data-connectors-reference.md
Latest commit 365ff93 · May 3, 2022
---
title: Find your Microsoft Sentinel data connector | Microsoft Docs
description: Learn about specific configuration steps for Microsoft Sentinel data connectors.
author: batamig
ms.topic: reference
ms.date: 01/04/2022
ms.author: bagol
ms.custom: ignite-fall-2021
---

# Find your Microsoft Sentinel data connector

[!INCLUDE Banner for top of topics]

This article describes how to deploy data connectors in Microsoft Sentinel, listing all supported, out-of-the-box data connectors, together with links to generic deployment procedures, and extra steps required for specific connectors.

> [!TIP]
> Some data connectors are deployed only via solutions. For more information, see the Microsoft Sentinel solutions catalog. You can also find other, community-built data connectors in the Microsoft Sentinel GitHub repository.

## How to use this guide

1. First, locate and select the connector for your product, service, or device in the headings menu to the right.

    The first piece of information you'll see for each connector is its data ingestion method. The method that appears there is a link to one of the following generic deployment procedures, which contain most of the information you'll need to connect your data sources to Microsoft Sentinel:

    | Data ingestion method | Linked article with instructions |
    | --- | --- |
    | Azure service-to-service integration | Connect to Azure, Windows, Microsoft, and Amazon services |
    | Common Event Format (CEF) over Syslog | Get CEF-formatted logs from your device or appliance into Microsoft Sentinel |
    | Microsoft Sentinel Data Collector API | Connect your data source to the Microsoft Sentinel Data Collector API to ingest data |
    | Azure Functions and the REST API | Use Azure Functions to connect Microsoft Sentinel to your data source |
    | Syslog | Collect data from Linux-based sources using Syslog |
    | Custom logs | Collect data in custom log formats to Microsoft Sentinel with the Log Analytics agent |

    > [!NOTE]
    > The Azure service-to-service integration data ingestion method links to three different sections of its article, depending on the connector type. Each connector's section below specifies the section within that article that it links to.

2. When deploying a specific connector, choose the appropriate article linked to its data ingestion method, and use the information and extra guidance in the relevant section below to supplement the information in that article.

> [!TIP]
> - Many data connectors can also be deployed as part of a Microsoft Sentinel solution, together with related analytics rules, workbooks, and playbooks. For more information, see the Microsoft Sentinel solutions catalog.
> - More data connectors are provided by the Microsoft Sentinel community and can be found in the Azure Marketplace. Documentation for community data connectors is the responsibility of the organization that created the connector.
> - If you have a data source that isn't listed or currently supported, you can also create your own, custom connector. For more information, see Resources for creating Microsoft Sentinel custom connectors.

> [!IMPORTANT]
> Noted Microsoft Sentinel data connectors are currently in Preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

## Data connector prerequisites

[!INCLUDE data-connector-prereq]

## Agari Phishing Defense and Brand Protection (Preview)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure Functions and the REST API<br><br>Before deployment: Enable the Security Graph API (Optional).<br>After deployment: Assign necessary permissions to your Function App |
| Log Analytics table(s) | agari_bpalerts_log_CL<br>agari_apdtc_log_CL<br>agari_apdpolicy_log_CL |
| DCR support | Not currently supported |
| Azure Function App code | https://aka.ms/Sentinel-agari-functionapp |
| API credentials | Client ID<br>Client Secret<br>(Optional: Graph Tenant ID, Graph Client ID, Graph Client Secret) |
| Vendor documentation/<br>installation instructions | Quick Start<br>Agari Developers Site |
| Connector deployment instructions | Single-click deployment via Azure Resource Manager (ARM) template<br>Manual deployment |
| Application settings | clientID<br>clientSecret<br>workspaceID<br>workspaceKey<br>enableBrandProtectionAPI (true/false)<br>enablePhishingResponseAPI (true/false)<br>enablePhishingDefenseAPI (true/false)<br>resGroup (enter Resource group)<br>functionName<br>subId (enter Subscription ID)<br>enableSecurityGraphSharing (true/false; see below)<br>Required if enableSecurityGraphSharing is set to true (see below):<br>GraphTenantId<br>GraphClientId<br>GraphClientSecret<br>logAnalyticsUri (optional) |
| Supported by | Agari |

### Enable the Security Graph API (Optional)

> [!IMPORTANT]
> If you perform this step, do it before you deploy your data connector.

The Agari Function App allows you to share threat intelligence with Microsoft Sentinel via the Security Graph API. To use this feature, you'll need to enable the Sentinel Threat Intelligence Platforms connector and also register an application in Azure Active Directory.

This process will give you three pieces of information for use when deploying the Function App: the Graph tenant ID, the Graph client ID, and the Graph client secret (see the Application settings in the table above).

### Assign necessary permissions to your Function App

The Agari connector uses an environment variable to store log access timestamps. For the application to write to this variable, permissions must be assigned to the Function App's system-assigned identity.

1. In the Azure portal, navigate to Function App.
2. In the Function App page, select your Function App from the list, then select Identity under Settings in the Function App's navigation menu.
3. In the System assigned tab, set the Status to On.
4. Select Save, and an Azure role assignments button will appear. Select it.
5. In the Azure role assignments screen, select Add role assignment. Set Scope to Subscription, select your subscription from the Subscription drop-down, and set Role to App Configuration Data Owner.
6. Select Save.

## AI Analyst (AIA) by Darktrace (Preview)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Common Event Format (CEF) over Syslog<br><br>Configure CEF log forwarding for AI Analyst |
| Log Analytics table(s) | CommonSecurityLog |
| DCR support | Workspace transformation DCR |
| Supported by | Darktrace |

### Configure CEF log forwarding for AI Analyst

Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Log Analytics agent.

1. Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin.
2. From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.
3. A configuration window will open. Locate Microsoft Sentinel Syslog CEF and select New to reveal the configuration settings, unless already exposed.
4. In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls.
5. Configure any alert thresholds, time offsets, or extra settings as required.
6. Review any extra configuration options you may wish to enable that alter the Syslog syntax.
7. Enable Send Alerts and save your changes.

## AI Vectra Detect (Preview)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Common Event Format (CEF) over Syslog<br><br>Configure CEF log forwarding for AI Vectra Detect |
| Log Analytics table(s) | CommonSecurityLog |
| DCR support | Workspace transformation DCR |
| Supported by | Vectra AI |

### Configure CEF log forwarding for AI Vectra Detect

Configure Vectra (X Series) Agent to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Log Analytics agent.

From the Vectra interface, navigate to Settings > Notifications and choose Edit Syslog configuration. Follow the instructions below to set up the connection:

- Add a new Destination (the hostname of the log forwarder)
- Set the Port as 514
- Set the Protocol as UDP
- Set the format to CEF
- Set Log types (select all log types available)
- Select Save

You can select the Test button to force the sending of some test events to the log forwarder.

For more information, see the Cognito Detect Syslog Guide, which can be downloaded from the resource page in Detect UI.

## Akamai Security Events (Preview)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Common Event Format (CEF) over Syslog, with a Kusto function parser |
| Log Analytics table(s) | CommonSecurityLog |
| DCR support | Workspace transformation DCR |
| Kusto function alias: | AkamaiSIEMEvent |
| Kusto function URL: | https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Akamai%20Security%20Events/Parsers/AkamaiSIEMEvent.txt |
| Vendor documentation/<br>installation instructions | Configure Security Information and Event Management (SIEM) integration<br>Set up a CEF connector. |
| Supported by | Akamai |

## Alcide kAudit

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Microsoft Sentinel Data Collector API |
| Log Analytics table(s) | alcide_kaudit_activity_1_CL - Alcide kAudit activity logs<br>alcide_kaudit_detections_1_CL - Alcide kAudit detections<br>alcide_kaudit_selections_count_1_CL - Alcide kAudit activity counts<br>alcide_kaudit_selections_details_1_CL - Alcide kAudit activity details |
| DCR support | Not currently supported |
| Vendor documentation/<br>installation instructions | Alcide kAudit installation guide |
| Supported by | Alcide |

## Alsid for Active Directory

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Log Analytics agent - custom logs<br><br>Extra configuration for Alsid |
| Log Analytics table(s) | AlsidForADLog_CL |
| DCR support | Not currently supported |
| Kusto function alias: | afad_parser |
| Kusto function URL: | https://aka.ms/Sentinel-alsidforad-parser |
| Supported by | Alsid |

### Extra configuration for Alsid

1. Configure the Syslog server

    You will first need a Linux Syslog server that Alsid for AD will send logs to. Typically you can run rsyslog on Ubuntu.

    You can then configure this server as you wish, but we recommend configuring it to write the AFAD logs to a separate file. Alternatively, you can use a Quickstart template to deploy the Syslog server and the Microsoft agent for you. If you do use the template, you can skip the agent installation instructions.

2. Configure Alsid to send logs to your Syslog server

    On your Alsid for AD portal, go to System, Configuration, and then Syslog. From there, you can create a new Syslog alert toward your Syslog server.

    Once you've created a new Syslog alert, check that the logs are correctly gathered on your server in a separate file. For example, to check your logs, you can use the Test the configuration button in the Syslog alert configuration in AFAD. If you used the Quickstart template, the Syslog server will by default listen on port 514 in UDP and 1514 in TCP, without TLS.
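An rsyslog configuration that implements the "separate file" recommendation above, added here as an example (it is not part of the original article, nor of the Alsid or Microsoft Quickstart template). It assumes the AFAD appliance sends from the placeholder address 192.0.2.10 and that the server listens on the same ports as the Quickstart template (514/UDP and 1514/TCP, no TLS):

```conf
# /etc/rsyslog.d/10-afad.conf  (added example; file name and source address are assumptions)

# Listen on the same ports as the Quickstart template: 514/UDP and 1514/TCP, without TLS.
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="1514")

# Write everything that arrives from the Alsid for AD appliance (placeholder 192.0.2.10)
# to its own file, which the Log Analytics agent then collects as a custom log.
# "stop" keeps these lines from also being duplicated into /var/log/syslog.
if $fromhost-ip == '192.0.2.10' then {
    action(type="omfile" file="/var/log/afad.log")
    stop
}
```

Restart rsyslog after adding the file, then use the Test the configuration button in AFAD to confirm that test lines land in /var/log/afad.log and nowhere else.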

## Amazon Web Services

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure service-to-service integration:<br>Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data<br>(Top connector article) |
| Log Analytics table(s) | AWSCloudTrail |
| DCR support | Workspace transformation DCR |
| Supported by | Microsoft |

## Amazon Web Services S3 (Preview)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure service-to-service integration:<br>Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data<br>(Top connector article) |
| Log Analytics table(s) | AWSCloudTrail<br>AWSGuardDuty<br>AWSVPCFlow |
| DCR support | Workspace transformation DCR |
| Supported by | Microsoft |

## Apache HTTP Server

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Log Analytics agent - custom logs |
| Log Analytics table(s) | ApacheHTTPServer_CL |
| DCR support | Not currently supported |
| Kusto function alias: | ApacheHTTPServer |
| Kusto function URL: | https://aka.ms/Sentinel-apachehttpserver-parser |
| Custom log sample file: | access.log or error.log |

## Apache Tomcat

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Log Analytics agent - custom logs |
| Log Analytics table(s) | Tomcat_CL |
| DCR support | Not currently supported |
| Kusto function alias: | TomcatEvent |
| Kusto function URL: | https://aka.ms/Sentinel-ApacheTomcat-parser |
| Custom log sample file: | access.log or error.log |

## Aruba ClearPass (Preview)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Common Event Format (CEF) over Syslog, with a Kusto function parser |
| Log Analytics table(s) | CommonSecurityLog |
| DCR support | Workspace transformation DCR |
| Kusto function alias: | ArubaClearPass |
| Kusto function URL: | https://aka.ms/Sentinel-arubaclearpass-parser |
| Vendor documentation/<br>installation instructions | Follow Aruba's instructions to configure ClearPass. |
| Supported by | Microsoft |

## Atlassian Confluence Audit (Preview)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure Functions and the REST API |
| Log Analytics table(s) | Confluence_Audit_CL |
| DCR support | Not currently supported |
| Azure Function App code | https://aka.ms/Sentinel-confluenceauditapi-functionapp |
| API credentials | ConfluenceAccessToken<br>ConfluenceUsername<br>ConfluenceHomeSiteName |
| Vendor documentation/<br>installation instructions | API Documentation<br>Requirements and instructions for obtaining credentials<br>View the audit log |
| Connector deployment instructions | Single-click deployment via Azure Resource Manager (ARM) template<br>Manual deployment |
| Kusto function alias | ConfluenceAudit |
| Kusto function URL/<br>Parser config instructions | https://aka.ms/Sentinel-confluenceauditapi-parser |
| Application settings | ConfluenceUsername<br>ConfluenceAccessToken<br>ConfluenceHomeSiteName<br>WorkspaceID<br>WorkspaceKey<br>logAnalyticsUri (optional) |
| Supported by | Microsoft |

## Atlassian Jira Audit (Preview)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure Functions and the REST API |
| Log Analytics table(s) | Jira_Audit_CL |
| DCR support | Not currently supported |
| Azure Function App code | https://aka.ms/Sentinel-jiraauditapi-functionapp |
| API credentials | JiraAccessToken<br>JiraUsername<br>JiraHomeSiteName |
| Vendor documentation/<br>installation instructions | API Documentation - Audit records<br>Requirements and instructions for obtaining credentials |
| Connector deployment instructions | Single-click deployment via Azure Resource Manager (ARM) template<br>Manual deployment |
| Kusto function alias | JiraAudit |
| Kusto function URL/<br>Parser config instructions | https://aka.ms/Sentinel-jiraauditapi-parser |
| Application settings | JiraUsername<br>JiraAccessToken<br>JiraHomeSiteName<br>WorkspaceID<br>WorkspaceKey<br>logAnalyticsUri (optional) |
| Supported by | Microsoft |

## Azure Active Directory

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure service-to-service integration:<br>Connect Azure Active Directory data to Microsoft Sentinel<br>(Top connector article) |
| License prerequisites/<br>Cost information | Azure Active Directory P1 or P2 license for sign-in logs<br>Any Azure AD license (Free/O365/P1/P2) for other log types<br>Other charges may apply |
| Log Analytics table(s) | SigninLogs<br>AuditLogs<br>AADNonInteractiveUserSignInLogs<br>AADServicePrincipalSignInLogs<br>AADManagedIdentitySignInLogs<br>AADProvisioningLogs<br>ADFSSignInLogs |
| DCR support | Workspace transformation DCR |
| Supported by | Microsoft |

## Azure Active Directory Identity Protection

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure service-to-service integration:<br>API-based connections |
| License prerequisites/<br>Cost information | Azure AD Premium P2 subscription<br>Other charges may apply |
| Log Analytics table(s) | SecurityAlert |
| DCR support | Workspace transformation DCR |
| Supported by | Microsoft |

> [!NOTE]
> This connector was designed to import only those alerts whose status is "open." Alerts that have been closed in Azure AD Identity Protection will not be imported to Microsoft Sentinel.

## Azure Activity

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure service-to-service integration:<br>Diagnostic settings-based connections, managed by Azure Policy<br><br>Upgrade to the new Azure Activity connector |
| Log Analytics table(s) | AzureActivity |
| DCR support | Not currently supported |
| Supported by | Microsoft |

### Upgrade to the new Azure Activity connector

#### Data structure changes

This connector recently changed its back-end mechanism for collecting Activity log events. It now uses the diagnostic settings pipeline. If you're still using the legacy method for this connector, you are strongly encouraged to upgrade to the new version, which provides better functionality and greater consistency with resource logs. See the instructions below.

The diagnostic settings method sends the same data that the legacy method sent from the Activity log service, although there have been some changes to the structure of the AzureActivity table.

Here are some of the key improvements resulting from the move to the diagnostic settings pipeline:

- Improved ingestion latency (event ingestion within 2-3 minutes of occurrence instead of 15-20 minutes).
- Improved reliability.
- Improved performance.
- Support for all categories of events logged by the Activity log service (the legacy mechanism supports only a subset - for example, no support for Service Health events).
- Management at scale with Azure Policy.

See the Azure Monitor documentation for a more in-depth treatment of the Azure Activity log and the diagnostic settings pipeline.

#### Disconnect from old pipeline

Before setting up the new Azure Activity log connector, you must disconnect the existing subscriptions from the legacy method.

1. From the Microsoft Sentinel navigation menu, select Data connectors. From the list of connectors, select Azure Activity, and then select the Open connector page button on the lower right.

2. Under the Instructions tab, in the Configuration section, in step 1, review the list of your existing subscriptions that are connected to the legacy method (so you know which ones to add to the new connector), and disconnect them all at once by selecting the Disconnect All button below.

3. Continue setting up the new connector with the instructions linked in the table above.

## Azure DDoS Protection

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure service-to-service integration:<br>Diagnostic settings-based connections |
| License prerequisites/<br>Cost information | You must have a configured Azure DDoS Standard protection plan.<br>You must have a configured virtual network with Azure DDoS Standard enabled.<br>Other charges may apply |
| Log Analytics table(s) | AzureDiagnostics |
| DCR support | Not currently supported |
| Recommended diagnostics | DDoSProtectionNotifications<br>DDoSMitigationFlowLogs<br>DDoSMitigationReports |
| Supported by | Microsoft |

## Azure Defender

See Microsoft Defender for Cloud.

## Azure Firewall

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure service-to-service integration:<br>Diagnostic settings-based connections |
| Log Analytics table(s) | AzureDiagnostics |
| DCR support | Not currently supported |
| Recommended diagnostics | AzureFirewallApplicationRule<br>AzureFirewallNetworkRule<br>AzureFirewallDnsProxy |
| Supported by | Microsoft |

## Azure Information Protection (Preview)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure service-to-service integration |
| Log Analytics table(s) | InformationProtectionLogs_CL |
| DCR support | Not currently supported |
| Supported by | Microsoft |

> [!NOTE]
> The Azure Information Protection (AIP) data connector uses the AIP audit logs (public preview) feature. As of March 18, 2022, we are sunsetting the AIP analytics and audit logs public preview, and moving forward will be using the Microsoft 365 auditing solution. Full retirement is scheduled for September 30, 2022.
>
> For more information, see Removed and retired services.

## Azure Key Vault

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure service-to-service integration:<br>Diagnostic settings-based connections, managed by Azure Policy |
| Log Analytics table(s) | KeyVaultData |
| DCR support | Not currently supported |
| Supported by | Microsoft |

## Azure Kubernetes Service (AKS)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure service-to-service integration:<br>Diagnostic settings-based connections, managed by Azure Policy |
| Log Analytics table(s) | kube-apiserver<br>kube-audit<br>kube-audit-admin<br>kube-controller-manager<br>kube-scheduler<br>cluster-autoscaler<br>guard |
| DCR support | Not currently supported |
| Supported by | Microsoft |

## Microsoft Purview

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure service-to-service integration:<br>Diagnostic settings-based connections<br><br>For more information, see Tutorial: Integrate Microsoft Sentinel and Microsoft Purview. |
| Log Analytics table(s) | PurviewDataSensitivityLogs |
| DCR support | Not currently supported |
| Supported by | Microsoft |

## Azure SQL Databases

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure service-to-service integration:<br>Diagnostic settings-based connections, managed by Azure Policy<br><br>Also available in the Azure SQL and Microsoft Sentinel for SQL PaaS solutions |
| Log Analytics table(s) | SQLSecurityAuditEvents<br>SQLInsights<br>AutomaticTuning<br>QueryStoreWaitStatistics<br>Errors<br>DatabaseWaitStatistics<br>Timeouts<br>Blocks<br>Deadlocks<br>Basic<br>InstanceAndAppAdvanced<br>WorkloadManagement<br>DevOpsOperationsAudit |
| DCR support | Not currently supported |
| Supported by | Microsoft |

## Azure Storage Account

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure service-to-service integration:<br>Diagnostic settings-based connections<br><br>Notes about storage account diagnostic settings configuration |
| Log Analytics table(s) | StorageBlobLogs<br>StorageQueueLogs<br>StorageTableLogs<br>StorageFileLogs |
| Recommended diagnostics | Account resource: Transaction<br>Blob/Queue/Table/File resources: StorageRead, StorageWrite, StorageDelete, Transaction |
| DCR support | Not currently supported |
| Supported by | Microsoft |

### Notes about storage account diagnostic settings configuration

The storage account (parent) resource has within it other (child) resources for each type of storage: files, tables, queues, and blobs.

When configuring diagnostics for a storage account, you must select and configure, in turn:

- The parent account resource, exporting the Transaction metric.
- Each of the child storage-type resources, exporting all the logs and metrics (see the table above).

You will only see the storage types that you actually have defined resources for.

## Azure Web Application Firewall (WAF)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure service-to-service integration:<br>Diagnostic settings-based connections |
| Log Analytics table(s) | AzureDiagnostics |
| DCR support | Not currently supported |
| Recommended diagnostics | Application Gateway: ApplicationGatewayAccessLog, ApplicationGatewayFirewallLog<br>Front Door: FrontdoorAccessLog, FrontdoorWebApplicationFirewallLog<br>CDN WAF policy: WebApplicationFirewallLogs |
| Supported by | Microsoft |

## Barracuda CloudGen Firewall

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Syslog |
| Log Analytics table(s) | Syslog |
| DCR support | Workspace transformation DCR |
| Kusto function alias: | CGFWFirewallActivity |
| Kusto function URL: | https://aka.ms/Sentinel-barracudacloudfirewall-function |
| Vendor documentation/<br>installation instructions | https://aka.ms/Sentinel-barracudacloudfirewall-connector |
| Supported by | Barracuda |

## Barracuda WAF

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Syslog |
| Log Analytics table(s) | CommonSecurityLog (Barracuda)<br>Barracuda_CL |
| Vendor documentation/<br>installation instructions | https://aka.ms/asi-barracuda-connector |
| Supported by | Barracuda |

See the Barracuda instructions - note the assigned facilities for the different types of logs and be sure to add them to the default Syslog configuration.

## BETTER Mobile Threat Defense (MTD) (Preview)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Microsoft Sentinel Data Collector API |
| Log Analytics table(s) | BetterMTDDeviceLog_CL<br>BetterMTDIncidentLog_CL<br>BetterMTDAppLog_CL<br>BetterMTDNetflowLog_CL |
| DCR support | Not currently supported |
| Vendor documentation/<br>installation instructions | BETTER MTD Documentation<br><br>Threat Policy setup, which defines the incidents that are reported to Microsoft Sentinel:<br>1. In Better MTD Console, select Policies on the side bar.<br>2. Select the Edit button of the Policy that you are using.<br>3. For each Incident type that you want to be logged, go to the Send to Integrations field and select Sentinel. |
| Supported by | Better Mobile |

## Beyond Security beSECURE

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Microsoft Sentinel Data Collector API |
| Log Analytics table(s) | beSECURE_ScanResults_CL<br>beSECURE_ScanEvents_CL<br>beSECURE_Audit_CL |
| DCR support | Not currently supported |
| Vendor documentation/<br>installation instructions | Access the Integration menu:<br>1. Select the More menu option.<br>2. Select Server.<br>3. Select Integration.<br>4. Enable Microsoft Sentinel.<br>5. Paste the Workspace ID and Primary Key values in the beSECURE configuration.<br>6. Select Modify. |
| Supported by | Beyond Security |

## BlackBerry CylancePROTECT (Preview)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Syslog |
| Log Analytics table(s) | Syslog |
| DCR support | Workspace transformation DCR |
| Kusto function alias: | CylancePROTECT |
| Kusto function URL: | https://aka.ms/Sentinel-cylanceprotect-parser |
| Vendor documentation/<br>installation instructions | Cylance Syslog Guide |
| Supported by | Microsoft |

## Broadcom Symantec Data Loss Prevention (DLP) (Preview)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Common Event Format (CEF) over Syslog, with a Kusto function parser |
| Log Analytics table(s) | CommonSecurityLog |
| DCR support | Workspace transformation DCR |
| Kusto function alias: | SymantecDLP |
| Kusto function URL: | https://aka.ms/Sentinel-symantecdlp-parser |
| Vendor documentation/<br>installation instructions | Configuring the Log to a Syslog Server action |
| Supported by | Microsoft |

## Check Point

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Common Event Format (CEF) over Syslog<br><br>Available from the Check Point solution |
| Log Analytics table(s) | CommonSecurityLog |
| DCR support | Workspace transformation DCR |
| Vendor documentation/<br>installation instructions | Log Exporter - Check Point Log Export |
| Supported by | Check Point |

## Cisco ASA

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Common Event Format (CEF) over Syslog<br><br>Available in the Cisco ASA solution |
| Log Analytics table(s) | CommonSecurityLog |
| DCR support | Workspace transformation DCR |
| Vendor documentation/<br>installation instructions | Cisco ASA Series CLI Configuration Guide |
| Supported by | Microsoft |

## Cisco Firepower eStreamer (Preview)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Common Event Format (CEF) over Syslog<br><br>Extra configuration for Cisco Firepower eStreamer |
| Log Analytics table(s) | CommonSecurityLog |
| DCR support | Workspace transformation DCR |
| Vendor documentation/<br>installation instructions | eStreamer eNcore for Sentinel Operations Guide |
| Supported by | Cisco |

### Extra configuration for Cisco Firepower eStreamer

1. Install the Firepower eNcore client

    Install and configure the Firepower eNcore eStreamer client. For more information, see the full Cisco install guide.

2. Download the Firepower Connector from GitHub

    Download the latest version of the Firepower eNcore connector for Microsoft Sentinel from the Cisco GitHub repository. If you plan on using python3, use the python3 eStreamer connector.

3. Create a pkcs12 file using the Azure/VM IP Address

    Create a pkcs12 certificate using the public IP of the VM instance in Firepower under System > Integration > eStreamer. For more information, see the install guide.

4. Test Connectivity between the Azure/VM Client and the FMC

    Copy the pkcs12 file from the FMC to the Azure/VM instance and run the test utility (./encore.sh test) to ensure a connection can be established. For more information, see the setup guide.

5. Configure eNcore to stream data to the agent

    Configure eNcore to stream data via TCP to the Log Analytics Agent. This configuration should be enabled by default, but extra ports and streaming protocols can be configured depending on your network security posture. It is also possible to save the data to the file system. For more information, see Configure eNcore.

## Cisco Meraki (Preview)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Syslog<br><br>Available in the Cisco ISE solution |
| Log Analytics table(s) | Syslog |
| DCR support | Workspace transformation DCR |
| Kusto function alias: | CiscoMeraki |
| Kusto function URL: | https://aka.ms/Sentinel-ciscomeraki-parser |
| Vendor documentation/<br>installation instructions | Meraki Device Reporting documentation |
| Supported by | Microsoft |

## Cisco Umbrella (Preview)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Azure Functions and the REST API<br><br>Available in the Cisco Umbrella solution |
| Log Analytics table(s) | Cisco_Umbrella_dns_CL<br>Cisco_Umbrella_proxy_CL<br>Cisco_Umbrella_ip_CL<br>Cisco_Umbrella_cloudfirewall_CL |
| DCR support | Not currently supported |
| Azure Function App code | https://aka.ms/Sentinel-CiscoUmbrellaConn-functionapp |
| API credentials | AWS Access Key ID<br>AWS Secret Access Key<br>AWS S3 Bucket Name |
| Vendor documentation/<br>installation instructions | Logging to Amazon S3 |
| Connector deployment instructions | Single-click deployment via Azure Resource Manager (ARM) template<br>Manual deployment |
| Kusto function alias | Cisco_Umbrella |
| Kusto function URL/<br>Parser config instructions | https://aka.ms/Sentinel-ciscoumbrella-function |
| Application settings | WorkspaceID<br>WorkspaceKey<br>S3Bucket<br>AWSAccessKeyId<br>AWSSecretAccessKey<br>logAnalyticsUri (optional) |
| Supported by | Microsoft |

## Cisco Unified Computing System (UCS) (Preview)

| Connector attribute | Description |
| --- | --- |
| Data ingestion method | Syslog |
| Log Analytics table(s) | Syslog |
| DCR support | Workspace transformation DCR |
| Kusto function alias: | CiscoUCS |
| Kusto function URL: | https://aka.ms/Sentinel-ciscoucs-function |
| Vendor documentation/<br>installation instructions | Set up Syslog for Cisco UCS - Cisco |
| Supported by | Microsoft |

    Citrix Analytics (Security)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Microsoft Sentinel Data Collector API |
    | Log Analytics table(s) | CitrixAnalytics_SAlerts_CL |
    | DCR support | Not currently supported |
    | Vendor documentation/installation instructions | Connect Citrix to Microsoft Sentinel |
    | Supported by | Citrix Systems |

    Citrix Web App Firewall (WAF) (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Common Event Format (CEF) over Syslog |
    | Log Analytics table(s) | CommonSecurityLog |
    | DCR support | Workspace transformation DCR |
    | Vendor documentation/installation instructions | To configure WAF, see Support WIKI - WAF Configuration with NetScaler.<br><br>To configure CEF logs, see CEF Logging Support in the Application Firewall.<br><br>To forward the logs to proxy, see Configuring Citrix ADC appliance for audit logging. |
    | Supported by | Citrix Systems |

    Cognni (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Microsoft Sentinel Data Collector API |
    | Log Analytics table(s) | CognniIncidents_CL |
    | DCR support | Not currently supported |
    | Vendor documentation/installation instructions | Connect to Cognni<br>1. Go to Cognni integrations page.<br>2. Select Connect on the Microsoft Sentinel box.<br>3. Paste workspaceId and sharedKey (Primary Key) to the fields on Cognni's integrations screen.<br>4. Select the Connect button to complete the configuration. |
    | Supported by | Cognni |

    Continuous Threat Monitoring for SAP (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Only available after installing the Continuous Threat Monitoring for SAP solution |
    | Log Analytics table(s) | See Microsoft Sentinel SAP solution data reference |
    | Vendor documentation/installation instructions | Deploy SAP continuous threat monitoring |
    | Supported by | Microsoft |

    CyberArk Enterprise Password Vault (EPV) Events (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Common Event Format (CEF) over Syslog |
    | Log Analytics table(s) | CommonSecurityLog |
    | DCR support | Workspace transformation DCR |
    | Vendor documentation/installation instructions | Security Information and Event Management (SIEM) Applications |
    | Supported by | CyberArk |

    Cyberpion Security Logs (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Microsoft Sentinel Data Collector API |
    | Log Analytics table(s) | CyberpionActionItems_CL |
    | DCR support | Not currently supported |
    | Vendor documentation/installation instructions | Get a Cyberpion subscription<br>Integrate Cyberpion security alerts into Microsoft Sentinel |
    | Supported by | Cyberpion |

    DNS (Preview)

    See Windows DNS Server (Preview).

    Dynamics 365

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure service-to-service integration:<br>API-based connections<br><br>Also available as part of the Microsoft Sentinel 4 Dynamics 365 solution |
    | License prerequisites/Cost information | • Microsoft Dynamics 365 production license. Not available for sandbox environments.<br>• At least one user assigned a Microsoft/Office 365 E1 or greater license.<br><br>Other charges may apply |
    | Log Analytics table(s) | Dynamics365Activity |
    | DCR support | Workspace transformation DCR |
    | Supported by | Microsoft |

    ESET Enterprise Inspector (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure Functions and the REST API<br><br>Create an API user |
    | Log Analytics table(s) | ESETEnterpriseInspector_CL |
    | DCR support | Not currently supported |
    | API credentials | • EEI Username<br>• EEI Password<br>• Base URL |
    | Vendor documentation/installation instructions | ESET Enterprise Inspector REST API documentation |
    | Connector deployment instructions | Single-click deployment via Azure Resource Manager (ARM) template |
    | Supported by | ESET |

    Create an API user

    1. Log into the ESET Security Management Center / ESET PROTECT console with an administrator account, select the More tab and the Users subtab.
    2. Select the ADD NEW button and add a native user.
    3. Create a new user for the API account. Optional: Select a Home group other than All to limit what detections are ingested.
    4. Under the Permission Sets tab, assign the Enterprise Inspector reviewer permission set.
    5. Sign out of the administrator account and log into the console with the new API credentials for validation, then sign out of the API account.

    ESET Security Management Center (SMC) (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Syslog<br><br>Configure the ESET SMC logs to be collected<br>Configure OMS agent to pass Eset SMC data in API format<br>Change OMS agent configuration to catch tag oms.api.eset and parse structured data<br>Disable automatic configuration and restart agent |
    | Log Analytics table(s) | eset_CL |
    | DCR support | Not currently supported |
    | Vendor documentation/installation instructions | ESET Syslog server documentation |
    | Supported by | ESET |

    Configure the ESET SMC logs to be collected

    Configure rsyslog to accept logs from your Eset SMC IP address.

        sudo -i
        # Set ESET SMC source IP address
        export ESETIP={Enter your IP address}

        # Create rsyslog configuration file
        # (the "\$" escapes keep the shell from expanding rsyslog directives; $ESETIP is expanded)
        cat > /etc/rsyslog.d/80-remote.conf << EOF
        \$ModLoad imudp
        \$UDPServerRun 514
        \$ModLoad imtcp
        \$InputTCPServerRun 514
        \$AllowedSender TCP, 127.0.0.1, $ESETIP
        \$AllowedSender UDP, 127.0.0.1, $ESETIP
        # Forward every severity of the "user" facility to the OMS agent's local UDP listener on port 25224
        user.=alert;user.=crit;user.=debug;user.=emerg;user.=err;user.=info;user.=notice;user.=warning  @127.0.0.1:25224
        EOF

        # Restart rsyslog
        systemctl restart rsyslog

    Configure OMS agent to pass Eset SMC data in API format

    To make ESET data easy to recognize, send it to a separate table and parse it at the agent; this simplifies and speeds up your Microsoft Sentinel queries.

    In the /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsagent.conf file, modify the match oms.** section to send data as API objects, by changing the type to out_oms_api.

    The following code is an example of the full match oms.** section:

        <match oms.** docker.**>
          type out_oms_api
          log_level info
          num_threads 5
          run_in_background false
    
          omsadmin_conf_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsadmin.conf
          cert_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/certs/oms.crt
          key_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/certs/oms.key
    
          buffer_chunk_limit 15m
          buffer_type file
          buffer_path /var/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/state/out_oms_common*.buffer
    
          buffer_queue_limit 10
          buffer_queue_full_action drop_oldest_chunk
          flush_interval 20s
          retry_limit 10
          retry_wait 30s
          max_retry_wait 9m
        </match>

    Change OMS agent configuration to catch tag oms.api.eset and parse structured data

    Modify the /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsagent.d/syslog.conf file.

    For example:

        <source>
          type syslog
          port 25224
          bind 127.0.0.1
          protocol_type udp
          tag oms.api.eset
        </source>
    
        <filter oms.api.**>
          @type parser
          key_name message
          format /(?<message>.*?{.*})/
        </filter>
    
        <filter oms.api.**>
          @type parser
          key_name message
          format json
        </filter>

    Disable automatic configuration and restart agent

    For example:

        # Disable changes to configuration files from Portal
        sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'
    
        # Restart agent
        sudo /opt/microsoft/omsagent/bin/service_control restart
    
        # Check agent logs
        tail -f /var/opt/microsoft/omsagent/log/omsagent.log

    Configure Eset SMC to send logs to connector

    Configure ESET logging to use BSD style and JSON format.

    • In the Syslog server configuration, set the Host (your connector), set Format to BSD, and set Transport to TCP
    • In the Logging section, enable JSON

    For more information, see the Eset documentation.
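The following is an added example, not code from Microsoft or ESET: a plain-Python model of what the rsyslog selector and the two fluentd `<filter oms.api.**>` parser blocks above do to each event, so you can see which records reach the `eset_CL` table and which are silently dropped. The BSD syslog pattern is a simplified stand-in for fluentd's built-in syslog parser, and the sample lines are constructed rather than captured from a real ESET SMC.

```python
"""Model of the ESET SMC -> rsyslog -> OMS agent (fluentd) parsing chain.

Added example (not Microsoft's or ESET's code). It reproduces the logic of
the rsyslog forwarding rule and the two parser filters from syslog.conf,
so dropped records can be explained before touching a live agent.
"""
import json
import re
from typing import List, Optional, Tuple

# rsyslog rule in 80-remote.conf: user.=alert;...;user.=warning @127.0.0.1:25224
# i.e. every severity of the "user" facility (facility code 1) is forwarded.
FORWARDED_FACILITY = 1

# Simplified RFC 3164 (BSD) syslog line, the format the ESET SMC is told to
# use. Constructed here; fluentd's real syslog parser is more lenient.
BSD_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<ident>[^:\s]+):\s*"
    r"(?P<message>.*)$"
)

# First <filter oms.api.**> block: format /(?<message>.*?{.*})/
# The named group starts with .*?, so text BEFORE the first '{' is kept;
# only text AFTER the last '}' is trimmed. That matters for stage 2.
STAGE1 = re.compile(r"(?P<message>.*?{.*})")


def rsyslog_forwards(pri: int) -> bool:
    """True if the rsyslog selector forwards this PRI to the agent on 25224."""
    facility = pri >> 3  # PRI = facility * 8 + severity
    return facility == FORWARDED_FACILITY


def parse_bsd_syslog(line: str) -> Optional[dict]:
    """Model of the <source> type syslog block: split a BSD line into fields."""
    m = BSD_SYSLOG.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    return rec


def stage1_regex_filter(message: str) -> Optional[str]:
    """First parser filter. fluentd drops the record if the regex does not match."""
    m = STAGE1.search(message)
    return m.group("message") if m else None


def stage2_json_filter(message: str) -> Optional[dict]:
    """Second parser filter (format json). Non-JSON text means a dropped record."""
    try:
        parsed = json.loads(message)
    except json.JSONDecodeError:
        return None
    return parsed if isinstance(parsed, dict) else None


def run_pipeline(lines: List[str]) -> Tuple[List[dict], List[Tuple[str, str]]]:
    """Return (records that would reach eset_CL, [(dropped line, reason), ...]).

    Note: with fluentd's default reserve_data false, the parser filters
    replace the record, so the syslog host/ident fields do not survive.
    """
    kept: List[dict] = []
    dropped: List[Tuple[str, str]] = []
    for line in lines:
        rec = parse_bsd_syslog(line)
        if rec is None:
            dropped.append((line, "not a BSD syslog line"))
            continue
        if not rsyslog_forwards(rec["pri"]):
            dropped.append((line, "facility is not 'user': rsyslog did not forward it"))
            continue
        text = stage1_regex_filter(rec["message"])
        if text is None:
            dropped.append((line, "stage 1: no JSON object in message"))
            continue
        event = stage2_json_filter(text)
        if event is None:
            dropped.append((line, "stage 2: not valid JSON (text before the '{'?)"))
            continue
        kept.append(event)
    return kept, dropped


# Constructed sample lines (not real ESET SMC output), one per outcome.
SAMPLE_LINES = [
    # user.info (PRI 14) with a clean JSON body: reaches eset_CL.
    '<14>Feb  5 10:11:12 esetsmc ESETSMC: {"event_type":"Threat_Event","hostname":"WS01","severity":"Warning"}',
    # auth.info (PRI 38): rsyslog never forwards it to port 25224.
    '<38>Feb  5 10:11:13 esetsmc ESETSMC: {"event_type":"Audit_Event","hostname":"WS01"}',
    # trailing CR after the JSON: stage 1 trims it, record survives.
    '<14>Feb  5 10:11:14 esetsmc ESETSMC: {"event_type":"FirewallAggregated_Event","hostname":"WS02"}\r',
    # plain text, no JSON: stage 1 pattern does not match, dropped.
    '<14>Feb  5 10:11:15 esetsmc ESETSMC: agent heartbeat ok',
    # text before the JSON: stage 1 keeps it, so stage 2 fails, dropped.
    '<14>Feb  5 10:11:16 esetsmc ESETSMC: event={"event_type":"Threat_Event","hostname":"WS03"}',
]

if __name__ == "__main__":
    kept_records, dropped_records = run_pipeline(SAMPLE_LINES)
    for record in kept_records:
        print("KEPT   ", record)
    for raw, why in dropped_records:
        print("DROPPED", why, "<-", raw.strip())
```

If events never appear in `eset_CL`, compare the dropped reasons here with `tail -f /var/opt/microsoft/omsagent/log/omsagent.log`: a "pattern not matched" warning corresponds to the stage 1 and stage 2 drops modelled above.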

    Exabeam Advanced Analytics (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Syslog |
    | Log Analytics table(s) | Syslog |
    | DCR support | Workspace transformation DCR |
    | Kusto function alias | ExabeamEvent |
    | Kusto function URL | https://aka.ms/Sentinel-Exabeam-parser |
    | Vendor documentation/installation instructions | Configure Advanced Analytics system activity notifications |
    | Supported by | Microsoft |

    ExtraHop Reveal(x)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Common Event Format (CEF) over Syslog |
    | Log Analytics table(s) | CommonSecurityLog |
    | DCR support | Workspace transformation DCR |
    | Vendor documentation/installation instructions | ExtraHop Detection SIEM Connector |
    | Supported by | ExtraHop |

    F5 BIG-IP

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Microsoft Sentinel Data Collector API |
    | Log Analytics table(s) | F5Telemetry_LTM_CL<br>F5Telemetry_system_CL<br>F5Telemetry_ASM_CL |
    | DCR support | Not currently supported |
    | Vendor documentation/installation instructions | Integrating the F5 BIG-IP with Microsoft Sentinel |
    | Supported by | F5 Networks |

    F5 Networks (ASM)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Common Event Format (CEF) over Syslog |
    | Log Analytics table(s) | CommonSecurityLog |
    | DCR support | Workspace transformation DCR |
    | Vendor documentation/installation instructions | Configuring Application Security Event Logging |
    | Supported by | F5 Networks |

    Forcepoint Cloud Access Security Broker (CASB) (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Common Event Format (CEF) over Syslog |
    | Log Analytics table(s) | CommonSecurityLog |
    | DCR support | Workspace transformation DCR |
    | Vendor documentation/installation instructions | Forcepoint CASB and Microsoft Sentinel |
    | Supported by | Forcepoint |

    Forcepoint Cloud Security Gateway (CSG) (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Common Event Format (CEF) over Syslog |
    | Log Analytics table(s) | CommonSecurityLog |
    | DCR support | Workspace transformation DCR |
    | Vendor documentation/installation instructions | Forcepoint Cloud Security Gateway and Microsoft Sentinel |
    | Supported by | Forcepoint |

    Forcepoint Data Loss Prevention (DLP) (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Microsoft Sentinel Data Collector API |
    | Log Analytics table(s) | ForcepointDLPEvents_CL |
    | DCR support | Not currently supported |
    | Vendor documentation/installation instructions | Forcepoint Data Loss Prevention and Microsoft Sentinel |
    | Supported by | Forcepoint |

    Forcepoint Next Generation Firewall (NGFW) (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Common Event Format (CEF) over Syslog |
    | Log Analytics table(s) | CommonSecurityLog |
    | DCR support | Workspace transformation DCR |
    | Vendor documentation/installation instructions | Forcepoint Next-Gen Firewall and Microsoft Sentinel |
    | Supported by | Forcepoint |

    ForgeRock Common Audit (CAUD) for CEF (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Common Event Format (CEF) over Syslog |
    | Log Analytics table(s) | CommonSecurityLog |
    | DCR support | Workspace transformation DCR |
    | Vendor documentation/installation instructions | Install this first! ForgeRock Common Audit (CAUD) for Microsoft Sentinel |
    | Supported by | ForgeRock |

    Fortinet

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Common Event Format (CEF) over Syslog<br><br>Send Fortinet logs to the log forwarder<br><br>Available in the Fortinet Fortigate solution |
    | Log Analytics table(s) | CommonSecurityLog |
    | DCR support | Workspace transformation DCR |
    | Vendor documentation/installation instructions | Fortinet Document Library<br>Choose your version and use the Handbook and Log Message Reference PDFs. |
    | Supported by | Fortinet |

    Send Fortinet logs to the log forwarder

    Open the CLI on your Fortinet appliance and run the following commands:

        config log syslogd setting
        set status enable
        set format cef
        set port 514
        set server <ip_address_of_Forwarder>
        end

    • Replace the server IP address with the IP address of the log forwarder.
    • Set the syslog port to 514 or the port set on the Syslog daemon on the forwarder.
    • To enable CEF format in early FortiOS versions, you might need to run the command set csv disable.

    GitHub (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Microsoft Sentinel Data Collector API<br><br>Only available after installing the Continuous Threat Monitoring for GitHub solution. |
    | Log Analytics table(s) | GitHubAuditLogPolling_CL |
    | DCR support | Not currently supported |
    | API credentials | GitHub access token |
    | Connector deployment instructions | Extra configuration for the GitHub connector |
    | Supported by | Microsoft |

    Extra configuration for the GitHub connector

    Prerequisite: You must have a GitHub enterprise account and an accessible organization in order to connect to GitHub from Microsoft Sentinel.

    1. Install the Continuous Threat Monitoring for GitHub solution in your Microsoft Sentinel workspace. For more information, see Centrally discover and deploy Microsoft Sentinel out-of-the-box content and solutions (Public preview).

    2. Create a GitHub personal access token for use in the Microsoft Sentinel connector. For more information, see the relevant GitHub documentation.

    3. In the Microsoft Sentinel Data connectors area, search for and locate the GitHub connector. On the right, select Open connector page.

    4. On the Instructions tab, in the Configuration area, enter the following details:

      • Organization Name: Enter the name of the organization whose logs you want to connect to.
      • API Key: Enter the GitHub personal access token you created earlier in this procedure.
    5. Select Connect to start ingesting your GitHub logs to Microsoft Sentinel.

    Google Workspace (G-Suite) (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure Functions and the REST API<br><br>Extra configuration for the Google Reports API |
    | Log Analytics table(s) | GWorkspace_ReportsAPI_admin_CL<br>GWorkspace_ReportsAPI_calendar_CL<br>GWorkspace_ReportsAPI_drive_CL<br>GWorkspace_ReportsAPI_login_CL<br>GWorkspace_ReportsAPI_mobile_CL<br>GWorkspace_ReportsAPI_token_CL<br>GWorkspace_ReportsAPI_user_accounts_CL |
    | DCR support | Not currently supported |
    | Azure Function App code | https://aka.ms/Sentinel-GWorkspaceReportsAPI-functionapp |
    | API credentials | • GooglePickleString |
    | Vendor documentation/installation instructions | • API Documentation<br>• Get credentials at Perform Google Workspace Domain-Wide Delegation of Authority<br>• Convert token.pickle file to pickle string |
    | Connector deployment instructions | • Single-click deployment via Azure Resource Manager (ARM) template<br>• Manual deployment |
    | Kusto function alias | GWorkspaceActivityReports |
    | Kusto function URL/Parser config instructions | https://aka.ms/Sentinel-GWorkspaceReportsAPI-parser |
    | Application settings | • GooglePickleString<br>• WorkspaceID<br>• workspaceKey<br>• logAnalyticsUri (optional) |
    | Supported by | Microsoft |

    Extra configuration for the Google Reports API

    Add http://localhost:8081/ under Authorized redirect URIs while creating Web application credentials.

    1. Follow the instructions to obtain the credentials.json.
    2. To get the Google pickle string, run this Python script (in the same path as credentials.json).
    3. Copy the pickle string output in single quotes and save. It will be needed for deploying the Function App.

    Illusive Attack Management System (AMS) (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Common Event Format (CEF) over Syslog |
    | Log Analytics table(s) | CommonSecurityLog |
    | DCR support | Workspace transformation DCR |
    | Vendor documentation/installation instructions | Illusive Networks Admin Guide |
    | Supported by | Illusive Networks |

    Imperva WAF Gateway (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Common Event Format (CEF) over Syslog<br><br>Available in the Imperva Cloud WAF solution |
    | Log Analytics table(s) | CommonSecurityLog |
    | DCR support | Workspace transformation DCR |
    | Vendor documentation/installation instructions | Steps for Enabling Imperva WAF Gateway Alert Logging to Microsoft Sentinel |
    | Supported by | Imperva |

    Infoblox Network Identity Operating System (NIOS) (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Syslog<br><br>Available in the InfoBlox Threat Defense solution |
    | Log Analytics table(s) | Syslog |
    | DCR support | Workspace transformation DCR |
    | Kusto function alias | InfobloxNIOS |
    | Kusto function URL | https://aka.ms/sentinelgithubparsersinfoblox |
    | Vendor documentation/installation instructions | NIOS SNMP and Syslog Deployment Guide |
    | Supported by | Microsoft |

    Juniper SRX (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Syslog |
    | Log Analytics table(s) | Syslog |
    | DCR support | Workspace transformation DCR |
    | Kusto function alias | JuniperSRX |
    | Kusto function URL | https://aka.ms/Sentinel-junipersrx-parser |
    | Vendor documentation/installation instructions | Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices<br>Configure System Logging |
    | Supported by | Juniper Networks |

    Lookout Mobile Threat Defense (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure Functions and the REST API<br><br>Only available after installing the Lookout Mobile Threat Defense for Microsoft Sentinel solution |
    | Log Analytics table(s) | Lookout_CL |
    | DCR support | Not currently supported |
    | API credentials | • Lookout Application Key |
    | Vendor documentation/installation instructions | • Installation Guide (sign-in required)<br>• API Documentation (sign-in required)<br>• Lookout Mobile Endpoint Security |
    | Supported by | Lookout |

    Microsoft 365 Defender

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure service-to-service integration:<br>Connect data from Microsoft 365 Defender to Microsoft Sentinel (Top connector article) |
    | License prerequisites/Cost information | Valid license for Microsoft 365 Defender |
    | Log Analytics table(s) | Alerts:<br>SecurityAlert<br>SecurityIncident<br><br>Defender for Endpoint events:<br>DeviceEvents<br>DeviceFileEvents<br>DeviceImageLoadEvents<br>DeviceInfo<br>DeviceLogonEvents<br>DeviceNetworkEvents<br>DeviceNetworkInfo<br>DeviceProcessEvents<br>DeviceRegistryEvents<br>DeviceFileCertificateInfo<br><br>Defender for Office 365 events:<br>EmailAttachmentInfo<br>EmailUrlInfo<br>EmailEvents<br>EmailPostDeliveryEvents<br><br>Defender for Identity events:<br>IdentityDirectoryEvents<br>IdentityInfo<br>IdentityLogonEvents<br>IdentityQueryEvents<br><br>Defender for Cloud Apps events:<br>CloudAppEvents<br><br>Defender alerts as events:<br>AlertInfo<br>AlertEvidence |
    | DCR support | Not currently supported |
    | Supported by | Microsoft |

    Microsoft 365 Insider Risk Management (IRM) (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure service-to-service integration:<br>API-based connections<br><br>Also available in the Microsoft 365 Insider Risk Management solution |
    | License and other prerequisites | |
    | Log Analytics table(s) | SecurityAlert |
    | Data query filter | SecurityAlert |
    | Supported by | Microsoft |

    Microsoft Defender for Cloud

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure service-to-service integration:<br>Connect security alerts from Microsoft Defender for Cloud (Top connector article) |
    | Log Analytics table(s) | SecurityAlert |
    | Supported by | Microsoft |

    Microsoft Defender for Cloud Apps

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure service-to-service integration:<br>API-based connections<br><br>For Cloud Discovery logs, enable Microsoft Sentinel as your SIEM in Microsoft Defender for Cloud Apps |
    | Log Analytics table(s) | SecurityAlert - for alerts<br>McasShadowItReporting - for Cloud Discovery logs |
    | Supported by | Microsoft |

    Microsoft Defender for Endpoint

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure service-to-service integration:<br>API-based connections |
    | License prerequisites/Cost information | Valid license for Microsoft Defender for Endpoint deployment |
    | Log Analytics table(s) | SecurityAlert |
    | DCR support | Workspace transformation DCR |
    | Supported by | Microsoft |

    Microsoft Defender for Identity

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure service-to-service integration:<br>API-based connections |
    | Log Analytics table(s) | SecurityAlert |
    | DCR support | Workspace transformation DCR |
    | Supported by | Microsoft |

    Microsoft Defender for IoT

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure service-to-service integration:<br>API-based connections |
    | Log Analytics table(s) | SecurityAlert |
    | DCR support | Workspace transformation DCR |
    | Supported by | Microsoft |

    Microsoft Defender for Office 365

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure service-to-service integration:<br>API-based connections |
    | License prerequisites/Cost information | You must have a valid license for Office 365 ATP Plan 2 |
    | Log Analytics table(s) | SecurityAlert |
    | DCR support | Workspace transformation DCR |
    | Supported by | Microsoft |

    Microsoft Office 365

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure service-to-service integration:<br>API-based connections |
    | License prerequisites/Cost information | Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace.<br>Other charges may apply. |
    | Log Analytics table(s) | OfficeActivity |
    | DCR support | Workspace transformation DCR |
    | Supported by | Microsoft |

    Microsoft Power BI (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure service-to-service integration:<br>API-based connections |
    | License prerequisites/Cost information | Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace.<br>Other charges may apply. |
    | Log Analytics table(s) | PowerBIActivity |
    | Supported by | Microsoft |

    Microsoft Project (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure service-to-service integration:<br>API-based connections |
    | License prerequisites/Cost information | Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace.<br>Other charges may apply. |
    | Log Analytics table(s) | ProjectActivity |
    | Supported by | Microsoft |

    Microsoft Sysmon for Linux (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Syslog, with ASIM parsers based on Kusto functions |
    | Log Analytics table(s) | Syslog |
    | DCR support | Workspace transformation DCR |
    | Supported by | Microsoft |

    Morphisec UTPP (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Common Event Format (CEF) over Syslog, with a Kusto function parser |
    | Log Analytics table(s) | CommonSecurityLog |
    | DCR support | Workspace transformation DCR |
    | Kusto function alias | Morphisec |
    | Kusto function URL | https://aka.ms/Sentinel-Morphiescutpp-parser |
    | Supported by | Morphisec |

    Netskope (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure Functions and the REST API |
    | Log Analytics table(s) | Netskope_CL |
    | DCR support | Not currently supported |
    | Azure Function App code | https://aka.ms/Sentinel-netskope-functioncode |
    | API credentials | • Netskope API Token |
    | Vendor documentation/installation instructions | • Netskope Cloud Security Platform<br>• Netskope API Documentation<br>• Obtain an API Token |
    | Connector deployment instructions | • Single-click deployment via Azure Resource Manager (ARM) template<br>• Manual deployment |
    | Kusto function alias | Netskope |
    | Kusto function URL/Parser config instructions | https://aka.ms/Sentinel-netskope-parser |
    | Application settings | • apikey<br>• workspaceID<br>• workspaceKey<br>• uri (depends on region, follows schema: https://<Tenant Name>.goskope.com)<br>• timeInterval (set to 5)<br>• logTypes<br>• logAnalyticsUri (optional) |
    | Supported by | Microsoft |

    NGINX HTTP Server (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Log Analytics agent - custom logs |
    | Log Analytics table(s) | NGINX_CL |
    | DCR support | Not currently supported |
    | Kusto function alias | NGINXHTTPServer |
    | Kusto function URL | https://aka.ms/Sentinel-NGINXHTTP-parser |
    | Vendor documentation/installation instructions | Module ngx_http_log_module<br>Custom log sample file: access.log or error.log |
    | Supported by | Microsoft |

    NXLog Basic Security Module (BSM) macOS (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Microsoft Sentinel Data Collector API |
    | Log Analytics table(s) | BSMmacOS_CL |
    | DCR support | Not currently supported |
    | Vendor documentation/installation instructions | NXLog Microsoft Sentinel User Guide |
    | Supported by | NXLog |

    NXLog DNS Logs (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Microsoft Sentinel Data Collector API |
    | Log Analytics table(s) | DNS_Logs_CL |
    | DCR support | Not currently supported |
    | Vendor documentation/installation instructions | NXLog Microsoft Sentinel User Guide |
    | Supported by | NXLog |

    NXLog LinuxAudit (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Microsoft Sentinel Data Collector API |
    | Log Analytics table(s) | LinuxAudit_CL |
    | DCR support | Not currently supported |
    | Vendor documentation/installation instructions | NXLog Microsoft Sentinel User Guide |
    | Supported by | NXLog |

    Okta Single Sign-On (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure Functions and the REST API |
    | Log Analytics table(s) | Okta_CL |
    | DCR support | Not currently supported |
    | Azure Function App code | https://aka.ms/sentineloktaazurefunctioncodev2 |
    | API credentials | • API Token |
    | Vendor documentation/installation instructions | • Okta System Log API Documentation<br>• Create an API token<br>• Connect Okta SSO to Microsoft Sentinel |
    | Connector deployment instructions | • Single-click deployment via Azure Resource Manager (ARM) template<br>• Manual deployment |
    | Application settings | • apiToken<br>• workspaceID<br>• workspaceKey<br>• uri (follows schema https://<OktaDomain>/api/v1/logs?since=. Identify your domain namespace.)<br>• logAnalyticsUri (optional) |
    | Supported by | Microsoft |

    Onapsis Platform (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Common Event Format (CEF) over Syslog, with a Kusto lookup and enrichment function<br><br>Configure Onapsis to send CEF logs to the log forwarder |
    | Log Analytics table(s) | CommonSecurityLog |
    | DCR support | Workspace transformation DCR |
    | Kusto function alias | incident_lookup |
    | Kusto function URL | https://aka.ms/Sentinel-Onapsis-parser |
    | Supported by | Onapsis |

    Configure Onapsis to send CEF logs to the log forwarder

    Refer to the Onapsis in-product help to set up log forwarding to the Log Analytics agent.

    1. Go to Setup > Third-party integrations > Defend Alarms and follow the instructions for Microsoft Sentinel.
    2. Make sure your Onapsis Console can reach the log forwarder machine where the agent is installed. Logs should be sent to port 514 using TCP.

    One Identity Safeguard (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Common Event Format (CEF) over Syslog |
    | Log Analytics table(s) | CommonSecurityLog |
    | DCR support | Workspace transformation DCR |
    | Vendor documentation/installation instructions | One Identity Safeguard for Privileged Sessions Administration Guide |
    | Supported by | One Identity |

    Oracle WebLogic Server (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Log Analytics agent - custom logs |
    | Log Analytics table(s) | OracleWebLogicServer_CL |
    | DCR support | Not currently supported |
    | Kusto function alias | OracleWebLogicServerEvent |
    | Kusto function URL | https://aka.ms/Sentinel-OracleWebLogicServer-parser |
    | Vendor documentation/installation instructions | Oracle WebLogic Server documentation<br>Custom log sample file: server.log |
    | Supported by | Microsoft |

    Orca Security (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Microsoft Sentinel Data Collector API |
    | Log Analytics table(s) | OrcaAlerts_CL |
    | DCR support | Not currently supported |
    | Vendor documentation/installation instructions | Microsoft Sentinel integration |
    | Supported by | Orca Security |

    OSSEC (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Common Event Format (CEF) over Syslog, with a Kusto function parser |
    | Log Analytics table(s) | CommonSecurityLog |
    | DCR support | Workspace transformation DCR |
    | Kusto function alias | OSSECEvent |
    | Kusto function URL | https://aka.ms/Sentinel-OSSEC-parser |
    | Vendor documentation/installation instructions | OSSEC documentation<br>Sending alerts via syslog |
    | Supported by | Microsoft |

    Palo Alto Networks

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Common Event Format (CEF) over Syslog<br><br>Also available in the Palo Alto PAN-OS and Prisma solutions |
    | Log Analytics table(s) | CommonSecurityLog |
    | DCR support | Workspace transformation DCR |
    | Vendor documentation/installation instructions | Common Event Format (CEF) Configuration Guides<br>Configure Syslog Monitoring |
    | Supported by | Palo Alto Networks |

    Perimeter 81 Activity Logs (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Microsoft Sentinel Data Collector API |
    | Log Analytics table(s) | Perimeter81_CL |
    | DCR support | Not currently supported |
    | Vendor documentation/installation instructions | Perimeter 81 documentation |
    | Supported by | Perimeter 81 |

    Proofpoint On Demand (POD) Email Security (Preview)

    | Connector attribute | Description |
    | --- | --- |
    | Data ingestion method | Azure Functions and the REST API<br><br>Also available in the Proofpoint POD solution |
    | Log Analytics table(s) | ProofpointPOD_message_CL<br>ProofpointPOD_maillog_CL |
    | DCR support | Not currently supported |
    | Azure Function App code | https://aka.ms/Sentinel-proofpointpod-functionapp |
    | API credentials | • ProofpointClusterID<br>• ProofpointToken |
    | Vendor documentation/installation instructions | • Sign in to the Proofpoint Community<br>• Proofpoint API documentation and instructions |
    | Connector deployment instructions | • Single-click deployment via Azure Resource Manager (ARM) template<br>• Manual deployment |
    | Kusto function alias | ProofpointPOD |
    | Kusto function URL/Parser config instructions | https://aka.ms/Sentinel-proofpointpod-parser |
    | Application settings | • ProofpointClusterID<br>• ProofpointToken<br>• WorkspaceID<br>• WorkspaceKey<br>• logAnalyticsUri (optional) |
    | Supported by | Microsoft |

    Proofpoint Targeted Attack Protection (TAP) (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API

    Also available in the Proofpoint TAP solution
    Log Analytics table(s) ProofPointTAPClicksPermitted_CL
    ProofPointTAPClicksBlocked_CL
    ProofPointTAPMessagesDelivered_CL
    ProofPointTAPMessagesBlocked_CL
    DCR support Not currently supported
    Azure Function App code https://aka.ms/sentinelproofpointtapazurefunctioncode
    API credentials
  • API Username
  • API Password
    Vendor documentation/
    installation instructions
  • Proofpoint SIEM API Documentation
    Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
    Application settings
  • apiUsername
  • apiPassword
  • uri (set to https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=300)
  • WorkspaceID
  • WorkspaceKey
  • logAnalyticsUri (optional)
    Supported by Microsoft

    Pulse Connect Secure (Preview)

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    DCR support Workspace transformation DCR
    Kusto function alias: PulseConnectSecure
    Kusto function URL: https://aka.ms/sentinelgithubparserspulsesecurevpn
    Vendor documentation/
    installation instructions
    Configuring Syslog
    Supported by Microsoft

    Qualys VM KnowledgeBase (KB) (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API

    Extra configuration for the Qualys VM KB

    Also available in the Qualys VM solution
    Log Analytics table(s) QualysKB_CL
    DCR support Not currently supported
    Azure Function App code https://aka.ms/Sentinel-qualyskb-functioncode
    API credentials
  • API Username
  • API Password
    Vendor documentation/
    installation instructions
  • QualysVM API User Guide
    Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
    Kusto function alias: QualysKB
    Kusto function URL/
    Parser config instructions
    https://aka.ms/Sentinel-qualyskb-parser
    Application settings
  • apiUsername
  • apiPassword
  • uri (by region; see API Server list. Follows schema https://<API Server>/api/2.0.)
  • WorkspaceID
  • WorkspaceKey
  • filterParameters (add to end of URI, delimited by &. No spaces.)
  • logAnalyticsUri (optional)
    Supported by Microsoft

    Extra configuration for the Qualys VM KB

    1. Log into the Qualys Vulnerability Management console with an administrator account, select the Users tab and the Users subtab.
    2. Select the New drop-down menu and select Users.
    3. Create a username and password for the API account.
    4. In the User Roles tab, ensure the account role is set to Manager and access is allowed to GUI and API.
    5. Sign out of the administrator account and sign in to the console with the new API credentials for validation, then sign out of the API account.
    6. Log back into the console using an administrator account and modify the API account's User Roles, removing access to GUI.
    7. Save all changes.

    Qualys Vulnerability Management (VM) (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API

    Extra configuration for the Qualys VM
    Manual deployment - after configuring the Function App
    Log Analytics table(s) QualysHostDetection_CL
    DCR support Not currently supported
    Azure Function App code https://aka.ms/sentinelqualysvmazurefunctioncode
    API credentials
  • API Username
  • API Password
    Vendor documentation/
    installation instructions
  • QualysVM API User Guide
    Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
    Application settings
  • apiUsername
  • apiPassword
  • uri (by region; see API Server list. Follows schema https://<API Server>/api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=.)
  • WorkspaceID
  • WorkspaceKey
  • filterParameters (add to end of URI, delimited by &. No spaces.)
  • timeInterval (set to 5. If you modify it, change the Function App timer trigger accordingly.)
  • logAnalyticsUri (optional)
    Supported by Microsoft

    Extra configuration for the Qualys VM

    1. Log into the Qualys Vulnerability Management console with an administrator account, select the Users tab and the Users subtab.
    2. Select the New drop-down menu and select Users.
    3. Create a username and password for the API account.
    4. In the User Roles tab, ensure the account role is set to Manager and access is allowed to GUI and API.
    5. Sign out of the administrator account and sign in to the console with the new API credentials for validation, then sign out of the API account.
    6. Log back into the console using an administrator account and modify the API account's User Roles, removing access to GUI.
    7. Save all changes.

    Manual deployment - after configuring the Function App

    Configure the host.json file

    The potentially large volume of Qualys host detection data can push execution time past the default Function App timeout of five minutes. Under the Consumption Plan, increase the timeout to its maximum of 10 minutes to give the Function App more time to run.

    1. In the Function App, select the Function App Name and select the App Service Editor page.
    2. Select Go to open the editor, then select the host.json file under the wwwroot directory.
    3. Add the line "functionTimeout": "00:10:00", above the managedDependency line.
    4. Ensure SAVED appears on the top-right corner of the editor, then exit the editor.

    If a longer timeout duration is required, consider upgrading to an App Service Plan.
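The following shell script is an added example, not code from this page or from the Qualys connector: it applies the host.json edit from the steps above in a checked, repeatable way and refuses a value above the 10-minute Consumption Plan cap stated above. It assumes a Functions v2+ host.json that already contains a "managedDependency" line, as the steps describe; the sample file built inside the script is constructed.

```shell
#!/bin/sh
# Added example, not code from the Microsoft docs page or the Qualys connector:
# applies the host.json edit from the steps above in a checked, repeatable way.
# Assumes a Functions v2+ host.json that already contains a "managedDependency"
# line, as the steps describe; the sample file built below is constructed.

# timeout_seconds HH:MM:SS -> prints the duration in seconds; fails on bad input.
timeout_seconds() {
  case "$1" in
    [0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ;;
    *) echo "timeout must be HH:MM:SS, got '$1'" >&2; return 1 ;;
  esac
  h=${1%%:*}; rest=${1#*:}; m=${rest%%:*}; s=${rest#*:}
  # Strip one leading zero so "08" is not parsed as an (invalid) octal literal.
  h=${h#0}; m=${m#0}; s=${s#0}
  echo $(( h * 3600 + m * 60 + s ))
}

# set_function_timeout HOST_JSON [HH:MM:SS]
# Inserts "functionTimeout" directly above the managedDependency line, or
# updates an existing value, and refuses anything above the 10-minute
# Consumption Plan cap (a longer run needs an App Service Plan instead).
set_function_timeout() {
  file=$1; timeout=${2:-00:10:00}
  secs=$(timeout_seconds "$timeout") || return 1
  if [ "$secs" -gt 600 ]; then
    echo "$timeout exceeds the Consumption Plan maximum of 00:10:00" >&2
    return 1
  fi
  grep -q '"managedDependency"' "$file" || { echo "no managedDependency line in $file" >&2; return 1; }
  if grep -q '"functionTimeout"' "$file"; then
    # Already present: only the value changes, so the key is never duplicated.
    sed "s/\"functionTimeout\": *\"[0-9:]*\"/\"functionTimeout\": \"$timeout\"/" "$file" > "$file.tmp"
  else
    # Not present: insert the line immediately above managedDependency.
    awk -v t="$timeout" '
      /"managedDependency"/ && !done { print "  \"functionTimeout\": \"" t "\","; done = 1 }
      { print }' "$file" > "$file.tmp"
  fi
  mv "$file.tmp" "$file"
}

# current_function_timeout HOST_JSON -> prints the configured value, if any.
current_function_timeout() {
  sed -n 's/.*"functionTimeout": *"\([0-9:]*\)".*/\1/p' "$1"
}

# Demo on a constructed host.json whose keys mirror a typical Functions app.
demo=$(mktemp -d)/host.json
cat > "$demo" <<'EOF'
{
  "version": "2.0",
  "managedDependency": {
    "enabled": true
  },
  "extensionBundle": {
    "id": "Microsoft.Azure.Functions.ExtensionBundle",
    "version": "[2.*, 3.0.0)"
  }
}
EOF
set_function_timeout "$demo"            # first run inserts 00:10:00
set_function_timeout "$demo" 00:08:00   # second run only updates the value
cat "$demo"
```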

    Salesforce Service Cloud (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API
    Log Analytics table(s) SalesforceServiceCloud_CL
    DCR support Not currently supported
    Azure Function App code https://aka.ms/Sentinel-SalesforceServiceCloud-functionapp
    API credentials
  • Salesforce API Username
  • Salesforce API Password
  • Salesforce Security Token
  • Salesforce Consumer Key
  • Salesforce Consumer Secret
    Vendor documentation/
    installation instructions
    Salesforce REST API Developer Guide
    Under Set up authorization, use the Session ID method instead of OAuth.
    Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
    Kusto function alias: SalesforceServiceCloud
    Kusto function URL/
    Parser config instructions
    https://aka.ms/Sentinel-SalesforceServiceCloud-parser
    Application settings
  • SalesforceUser
  • SalesforcePass
  • SalesforceSecurityToken
  • SalesforceConsumerKey
  • SalesforceConsumerSecret
  • WorkspaceID
  • WorkspaceKey
  • logAnalyticsUri (optional)
    Supported by Microsoft

    Security events via Legacy Agent (Windows)

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Log Analytics agent-based connections (Legacy)
    Log Analytics table(s) SecurityEvents
    DCR support Workspace transformation DCR
    Supported by Microsoft

    For more information, see:

    SentinelOne (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API

    Extra configuration for SentinelOne
    Log Analytics table(s) SentinelOne_CL
    DCR support Not currently supported
    Azure Function App code https://aka.ms/Sentinel-SentinelOneAPI-functionapp
    API credentials
  • SentinelOneAPIToken
  • SentinelOneUrl (https://<SOneInstanceDomain>.sentinelone.net)
    Vendor documentation/
    installation instructions
  • https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview
  • See instructions below
    Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
    Kusto function alias: SentinelOne
    Kusto function URL/
    Parser config instructions
    https://aka.ms/Sentinel-SentinelOneAPI-parser
    Application settings
  • SentinelOneAPIToken
  • SentinelOneUrl
  • WorkspaceID
  • WorkspaceKey
  • logAnalyticsUri (optional)
    Supported by Microsoft

    Extra configuration for SentinelOne

    Follow these steps to obtain the credentials.

    1. Sign in to the SentinelOne Management Console with Admin user credentials.
    2. In the Management Console, select Settings.
    3. In the SETTINGS view, select USERS.
    4. Select New User.
    5. Enter the information for the new console user.
    6. In Role, select Admin.
    7. Select SAVE.
    8. Save the new user's credentials for use in the data connector.

    SonicWall Firewall (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    DCR support Workspace transformation DCR
    Vendor documentation/
    installation instructions
    Log > Syslog
    Select facility local4 and ArcSight as the Syslog format.
    Supported by SonicWall

    Sophos Cloud Optix (Preview)

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) SophosCloudOptix_CL
    DCR support Not currently supported
    Vendor documentation/
    installation instructions
    Integrate with Microsoft Sentinel, skipping the first step.
    Sophos query samples
    Supported by Sophos

    Sophos XG Firewall (Preview)

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    DCR support Workspace transformation DCR
    Kusto function alias: SophosXGFirewall
    Kusto function URL: https://aka.ms/sentinelgithubparserssophosfirewallxg
    Vendor documentation/
    installation instructions
    Add a syslog server
    Supported by Microsoft

    Squadra Technologies secRMM

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) secRMM_CL
    DCR support Not currently supported
    Vendor documentation/
    installation instructions
    secRMM Microsoft Sentinel Administrator Guide
    Supported by Squadra Technologies

    Squid Proxy (Preview)

    Connector attribute Description
    Data ingestion method Log Analytics agent - custom logs
    Log Analytics table(s) SquidProxy_CL
    DCR support Not currently supported
    Kusto function alias: SquidProxy
    Kusto function URL https://aka.ms/Sentinel-squidproxy-parser
    Custom log sample file: access.log or cache.log
    Supported by Microsoft

    Symantec Integrated Cyber Defense Exchange (ICDx)

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) SymantecICDx_CL
    DCR support Not currently supported
    Vendor documentation/
    installation instructions
    Configuring Microsoft Sentinel (Log Analytics) Forwarders
    Supported by Broadcom Symantec

    Symantec ProxySG (Preview)

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    DCR support Workspace transformation DCR
    Kusto function alias: SymantecProxySG
    Kusto function URL: https://aka.ms/sentinelgithubparserssymantecproxysg
    Vendor documentation/
    installation instructions
    Sending Access Logs to a Syslog server
    Supported by Microsoft

    Symantec VIP (Preview)

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    DCR support Workspace transformation DCR
    Kusto function alias: SymantecVIP
    Kusto function URL: https://aka.ms/sentinelgithubparserssymantecvip
    Vendor documentation/
    installation instructions
    Configuring syslog
    Supported by Microsoft

    Thycotic Secret Server (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    DCR support Workspace transformation DCR
    Vendor documentation/
    installation instructions
    Secure Syslog/CEF Logging
    Supported by Thycotic

    Trend Micro Deep Security

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog, with a Kusto function parser
    Log Analytics table(s) CommonSecurityLog
    DCR support Workspace transformation DCR
    Kusto function alias: TrendMicroDeepSecurity
    Kusto function URL https://aka.ms/TrendMicroDeepSecurityFunction
    Vendor documentation/
    installation instructions
    Forward Deep Security events to a Syslog or SIEM server
    Supported by Trend Micro

    Trend Micro TippingPoint (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog, with a Kusto function parser
    Log Analytics table(s) CommonSecurityLog
    DCR support Workspace transformation DCR
    Kusto function alias: TrendMicroTippingPoint
    Kusto function URL https://aka.ms/Sentinel-trendmicrotippingpoint-function
    Vendor documentation/
    installation instructions
    Send Syslog messages in ArcSight CEF Format v4.2 format.
    Supported by Trend Micro

    Trend Micro Vision One (XDR) (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API
    Log Analytics table(s) TrendMicro_XDR_CL
    DCR support Not currently supported
    API credentials
  • API Token
    Vendor documentation/
    installation instructions
  • Trend Micro Vision One API
  • Obtaining API Keys for Third-Party Access
    Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
    Supported by Trend Micro

    VMware Carbon Black Endpoint Standard (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API
    Log Analytics table(s) CarbonBlackEvents_CL
    CarbonBlackAuditLogs_CL
    CarbonBlackNotifications_CL
    DCR support Not currently supported
    Azure Function App code https://aka.ms/sentinelcarbonblackazurefunctioncode
    API credentials API access level (for Audit and Event logs):
  • API ID
  • API Key

    SIEM access level (for Notification events):
  • SIEM API ID
  • SIEM API Key
    Vendor documentation/
    installation instructions
  • Carbon Black API Documentation
  • Creating an API Key
    Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
    Application settings
  • apiId
  • apiKey
  • WorkspaceID
  • WorkspaceKey
  • uri (by region; see list of options. Follows schema: https://<API URL>.conferdeploy.net.)
  • timeInterval (set to 5)
  • SIEMapiId (if ingesting Notification events)
  • SIEMapiKey (if ingesting Notification events)
  • logAnalyticsUri (optional)
    Supported by Microsoft

    VMware ESXi (Preview)

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    DCR support Workspace transformation DCR
    Kusto function alias: VMwareESXi
    Kusto function URL: https://aka.ms/Sentinel-vmwareesxi-parser
    Vendor documentation/
    installation instructions
    Enabling syslog on ESXi 3.5 and 4.x
    Configure Syslog on ESXi Hosts
    Supported by Microsoft

    WatchGuard Firebox (Preview)

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    DCR support Workspace transformation DCR
    Kusto function alias: WatchGuardFirebox
    Kusto function URL: https://aka.ms/Sentinel-watchguardfirebox-parser
    Vendor documentation/
    installation instructions
    Microsoft Sentinel Integration Guide
    Supported by WatchGuard Technologies

    WireX Network Forensics Platform (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    DCR support Workspace transformation DCR
    Vendor documentation/
    installation instructions
    Contact WireX support in order to configure your NFP solution to send Syslog messages in CEF format.
    Supported by WireX Systems

    Windows DNS Server (Preview)

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Log Analytics agent-based connections (Legacy)
    Log Analytics table(s) DnsEvents
    DnsInventory
    DCR support Workspace transformation DCR
    Supported by Microsoft

    Troubleshooting your Windows DNS Server data connector

    If your DNS events don't show up in Microsoft Sentinel:

    1. Make sure that DNS analytics logs on your servers are enabled.
    2. Go to Azure DNS Analytics.
    3. In the Configuration area, change any of the settings and save your changes. Change your settings back if you need to, and then save your changes again.
    4. Check your Azure DNS Analytics to make sure that your events and queries display properly.

    For more information, see Gather insights about your DNS infrastructure with the DNS Analytics Preview solution.

    Windows Forwarded Events (Preview)

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Azure Monitor Agent-based connections


    Additional instructions for deploying the Windows Forwarded Events connector
    Prerequisites You must have Windows Event Collection (WEC) enabled and running.
    Install the Azure Monitor Agent on the WEC machine.
    xPath queries prefix "ForwardedEvents!*"
    Log Analytics table(s) WindowsEvents
    DCR support Standard DCR
    Supported by Microsoft

    Additional instructions for deploying the Windows Forwarded Events connector

    We recommend installing the Advanced Security Information Model (ASIM) parsers to ensure full support for data normalization. You can deploy these parsers from the Azure-Sentinel GitHub repository using the Deploy to Azure button there.

    Windows Firewall

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Log Analytics agent-based connections (Legacy)
    Log Analytics table(s) WindowsFirewall
    Supported by Microsoft

    Windows Security Events via AMA

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Azure Monitor Agent-based connections
    xPath queries prefix "Security!*"
    Log Analytics table(s) SecurityEvents
    DCR support Standard DCR
    Supported by Microsoft

    See also: Security events via legacy agent connector.

    Configure the Security events / Windows Security Events connector for anomalous RDP login detection

    Important

    Anomalous RDP login detection is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

    Microsoft Sentinel can apply machine learning (ML) to Security events data to identify anomalous Remote Desktop Protocol (RDP) login activity. Scenarios include:

    • Unusual IP - the IP address has rarely or never been observed in the last 30 days

    • Unusual geo-location - the IP address, city, country, and ASN have rarely or never been observed in the last 30 days

    • New user - a new user logs in from an IP address and geo-location, either or both of which were not expected based on data from the prior 30 days.

    Configuration instructions

    1. You must be collecting RDP login data (Event ID 4624) through the Security events or Windows Security Events data connectors. Make sure you have selected an event set besides "None", or created a data collection rule that includes this event ID, to stream into Microsoft Sentinel.

    2. From the Microsoft Sentinel portal, select Analytics, and then select the Rule templates tab. Choose the (Preview) Anomalous RDP Login Detection rule, and move the Status slider to Enabled.

    Note

    As the machine learning algorithm requires 30 days' worth of data to build a baseline profile of user behavior, you must allow 30 days of Windows Security events data to be collected before any incidents can be detected.

    Workplace from Facebook (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API

    Configure Webhooks
    Add Callback URL to Webhook configuration
    Log Analytics table(s) Workplace_Facebook_CL
    DCR support Not currently supported
    Azure Function App code https://aka.ms/Sentinel-WorkplaceFacebook-functionapp
    API credentials
  • WorkplaceAppSecret
  • WorkplaceVerifyToken
    Vendor documentation/
    installation instructions
  • Configure Webhooks
  • Configure permissions
    Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
    Kusto function alias: Workplace_Facebook
    Kusto function URL/
    Parser config instructions
    https://aka.ms/Sentinel-WorkplaceFacebook-parser
    Application settings
  • WorkplaceAppSecret
  • WorkplaceVerifyToken
  • WorkspaceID
  • WorkspaceKey
  • logAnalyticsUri (optional)
    Supported by Microsoft

    Configure Webhooks

    1. Sign in to Workplace with Admin user credentials.
    2. In the Admin panel, select Integrations.
    3. In the All integrations view, select Create custom integration.
    4. Enter the name and description and select Create.
    5. In the Integration details panel, show the App secret and copy it.
    6. In the Integration permissions panel, set all read permissions. Refer to the permissions page for details.

    Add Callback URL to Webhook configuration

    1. Open your Function App's page, go to the Functions list, select Get Function URL, and copy it.
    2. Go back to Workplace from Facebook. In the Configure webhooks panel, on each tab, set the Callback URL to the Function URL you copied in the previous step, and the Verify token to the value you received during automatic deployment or entered during manual deployment.
    3. Select Save.

    Zimperium Mobile Threat Defense (Preview)

    Zimperium Mobile Threat Defense data connector connects the Zimperium threat log to Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This connector gives you more insight into your organization's mobile threat landscape and enhances your security operation capabilities.

    For more information, see Connect Zimperium to Microsoft Sentinel.

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API

    Configure and connect Zimperium MTD
    Log Analytics table(s) ZimperiumThreatLog_CL
    ZimperiumMitigationLog_CL
    DCR support Not currently supported
    Vendor documentation/
    installation instructions
    Zimperium customer support portal (sign-in required)
    Supported by Zimperium

    Configure and connect Zimperium MTD

    1. In zConsole, select Manage on the navigation bar.
    2. Select the Integrations tab.
    3. Select the Threat Reporting button and then the Add Integrations button.
    4. Create the Integration:
      1. From the available integrations, select Microsoft Sentinel.
      2. Enter your workspace ID and primary key, and select Next.
      3. Fill in a name for your Microsoft Sentinel integration.
      4. Select a Filter Level for the threat data you wish to push to Microsoft Sentinel.
      5. Select Finish.

    Zoom Reports (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API
    Log Analytics table(s) Zoom_CL
    DCR support Not currently supported
    Azure Function App code https://aka.ms/Sentinel-ZoomAPI-functionapp
    API credentials
  • ZoomApiKey
  • ZoomApiSecret
    Vendor documentation/
    installation instructions
  • Get credentials using JWT With Zoom
    Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
    Kusto function alias: Zoom
    Kusto function URL/
    Parser config instructions
    https://aka.ms/Sentinel-ZoomAPI-parser
    Application settings
  • ZoomApiKey
  • ZoomApiSecret
  • WorkspaceID
  • WorkspaceKey
  • logAnalyticsUri (optional)
    Supported by Microsoft

    Zscaler

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    DCR support Workspace transformation DCR
    Vendor documentation/
    installation instructions
    Zscaler and Microsoft Sentinel Deployment Guide
    Supported by Zscaler

    Zscaler Private Access (ZPA) (Preview)

    Connector attribute Description
    Data ingestion method Log Analytics agent - custom logs

    Extra configuration for Zscaler Private Access
    Log Analytics table(s) ZPA_CL
    DCR support Not currently supported
    Kusto function alias: ZPAEvent
    Kusto function URL https://aka.ms/Sentinel-zscalerprivateaccess-parser
    Vendor documentation/
    installation instructions
    Zscaler Private Access documentation
    Also, see below
    Supported by Microsoft

    Extra configuration for Zscaler Private Access

    Follow the configuration steps below to get Zscaler Private Access logs into Microsoft Sentinel. For more information, see the Azure Monitor documentation. Zscaler Private Access logs are delivered via the Log Streaming Service (LSS). Refer to the LSS documentation for detailed information.

    1. Configure Log Receivers. While configuring a Log Receiver, choose JSON as the Log Template.

    2. Download the config file zpa.conf:

      wget -v https://aka.ms/sentinel-zscalerprivateaccess-conf -O zpa.conf

    3. Sign in to the server where you have installed the Azure Log Analytics agent.

    4. Copy zpa.conf to the /etc/opt/microsoft/omsagent/workspace_id/conf/omsagent.d/ folder.

    5. Edit zpa.conf as follows:

      1. Specify the port that you have set your Zscaler Log Receivers to forward logs to (line 4).
      2. Replace workspace_id with the actual value of your workspace ID (lines 14, 15, 16, and 19).

    6. Save your changes and restart the Azure Log Analytics agent for Linux service with the following command:

      sudo /opt/microsoft/omsagent/bin/service_control restart

    You can find the value of your workspace ID on the Zscaler Private Access connector page or on your Log Analytics workspace's agents management page.
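The following shell script is an added example, not part of this page and not Zscaler's or Microsoft's tooling: it performs the zpa.conf edit from step 5 and validates the result (GUID-shaped workspace ID, sane port, no placeholder left behind) before the file is copied to the step 4 location and the agent is restarted. It assumes the downloaded template marks the workspace with the literal token workspace_id and names the receiver port on a fluentd-style "port NNN" line; the template built inside the script is constructed, not the real file.

```shell
#!/bin/sh
# Added example, not the Microsoft docs page's own script and not Zscaler's
# tooling: renders zpa.conf for step 5 above and checks it before it is copied
# into omsagent.d and the agent restarted. Assumes the downloaded template marks
# the workspace with the literal token "workspace_id" and names the receiver
# port on a fluentd-style "port NNN" line; the template built below is
# constructed for illustration, not the real file.

# Accept only a GUID-shaped workspace ID so a typo never reaches the agent.
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Accept only a numeric TCP port in 1..65535.
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_zpa_conf TEMPLATE OUT WORKSPACE_ID PORT
# Substitutes every workspace_id token and the receiver port line, then fails
# if any placeholder survived or the port line is missing or duplicated.
render_zpa_conf() {
  template=$1; out=$2; ws=$3; port=$4
  is_guid "$ws" || { echo "bad workspace ID: $ws" >&2; return 1; }
  is_port "$port" || { echo "bad port: $port" >&2; return 1; }
  sed -e "s/workspace_id/$ws/g" \
      -e "s/^\([[:space:]]*port[[:space:]][[:space:]]*\)[0-9][0-9]*/\1$port/" \
      "$template" > "$out"
  if grep -q 'workspace_id' "$out"; then
    echo "placeholder left in $out" >&2; return 1
  fi
  [ "$(grep -c "^[[:space:]]*port[[:space:]][[:space:]]*$port\$" "$out")" -eq 1 ]
}

# zpa_conf_target WORKSPACE_ID: prints the path step 4 says the file belongs at.
zpa_conf_target() {
  printf '/etc/opt/microsoft/omsagent/%s/conf/omsagent.d/zpa.conf\n' "$1"
}

# Demo on a constructed template shaped like a typical omsagent custom-log
# config: a tcp source on one port, then workspace-scoped paths in the match.
demo_dir=$(mktemp -d)
cat > "$demo_dir/zpa.conf" <<'EOF'
<source>
  type tcp
  port 22033
  bind 0.0.0.0
  tag oms.api.ZPA
  format json
</source>
<match oms.api.ZPA>
  type out_oms_api
  omsadmin_conf_path /etc/opt/microsoft/omsagent/workspace_id/conf/omsadmin.conf
  cert_path /etc/opt/microsoft/omsagent/workspace_id/certs/oms.crt
  key_path /etc/opt/microsoft/omsagent/workspace_id/certs/oms.key
  buffer_path /var/opt/microsoft/omsagent/workspace_id/state/out_oms_api_zpa*.buffer
</match>
EOF
# The GUID and port below are constructed sample values.
sample_ws=12345678-abcd-4ef0-9a1b-0123456789ab
render_zpa_conf "$demo_dir/zpa.conf" "$demo_dir/zpa.rendered.conf" "$sample_ws" 22033
echo "rendered OK; copy it to $(zpa_conf_target "$sample_ws")"
echo "then run: sudo /opt/microsoft/omsagent/bin/service_control restart"
```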

    Next steps

    For more information, see: