Microsoft Sentinel integrates with over 350 data sources through built-in connectors, enabling comprehensive security monitoring across your entire environment. This guide walks you through connecting various data sources to build a unified security operations platform.
Prerequisites
Before connecting data sources, ensure you have:
- Microsoft Sentinel workspace deployed in your Azure subscription
- Appropriate Azure RBAC permissions (Microsoft Sentinel Contributor or higher)
- Content Hub access to install required solutions
- Data source credentials or API keys for third-party services
- Network connectivity allowing outbound HTTPS (443) from agents if using on-premises sources
Understanding Data Connector Types
Microsoft Sentinel offers several connector categories to accommodate different data sources:
| Connector Type | Best For | Example Sources |
|---|---|---|
| Service-to-Service | Microsoft services | Microsoft 365, Azure AD, Defender XDR |
| Agent-Based | On-premises systems | Windows servers, Linux servers, firewalls |
| API-Based | Cloud services | AWS, Okta, Salesforce |
| Syslog/CEF | Network devices | Firewalls, routers, IDS/IPS |
| Custom | Proprietary systems | Internal applications, legacy systems |
Step 1: Access the Data Connectors Page
Via the Defender Portal (Recommended)
- Navigate to the Microsoft Defender portal at https://security.microsoft.com
- Select Microsoft Sentinel from the navigation menu
- Choose your workspace if you have multiple
- Go to Configuration > Data connectors
Via the Azure Portal
- Navigate to the Azure portal at https://portal.azure.com
- Search for Microsoft Sentinel
- Select your workspace
- Under Configuration, click Data connectors
Step 2: Install Required Solutions from Content Hub
Many data connectors require installing the corresponding solution from the Content Hub first:
- In Microsoft Sentinel, go to Content management > Content hub
- Search for the solution matching your data source (e.g., "Microsoft Defender for Cloud")
- Click on the solution to view details
- Click Install or Update if already installed
- Wait for installation to complete (typically 1-2 minutes)
Tip: Installing a solution often includes analytics rules, workbooks, and hunting queries in addition to the data connector.
Step 3: Connect Microsoft Services
Microsoft services offer the simplest integration experience with service-to-service connectors.
Connect Microsoft Entra ID (Azure AD)
- In Data connectors, search for "Microsoft Entra ID"
- Click on the connector and select Open connector page
- Review the Prerequisites section
- Under Configuration, select the log types to enable:
  - Sign-in logs - User authentication events
  - Audit logs - Directory changes and admin activities
  - Provisioning logs - User provisioning events
  - Risky users - Identity Protection risk data
- Click Apply Changes
Connect Microsoft Defender XDR
- Search for "Microsoft Defender XDR" in Data connectors
- Open the connector page
- Under Configuration, select Connect incidents & alerts
- Choose the Defender products to include:
  - Microsoft Defender for Endpoint
  - Microsoft Defender for Office 365
  - Microsoft Defender for Identity
  - Microsoft Defender for Cloud Apps
- Enable Turn off all Microsoft incident creation rules to avoid duplicates
- Click Apply Changes
Connect Microsoft 365
- Install the "Microsoft 365" solution from Content Hub
- Open the Office 365 connector
- Select the data types to ingest:
  - Exchange - Email audit logs
  - SharePoint - Document activity
  - Teams - Collaboration events
- Click Apply Changes
Step 4: Connect Third-Party Cloud Services
Connect Amazon Web Services (AWS)
- Install the "Amazon Web Services" solution from Content Hub
- Open the Amazon Web Services connector
- Review prerequisites:
  - AWS account with CloudTrail enabled
  - IAM role with appropriate permissions
- In AWS Console, create an IAM role:
  - Trust relationship allowing your Azure tenant
  - Attach the required policy for CloudTrail access
- In Sentinel, enter your:
  - AWS Account ID
  - Role ARN from the created IAM role
- Click Add to connect
Connect Okta
- Install the "Okta Single Sign-On" solution
- Open the Okta SSO connector
- Generate an API token in your Okta admin console:
  - Go to Security > API > Tokens
  - Create a new token with read permissions
- In Sentinel, enter:
  - Okta domain (e.g., yourcompany.okta.com)
  - API Token
- Click Connect
Step 5: Connect On-Premises Sources with Agents
Install Azure Monitor Agent (AMA)
For Windows servers:
- In the Azure portal, navigate to your server's Virtual Machine resource
- Go to Settings > Extensions + applications
- Click Add and select Azure Monitor Agent
- Configure the agent settings and install
For Linux servers:
```bash
# Download and install the AMA
wget https://aka.ms/InstallAzureMonitorAgentLinux -O InstallDCRAgent.sh
sudo bash InstallDCRAgent.sh
```
Create Data Collection Rules (DCR)
- In Microsoft Sentinel, go to Configuration > Data collection rules
- Click Create
- Configure the rule:
  - Name: Descriptive name for the rule
  - Platform type: Windows or Linux
  - Data sources: Select log types (Windows Events, Syslog, etc.)
  - Destination: Your Log Analytics workspace
- Add resources (VMs) that should use this rule
- Click Create
Connect Syslog Sources
- Deploy a Linux log forwarder VM if collecting from network devices
- Install the Azure Monitor Agent on the forwarder
- Configure the Syslog daemon to receive logs:
```bash
# Edit rsyslog configuration
sudo nano /etc/rsyslog.conf
```
Add these lines to enable UDP and TCP reception:
```
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
```
- Restart the Syslog service:
```bash
sudo systemctl restart rsyslog
```
- Configure your network devices to send logs to the forwarder's IP address
Connect CEF Sources
Common Event Format (CEF) provides standardized logging for security devices:
- Install the AMA on your log forwarder
- Create a DCR for CEF data collection
- Configure your security appliance to send CEF-formatted logs to the forwarder
- Verify data in the CommonSecurityLog table
Step 6: Verify Data Ingestion
Check Connector Status
- Return to the Data connectors page
- Locate your connected source
- Verify the status shows Connected (green indicator)
- Review the Data received graph for recent activity
Run Verification Queries
Open Logs and run queries to confirm data is flowing:
```kusto
// Check Microsoft Entra ID sign-in logs
SigninLogs
| where TimeGenerated > ago(1h)
| take 10
```
```kusto
// Check Windows Security Events
SecurityEvent
| where TimeGenerated > ago(1h)
| summarize count() by EventID
| order by count_ desc
```
```kusto
// Check Syslog data
Syslog
| where TimeGenerated > ago(1h)
| summarize count() by Facility, SeverityLevel
```
Monitor Ingestion Health
- Go to Settings > Workspace settings
- Click on Logs under your Log Analytics workspace
- Run the workspace health query:
```kusto
// Billable volume per table over the last day
// Quantity is reported in MB, so dividing by 1000 gives decimal GB
Usage
| where TimeGenerated > ago(24h)
| summarize TotalGB = sum(Quantity)/1000 by DataType
| order by TotalGB desc
```
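A connector that silently stops is easy to miss in a volume ranking because it simply drops off the list. The query below is an added example, not from the original guide: it compares a list of tables you expect to be populated (an assumed list, edit it to match the connectors you enabled) against the last billable hour recorded in Usage. Usage is aggregated hourly, so LastSeen can lag by up to an hour and the threshold should stay at two hours or more.

```kusto
// Added example: which expected tables have stopped, or never started, sending data?
// Usage is aggregated hourly, so LastSeen can lag by up to an hour; keep stale_after >= 2h.
let stale_after = 2h;
// Assumed list: replace with the tables your enabled connectors populate
let expected = datatable(DataType:string) [
    "SigninLogs", "AuditLogs", "SecurityEvent", "Syslog", "CommonSecurityLog"
];
let seen = Usage
    | where TimeGenerated > ago(7d) and IsBillable == true
    | summarize LastSeen = max(TimeGenerated), TotalMB = sum(Quantity) by DataType;
expected
| join kind=leftouter seen on DataType
| extend Silence = now() - LastSeen
| extend Status = case(isnull(LastSeen), "NEVER SEEN",
                       Silence > stale_after, "STALE",
                       "OK")
| project DataType, Status, LastSeen, Silence, TotalMB = round(TotalMB, 1)
| order by Status asc, Silence desc
```

Tables reported as NEVER SEEN have no billable ingestion in the 7-day lookback at all, which usually points at a connector that was enabled but never completed its configuration.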
Troubleshooting Common Issues
Data Not Appearing After Connection
Symptoms: Connector shows connected but no data in logs.
Solutions:
- Wait at least 2 hours for initial data ingestion
- Verify permissions on both the source and Sentinel workspace
- Check the connector's diagnostic logs for errors
- Ensure required APIs are enabled (for cloud services)
- Verify network connectivity from agents to Azure
Agent Communication Failures
Symptoms: On-premises agent shows disconnected.
Solutions:
- Verify outbound HTTPS (443) connectivity to Azure
- Check proxy settings if applicable
- Restart the Azure Monitor Agent service
- Review agent logs for specific errors
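To see which hosts are affected rather than relying on the connector status alone, the following added example (not part of the original guide) uses the Heartbeat table that the Azure Monitor Agent writes for every connected machine. The 15-minute threshold is an assumption to adjust for your environment.

```kusto
// Added example: Azure Monitor Agents that have not checked in recently.
// AMA sends a Heartbeat roughly once a minute; the 15m threshold is an assumed value.
let missing_after = 15m;
Heartbeat
| where TimeGenerated > ago(7d)
| where Category == "Azure Monitor Agent"
| summarize LastHeartbeat = max(TimeGenerated),
            AgentVersion = take_any(Version),
            OS = take_any(OSType)
          by Computer, ResourceId
| extend MissingFor = now() - LastHeartbeat
| where MissingFor > missing_after
| project Computer, OS, AgentVersion, LastHeartbeat, MissingFor
| order by MissingFor desc
```

A machine that appears here while its Syslog or SecurityEvent data has also stopped narrows the problem to the agent's outbound connectivity or service state rather than the DCR.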
High Data Volume Warnings
Symptoms: Unexpected data ingestion costs or volume alerts.
Solutions:
- Review which log types are enabled and disable unnecessary ones
- Implement data collection rules to filter events
- Use transformation rules to reduce data before ingestion
- Consider archiving to the Sentinel data lake for long-term storage
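Before adding an ingestion-time transformation to a DCR, you can measure what it would drop by running the same filter against data already in the workspace. The query below is an added example, not from the original guide; the severity levels it discards are an assumption and should be reviewed against what your detections actually need.

```kusto
// Added example: estimate how much Syslog volume a DCR transformation would drop,
// per host, before you apply it. The equivalent transformKql in the DCR would be:
//   source | where SeverityLevel !in ("debug", "info", "notice")
// The severities dropped here are an assumption; check them against your detections.
let window = 24h;
let kept = Syslog
    | where TimeGenerated > ago(window)
    | where SeverityLevel !in ("debug", "info", "notice")
    | summarize After = count() by Computer;
Syslog
| where TimeGenerated > ago(window)
| summarize Before = count() by Computer
| join kind=leftouter kept on Computer
| extend After = coalesce(After, 0)
| extend ReductionPct = round(100.0 * (Before - After) / Before, 1)
| project Computer, Before, After, ReductionPct
| order by Before desc
```

Hosts with a very high ReductionPct are the noisy sources worth filtering first; a host with a low percentage is mostly sending the severities you keep and gains little from this transformation.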
Best Practices for Data Connectors
| Practice | Benefit |
|---|---|
| Start with critical sources | Prioritize high-value security logs first |
| Use Content Hub solutions | Get analytics rules and workbooks included |
| Implement DCRs for filtering | Reduce costs by filtering at collection |
| Document your connections | Maintain an inventory of all sources |
| Monitor ingestion regularly | Catch issues before they impact detection |
| Test with sample queries | Verify data quality after connection |
Next Steps
After connecting your data sources:
- Create analytics rules to detect threats in your ingested data
- Build workbooks to visualize security metrics
- Configure automation to respond to detected incidents
- Set up hunting queries to proactively search for threats
- Review cost management to optimize your data retention strategy
Additional Resources
Need help with your Microsoft Sentinel deployment? Inventive HQ provides expert SIEM implementation services, from initial data source integration to advanced analytics configuration. Contact us for a free consultation.