Find your Microsoft Sentinel data connector
This article lists all supported, out-of-the-box data connectors and links to each connector's deployment steps.
Important
- Noted Microsoft Sentinel data connectors are currently in Preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
- For connectors that use the Log Analytics agent, the agent will be retired on 31 August, 2024. If you are using the Log Analytics agent in your Microsoft Sentinel deployment, we recommend that you start planning your migration to the Azure Monitor Agent (AMA). For more information, see AMA migration for Microsoft Sentinel.
- Microsoft Sentinel is available as part of the unified security operations platform in the Microsoft Defender portal. Microsoft Sentinel in the Defender portal is now supported for production use. For more information, see Microsoft Sentinel in the Microsoft Defender portal.
Data connectors are available as part of the following offerings:
- Solutions: Many data connectors are deployed as part of a Microsoft Sentinel solution, together with related content like analytics rules, workbooks, and playbooks. For more information, see the Microsoft Sentinel solutions catalog.
- Community connectors: More data connectors are provided by the Microsoft Sentinel community and can be found in the Azure Marketplace. Documentation for community data connectors is the responsibility of the organization that created the connector.
- Custom connectors: If you have a data source that isn't listed or currently supported, you can also create your own custom connector. For more information, see Resources for creating Microsoft Sentinel custom connectors.
Note
For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.
Data connector prerequisites
Each data connector has its own set of prerequisites. Prerequisites might include specific permissions on your Azure workspace, subscription, or policy, or other requirements for the partner data source you're connecting to.
Prerequisites for each data connector are listed on the relevant data connector page in Microsoft Sentinel.
Syslog and Common Event Format (CEF) connectors
Some Microsoft Sentinel solutions are supported by the data connectors Syslog via AMA or Common Event Format (CEF) via AMA in Microsoft Sentinel. To forward data to your Log Analytics workspace for Microsoft Sentinel, complete the steps in Ingest Syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent. These steps include installing either the Common Event Format or Syslog solution from the Content hub in Microsoft Sentinel. Then, configure the related AMA connector that's installed with the solution. Complete the setup by configuring the appropriate devices or appliances. For more information, see the solution provider's installation instructions or contact the solution provider.
42Crunch
Abnormal Security Corporation
Akamai
AliCloud
Amazon Web Services
Apache
Apache Software Foundation
archTIS
ARGOS Cloud Security Pty Ltd
Arista Networks
Armis, Inc.
- Armis Activities (using Azure Functions)
- Armis Alerts (using Azure Functions)
- Armis Devices (using Azure Functions)
Armorblox
Aruba
Atlassian
Auth0
Better Mobile Security Inc.
Bitglass
Bitsight Technologies, Inc.
Blackberry
Bosch Global Software Technologies Pvt Ltd
Box
Broadcom
Cisco
- Cisco Application Centric Infrastructure
- Cisco ASA/FTD via AMA (Preview)
- Cisco Duo Security (using Azure Functions)
- Cisco Identity Services Engine
- Cisco Meraki
- Cisco Secure Endpoint (AMP) (using Azure Functions)
- Cisco Secure Cloud Analytics
- Cisco Stealthwatch
- Cisco UCS
- Cisco Umbrella (using Azure Functions)
- Cisco Web Security Appliance
Cisco Systems, Inc.
Citrix
Claroty
Cloudflare
Cognni
cognyte technologies israel ltd
CohesityDev
Corelight Inc.
Crowdstrike
- [Deprecated] CrowdStrike Falcon Endpoint Protection via Legacy Agent
- Crowdstrike Falcon Data Replicator (using Azure Functions)
- Crowdstrike Falcon Data Replicator V2 (using Azure Functions)
Cyber Defense Group B.V.
CyberArk
CyberPion
Cybersixgill
Cyborg Security, Inc.
Cynerio
Darktrace plc
Dataminr, Inc.
Defend Limited
DEFEND Limited
Derdack
Digital Guardian
Digital Shadows
Dynatrace
Elastic
Exabeam
F5, Inc.
Feedly, Inc.
Fireeye
- [Deprecated] FireEye Network Security (NX) via Legacy Agent
- [Recommended] FireEye Network Security (NX) via AMA
Flare Systems
Forescout
Fortinet
- [Deprecated] Fortinet via Legacy Agent
- Fortinet FortiNDR Cloud (using Azure Functions)
- [Deprecated] Fortinet FortiWeb Web Application Firewall via Legacy Agent
Gigamon, Inc
GitLab
- Google Cloud Platform DNS (using Azure Functions)
- Google Cloud Platform IAM (using Azure Functions)
- Google Cloud Platform Cloud Monitoring (using Azure Functions)
- Google ApigeeX (using Azure Functions)
- Google Workspace (G Suite) (using Azure Functions)
Greynoise Intelligence, Inc.
H.O.L.M. Security Sweden AB
HYAS Infosec Inc
Illumio
Imperva
Infoblox
Infosec Global
Insight VM / Rapid7
ISC
Island Technology Inc.
- Island Enterprise Browser Admin Audit (Polling CCP)
- Island Enterprise Browser User Activity (Polling CCP)
Ivanti
Jamf Software, LLC
Juniper
Kaspersky
- [Deprecated] Kaspersky Security Center via Legacy Agent
- [Recommended] Kaspersky Security Center via AMA
Linux
Lookout, Inc.
- Lookout (using Azure Function)
- Lookout Cloud Security for Microsoft Sentinel (using Azure Functions)
MailGuard Pty Limited
MarkLogic
McAfee
Microsoft
- Automated Logic WebCTRL
- Microsoft Entra ID
- Microsoft Entra ID Protection
- Azure Activity
- Azure Cognitive Search
- Azure DDoS Protection
- Azure Key Vault
- Azure Kubernetes Service (AKS)
- Microsoft Purview (Preview)
- Azure Storage Account
- Azure Web Application Firewall (WAF)
- Azure Batch Account
- Common Event Format (CEF)
- Common Event Format (CEF) via AMA
- Windows DNS Events via AMA
- Azure Event Hubs
- Microsoft 365 Insider Risk Management
- Azure Logic Apps
- Microsoft Defender for Identity
- Microsoft Defender XDR
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Endpoint
- Subscription-based Microsoft Defender for Cloud (Legacy)
- Tenant-based Microsoft Defender for Cloud (Preview)
- Microsoft Defender for Office 365 (Preview)
- Microsoft Power BI
- Microsoft Project
- Microsoft Purview Information Protection
- Network Security Groups
- Microsoft 365
- Security Events via Legacy Agent
- Windows Security Events via AMA
- Azure Service Bus
- Azure Stream Analytics
- Syslog
- Syslog via AMA
- Microsoft Defender Threat Intelligence (Preview)
- Threat intelligence - TAXII
- Threat Intelligence Platforms
- Threat Intelligence Upload Indicators API (Preview)
- Microsoft Defender for IoT
- Windows Firewall
- Windows Firewall Events via AMA (Preview)
- Windows Forwarded Events
Microsoft Corporation
Microsoft Corporation - sentinel4github
Microsoft Sentinel Community, Microsoft Corporation
- [Deprecated] Forcepoint CASB via Legacy Agent
- [Deprecated] Forcepoint CSG via Legacy Agent
- [Deprecated] Forcepoint NGFW via Legacy Agent
- [Recommended] Forcepoint CASB via AMA
- [Recommended] Forcepoint CSG via AMA
- [Recommended] Forcepoint NGFW via AMA
- Barracuda CloudGen Firewall
- Exchange Security Insights Online Collector (using Azure Functions)
- Exchange Security Insights On-Premise Collector
- Microsoft Exchange Logs and Events
- Forcepoint DLP
- MISP2Sentinel
Mimecast North America
- Mimecast Audit & Authentication (using Azure Functions)
- Mimecast Secure Email Gateway (using Azure Functions)
- Mimecast Intelligence for Microsoft - Microsoft Sentinel (using Azure Functions)
- Mimecast Targeted Threat Protection (using Azure Functions)
MongoDB
MuleSoft
Nasuni Corporation
NetClean Technologies AB
Netskope
- Netskope (using Azure Functions)
- Netskope Data Connector (using Azure Functions)
- Netskope Web Transactions Data Connector (using Azure Functions)
Netwrix
Nginx
Noname Gate, Inc.
Nozomi Networks
NXLog Ltd.
Okta
OneLogin
OpenVPN
Oracle
- Oracle Cloud Infrastructure (using Azure Functions)
- Oracle Database Audit
- Oracle WebLogic Server (using Azure Functions)
Orca Security, Inc.
OSSEC
Palo Alto Networks
- [Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via Legacy Agent
- [Recommended] Palo Alto Networks Cortex Data Lake (CDL) via AMA
- Palo Alto Prisma Cloud CSPM (using Azure Functions)
Perimeter 81
Ping Identity
PostgreSQL
Prancer Enterprise
Proofpoint
Pulse Secure
Qualys
- Qualys Vulnerability Management (using Azure Functions)
- Qualys VM KnowledgeBase (using Azure Functions)
RedHat
Ridge Security Technology Inc.
RSA
Rubrik, Inc.
SailPoint
Salesforce
Secure Practice
SecurityBridge
Senserva, LLC
SentinelOne
SERAPHIC ALGORITHMS LTD
Slack
Snowflake
SonicWall Inc
Sonrai Security
Sophos
Squid
Symantec
- Symantec Endpoint Protection
- Symantec VIP
- Symantec ProxySG
- Symantec Integrated Cyber Defense Exchange
TALON CYBER SECURITY LTD
Tenable
The Collective Consulting BV
TheHive
Theom, Inc.
Trend Micro
TrendMicro
Ubiquiti
Valence Security Inc.
Vectra AI, Inc
VMware
WatchGuard Technologies
WithSecure
Wiz, Inc.
ZERO NETWORKS LTD
Zimperium, Inc.
Zoom
Zscaler