Azure Sentinel: The connectors grand (CEF, Syslog, Direct, Agent, Custom and more)


Azure Sentinel is Microsoft’s cloud-native SIEM solution and the first cloud-native SIEM from a major public cloud provider. Azure Sentinel is deployed in an organization’s Azure tenant and accessed via the Microsoft Azure portal, ensuring alignment with preexisting organizational policies.

Azure Sentinel allows organizations to ingest, correlate, and analyze security signals from across the enterprise. Additionally, Azure Sentinel can make use of the infrastructure as a service (IaaS) and platform as a service (PaaS) offerings available in Azure to deliver capabilities such as workflow automation and long-term log retention that other SIEM providers typically sell as add-on services.

Azure Built-in Connectors

Azure Sentinel includes many connectors that can be deployed in a few clicks from the Azure Sentinel portal, given the requisite RBAC permissions. These include Azure Active Directory, Azure subscription activity, Office 365, and the whole family of Microsoft Defender products. New data connectors for other products are added on a regular basis. Prefer the built-in data connectors over custom ones where feasible, as they are fully supported by Microsoft and the Azure Sentinel community.

This list is not actively maintained anymore. Refer to the Azure Sentinel connector documentation for more information. 

Syslog and CEF

Most network and security systems support either Syslog or CEF (Common Event Format) over Syslog as a means of sending data to a SIEM. This makes Syslog or CEF the most straightforward way to stream security and networking events to Azure Sentinel.

The advantage of CEF over Syslog is that it ensures the data is normalized, making it immediately useful for analysis in Sentinel. However, unlike many other SIEM products, Sentinel allows ingesting unparsed Syslog events and performing analytics on them using query-time parsing.

The number of systems supporting Syslog or CEF is in the hundreds, making the table below by no means comprehensive. The table links the source device’s vendor documentation for configuring the device to send events in Syslog or CEF.
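To make the CEF-versus-raw-Syslog distinction concrete, here is an added example (not code from the original post or from Microsoft) that parses a CEF record wrapped in an RFC 3164 syslog header into normalized fields, including the escaping rules for `|` in the header and `=` in the extension. The sample line and vendor names are constructed.

```python
"""CEF-over-syslog parser (added example, not code from the original post or
from Microsoft). Shows why a CEF record carries its own schema while free-form
syslog needs source-specific, query-time parsing. Sample line is constructed."""
import re

# Constructed sample: an RFC 3164 syslog header (PRI, timestamp, host) wrapping a CEF record.
SAMPLE_CEF = (
    "<134>Jan 12 10:15:42 fw01 CEF:0|ExampleVendor|ExampleFW|10.0|deny|"
    "THREAT|5|src=10.1.2.3 dst=203.0.113.7 spt=51522 dpt=443 "
    "msg=Blocked URL\\=http://example.test/a\\=b act=block"
)
HEADER_FIELDS = ("device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+")
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # an unescaped 'key=' in the extension
EXT_UNESCAPE = {"\\": "\\", "=": "=", "r": "\r", "n": "\n"}

def _split_header(text, nfields):
    """Split on unescaped '|' until nfields are taken; return (fields, untouched rest)."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < nfields:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # header escapes: \| and \\
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return fields, text[i:]

def _parse_extension(ext):
    """Extension is key=value pairs; values may contain spaces, '\\=' and '\\\\'."""
    keys, out = list(KEY_RE.finditer(ext)), {}
    for n, km in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[km.end():end]
        out[km.group(1)] = re.sub(r"\\([\\=rn])", lambda m: EXT_UNESCAPE[m.group(1)], raw).strip()
    return out

def parse_cef(line):
    """Return normalized fields for a CEF line (with or without syslog header), else None."""
    m = re.search(r"CEF:(\d+)\|", line)
    if not m:
        return None
    fields, ext = _split_header(line[m.end():], len(HEADER_FIELDS))
    if len(fields) != len(HEADER_FIELDS):
        return None                         # malformed header: do not guess
    rec = dict(zip(HEADER_FIELDS, fields))
    rec["cef_version"] = int(m.group(1))
    if rec["severity"].isdigit():           # CEF allows 0-10 or Low/Medium/High/Very-High
        rec["severity"] = int(rec["severity"])
    sl = SYSLOG_RE.match(line)
    if sl:                                  # syslog PRI = facility * 8 + severity
        pri = int(sl.group(1))
        rec.update(syslog_facility=pri // 8, syslog_severity=pri % 8, syslog_host=sl.group(3))
    rec["extension"] = _parse_extension(ext)
    return rec
```

A non-CEF syslog line returns `None` here; in Sentinel it would land in the Syslog table and need a source-specific KQL parser at query time.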

Direct

Most Microsoft cloud sources, and many other cloud and on-premises systems, can send to Azure Sentinel natively. For Microsoft Azure sources, this is usually done through the resource's diagnostic settings.

Agent

The Log Analytics agent (also known as the Microsoft Monitoring Agent, MMA) can collect several types of events from servers and endpoints:

  • Windows and Linux machines deployed on-premises or in any other cloud environment.
  • Microsoft Internet Information Services (IIS) web server logs.
  • Logs from any other application running on the same machine as the agent, collected via the agent's Custom Logs settings.

Threat Intelligence (TI)

You can use one of the threat intelligence connectors:

  • Platform, which uses the Graph Security API
  • TAXII, which uses the TAXII 2.0 protocol

to ingest threat intelligence indicators, which are used by Azure Sentinel’s built-in TI analytics rules, and to build your own rules.

Custom: Logic Apps, Logstash, Azure Functions, Rest API and others

In addition to CEF and Syslog, many solutions are based on Sentinel's HTTP Data Collector API and create custom log tables in the workspace. Those belong to three groups:

  • Sources that support Logstash, for which the Logstash output plug-in can send the events to Azure Sentinel.
  • Sources that have native support for the API.
  • Sources for which there is a community or Microsoft field-created solution that uses the API, usually built on Logic Apps or an Azure Function.

As a low-footprint, relatively inexpensive resource, Azure Function Apps are one of the most stable and performant log ingestion methods. Function Apps provide the full capabilities of .NET, Python, PowerShell and, more recently, Node.js, and can be used for a wide range of log ingestion tasks, including log retrieval via REST APIs, pagination, filtering or parsing, and enrichment of data.
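Whatever hosts the custom connector (Logic App, Azure Function or Logstash), it ends up sending the same signed POST to the Data Collector API. The following is an added example, not code from the original post or from Microsoft, that builds that request: the canonical string, the HMAC-SHA256 SharedKey signature, and the Log-Type and size checks a connector should perform before sending. The workspace id, key and records are constructed placeholders.

```python
"""Building a signed request for the Log Analytics HTTP Data Collector API
(added example, not code from the original post or from Microsoft). Custom
connectors built on Logic Apps, Azure Functions or Logstash all end up sending
this request; workspace id, key and records here are constructed placeholders."""
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"
# Constructed placeholders: take the real values from the workspace's Agents management blade.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
WORKSPACE_KEY = base64.b64encode(b"placeholder-key-not-a-real-workspace-key").decode("ascii")


def string_to_sign(content_length, rfc1123_date):
    """Canonical string: method, body length, content type, x-ms-date header, resource path."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n{RESOURCE}"


def build_authorization(workspace_id, shared_key_b64, content_length, rfc1123_date):
    """'SharedKey <id>:<sig>' where sig = base64(HMAC-SHA256(base64decode(key), canonical))."""
    key = base64.b64decode(shared_key_b64)
    msg = string_to_sign(content_length, rfc1123_date).encode("utf-8")
    sig = base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode("ascii")
    return f"SharedKey {workspace_id}:{sig}"


def valid_log_type(name):
    """Log-Type may only contain letters, digits and underscore, up to 100 characters."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,100}", name) is not None


def build_request(workspace_id, shared_key_b64, log_type, records, now=None):
    """Return (url, headers, body) ready for an HTTPS POST; nothing is sent here."""
    if not valid_log_type(log_type):
        raise ValueError(f"invalid Log-Type: {log_type!r}")
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")
    if len(body) > 30 * 1024 * 1024:
        raise ValueError("payload exceeds the 30 MB per-post limit; split the batch")
    now = now or datetime.now(timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_authorization(workspace_id, shared_key_b64, len(body), rfc1123_date),
        "Log-Type": log_type,        # records land in the custom table <log_type>_CL
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body


if __name__ == "__main__":
    # Constructed sample records; add "time-generated-field" to headers to map a field to TimeGenerated.
    sample = [{"timestamp": "2024-01-12T10:15:42Z", "src": "10.1.2.3", "action": "block"}]
    url, headers, body = build_request(WORKSPACE_ID, WORKSPACE_KEY, "ExampleFirewall", sample)
    print(url, headers["Authorization"], len(body))
```

Because the signature covers the body length and the x-ms-date header, a request replayed with a different payload or outside the server's clock-skew window is rejected, which is why the workspace key must be kept out of logs and source control.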

Automation and integration

While all the types above focus on getting telemetry into Azure Sentinel, connectors marked as automation/integration enable Azure Sentinel to implement other use cases, such as sending information to another system or performing an action on another system. These may be API-based or Logic App-based integrations.

The main engine behind the Azure Sentinel automation capability is Azure Logic Apps. Azure Sentinel playbooks can perform very advanced tasks with activities branching based on criteria identified in alerts or data retrieved using indicators collected in alerts. The full processing can be performed within the Azure Sentinel environment and is limited only by the automation capabilities provided by the third-party security controls required to provide information or perform additional tasks.

The Grand List

The wide variety of potential data types as log sources means that the consideration paid to each different data type is important at the outset of an Azure Sentinel project. Azure Sentinel includes more than 100 connectors out of the box, with the ability to create custom sources to meet individual requirements. We have collected a summary table of some of the more common data source types, with experiential commentary relevant for deployment teams configuring new data ingest sources.

Vendor | Product | Connector type | Connecting and using
Agari | Phishing Defense and Brand Protection | Built-in (Function, Graph Security API) | Instructions
AI Vectra | Detect | Built-in (CEF) | Instructions
Akamai | | Built-in (CEF) | Instructions
Alcide | kAudit | Built-in (API) | Instructions
AlgoSec | ASMS | CEF | Instructions and examples
Anomali | Limo | Built-in (TAXII) | Instructions
Anomali | ThreatStream | Built-in (TI Platform) | Instructions
Anomali | Match | Integration | Overview and instructions
Apache | httpd | Built-in (Agent custom logs) | Instructions. Also, read about using rsyslog or logger as a file forwarder for an alternative method.
Apache | Kafka | Logstash | See Logstash plug-in. Use to get events sent using Kafka, not for Kafka's own audit events.
Aruba | ClearPass | CEF | Instructions
AT&T Cyber | AlienVault OTX | TI (Platform) | Using Logic Apps; see instructions
AWS | CloudTrail | Built-in | Sentinel built-in connector
AWS | CloudTrail S3 logs | Custom | Using an Azure Function (see here). Using an AWS Lambda Function (see here).
AWS | CloudWatch | Logstash | See Logstash plug-in.
AWS | Kinesis | Logstash | See Logstash plug-in.
AWS | Object Level S3 Logging | Logstash | See here.
AWS | Security Hub | Custom | Azure Function. See here.
Barracuda | WAF | Built-in (API) | Instructions
Barracuda | CloudGen Firewall | API | Sentinel built-in connector
BETTER Mobile | Threat Defense | Built-in (API) | Instructions
Beyond Security | beSECURE | Built-in (API) | Instructions
Carbon Black | Cloud Endpoint Standard (Cb Defense) | Built-in (Function), Syslog | Sentinel built-in connector; Instructions
Carbon Black | Cb Response | Syslog | Instructions
Checkpoint | | CEF | Sentinel built-in connector
Cisco | ACS | Syslog | Instructions
Cisco | ASA | Cisco (CEF) | Sentinel built-in connector. Notes: Cisco ASA support uses Sentinel's CEF pipeline; however, Cisco's logging is not in CEF format. Make sure you disable logging timestamps using "no logging timestamp". See here for more details.
Cisco | Cloud Security Gateway (CWS) | CEF | Use the Cisco Advanced Web Security Reporting.
Cisco | FTD | Cisco (CEF) | FTD platform logs are compatible with ASA logs and can use the same connector (see here).
Cisco | IOS | Syslog | Instructions
Cisco | ISE (NAC) | Syslog | Instructions
Cisco | Web Security Appliance (WSA) | CEF | Use the Cisco Advanced Web Security Reporting.
Cisco | Meraki | Syslog | Instructions; Event Types and Log Samples
Cisco | eStreamer | CEF | Using enCore
Cisco | Firepower Threat Defense | CEF, Syslog | Using eStreamer enCore; Instructions; Event reference
Cisco | FireSight | CEF | Using eStreamer enCore
Cisco | IronPort Web Security Appliance | Syslog | Instructions
Cisco | Nexus | Syslog | Instructions
Cisco | Umbrella | Built-in (Function) | Instructions. Also, see this blog post for a custom solution.
Cisco | Unified Computing System (UCS) | Built-in (Syslog) | Instructions
Cisco | Viptela SD-WAN | Syslog | Instructions
Citrix | Analytics | Built-in (Direct) | Instructions
Citrix | NetScaler | Syslog | Instructions; Message format
Citrix | NetScaler App FW | Built-in (CEF) | Instructions
Clearswift | Web Security Gateway | Syslog | Instructions
Cloudflare | | | Use Cloudflare Logpush to send to storage and a custom connector to read events from storage (for example, reading AWS S3 buckets).
Cribl | LogStream | Direct | Instructions
CrowdStrike | Falcon | CEF | Instructions. Use a SIEM connector installed on-premises.
CyberArk | Endpoint Privilege Manager (EPM) | Syslog, Logstash | Instructions (for both)
CyberArk | Privileged Access Security (PTA) | CEF | Instructions; Message format
Darktrace | Immune | CEF | See announcement. Contact vendor for instructions.
Digital Guardian | | CEF | 3rd-party instructions
DocuSign | Monitor | Custom | See this blog post
Duo Security | | CEF | Using Duo LogSync
Extrahop | Reveal | Built-in (CEF) | Instructions
F5 | ASM (WAF) | Built-in (CEF) | Instructions
F5 | BigIP (System, LTM, AFM, ASM, APM, AVR) | Built-in (Direct) | Instructions
Fastly | WAF | Custom | See this blog post (Logic Apps or Azure Function)
Forcepoint | Web Security (WebSense) | CEF | Instructions; Detailed reference
Forcepoint | CASB | CEF | Sentinel built-in connector
Forcepoint | DLP | Direct | Sentinel built-in connector
Forcepoint | NGFW | CEF | Sentinel built-in connector
Forescout | CounterAct | CEF | Instructions
Fortinet | | CEF | Sentinel built-in connector; Log message reference; CEF mapping and examples
Fortinet | FortiSIEM | CEF | Instructions
Fortinet | FortiSOAR | Integration | Instructions
GitHub | | Custom | See connector, rules, and hunting queries here
GCP | Cloud Storage | Logstash | See plug-in. Use to get events stored in GCP Cloud Storage, not for Cloud Storage's own audit events.
GCP | Pub/Sub | Logstash | See plug-in. Use to get events sent using Pub/Sub, not for Pub/Sub's own audit events.
GCP | Stackdriver | Logstash, Custom | Through GCP Cloud Storage or GCP Pub/Sub as described above, or using a GCP Cloud Function (see here).
Group-IB | | Custom (TI Platform) | Using Logic Apps. See instructions.
GuardiCore | Centra | CEF | Contact vendor for instructions
HP | Printers | Syslog | Instructions
IBM | iSeries | CEF | See here.
IBM | QRadar events | Syslog | Forward raw events or correlation events in raw, parsed, or JSON format. See instructions.
IBM | QRadar offenses | Custom (Function) | Blog post
IBM | X-Force | TI (TAXII) | Instructions
IBM | zSecure | CEF | See What's new for zSecure V2.3.0. Note that it supports alerts only.
Illusive | Attack Management System | Syslog | Sentinel built-in connector
Imperva | SecureSphere | CEF | Instructions
Infoblox | NIOS | Built-in (Syslog) | Instructions
InSights | | TI (TAXII) | TAXII instructions and related workbook
Jamf | Pro | Syslog | Instructions
Juniper | ATP | CEF | Instructions
Juniper | JunOS-based devices | Built-in (Syslog) | Instructions
Kaspersky | Security Center | CEF | Instructions
ManageEngine | AD Audit Plus | CEF | Instructions (use the ArcSight instructions)
ManageEngine | Exchange Reporter Plus | Syslog | Instructions
McAfee | ePO | Syslog | Instructions. Note: TLS only (requires rsyslog TLS configuration).
McAfee | MVISION EDR | Syslog | Instructions
McAfee | Web Gateway | CEF | Instructions
Microfocus | Fortify AppDefender | CEF | Instructions (require authentication; contact vendor for further details).
Microsoft | Active Directory | Agent | Most AD events are logged as part of the Windows security events. Also see LDAP auditing and SMBv1 auditing in this list.
Microsoft | Advanced Threat Analytics (ATA) | CEF | Instructions; Log reference
Microsoft | Azure Active Directory (AAD) | Built-in (Diagnostics) | Instructions. Detections: Sign-in Logs, Audit Logs. Built-in workbooks: Azure AD Audit Logs; Azure AD Audit, Activity and Sign-in Logs; Azure AD Sign-in logs. Webinars: "A day in a SOC analyst life" (YouTube, MP4, Presentation); "Tackling Identity" (YouTube, MP4, Presentation).
Microsoft | Azure Active Directory Domain Services | Diagnostics | Instructions. Use Workbooks to analyze.
Microsoft | Azure Active Directory Identity Protection | | Instructions; Alert information
Microsoft | Azure Activity (Azure Subscriptions, Azure Management Groups) | Direct | Built-in connector. Connect through the subscription diagnostic settings to ensure lower latency and broader collection. For Management Groups, use the API to turn on diagnostic settings. Azure Activity schema; Detections.
Microsoft | Application Insights | Direct | Send to a Sentinel workspace, or use queries across workspaces.
Microsoft | App Services & Web Application monitoring | Direct | Instructions and reference architecture
Microsoft | Azure B2B | Direct | Included as part of AAD events
Microsoft | Azure B2C | Direct | Collect B2C logs from your B2C tenant into your primary tenant's AAD logs as described here.
Microsoft | Azure Cosmos DB | Direct | Instructions
Microsoft | Azure Data Lake Gen 1 | Direct | Instructions; Query examples
Microsoft | Azure Data Factory | Direct | Instructions
Microsoft | Azure Databricks | Direct | Instructions
Microsoft | Azure DDoS | Built-in (Diagnostics) | Built-in connector; Diagnostics instructions; Enable collection using PowerShell; Webinar: Detecting and Responding to Threats using Azure Network Security tools and Azure Sentinel
Microsoft | Azure Defender and Azure Security Center (ASC) | Direct | Built-in connector for getting ASC alerts; Alert list and alert schema. Use Azure Defender's continuous export feature to get recommendations, findings, secure score, and compliance data into Sentinel.
Microsoft | Azure Defender for IoT | Built-in (Direct) | Instructions; Alerts overview
Microsoft | Azure DevOps | Direct | Instructions
Microsoft | Azure Event Hub (subscription) | Logstash | See Logstash plug-in. Use to get events sent through an Event Hub, not for the Event Hub's own audit events.
Microsoft | Azure Files | Direct (Diagnostics) | Instructions; Schema information
Microsoft | Azure Firewall | Built-in (Diagnostics) | Built-in connector; Workbook; Enable collection using PowerShell or diagnostics; Webinar: Detecting and Responding to Threats using Azure Network Security tools and Azure Sentinel
Microsoft | Azure Front Door | Direct | Instructions
Microsoft | Azure Key Vault (AKV) | Built-in (Diagnostics) | Connect: Instructions (built-in, using policy); Enable AKV diagnostics using the portal; Enable AKV diagnostics using PowerShell. Use: Log schema; Detection rules; Workbook.
Microsoft | Azure Information Protection (Classic and Unified Labeling) | Built-in (Direct) | Instructions
Microsoft | Azure Kubernetes Service (AKS) | Direct | Blog post: Monitoring Azure Kubernetes Service (AKS) with Azure Sentinel. Documentation: Enable Azure Monitor for containers.
Microsoft | Azure Log Analytics | Direct | Collect query auditing and other metrics: Instructions
Microsoft | Azure Logic Apps | Direct | Instructions
Microsoft | Azure Network Security Groups (NSG) | Direct | Flow logs; Rule activation; Webinar: Detecting and Responding to Threats using Azure Network Security tools and Azure Sentinel
Microsoft | Azure SQL | Built-in (Diagnostics) | Built-in connector; Diagnostic settings instructions
Microsoft | Azure SQL Managed Instance | Direct | Instructions
Microsoft | Azure Site Recovery | Direct | Instructions
Microsoft | Azure Storage | Direct | Instructions; Blog: Blob and File Storage Investigations
Microsoft | Azure Storage Content | Custom (Azure Function) | Ingest the content of Azure Storage Blobs. See GitHub.
Microsoft | Azure Synapse | Direct | Instructions
Microsoft | Azure Web Application Firewall (WAF) | Built-in (Diagnostics) | Blog post; Built-in connector; Webinar: Detecting and Responding to Threats using Azure Network Security tools and Azure Sentinel
Microsoft | BitLocker / MBAM | Agent | Using Windows Event collection. Blog post.
Microsoft | Cloud App Security (Alerts, Discovery logs) | Built-in (Direct) | Instructions; Alerts information
Microsoft | Cloud App Security (Activity Log) | CEF | Instructions
Microsoft | Defender for Office | Built-in, Custom | For AIR alerts: instructions. For other alerts: use either a Logic App or an Azure Function custom connector. For the Azure Function connector, query for RecordType_d == "28", "41" or "47".
Microsoft | Defender for Identity (Azure ATP) Alerts | Built-in | Instructions (Direct); Instructions (Microsoft 365 Defender); Alerts overview
Microsoft | Defender for Identity (Azure ATP) Events | CEF | Instructions; Log reference
Microsoft | Desktop Analytics | Direct | Connect
Microsoft | DNS | Agent | Sentinel built-in connector
Microsoft | Dynamics 365 | Built-in | Sentinel built-in connector
Microsoft | Dynamics (not 365) | Agent | Using IIS logs; Using Dynamics trace files
Microsoft | IIS | Agent | Instructions
Microsoft | Intune | Direct | Connect; Use cases
Microsoft | LDAP (Windows Server) | Agent | Configure AD diagnostics logging and set "16 LDAP Interface Events" to 2 or above.
Microsoft | Office 365 (Exchange, SharePoint, OneDrive, DLP Alerts) | Built-in | Sentinel built-in connector. For details about DLP alerts, read here.
Microsoft | Office 365 (Microsoft Defender for Office, formerly Office ATP; PowerBI, Yammer, Sway, Forms, eDiscovery, and others) | Custom (Azure Function, Logic Apps) | Use either a Logic App or an Azure Function custom connector.
Microsoft | Office 365 e-mail trace logs | Custom (Logic Apps) | See blog post.
Microsoft | PowerBI Embedded | Direct (Diagnostics) | Instructions
Microsoft | SMBv1 (Windows Server) | Agent | See Enable Auditing on SMB Servers, and the cmdlet reference.
Microsoft | Teams (Call Logs) | Custom | Using Logic Apps
Microsoft | Teams (Management Activity) | Built-in | Use the built-in Office 365 connector. Use the hunting use cases or the Graph Visualization of External MS Teams Collaborations. Understand the Teams event schema. Use the custom Logic App or Azure Function connectors for special use cases. Expanding Microsoft Teams log data in Azure Sentinel: Extracting Teams file-sharing information; Mapping Teams logs to Teams call records; Merging Teams logs with sign-in activity to detect anomalous actions.
Microsoft | Teams Shifts | Custom | Use either a Logic App or an Azure Function custom connector. For the Azure Function connector, query for RecordType_d == "73".
Microsoft | SCCM | Agent | Instructions
Microsoft | SQL Server | Agent | Instructions, parser, rules, and hunting queries. You can also audit at the engine level.
Microsoft | Sysmon | Agent | Using Windows Event collection. Blog post.
Microsoft | Windows (Security Events) | Agent | Sentinel built-in connector; Enriching Windows Security Events with Parameterized Function
Microsoft | Windows (Other Events, Sysmon) | Agent | Instructions
Microsoft | Windows network connections | Agent | VM Insights; Wire Data
Microsoft | Windows Firewall | Agent | Sentinel built-in connector
Microsoft | Windows Virtual Desktop | Direct | Connect using the portal and sample queries; Connect using PowerShell and sample queries; Blog post covering connecting and using: Monitoring Windows Virtual Desktop environments; Common error codes
Mimecast | | Agent | Announcement. For technical instructions, contact the vendor.
Minerva Labs | | CEF | Ask the vendor for instructions.
MISP | | TI (Platform) | Sentinel built-in connector
NetApp | ONTAP | Syslog | Instructions. Note that these are management activity audit logs and not file usage activity logs.
Netflow | | Logstash | Use the Netflow codec plug-in
Nexthink | | CEF | Instructions
Nozomi | Guardian | CEF | Contact vendor for details
NXLog | | Direct | Instructions
Okta | SSO | Built-in (Function) | Instructions
One Identity | Safeguard | Built-in (CEF) | Instructions
Oracle | Cloud (OCI) | Custom (Azure Function) | Available here
Oracle | DB | Syslog | Instructions
Orca | | Built-in (API) | Instructions
OSSEC | | CEF | Instructions
PagerDuty | | Automation (Playbook) | Blog post
Palo Alto | CloudGenix | Syslog | Instructions
Palo Alto | MineMeld | TI (Platform) | Sentinel built-in connector
Palo Alto | PAN-OS | CEF | Sentinel built-in connector
Palo Alto | Panorama | CEF | Instructions
Palo Alto | Prisma | Syslog, Custom | Instructions; Fields; Logic Apps using a webhook, and clarification
Palo Alto | Traps through Cortex | Syslog | Instructions. Notes: requires rsyslog configuration to support RFC 5424; TLS only (requires rsyslog TLS configuration); the certificate has to be signed by a public CA.
Palo Alto | XDR | CEF | Instructions
Palo Alto | XSOAR | Integration | Forward Azure Sentinel incidents to Palo Alto XSOAR
Perimeter 81 | | Built-in (API) | Instructions
Ping Identity | Federate | CEF | Instructions
Ping Identity | Provisioner | CEF | Instructions
Postgres | DB | Syslog, Windows Event log | Instructions
Proofpoint | On Demand | Built-in (API) | Instructions
Proofpoint | TAP | Built-in (Function) | Instructions
Pulse | Connect | Built-in (Syslog) | Instructions
Qualys | VM | Built-in (Function) | Instructions
Radware | Cloud WAF | Logstash | Instructions
RedHat | OpenShift | Syslog, API | Instructions for Syslog; Fluentd Log Analytics plugin for API
RedHat | Azure OpenShift | Syslog, Custom | Instructions for Syslog; Fluentd Log Analytics plugin for API
RiskIQ | | Action (Logic Apps) | Azure Logic Apps built-in connector
Salesforce | Service Cloud | Built-in (Function) | Instructions
SAP | Hana | Syslog | Instructions (requires an SAP account)
SentinelOne | | CEF | Consult the vendor for instructions
SNMP | | Syslog | Instructions
Snort | | Agent | Instructions
SonicWall | | CEF | Instructions. Make sure you select local use 4 as the facility and ArcSight as the Syslog format.
Sophos | Central | CEF | Instructions. Note that the script provided by Sophos has to be scheduled using a cron job, which is not documented on the reference page.
Sophos | XG Firewall | Built-in (Syslog) | Instructions
Squadra | secRMM | Built-in (API) | Instructions
Squid Proxy | | Built-in (Agent), Syslog | Instructions. Configure access logs with either the TCP or UDP modules. Sentinel's built-in queries use the default log format.
Symantec | DLP | Syslog, CEF | Syslog: Instructions (note that only UDP is supported). CEF: Instructions (uses response automation).
Symantec | ICDX | Built-in (API) | Instructions
Symantec | Proxy SG (Bluecoat) | Built-in (Syslog) | Instructions
Symantec | Endpoint Protection Manager | Syslog | Instructions
Symantec | Cloud Workload Protection | API | Instructions
Symantec | VIP | Built-in (Syslog) | Instructions
TheHive | | Integration | Send new incidents to TheHive
Thinkst | Canary | Syslog | Instructions
ThreatConnect | | TI (Platform) | Sentinel built-in connector
ThreatQuotient | | TI (Platform) | Sentinel built-in connector
Thycotic | Secret Server | CEF | Instructions
TitanHQ | WebTitan Cloud | Syslog | Instructions
Trend Micro | | CEF | Using Control Manager; Using LogForwarder
Trend Micro | Apex Central (Cloud and On-prem) | CEF | Instructions
Trend Micro | Deep Security | CEF | Sentinel built-in connector
Tufin | SecureTrack | Syslog | Instructions
Varonis | DatAlert | CEF | Instructions
WatchGuard | | CEF | Instructions
Zimperium | Mobile Threat Defense | Built-in (API) | Instructions
zScaler | Internet Access (ZIA) | Built-in (CEF) | Instructions
zScaler | Private Access (ZPA) | Logstash | Use LSS. Since LSS sends raw TCP rather than Syslog, you will have to use Logstash and not Azure Sentinel's native connector.
Zoom | | Custom | Using Azure Function.