Domain 1 of 4 · Chapter 4 of 4

Ingest Data Sources in Microsoft Sentinel

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Security Operations Analyst Associate premium course — no separate purchase.

Included in this chapter:

  • The ingestion model: source to connector to table
  • Identify which data sources to ingest
  • Install and use Content hub solutions
  • Configure Microsoft connectors for Azure resources
  • Plan and configure Syslog and CEF collection
  • Collect Windows Security events with DCRs and WEF
  • Create custom log tables in the workspace
  • Monitor and optimize data ingestion

Picking a Sentinel ingestion mechanism by source

MechanismWhat it collectsAgent neededConfigured by
Native data connector (Content hub)Microsoft services + major clouds (Entra ID, M365, Defender XDR, AWS, GCP)No agent (service-to-service)Install solution, click Connect
AMA Syslog / CEF DCRNetwork appliances: firewalls, proxies, IDS over Syslog/CEFAMA on a Linux forwarder VMData collection rule (facility/severity filter)
AMA Windows-event DCRWindows Security/System/Application events, optionally via WEFAMA on Windows hosts or WEF collectorData collection rule (XPath filter)
Custom _CL tableAnything with no built-in connector (in-house apps, niche tools)AMA text-log DCR or none (API)Logs Ingestion API or custom DCR

Decision tree

Microsoft or major-cloudservice?Native connectorinstall from Content hubA machine sending logs?Syslog/CEF or WindowsCustom _CL tableLogs Ingestion APIWindows events?vs appliance Syslog/CEFAMA Syslog / CEF DCRLinux forwarder VMAMA Windows-event DCRXPath filter, optional WEFYesNoNo connectorYesNo, applianceYes

Cheat sheet

  • Sentinel ingests into a Log Analytics workspace, so every source becomes a table
  • Use the Azure Monitor Agent, not the retired Log Analytics agent (MMA)
  • A data collection rule decides what an agent keeps and which table it writes
  • Install a Content hub solution, then open the connector and click Connect
  • Microsoft SaaS and security products use agentless service-to-service connectors
  • Collect Azure resource logs with diagnostic settings, not an agent
  • Syslog and CEF arrive through a Linux forwarder running AMA
  • CEF lands in CommonSecurityLog; plain Syslog lands in the Syslog table
  • Windows Security events use an XPath DCR and the Windows Security Events connector tiers
  • Use Windows Event Forwarding to collectors when per-machine agents do not scale
  • Create a custom _CL table for sources with no built-in connector
  • Push custom logs with the Logs Ingestion API, not the retired Data Collector API
  • Filter and drop data with an ingestion-time transformation before it bills
  • Route security-critical data to Analytics logs and high-volume noise to Basic or Auxiliary logs
  • Find the noisy tables with the Usage table and Workspace usage report
  • Don't pay for the free first-party data
  • Watch connector health, because a silent connector means missed detections
  • Prioritize identity, email, endpoint, and Defender data over verbose network telemetry
  • Summary rules write their aggregated output to a custom _CL table in the Analytics tier
  • Diagnostic settings: Azure Diagnostics shares one table, Resource specific creates per-category tables

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. https://learn.microsoft.com/en-us/azure/sentinel/overview
  2. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview
  3. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-migration
  4. https://learn.microsoft.com/en-us/azure/sentinel/best-practices-data
  5. https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-deploy
  6. https://learn.microsoft.com/en-us/azure/sentinel/connect-defender-for-cloud
  7. https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-activity
  8. https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog-ama
  9. https://learn.microsoft.com/en-us/azure/sentinel/connect-windows-security-events
  10. https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview
  11. https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-transformations
  12. https://learn.microsoft.com/en-us/azure/sentinel/billing-monitor-costs