Data Connectors & Log Ingestion
Understanding the Concept
Microsoft Sentinel is a cloud-native SIEM and SOAR solution built on Azure Log Analytics. Data connectors bring security data from Microsoft services, third-party vendors, and custom sources into Sentinel for centralized analysis.
First-party connectors (Microsoft Defender XDR, Entra ID, Azure Activity) integrate with minimal configuration. Third-party connectors typically ingest data over CEF, Syslog, or a vendor's REST API. Custom connectors can be built using the Log Analytics API.
Data ingestion cost is a key consideration. Sentinel is billed per GB ingested, and data lands in specific workspace tables (SecurityEvent, CommonSecurityLog, custom tables). Commitment tiers and basic logs are the main cost-optimization options.
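As an added example (not code from this page or from Microsoft), the parser below takes one syslog-wrapped CEF line, the format a third-party CEF connector forwards, and maps it onto the column names the CommonSecurityLog table uses; it handles the escaped '|' and '=' characters a valid CEF message must carry. The extension-key mapping is a subset assumed for the example, and the sample event is constructed.

```python
import re
# CEF header positions 1..6 map to these CommonSecurityLog columns (position 0 is the CEF version).
HEADER_COLS = ["DeviceVendor", "DeviceProduct", "DeviceVersion",
               "DeviceEventClassID", "Activity", "LogSeverity"]
# Common CEF extension keys -> CommonSecurityLog columns (a subset, assumed for this example).
CEF_TO_CSL = {"src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort", "dpt": "DestinationPort",
              "act": "DeviceAction", "suser": "SourceUserName", "msg": "Message"}
# key=value pairs; values may contain spaces and end where the next ' key=' begins or at end of line.
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s\w+=|$)")

def _unescape(value: str) -> str:  # undo CEF extension escapes: \= \\ \n \r
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line: str) -> dict:
    """Parse one CEF line (optionally syslog-prefixed) into CommonSecurityLog-style columns."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    body = line[start + 4:]
    fields, cur, i = [], [], 0
    # Header: seven fields split on unescaped '|' ('\|' and '\\' are escapes); the rest is the extension.
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    rec = {"CefVersion": fields[0]}
    rec.update(zip(HEADER_COLS, fields[1:]))
    extras = []  # unmapped keys are kept as 'k=v;k=v' in AdditionalExtensions
    for key, val in EXT_RE.findall(body[i:]):
        col = CEF_TO_CSL.get(key)
        if col:
            rec[col] = _unescape(val)
        else:
            extras.append(f"{key}={_unescape(val)}")
    rec["AdditionalExtensions"] = ";".join(extras)
    return rec

# Constructed sample event (not from any real device); note the escaped '=' inside msg.
SAMPLE = ("<134>Oct 12 10:01:22 fw01 CEF:0|Contoso|FireGate|3.1|1001|Inbound connection denied|7|"
          "src=203.0.113.9 dst=10.0.0.5 dpt=3389 act=deny msg=RDP blocked\\=policy suser=jdoe cs1=dmz-rule-17")
```

Feeding a malformed line (no `CEF:` marker, or fewer than seven header fields) raises rather than silently producing a half-populated record, which is the behaviour you want before anything reaches the workspace.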
Key Points
- Cloud-native SIEM built on Azure Log Analytics
- First-party, third-party, and custom data connectors
- Common formats: CEF, Syslog, REST API
- Pay-per-GB pricing with commitment tier discounts
- Basic logs for high-volume, low-value data at reduced cost
- Microsoft Defender XDR connector for unified XDR+SIEM
Sentinel Data Flow
- Data Sources: Microsoft, third-party, and custom logs
- Connectors: CEF, Syslog, API, native integration
- Log Analytics: data stored in workspace tables
- Analytics: rules detect threats in ingested data
- Automation: playbooks respond to detections
Why This Matters in Real Organizations
Security visibility is only as good as the data you collect. Sentinel aggregates security data from the entire environment (on-premises, multi-cloud, and SaaS) into a single platform for correlation and analysis.
Common Mistakes to Avoid
Interview Tips
- Be ready to discuss hands-on experience configuring data connectors
- Explain strategies for cost optimization with commitment tiers and basic logs
Exam Tips (SC-200)
- Know the types of data connectors available
- Understand pricing: pay-per-GB vs commitment tiers
- Know basic logs vs analytics logs differences