Common Event Format solution for Sentinel
Solution: Common Event Format
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.5 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-05-30 |
| Solution Folder | Common Event Format |
| Marketplace | Azure Marketplace · Popularity: 🟢 High (84%) |
The Common Event Format (CEF) solution for Microsoft Sentinel allows you to ingest logs from any product and/or appliance that can send logs in the Common Event Format (CEF) over Syslog messages.
Installing this solution will deploy two data connectors,
- Common Event Format via AMA - This data connector helps in ingesting CEF formatted logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector
- Common Event Format via Legacy Agent - This data connector helps in ingesting CEF formatted logs into your Log Analytics Workspace using the legacy Log Analytics agent.
**NOTE**: Microsoft recommends Installation of Common Event Format via AMA. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported.
Underlying Microsoft Technologies used:
This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
a. Agent-based log collection (CEF over Syslog)
Contents
Data Connectors
This solution provides 1 data connector(s) (plus 1 discovered⚠️):
🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.
Tables Used
This solution uses 1 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
CommonSecurityLog |
Common Event Format (CEF), Common Event Format (CEF) via AMA | Workbooks |
Content Items
This solution includes 1 content item(s):
| Content Type | Count |
|---|---|
| Workbooks | 1 |
Workbooks
| Name | Tables Used |
|---|---|
| CEFOverviewWorkbook | CommonSecurityLog |
Release Notes
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.6 | 20-08-2025 | The main template solution has been updated by changing arrays to fields for datatypes, graphqueries and samplequeries. |
| 3.0.5 | 08-07-2025 | Modifying the availability status. |
| 3.0.4 | 24-06-2025 | Updated Connector kind of Legacy CEF Data Connector so that the queries will be reflected. |
| 3.0.3 | 18-06-2025 | Updated Connectivity Criteria for Legacy CEF Data Connector to add Device Vendors |
| 3.0.2 | 30-04-2025 | Updated Connectivity Criteria for CEFAMA Data Connector |
| 3.0.1 | 04-07-2024 | CEFOverview workbook added |
| 3.0.0 | 22-05-2024 | Updated connectivity criteria for Data Connector |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊