Connect data sources


For information about feature availability in US Government clouds, see the Azure Sentinel tables in Cloud feature availability for US Government customers.

Once you have enabled Azure Sentinel, the first thing you need to do is connect your data sources. Azure Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, Microsoft 365 sources (including Office 365), Azure AD, Microsoft Defender for Identity (formerly Azure ATP), Microsoft Cloud App Security, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog, or the REST API to connect your data sources to Azure Sentinel.

  1. On the menu, select Data connectors. This page lets you see the full list of connectors that Azure Sentinel provides and their status. Select the connector you want to connect and select Open connector page.

    Data connectors gallery

  2. On the specific connector page, make sure you have fulfilled all the prerequisites and follow the instructions to connect the data to Azure Sentinel. It may take some time for the logs to start syncing with Azure Sentinel. After you connect, you see a summary of the data in the Data received graph, and connectivity status of the data types.

    Configure data connectors

  3. Click the Next steps tab to get a list of out-of-the-box content Azure Sentinel provides for the specific data type.

    Next steps for connectors

Data connection methods

The following data connection methods are supported by Azure Sentinel:

Agent connection options

To connect your external appliance to Azure Sentinel, the agent must be deployed on a dedicated machine (VM or on premises) to support the communication between the appliance and Azure Sentinel. You can deploy the agent automatically or manually. Automatic deployment is only available if your dedicated machine is a new VM you are creating in Azure.

CEF in Azure

Alternatively, you can deploy the agent manually on an existing Azure VM, on a VM in another cloud, or on an on-premises machine.

CEF on premises

Map data types with Azure Sentinel connection options

| Data type | How to connect | Data connector? | Comments |
|---|---|---|---|
| AWSCloudTrail | Connect AWS | | |
| AzureActivity | Connect Azure Activity and Activity logs overview | | |
| AuditLogs | Connect Azure AD | | |
| SigninLogs | Connect Azure AD | | |
| AzureFirewall | Azure Diagnostics | | |
| InformationProtectionLogs_CL | Azure Information Protection reports; Connect Azure Information Protection | | This usually uses the InformationProtectionEvents function in addition to the data type. For more information, see How to modify the reports and create custom queries. |
| AzureNetworkAnalytics_CL | Traffic analytic schema; Traffic analytics | | |
| CommonSecurityLog | Connect CEF | | |
| OfficeActivity | Connect Office 365 | | |
| SecurityEvents | Connect Windows security events | | For the Insecure Protocols workbooks, see Insecure protocols workbook setup. |
| Syslog | Connect Syslog | | |
| Microsoft Web Application Firewall (WAF) - (AzureDiagnostics) | Connect Microsoft Web Application Firewall | | |
| SymantecICDx_CL | Connect Symantec | | |
| ThreatIntelligenceIndicator | Connect threat intelligence | | |
| | Azure Monitor service map; Azure Monitor VM insights onboarding; Enable Azure Monitor VM insights; Using Single VM On-boarding; Using On-boarding Via Policy | | VM insights workbook |
| DnsEvents | Connect DNS | | |
| W3CIISLog | Connect IIS logs | | |
| WireData | Connect Wire Data | | |
| WindowsFirewall | Connect Windows Firewall | | |
| AADIP SecurityAlert | Connect Azure AD Identity Protection | | |
| AATP SecurityAlert | Connect Microsoft Defender for Identity (formerly Azure ATP) | | |
| ASC SecurityAlert | Connect Azure Defender alerts from Azure Security Center | | |
| MCAS SecurityAlert | Connect Microsoft Cloud App Security | | |
| Sysmon (Event) | Connect Sysmon; Connect Windows Events; Get the Sysmon Parser | | Sysmon collection is not installed by default on virtual machines. For more information on how to install the Sysmon Agent, see Sysmon. |
| ConfigurationData | Automate VM inventory | | |
| ConfigurationChange | Automate VM tracking | | |
| F5 BIG-IP | Connect F5 BIG-IP | | |
| Barracuda_CL | Connect Barracuda | | |
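
The following KQL, added here as an example and not part of the original article, is the check a practitioner runs in the workspace's Logs blade once the connectors above are set up: whether the dedicated agent machine for the CEF/Syslog connection is still sending heartbeats, and whether the data types mapped in the table are actually receiving data rather than only showing a connected status in the gallery. The forwarder name and the list of expected tables are assumptions; the Heartbeat and Usage tables are standard Log Analytics tables.

```kusto
// Added example (not from the article). Two checks in one result set:
//   "agent"     - the dedicated CEF/Syslog forwarder still reports in
//   "ingestion" - each expected data type received data in the last 24h
// Assumption: the forwarder VM is named "cef-forwarder-01" (placeholder).
let forwarder = "cef-forwarder-01";
// Table names as they appear in Usage.DataType; adjust to the connectors you enabled.
let expected = dynamic([
    "CommonSecurityLog", "Syslog", "SecurityEvent", "OfficeActivity",
    "SigninLogs", "AuditLogs", "AzureActivity", "DnsEvents",
    "WindowsFirewall", "ThreatIntelligenceIndicator"]);
// 1. The Log Analytics agent sends a Heartbeat about once a minute; a gap of
//    more than 15 minutes (or no heartbeat at all) means appliance events
//    forwarded through this machine are no longer reaching the workspace.
let agentCheck = Heartbeat
    | where Computer =~ forwarder
    | summarize LastSeen = max(TimeGenerated)
    | extend Check = "agent", Name = forwarder,
             Status = iff(isnull(LastSeen) or LastSeen < ago(15m), "STALE", "OK");
// 2. Usage records ingested volume per data type; a rightouter join against
//    the expected list keeps types that ingested nothing, which is the case
//    the connector page's status alone does not reveal.
let ingestCheck = Usage
    | where TimeGenerated > ago(24h) and DataType in (expected)
    | summarize MB = sum(Quantity), LastSeen = max(TimeGenerated) by DataType
    | join kind=rightouter (print DataType = expected | mv-expand DataType to typeof(string)) on DataType
    | project Check = "ingestion", Name = DataType1, LastSeen,
              Status = iff(isnull(MB), "NO DATA", "OK");
agentCheck
| union ingestCheck
| project Check, Name, LastSeen, Status
| order by Status asc
```

Rows with Status "STALE" or "NO DATA" are the ones to investigate first; an agent that is OK while CommonSecurityLog shows NO DATA usually points at the appliance-side forwarding configuration rather than the agent.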

Next steps