Find your Microsoft Sentinel data connector

Note

Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.

This article describes how to deploy data connectors in Microsoft Sentinel, listing all supported, out-of-the-box data connectors, together with links to generic deployment procedures, and extra steps required for specific connectors.

Tip

Some data connectors are deployed only via solutions. For more information, see the Microsoft Sentinel solutions catalog. You can also find other, community-built data connectors in the Microsoft Sentinel GitHub repository.

How to use this guide

  1. First, locate and select the connector for your product, service, or device in the headings menu to the right.

    The first piece of information you'll see for each connector is its data ingestion method. The method that appears there will be a link to one of the following generic deployment procedures, which contain most of the information you'll need to connect your data sources to Microsoft Sentinel:

    Data ingestion method Linked article with instructions
    Azure service-to-service integration Connect to Azure, Windows, Microsoft, and Amazon services
    Common Event Format (CEF) over Syslog Get CEF-formatted logs from your device or appliance into Microsoft Sentinel
    Microsoft Sentinel Data Collector API Connect your data source to the Microsoft Sentinel Data Collector API to ingest data
    Azure Functions and the REST API Use Azure Functions to connect Microsoft Sentinel to your data source
    Syslog Collect data from Linux-based sources using Syslog
    Custom logs Collect data in custom log formats to Microsoft Sentinel with the Log Analytics agent

    Note

    The Azure service-to-service integration data ingestion method links to three different sections of its article, depending on the connector type. Each connector's section below specifies the section within that article that it links to.

  2. When deploying a specific connector, choose the appropriate article linked to its data ingestion method, and use the information and extra guidance in the relevant section below to supplement the information in that article.

Tip

  • Many data connectors can also be deployed as part of a Microsoft Sentinel solution, together with related analytics rules, workbooks and playbooks. For more information, see the Microsoft Sentinel solutions catalog.

  • More data connectors are provided by the Microsoft Sentinel community and can be found in the Azure Marketplace. Documentation for community data connectors is the responsibility of the organization that created the connector.

  • If you have a data source that isn't listed or currently supported, you can also create your own, custom connector. For more information, see Resources for creating Microsoft Sentinel custom connectors.

Important

Noted Microsoft Sentinel data connectors are currently in Preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Agari Phishing Defense and Brand Protection (Preview)

Connector attribute Description
Data ingestion method Azure Functions and the REST API

Before deployment: Enable the Security Graph API (Optional).
After deployment: Assign necessary permissions to your Function App
Log Analytics table(s) agari_bpalerts_log_CL
agari_apdtc_log_CL
agari_apdpolicy_log_CL
Azure Function App code https://aka.ms/Sentinel-agari-functionapp
API credentials
  • Client ID
  • Client Secret
  • (Optional: Graph Tenant ID, Graph Client ID, Graph Client Secret)
  • Vendor documentation/
    installation instructions
  • Quick Start
  • Agari Developers Site
  • Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
  • Application settings
  • clientID
  • clientSecret
  • workspaceID
  • workspaceKey
  • enableBrandProtectionAPI (true/false)
  • enablePhishingResponseAPI (true/false)
  • enablePhishingDefenseAPI (true/false)
  • resGroup (enter Resource group)
  • functionName
  • subId (enter Subscription ID)
  • enableSecurityGraphSharing (true/false; see below)
    Required if enableSecurityGraphSharing is set to true (see below):
  • GraphTenantId
  • GraphClientId
  • GraphClientSecret
  • logAnalyticsUri (optional)
  • Supported by Agari

    Enable the Security Graph API (Optional)

    Important

    If you perform this step, do this before you deploy your data connector.

    The Agari Function App allows you to share threat intelligence with Microsoft Sentinel via the Security Graph API. To use this feature, you'll need to enable the Sentinel Threat Intelligence Platforms connector and also register an application in Azure Active Directory.

    This process will give you three pieces of information for use when deploying the Function App: the Graph tenant ID, the Graph client ID, and the Graph client secret (see the Application settings in the table above).

    Assign necessary permissions to your Function App

    The Agari connector uses an environment variable to store log access timestamps. In order for the application to write to this variable, permissions must be assigned to the system assigned identity.

    1. In the Azure portal, navigate to Function App.
    2. In the Function App page, select your Function App from the list, then select Identity under Settings in the Function App's navigation menu.
    3. In the System assigned tab, set the Status to On.
    4. Select Save, and an Azure role assignments button will appear. Select it.
    5. In the Azure role assignments screen, select Add role assignment. Set Scope to Subscription, select your subscription from the Subscription drop-down, and set Role to App Configuration Data Owner.
    6. Select Save.

    AI Analyst (AIA) by Darktrace (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog

    Configure CEF log forwarding for AI Analyst
    Log Analytics table(s) CommonSecurityLog
    Supported by Darktrace

    Configure CEF log forwarding for AI Analyst

    Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Log Analytics agent.

    1. Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin.
    2. From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.
    3. A configuration window will open. Locate Microsoft Sentinel Syslog CEF and select New to reveal the configuration settings, unless already exposed.
    4. In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls.
    5. Configure any alert thresholds, time offsets, or extra settings as required.
    6. Review any extra configuration options you may wish to enable that alter the Syslog syntax.
    7. Enable Send Alerts and save your changes.

    AI Vectra Detect (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog

    Configure CEF log forwarding for AI Vectra Detect
    Log Analytics table(s) CommonSecurityLog
    Supported by Vectra AI

    Configure CEF log forwarding for AI Vectra Detect

    Configure Vectra (X Series) Agent to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Log Analytics agent.

    From the Vectra interface, navigate to Settings > Notifications and choose Edit Syslog configuration. Follow the instructions below to set up the connection:

    • Add a new Destination (the hostname of the log forwarder)
    • Set the Port as 514
    • Set the Protocol as UDP
    • Set the format to CEF
    • Set Log types (select all log types available)
    • Select Save

    You can select the Test button to force the sending of some test events to the log forwarder.

    For more information, see the Cognito Detect Syslog Guide, which can be downloaded from the resource page in Detect UI.

    Akamai Security Events (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog, with a Kusto function parser
    Log Analytics table(s) CommonSecurityLog
    Kusto function alias: AkamaiSIEMEvent
    Kusto function URL: https://aka.ms/Sentinel-akamaisecurityevents-parser
    Vendor documentation/
    installation instructions
    Configure Security Information and Event Management (SIEM) integration
    Set up a CEF connector.
    Supported by Akamai

    Alcide kAudit

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) alcide_kaudit_activity_1_CL - Alcide kAudit activity logs
    alcide_kaudit_detections_1_CL - Alcide kAudit detections
    alcide_kaudit_selections_count_1_CL - Alcide kAudit activity counts
    alcide_kaudit_selections_details_1_CL - Alcide kAudit activity details
    Vendor documentation/
    installation instructions
    Alcide kAudit installation guide
    Supported by Alcide

    Alsid for Active Directory

    Connector attribute Description
    Data ingestion method Log Analytics agent - custom logs

    Extra configuration for Alsid
    Log Analytics table(s) AlsidForADLog_CL
    Kusto function alias: afad_parser
    Kusto function URL: https://aka.ms/Sentinel-alsidforad-parser
    Supported by Alsid

    Extra configuration for Alsid

    1. Configure the Syslog server

      You will first need a linux Syslog server that Alsid for AD will send logs to. Typically you can run rsyslog on Ubuntu.

      You can then configure this server as you wish, but we recommend that to be able to output AFAD logs in a separate file. Alternatively you can use a Quickstart template to deploy the Syslog server and the Microsoft agent for you. If you do use the template, you can skip the agent installation instructions.

    2. Configure Alsid to send logs to your Syslog server

      On your Alsid for AD portal, go to System, Configuration, and then Syslog. From there, you can create a new Syslog alert toward your Syslog server.

      Once you've created a new Syslog alert, check that the logs are correctly gathered on your server in a separate file. For example, to check your logs, you can use the Test the configuration button in the Syslog alert configuration in AFAD. If you used the Quickstart template, the Syslog server will by default listen on port 514 in UDP and 1514 in TCP, without TLS.

    Amazon Web Services

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data
    (Top connector article)
    Log Analytics table(s) AWSCloudTrail
    Supported by Microsoft

    Amazon Web Services S3 (Preview)

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data
    (Top connector article)
    Log Analytics table(s) AWSCloudTrail
    AWSGuardDuty
    AWSVPCFlow
    Supported by Microsoft

    Apache HTTP Server

    Connector attribute Description
    Data ingestion method Log Analytics agent - custom logs
    Log Analytics table(s) ApacheHTTPServer_CL
    Kusto function alias: ApacheHTTPServer
    Kusto function URL: https://aka.ms/Sentinel-apachehttpserver-parser
    Custom log sample file: access.log or error.log

    Apache Tomcat

    Connector attribute Description
    Data ingestion method Log Analytics agent - custom logs
    Log Analytics table(s) Tomcat_CL
    Kusto function alias: TomcatEvent
    Kusto function URL: https://aka.ms/Sentinel-ApacheTomcat-parser
    Custom log sample file: access.log or error.log

    Aruba ClearPass (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog, with a Kusto function parser
    Log Analytics table(s) CommonSecurityLog
    Kusto function alias: ArubaClearPass
    Kusto function URL: https://aka.ms/Sentinel-arubaclearpass-parser
    Vendor documentation/
    installation instructions
    Follow Aruba's instructions to configure ClearPass.
    Supported by Microsoft

    Atlassian Confluence Audit (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API
    Log Analytics table(s) Confluence_Audit_CL
    Azure Function App code https://aka.ms/Sentinel-confluenceauditapi-functionapp
    API credentials
  • ConfluenceAccessToken
  • ConfluenceUsername
  • ConfluenceHomeSiteName
  • Vendor documentation/
    installation instructions
  • API Documentation
  • Requirements and instructions for obtaining credentials
  • View the audit log
  • Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
  • Kusto function alias ConfluenceAudit
    Kusto function URL/
    Parser config instructions
    https://aka.ms/Sentinel-confluenceauditapi-parser
    Application settings
  • ConfluenceUsername
  • ConfluenceAccessToken
  • ConfluenceHomeSiteName
  • WorkspaceID
  • WorkspaceKey
  • logAnalyticsUri (optional)
  • Supported by Microsoft

    Atlassian Jira Audit (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API
    Log Analytics table(s) Jira_Audit_CL
    Azure Function App code https://aka.ms/Sentinel-jiraauditapi-functionapp
    API credentials
  • JiraAccessToken
  • JiraUsername
  • JiraHomeSiteName
  • Vendor documentation/
    installation instructions
  • API Documentation - Audit records
  • Requirements and instructions for obtaining credentials
  • Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
  • Kusto function alias JiraAudit
    Kusto function URL/
    Parser config instructions
    https://aka.ms/Sentinel-jiraauditapi-parser
    Application settings
  • JiraUsername
  • JiraAccessToken
  • JiraHomeSiteName
  • WorkspaceID
  • WorkspaceKey
  • logAnalyticsUri (optional)
  • Supported by Microsoft

    Azure Active Directory

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Connect Azure Active Directory data to Microsoft Sentinel
    (Top connector article)
    License prerequisites/
    Cost information
  • Azure Active Directory P1 or P2 license for sign-in logs
  • Any Azure AD license (Free/O365/P1/P2) for other log types
    Other charges may apply
  • Log Analytics table(s) SigninLogs
    AuditLogs
    AADNonInteractiveUserSignInLogs
    AADServicePrincipalSignInLogs
    AADManagedIdentitySignInLogs
    AADProvisioningLogs
    ADFSSignInLogs
    Supported by Microsoft

    Azure Active Directory Identity Protection

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    API-based connections
    License prerequisites/
    Cost information
    Azure AD Premium P2 subscription
    Other charges may apply
    Log Analytics table(s) SecurityAlert
    Supported by Microsoft

    Azure Activity

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Diagnostic settings-based connections, managed by Azure Policy


    Upgrade to the new Azure Activity connector
    Log Analytics table(s) AzureActivity
    Supported by Microsoft

    Upgrade to the new Azure Activity connector

    Data structure changes

    This connector recently changed its back-end mechanism for collecting Activity log events. It is now using the diagnostic settings pipeline. If you're still using the legacy method for this connector, you are strongly encouraged to upgrade to the new version, which provides better functionality and greater consistency with resource logs. See the instructions below.

    The diagnostic settings method sends the same data that the legacy method sent from the Activity log service, although there have been some changes to the structure of the AzureActivity table.

    Here are some of the key improvements resulting from the move to the diagnostic settings pipeline:

    • Improved ingestion latency (event ingestion within 2-3 minutes of occurrence instead of 15-20 minutes).
    • Improved reliability.
    • Improved performance.
    • Support for all categories of events logged by the Activity log service (the legacy mechanism supports only a subset - for example, no support for Service Health events).
    • Management at scale with Azure Policy.

    See the Azure Monitor documentation for more in-depth treatment of Azure Activity log and the diagnostic settings pipeline.

    Disconnect from old pipeline

    Before setting up the new Azure Activity log connector, you must disconnect the existing subscriptions from the legacy method.

    1. From the Microsoft Sentinel navigation menu, select Data connectors. From the list of connectors, select Azure Activity, and then select the Open connector page button on the lower right.

    2. Under the Instructions tab, in the Configuration section, in step 1, review the list of your existing subscriptions that are connected to the legacy method (so you know which ones to add to the new), and disconnect them all at once by clicking the Disconnect All button below.

    3. Continue setting up the new connector with the instructions linked in the table above.

    Azure DDoS Protection

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Diagnostic settings-based connections
    License prerequisites/
    Cost information
  • You must have a configured Azure DDoS Standard protection plan.
  • You must have a configured virtual network with Azure DDoS Standard enabled
    Other charges may apply
  • Log Analytics table(s) AzureDiagnostics
    Recommended diagnostics DDoSProtectionNotifications
    DDoSMitigationFlowLogs
    DDoSMitigationReports
    Supported by Microsoft

    Microsoft Defender for Cloud

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Connect security alerts from Microsoft Defender for Cloud
    (Top connector article)
    Log Analytics table(s) SecurityAlert
    Supported by Microsoft

    Microsoft Defender for IoT

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    API-based connections
    Log Analytics table(s) SecurityAlert
    Supported by Microsoft

    Azure Firewall

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Diagnostic settings-based connections
    Log Analytics table(s) AzureDiagnostics
    Recommended diagnostics AzureFirewallApplicationRule
    AzureFirewallNetworkRule
    AzureFirewallDnsProxy
    Supported by Microsoft

    Azure Information Protection

    Connector attribute Description
    Data ingestion method Azure service-to-service integration
    Log Analytics table(s) InformationProtectionLogs_CL
    Supported by Microsoft

    For more information, see the Azure Information Protection documentation.

    Azure Key Vault

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Diagnostic settings-based connections, managed by Azure Policy
    Log Analytics table(s) KeyVaultData
    Supported by Microsoft

    Azure Kubernetes Service (AKS)

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Diagnostic settings-based connections, managed by Azure Policy
    Log Analytics table(s) kube-apiserver
    kube-audit
    kube-audit-admin
    kube-controller-manager
    kube-scheduler
    cluster-autoscaler
    guard
    Supported by Microsoft

    Azure SQL Databases

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Diagnostic settings-based connections, managed by Azure Policy


    Also available in the Azure SQL and Microsoft Sentinel for SQL PaaS solutions
    Log Analytics table(s) SQLSecurityAuditEvents
    SQLInsights
    AutomaticTuning
    QueryStoreWaitStatistics
    Errors
    DatabaseWaitStatistics
    Timeouts
    Blocks
    Deadlocks
    Basic
    InstanceAndAppAdvanced
    WorkloadManagement
    DevOpsOperationsAudit
    Supported by Microsoft

    Azure Storage Account

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Diagnostic settings-based connections


    Notes about storage account diagnostic settings configuration
    Log Analytics table(s) StorageBlobLogs
    StorageQueueLogs
    StorageTableLogs
    StorageFileLogs
    Recommended diagnostics Account resource
  • Transaction
    Blob/Queue/Table/File resources
  • StorageRead
  • StorageWrite
  • StorageDelete
  • Transaction
  • Supported by Microsoft

    Notes about storage account diagnostic settings configuration

    The storage account (parent) resource has within it other (child) resources for each type of storage: files, tables, queues, and blobs.

    When configuring diagnostics for a storage account, you must select and configure, in turn:

    • The parent account resource, exporting the Transaction metric.
    • Each of the child storage-type resources, exporting all the logs and metrics (see the table above).

    You will only see the storage types that you actually have defined resources for.

    Azure Web Application Firewall (WAF)

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Diagnostic settings-based connections
    Log Analytics table(s) AzureDiagnostics
    Recommended diagnostics Application Gateway
  • ApplicationGatewayAccessLog
  • ApplicationGatewayFirewallLog
    Front Door
  • FrontdoorAccessLog
  • FrontdoorWebApplicationFirewallLog
    CDN WAF policy
  • WebApplicationFirewallLogs
  • Supported by Microsoft

    Barracuda CloudGen Firewall

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    Kusto function alias: CGFWFirewallActivity
    Kusto function URL: https://aka.ms/Sentinel-barracudacloudfirewall-function
    Vendor documentation/
    installation instructions
    https://aka.ms/Sentinel-barracudacloudfirewall-connector
    Supported by Barracuda

    Barracuda WAF

    Connector attribute Description
    Data ingestion method Log Analytics agent - custom logs
    Log Analytics table(s) Syslog
    Vendor documentation/
    installation instructions
    https://aka.ms/asi-barracuda-connector
    Supported by Barracuda

    BETTER Mobile Threat Defense (MTD) (Preview)

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) BetterMTDDeviceLog_CL
    BetterMTDIncidentLog_CL
    BetterMTDAppLog_CL
    BetterMTDNetflowLog_CL
    Vendor documentation/
    installation instructions
    BETTER MTD Documentation

    Threat Policy setup, which defines the incidents that are reported to Microsoft Sentinel:
    1. In Better MTD Console, select Policies on the side bar.
    2. Select the Edit button of the Policy that you are using.
    3. For each Incident type that you want to be logged, go to Send to Integrations field and select Sentinel.
    Supported by Better Mobile

    Beyond Security beSECURE

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) beSECURE_ScanResults_CL
    beSECURE_ScanEvents_CL
    beSECURE_Audit_CL
    Vendor documentation/
    installation instructions
    Access the Integration menu:
    1. Select the More menu option.
    2. Select Server
    3. Select Integration
    4. Enable Microsoft Sentinel
    5. Paste the Workspace ID and Primary Key values in the beSECURE configuration.
    6. Select Modify.
    Supported by Beyond Security

    BlackBerry CylancePROTECT (Preview)

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    Kusto function alias: CylancePROTECT
    Kusto function URL: https://aka.ms/Sentinel-cylanceprotect-parser
    Vendor documentation/
    installation instructions
    Cylance Syslog Guide
    Supported by Microsoft

    Broadcom Symantec Data Loss Prevention (DLP) (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog, with a Kusto function parser
    Log Analytics table(s) CommonSecurityLog
    Kusto function alias: SymantecDLP
    Kusto function URL: https://aka.ms/Sentinel-symantecdlp-parser
    Vendor documentation/
    installation instructions
    Configuring the Log to a Syslog Server action
    Supported by Microsoft

    Check Point

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog

    Available from the Check Point solution
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    Log Exporter - Check Point Log Export
    Supported by Check Point

    Cisco ASA

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog

    Available in the Cisco ASA solution
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    Cisco ASA Series CLI Configuration Guide
    Supported by Microsoft

    Cisco Firepower eStreamer (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog

    Extra configuration for Cisco Firepower eStreamer
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    eStreamer eNcore for Sentinel Operations Guide
    Supported by Cisco

    Extra configuration for Cisco Firepower eStreamer

    1. Install the Firepower eNcore client
      Install and configure the Firepower eNcore eStreamer client. For more information, see the full Cisco install guide.

    2. Download the Firepower Connector from GitHub
      Download the latest version of the Firepower eNcore connector for Microsoft Sentinel from the Cisco GitHub repository. If you plan on using python3, use the python3 eStreamer connector.

    3. Create a pkcs12 file using the Azure/VM IP Address
      Create a pkcs12 certificate using the public IP of the VM instance in Firepower under System > Integration > eStreamer. For more information, see the install guide.

    4. Test Connectivity between the Azure/VM Client and the FMC
      Copy the pkcs12 file from the FMC to the Azure/VM instance and run the test utility (./encore.sh test) to ensure a connection can be established. For more information, see the setup guide.

    5. Configure eNcore to stream data to the agent
      Configure eNcore to stream data via TCP to the Log Analytics Agent. This configuration should be enabled by default, but extra ports and streaming protocols can be configured depending on your network security posture. It is also possible to save the data to the file system. For more information, see Configure eNcore.

    Cisco Meraki (Preview)

    Connector attribute Description
    Data ingestion method Syslog

    Available in the Cisco ISE solution
    Log Analytics table(s) Syslog
    Kusto function alias: CiscoMeraki
    Kusto function URL: https://aka.ms/Sentinel-ciscomeraki-parser
    Vendor documentation/
    installation instructions
    Meraki Device Reporting documentation
    Supported by Microsoft

    Cisco Umbrella (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API

    Available in the Cisco Umbrella solution
    Log Analytics table(s) Cisco_Umbrella_dns_CL
    Cisco_Umbrella_proxy_CL
    Cisco_Umbrella_ip_CL
    Cisco_Umbrella_cloudfirewall_CL
    Azure Function App code https://aka.ms/Sentinel-CiscoUmbrellaConn-functionapp
    API credentials
  • AWS Access Key ID
  • AWS Secret Access Key
  • AWS S3 Bucket Name
  • Vendor documentation/
    installation instructions
  • Logging to Amazon S3
  • Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
  • Kusto function alias Cisco_Umbrella
    Kusto function URL/
    Parser config instructions
    https://aka.ms/Sentinel-ciscoumbrella-function
    Application settings
  • WorkspaceID
  • WorkspaceKey
  • S3Bucket
  • AWSAccessKeyId
  • AWSSecretAccessKey
  • logAnalyticsUri (optional)
  • Supported by Microsoft

    Cisco Unified Computing System (UCS) (Preview)

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    Kusto function alias: CiscoUCS
    Kusto function URL: https://aka.ms/Sentinel-ciscoucs-function
    Vendor documentation/
    installation instructions
    Set up Syslog for Cisco UCS - Cisco
    Supported by Microsoft

    Citrix Analytics (Security)

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) CitrixAnalytics_SAlerts_CL​
    Vendor documentation/
    installation instructions
    Connect Citrix to Microsoft Sentinel
    Supported by Citrix Systems

    Citrix Web App Firewall (WAF) (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    To configure WAF, see Support WIKI - WAF Configuration with NetScaler.

    To configure CEF logs, see CEF Logging Support in the Application Firewall.

    To forward the logs to proxy, see Configuring Citrix ADC appliance for audit logging.
    Supported by Citrix Systems

    Cognni (Preview)

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) CognniIncidents_CL
    Vendor documentation/
    installation instructions
    Connect to Cognni
    1. Go to Cognni integrations page.
    2. Select Connect on the Microsoft Sentinel box.
    3. Paste workspaceId and sharedKey (Primary Key) to the fields on Cognni's integrations screen.
    4. Select the Connect button to complete the configuration.
    Supported by Cognni

    Continuous Threat Monitoring for SAP (Preview)

    Connector attribute Description
    Data ingestion method Only available after installing the Continuous Threat Monitoring for SAP solution
    Log Analytics table(s) See Microsoft Sentinel SAP solution logs reference
    Vendor documentation/
    installation instructions
    Deploy SAP continuous threat monitoring
    Supported by Microsoft

    CyberArk Enterprise Password Vault (EPV) Events (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    Security Information and Event Management (SIEM) Applications
    Supported by CyberArk

    Cyberpion Security Logs (Preview)

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) CyberpionActionItems_CL
    Vendor documentation/
    installation instructions
    Get a Cyberpion subscription
    Integrate Cyberpion security alerts into Microsoft Sentinel
    Supported by Cyberpion

    DNS (Preview)

    See Windows DNS Server (Preview).

    Dynamics 365

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    API-based connections


    Also available as part of the Microsoft Sentinel 4 Dynamics 365 solution
    License prerequisites/
    Cost information
  • Microsoft Dynamics 365 production license. Not available for sandbox environments.
  • Microsoft 365 Enterprise E3 or E5 subscription is required to do Activity Logging.
    Other charges may apply
  • Log Analytics table(s) Dynamics365Activity
    Supported by Microsoft

    ESET Enterprise Inspector (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API

    Create an API user
    Log Analytics table(s) ESETEnterpriseInspector_CL​
    API credentials
  • EEI Username
  • EEI Password
  • Base URL
  • Vendor documentation/
    installation instructions
  • ESET Enterprise Inspector REST API documentation
  • Connector deployment instructions Single-click deployment via Azure Resource Manager (ARM) template
    Supported by ESET

    Create an API user

    1. Log into the ESET Security Management Center / ESET PROTECT console with an administrator account, select the More tab and the Users subtab.
    2. Select the ADD NEW button and add a native user.
    3. Create a new user for the API account. Optional: Select a Home group other than All to limit what detections are ingested.
    4. Under the Permission Sets tab, assign the Enterprise Inspector reviewer permission set.
    5. Sign out of the administrator account and log into the console with the new API credentials for validation, then sign out of the API account.

    ESET Security Management Center (SMC) (Preview)

    Connector attribute Description
    Data ingestion method Syslog

    Configure the ESET SMC logs to be collected
    Configure OMS agent to pass Eset SMC data in API format
    Change OMS agent configuration to catch tag oms.api.eset and parse structured data
    Disable automatic configuration and restart agent
    Log Analytics table(s) eset_CL
    Vendor documentation/
    installation instructions
    ESET Syslog server documentation
    Supported by ESET

    Configure the ESET SMC logs to be collected

    Configure rsyslog to accept logs from your Eset SMC IP address.

        sudo -i
        # Set ESET SMC source IP address
        export ESETIP={Enter your IP address}
    
        # Create rsyslog configuration file
        cat > /etc/rsyslog.d/80-remote.conf << EOF
        \$ModLoad imudp
        \$UDPServerRun 514
        \$ModLoad imtcp
        \$InputTCPServerRun 514
        \$AllowedSender TCP, 127.0.0.1, $ESETIP
        \$AllowedSender UDP, 127.0.0.1, $ESETIP user.=alert;user.=crit;user.=debug;user.=emerg;user.=err;user.=info;user.=notice;user.=warning  @127.0.0.1:25224
        EOF
    
        # Restart rsyslog
        systemctl restart rsyslog
    

    Configure OMS agent to pass Eset SMC data in API format

    In order to easily recognize Eset data, push it to a separate table and parse at agent to simplify and speed up your Microsoft Sentinel query.

    In the /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsagent.conf file, modify the match oms.** section to send data as API objects, by changing the type to out_oms_api.

    The following code is an example of the full match oms.** section:

        <match oms.** docker.**>
          type out_oms_api
          log_level info
          num_threads 5
          run_in_background false
    
          omsadmin_conf_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsadmin.conf
          cert_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/certs/oms.crt
          key_path /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/certs/oms.key
    
          buffer_chunk_limit 15m
          buffer_type file
          buffer_path /var/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/state/out_oms_common*.buffer
    
          buffer_queue_limit 10
          buffer_queue_full_action drop_oldest_chunk
          flush_interval 20s
          retry_limit 10
          retry_wait 30s
          max_retry_wait 9m
        </match>
    

    Change OMS agent configuration to catch tag oms.api.eset and parse structured data

    Modify the /etc/opt/microsoft/omsagent/{REPLACEyourworkspaceid}/conf/omsagent.d/syslog.conf file.

    For example:

        <source>
          type syslog
          port 25224
          bind 127.0.0.1
          protocol_type udp
          tag oms.api.eset
        </source>
    
        <filter oms.api.**>
          @type parser
          key_name message
          format /(?<message>.*?{.*})/
        </filter>
    
        <filter oms.api.**>
          @type parser
          key_name message
          format json
        </filter>
    

    Disable automatic configuration and restart agent

    For example:

        # Disable changes to configuration files from Portal
        sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'
    
        # Restart agent
        sudo /opt/microsoft/omsagent/bin/service_control restart
    
        # Check agent logs
        tail -f /var/opt/microsoft/omsagent/log/omsagent.log
    

    Configure Eset SMC to send logs to connector

    Configure Eset Logs using BSD style and JSON format.

    • Go to the Syslog server configuration configure the Host (your connector), Format BSD, and Transport TCP
    • Go to the Logging section and enable JSON

    For more information, see the Eset documentation.

    Exabeam Advanced Analytics (Preview)

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    Kusto function alias: ExabeamEvent
    Kusto function URL: https://aka.ms/Sentinel-Exabeam-parser
    Vendor documentation/
    installation instructions
    Configure Advanced Analytics system activity notifications
    Supported by Microsoft

    ExtraHop Reveal(x)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    ExtraHop Detection SIEM Connector
    Supported by ExtraHop

    F5 BIG-IP

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) F5Telemetry_LTM_CL
    F5Telemetry_system_CL
    F5Telemetry_ASM_CL
    Vendor documentation/
    installation instructions
    Integrating the F5 BIG-IP with Microsoft Sentinel
    Supported by F5 Networks

    F5 Networks (ASM)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    Configuring Application Security Event Logging
    Supported by F5 Networks

    Forcepoint Cloud Access Security Broker (CASB) (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    Forcepoint CASB and Microsoft Sentinel
    Supported by Forcepoint

    Forcepoint Cloud Security Gateway (CSG) (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    Forcepoint Cloud Security Gateway and Microsoft Sentinel
    Supported by Forcepoint

    Forcepoint Data Loss Prevention (DLP) (Preview)

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) ForcepointDLPEvents_CL
    Vendor documentation/
    installation instructions
    Forcepoint Data Loss Prevention and Microsoft Sentinel
    Supported by Forcepoint

    Forcepoint Next Generation Firewall (NGFW) (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    Forcepoint Next-Gen Firewall and Microsoft Sentinel
    Supported by Forcepoint

    ForgeRock Common Audit (CAUD) for CEF (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    Install this first! ForgeRock Common Audit (CAUD) for Microsoft Sentinel
    Supported by ForgeRock

    Fortinet

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog

    Send Fortinet logs to the log forwarder

    Available in the Fortinet Fortigate solution
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    Fortinet Document Library
    Choose your version and use the Handbook and Log Message Reference PDFs.
    Supported by Fortinet

    Send Fortinet logs to the log forwarder

    Open the CLI on your Fortinet appliance and run the following commands:

    config log syslogd setting
    set status enable
    set format cef
    set port 514
    set server <ip_address_of_Forwarder>
    end
    
    • Replace the server ip address with the IP address of the log forwarder.
    • Set the syslog port to 514 or the port set on the Syslog daemon on the forwarder.
    • To enable CEF format in early FortiOS versions, you might need to run the command set csv disable.

    Google Workspace (G-Suite) (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API

    Extra configuration for the Google Reports API
    Log Analytics table(s) GWorkspace_ReportsAPI_admin_CL
    GWorkspace_ReportsAPI_calendar_CL
    GWorkspace_ReportsAPI_drive_CL
    GWorkspace_ReportsAPI_login_CL
    GWorkspace_ReportsAPI_mobile_CL
    GWorkspace_ReportsAPI_token_CL
    GWorkspace_ReportsAPI_user_accounts_CL
    Azure Function App code https://aka.ms/Sentinel-GWorkspaceReportsAPI-functionapp
    API credentials
  • GooglePickleString
  • Vendor documentation/
    installation instructions
  • API Documentation
  • Get credentials at Perform Google Workspace Domain-Wide Delegation of Authority
  • Convert token.pickle file to pickle string
  • Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
  • Kusto function alias GWorkspaceActivityReports
    Kusto function URL/
    Parser config instructions
    https://aka.ms/Sentinel-GWorkspaceReportsAPI-parser
    Application settings
  • GooglePickleString
  • WorkspaceID
  • workspaceKey
  • logAnalyticsUri (optional)
  • Supported by Microsoft

    Extra configuration for the Google Reports API

    Add http://localhost:8081/ under Authorized redirect URIs while creating Web application credentials.

    1. Follow the instructions to obtain the credentials.json.
    2. To get the Google pickle string, run this python script (in the same path as credentials.json).
    3. Copy the pickle string output in single quotes and save. It will be needed for deploying the Function App.

    Illusive Attack Management System (AMS) (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    Illusive Networks Admin Guide
    Supported by Illusive Networks

    Imperva WAF Gateway (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog

    Available in the Imperva Cloud WAF solution
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    Steps for Enabling Imperva WAF Gateway Alert Logging to Microsoft Sentinel
    Supported by Imperva

    Infoblox Network Identity Operating System (NIOS) (Preview)

    Connector attribute Description
    Data ingestion method Syslog

    available in the InfoBlox Threat Defense solution
    Log Analytics table(s) Syslog
    Kusto function alias: InfobloxNIOS
    Kusto function URL: https://aka.ms/sentinelgithubparsersinfoblox
    Vendor documentation/
    installation instructions
    NIOS SNMP and Syslog Deployment Guide
    Supported by Microsoft

    Juniper SRX (Preview)

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    Kusto function alias: JuniperSRX
    Kusto function URL: https://aka.ms/Sentinel-junipersrx-parser
    Vendor documentation/
    installation instructions
    Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices
    Configure System Logging
    Supported by Juniper Networks

    Lookout Mobile Threat Defense (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API

    Only available after installing the Lookout Mobile Threat Defense for Microsoft Sentinel solution
    Log Analytics table(s) Lookout_CL
    API credentials
  • Lookout Application Key
  • Vendor documentation/
    installation instructions
  • Installation Guide (sign-in required)
  • API Documentation (sign-in required)
  • Lookout Mobile Endpoint Security
  • Supported by Lookout

    Microsoft 365 Defender

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Connect data from Microsoft 365 Defender to Microsoft Sentinel
    (Top connector article)
    License prerequisites/
    Cost information
    Valid license for Microsoft 365 Defender
    Log Analytics table(s) Alerts:
    SecurityAlert
    SecurityIncident
    Defender for Endpoint events:
    DeviceEvents
    DeviceFileEvents
    DeviceImageLoadEvents
    DeviceInfo
    DeviceLogonEvents
    DeviceNetworkEvents
    DeviceNetworkInfo
    DeviceProcessEvents
    DeviceRegistryEvents
    DeviceFileCertificateInfo
    Defender for Office 365 events:
    EmailAttachmentInfo
    EmailUrlInfo
    EmailEvents
    EmailPostDeliveryEvents
    Supported by Microsoft

    Microsoft 365 Insider Risk Management (IRM) (Preview)

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    API-based connections


    Also available in the Microsoft 365 Insider Risk Management solution
    License and other prerequisites
    Log Analytics table(s) SecurityAlert
    Data query filter SecurityAlert
    \| where ProductName == "Microsoft 365 Insider Risk Management"
    Supported by Microsoft

    Microsoft Defender for Cloud Apps

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    API-based connections


    For Cloud Discovery logs, enable Microsoft Sentinel as your SIEM in Microsoft Defender for Cloud Apps
    Log Analytics table(s) SecurityAlert - for alerts
    McasShadowItReporting​ - for Cloud Discovery logs
    Supported by Microsoft

    Microsoft Defender for Endpoint

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    API-based connections
    License prerequisites/
    Cost information
    Valid license for Microsoft Defender for Endpoint deployment
    Log Analytics table(s) SecurityAlert
    Supported by Microsoft

    Microsoft Defender for Identity

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    API-based connections
    Log Analytics table(s) SecurityAlert
    Supported by Microsoft

    Microsoft Defender for Office 365

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    API-based connections
    License prerequisites/
    Cost information
    You must have a valid license for Office 365 ATP Plan 2
    Log Analytics table(s) SecurityAlert
    Supported by Microsoft

    Microsoft Office 365

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    API-based connections
    License prerequisites/
    Cost information
    Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace.
    Other charges may apply
    Log Analytics table(s) OfficeActivity
    Supported by Microsoft

    Morphisec UTPP (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog, with a Kusto function parser
    Log Analytics table(s) CommonSecurityLog
    Kusto function alias: Morphisec
    Kusto function URL https://aka.ms/Sentinel-Morphiescutpp-parser
    Supported by Morphisec

    Netskope (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API
    Log Analytics table(s) Netskope_CL
    Azure Function App code https://aka.ms/Sentinel-netskope-functioncode
    API credentials
  • Netskope API Token
  • Vendor documentation/
    installation instructions
  • Netskope Cloud Security Platform
  • Netskope API Documentation
  • Obtain an API Token
  • Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
  • Kusto function alias Netskope
    Kusto function URL/
    Parser config instructions
    https://aka.ms/Sentinel-netskope-parser
    Application settings
  • apikey
  • workspaceID
  • workspaceKey
  • uri (depends on region, follows schema: https://<Tenant Name>.goskope.com)
  • timeInterval (set to 5)
  • logTypes
  • logAnalyticsUri (optional)
  • Supported by Microsoft

    NGINX HTTP Server (Preview)

    Connector attribute Description
    Data ingestion method Log Analytics agent - custom logs
    Log Analytics table(s) NGINX_CL
    Kusto function alias: NGINXHTTPServer
    Kusto function URL https://aka.ms/Sentinel-NGINXHTTP-parser
    Vendor documentation/
    installation instructions
    Module ngx_http_log_module
    Custom log sample file: access.log or error.log
    Supported by Microsoft

    NXLog Basic Security Module (BSM) macOS (Preview)

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) BSMmacOS_CL
    Vendor documentation/
    installation instructions
    NXLog Microsoft Sentinel User Guide
    Supported by NXLog

    NXLog DNS Logs (Preview)

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) DNS_Logs_CL
    Vendor documentation/
    installation instructions
    NXLog Microsoft Sentinel User Guide
    Supported by NXLog

    NXLog LinuxAudit (Preview)

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) LinuxAudit_CL
    Vendor documentation/
    installation instructions
    NXLog Microsoft Sentinel User Guide
    Supported by NXLog

    Okta Single Sign-On (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API
    Log Analytics table(s) Okta_CL
    Azure Function App code https://aka.ms/sentineloktaazurefunctioncodev2
    API credentials
  • API Token
  • Vendor documentation/
    installation instructions
  • Okta System Log API Documentation
  • Create an API token
  • Connect Okta SSO to Microsoft Sentinel
  • Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
  • Application settings
  • apiToken
  • workspaceID
  • workspaceKey
  • uri (follows schema https://<OktaDomain>/api/v1/logs?since=. Identify your domain namespace.)
  • logAnalyticsUri (optional)
  • Supported by Microsoft

    Onapsis Platform (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog, with a Kusto lookup and enrichment function

    Configure Onapsis to send CEF logs to the log forwarder
    Log Analytics table(s) CommonSecurityLog
    Kusto function alias: incident_lookup
    Kusto function URL https://aka.ms/Sentinel-Onapsis-parser
    Supported by Onapsis

    Configure Onapsis to send CEF logs to the log forwarder

    Refer to the Onapsis in-product help to set up log forwarding to the Log Analytics agent.

    1. Go to Setup > Third-party integrations > Defend Alarms and follow the instructions for Microsoft Sentinel.
    2. Make sure your Onapsis Console can reach the log forwarder machine where the agent is installed. Logs should be sent to port 514 using TCP.

    One Identity Safeguard (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    One Identity Safeguard for Privileged Sessions Administration Guide
    Supported by One Identity

    Oracle WebLogic Server (Preview)

    Connector attribute Description
    Data ingestion method Log Analytics agent - custom logs
    Log Analytics table(s) OracleWebLogicServer_CL
    Kusto function alias: OracleWebLogicServerEvent
    Kusto function URL: https://aka.ms/Sentinel-OracleWebLogicServer-parser
    Vendor documentation/
    installation instructions
    Oracle WebLogic Server documentation
    Custom log sample file: server.log
    Supported by Microsoft

    Orca Security (Preview)

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) OrcaAlerts_CL
    Vendor documentation/
    installation instructions
    Microsoft Sentinel integration
    Supported by Orca Security

    OSSEC (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog, with a Kusto function parser
    Log Analytics table(s) CommonSecurityLog
    Kusto function alias: OSSECEvent
    Kusto function URL: https://aka.ms/Sentinel-OSSEC-parser
    Vendor documentation/
    installation instructions
    OSSEC documentation
    Sending alerts via syslog
    Supported by Microsoft

    Palo Alto Networks

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog

    Also available in the Palo Alto PAN-OS and Prisma solutions
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    Common Event Format (CEF) Configuration Guides
    Configure Syslog Monitoring
    Supported by Palo Alto Networks

    Perimeter 81 Activity Logs (Preview)

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) Perimeter81_CL
    Vendor documentation/
    installation instructions
    Perimeter 81 documentation
    Supported by Perimeter 81

    Proofpoint On Demand (POD) Email Security (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API

    Also available in the Proofpoint POD solution
    Log Analytics table(s) ProofpointPOD_message_CL
    ProofpointPOD_maillog_CL
    Azure Function App code https://aka.ms/Sentinel-proofpointpod-functionapp
    API credentials
  • ProofpointClusterID
  • ProofpointToken
  • Vendor documentation/
    installation instructions
  • Sign in to the Proofpoint Community
  • Proofpoint API documentation and instructions
  • Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
  • Kusto function alias ProofpointPOD
    Kusto function URL/
    Parser config instructions
    https://aka.ms/Sentinel-proofpointpod-parser
    Application settings
  • ProofpointClusterID
  • ProofpointToken
  • WorkspaceID
  • WorkspaceKey
  • logAnalyticsUri (optional)
  • Supported by Microsoft

    Proofpoint Targeted Attack Protection (TAP) (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API

    Also available in the Proofpoint TAP solution
    Log Analytics table(s) ProofPointTAPClicksPermitted_CL
    ProofPointTAPClicksBlocked_CL
    ProofPointTAPMessagesDelivered_CL
    ProofPointTAPMessagesBlocked_CL
    Azure Function App code https://aka.ms/sentinelproofpointtapazurefunctioncode
    API credentials
  • API Username
  • API Password
  • Vendor documentation/
    installation instructions
  • Proofpoint SIEM API Documentation
  • Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
  • Application settings
  • apiUsername
  • apiUsername
  • uri (set to https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=300)
  • WorkspaceID
  • WorkspaceKey
  • logAnalyticsUri (optional)
  • Supported by Microsoft

    Pulse Connect Secure (Preview)

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    Kusto function alias: PulseConnectSecure
    Kusto function URL: https://aka.ms/sentinelgithubparserspulsesecurevpn
    Vendor documentation/
    installation instructions
    Configuring Syslog
    Supported by Microsoft

    Qualys VM KnowledgeBase (KB) (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API

    Extra configuration for the Qualys VM KB

    Also available in the Qualys VM solution
    Log Analytics table(s) QualysKB_CL
    Azure Function App code https://aka.ms/Sentinel-qualyskb-functioncode
    API credentials
  • API Username
  • API Password
  • Vendor documentation/
    installation instructions
  • QualysVM API User Guide
  • Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
  • Kusto function alias QualysKB
    Kusto function URL/
    Parser config instructions
    https://aka.ms/Sentinel-qualyskb-parser
    Application settings
  • apiUsername
  • apiUsername
  • uri (by region; see API Server list. Follows schema https://<API Server>/api/2.0.
  • WorkspaceID
  • WorkspaceKey
  • filterParameters (add to end of URI, delimited by &. No spaces.)
  • logAnalyticsUri (optional)
  • Supported by Microsoft

    Extra configuration for the Qualys VM KB

    1. Log into the Qualys Vulnerability Management console with an administrator account, select the Users tab and the Users subtab.
    2. Select the New drop-down menu and select Users.
    3. Create a username and password for the API account.
    4. In the User Roles tab, ensure the account role is set to Manager and access is allowed to GUI and API
    5. Sign out of the administrator account and sign into the console with the new API credentials for validation, then sign out of the API account.
    6. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to GUI.
    7. Save all changes.

    Qualys Vulnerability Management (VM) (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API

    Extra configuration for the Qualys VM
    Manual deployment - after configuring the Function App
    Log Analytics table(s) QualysHostDetection_CL
    Azure Function App code https://aka.ms/sentinelqualysvmazurefunctioncode
    API credentials
  • API Username
  • API Password
  • Vendor documentation/
    installation instructions
  • QualysVM API User Guide
  • Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
  • Application settings
  • apiUsername
  • apiUsername
  • uri (by region; see API Server list. Follows schema https://<API Server>/api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=.
  • WorkspaceID
  • WorkspaceKey
  • filterParameters (add to end of URI, delimited by &. No spaces.)
  • timeInterval (set to 5. If you modify, change Function App timer trigger accordingly.)
  • logAnalyticsUri (optional)
  • Supported by Microsoft

    Extra configuration for the Qualys VM

    1. Log into the Qualys Vulnerability Management console with an administrator account, select the Users tab and the Users subtab.
    2. Select the New drop-down menu and select Users.
    3. Create a username and password for the API account.
    4. In the User Roles tab, ensure the account role is set to Manager and access is allowed to GUI and API
    5. Sign out of the administrator account and log into the console with the new API credentials for validation, then sign out of the API account.
    6. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to GUI.
    7. Save all changes.

    Manual deployment - after configuring the Function App

    Configure the host.json file

    Due to the potentially large amount of Qualys host detection data being ingested, it can cause the execution time to surpass the default Function App timeout of five minutes. Increase the default timeout duration to the maximum of 10 minutes, under the Consumption Plan, to allow more time for the Function App to execute.

    1. In the Function App, select the Function App Name and select the App Service Editor page.
    2. Select Go to open the editor, then select the host.json file under the wwwroot directory.
    3. Add the line "functionTimeout": "00:10:00", above the managedDependancy line.
    4. Ensure SAVED appears on the top-right corner of the editor, then exit the editor.

    If a longer timeout duration is required, consider upgrading to an App Service Plan.

    Salesforce Service Cloud (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API
    Log Analytics table(s) SalesforceServiceCloud_CL
    Azure Function App code https://aka.ms/Sentinel-SalesforceServiceCloud-functionapp
    API credentials
  • Salesforce API Username
  • Salesforce API Password
  • Salesforce Security Token
  • Salesforce Consumer Key
  • Salesforce Consumer Secret
  • Vendor documentation/
    installation instructions
    Salesforce REST API Developer Guide
    Under Set up authorization, use Session ID method instead of OAuth.
    Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
  • Kusto function alias SalesforceServiceCloud
    Kusto function URL/
    Parser config instructions
    https://aka.ms/Sentinel-SalesforceServiceCloud-parser
    Application settings
  • SalesforceUser
  • SalesforcePass
  • SalesforceSecurityToken
  • SalesforceConsumerKey
  • SalesforceConsumerSecret
  • WorkspaceID
  • WorkspaceKey
  • logAnalyticsUri (optional)
  • Supported by Microsoft

    Security events via Legacy Agent (Windows)

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Log Analytics agent-based connections
    Log Analytics table(s) SecurityEvents
    Supported by Microsoft

    For more information, see Insecure protocols workbook setup.

    See also: Windows Security Events via AMA connector based on Azure Monitor Agent (AMA)

    Configure the Security events / Windows Security Events connector for anomalous RDP login detection.

    SentinelOne (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API

    Extra configuration for SentinelOne
    Log Analytics table(s) SentinelOne_CL
    Azure Function App code https://aka.ms/Sentinel-SentinelOneAPI-functionapp
    API credentials
  • SentinelOneAPIToken
  • SentinelOneUrl (https://<SOneInstanceDomain>.sentinelone.net)
  • Vendor documentation/
    installation instructions
  • https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview
  • See instructions below
  • Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
  • Kusto function alias SentinelOne
    Kusto function URL/
    Parser config instructions
    https://aka.ms/Sentinel-SentinelOneAPI-parser
    Application settings
  • SentinelOneAPIToken
  • SentinelOneUrl
  • WorkspaceID
  • WorkspaceKey
  • logAnalyticsUri (optional)
  • Supported by Microsoft

    Extra configuration for SentinelOne

    Follow the instructions to obtain the credentials.

    1. Sign-in to the SentinelOne Management Console with Admin user credentials.
    2. In the Management Console, select Settings.
    3. In the SETTINGS view, select USERS
    4. Select New User.
    5. Enter the information for the new console user.
    6. In Role, select Admin.
    7. Select SAVE
    8. Save credentials of the new user for using in the data connector.

    SonicWall Firewall (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    Log > Syslog
    Select facility local4 and ArcSight as the Syslog format.
    Supported by SonicWall

    Sophos Cloud Optix (Preview)

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) SophosCloudOptix_CL
    Vendor documentation/
    installation instructions
    Integrate with Microsoft Sentinel, skipping the first step.
    Sophos query samples
    Supported by Sophos

    Sophos XG Firewall (Preview)

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    Kusto function alias: SophosXGFirewall
    Kusto function URL: https://aka.ms/sentinelgithubparserssophosfirewallxg
    Vendor documentation/
    installation instructions
    Add a syslog server
    Supported by Microsoft

    Squadra Technologies secRMM

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) secRMM_CL
    Vendor documentation/
    installation instructions
    secRMM Microsoft Sentinel Administrator Guide
    Supported by Squadra Technologies

    Squid Proxy (Preview)

    Connector attribute Description
    Data ingestion method Log Analytics agent - custom logs
    Log Analytics table(s) SquidProxy_CL
    Kusto function alias: SquidProxy
    Kusto function URL https://aka.ms/Sentinel-squidproxy-parser
    Custom log sample file: access.log or cache.log
    Supported by Microsoft

    Symantec Integrated Cyber Defense Exchange (ICDx)

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API
    Log Analytics table(s) SymantecICDx_CL
    Vendor documentation/
    installation instructions
    Configuring Microsoft Sentinel (Log Analytics) Forwarders
    Supported by Broadcom Symantec

    Symantec ProxySG (Preview)

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    Kusto function alias: SymantecProxySG
    Kusto function URL: https://aka.ms/sentinelgithubparserssymantecproxysg
    Vendor documentation/
    installation instructions
    Sending Access Logs to a Syslog server
    Supported by Microsoft

    Symantec VIP (Preview)

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    Kusto function alias: SymantecVIP
    Kusto function URL: https://aka.ms/sentinelgithubparserssymantecvip
    Vendor documentation/
    installation instructions
    Configuring syslog
    Supported by Microsoft

    Thycotic Secret Server (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    Secure Syslog/CEF Logging
    Supported by Thycotic

    Trend Micro Deep Security

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog, with a Kusto function parser
    Log Analytics table(s) CommonSecurityLog
    Kusto function alias: TrendMicroDeepSecurity
    Kusto function URL https://aka.ms/TrendMicroDeepSecurityFunction
    Vendor documentation/
    installation instructions
    Forward Deep Security events to a Syslog or SIEM server
    Supported by Trend Micro

    Trend Micro TippingPoint (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog, with a Kusto function parser
    Log Analytics table(s) CommonSecurityLog
    Kusto function alias: TrendMicroTippingPoint
    Kusto function URL https://aka.ms/Sentinel-trendmicrotippingpoint-function
    Vendor documentation/
    installation instructions
    Send Syslog messages in ArcSight CEF Format v4.2 format.
    Supported by Trend Micro

    Trend Micro Vision One (XDR) (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API
    Log Analytics table(s) TrendMicro_XDR_CL
    API credentials
  • API Token
  • Vendor documentation/
    installation instructions
  • Trend Micro Vision One API
  • Obtaining API Keys for Third-Party Access
  • Connector deployment instructions Single-click deployment via Azure Resource Manager (ARM) template
    Supported by Trend Micro

    VMware Carbon Black Endpoint Standard (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API
    Log Analytics table(s) CarbonBlackEvents_CL
    CarbonBlackAuditLogs_CL
    CarbonBlackNotifications_CL
    Azure Function App code https://aka.ms/sentinelcarbonblackazurefunctioncode
    API credentials API access level (for Audit and Event logs):
  • API ID
  • API Key

    SIEM access level (for Notification events):
  • SIEM API ID
  • SIEM API Key
  • Vendor documentation/
    installation instructions
  • Carbon Black API Documentation
  • Creating an API Key
  • Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
  • Application settings
  • apiId
  • apiKey
  • WorkspaceID
  • WorkspaceKey
  • uri (by region; see list of options. Follows schema: https://<API URL>.conferdeploy.net.)
  • timeInterval (Set to 5)
  • SIEMapiId (if ingesting Notification events)
  • SIEMapiKey (if ingesting Notification events)
  • logAnalyticsUri (optional)
  • Supported by Microsoft

    VMware ESXi (Preview)

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    Kusto function alias: VMwareESXi
    Kusto function URL: https://aka.ms/Sentinel-vmwareesxi-parser
    Vendor documentation/
    installation instructions
    Enabling syslog on ESXi 3.5 and 4.x
    Configure Syslog on ESXi Hosts
    Supported by Microsoft

    WatchGuard Firebox (Preview)

    Connector attribute Description
    Data ingestion method Syslog
    Log Analytics table(s) Syslog
    Kusto function alias: WatchGuardFirebox
    Kusto function URL: https://aka.ms/Sentinel-watchguardfirebox-parser
    Vendor documentation/
    installation instructions
    Microsoft Sentinel Integration Guide
    Supported by WatchGuard Technologies

    WireX Network Forensics Platform (Preview)

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    Contact WireX support in order to configure your NFP solution to send Syslog messages in CEF format.
    Supported by WireX Systems

    Windows DNS Server (Preview)

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Log Analytics agent-based connections
    Log Analytics table(s) DnsEvents
    DnsInventory
    Supported by Microsoft

    Windows Forwarded Events (Preview)

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Azure Monitor Agent-based connections


    Additional instructions for deploying the Windows Forwarded Events connector
    Prerequisites You must have Windows Event Collection (WEC) enabled and running.
    Install the Azure Monitor Agent on the WEC machine.
    xPath queries prefix "ForwardedEvents!*"
    Log Analytics table(s) WindowsEvents
    Supported by Microsoft

    Additional instructions for deploying the Windows Forwarded Events connector

    We recommend installing the Advanced SIEM Information Model (ASIM) parsers to ensure full support for data normalization. You can deploy these parsers from the Azure-Sentinel GitHub repository using the Deploy to Azure button there.

    Windows Firewall

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Log Analytics agent-based connections
    Log Analytics table(s) WindowsFirewall
    Supported by Microsoft

    Windows Security Events via AMA

    Connector attribute Description
    Data ingestion method Azure service-to-service integration:
    Azure Monitor Agent-based connections
    xPath queries prefix "Security!*"
    Log Analytics table(s) SecurityEvents
    Supported by Microsoft

    See also: Security events via legacy agent connector.

    Configure the Security events / Windows Security Events connector for anomalous RDP login detection

    Important

    Anomalous RDP login detection is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

    Microsoft Sentinel can apply machine learning (ML) to Security events data to identify anomalous Remote Desktop Protocol (RDP) login activity. Scenarios include:

    • Unusual IP - the IP address has rarely or never been observed in the last 30 days

    • Unusual geo-location - the IP address, city, country, and ASN have rarely or never been observed in the last 30 days

    • New user - a new user logs in from an IP address and geo-location, both or either of which were not expected to be seen based on data from the 30 days prior.

    Configuration instructions

    1. You must be collecting RDP login data (Event ID 4624) through the Security events or Windows Security Events data connectors. Make sure you have selected an event set besides "None", or created a data collection rule that includes this event ID, to stream into Microsoft Sentinel.

    2. From the Microsoft Sentinel portal, select Analytics, and then select the Rule templates tab. Choose the (Preview) Anomalous RDP Login Detection rule, and move the Status slider to Enabled.

      Note

      As the machine learning algorithm requires 30 days' worth of data to build a baseline profile of user behavior, you must allow 30 days of Windows Security events data to be collected before any incidents can be detected.

    Workplace from Facebook (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API

    Configure Webhooks
    Add Callback URL to Webhook configuration
    Log Analytics table(s) Workplace_Facebook_CL
    Azure Function App code https://aka.ms/Sentinel-WorkplaceFacebook-functionapp
    API credentials
  • WorkplaceAppSecret
  • WorkplaceVerifyToken
  • Vendor documentation/
    installation instructions
  • Configure Webhooks
  • Configure permissions
  • Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
  • Kusto function alias Workplace_Facebook
    Kusto function URL/
    Parser config instructions
    https://aka.ms/Sentinel-WorkplaceFacebook-parser
    Application settings
  • WorkplaceAppSecret
  • WorkplaceVerifyToken
  • WorkspaceID
  • WorkspaceKey
  • logAnalyticsUri (optional)
  • Supported by Microsoft

    Configure Webhooks

    1. Sign in to the Workplace with Admin user credentials.
    2. In the Admin panel, select Integrations.
    3. In the All integrations view, select Create custom integration.
    4. Enter the name and description and select Create.
    5. In the Integration details panel, show the App secret and copy it.
    6. In the Integration permissions panel, set all read permissions. Refer to permission page for details.

    Add Callback URL to Webhook configuration

    1. Open your Function App's page, go to the Functions list, select Get Function URL, and copy it.
    2. Go back to Workplace from Facebook. In the Configure webhooks panel, on each Tab set the Callback URL as the Function URL you copied in the last step, and the Verify token as the same value you received during automatic deployment, or entered during manual deployment.
    3. Select Save.

    Zimperium Mobile Thread Defense (Preview)

    Zimperium Mobile Threat Defense data connector connects the Zimperium threat log to Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This connector gives you more insight into your organization's mobile threat landscape and enhances your security operation capabilities.

    For more information, see Connect Zimperium to Microsoft Sentinel.

    Connector attribute Description
    Data ingestion method Microsoft Sentinel Data Collector API

    Configure and connect Zimperium MTD
    Log Analytics table(s) ZimperiumThreatLog_CL
    ZimperiumMitigationLog_CL
    Vendor documentation/
    installation instructions
    Zimperium customer support portal (sign-in required)
    Supported by Zimperium

    Configure and connect Zimperium MTD

    1. In zConsole, select Manage on the navigation bar.
    2. Select the Integrations tab.
    3. Select the Threat Reporting button and then the Add Integrations button.
    4. Create the Integration:
      1. From the available integrations, select Microsoft Sentinel.
      2. Enter your workspace ID and primary key, select Next.
      3. Fill in a name for your Microsoft Sentinel integration.
      4. Select a Filter Level for the threat data you wish to push to Microsoft Sentinel.
      5. Select Finish.

    Zoom Reports (Preview)

    Connector attribute Description
    Data ingestion method Azure Functions and the REST API
    Log Analytics table(s) Zoom_CL
    Azure Function App code https://aka.ms/Sentinel-ZoomAPI-functionapp
    API credentials
  • ZoomApiKey
  • ZoomApiSecret
  • Vendor documentation/
    installation instructions
  • Get credentials using JWT With Zoom
  • Connector deployment instructions
  • Single-click deployment via Azure Resource Manager (ARM) template
  • Manual deployment
  • Kusto function alias Zoom
    Kusto function URL/
    Parser config instructions
    https://aka.ms/Sentinel-ZoomAPI-parser
    Application settings
  • ZoomApiKey
  • ZoomApiSecret
  • WorkspaceID
  • WorkspaceKey
  • logAnalyticsUri (optional)
  • Supported by Microsoft

    Zscaler

    Connector attribute Description
    Data ingestion method Common Event Format (CEF) over Syslog
    Log Analytics table(s) CommonSecurityLog
    Vendor documentation/
    installation instructions
    Zscaler and Microsoft Sentinel Deployment Guide
    Supported by Zscaler

    Zscaler Private Access (ZPA) (Preview)

    Connector attribute Description
    Data ingestion method Log Analytics agent - custom logs

    Extra configuration for Zscaler Private Access
    Log Analytics table(s) ZPA_CL
    Kusto function alias: ZPAEvent
    Kusto function URL https://aka.ms/Sentinel-zscalerprivateaccess-parser
    Vendor documentation/
    installation instructions
    Zscaler Private Access documentation
    Also, see below
    Supported by Microsoft

    Extra configuration for Zscaler Private Access

    Follow the configuration steps below to get Zscaler Private Access logs into Microsoft Sentinel. For more information, see the Azure Monitor Documentation. Zscaler Private Access logs are delivered via Log Streaming Service (LSS). Refer to LSS documentation for detailed information.

    1. Configure Log Receivers. While configuring a Log Receiver, choose JSON as Log Template.

    2. Download config file zpa.conf.

      wget -v https://aka.ms/sentinel-zscalerprivateaccess-conf -O zpa.conf
      
    3. Sign in to the server where you have installed the Azure Log Analytics agent.

    4. Copy zpa.conf to the /etc/opt/microsoft/omsagent/workspace_id/conf/omsagent.d/ folder.

    5. Edit zpa.conf as follows:

      1. Specify the port that you have set your Zscaler Log Receivers to forward logs to (line 4)
      2. Replace workspace_id with real value of your Workspace ID (lines 14,15,16,19)
    6. Save changes and restart the Azure Log Analytics agent for Linux service with the following command:

      sudo /opt/microsoft/omsagent/bin/service_control restart
      

    You can find the value of your workspace ID on the ZScaler Private Access connector page or on your Log Analytics workspace's agents management page.

    Next steps

    For more information, see: