(Last updated Apr 20th, 2021)
Please note that as the built-in list of connectors in Azure Sentinel is growing, this list is not actively maintained anymore. Refer to the Azure Sentinel connector documentation for more information.
Built-in connectors are included in the Azure Sentinel documentation and the data connectors pane in the product itself. Those connectors are based on one of the technologies listed below. Therefore a built-in connector will have a type: CEF, Syslog, Direct, and so forth.
Most network and security systems support either Syslog or CEF (which stands for Common Event Format) over Syslog as means for sending data to a SIEM. This makes Syslog or CEF the most straightforward ways to stream security and networking events to Azure Sentinel.
The advantage of CEF over Syslog is that it ensures the data is normalized, making it more immediately useful for analysis using Sentinel. However, unlike many other SIEM products, Sentinel allows ingesting unparsed Syslog events and performing analytics on them using query time parsing.
The number of systems supporting Syslog or CEF is in the hundreds, making the table below by no means comprehensive. We will update this list continuously. The table provides links to the source device's vendor documentation for configuring the device to send events in Syslog or CEF.
Tip: Want to ingest test CEF data? Here is how to do that.
Most Microsoft cloud sources and many other clouds and on-prem systems can send to Azure Sentinel natively. For Microsoft Azure sources, this often uses their diagnostics feature, on which you can read more here.
The Log Analytics agent can collect different types of events from servers and endpoints listed here. To learn more about the agent, read Azure Sentinel Agent: Collecting telemetry from on-prem and IaaS server.
You can use one of the threat intelligence connectors:
to ingest threat intelligence indicators, which are used by Azure Sentinel's built-in TI analytics rules, and to build your own rules. You can read more about the Threat Intelligence connectors in module #6 of the Azure Sentinel Ninja Training.
In addition to CEF and Syslog, many solutions are based on Sentinel's data collector API and create custom log tables in the workspace. Those belong to three groups:
You can read more about custom connectors here.
While all the types above focus on getting telemetry into Azure Sentinel, connectors marked as automation/integration enable Azure Sentinel to implement other use cases, such as sending information to another system or performing an action on another system. Those might be API-based integrations or Logic App-based integrations.
| Vendor | Product | Connector | Connecting and using |
|---|---|---|---|
| Agari | Phishing Defense and Brand Protection | Built-in (Function, Graph Security API) | Instructions |
| AI Vectra | Detect | Built-in (CEF) | Instructions |
| Akamai | | Built-in (CEF) | Instructions |
| Alcide | kAudit | Built-in (API) | |
| AlgoSec | ASMS | CEF | |
| Anomali | Limo | Built-in (TAXII) | |
| Anomali | ThreatStream | Built-in (TI Platform) | |
| Anomali | Match | Integration | |
| Apache | httpd | Built-in (Agent custom logs) | Also, read "Using rsyslog or logger as a file forwarder" for an alternative method. |
| Apache | Kafka | Logstash | See Logstash plug-in. Use to get events sent using Kafka, not for Kafka's own audit events. |
| Aruba | ClearPass | CEF | |
| AT&T Cyber | AlienVault OTX | TI (Platform) | Using Logic Apps. See instructions. |
| AWS | CloudTrail | Built-in | |
| AWS | CloudTrail S3 logs | Custom | Using an Azure Function: see here. Using an AWS Lambda Function: see here. |
| AWS | CloudWatch | Logstash | See Logstash plug-in. |
| AWS | Kinesis | Logstash | See Logstash plug-in. |
| AWS | Object Level S3 Logging | Logstash | See here. |
| AWS | Security Hub | Custom | Azure Function. See here. |
| Barracuda | WAF | Built-in (API) | |
| Barracuda | CloudGen Firewall | API | |
| BETTER Mobile | Threat Defense | Built-in (API) | |
| Beyond Security | beSECURE | Built-in (API) | |
| Carbon Black | Cloud Endpoint Standard (Cb Defense) | Built-in (Function), Syslog | |
| Carbon Black | (Cb Response) | Syslog | |
| Checkpoint | | CEF | |
| Cisco | ACS | Syslog | |
| Cisco | ASA | Cisco (CEF) | Notes: Cisco ASA support uses Sentinel's CEF pipeline; however, Cisco's logging is not in CEF format. Make sure you disable logging timestamps using "no logging timestamp". See here for more details. |
| Cisco | Cloud Security Gateway (CWS) | CEF | Use the Cisco Advanced Web Security Reporting. |
| Cisco | FTD | Cisco (CEF) | FTD platform logs are compatible with ASA logs and can use the same connector (see here). |
| Cisco | IOS | Syslog | Instructions |
| Cisco | ISE (NAC) | Syslog | Instructions |
| Cisco | Web Security Appliance (WSA) | CEF | Use the Cisco Advanced Web Security Reporting. |
| Cisco | Meraki | Syslog | |
| Cisco | eStreamer | CEF | |
| Cisco | Firepower Threat Defense | CEF, Syslog | |
| Cisco | FireSight | CEF | |
| Cisco | IronPort Web Security Appliance | Syslog | |
| Cisco | Nexus | Syslog | |
| Cisco | Umbrella | Built-in (Function) | Also, see this blog post for a custom solution. |
| Cisco | Unified Computing System (UCS) | Built-in (Syslog) | |
| Cisco | Viptela SD-WAN | Syslog | |
| Citrix | Analytics | Built-in (Direct) | |
| Citrix | NetScaler | Syslog | |
| Citrix | NetScaler App FW | Built-in (CEF) | Instructions |
| Clearswift | Web Security Gateway | Syslog | |
| Cloudflare | | | Use Cloudflare Logpush to send to storage and a custom connector to read events from storage (for example, reading AWS S3 buckets). |
| Cribl | LogStream | Direct | |
| CrowdStrike | Falcon | CEF | Instructions. Use a SIEM connector installed on-premises. |
| CyberArk | Endpoint Privilege Manager (EPM) | Syslog, Logstash | Instructions (for both) |
| CyberArk | Privileged Access Security (PTA) | CEF | |
| Darktrace | Immune | CEF | See announcement. Contact vendor for instructions. |
| Digital Guardian | | CEF | |
| DocuSign | Monitor | Custom | See this blog post. |
| Duo Security | | CEF | Using Duo LogSync |
| Extrahop | Reveal | Built-in (CEF) | |
| F5 | ASM (WAF) | Built-in (CEF) | |
| F5 | BigIP (System, LTM, AFM, ASM, APM, AVR) | Built-in (Direct) | |
| Fastly | WAF | Custom | See this blog post (Logic Apps or Azure Function). |
| Forcepoint | Web Security (WebSense) | CEF | |
| Forcepoint | CASB | CEF | |
| Forcepoint | DLP | Direct | |
| Forcepoint | NGFW | CEF | |
| Forescout | CounterAct | CEF | |
| Fortinet | | CEF | |
| Fortinet | FortiSIEM | CEF | |
| Fortinet | FortiSOAR | Integration | |
| GitHub | | Custom | See connector, rules, and hunting queries. |
| GCP | Cloud Storage | Logstash | See plug-in. Use to get events stored in GCP Cloud Storage, not for Cloud Storage's own audit events. |
| GCP | Pub/Sub | Logstash | See plug-in. Use to get events sent using Pub/Sub, not for Pub/Sub's own audit events. |
| GCP | Stackdriver | Logstash, Custom | Through GCP Cloud Storage or GCP Pub/Sub as described above. Using a GCP Cloud Function: see here. |
| Group-IB | | Custom (TI Platform) | Using Logic Apps. See instructions. |
| GuardiCore | Centra | CEF | Contact vendor for instructions. |
| HP | Printers | Syslog | |
| IBM | iSeries | CEF | See here. |
| IBM | QRadar events | Syslog | Forward raw events or correlation events in raw, parsed, or JSON format. See instructions. |
| IBM | QRadar offenses | Custom (Function) | |
| IBM | X-Force | TI (TAXII) | |
| IBM | zSecure | CEF | See "What's new for zSecure V2.3.0". Note that it supports alerts only. |
| Illusive | Attack Management System | Syslog | |
| Imperva | SecureSphere | CEF | |
| Infoblox | NIOS | Built-in (Syslog) | |
| InSights | | TI (TAXII) | |
| Jamf | Pro | Syslog | |
| Juniper | ATP | CEF | |
| Juniper | JunOS based devices | Built-in (Syslog) | |
| Kaspersky | Security Center | CEF | Instructions |
| ManageEngine | AD Audit Plus | CEF | Instructions (use the ArcSight instructions) |
| ManageEngine | Exchange Reporter Plus | Syslog | |
| McAfee | ePO | Syslog | Instructions (note: TLS only; requires rsyslog TLS configuration) |
| McAfee | MVISION EDR | Syslog | |
| McAfee | Web Gateway | CEF | |
| Microfocus | Fortify AppDefender | CEF | Instructions (requires authentication; contact vendor for further details). |
| Microsoft | Active Directory | Agent | Most AD events are logged as part of security events. Also, see in this list: |
| Microsoft | Advanced Threat Protection (ATA) | CEF | |
| Microsoft | Azure Active Directory (AAD) | Built-in (Diagnostics) | |
| Microsoft | Azure Active Directory Domain Services | Diagnostics | |
| Microsoft | | | |
| Microsoft | Azure Activity, Azure Subscriptions, Azure Management Groups | Direct | |
| Microsoft | Application Insights | Direct | |
| Microsoft | App Services & Web Application monitoring | Direct | Instructions and reference architecture |
| Microsoft | Azure B2B | Direct | Included as part of AAD events. |
| Microsoft | Azure B2C | Direct | Collect B2C logs from your B2C tenant into your primary tenant's AAD logs as described here. |
| Microsoft | Azure Cosmos DB | Direct | Instructions |
| Microsoft | Azure Data Lake Gen 1 | Direct | |
| Microsoft | Azure Data Factory | Direct | Instructions |
| Microsoft | Azure Databricks | Direct | Instructions |
| Microsoft | Azure DDoS | Built-in (Diagnostics) | |
| Microsoft | Azure Defender and Azure Security Center (ASC) | Direct | |
| Microsoft | | Built-in (Direct) | |
| Microsoft | Azure DevOps | Direct | |
| Microsoft | Azure Event Hub (subscription) | Logstash | See Logstash plug-in. Use to get events sent using an Event Hub, not for Event Hub's own audit events. |
| Microsoft | Azure Files | Direct (Diagnostics) | |
| Microsoft | Azure Firewall | Built-in (Diagnostics) | |
| Microsoft | Azure Front Door | Direct | Instructions |
| Microsoft | Azure Key Vault (AKV) | Built-in (Diagnostics) | Connect: Use: |
| Microsoft | Azure Information Protection (Classic and Unified Labeling) | Built-in (Direct) | Instructions |
| Microsoft | Azure Kubernetes Service (AKS) | Direct | |
| Microsoft | Azure Log Analytics | Direct | Collect query auditing and other metrics: Instructions |
| Microsoft | Azure Logic Apps | Direct | Instructions |
| Microsoft | Azure Network Security Groups (NSG) | Direct | |
| Microsoft | Azure SQL | Built-in (Diagnostics) | |
| Microsoft | Azure SQL Managed Instance | Direct | Instructions |
| Microsoft | Azure Site Recovery | Direct | Instructions |
| Microsoft | Azure Storage | Direct | |
| Microsoft | Azure Storage Content | Custom (Azure Function) | Ingest the content of Azure Storage Blobs. See GitHub. |
| Microsoft | Azure Synapse | Direct | Instructions |
| Microsoft | Azure Web Application Firewall (WAF) | Built-in (Diagnostics) | |
| Microsoft | BitLocker / MBAM | Agent | Using Windows Event collection. Blog post |
| Microsoft | Cloud App Security (Alerts, Discovery logs) | Built-in (Direct) | |
| Microsoft | Cloud App Security (Activity Log) | CEF | |
| Microsoft | Defender for Office | Built-in, Custom | For AIR alerts: instructions. For other alerts: use either a Logic App or an Azure Function custom connector. For the Azure Function connector, query for RecordType_d == "28", "41" or "47". |
| Microsoft | Defender for Identity (Azure ATP) Alerts | Built-in | |
| Microsoft | Defender for Identity (Azure ATP) Events | CEF | |
| Microsoft | Desktop Analytics | Direct | |
| Microsoft | DNS | Agent | |
| Microsoft | Dynamics 365 | Built-in | |
| Microsoft | Dynamics (not 365) | Agent | |
| Microsoft | IIS | Agent | |
| Microsoft | Intune | Direct | |
| Microsoft | LDAP (Windows Server) | Agent | Configure AD diagnostics logging and set "16 LDAP Interface Events" to 2 or above. |
| Microsoft | Office 365 (Exchange, SharePoint, OneDrive, DLP Alerts) | Built-in | For details about DLP alerts, read here. |
| Microsoft | Office 365 (Microsoft Defender for Office; formerly Office ATP, PowerBI, Yammer, Sway, Forms, eDiscovery, and others) | Custom (Azure Function, Logic Apps) | Use either a Logic App or an Azure Function custom connector. |
| Microsoft | Office 365 e-mail trace logs | Custom (Logic Apps) | See blog post. |
| Microsoft | PowerBI Embedded | Direct (Diagnostics) | |
| Microsoft | SMBv1 (Windows Server) | Agent | See "Enable Auditing on SMB Servers" and the cmdlet reference. |
| Microsoft | Teams (Call Logs) | Custom | Using Logic Apps |
| Microsoft | Teams (Management Activity) | Built-in | |
| Microsoft | Teams Shifts | Custom | Use either a Logic App or an Azure Function custom connector. For the Azure Function connector, query for RecordType_d == "73". |
| Microsoft | SCCM | Agent | |
| Microsoft | SQL Server | Agent | Instructions, parser, rules, and hunting queries. You can also audit at the engine level. |
| Microsoft | Sysmon | Agent | Using Windows Event collection. Blog post |
| Microsoft | Windows (Security Events) | Agent | |
| Microsoft | Windows (Other Events, Sysmon) | Agent | |
| Microsoft | Windows network connections | Agent | |
| Microsoft | Windows Firewall | Agent | Sentinel built-in connector |
| Microsoft | Windows Virtual Desktop | Direct | |
| Mimecast | | Agent | Announcement. For technical instructions, contact the vendor. |
| Minerva Labs | | CEF | Please ask the vendor for instructions. |
| MISP | | TI (Platform) | |
| NetApp | ONTAP | Syslog | Note that these are management activity audit logs, not file usage activity logs. |
| Netflow | | Logstash | Use the Netflow codec plug-in. |
| Nexthink | | CEF | |
| Nozomi | Guardian | CEF | Contact vendor for details. |
| NXlog | | Direct | |
| Okta | SSO | Built-in (Function) | |
| One Identity | Safeguard | Built-in (CEF) | |
| Oracle | Cloud (OCI) | Custom (Azure Function) | Available here |
| Oracle | DB | Syslog | |
| Orca | | Built-in (API) | |
| OSSEC | | CEF | |
| PagerDuty | | Automation (Playbook) | |
| Palo Alto | CloudGenix | Syslog | |
| Palo Alto | MineMeld | TI (Platform) | |
| Palo Alto | PAN-OS | CEF | |
| Palo Alto | Panorama | CEF | |
| Palo Alto | Prisma | Syslog, Custom | Logic Apps using a Webhook, and clarification |
| Palo Alto | Traps through Cortex | Syslog | Notes: requires rsyslog configuration to support RFC 5424; TLS only (requires rsyslog TLS configuration); the certificate has to be signed by a public CA. |
| Palo Alto | XDR | CEF | |
| Palo Alto | XSOAR | Integration | |
| Perimeter 81 | | Built-in (API) | |
| Ping Identity | Federate | CEF | |
| Ping Identity | Provisioner | CEF | |
| PostgreSQL | DB | Syslog, Windows Event log | |
| Proofpoint | On Demand | Built-in (API) | |
| Proofpoint | TAP | Built-in (Function) | |
| Pulse | Connect | Built-in (Syslog) | |
| Qualys | VM | Built-in (Function) | |
| Radware | Cloud WAF | Logstash | |
| RedHat | OpenShift | Syslog, API | Instructions for Syslog |
| RedHat | Azure OpenShift | Syslog, Custom | Instructions for Syslog |
| RiskIQ | | Action (Logic Apps) | |
| Salesforce | Service Cloud | Built-in (Function) | |
| SAP | Hana | Syslog | Instructions (requires an SAP account) |
| SentinelOne | | CEF | Please consult the vendor for instructions. |
| SNMP | | Syslog | |
| Snort | | Agent | |
| SonicWall | | CEF | Make sure you select ArcSight as the Syslog format. |
| Sophos | Central | CEF | Instructions. Note that the script provided by Sophos has to be scheduled using a cron job, which is not documented on the reference page. |
| Sophos | XF Firewall | Built-in (Syslog) | Instructions |
| Squadra | secRMM | Built-in (API) | Instructions |
| Squid Proxy | | Built-in (Agent), Syslog | Configure access logs with either the TCP or UDP modules. Sentinel's built-in queries use the default log format. |
| Symantec | DLP | Syslog, CEF | Instructions. Note that only UDP is supported. Instructions. Uses response automation. |
| Symantec | ICDX | Built-in (API) | |
| Symantec | Proxy SG (Bluecoat) | Built-in (Syslog) | |
| Symantec | Endpoint Protection Manager | Syslog | Instructions |
| Symantec | Cloud Workload Protection | API | Instructions |
| Symantec | VIP | Built-in (Syslog) | Instructions |
| TheHive | | Integration | |
| Thinkst | Canary | Syslog | |
| ThreatConnect | | TI (Platform) | |
| ThreatQuotient | | TI (Platform) | |
| Thycotic | Secret Server | CEF | |
| TitanHQ | WebTitan Cloud | Syslog | |
| Trend Micro | | CEF | |
| Trend Micro | Apex Central (Cloud and On-prem) | CEF | |
| Trend Micro | Deep Security | CEF | |
| Tufin | SecureTrack | Syslog | |
| Varonis | DatAlert | CEF | |
| WatchGuard | | CEF | Instructions |
| Zimperium | Mobile Threat Defense | Built-in (API) | Instructions |
| Zscaler | Internet Access (ZIA) | Built-in (CEF) | Instructions |
| Zscaler | Private Access (ZPA) | Logstash | Use LSS. Since LSS sends raw TCP rather than Syslog, you have to use Logstash and not Azure Sentinel's native connector. |
| Zoom | | Custom | Using an Azure Function. See blog post. |