Microsoft Sentinel data connectors

After you onboard Microsoft Sentinel into your workspace, use data connectors to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many out of the box connectors for Microsoft services, which integrate in real time. For example, the Microsoft Defender XDR connector is a service-to-service connector that integrates data from Office 365, Microsoft Entra ID, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps.

Built-in connectors enable connection to the broader security ecosystem for non-Microsoft products. For example, use Syslog, Common Event Format (CEF), or REST APIs to connect your data sources with Microsoft Sentinel.

Note

For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.

Important

Microsoft Sentinel is available as part of the unified security operations platform in the Microsoft Defender portal. Microsoft Sentinel in the Defender portal is now supported for production use. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

Data connectors provided with solutions

Microsoft Sentinel solutions provide packaged security content, including data connectors, workbooks, analytics rules, playbooks, and more. When you deploy a solution with a data connector, you get the data connector together with related content in the same deployment.

The Microsoft Sentinel Data connectors page lists the installed or in-use data connectors.

To add more data connectors, install the solution associated with the data connector from the Content Hub. For more information, see the following articles:

REST API integration for data connectors

Many security technologies provide a set of APIs for retrieving log files. Some data sources can use those APIs to connect to Microsoft Sentinel.

Data connectors that use APIs either integrate from the provider side or integrate using Azure Functions, as described in the following sections.

Integration on the provider side

An API integration built by the provider connects with the provider data sources and pushes data into Microsoft Sentinel custom log tables by using the Azure Monitor Data Collector API. For more information, see Send log data to Azure Monitor by using the HTTP Data Collector API.

To learn about REST API integration, read your provider documentation and Connect your data source to Microsoft Sentinel's REST-API to ingest data.

Integration using Azure Functions

Integrations that use Azure Functions to connect with a provider API first format the data, and then send it to Microsoft Sentinel custom log tables using the Azure Monitor Data Collector API.

For more information, see:

Integrations that use Azure Functions might have extra data ingestion costs, because you host Azure Functions in your Azure organization. Learn more about Azure Functions pricing.

Agent-based integration for data connectors

Microsoft Sentinel can use agents provided by the Azure Monitor service (on which Microsoft Sentinel is based) to collect data from any data source that can perform real-time log streaming. For example, most on-premises data sources connect by using agent-based integration.

The following sections describe the different types of Microsoft Sentinel agent-based data connectors. To configure connections using agent-based mechanisms, follow the steps in each Microsoft Sentinel data connector page.

Important

The Log Analytics agent will be retired on 31 August, 2024 and succeeded by the Azure Monitor Agent (AMA). If you are using the Log Analytics agent in your Microsoft Sentinel deployment, we recommend that you start planning your migration to the AMA. For more information, see AMA migration for Microsoft Sentinel.

Syslog and Common Event Format (CEF)

You can stream events from Linux-based, Syslog-supporting devices into Microsoft Sentinel by using the Azure Monitor Agent (AMA). Log formats vary, but many sources support CEF-based formatting. Depending on the device type, the agent is installed either directly on the device, or on a dedicated Linux-based log forwarder. The AMA receives plain Syslog or CEF event messages from the Syslog daemon over UDP. The Syslog daemon forwards events to the agent internally, communicating over TCP or UDS (Unix Domain Sockets), depending on the version. The AMA then transmits these events to the Microsoft Sentinel workspace.

Here's a simple flow that shows how Microsoft Sentinel streams Syslog data.

  1. The device's built-in Syslog daemon collects local events of the specified types, and forwards the events locally to the agent.
  2. The agent streams the events to your Log Analytics workspace.
  3. After successful configuration, Syslog messages appear in the Log Analytics Syslog table, and CEF messages in the CommonSecurityLog table.

For more information, see Syslog and Common Event Format (CEF) via AMA connectors for Microsoft Sentinel.

Custom logs

For some data sources, you can collect logs as files on Windows or Linux computers using the Log Analytics custom log collection agent.

To connect using the Log Analytics custom log collection agent, follow the steps in each Microsoft Sentinel data connector page. After successful configuration, the data appears in custom tables.

For more information, see Collect data in custom log formats to Microsoft Sentinel with the Log Analytics agent.

Service-to-service integration for data connectors

Microsoft Sentinel uses the Azure foundation to provide out-of-the-box service-to-service support for Microsoft services and Amazon Web Services.

For more information, see the following articles:

Data connector support

Both Microsoft and other organizations author Microsoft Sentinel data connectors. Each data connector has one of the following support types listed on the data connector page in Microsoft Sentinel.

Support type Description
Microsoft-supported Applies to:
  • Data connectors for data sources where Microsoft is the data provider and author.
  • Some Microsoft-authored data connectors for non-Microsoft data sources.
Microsoft supports and maintains data connectors in this category according to the Microsoft Azure Support Plans.

Partners or the Community support data connectors authored by any party other than Microsoft.
Partner-supported Applies to data connectors authored by parties other than Microsoft.

The partner company provides support or maintenance for these data connectors. The partner company can be an Independent Software Vendor, a Managed Service Provider (MSP/MSSP), a Systems Integrator (SI), or any organization whose contact information is provided on the Microsoft Sentinel page for that data connector.

For any issues with a partner-supported data connector, contact the specified data connector support contact.
Community-supported Applies to data connectors authored by Microsoft or partner developers that don't have listed contacts for data connector support and maintenance on the data connector page in Microsoft Sentinel.

For questions or issues with these data connectors, you can file an issue in the Microsoft Sentinel GitHub community.

For more information, see Find support for a data connector.

Next steps

For more information about data connectors, see the following articles.

For a basic Infrastructure as Code (IaC) reference of Bicep, Azure Resource Manager, and Terraform to deploy data connectors in Microsoft Sentinel, see Microsoft Sentinel data connector IaC reference.