|
| 1 | +--- |
| 2 | +author: EdB-MSFT |
| 3 | +ms.author: edbayansh |
| 4 | +ms.topic: include |
| 5 | +ms.date: 05/27/2025 |
| 6 | +--- |
| 7 | + |
| 8 | +## Deprecated Sentinel data connectors |
| 9 | + |
| 10 | + |
| 11 | +> [!NOTE] |
| 12 | +> The following table lists the deprecated and legacy data connectors. Deprecated connectors are no longer supported. |
| 13 | + |
| 14 | + |
| 15 | + |
| 16 | +| Connector | Supported by | |
| 17 | +|-----------|--------------| |
| 18 | +|<a name="deprecated-atlassian-confluence-audit-using-azure-functions"></a><details><summary>**[Deprecated] Atlassian Confluence Audit (using Azure Functions)** </summary> <br> The [Atlassian Confluence](https://www.atlassian.com/software/confluence) Audit data connector provides the capability to ingest [Confluence Audit Records](https://support.atlassian.com/confluence-cloud/docs/view-the-audit-log/) for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.<p><span style='color:red; font-weight:bold;'>NOTE</span>: This data connector has been deprecated, consider moving to the CCP data connector available in the solution which replaces ingestion via the <a href='/azure/azure-monitor/logs/custom-logs-migrate' style='color:#1890F1;'>deprecated HTTP Data Collector API</a>.</p><p> **Log Analytics table(s):** <br> - `Confluence_Audit_CL`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. For more information, see [Azure Functions](/azure/azure-functions/).<p> - **REST API Credentials/permissions**: **ConfluenceAccessToken**, **ConfluenceUsername** is required for REST API. For more information, see [API](https://developer.atlassian.com/cloud/confluence/rest/api-group-audit/). Check all [requirements and follow the instructions](https://developer.atlassian.com/cloud/confluence/rest/intro/#auth) for obtaining credentials.</details> | [Microsoft Corporation](https://support.microsoft.com/) | |
| 19 | +|<a name="deprecated-google-cloud-platform-dns-using-azure-functions"></a><details><summary>**[Deprecated] Google Cloud Platform DNS (using Azure Functions)** </summary> <br> The Google Cloud Platform DNS data connector provides the capability to ingest [Cloud DNS query logs](https://cloud.google.com/dns/docs/monitoring#using_logging) and [Cloud DNS audit logs](https://cloud.google.com/dns/docs/audit-logging) into Microsoft Sentinel using the GCP Logging API. Refer to [GCP Logging API documentation](https://cloud.google.com/logging/docs/api) for more information.<br><br><p><span style='color:red; font-weight:bold;'>NOTE</span>: This data connector has been deprecated, consider moving to the CCP data connector available in the solution which replaces ingestion via the <a href='/azure/azure-monitor/logs/custom-logs-migrate' style='color:#1890F1;'>deprecated HTTP Data Collector API</a>.</p><p> **Log Analytics table(s):** <br> - `GCP_DNS_CL`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. For more information, see [Azure Functions](/azure/azure-functions/).<p> - **GCP service account**: GCP service account with permissions to read logs (with "logging.logEntries.list" permission) is required for GCP Logging API. Also json file with service account key is required. See the documentation to learn more about [permissions](https://cloud.google.com/logging/docs/access-control#permissions_and_roles), [creating service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) and [creating service account key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys).</details> | [Microsoft Corporation](https://support.microsoft.com/) | |
| 20 | +|<a name="deprecated-google-cloud-platform-iam-using-azure-functions"></a><details><summary>**[Deprecated] Google Cloud Platform IAM (using Azure Functions)** </summary> <br> The Google Cloud Platform Identity and Access Management (IAM) data connector provides the capability to ingest [GCP IAM logs](https://cloud.google.com/iam/docs/audit-logging) into Microsoft Sentinel using the GCP Logging API. Refer to [GCP Logging API documentation](https://cloud.google.com/logging/docs/api) for more information.<br><br><p><span style='color:red; font-weight:bold;'>NOTE</span>: This data connector has been deprecated, consider moving to the CCP data connector available in the solution which replaces ingestion via the <a href='/azure/azure-monitor/logs/custom-logs-migrate' style='color:#1890F1;'>deprecated HTTP Data Collector API</a>.</p><p> **Log Analytics table(s):** <br> - `GCP_IAM_CL`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. For more information, see [Azure Functions](/azure/azure-functions/).<p> - **GCP service account**: GCP service account with permissions to read logs is required for GCP Logging API. Also json file with service account key is required. See the documentation to learn more about [required permissions](https://cloud.google.com/iam/docs/audit-logging#audit_log_permissions), [creating service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) and [creating service account key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys).</details> | [Microsoft Corporation](https://support.microsoft.com/) | |
| 21 | +|<a name="deprecated-infoblox-soc-insight-data-connector-via-legacy-agent"></a><details><summary>**[Deprecated] Infoblox SOC Insight Data Connector via Legacy Agent** </summary> <br> The Infoblox SOC Insight Data Connector allows you to easily connect your Infoblox BloxOne SOC Insight data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. <br><br>This data connector ingests Infoblox SOC Insight CDC logs into your Log Analytics Workspace using the legacy Log Analytics agent.<br><br>**Microsoft recommends installation of Infoblox SOC Insight Data Connector via AMA Connector.** The legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and should only be installed where AMA is not supported.<br><br> Using MMA and AMA on the same machine can cause log duplication and extra ingestion cost. [More details](/azure/sentinel/ama-migrate).<p> **Log Analytics table(s):** <br> - `CommonSecurityLog`<p>**Data collection rule support:** <br>[Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal)</details> | [Infoblox](https://support.infoblox.com/) | |
| 22 | +|<a name="deprecated-microsoft-exchange-logs-and-events"></a><details><summary>**[Deprecated] Microsoft Exchange Logs and Events** </summary> <br> Deprecated, use the 'ESI-Opt' dataconnectors. You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment<p> **Log Analytics table(s):** <br> - `Event`<br>- `SecurityEvent`<br>- `W3CIISLog`<br>- `MessageTrackingLog_CL`<br>- `ExchangeHttpProxy_CL`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)<p> - **Detailled documentation**: >**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)</details> | [Community](https://github.com/Azure/Azure-Sentinel/issues) | |
| 23 | +|<a name="deprecated-proofpoint-on-demand-email-security-using-azure-functions"></a><details><summary>**[Deprecated] Proofpoint On Demand Email Security (using Azure Functions)** </summary> <br> Proofpoint On Demand Email Security data connector provides the capability to get Proofpoint on Demand Email Protection data, allows users to check message traceability, monitoring into email activity, threats,and data exfiltration by attackers and malicious insiders. The connector provides ability to review events in your org on an accelerated basis, get event log files in hourly increments for recent activity.<p><span style='color:red; font-weight:bold;'>NOTE</span>: This data connector has been deprecated, consider moving to the CCP data connector available in the solution which replaces ingestion via the <a href='/azure/azure-monitor/logs/custom-logs-migrate' style='color:#1890F1;'>deprecated HTTP Data Collector API</a>.</p><p> **Log Analytics table(s):** <br> - `ProofpointPOD_message_CL`<br>- `ProofpointPOD_maillog_CL`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. For more information, see [Azure Functions](/azure/azure-functions/).<p> - **Websocket API Credentials/permissions**: **ProofpointClusterID**, **ProofpointToken** is required. For more information, see [API](https://proofpointcommunities.force.com/community/s/article/Proofpoint-on-Demand-Pod-Log-API).</details> | [Microsoft Corporation](https://support.microsoft.com/) | |
| 24 | +|<a name="deprecated-proofpoint-tap-using-azure-functions"></a><details><summary>**[Deprecated] Proofpoint TAP (using Azure Functions)** </summary> <br> The [Proofpoint Targeted Attack Protection (TAP)](https://www.proofpoint.com/us/products/advanced-threat-protection/targeted-attack-protection) connector provides the capability to ingest Proofpoint TAP logs and events into Microsoft Sentinel. The connector provides visibility into Message and Click events in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities.<p><span style='color:red; font-weight:bold;'>NOTE</span>: This data connector has been deprecated, consider moving to the CCP data connector available in the solution which replaces ingestion via the <a href='/azure/azure-monitor/logs/custom-logs-migrate' style='color:#1890F1;'>deprecated HTTP Data Collector API</a>.</p><p> **Log Analytics table(s):** <br> - `ProofPointTAPMessagesDelivered_CL`<br>- `ProofPointTAPMessagesBlocked_CL`<br>- `ProofPointTAPClicksPermitted_CL`<br>- `ProofPointTAPClicksBlocked_CL`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. For more information, see [Azure Functions](/azure/azure-functions/).<p> - **Proofpoint TAP API Key**: A Proofpoint TAP API username and password is required. For more information, see [Proofpoint SIEM API](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API).</details> | [Microsoft Corporation](https://support.microsoft.com/) | |
| 25 | +|<a name="deprecated-slack-audit-using-azure-functions"></a><details><summary>**[Deprecated] Slack Audit (using Azure Functions)** </summary> <br> The [Slack](https://slack.com) Audit data connector provides the capability to ingest [Slack Audit Records](https://api.slack.com/admins/audit-logs) events into Microsoft Sentinel through the REST API. Refer to [API documentation](https://api.slack.com/admins/audit-logs#the_audit_event) for more information. The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.<p><span style='color:red; font-weight:bold;'>NOTE</span>: This data connector has been deprecated, consider moving to the CCP data connector available in the solution which replaces ingestion via the <a href='/azure/azure-monitor/logs/custom-logs-migrate' style='color:#1890F1;'>deprecated HTTP Data Collector API</a>.</p><p> **Log Analytics table(s):** <br> - `SlackAudit_CL`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. For more information, see [Azure Functions](/azure/azure-functions/).<p> - **REST API Credentials/permissions**: **SlackAPIBearerToken** is required for REST API. For more information, see [API](https://api.slack.com/web#authentication). Check all [requirements and follow the instructions](https://api.slack.com/web#authentication) for obtaining credentials.</details> | [Microsoft Corporation](https://support.microsoft.com/) | |
| 26 | +|<a name="security-events-via-legacy-agent"></a><details><summary>**Security Events via Legacy Agent** </summary> <br> You can stream all security events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2220093&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).<p> **Log Analytics table(s):** <br> - `SecurityEvent`<p>**Data collection rule support:** <br>Not currently supported</details> | [Microsoft Corporation](https://support.microsoft.com/) | |
| 27 | +|<a name="subscription-based-microsoft-defender-for-cloud-legacy"></a><details><summary>**Subscription-based Microsoft Defender for Cloud (Legacy)** </summary> <br> Microsoft Defender for Cloud is a security management tool that allows you to detect and quickly respond to threats across Azure, hybrid, and multi-cloud workloads. This connector allows you to stream your security alerts from Microsoft Defender for Cloud into Microsoft Sentinel, so you can view Defender data in workbooks, query it to produce alerts, and investigate and respond to incidents.<br><br>[For more information>](https://aka.ms/ASC-Connector)<p> **Log Analytics table(s):** <br> - `SecurityAlert`<p>**Data collection rule support:** <br>Not currently supported</details> | [Microsoft Corporation](https://support.microsoft.com/) | |
| 28 | +|<a name="syslog-via-legacy-agent"></a><details><summary>**Syslog via Legacy Agent** </summary> <br> Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace.<br><br>[Learn more >](https://aka.ms/sysLogInfo)<p> **Log Analytics table(s):** <br> - `Syslog`<p>**Data collection rule support:** <br>[Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal)</details> | [Microsoft Corporation](https://support.microsoft.com/) | |
0 commit comments