Connect data sources
Once you have enabled Azure Sentinel, the first thing you need to do is connect your data sources. Azure Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, Microsoft 365 sources (including Office 365), Azure AD, Microsoft Defender for Identity (formerly Azure ATP), Microsoft Cloud App Security, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog or REST-API to connect your data sources with Azure Sentinel.
On the menu, select Data connectors. This page lets you see the full list of connectors that Azure Sentinel provides and their status. Select the connector you want to connect and select Open connector page.
On the specific connector page, make sure you have fulfilled all the prerequisites and follow the instructions to connect the data to Azure Sentinel. It may take some time for the logs to start syncing with Azure Sentinel. After you connect, you see a summary of the data in the Data received graph, and connectivity status of the data types.
Click the Next steps tab to get a list of out-of-the-box content Azure Sentinel provides for the specific data type.
Data connection methods
The following data connection methods are supported by Azure Sentinel:
Service to service integration:
Some services, such as AWS and Microsoft services, are connected natively; they leverage the Azure foundation for out-of-the-box integration, and the following solutions can be connected in a few clicks:
- Amazon Web Services - CloudTrail
- Azure Active Directory - audit logs and sign-in logs
- Azure Activity
- Azure AD Identity Protection
- Azure DDoS Protection
- Azure Defender for IoT (formerly Azure Security Center for IoT)
- Azure Information Protection
- Azure Firewall
- Azure Security Center - alerts from Azure Defender solutions
- Azure Web Application Firewall (WAF) (formerly Microsoft WAF)
- Cloud App Security
- Domain name server
- Microsoft 365 Defender - includes MDATP raw data
- Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection)
- Microsoft Defender for Identity (formerly Azure Advanced Threat Protection)
- Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection)
- Office 365 (now with Teams!)
- Windows firewall
- Windows security events
External solutions via API: Some data sources are connected using APIs that are provided by the connected data source. Typically, most security technologies provide a set of APIs through which event logs can be retrieved. The APIs connect to Azure Sentinel, gather specific data types, and send them to Azure Log Analytics. Appliances connected via API include:
External solutions via agent: Azure Sentinel can be connected via an agent to any other data source that can perform real-time log streaming using the Syslog protocol.
Most appliances use the Syslog protocol to send event messages that include the log itself and data about the log. The format of the logs varies, but most appliances support CEF-based formatting for log data.
The Azure Sentinel agent, which is actually the Log Analytics agent, converts CEF-formatted logs into a format that can be ingested by Log Analytics. Depending on the appliance type, the agent is installed either directly on the appliance, or on a dedicated Linux-based log forwarder. The agent for Linux receives events from the Syslog daemon over UDP, but if a Linux machine is expected to collect a high volume of Syslog events, they are sent over TCP from the Syslog daemon to the agent and from there to Log Analytics.
- Firewalls, proxies, and endpoints - CEF:
- Firewalls, proxies, and endpoints - Syslog:
- DLP solutions
- Threat intelligence providers
- DNS machines - agent installed directly on the DNS machine
- Azure Stack VMs
- Linux servers
- Other clouds
To connect your external appliance to Azure Sentinel, the agent must be deployed on a dedicated machine (VM or on premises) to support the communication between the appliance and Azure Sentinel. You can deploy the agent automatically or manually. Automatic deployment is only available if your dedicated machine is a new VM you are creating in Azure.
Alternatively, you can deploy the agent manually on an existing Azure VM, on a VM in another cloud, or on an on-premises machine.
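The CEF-over-Syslog stream described above, as an added example that is not Microsoft's or the Log Analytics agent's code: a small Python parser that splits the seven pipe-delimited CEF header fields while honouring the `\|` and `\\` escapes, walks the key=value extension with its `\=` escapes, and recovers the Syslog facility and severity from the PRI. The sample line, the Contoso/EdgeFW device and the addresses in it are constructed.

```python
import re
# CEF header: CEF:Version|Vendor|Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# A key=value pair starts at line start or after whitespace; an escaped '\=' never matches it
_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")

def _split_header(cef):
    r"""Split the seven header fields on unescaped '|', decoding '\|' and '\\'."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        if cef[i] == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            buf.append(cef[i + 1])
            i += 2
            continue
        if cef[i] == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(cef[i])
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, cef[i:]  # whatever follows the seventh '|' is the extension

def _unescape_value(value):
    r"""Decode extension escapes: '\=' -> '=', '\\' -> '\', literal '\n' and '\r' -> newline."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _parse_extension(ext):
    """Walk key=value pairs; each value runs up to the next unescaped 'key=' token."""
    hits = list(_KEY_RE.finditer(ext))
    ends = [m.start() for m in hits[1:]] + [len(ext)]
    return {m.group(1): _unescape_value(ext[m.end():end].strip()) for m, end in zip(hits, ends)}

def parse_cef_line(line):
    """Parse one Syslog line carrying a CEF message into a flat record."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF: marker in line")
    pri = re.match(r"<(\d{1,3})>", line)  # optional Syslog PRI such as <134>
    fields, ext = _split_header(line[idx + 4:])
    record = dict(zip(HEADER_FIELDS, fields))
    record["syslog_facility"] = int(pri.group(1)) // 8 if pri else None
    record["syslog_severity"] = int(pri.group(1)) % 8 if pri else None
    record["extension"] = _parse_extension(ext)
    return record
# Constructed sample line: vendor, product and addresses are illustrative only.
SAMPLE = (r"<134>Feb 23 10:15:01 fw01 CEF:0|Contoso|EdgeFW|2.1|100|Rule \| hit|7|"
          r"src=10.1.2.3 dst=203.0.113.10 spt=51515 dpt=443 msg=Blocked by rule\=deny-all act=block")
```

Calling `parse_cef_line(SAMPLE)` yields the header fields with the escaped pipe restored in the name, facility 16 and severity 6 from the PRI, and six extension keys with `msg` decoded to `Blocked by rule=deny-all`.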
Map data types with Azure Sentinel connection options
|Data type|How to connect|Data connector?|Comments|
|---|---|---|---|
|AzureActivity|Connect Azure Activity and Activity logs overview|✓||
|AuditLogs|Connect Azure AD|✓||
|SigninLogs|Connect Azure AD|✓||
|InformationProtectionLogs_CL|Azure Information Protection reports; Connect Azure Information Protection|✓|This usually uses the InformationProtectionEvents function in addition to the data type. For more information, see How to modify the reports and create custom queries|
|AzureNetworkAnalytics_CL|Traffic analytic schema; Traffic analytics|||
|OfficeActivity|Connect Office 365|✓||
|SecurityEvents|Connect Windows security events|✓|For the Insecure Protocols workbooks, see Insecure protocols workbook setup|
|Microsoft Web Application Firewall (WAF) - (AzureDiagnostics)|Connect Microsoft Web Application Firewall|✓||
|ThreatIntelligenceIndicator|Connect threat intelligence|✓||
|Azure Monitor service map|Azure Monitor VM insights onboarding; Enable Azure Monitor VM insights; Using Single VM On-boarding; Using On-boarding Via Policy|✗|VM insights workbook|
|W3CIISLog|Connect IIS logs|✗||
|WireData|Connect Wire Data|✗||
|WindowsFirewall|Connect Windows Firewall|✓||
|AADIP SecurityAlert|Connect Azure AD Identity Protection|✓||
|AATP SecurityAlert|Connect Microsoft Defender for Identity (formerly Azure ATP)|✓||
|ASC SecurityAlert|Connect Azure Defender alerts from Azure Security Center|✓||
|MCAS SecurityAlert|Connect Microsoft Cloud App Security|✓||
|Sysmon (Event)|Connect Sysmon; Connect Windows Events; Get the Sysmon Parser|✗|Sysmon collection is not installed by default on virtual machines. For more information on how to install the Sysmon Agent, see Sysmon.|
|ConfigurationData|Automate VM inventory|✗||
|ConfigurationChange|Automate VM tracking|✗||
|F5 BIG-IP|Connect F5 BIG-IP|✗||
- To get started with Azure Sentinel, you need a subscription to Microsoft Azure. If you do not have a subscription, you can sign up for a free trial.
- Learn how to onboard your data to Azure Sentinel and get visibility into your data and potential threats.