinelOneThreats_CL` - `SentinelOneAlerts_CL` Data collection rule support: Not currently supported	Microsoft Corporation
SentinelOne (using Azure Functions) The SentinelOne data connector provides the capability to ingest common SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. Refer to API documentation: `https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview` for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `SentinelOne_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: SentinelOneAPIToken is required. See the documentation to learn more about API on the `https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview`.	Microsoft Corporation
Seraphic Web Security The Seraphic Web Security data connector provides the capability to ingest Seraphic Web Security events and alerts into Microsoft Sentinel. Log Analytics table(s): - `SeraphicWebSecurity_CL` Data collection rule support: Not currently supported Prerequisites: - Seraphic API key: API key for Microsoft Sentinel connected to your Seraphic Web Security tenant. To get this API key for your tenant - read this documentation.	Seraphic Security
Silverfort Admin Console The Silverfort ITDR Admin Console connector solution allows ingestion of Silverfort events and logging into Microsoft Sentinel. Silverfort provides syslog based events and logging using Common Event Format (CEF). By forwarding your Silverfort ITDR Admin Console CEF data into Microsoft Sentinel, you can take advantage of Sentinels's search & correlation, alerting, and threat intelligence enrichment on Silverfort data. Please contact Silverfort or consult the Silverfort documentation for more information. Log Analytics table(s): - `CommonSecurityLog` Data collection rule support: Workspace transform DCR	Silverfort
SINEC Security Guard The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the SINEC Security Guard into Microsoft Sentinel Log Analytics table(s): - `SINECSecurityGuard_CL` Data collection rule support: Not currently supported	Siemens AG
SlackAudit (via Codeless Connector Framework) (Preview) The SlackAudit data connector provides the capability to ingest Slack Audit logs into Microsoft Sentinel through the REST API. Refer to API documentation for more information. Log Analytics table(s): - `SlackAuditV2_CL` Data collection rule support: Not currently supported	Microsoft Corporation
Snowflake (using Azure Functions) The Snowflake data connector provides the capability to ingest Snowflake login logs and query logs into Microsoft Sentinel using the Snowflake Python Connector. Refer to Snowflake documentation for more information. Log Analytics table(s): - `Snowflake_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Snowflake Credentials: Snowflake Account Identifier, Snowflake User and Snowflake Password are required for connection. See the documentation to learn more about Snowflake Account Identifier. Instructions for creating the user for this connector are shown during the installation process.	Microsoft Corporation
Sonrai Data Connector Use this data connector to integrate with Sonrai Security and get Sonrai tickets sent directly to Microsoft Sentinel. Log Analytics table(s): - `Sonrai_Tickets_CL` Data collection rule support: Not currently supported	N/A
Sophos Cloud Optix The Sophos Cloud Optix connector allows you to easily connect your Sophos Cloud Optix logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's cloud security and compliance posture and improves your cloud security operation capabilities. Log Analytics table(s): - `SophosCloudOptix_CL` Data collection rule support: Not currently supported	Sophos
Sophos Endpoint Protection (using Azure Functions) The Sophos Endpoint Protection data connector provides the capability to ingest Sophos events into Microsoft Sentinel. Refer to Sophos Central Admin documentation for more information. Log Analytics table(s): - `SophosEP_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: API token is required. For more information, see API token	Microsoft Corporation
Sophos Endpoint Protection (using REST API) The Sophos Endpoint Protection data connector provides the capability to ingest Sophos events and Sophos alerts into Microsoft Sentinel. Refer to Sophos Central Admin documentation for more information. Log Analytics table(s): - `SophosEPEvents_CL` Data collection rule support: Not currently supported Prerequisites: - Sophos Endpoint Protection API access: Access to the Sophos Endpoint Protection API through a service principal is required.	Microsoft Corporation
Symantec Integrated Cyber Defense Exchange Symantec ICDx connector allows you to easily connect your Symantec security solutions logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities. Log Analytics table(s): - `SymantecICDx_CL` Data collection rule support: Not currently supported	Microsoft Corporation
Syslog via AMA Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace. Learn more > Log Analytics table(s): - `Syslog` Data collection rule support: Workspace transform DCR	Microsoft Corporation
Talon Insights The Talon Security Logs connector allows you to easily connect your Talon events and audit logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. Log Analytics table(s): - `Talon_CL` Data collection rule support: Not currently supported	Talon Security
Team Cymru Scout Data Connector (using Azure Functions) The TeamCymruScout Data Connector allows users to bring Team Cymru Scout IP, ___domain and account usage data in Microsoft Sentinel for enrichment. Log Analytics table(s): - `Cymru_Scout_Domain_Data_CL` - `Cymru_Scout_IP_Data_Foundation_CL` - `Cymru_Scout_IP_Data_Details_CL` - `Cymru_Scout_IP_Data_Communications_CL` - `Cymru_Scout_IP_Data_PDNS_CL` - `Cymru_Scout_IP_Data_Fingerprints_CL` - `Cymru_Scout_IP_Data_OpenPorts_CL` - `Cymru_Scout_IP_Data_x509_CL` - `Cymru_Scout_IP_Data_Summary_Details_CL` - `Cymru_Scout_IP_Data_Summary_PDNS_CL` - `Cymru_Scout_IP_Data_Summary_OpenPorts_CL` - `Cymru_Scout_IP_Data_Summary_Certs_CL` - `Cymru_Scout_IP_Data_Summary_Fingerprints_CL` - `Cymru_Scout_Account_Usage_Data_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Team Cymru Scout Credentials/permissions: Team Cymru Scout account credentials(Username, Password) is required.	Team Cymru
Tenable Identity Exposure Tenable Identity Exposure connector allows Indicators of Exposure, Indicators of Attack and trailflow logs to be ingested into Microsoft Sentinel.The different work books and data parsers allow you to more easily manipulate logs and monitor your Active Directory environment. The analytic templates allow you to automate responses regarding different events, exposures and attacks. Log Analytics table(s): - `Tenable_IE_CL` Data collection rule support: Not currently supported Prerequisites: - Access to TenableIE Configuration: Permissions to configure syslog alerting engine	Tenable
Tenable Vulnerability Management (using Azure Functions) The TVM data connector provides the ability to ingest Asset, Vulnerability and Compliance data into Microsoft Sentinel using TVM REST APIs. Refer to API documentation for more information. The connector provides the ability to get data which helps to examine potential security risks, get insight into your computing assets, diagnose configuration problems and more Log Analytics table(s): - `Tenable_VM_Assets_CL` - `Tenable_VM_Vuln_CL` - `Tenable_VM_Compliance_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: Both a TenableAccessKey and a TenableSecretKey is required to access the Tenable REST API. For more information, see API. Check all requirements and follow the instructions for obtaining credentials.	Tenable
Tenant-based Microsoft Defender for Cloud (Preview) Microsoft Defender for Cloud is a security management tool that allows you to detect and quickly respond to threats across Azure, hybrid, and multi-cloud workloads. This connector allows you to stream your MDC security alerts from Microsoft 365 Defender into Microsoft Sentinel, so you can can leverage the advantages of XDR correlations connecting the dots across your cloud resources, devices and identities and view the data in workbooks, queries and investigate and respond to incidents. Log Analytics table(s): - `SecurityAlert` Data collection rule support: Not currently supported	Microsoft Corporation
TheHive Project - TheHive (using Azure Functions) The TheHive data connector provides the capability to ingest common TheHive events into Microsoft Sentinel through Webhooks. TheHive can notify external system of modification events (case creation, alert update, task assignment) in real time. When a change occurs in the TheHive, an HTTPS POST request with event information is sent to a callback data connector URL. Refer to Webhooks documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `TheHive_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Webhooks Credentials/permissions: TheHiveBearerToken, Callback URL are required for working Webhooks. See the documentation to learn more about configuring Webhooks.	Microsoft Corporation
Theom Theom Data Connector enables organizations to connect their Theom environment to Microsoft Sentinel. This solution enables users to receive alerts on data security risks, create and enrich incidents, check statistics and trigger SOAR playbooks in Microsoft Sentinel Log Analytics table(s): - `TheomAlerts_CL` Data collection rule support: Not currently supported	Theom
Threat intelligence - TAXII Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send the supported STIX object types from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the Microsoft Sentinel documentation >. Log Analytics table(s): - `ThreatIntelligenceIndicator` Data collection rule support: Not currently supported	Microsoft Corporation
Threat Intelligence Platforms Microsoft Sentinel integrates with Microsoft Graph Security API data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send threat indicators to Microsoft Sentinel from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MindMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the Microsoft Sentinel documentation >. Log Analytics table(s): - `ThreatIntelligenceIndicator` Data collection rule support: Not currently supported	Microsoft Corporation
Threat Intelligence Upload API (Preview) Microsoft Sentinel offers a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `ThreatIntelligenceIndicator` Data collection rule support: Not currently supported	Microsoft Corporation
Transmit Security Connector (using Azure Functions) The [Transmit Security] data connector provides the capability to ingest common Transmit Security API events into Microsoft Sentinel through the REST API. Refer to API documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `TransmitSecurityActivity_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Client ID: TransmitSecurityClientID is required. See the documentation to learn more about API on the `https://developer.transmitsecurity.com/`. - REST API Client Secret: TransmitSecurityClientSecret is required. See the documentation to learn more about API on the `https://developer.transmitsecurity.com/`.	Transmit Security
Trend Vision One (using Azure Functions) The Trend Vision One connector allows you to easily connect your Workbench alert data with Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities. This gives you more insight into your organization's networks/systems and improves your security operation capabilities. The Trend Vision One connector is supported in Microsoft Sentinel in the following regions: Australia East, Australia Southeast, Brazil South, Canada Central, Canada East, Central India, Central US, East Asia, East US, East US 2, France Central, Japan East, Korea Central, North Central US, North Europe, Norway East, South Africa North, South Central US, Southeast Asia, Sweden Central, Switzerland North, UAE North, UK South, UK West, West Europe, West US, West US 2, West US 3. Log Analytics table(s): - `TrendMicro_XDR_WORKBENCH_CL` - `TrendMicro_XDR_RCA_Task_CL` - `TrendMicro_XDR_RCA_Result_CL` - `TrendMicro_XDR_OAT_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Trend Vision One API Token: A Trend Vision One API Token is required. See the documentation to learn more about the Trend Vision One API.	Trend Micro
Varonis SaaS Varonis SaaS provides the capability to ingest Varonis Alerts into Microsoft Sentinel. Varonis prioritizes deep data visibility, classification capabilities, and automated remediation for data access. Varonis builds a single prioritized view of risk for your data, so you can proactively and systematically eliminate risk from insider threats and cyberattacks. Log Analytics table(s): - `VaronisAlerts_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions.	Varonis
Vectra XDR (using Azure Functions) The Vectra XDR connector gives the capability to ingest Vectra Detections, Audits, Entity Scoring, Lockdown, Health and Entities data into Microsoft Sentinel through the Vectra REST API. Refer to the API documentation: `https://support.vectra.ai/s/article/KB-VS-1666` for more information. Log Analytics table(s): - `Detections_Data_CL` - `Audits_Data_CL` - `Entity_Scoring_Data_CL` - `Lockdown_Data_CL` - `Health_Data_CL` - `Entities_Data_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: Vectra Client ID and Client Secret is required for Health, Entity Scoring, Entities, Detections, Lockdown and Audit data collection. See the documentation to learn more about API on the `https://support.vectra.ai/s/article/KB-VS-1666`.	Vectra Support
VMware Carbon Black Cloud (using Azure Functions) The VMware Carbon Black Cloud connector provides the capability to ingest Carbon Black data into Microsoft Sentinel. The connector provides visibility into Audit, Notification and Event logs in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities. Log Analytics table(s): - `CarbonBlackEvents_CL` - `CarbonBlackNotifications_CL` - `CarbonBlackAuditLogs_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - VMware Carbon Black API Key(s): Carbon Black API and/or SIEM Level API Key(s) are required. See the documentation to learn more about the Carbon Black API. - A Carbon Black API access level API ID and Key is required for Audit and Event logs. - A Carbon Black SIEM access level API ID and Key is required for Notification alerts. - Amazon S3 REST API Credentials/permissions: AWS Access Key Id, AWS Secret Access Key, AWS S3 Bucket Name, Folder Name in AWS S3 Bucket are required for Amazon S3 REST API.	Microsoft
VMware Carbon Black Cloud via AWS S3 The VMware Carbon Black Cloud via AWS S3 data connector provides the capability to ingest watchlist, alerts, auth and endpoints events via AWS S3 and stream them to ASIM normalized tables. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `CarbonBlack_Alerts_CL` Data collection rule support: Not currently supported Prerequisites: - Environment: You must have the following AWS resources defined and configured: S3, Simple Queue Service (SQS), IAM roles and permissions policies - Environment: You must have the a Carbon black account and required permissions to create a Data Forwarded to AWS S3 buckets. For more information, see Carbon Black Data Forwarder Docs	Microsoft
Windows DNS Events via AMA The Windows DNS log connector allows you to easily filter and stream all analytics logs from your Windows DNS servers to your Microsoft Sentinel workspace using the Azure Monitoring agent (AMA). Having this data in Microsoft Sentinel helps you identify issues and security threats such as: - Trying to resolve malicious ___domain names. - Stale resource records. - Frequently queried ___domain names and talkative DNS clients. - Attacks performed on DNS server. You can get the following insights into your Windows DNS servers from Microsoft Sentinel: - All logs centralized in a single place. - Request load on DNS servers. - Dynamic DNS registration failures. Windows DNS events are supported by Advanced SIEM Information Model (ASIM) and stream data into the ASimDnsActivityLogs table. Learn more. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `ASimDnsActivityLogs` Data collection rule support: Not currently supported	Microsoft Corporation
Windows Firewall Windows Firewall is a Microsoft Windows application that filters information coming to your system from the Internet and blocking potentially harmful programs. The software blocks most programs from communicating through the firewall. Users simply add a program to the list of allowed programs to allow it to communicate through the firewall. When using a public network, Windows Firewall can also secure the system by blocking all unsolicited attempts to connect to your computer. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `WindowsFirewall` Data collection rule support: Not currently supported	Microsoft Corporation
Windows Firewall Events via AMA Windows Firewall is a Microsoft Windows application that filters information coming to your system from the internet and blocking potentially harmful programs. The firewall software blocks most programs from communicating through the firewall. To stream your Windows Firewall application logs collected from your machines, use the Azure Monitor agent (AMA) to stream those logs to the Microsoft Sentinel workspace. A configured data collection endpoint (DCE) is required to be linked with the data collection rule (DCR) created for the AMA to collect logs. For this connector, a DCE is automatically created in the same region as the workspace. If you already use a DCE stored in the same region, it's possible to change the default created DCE and use your existing one through the API. DCEs can be located in your resources with SentinelDCE prefix in the resource name. For more information, see the following articles: - Data collection endpoints in Azure Monitor - Microsoft Sentinel documentation Log Analytics table(s): - `ASimNetworkSessionLogs` Data collection rule support: Not currently supported	Microsoft Corporation
Windows Forwarded Events You can stream all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA). This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `WindowsEvent` Data collection rule support: Not currently supported	Microsoft Corporation
Windows Security Events via AMA You can stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `SecurityEvent` Data collection rule support: Not currently supported	Microsoft Corporation
WithSecure Elements API (Azure Function) WithSecure Elements is the unified cloud-based cyber security platform designed to reduce risk, complexity, and inefficiency. Elevate your security from your endpoints to your cloud applications. Arm yourself against every type of cyber threat, from targeted attacks to zero-day ransomware. WithSecure Elements combines powerful predictive, preventive, and responsive security capabilities - all managed and monitored through a single security center. Our modular structure and flexible pricing models give you the freedom to evolve. With our expertise and insight, you'll always be empowered - and you'll never be alone. With Microsoft Sentinel integration, you can correlate security events data from the WithSecure Elements solution with data from other sources, enabling a rich overview of your entire environment and faster reaction to threats. With this solution Azure Function is deployed to your tenant, polling periodically for the WithSecure Elements security events. For more information visit our website at: https://www.withsecure.com. Log Analytics table(s): - `WsSecurityEvents_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - WithSecure Elements API client credentials: Client credentials are required. See the documentation to learn more.	WithSecure
Wiz (using Azure Functions) The Wiz connector allows you to easily send Wiz Issues, Vulnerability Findings, and Audit logs to Microsoft Sentinel. Log Analytics table(s): - `union isfuzzy=true <br>(WizIssues_CL),<br>(WizIssuesV2_CL)` - `union isfuzzy=true <br>(WizVulnerabilities_CL),<br>(WizVulnerabilitiesV2_CL)` - `union isfuzzy=true <br>(WizAuditLogs_CL),<br>(WizAuditLogsV2_CL)` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Wiz Service Account credentials: Ensure you have your Wiz service account client ID and client secret, API endpoint URL, and auth URL. Instructions can be found on Wiz documentation.	Wiz
Workday User Activity The Workday User Activity data connector provides the capability to ingest User Activity Logs from Workday API into Microsoft Sentinel. Log Analytics table(s): - `ASimAuditEventLogs` Data collection rule support: Not currently supported Prerequisites: - Workday User Activity API access: Access to the Workday user activity API through Oauth are required. The API Client needs to have the scope: System and it needs to be authorized by an account with System Auditing permissions.	Microsoft Corporation
Workplace from Facebook (using Azure Functions) The Workplace data connector provides the capability to ingest common Workplace events into Microsoft Sentinel through Webhooks. Webhooks enable custom integration apps to subscribe to events in Workplace and receive updates in real time. When a change occurs in Workplace, an HTTPS POST request with event information is sent to a callback data connector URL. Refer to Webhooks documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `Workplace_Facebook_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Webhooks Credentials/permissions: WorkplaceAppSecret, WorkplaceVerifyToken, Callback URL are required for working Webhooks. See the documentation to learn more about configuring Webhooks, configuring permissions.	Microsoft Corporation
Zero Networks Segment Audit The Zero Networks Segment Audit data connector provides the capability to ingest Zero Networks Audit events into Microsoft Sentinel through the REST API. This data connector uses Microsoft Sentinel native polling capability. Log Analytics table(s): - `ZNSegmentAuditNativePoller_CL` Data collection rule support: Not currently supported Prerequisites: - Zero Networks API Token: ZeroNetworksAPIToken is required for REST API. See the API Guide and follow the instructions for obtaining credentials.	Zero Networks
Zero Networks Segment Audit (Function) (using Azure Functions) The Zero Networks Segment Audit data connector provides the capability to ingest Audit events into Microsoft Sentinel through the REST API. Refer to API guide for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `ZNSegmentAudit_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials: Zero Networks Segment API Token is required for REST API. See the API Guide.	Zero Networks
ZeroFox CTI (using Azure Functions) The ZeroFox CTI data connectors provide the capability to ingest the different ZeroFox cyber threat intelligence alerts into Microsoft Sentinel. Log Analytics table(s): - `ZeroFox_CTI_advanced_dark_web_CL` - `ZeroFox_CTI_botnet_CL` - `ZeroFox_CTI_breaches_CL` - `ZeroFox_CTI_C2_CL` - `ZeroFox_CTI_compromised_credentials_CL` - `ZeroFox_CTI_credit_cards_CL` - `ZeroFox_CTI_dark_web_CL` - `ZeroFox_CTI_discord_CL` - `ZeroFox_CTI_disruption_CL` - `ZeroFox_CTI_email_addresses_CL` - `ZeroFox_CTI_exploits_CL` - `ZeroFox_CTI_irc_CL` - `ZeroFox_CTI_malware_CL` - `ZeroFox_CTI_national_ids_CL` - `ZeroFox_CTI_phishing_CL` - `ZeroFox_CTI_phone_numbers_CL` - `ZeroFox_CTI_ransomware_CL` - `ZeroFox_CTI_telegram_CL` - `ZeroFox_CTI_threat_actors_CL` - `ZeroFox_CTI_vulnerabilities_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - ZeroFox API Credentials/permissions: ZeroFox Username, ZeroFox Personal Access Token are required for ZeroFox CTI REST API.	ZeroFox
ZeroFox Enterprise - Alerts (Polling CCF) Collects alerts from ZeroFox API. Log Analytics table(s): - `ZeroFoxAlertPoller_CL` Data collection rule support: Not currently supported Prerequisites: - ZeroFox Personal Access Token (PAT): A ZeroFox PAT is required. You can get it in Data Connectors > API Data Feeds.	ZeroFox
Zimperium Mobile Threat Defense Zimperium Mobile Threat Defense connector gives you the ability to connect the Zimperium threat log with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's mobile threat landscape and enhances your security operation capabilities. Log Analytics table(s): - `ZimperiumThreatLog_CL` Data collection rule support: Not currently supported	Zimperium
Zoom Reports (using Azure Functions) The Zoom Reports data connector provides the capability to ingest Zoom Reports events into Microsoft Sentinel through the REST API. Refer to API documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Log Analytics table(s): - `Zoom_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: AccountID, ClientID and ClientSecret are required for Zoom API. For more information, see Zoom API. Follow the instructions for Zoom API configurations.	Microsoft Corporation

Deprecated Sentinel data connectors

Note

The following table lists the deprecated and legacy data connectors. Deprecated connectors are no longer supported.

Connector	Supported by
[Deprecated] Atlassian Confluence Audit (using Azure Functions) The Atlassian Confluence Audit data connector provides the capability to ingest Confluence Audit Records for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Note: This data connector has been deprecated, consider moving to the CCF data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API. Log Analytics table(s): - `Confluence_Audit_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: ConfluenceAccessToken, ConfluenceUsername is required for REST API. For more information, see API. Check all requirements and follow the instructions for obtaining credentials.	Microsoft Corporation
[Deprecated] Google Cloud Platform DNS (using Azure Functions) The Google Cloud Platform DNS data connector provides the capability to ingest Cloud DNS query logs and Cloud DNS audit logs into Microsoft Sentinel using the GCP Logging API. Refer to GCP Logging API documentation for more information. Note: This data connector has been deprecated, consider moving to the CCF data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API. Log Analytics table(s): - `GCP_DNS_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - GCP service account: GCP service account with permissions to read logs (with "logging.logEntries.list" permission) is required for GCP Logging API. Also json file with service account key is required. See the documentation to learn more about permissions, creating service account and creating service account key.	Microsoft Corporation
[Deprecated] Google Cloud Platform IAM (using Azure Functions) The Google Cloud Platform Identity and Access Management (IAM) data connector provides the capability to ingest GCP IAM logs into Microsoft Sentinel using the GCP Logging API. Refer to GCP Logging API documentation for more information. Note: This data connector has been deprecated, consider moving to the CCF data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API. Log Analytics table(s): - `GCP_IAM_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - GCP service account: GCP service account with permissions to read logs is required for GCP Logging API. Also json file with service account key is required. See the documentation to learn more about required permissions, creating service account and creating service account key.	Microsoft Corporation
[Deprecated] Infoblox SOC Insight Data Connector via Legacy Agent The Infoblox SOC Insight Data Connector allows you to easily connect your Infoblox BloxOne SOC Insight data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. This data connector ingests Infoblox SOC Insight CDC logs into your Log Analytics Workspace using the legacy Log Analytics agent. Microsoft recommends installation of Infoblox SOC Insight Data Connector via AMA Connector. The legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and should only be installed where AMA is not supported. Using MMA and AMA on the same machine can cause log duplication and extra ingestion cost. More details. Log Analytics table(s): - `CommonSecurityLog` Data collection rule support: Workspace transform DCR	Infoblox
[Deprecated] Microsoft Exchange Logs and Events Deprecated, use the 'ESI-Opt' dataconnectors. You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment Log Analytics table(s): - `Event` - `SecurityEvent` - `W3CIISLog` - `MessageTrackingLog_CL` - `ExchangeHttpProxy_CL` Data collection rule support: Not currently supported Prerequisites: - Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. Learn more - Detailled documentation: >NOTE: Detailled documentation on Installation procedure and usage can be found here	Community
[Deprecated] Proofpoint On Demand Email Security (using Azure Functions) Proofpoint On Demand Email Security data connector provides the capability to get Proofpoint on Demand Email Protection data, allows users to check message traceability, monitoring into email activity, threats,and data exfiltration by attackers and malicious insiders. The connector provides ability to review events in your org on an accelerated basis, get event log files in hourly increments for recent activity. Note: This data connector has been deprecated, consider moving to the CCF data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API. Log Analytics table(s): - `ProofpointPOD_message_CL` - `ProofpointPOD_maillog_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Websocket API Credentials/permissions: ProofpointClusterID, ProofpointToken is required. For more information, see API.	Microsoft Corporation
[Deprecated] Proofpoint TAP (using Azure Functions) The Proofpoint Targeted Attack Protection (TAP) connector provides the capability to ingest Proofpoint TAP logs and events into Microsoft Sentinel. The connector provides visibility into Message and Click events in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities. Note: This data connector has been deprecated, consider moving to the CCF data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API. Log Analytics table(s): - `ProofPointTAPMessagesDelivered_CL` - `ProofPointTAPMessagesBlocked_CL` - `ProofPointTAPClicksPermitted_CL` - `ProofPointTAPClicksBlocked_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Proofpoint TAP API Key: A Proofpoint TAP API username and password is required. For more information, see Proofpoint SIEM API.	Microsoft Corporation
[Deprecated] Qualys Vulnerability Management (using Azure Functions) The Qualys Vulnerability Management (VM) data connector provides the capability to ingest vulnerability host detection data into Microsoft Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. This connector provides Microsoft Sentinel the capability to view dashboards, create custom alerts, and improve investigation Note: This data connector has been deprecated, consider moving to the CCF data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API. Log Analytics table(s): - `QualysHostDetectionV2_CL` - `QualysHostDetection_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - Qualys API Key: A Qualys VM API username and password is required. For more information, see Qualys VM API.	Microsoft Corporation
[Deprecated] Slack Audit (using Azure Functions) The Slack Audit data connector provides the capability to ingest Slack Audit Records events into Microsoft Sentinel through the REST API. Refer to API documentation for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues. Note: This data connector has been deprecated, consider moving to the CCF data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API. Log Analytics table(s): - `SlackAudit_CL` Data collection rule support: Not currently supported Prerequisites: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. For more information, see Azure Functions. - REST API Credentials/permissions: SlackAPIBearerToken is required for REST API. For more information, see API. Check all requirements and follow the instructions for obtaining credentials.	Microsoft Corporation
Security Events via Legacy Agent You can stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities. For more information, see the Microsoft Sentinel documentation. Log Analytics table(s): - `SecurityEvent` Data collection rule support: Not currently supported	Microsoft Corporation
Subscription-based Microsoft Defender for Cloud (Legacy) Microsoft Defender for Cloud is a security management tool that allows you to detect and quickly respond to threats across Azure, hybrid, and multi-cloud workloads. This connector allows you to stream your security alerts from Microsoft Defender for Cloud into Microsoft Sentinel, so you can view Defender data in workbooks, query it to produce alerts, and investigate and respond to incidents. For more information> Log Analytics table(s): - `SecurityAlert` Data collection rule support: Not currently supported	Microsoft Corporation
Syslog via Legacy Agent Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace. Learn more > Log Analytics table(s): - `Syslog` Data collection rule support: Workspace transform DCR	Microsoft Corporation

Next steps

For more information, see:

Share via

Find your Microsoft Sentinel data connector

Data connector prerequisites

Syslog and Common Event Format (CEF) connectors

Custom Logs via AMA connector

Sentinel data connectors

Deprecated Sentinel data connectors

Next steps

Feedback

Additional resources