
Data connectors

Data connectors are essential for ingesting events, telemetry, and data into Sentinel. You will often get data connectors from the content hub, but it is possible to get data into Sentinel without a data connector.

Data connectors come in a few different forms: native connectors that connect your workspace to Microsoft services such as Entra ID or Defender XDR, third-party connectors designed to ingest data from non-Microsoft sources, and common data format connectors such as Syslog and Common Event Format.

Data connectors are set up in different ways: some are as simple as a checkbox, others require creating Data Collection Rules or supplying API keys. I have listed some common data connectors below and plan to expand the list as time allows.

Azure activity

Azure activity is a free connector for Sentinel.

Connecting Azure activity involves configuring an Azure policy. If this is your first time connecting Azure activity, follow these steps:

  1. Open the connector page.
  2. Go to the bottom of the page and click Launch Azure Policy Assignment wizard.
  3. Select the scope of the policy. You can select an individual Azure subscription, or a management group if you have many Azure subscriptions. Note that you can select your root management group and then exclude some subscriptions from the list as well. You do not need to specify a resource group.
  4. On the Parameters page, select your destination log analytics workspace. This should be the log analytics workspace your Sentinel environment is a part of.
  5. Once you reach the Remediation page, be sure to tick the checkbox to enable remediation.
    1. This is important: a new Azure policy only applies to new resources in the target scope. The remediation task ensures all pre-existing Azure resources are configured to send their audit logs to our Sentinel workspace.
    2. You may also want to change the region to match the region of your log analytics workspace.
  6. Now review and create the policy.

If you have already connected Azure audit, or want to verify it, you can do so by:

  1. Go to Azure Policy and make sure you have the correct subscription selected.
  2. Go to Compliance. Assuming you kept the policy's default name, you should see Configure Azure Policy logs to stream to specified Log Analytics workspace.
  3. Click on the policy, then at the top of the page click View assignment.
  4. Locate the logAnalytics parameter and expand the parameter value column; the end of the string after /workspaces/ should contain your log analytics workspace name.

To verify the remediation task exists:

  1. Go back to Azure Policy.
  2. Go to Remediation and locate Configure Azure Policy logs to stream to specified Log Analytics workspace or whatever you named your policy.
  3. If this is missing, go back to the policy on the Compliance tab, open it, and select Create remediation task.
    1. Note: if neither of these exists, one of the following applies...
      1. You did not create the policy from Sentinel
      2. You are not viewing the right scope (or perhaps do not have access)
      3. You changed the default name that the data connector provides

Tip

If you know you connected your Azure activity data connector and it is not showing as connected, there is a good chance no one has generated any audit events for Azure resources in 7 days. This is common in smaller Azure infrastructures; remember that audit activity here is for Azure resources, not Entra ID audit logs.
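A quick way to see whether the 7-day quiet period described in the tip is what you are hitting is to ask the workspace directly. The KQL below is an added example and not part of the original page; it assumes the standard AzureActivity schema (SubscriptionId, Caller, TimeGenerated) and looks back 30 days so that subscriptions which used to send events but have gone quiet still appear, flagged as not seen in the connector's 7-day window.

```kql
// Added example (not from the original page): per-subscription Azure Activity
// freshness. Looks back 30 days and flags subscriptions with no events in the
// last 7 days, the window after which the connector stops showing as connected.
let Window = 7d;
AzureActivity
| where TimeGenerated > ago(30d)
| summarize Events = count(),
            LastEvent = max(TimeGenerated),
            DistinctCallers = dcount(Caller)
    by SubscriptionId
| extend SeenInWindow = LastEvent > ago(Window),
         HoursSinceLast = datetime_diff('hour', now(), LastEvent)
| order by LastEvent desc
```

An empty result means no subscription in scope has produced any activity in 30 days, which points back at the policy assignment and remediation checks above rather than at the connector itself.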

Cisco Duo

This connector utilizes an Azure Function. It is relatively straightforward to connect; note that the default function includes all log types. If you are not paying for Duo Premier, not all log types will be available to you and you will receive an error. Be sure to scope your access down to the specific log types you have access to.

Construction

Add more detailed instructions.

Microsoft 365

Microsoft 365 is a free connector for Sentinel.

  1. Open the connector page.
  2. Select the logs you would like to collect.
  3. Click save.

Available logs
  • OfficeActivity (SharePoint)
  • OfficeActivity (Exchange)
  • OfficeActivity (Teams)

Microsoft Defender XDR

Ingesting incidents and alerts through this data connector is free; however, ingesting any of the telemetry from MDE, MDCA, etc. is subject to ingestion pricing.

  1. Open the connector page.
  2. Be sure all the prerequisites have a green check at the top of the page; if you are missing an item, fix that before attempting to connect Defender XDR.
  3. Connect Incidents and alerts.
  4. If desired, tick the checkboxes next to the telemetry tables you wish to ingest; again, these are subject to ingestion charges.
    1. If you added any tables, be sure to hit Save at the bottom of the page. This is not necessary if you are only ingesting incidents and alerts.

Available logs
  • Defender XDR
    • SecurityIncident 🆓
    • SecurityAlert 🆓
    • AlertEvidence
  • Defender for Endpoint
    • DeviceEvents
    • DeviceFileEvents
    • DeviceImageLoadEvents
    • DeviceInfo
    • DeviceLogonEvents
    • DeviceNetworkEvents
    • DeviceNetworkInfo
    • DeviceProcessEvents
    • DeviceRegistryEvents
    • DeviceFileCertificateInfo
  • Defender for Office 365
    • EmailEvents
    • EmailUrlInfo
    • EmailAttachmentInfo
    • EmailPostDeliveryEvents
    • UrlClickEvents
  • Defender for Identity
    • IdentityLogonEvents
    • IdentityQueryEvents
    • IdentityDirectoryEvents
  • Defender for Cloud Apps
    • CloudAppEvents

The above "Included with E5 data grant" tooltips are current as of February 10th, 2025. You can see the current Microsoft list in the FAQ at the bottom of the page here.
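Because every table below the incidents and alerts is subject to ingestion charges, it is worth watching how much each one actually ingests once enabled. The query below is an added example, not part of the original page; it uses the standard Log Analytics Usage table (DataType, Quantity in MB, IsBillable) and the table names listed above. Whether a billable table is then covered by an E5 data grant is applied at billing time and is not visible in Usage, so treat this as a volume check rather than a cost report.

```kql
// Added example (not from the original page): 30-day ingestion volume for each
// table the Defender XDR connector can enable, grouped by table and by whether
// Log Analytics marks the records as billable.
let XdrTables = dynamic([
    "SecurityIncident", "SecurityAlert", "AlertEvidence",
    "DeviceEvents", "DeviceFileEvents", "DeviceImageLoadEvents", "DeviceInfo",
    "DeviceLogonEvents", "DeviceNetworkEvents", "DeviceNetworkInfo",
    "DeviceProcessEvents", "DeviceRegistryEvents", "DeviceFileCertificateInfo",
    "EmailEvents", "EmailUrlInfo", "EmailAttachmentInfo", "EmailPostDeliveryEvents",
    "UrlClickEvents",
    "IdentityLogonEvents", "IdentityQueryEvents", "IdentityDirectoryEvents",
    "CloudAppEvents"]);
Usage
| where TimeGenerated > ago(30d)
| where DataType in (XdrTables)
| summarize TotalMB = round(sum(Quantity), 1),
            AvgMBPerDay = round(sum(Quantity) / 30, 2),
            LastIngestion = max(TimeGenerated)
    by DataType, IsBillable
| order by TotalMB desc
```

Tables you ticked but which do not appear here have not ingested anything in 30 days; check that you hit Save and that the prerequisite checks on the connector page were green.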

Tip

You need to connect incidents and alerts before you can enable the Unified SOC in Defender XDR. Once you have connected the Unified SOC, you can access 30 days of all the available logs for free through Advanced hunting in the Defender portal. This appears to work with Analytic rules and Advanced hunting at this time, but does not currently work with Workbooks.

If you encounter an error when you try to access the data connector page, you may need to exclude yourself from a Conditional Access classic policy. The policy will have "Device policy" in the name; it should be fine to remove the policy altogether, but that is out of scope for this article. I would recommend excluding yourself from the policy for now. Note that if you disable a classic policy you cannot re-enable it.

Once you connect this connector, you will see all the other Defender connectors, as well as Entra ID Identity Protection, showing on the data connector page.

Microsoft Entra ID

This data connector includes tables covered by the E5 data grant.

  1. Open the connector page.
  2. Select the logs you would like to collect.
  3. Click save.

Available logs
  • SigninLogs
  • AuditLogs
  • AADNonInteractiveUserSignInLogs ⚠
  • AADServicePrincipalSignInLogs
  • AADManagedIdentitySignInLogs
  • AADProvisioningLogs
  • ADFSSignInLogs
  • AADUserRiskEvents
  • AADRiskyUsers
  • NetworkAccessTraffic
  • AADRiskyServicePrincipals
  • AADServicePrincipalRiskEvents

The above "Included with E5 data grant" tooltips are current as of February 10th, 2025. You can see the current Microsoft list in the FAQ at the bottom of the page here.
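Selecting tables on the Microsoft 365, Defender XDR and Entra ID connector pages only tells you what was requested; it does not tell you what is arriving. The query below is an added example, not part of the original page, that checks every table those three connectors list above and reports the ones with no rows in the last 24 hours. The table names are taken from this page; the connector labels are just grouping strings I chose, and isfuzzy=true lets the union run even if some table has never been created in the workspace, so a never-populated table shows up as missing instead of failing the query.

```kql
// Added example (not from the original page): expected-vs-observed table check
// for the Microsoft 365, Defender XDR and Entra ID connectors listed on this page.
let Expected = datatable(Connector: string, TableName: string) [
    "Microsoft 365", "OfficeActivity",
    "Defender XDR", "SecurityIncident",
    "Defender XDR", "SecurityAlert",
    "Defender XDR", "AlertEvidence",
    "Defender XDR", "DeviceEvents",
    "Defender XDR", "DeviceFileEvents",
    "Defender XDR", "DeviceImageLoadEvents",
    "Defender XDR", "DeviceInfo",
    "Defender XDR", "DeviceLogonEvents",
    "Defender XDR", "DeviceNetworkEvents",
    "Defender XDR", "DeviceNetworkInfo",
    "Defender XDR", "DeviceProcessEvents",
    "Defender XDR", "DeviceRegistryEvents",
    "Defender XDR", "DeviceFileCertificateInfo",
    "Defender XDR", "EmailEvents",
    "Defender XDR", "EmailUrlInfo",
    "Defender XDR", "EmailAttachmentInfo",
    "Defender XDR", "EmailPostDeliveryEvents",
    "Defender XDR", "UrlClickEvents",
    "Defender XDR", "IdentityLogonEvents",
    "Defender XDR", "IdentityQueryEvents",
    "Defender XDR", "IdentityDirectoryEvents",
    "Defender XDR", "CloudAppEvents",
    "Entra ID", "SigninLogs",
    "Entra ID", "AuditLogs",
    "Entra ID", "AADNonInteractiveUserSignInLogs",
    "Entra ID", "AADServicePrincipalSignInLogs",
    "Entra ID", "AADManagedIdentitySignInLogs",
    "Entra ID", "AADProvisioningLogs",
    "Entra ID", "ADFSSignInLogs",
    "Entra ID", "AADUserRiskEvents",
    "Entra ID", "AADRiskyUsers",
    "Entra ID", "NetworkAccessTraffic",
    "Entra ID", "AADRiskyServicePrincipals",
    "Entra ID", "AADServicePrincipalRiskEvents"
];
// withsource= stamps each row with the table it came from; isfuzzy=true skips
// tables that do not exist in this workspace instead of failing the query.
let Observed = union withsource=TableName isfuzzy=true
    OfficeActivity, SecurityIncident, SecurityAlert, AlertEvidence,
    DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceInfo,
    DeviceLogonEvents, DeviceNetworkEvents, DeviceNetworkInfo,
    DeviceProcessEvents, DeviceRegistryEvents, DeviceFileCertificateInfo,
    EmailEvents, EmailUrlInfo, EmailAttachmentInfo, EmailPostDeliveryEvents,
    UrlClickEvents, IdentityLogonEvents, IdentityQueryEvents,
    IdentityDirectoryEvents, CloudAppEvents,
    SigninLogs, AuditLogs, AADNonInteractiveUserSignInLogs,
    AADServicePrincipalSignInLogs, AADManagedIdentitySignInLogs,
    AADProvisioningLogs, ADFSSignInLogs, AADUserRiskEvents, AADRiskyUsers,
    NetworkAccessTraffic, AADRiskyServicePrincipals, AADServicePrincipalRiskEvents
    | where TimeGenerated > ago(24h)
    | summarize Rows = count(), LastRow = max(TimeGenerated) by TableName;
// Left join keeps every expected table; unmatched ones have a null row count.
Expected
| join kind=leftouter Observed on TableName
| project Connector, TableName,
          Rows = coalesce(Rows, 0),
          LastRow,
          Status = iff(isnull(Rows), "no rows in 24h", "ok")
| order by Connector asc, Status asc, TableName asc
```

A table reported as "no rows in 24h" is not necessarily a fault: low-volume tables such as the risk event tables can legitimately be quiet for a day, so widen the window before concluding a connector is broken.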