Connect data sources
To on-board Azure Sentinel, you first need to connect to your data sources. Azure Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft Threat Protection solutions, and Microsoft 365 sources, including Office 365, Azure AD, Azure ATP, and Microsoft Cloud App Security, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use common event format, Syslog or REST-API to connect your data sources with Azure Sentinel as well.
On the menu, select Data connectors. This page lets you see the full list of connectors that Azure Sentinel provides and their status. Select the connector you want to connect and select Open connector page.
On the specific connector page, make sure you have fulfilled all the prerequisites and follow the instructions to connect the data to Azure Sentinel. It may take some time for the logs to start syncing with Azure Sentinel. After you connect, you see a summary of the data in the Data received graph, and connectivity status of the data types.
Click the Next steps tab to get a list of out-of-the-box content Azure Sentinel provides for the specific data type.
Data connection methods
The following data connection methods are supported by Azure Sentinel:
Microsoft services are connected natively, leveraging the Azure foundation for out-of-the box integration, the following solutions can be connected in a few clicks:
External solutions via API: Some data sources are connected using APIs that are provided by the connected data source. Typically, most security technologies provide a set of APIs through which event logs can be retrieved.The APIs connect to Azure Sentinel and gather specific data types and send them to Azure Log Analytics. Appliances connected via API include:
External solutions via agent: Azure Sentinel can be connected to all other data sources that can perform real-time log streaming using the Syslog protocol, via an agent.
Most appliances use the Syslog protocol to send event messages that include the log itself and data about the log. The format of the logs varies, but most appliances support the Common Event Format (CEF) based formatting for logs data.
The Azure Sentinel agent, which is based on the Log Analytics agent, converts CEF formatted logs into a format that can be ingested by Log Analytics. Depending on the appliance type, the agent is installed either directly on the appliance, or on a dedicated Linux server. The agent for Linux receives events from the Syslog daemon over UDP, but if a Linux machine is expected to collect a high volume of Syslog events, they are sent over TCP from the Syslog daemon to the agent and from there to Log Analytics.
- Firewalls, proxies, and endpoints:
- DLP solutions
- Threat intelligence providers
- DNS machines - agent installed directly on the DNS machine
- Linux servers
- Other clouds
To connect your external appliance to Azure Sentinel, the agent must be deployed on a dedicated machine (VM or on premises) to support the communication between the appliance and Azure Sentinel. You can deploy the agent automatically or manually. Automatic deployment is only available if your dedicated machine is a new VM you are creating in Azure.
Alternatively, you can deploy the agent manually on an existing Azure VM, on a VM in another cloud, or on an on-premises machine.
Map data types with Azure Sentinel connection options
|Data type||How to connect||Data connector?||Comments|
|AzureActivity||Connect Azure Activity and Activity logs overview||V|
|AuditLogs||Connect Azure AD||V|
|SigninLogs||Connect Azure AD||V|
|InformationProtectionLogs_CL||Azure Information Protection reports
Connect Azure Information Protection
|V||This usually uses the InformationProtectionEvents function in addition to the data type. For more information, see How to modify the reports and create custom queries|
|AzureNetworkAnalytics_CL||Traffic analytic schema Traffic analytics|
|OfficeActivity||Connect Office 365||V|
|SecurityEvents||Connect Windows security events||V||For the Insecure Protocols workbooks, see Insecure protocols workbook setup|
|Microsoft Web Application Firewall (WAF) - (AzureDiagnostics)||Connect Microsoft Web Application Firewall||V|
|ThreatIntelligenceIndicator||Connect threat intelligence||V|
|Azure Monitor service map
Azure Monitor VM insights onboarding
Enable Azure Monitor VM insights
Using Single VM On-boarding
Using On-boarding Via Policy
|X||VM insights workbook|
|W3CIISLog||Connect IIS logs||X|
|WireData||Connect Wire Data||X|
|WindowsFirewall||Connect Windows Firewall||V|
|AADIP SecurityAlert||Connect Azure AD Identity Protection||V|
|AATP SecurityAlert||Connect Azure ATP||V|
|ASC SecurityAlert||Connect Azure Security Center||V|
|MCAS SecurityAlert||Connect Microsoft Cloud App Security||V|
|Sysmon (Event)||Connect Sysmon
Connect Windows Events
Get the Sysmon Parser
|X||Sysmon collection is not installed by default on virtual machines. For more information on how to install the Sysmon Agent, see Sysmon.|
|ConfigurationData||Automate VM inventory||X|
|ConfigurationChange||Automate VM tracking||X|
|F5 BIG-IP||Connect F5 BIG-IP||X|
- To get started with Azure Sentinel, you need a subscription to Microsoft Azure. If you do not have a subscription, you can sign up for a free trial.
- Learn how to onboard your data to Azure Sentinel, and get visibility into your data, and potential threats.