|
2 | 2 | author: EdB-MSFT |
3 | 3 | ms.author: edbaynash |
4 | 4 | ms.topic: include |
5 | | -ms.date: 03/17/2026 |
| 5 | +ms.date: 03/23/2026 |
6 | 6 |
|
7 | 7 | # This file is auto-generated. Do not edit manually. Changes will be overwritten. |
8 | 8 | --- |
@@ -480,6 +480,23 @@ You can stream the audit logs from the WebCTRL SQL server hosted on Windows mach |
480 | 480 |
|
481 | 481 | --- |
482 | 482 |
|
| 483 | +<a name="aws-eks-data-connector-via-codeless-connector-framework"></a><details><summary>**AWS EKS Data Connector (via Codeless Connector Framework)**</summary> |
| 484 | + |
| 485 | +**Supported by:** [Microsoft Corporation](https://support.microsoft.com/) |
| 486 | + |
| 487 | +The AWS EKS data connector provides the capability to ingest audit logs from [Amazon Elastic Kubernetes Service](https://aws.amazon.com/eks/) into Microsoft Sentinel. This connector focuses on EKS audit logs (JSON format) which contain detailed information about API server requests, authentication decisions, and cluster activities. The connector uses AWS SQS to receive notifications when new audit log files are exported to S3, ensuring real-time security monitoring and compliance tracking for your Kubernetes clusters. |
| 488 | + |
| 489 | +**Log Analytics table(s):** |
| 490 | + |
| 491 | +|Table|DCR support|Lake-only ingestion| |
| 492 | +|---|---|---| |
| 493 | +|`AWSEKSLogs_CL`|No|No| |
| 494 | + |
| 495 | +**Data collection rule support:** Not currently supported<br><br> |
| 496 | +</details> |
| 497 | + |
| 498 | + --- |
| 499 | + |
483 | 500 | <a name="aws-s3-server-access-logs-via-codeless-connector-framework"></a><details><summary>**AWS S3 Server Access Logs (via Codeless Connector Framework)**</summary> |
484 | 501 |
|
485 | 502 | **Supported by:** [Microsoft Corporation](https://support.microsoft.com/) |
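Review bot: The new AWS EKS entry (new lines 483-496) has no **Prerequisites:** section, even though its description says the connector relies on AWS SQS notifications and on audit log files exported to S3. The other connectors added in this commit list their prerequisites, so readers of this entry cannot tell which AWS-side resources and permissions must exist before deployment. Because the file is auto-generated, the prerequisites need to be added in the connector's source definition rather than here. Consider also softening "ensuring real-time security monitoring" at 487: ingestion that starts only after a log file is exported to S3 and signalled through SQS is bounded by that export step.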
@@ -5909,6 +5926,30 @@ SecurityBridge enhances SAP security by integrating seamlessly with Microsoft Se |
5909 | 5926 |
|
5910 | 5927 | --- |
5911 | 5928 |
|
| 5929 | +<a name="semperis-lightning-logs"></a><details><summary>**Semperis Lightning Logs**</summary> |
| 5930 | + |
| 5931 | +**Supported by:** [Semperis](https://www.semperis.com/support/) |
| 5932 | + |
| 5933 | +The [Semperis Lightning](https://www.semperis.com/platform/) connector uses Azure Functions to ingest Semperis Lightning identity security data into Microsoft Sentinel. The connector deploys an Azure Function and collects data into custom Log Analytics tables for investigation and threat hunting. |
| 5934 | + |
| 5935 | +**Log Analytics table(s):** |
| 5936 | + |
| 5937 | +|Table|DCR support|Lake-only ingestion| |
| 5938 | +|---|---|---| |
| 5939 | +|`LightningTier0Nodes_CL`|No|No| |
| 5940 | +|`LightningAttackPaths_CL`|No|No| |
| 5941 | +|`LightningIOEResults_CL`|No|No| |
| 5942 | + |
| 5943 | +**Data collection rule support:** Not currently supported |
| 5944 | + |
| 5945 | +**Prerequisites:** |
| 5946 | + |
| 5947 | +- **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. For more information, see [Azure Functions](/azure/azure-functions/). |
| 5948 | +- **Semperis Lightning API credentials**: A Semperis Lightning **API Key** and selected **Zone** (na or eu) are required to authenticate the connector to Semperis Lightning.<br><br> |
| 5949 | +</details> |
| 5950 | + |
| 5951 | + --- |
| 5952 | + |
5912 | 5953 | <a name="sentinelone"></a><details><summary>**SentinelOne**</summary> |
5913 | 5954 |
|
5914 | 5955 | **Supported by:** [Microsoft Corporation](https://support.microsoft.com/) |
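Review bot: The Semperis Lightning prerequisite at new line 5948 gives the Zone values as bare prose, "(na or eu)", and does not say where the API Key ends up once it is supplied. Format the zone values as literals (`na`, `eu`) so it is clear they are the exact strings to enter, and state how the Function App stores the key, since the connector holds that credential to authenticate to Semperis Lightning. At 5947, "Read and write permissions to Azure Functions to create a Function App is required" should read "are required". The description at 5933 would also be more useful to hunters if it said what each of `LightningTier0Nodes_CL`, `LightningAttackPaths_CL` and `LightningIOEResults_CL` contains.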
@@ -6068,23 +6109,6 @@ Use this data connector to integrate with Sonrai Security and get Sonrai tickets |
6068 | 6109 | |---|---|---| |
6069 | 6110 | |`Sonrai_Tickets_CL`|No|No| |
6070 | 6111 |
|
6071 | | -**Data collection rule support:** Not currently supported<br><br> |
6072 | | -</details> |
6073 | | - |
6074 | | - --- |
6075 | | - |
6076 | | -<a name="sophos-cloud-optix"></a><details><summary>**Sophos Cloud Optix**</summary> |
6077 | | - |
6078 | | -**Supported by:** [Sophos](https://community.sophos.com/products/sophos-cloud-optix/) |
6079 | | - |
6080 | | -The [Sophos Cloud Optix](https://www.sophos.com/products/cloud-optix.aspx) connector allows you to easily connect your Sophos Cloud Optix logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's cloud security and compliance posture and improves your cloud security operation capabilities. |
6081 | | - |
6082 | | -**Log Analytics table(s):** |
6083 | | - |
6084 | | -|Table|DCR support|Lake-only ingestion| |
6085 | | -|---|---|---| |
6086 | | -|`SophosCloudOptix_CL`|No|No| |
6087 | | - |
6088 | 6112 | **Data collection rule support:** Not currently supported<br><br> |
6089 | 6113 | </details> |
6090 | 6114 |
|
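Review bot: The removal at old lines 6071-6087 drops the whole Sophos Cloud Optix entry, including the `sophos-cloud-optix` anchor and the `SophosCloudOptix_CL` table reference, with no deprecation or replacement note anywhere in the visible change. Inbound links to that anchor will stop resolving, and workspaces that already hold data in `SophosCloudOptix_CL` lose the only description of where that table came from. Since the file header says it is auto-generated, please confirm the connector was intentionally retired in the source catalog and is not missing because of a generator or input regression. If it is retired, say so in the commit message or in a deprecated-connectors list.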
@@ -7008,6 +7032,58 @@ The [Workplace](https://www.workplace.com/) data connector provides the capabili |
7008 | 7032 |
|
7009 | 7033 | --- |
7010 | 7034 |
|
| 7035 | +<a name="xbow-security-platform-via-azure-function"></a><details><summary>**XBOW Security Platform (via Azure Function)**</summary> |
| 7036 | + |
| 7037 | +**Supported by:** [XBOW](https://xbow.com/contact) |
| 7038 | + |
| 7039 | +The **XBOW** data connector ingests asset snapshots, vulnerability findings, and assessment activity from the [XBOW Security Platform](https://console.xbow.com) into Microsoft Sentinel. An Azure Function polls the XBOW API on a timer and pushes asset JSON snapshots into `XbowAssets_CL`, enriched findings (with evidence, PoC recipes, impact, and mitigations) into `XbowFindings_CL`, and assessment lifecycle events into `XbowAssessments_CL`, using the [Azure Monitor Ingestion API](/azure/azure-monitor/logs/logs-ingestion-api-overview) (DCE/DCR). |
| 7040 | + |
| 7041 | +**Log Analytics table(s):** |
| 7042 | + |
| 7043 | +|Table|DCR support|Lake-only ingestion| |
| 7044 | +|---|---|---| |
| 7045 | +|`XbowAssets_CL`|No|No| |
| 7046 | +|`XbowFindings_CL`|No|No| |
| 7047 | +|`XbowAssessments_CL`|No|No| |
| 7048 | + |
| 7049 | +**Data collection rule support:** Not currently supported |
| 7050 | + |
| 7051 | +**Prerequisites:** |
| 7052 | + |
| 7053 | +- **XBOW API Token**: A XBOW Personal Access Token is required. Generate one in the [XBOW console](https://console.xbow.com) under **Settings > Personal Access Tokens**. Scope the token to the organization you want to monitor. |
| 7054 | +- **XBOW Organization ID**: The Organization ID from your XBOW account. Find it in the XBOW console URL or via the API. |
| 7055 | +- **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. For more information, see [Azure Functions](/azure/azure-functions/). |
| 7056 | +- **Custom prerequisites if necessary, otherwise delete this customs tag**: Description for any custom pre-requisites |
| 7057 | +- **Azure AD App Registration**: An Azure AD App Registration (service principal) is required. You must manually assign the **Monitoring Metrics Publisher** role on the Data Collection Rule (DCR) to this App Registration after deployment.<br><br> |
| 7058 | +</details> |
| 7059 | + |
| 7060 | + --- |
| 7061 | + |
| 7062 | +<a name="zero-networks-segment-push"></a><details><summary>**Zero Networks Segment (Push)**</summary> |
| 7063 | + |
| 7064 | +**Supported by:** [Zero Networks](https://zeronetworks.com/) |
| 7065 | + |
| 7066 | +The [Zero Networks Segment](https://zeronetworks.com/) push connector allows Zero Networks to send Audits, Network Activities, Identity Activities, and RPC Activities directly to Microsoft Sentinel in real time. Deploy the connector to create a Data Collection Rule (DCR) and Microsoft Entra app; then configure your Zero Networks application with the connection details to push events. |
| 7067 | + |
| 7068 | +**Log Analytics table(s):** |
| 7069 | + |
| 7070 | +|Table|DCR support|Lake-only ingestion| |
| 7071 | +|---|---|---| |
| 7072 | +|`ZNAudit_CL`|No|No| |
| 7073 | +|`ZNNetworkActivity_CL`|No|No| |
| 7074 | +|`ZNIdentityActivity_CL`|No|No| |
| 7075 | +|`ZNRPCActivity_CL`|No|No| |
| 7076 | + |
| 7077 | +**Data collection rule support:** Not currently supported |
| 7078 | + |
| 7079 | +**Prerequisites:** |
| 7080 | + |
| 7081 | +- **Microsoft Entra**: Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher. |
| 7082 | +- **Microsoft Azure**: Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). Typically requires Azure RBAC Owner or User Access Administrator role.<br><br> |
| 7083 | +</details> |
| 7084 | + |
| 7085 | + --- |
| 7086 | + |
7011 | 7087 | <a name="zero-networks-segment-audit"></a><details><summary>**Zero Networks Segment Audit**</summary> |
7012 | 7088 |
|
7013 | 7089 | **Supported by:** [Zero Networks](https://zeronetworks.com/) |
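Review bot: New line 7056 in the XBOW prerequisites is unfilled template text that leaked into published documentation: "**Custom prerequisites if necessary, otherwise delete this customs tag**: Description for any custom pre-requisites". Remove it in the connector's source definition, since this file is auto-generated and a manual fix here would be overwritten. In the same entry, the table at 7045-7047 and line 7049 report no DCR support, while the description at 7039 says data is pushed through the Azure Monitor Ingestion API (DCE/DCR) and the prerequisite at 7057 requires a role assignment on the DCR. The Zero Networks Segment (Push) entry has the same mismatch between 7066/7082 and 7077. Clarify what "DCR support" means in that column, or correct the values. Line 7057 also says "Azure AD App Registration" where the Zero Networks entry at 7081 uses "Microsoft Entra ID"; use one name. Finally, because 7039 states that `XbowFindings_CL` carries evidence and PoC recipes, a note recommending restricted read access to that table would be appropriate.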
@@ -7134,20 +7210,19 @@ The [Zoom](https://zoom.us/) Reports data connector provides the capability to i |
7134 | 7210 |
|
7135 | 7211 | **Supported by:** [Microsoft Corporation](https://support.microsoft.com/) |
7136 | 7212 |
|
7137 | | -The [Zoom Reports](https://developers.zoom.us/docs/api/) data connector enables you to ingest Zoom Reports data into Microsoft Sentinel through the Zoom REST API v2, allowing you to monitor and audit Zoom usage across your organization. This connector uses server-to-server OAuth account credentials for authentication and supports ingestion of multiple report types including Daily Usage Reports for meeting statistics and usage metrics, User Reports for active/inactive user host information, Telephony Reports for telephony usage statistics, Cloud Recording Usage Reports for cloud storage and recording usage, Operation Logs for administrative operations and audit trail, and Activity Logs for user sign-in/sign-out activities. Each report type is collected in a separate polling configuration with automatic pagination support using NextPageToken, polling every 5 minutes per 7-day window with a rate limit of 2 queries per second per endpoint and up to 3 automatic retries with exponential backoff. The data connector is built on Microsoft Sentinel Codeless Connector Framework and supports DCR-based [ingestion time transformations](/azure/azure-monitor/logs/custom-logs-overview) for optimized query performance. |
| 7213 | +The [Zoom Reports](https://developers.zoom.us/docs/api/) data connector enables you to ingest Zoom Reports data into Microsoft Sentinel through the Zoom REST API v2, allowing you to monitor and audit Zoom usage across your organization. This connector uses server-to-server OAuth account credentials for authentication and supports ingestion of multiple report types including Daily Usage Reports for meeting statistics and usage metrics, User Reports for active/inactive user host information, Telephony Reports for telephony usage statistics, Cloud Recording Usage Reports for cloud storage and recording usage, Operation Logs for administrative operations and audit trail, and Activity Logs for user sign-in/sign-out activities. Each report type is collected in a separate polling configuration with automatic pagination support using NextPageToken. The data connector is built on Microsoft Sentinel Codeless Connector Framework and supports DCR-based [ingestion time transformations](/azure/azure-monitor/logs/custom-logs-overview) for optimized query performance. |
7138 | 7214 |
|
7139 | 7215 | **Log Analytics table(s):** |
7140 | 7216 |
|
7141 | 7217 | |Table|DCR support|Lake-only ingestion| |
7142 | 7218 | |---|---|---| |
7143 | | -|`Zoom_CL`|Yes|Yes| |
| 7219 | +|`ZoomV2_CL`|No|No| |
7144 | 7220 |
|
7145 | | -**Data collection rule support:** [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) |
| 7221 | +**Data collection rule support:** Not currently supported |
7146 | 7222 |
|
7147 | 7223 | **Prerequisites:** |
7148 | 7224 |
|
7149 | | -- **Zoom API access**: Access to Zoom REST API v2 with account credentials |
7150 | | -- **If you've used an `Azure Functions` based connector that uses the same table Zoom_CL before**: Migrate your classic custom table to use the CCF connector. Open your `Log Analytics Workspace` attached to the current `Microsoft Sentinel Workspace`, find the existing Zoom_CL and edit its schema, then click `Migrate to manual schema management` to migrate. Please close the current data connector page and reopen it after migration to see the effect, in case you run into errors asking for table migration.<br><br> |
| 7225 | +- **Zoom API access**: Access to Zoom REST API v2 with account credentials<br><br> |
7151 | 7226 | </details> |
7152 | 7227 |
|
7153 | 7228 | --- |
|
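Review bot: After this change the Zoom entry contradicts itself. The retained description at new line 7213 still says the connector "supports DCR-based ingestion time transformations", but the table row at 7219 now shows `ZoomV2_CL` with DCR support "No", and 7221 says "Not currently supported". One of the two is wrong and should be corrected in the generator's source. The table rename from `Zoom_CL` to `ZoomV2_CL` also comes with the migration prerequisite removed at old line 7150 and nothing in its place, so readers with analytics rules, workbooks or hunting queries written against `Zoom_CL` are not told that new data lands in a different table. Add a short note on the rename and on what happens to existing `Zoom_CL` data. The polling interval, rate limit and retry details removed from the description were operationally useful for estimating ingestion delay; if they are still accurate, consider keeping them.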