This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
This article describes how to make API-based connections to Microsoft Sentinel. Microsoft Sentinel uses the Azure foundation to provide built-in, service-to-service support for data ingestion from many Azure and Microsoft 365 services, Amazon Web Services, and various Windows Server services. There are a few different methods through which these connections are made.
This article presents information that is common to the group of API-based data connectors.
Note
For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.
You must have read and write permissions on the Log Analytics workspace.
You must have a Security administrator role on your Microsoft Sentinel workspace's tenant, or the equivalent permissions.
Data connector specific requirements:
| Data connector | Licensing, costs, and other prerequisites |
|---|---|
| Microsoft Entra ID Protection | - Microsoft Entra ID P2 subscription - Other charges may apply |
| Dynamics 365 | - Microsoft Dynamics 365 production license. Not available for sandbox environments. - At least one user assigned a Microsoft/Office 365 E1 or greater license. - Audit logging enabled in Microsoft Purview. See Turn auditing on or off. - Audit logging enabled in your Microsoft Dataverse environment. See Microsoft Dataverse and model-driven apps activity logging. - Other charges may apply. |
| Microsoft Defender for Cloud Apps | For Cloud Discovery logs, enable Microsoft Sentinel as your SIEM in Microsoft Defender for Cloud Apps |
| Microsoft Defender for Endpoint | Valid license for Microsoft Defender for Endpoint deployment |
| Microsoft Defender for Office 365 | Valid license for Office 365 ATP Plan 2 |
| Microsoft 365 | - Your Microsoft 365 deployment must be on the same tenant as your Microsoft Sentinel workspace. - Other charges may apply. |
| Microsoft Power BI | - Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace. - Other charges may apply. |
| Microsoft Purview Information Protection | - Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace. - Other charges may apply. |
| Microsoft Purview Insider Risk Management (IRM) | - Valid subscription for Microsoft 365 E5/A5/G5, or their accompanying Compliance or IRM add-ons. - Microsoft Purview Insider Risk Management fully onboarded, and IRM policies defined and producing alerts. - Microsoft 365 IRM configured to enable the export of IRM alerts to the Office 365 Management Activity API in order to receive the alerts through the Microsoft Sentinel connector. |
From the Microsoft Sentinel navigation menu, select Data connectors.
Select your service from the data connectors gallery, and then select Open Connector Page on the preview pane.
Select Connect to start streaming events and/or alerts from your service into Microsoft Sentinel.
If on the connector page there is a section titled Create incidents - recommended!, select Enable if you want to automatically create incidents from alerts.
You can find and query the data for each service using the table names that appear in the section for the service's connector in the Data connectors reference page.
For more information, see:
Training
Module
Connect Microsoft services to Microsoft Sentinel - Training
Connect Microsoft services to Microsoft Sentinel
Certification
Microsoft Certified: Security Operations Analyst Associate - Certifications
Investigate, search for, and mitigate threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.