How to verify per-subscription delivery: in the Azure portal open Activity log (subscription scope) and choose Export Activity Logs at the top. This opens the subscription's diagnostic settings, which is where the Activity log is streamed to your Sentinel Log Analytics workspace. Confirm a setting exists, that it points to the correct workspace (compare the full workspace resource ID, not just the display name, in tenants with several workspaces), and that the log categories you rely on are enabled; the Sentinel Azure Activity connector's policy enables all eight (Administrative, Security, ServiceHealth, Alert, Recommendation, Policy, Autoscale, ResourceHealth). Repeat per subscription, or use the Azure Activity Log Sentinel Audit script to enumerate coverage at scale.
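The same check as a loop across every enabled subscription, as an added example written for this page (it is not the Azure Activity Log Sentinel Audit script mentioned above). It uses Az.Accounts and Az.Monitor 3.x, where Get-AzSubscriptionDiagnosticSetting returns a Log collection with Category and Enabled; the $ExpectedWorkspaceId parameter, the status labels and the CSV file name are assumptions of this example, while the eight category names are the standard Activity log categories.

```powershell
# Added example: report, per subscription, whether a diagnostic setting streams the
# Activity log to the expected Sentinel workspace with all eight categories enabled.
# Requires Az.Accounts and Az.Monitor 3.x; run Connect-AzAccount first.
# $ExpectedWorkspaceId (assumption): full resource ID of the Sentinel workspace, e.g.
#   /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>
param(
    [Parameter(Mandatory)] [string] $ExpectedWorkspaceId
)

$RequiredCategories = @('Administrative', 'Security', 'ServiceHealth', 'Alert',
                        'Recommendation', 'Policy', 'Autoscale', 'ResourceHealth')

$report = foreach ($sub in Get-AzSubscription | Where-Object State -eq 'Enabled') {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    $settings = Get-AzSubscriptionDiagnosticSetting -ErrorAction SilentlyContinue

    # Only settings whose destination is the Sentinel workspace count; a setting that
    # streams to Event Hub or to another workspace does not feed Sentinel.
    $toSentinel = @($settings | Where-Object {
        $_.WorkspaceId -and ($_.WorkspaceId -ieq $ExpectedWorkspaceId)
    })

    # Union of enabled categories across all matching settings, then the gap.
    $enabled = @($toSentinel | ForEach-Object { $_.Log } |
                Where-Object Enabled | Select-Object -ExpandProperty Category)
    $missing = @($RequiredCategories | Where-Object { $_ -notin $enabled })

    [pscustomobject]@{
        Subscription      = $sub.Name
        SubscriptionId    = $sub.Id
        SettingToSentinel = ($toSentinel.Name -join ',')
        MissingCategories = ($missing -join ',')
        Status            = if (-not $toSentinel) { 'NO_SETTING' }
                            elseif ($missing)     { 'PARTIAL' }
                            else                  { 'OK' }
    }
}

$report | Sort-Object Status | Format-Table -AutoSize
# Keep the gaps as evidence for the coverage worksheet (file name is an assumption).
$report | Where-Object Status -ne 'OK' |
    Export-Csv -NoTypeInformation -Path .\activity-log-coverage-gaps.csv
```

Anything reported as NO_SETTING or PARTIAL is a subscription whose Activity log will be silently absent or incomplete in AzureActivity; the identity running this needs Reader on each subscription to see its diagnostic settings at all, so a subscription missing from the output is itself a finding.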
UEBA dependency warning: If DeviceLogonEvents is moved to Data Lake only, Sentinel UEBA may miss this source. Validate UEBA data source coverage before and after the change.
Picked connectors show up inline with their full set of checks, retention and validation controls. Custom connectors are added to the chosen third-party category — pick the dropdown again to add more.
ℹ Totals are taken from Number of Windows / Linux workloads in Assessment Details.
Fill the Both / AMA only / MDE only counts from the Defender vs AMA coverage workbook; Uncovered is derived automatically.
Community workbook comparing AMA and MDE inventory to surface uncovered workloads and DCR gaps. Import from the GitHub source linked in the header above.
Windows AMA + MDE
Total comes from Number of Windows workloads above. Count each workload once: use Both for overlap.
Total: 0 | Uncovered: 0 | Both: 0% | AMA only: 0% | MDE only: 0%
Linux AMA + MDE
Total comes from Number of Linux workloads above. Count each workload once: use Both for overlap.
Total: 0 | Uncovered: 0 | Both: 0% | AMA only: 0% | MDE only: 0%
Tier 2
Extended Visibility — Additional Connectors
Cloud Security Posture
Alerts and recommendations from cloud workload protection — detects threats against infrastructure, identifies misconfigurations, and tracks compliance posture across cloud resources.
Note: The Tenant-based Microsoft Defender for Cloud (Preview) connector is only listed in the Azure portal Data connectors page — it is not visible in the Defender portal (security.microsoft.com). Install the Microsoft Defender for Cloud solution from Content Hub and configure the tenant-based connector from the Azure portal.
Connector Setup
Tables
Content Hub
Retention
Validation
Data Protection & Governance
Monitors access to sensitive data, secrets, and AI-powered services — helps detect data leakage, unauthorized access to credentials, and policy violations.
Note: Sentinel Key Vault connector uses Azure-diagnostics mode and writes to AzureDiagnostics (filter ResourceProvider == "MICROSOFT.KEYVAULT"). Resource-specific mode writes to AZKVAuditLogs and AZKVPolicyEvaluationDetailsLogs. Edit the table name to match your deployment.
Note: This is the Microsoft Purview connector for the Purview Data Map / Governance account. It surfaces data discovery and classification scan results (assets scanned, sensitive information types found, sensitivity labels applied) in the PurviewDataSensitivityLogs table. Setup is via the Purview account’s Diagnostic settings → DataSensitivityLogEvent → Log Analytics workspace. This is a different connector than Microsoft Purview Information Protection (Preview) below — enable both for full coverage.
Microsoft Purview Information Protection (Preview)
Note: This is the Microsoft Purview Information Protection (Preview) connector. It surfaces sensitivity-label activity from MIP labelling clients and scanners (label apply / change / downgrade, protected document access) via the Office Management API, in the MicrosoftPurviewInformationProtection table. Setup is from the Sentinel Data connectors page (Azure portal) → Microsoft Purview Information Protection (Preview) → Connect. This connector replaces the retired Azure Information Protection (AIP) connector. It is a different connector than Microsoft Purview (Data Map / Discovery) above — enable both for full coverage.
Detection Enrichment
Threat intelligence feeds that match indicators of compromise against log data — improves detection accuracy by correlating known-bad IPs, domains, URLs, and file hashes with observed activity.
Note: Microsoft Intune is not a Sentinel data connector — it does not appear in Content Hub or under Data connectors in the Sentinel/Defender portal. Intune log ingestion is configured directly from the Intune admin center → Reports → Diagnostics settings, sending logs to your Log Analytics workspace. Detections that use Intune tables come from generic or cross-solution analytic-rule templates rather than a dedicated Intune solution.
Identity & Access (Extended)
Extends identity monitoring with third-party identity provider logs from non-Microsoft identity systems.
Third-Party Identity Providers
Add each third-party identity provider individually. Common providers: Okta, CyberArk, Ping Identity, BeyondTrust.
Multi-Cloud
Extends visibility to workloads running outside the primary cloud environment — centralizes audit logs, threat detections, and network flow data from additional cloud providers.
Firewall, proxy, DNS, and flow-log data used to detect perimeter attacks, lateral movement, command-and-control traffic, and data exfiltration across the network.
Note: Azure Firewall is both a Sentinel data connector (install the Azure Firewall solution from Content Hub for analytic rules and workbooks) and a resource that needs a diagnostic setting on every firewall instance; installing the solution does not create those settings. Resource-specific mode writes the structured logs to dedicated AZFW* tables (for example AZFWNetworkRule, AZFWApplicationRule, AZFWDnsQuery), which is the mode the solution's structured-log content expects; legacy Azure-diagnostics mode writes everything to AzureDiagnostics instead, so pick the table rows to match the mode actually configured. Both steps (solution installed, diagnostic setting on each firewall) are required for ingestion.
Note: Sentinel WAF connector uses Azure-diagnostics mode and writes to AzureDiagnostics (ResourceType in APPLICATIONGATEWAYS, CDNWEBAPPLICATIONFIREWALLPOLICIES, FRONTDOORS). Resource-specific App Gateway tables: AGWAccessLogs, AGWFirewallLogs, AGWPerformanceLogs. Front Door / CDN: AzureFrontDoorAccessLog, AzureFrontDoorWebApplicationFirewallLog. Edit the table name to match your deployment.
Note: The Windows DNS Events via AMA connector writes to ASimDnsActivityLogs. DnsEvents (queries / analytic events) and DnsInventory (resource records) are the tables of the legacy DNS connector that used the Log Analytics agent (MMA). Edit the table name to match your deployment and add a row for the legacy tables only if you still have agent data in them.
Note: GSA does not have a Sentinel data connector. Logs are streamed via Microsoft Entra diagnostic settings (Entra ID → Monitoring & health → Diagnostic settings) — categories: NetworkAccessTrafficLogs, RemoteNetworkHealthLogs, NetworkAccessAlerts, NetworkAccessConnectionEvents, EnrichedOffice365AuditLogs. A Sentinel content-hub solution (“Global Secure Access”) provides the workbooks and analytics rules on top.
Note: Agentless connector ingests workspace-native tables (e.g. ABAPAuditLog, ABAPAuthorizationDetails, ABAPChangeDocsLog, ABAPUserDetails). Agent-based connector ingests custom *_CL tables (e.g. ABAPAuditLog_CL) queried via SAP solution functions (SAPAuditLog, SAPAppLog, …). Edit the table name to match your deployment and add rows for additional tables.
Note: Resource-specific diagnostic mode writes to dedicated tables. The two security-relevant defaults are pre-filled below: SQLSecurityAuditEvents (audit) and DevOpsOperationsAudit (Microsoft support operations). Legacy Azure-diagnostics mode instead writes everything to AzureDiagnostics — add a row for it if you're on that mode.
Other Azure SQL diagnostic log tables you can add via + Add another table if in scope (mostly performance/operational rather than security): SQLInsights, AutomaticTuning, QueryStoreWaitStatistics, Errors, DatabaseWaitStatistics, Timeouts, Blocks, Deadlocks. The Basic, InstanceAndAppAdvanced and WorkloadManagement categories are metrics — they land in AzureMetrics, not their own tables.
Other database engines (PostgreSQL, MySQL, on-prem SQL Server): rename the rows below to your platform's tables — e.g. AzureDiagnostics for Azure Database for PostgreSQL/MySQL, or your Arc/agent-collected table for on-prem — and set anything not applicable to N/A.
Third-Party Applications
Add each third-party application connector individually. Common examples: ServiceNow, Salesforce, Oracle EBS.
Collaboration & Communication
Captures advanced collaboration platform telemetry — meeting activity, Teams admin actions, and third-party communication tool logs beyond the baseline Office 365 connector.
Third-Party Collaboration Tools
Add each third-party collaboration platform individually. Common examples: Slack, Zoom, Cisco Webex.
Custom Applications
Crown jewel applications — custom-built or line-of-business apps sending logs via custom tables (CL_v2), DCR-based ingestion, or Azure Functions. Tracks access and transactions for the most business-critical assets.
Add each custom or line-of-business application individually, recording which ingestion path (custom table, DCR-based ingestion, or Azure Function) it uses.
DevOps & CI/CD Security
Monitors development and deployment pipelines — captures repository access, pipeline executions, code changes, and secrets management activity to detect supply chain attacks and unauthorized code modifications.
Note: Active CCF connector (GitHubAuditDefinitionV2) ingests into GitHubAuditLogsV2_CL. Deprecated polling connector wrote to GitHubAuditLogPolling_CL. GitHub Webhooks connector ingests into githubscanaudit_CL. Edit the table name to match your deployment.
Third-Party DevOps Platforms
Add each third-party DevOps platform individually. Common examples: GitLab, Bitbucket, Jenkins, CircleCI.
Infrastructure & Platform
Deep infrastructure telemetry — container orchestration logs, storage analytics, and Windows event forwarding for environments requiring centralized server audit trails.
Note: AKS supports both legacy and resource-specific collection modes. Legacy mode writes categories (for example kube-audit, kube-audit-admin, kube-apiserver) to AzureDiagnostics. Resource-specific mode writes to dedicated tables such as AKSAudit, AKSAuditAdmin, and AKSControlPlane and is preferred for security operations. ContainerInventory and KubeEvents are supplemental Container Insights telemetry. Use table rows below to model your actual mix.
Note: Azure Storage Account ingestion is configured through Azure Monitor Diagnostic settings on each storage account service. In current Sentinel guidance, the recommended mode is resource-specific, which writes to StorageBlobLogs, StorageQueueLogs, StorageTableLogs, and StorageFileLogs (plus AzureMetrics). AzureDiagnostics is a legacy Azure-diagnostics mode option and should only be used if your deployment is explicitly configured that way.
Note: Table routing is configured per table. AzureMetrics is Analytics-only; Storage* tables support Analytics or Lake.
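A single validation run over the table names given in the notes above (Key Vault, Azure Firewall, WAF, Windows DNS, Azure SQL, GitHub, AKS and Storage), as an added example written for this page rather than code from any Sentinel solution. It uses Az.OperationalInsights to run one KQL count per check; the $WorkspaceId parameter (the workspace GUID, not its resource ID), the lookback window and the status labels are assumptions, and the check list is meant to be edited down to the tables your diagnostic settings actually produce.

```powershell
# Added example: confirm each connector table is receiving rows, so the "Validation"
# step is one script run instead of a portal query per table.
# Requires Az.Accounts and Az.OperationalInsights; run Connect-AzAccount first.
# $WorkspaceId (assumption): the Log Analytics workspace GUID (customer ID).
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,
    [int] $LookbackHours = 24
)

# Check name -> KQL source. Shared tables (AzureDiagnostics) carry a filter so Key Vault
# or WAF rows are not masked by other resource types in the same table, and
# "union isfuzzy=true" keeps a query valid when one resource-specific table does not
# exist yet (a plain union fails to resolve and the whole check errors).
$Checks = [ordered]@{
    'Key Vault (Azure-diagnostics mode)' = 'AzureDiagnostics | where ResourceProvider == "MICROSOFT.KEYVAULT"'
    'Key Vault (resource-specific)'      = 'union isfuzzy=true AZKVAuditLogs, AZKVPolicyEvaluationDetailsLogs'
    'Azure Firewall (resource-specific)' = 'union isfuzzy=true AZFWNetworkRule, AZFWApplicationRule, AZFWDnsQuery'
    'WAF (Azure-diagnostics mode)'       = 'AzureDiagnostics | where ResourceType in ("APPLICATIONGATEWAYS", "CDNWEBAPPLICATIONFIREWALLPOLICIES", "FRONTDOORS")'
    'Windows DNS via AMA'                = 'ASimDnsActivityLogs'
    'Azure SQL audit'                    = 'SQLSecurityAuditEvents'
    'GitHub audit (CCF connector)'       = 'GitHubAuditLogsV2_CL'
    'AKS audit (resource-specific)'      = 'union isfuzzy=true AKSAudit, AKSAuditAdmin, AKSControlPlane'
    'Storage (resource-specific)'        = 'union isfuzzy=true StorageBlobLogs, StorageQueueLogs, StorageTableLogs, StorageFileLogs'
}

$timespan = New-TimeSpan -Hours $LookbackHours
$results = foreach ($name in $Checks.Keys) {
    # summarize count() always returns one row, so an empty table shows up as Rows = 0.
    $query = "$($Checks[$name]) | summarize Rows = count(), Latest = max(TimeGenerated)"
    try {
        $resp = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query `
                    -Timespan $timespan -ErrorAction Stop
        $row  = $resp.Results | Select-Object -First 1
        $rows = [int64]$row.Rows
        [pscustomobject]@{
            Check  = $name
            Rows   = $rows
            Latest = $row.Latest
            Status = if ($rows -gt 0) { 'OK' } else { 'NO_DATA' }
        }
    } catch {
        # A table that was never created (no connector, no diagnostic setting) cannot be
        # resolved and ends here; that is a coverage gap, not a transient failure.
        [pscustomobject]@{
            Check  = $name
            Rows   = $null
            Latest = $null
            Status = "ERROR: $($_.Exception.Message)"
        }
    }
}

$results | Format-Table -AutoSize
```

NO_DATA against a table that exists usually means the diagnostic setting is present but pointed at a different workspace or mode (for example Key Vault streaming to AZKVAuditLogs while the worksheet row expects AzureDiagnostics); an ERROR row for a resource-specific table means nothing has ever created it. Run it with a short lookback on a schedule and the output doubles as the evidence column for the Validation rows above.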
Operational Technology and Internet of Things monitoring — captures alerts and asset inventory from industrial control systems, building management systems, and IoT device networks.