|
2 | 2 | author: EdB-MSFT
|
3 | 3 | ms.author: edbayansh
|
4 | 4 | ms.topic: include
|
5 |
| -ms.date: 07/14/2025 |
| 5 | +ms.date: 07/17/2025 |
6 | 6 | ---
|
7 | 7 |
|
8 | 8 | ## Sentinel data connectors
|
@@ -129,7 +129,7 @@ ms.date: 07/14/2025
|
129 | 129 | |<a name="google-cloud-platform-dns-via-codeless-connector-framework"></a><details><summary>**Google Cloud Platform DNS (via Codeless Connector Framework)** </summary> <br> The Google Cloud Platform DNS data connector provides the capability to ingest Cloud DNS Query logs and Cloud DNS Audit logs into Microsoft Sentinel using the Google Cloud DNS API. Refer to [Cloud DNS API](https://cloud.google.com/dns/docs/reference/rest/v1) documentation for more information.<p> **Log Analytics table(s):** <br> - `GCPDNS`<p>**Data collection rule support:** <br>Not currently supported</details> | [Microsoft Corporation](https://support.microsoft.com/) |
|
130 | 130 | |<a name="google-cloud-platform-iam-via-codeless-connector-framework"></a><details><summary>**Google Cloud Platform IAM (via Codeless Connector Framework)** </summary> <br> The Google Cloud Platform IAM data connector provides the capability to ingest the Audit logs relating to Identity and Access Management (IAM) activities within Google Cloud into Microsoft Sentinel using the Google IAM API. Refer to [GCP IAM API](https://cloud.google.com/iam/docs/reference/rest) documentation for more information.<p> **Log Analytics table(s):** <br> - `GCPIAM`<p>**Data collection rule support:** <br>Not currently supported</details> | [Microsoft Corporation](https://support.microsoft.com/) |
|
131 | 131 | |<a name="google-security-command-center"></a><details><summary>**Google Security Command Center** </summary> <br> The Google Cloud Platform (GCP) Security Command Center is a comprehensive security and risk management platform for Google Cloud, ingested from Sentinel's connector. It offers features such as asset inventory and discovery, vulnerability and threat detection, and risk mitigation and remediation to help you gain insight into your organization's security and data attack surface. This integration enables you to perform tasks related to findings and assets more effectively.<p> **Log Analytics table(s):** <br> - `GoogleCloudSCC`<p>**Data collection rule support:** <br>Not currently supported</details> | [Microsoft Corporation](https://support.microsoft.com/) |
|
132 |
| -|<a name="google-workspace-g-suite-using-azure-functions"></a><details><summary>**Google Workspace (G Suite) (using Azure Functions)** </summary> <br> The [Google Workspace](https://workspace.google.com/) data connector provides the capability to ingest Google Workspace Activity events into Microsoft Sentinel through the REST API. The connector provides ability to get [events](https://developers.google.com/admin-sdk/reports/v1/reference/activities) which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems, track who signs in and when, analyze administrator activity, understand how users create and share content, and more review events in your org.<p> **Log Analytics table(s):** <br> - `GWorkspace_ReportsAPI_admin_CL`<br>- `GWorkspace_ReportsAPI_calendar_CL`<br>- `GWorkspace_ReportsAPI_drive_CL`<br>- `GWorkspace_ReportsAPI_login_CL`<br>- `GWorkspace_ReportsAPI_mobile_CL`<br>- `GWorkspace_ReportsAPI_token_CL`<br>- `GWorkspace_ReportsAPI_user_accounts_CL`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. For more information, see [Azure Functions](/azure/azure-functions/).<p> - **REST API Credentials/permissions**: **GooglePickleString** is required for REST API. For more information, see [API](https://developers.google.com/admin-sdk/reports/v1/reference/activities). Instructions to obtain the credentials are shown during the installation process. You can check all [requirements and follow the instructions](https://developers.google.com/admin-sdk/reports/v1/quickstart/python) from here as well.</details> | [Microsoft Corporation](https://support.microsoft.com/) | |
| 132 | +|<a name="google-workspace-activities-via-codeless-connector-framework-preview"></a><details><summary>**Google Workspace Activities (via Codeless Connector Framework) (Preview)** </summary> <br> The [Google Workspace](https://workspace.google.com/) Activities data connector provides the capability to ingest Activity Events from [Google Workspace API](https://developers.google.com/admin-sdk/reports/reference/rest/v1/activities/list) into Microsoft Sentinel.<p> **Log Analytics table(s):** <br> - `GoogleWorkspaceReports`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **Google Workspace API access**: Access to the Google Workspace activities API through Oauth are required.</details> | [Microsoft Corporation](https://support.microsoft.com/) | |
133 | 133 | |<a name="greynoise-threat-intelligence-using-azure-functions"></a><details><summary>**GreyNoise Threat Intelligence (using Azure Functions)** </summary> <br> This Data Connector installs an Azure Function app to download GreyNoise indicators once per day and inserts them into the ThreatIntelligenceIndicator table in Microsoft Sentinel.<p> **Log Analytics table(s):** <br> - `ThreatIntelligenceIndicator`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. For more information, see [Azure Functions](/azure/azure-functions/).<p> - **GreyNoise API Key**: Retrieve your GreyNoise API Key [here](https://viz.greynoise.io/account/api-key).</details> | [GreyNoise](https://docs.greynoise.io/) |
|
134 | 134 | |<a name="hackerview-intergration-using-azure-functions"></a><details><summary>**HackerView Intergration (using Azure Functions)** </summary> <br> Through the API integration, you have the capability to retrieve all the issues related to your HackerView organizations via a RESTful interface.<p> **Log Analytics table(s):** <br> - `HackerViewLog_Azure_1_CL`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. For more information, see [Azure Functions](/azure/azure-functions/).</details> | [Cyber Threat Management 360](https://www.ctm360.com/contact-us/) |
|
135 | 135 | |<a name="holm-security-asset-data-using-azure-functions"></a><details><summary>**Holm Security Asset Data (using Azure Functions)** </summary> <br> The connector provides the capability to poll data from Holm Security Center into Microsoft Sentinel.<p> **Log Analytics table(s):** <br> - `net_assets_CL`<br>- `web_assets_CL`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. For more information, see [Azure Functions](/azure/azure-functions/).<p> - **Holm Security API Token**: Holm Security API Token is required. [Holm Security API Token](https://support.holmsecurity.com/)</details> | [Holm Security](https://support.holmsecurity.com/) |
|
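Review bot: The added row at new line 132 replaces the Azure Functions connector without saying so: the anchor changes from `google-workspace-g-suite-using-azure-functions` to `google-workspace-activities-via-codeless-connector-framework-preview`, and the table list goes from the seven `GWorkspace_ReportsAPI_*_CL` tables to the single `GoogleWorkspaceReports`. Deep links to the old anchor will no longer resolve, and readers with analytics rules or hunting queries written against the old `_CL` tables get no hint that those need repointing. Suggest one sentence in the description naming the connector and tables this entry supersedes. The new prerequisite, "Access to the Google Workspace activities API through Oauth are required", should read "through OAuth is required", and unlike the removed row it links to no instructions for obtaining the credentials.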
@@ -192,7 +192,7 @@ ms.date: 07/14/2025
|
192 | 192 | |<a name="okta-single-sign-on"></a><details><summary>**Okta Single Sign-On** </summary> <br> The [Okta Single Sign-On (SSO)](https://www.okta.com/products/single-sign-on/) data connector provides the capability to ingest audit and event logs from the Okta Sysem Log API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Framework and uses the Okta System Log API to fetch the events. The connector supports DCR-based [ingestion time transformations](/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.<p> **Log Analytics table(s):** <br> - `OktaSSO`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **Okta API Token**: An Okta API token. Follow the [following instructions](https://developer.okta.com/docs/guides/create-an-api-token/main/) to create an See the [documentation](https://developer.okta.com/docs/reference/api/system-log/) to learn more about Okta System Log API.</details> | [Microsoft Corporation](https://support.microsoft.com/) |
|
193 | 193 | |<a name="okta-single-sign-on-using-azure-functions"></a><details><summary>**Okta Single Sign-On (using Azure Functions)** </summary> <br> The [Okta Single Sign-On (SSO)](https://www.okta.com/products/single-sign-on/) connector provides the capability to ingest audit and event logs from the Okta API into Microsoft Sentinel. The connector provides visibility into these log types in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities.<p> **Log Analytics table(s):** <br> - `Okta_CL`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. For more information, see [Azure Functions](/azure/azure-functions/).<p> - **Okta API Token**: An Okta API Token is required. See the documentation to learn more about the [Okta System Log API](https://developer.okta.com/docs/reference/api/system-log/).</details> | [Microsoft Corporation](https://support.microsoft.com/) |
|
194 | 194 | |<a name="onelogin-iam-platform-via-codeless-connector-framework"></a><details><summary>**OneLogin IAM Platform (via Codeless Connector Framework)** </summary> <br> The [OneLogin](https://www.onelogin.com/) data connector provides the capability to ingest common OneLogin IAM Platform events into Microsoft Sentinel through REST API by using OneLogin [Events API](https://developers.onelogin.com/api-docs/1/events/get-events) and OneLogin [Users API](https://developers.onelogin.com/api-docs/1/users/get-users). The connector enables event retrieval to assess potential security risks, monitor collaboration, and diagnose and troubleshoot configuration issues.<p> **Log Analytics table(s):** <br> - `OneLoginEventsV2_CL`<br>- `OneLoginUsersV2_CL`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **OneLogin IAM API Credentials**: To create API Credentials follow the document link provided here, [Click Here](https://developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials). <br> Make sure to have an account type of either account owner or administrator to create the API credentials. <br> Once you create the API Credentials you get your Client ID and Client Secret.</details> | [Microsoft Corporation](https://support.microsoft.com/) |
|
195 |
| -|<a name="oracle-cloud-infrastructure-using-azure-functions"></a><details><summary>**Oracle Cloud Infrastructure (using Azure Functions)** </summary> <br> The Oracle Cloud Infrastructure (OCI) data connector provides the capability to ingest OCI Logs from [OCI Stream](https://docs.oracle.com/iaas/Content/Streaming/Concepts/streamingoverview.htm) into Microsoft Sentinel using the [OCI Streaming REST API](https://docs.oracle.com/iaas/api/#/streaming/streaming/20180418).<p> **Log Analytics table(s):** <br> - `OCI_Logs_CL`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. For more information, see [Azure Functions](/azure/azure-functions/).<p> - **OCI API Credentials**: **API Key Configuration File** and **Private Key** are required for OCI API connection. See the documentation to learn more about [creating keys for API access](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm)</details> | [Microsoft Corporation](https://support.microsoft.com/) | |
| 195 | +|<a name="oracle-cloud-infrastructure-via-codeless-connector-framework-preview"></a><details><summary>**Oracle Cloud Infrastructure (via Codeless Connector Framework) (Preview)** </summary> <br> The Oracle Cloud Infrastructure (OCI) data connector provides the capability to ingest OCI Logs from [OCI Stream](https://docs.oracle.com/iaas/Content/Streaming/Concepts/streamingoverview.htm) into Microsoft Sentinel using the [OCI Streaming REST API](https://docs.oracle.com/iaas/api/#/streaming/streaming/20180418).<p> **Log Analytics table(s):** <br> - `OCI_LogsV2_CL`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **OCI Streaming API access**: Access to the OCI Streaming API through a API Signing Keys is required.</details> | [Microsoft Corporation](https://support.microsoft.com/) | |
196 | 196 | |<a name="orca-security-alerts"></a><details><summary>**Orca Security Alerts** </summary> <br> The Orca Security Alerts connector allows you to easily export Alerts logs to Microsoft Sentinel.<p> **Log Analytics table(s):** <br> - `OrcaAlerts_CL`<p>**Data collection rule support:** <br>Not currently supported</details> | [Orca Security](https://docs.orcasecurity.io/) |
|
197 | 197 | |<a name="palo-alto-cortex-xdr"></a><details><summary>**Palo Alto Cortex XDR** </summary> <br> The [Palo Alto Cortex XDR](https://cortex-panw.stoplight.io/docs/cortex-xdr/branches/main/09agw06t5dpvw-cortex-xdr-rest-api) data connector allows ingesting logs from the Palo Alto Cortex XDR API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Framework. It uses the Palo Alto Cortex XDR API to fetch logs and it supports DCR-based [ingestion time transformations](/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.<p> **Log Analytics table(s):** <br> - `PaloAltoCortexXDR_Incidents_CL`<br>- `PaloAltoCortexXDR_Endpoints_CL`<br>- `PaloAltoCortexXDR_Audit_Management_CL`<br>- `PaloAltoCortexXDR_Audit_Agent_CL`<br>- `PaloAltoCortexXDR_Alerts_CL`<p>**Data collection rule support:** <br>Not currently supported</details> | [Microsoft Corporation](https://support.microsoft.com/) |
|
198 | 198 | |<a name="palo-alto-prisma-cloud-cspm-using-azure-functions"></a><details><summary>**Palo Alto Prisma Cloud CSPM (using Azure Functions)** </summary> <br> The Palo Alto Prisma Cloud CSPM data connector provides the capability to ingest [Prisma Cloud CSPM alerts](https://prisma.pan.dev/api/cloud/cspm/alerts#operation/get-alerts) and [audit logs](https://prisma.pan.dev/api/cloud/cspm/audit-logs#operation/rl-audit-logs) into Microsoft sentinel using the Prisma Cloud CSPM API. Refer to [Prisma Cloud CSPM API documentation](https://prisma.pan.dev/api/cloud/cspm) for more information.<p> **Log Analytics table(s):** <br> - `PaloAltoPrismaCloudAlert_CL`<br>- `PaloAltoPrismaCloudAudit_CL`<p>**Data collection rule support:** <br>Not currently supported<p>**Prerequisites:**<br> - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. For more information, see [Azure Functions](/azure/azure-functions/).<p> - **Palo Alto Prisma Cloud API Credentials**: **Prisma Cloud API Url**, **Prisma Cloud Access Key ID**, **Prisma Cloud Secret Key** are required for Prisma Cloud API connection. See the documentation to learn more about [creating Prisma Cloud Access Key](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-administrators/create-access-keys.html) and about [obtaining Prisma Cloud API Url](https://prisma.pan.dev/api/cloud/api-urls)</details> | [Microsoft Corporation](https://support.microsoft.com/) |
|
|
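Review bot: The prerequisite in the added row at new line 195 drops the pointer to key setup. The removed row named the **API Key Configuration File** and **Private Key** and linked to [creating keys for API access](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm), while the new text only says "Access to the OCI Streaming API through a API Signing Keys is required". Suggest fixing the grammar ("through API signing keys is required") and keeping the link so readers know which credential material to generate. The table also changes from `OCI_Logs_CL` to `OCI_LogsV2_CL` and the anchor is renamed, so as with any renamed entry a short note on what this row replaces would help readers whose queries or bookmarks still reference the old names.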