New Azure Sentinel connectors

Published Jul 21 2020 07:56 AM 18.8K Views

Today, we are announcing over a dozen new connectors for leading security solutions that enable data collection and automation scenarios in Azure Sentinel. Customers have diverse environments with different security solutions. These connectors make it easy for customers to collect and analyze their security data from these different security solutions at cloud scale. New workbooks and analytic rule templates are also available to help you monitor these new data sources and detect threats immediately. Refer to the documentation for a complete list of data connectors and Azure Logic Apps custom connectors that you can leverage in Azure Sentinel.


VMware Carbon Black

Use the Carbon Black data connector to ingest Carbon Black events, audit logs and notifications in Azure Sentinel. There is a new workbook as illustrated below, and analytic rule templates on critical threats and malware detections to help you get started immediately.

VMware Carbon Black WorkbookVMware Carbon Black Workbook


Sophos XG Firewall

Collect Sophos XG Firewall logs using the Sophos data connector and the related workbook to monitor the network traffic and firewall status. Furthermore, enable the port scans and excessive denied connections analytic rules to create custom alerts and track as incidents for the ingested data.


Okta SSO

Okta Single Sign-on audit and event logs can now be easily ingested using the Okta SSO data connector. Monitor user activity and authentication status using the workbook. Enhance your threat detection capability with analytics to track invalid user logins, geolocation logins and password spray attacks.



Two new data connectors for Symantec enable you to ingest Symantec Proxy SG (Secure Gateway) and Symantec VIP logs. Use the new workbooks for these data sources to monitor their gateway and authentication logs. Out-of-the-box analytic rule templates for excessive failed authentications, suspicious URL access and denied client and proxy traffic can help with threat detection capabilities as well.


Qualys VM

Use the new Qualys VM data connector to ingest Qualys Vulnerability Management detections. There is a new workbook to monitor Qualys reported vulnerabilities in Azure Sentinel as illustrated below. Detections for new high severity vulnerabilities and high volume of vulnerabilities can enable customized alert generation and incident management in Azure Sentinel.

Qualys VM WorkbookQualys VM Workbook

Vectra AI

Use the Vectra data connector to ingest detection analytics from Vectra and the related workbook to drill down into the behavioral analytics and create custom alerts. Refer to the Vectra AI announcement for detailed information.


Proofpoint TAP

Proofpoint Targeted Attack Protection (TAP) logs and events can now be ingested using the Proofpoint TAP data connector. Visualize the message and click logs and events data using the workbook. Use the analytics for malware attachment and malware links clicked for enhanced alerting and incident management.


Infoblox NIOS

Collect your Infoblox Network Identity Operating System (NIOS) logs using the Infoblox NIOS data connector. Drilldown into the DHCP and DNS logs using the workbook. Detect threats using the DHCP starvation attacks and excessive DNS domain queries analytics.



Tap into threat intelligence feeds from RiskIQ using RiskIQ Azure Logic App connector in playbooks to enrich analytics, incidents and investigation experiences in Azure Sentinel as illustrated below. Deploy one or more of the RiskIQ enrichment playbooks available on the Azure Sentinel GitHub repository to your Azure Sentinel workspace to get started now!

Risk IQ PlaybookRisk IQ Playbook

Pulse Connect Secure

Ingest Pulse Connect Secure logs in Azure Sentinel using the Pulse Connect Secure data connector. Monitor your VPN device logs using the workbook. Use the high volume of failed logins and multiple failed VPN user logins analytics to generate custom alerts and manage as incidents.


Perimeter 81

Perimeter 81 activity logs can be ingested using the Perimeter 81 data connector. Use the Perimeter 81 overview workbook to monitor activities like login failure. Create custom alerts using the Perimeter 81 data in Azure Sentinel to detect threats.


Alcide kAudit

Identify anomalous Kubernetes behavior by ingesting the Alcide kAudit activity logs and detections using the Alcide data connector. Build your custom workbooks to monitor the data and create custom analytic rule templates to detect threats using this data.


Illusive Networks

Illusive Attack Management System data connector enables you to ingest Illusive's attack surface analysis data and incident logs. You can view this data in dedicated dashboards that offer insight into organization's attack surface risk (ASM workbook) and track unauthorized lateral movement in your organization's network (ADS workbook).


Orca Security

Ingest Orca Security alerts in Azure Sentinel using the Orca security data connector. Build your custom workbooks to monitor the data and create custom analytic rule templates to detect threats using this data.



Ingest Eset Security Management Center firewall, threat and audit events using the Eset data connector. Use the workbook to monitor threats pertaining to users and hosts and the Eset SMC detections to get alerted on critical threats and sites blocked by Eset.



Try out the new connectors, workbooks, and analytics in Azure Sentinel, and let us know your feedback using any of the channels listed in the Resources.

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community and follow the guidance.


Occasional Visitor
Drilldown into the DHCP and DCP logs using

This should be 'DNS logs', right? :)



@tuckner - Yes, fixed - Thanks, for catching this.


Does the Qualys vulnerability management workbook work with the Azure Security Centre vulnerability assessment tool (powered by Qualys)?

Occasional Contributor

Great content @Preeti_Krishna  habe shared with my LinkedIn Network


Is rsyslog a requirement for the eset connector? We are using syslog-ng and I cannot seem to get the data parsed in the way the connector documentations shows. We have been forwarding the logs to a table called ESET_CL so I imagine I need to change the table in the sample queries to match this but no luck.


Hi @endakelly - The eset connector is supported as an extension to the official Syslog connector (based on rsyslog) and not with syslog-ng (although it should work with this as well). Configure the name in the connector as just "eset“ as Sentinel automatically adds "_CL“ suffix to the name of the custom table. Please try exactly as documented first and then try to swap with syslog-ng to see if it works with this as well. 

Also please [file an issue on Azure Sentinel GitHub]( so that we can continue further discussions on this.  Thanks. 


@SteveMiles70  - Thanks! 

Occasional Visitor

Hi, There is a connector on Sentinel for Google Cloud Platform?

Frequent Visitor

We set up the Carbon Black connector as described for a customer. W can see in Azure that the function is reaching out to Carbon Black API. It says connection was successful. No data was retrieved. Carbon Black console also shows the API as successful connection.


However, it is capable to upload only audits logs related to logins to the portal. The events and notifications are not being collected. How do we correct this issue?

Version history
Last update:
‎Jul 21 2020 03:53 PM
Updated by: