How to verify per-subscription delivery: in the Azure portal, open Activity log at subscription scope and choose Export Activity Logs at the top. This opens the diagnostic settings that stream the subscription's Activity log to your Sentinel Log Analytics workspace; confirm that a setting exists, points to the correct workspace, and has the required log categories enabled. Repeat per subscription, or use the Azure Activity Log Sentinel Audit script to enumerate coverage at scale.
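The three checks above (a setting exists, it targets the Sentinel workspace, the required categories are enabled) are easy to lose track of across many subscriptions. The following is an added example, not the page's Azure Activity Log Sentinel Audit script, that applies those checks to the JSON a tool such as `az monitor diagnostic-settings subscription list` returns per subscription. It assumes each setting is a dict carrying a `workspaceId` and a `logs` array of `{category, enabled}` entries; the required-category set, workspace IDs and the inventory below are constructed sample values.

```python
"""Audit subscription-scope diagnostic settings for Activity Log delivery to Sentinel.

Added example; assumes the per-subscription JSON shape produced by
`az monitor diagnostic-settings subscription list` (a list of settings, each with
`name`, `workspaceId` and `logs: [{category, enabled}]`). Sample data is constructed.
"""

# Activity Log categories the Sentinel workspace is expected to receive (assumption:
# adjust this set to your own logging policy).
REQUIRED_CATEGORIES = {
    "Administrative", "Security", "ServiceHealth", "Alert",
    "Recommendation", "Policy", "Autoscale", "ResourceHealth",
}


def check_subscription(settings, expected_workspace_id, required=REQUIRED_CATEGORIES):
    """Return (ok, findings) for one subscription.

    ok is True only if at least one setting targets the expected workspace with
    every required category enabled; findings explain each failing setting.
    """
    if not settings:
        return False, ["no subscription-scope diagnostic setting exists"]
    findings = []
    for s in settings:
        name = s.get("name", "<unnamed>")
        ws = s.get("workspaceId") or ""
        # ARM resource IDs are compared case-insensitively.
        if ws.lower() != expected_workspace_id.lower():
            findings.append(f"{name}: targets {ws or 'no workspace'}, not the Sentinel workspace")
            continue
        enabled = {entry["category"] for entry in s.get("logs", []) if entry.get("enabled")}
        missing = sorted(required - enabled)
        if missing:
            findings.append(f"{name}: correct workspace but categories disabled: {', '.join(missing)}")
            continue
        return True, [f"{name}: OK"]
    return False, findings


def audit(inventory, expected_workspace_id):
    """Map subscription name -> (ok, findings) for a dict of settings lists."""
    return {sub: check_subscription(s, expected_workspace_id) for sub, s in inventory.items()}


# Constructed sample: placeholder subscription and workspace IDs.
SENTINEL_WS = ("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-sentinel"
               "/providers/Microsoft.OperationalInsights/workspaces/law-sentinel")
OTHER_WS = SENTINEL_WS.replace("law-sentinel", "law-ops")


def _logs(enabled_categories):
    """Build a logs array with every required category, enabling only the given ones."""
    return [{"category": c, "enabled": c in enabled_categories} for c in sorted(REQUIRED_CATEGORIES)]


SAMPLE_INVENTORY = {
    "sub-prod": [{"name": "to-sentinel", "workspaceId": SENTINEL_WS, "logs": _logs(REQUIRED_CATEGORIES)}],
    "sub-dev": [{"name": "to-ops", "workspaceId": OTHER_WS, "logs": _logs(REQUIRED_CATEGORIES)}],
    "sub-test": [{"name": "partial", "workspaceId": SENTINEL_WS, "logs": _logs({"Administrative", "Alert"})}],
    "sub-sandbox": [],
}

if __name__ == "__main__":
    for sub, (ok, findings) in audit(SAMPLE_INVENTORY, SENTINEL_WS).items():
        print(f"{'PASS' if ok else 'FAIL'} {sub}: {'; '.join(findings)}")
```

Feeding real output in is a matter of replacing `SAMPLE_INVENTORY` with the parsed JSON per subscription; the point of the check is that "a setting exists" alone is not coverage, because a setting aimed at the wrong workspace or missing the Security category passes a casual glance at the portal.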
Picked connectors show up inline with their full set of checks, retention and validation controls. Custom connectors are added to the chosen third-party category — pick the dropdown again to add more.
ℹ Totals are taken from Number of Windows / Linux workloads in Assessment Details.
Fill the Both / AMA only / MDE only counts from the Defender vs AMA coverage workbook; Uncovered is derived automatically.
Community workbook comparing AMA and MDE inventory to surface uncovered workloads and DCR gaps. Import from the GitHub source linked in the header above.
Windows AMA + MDE
Total comes from Number of Windows workloads above. Count each workload once: use Both for overlap.
Fields: Total, Uncovered, Both (count and %), AMA only (count and %), MDE only (count and %).
Linux AMA + MDE
Total comes from Number of Linux workloads above. Count each workload once: use Both for overlap.
Fields: Total, Uncovered, Both (count and %), AMA only (count and %), MDE only (count and %).
Tier 2: Extended Visibility — Additional Connectors
Cloud Security Posture
Alerts and recommendations from cloud workload protection — detects threats against infrastructure, identifies misconfigurations, and tracks compliance posture across cloud resources.
Note: The Tenant-based Microsoft Defender for Cloud (Preview) connector is only listed in the Azure portal Data connectors page — it is not visible in the Defender portal (security.microsoft.com). Install the Microsoft Defender for Cloud solution from Content Hub and configure the tenant-based connector from the Azure portal.
Checks: Connector Setup, Tables, Content Hub, Retention, Validation.
Data Protection & Governance
Monitors access to sensitive data, secrets, and AI-powered services — helps detect data leakage, unauthorized access to credentials, and policy violations.
Note: This is the Microsoft Purview connector for the Purview Data Map / Governance account. It surfaces data discovery and classification scan results (assets scanned, sensitive information types found, sensitivity labels applied) in the PurviewDataSensitivityLogs table. Setup is via the Purview account’s Diagnostic settings → DataSensitivityLogEvent → Log Analytics workspace. This is a different connector than Microsoft Purview Information Protection (Preview) below — enable both for full coverage.
Checks: Connector Setup, Tables, Content Hub, Retention, Validation.
Microsoft Purview Information Protection (Preview)
Note: This is the Microsoft Purview Information Protection (Preview) connector. It surfaces sensitivity-label activity from MIP labelling clients and scanners (label apply / change / downgrade, protected document access) via the Office Management API, in the MicrosoftPurviewInformationProtection table. Setup is from the Sentinel Data connectors page (Azure portal) → Microsoft Purview Information Protection (Preview) → Connect. This connector replaces the retired Azure Information Protection (AIP) connector. It is a different connector than Microsoft Purview (Data Map / Discovery) above — enable both for full coverage.
Checks: Connector Setup, Tables, Content Hub, Retention, Validation.
Detection Enrichment
Threat intelligence feeds that match indicators of compromise against log data — improves detection accuracy by correlating known-bad IPs, domains, URLs, and file hashes with observed activity.
Note: Microsoft Intune is not a Sentinel data connector — it does not appear in Content Hub or under Data connectors in the Sentinel/Defender portal. Intune log ingestion is configured directly from the Intune admin center → Reports → Diagnostics settings, sending logs to your Log Analytics workspace. Detections that use Intune tables come from generic or cross-solution analytic-rule templates rather than a dedicated Intune solution.
Checks: Connector Setup, Tables, Detections, Retention, Validation.
Identity & Access (Extended)
Extends identity monitoring with third-party identity provider logs from non-Microsoft identity systems.
Third-Party Identity Providers (paid)
Add each third-party identity provider individually. Common providers: Okta, CyberArk, Ping Identity, BeyondTrust.
Multi-Cloud
Extends visibility to workloads running outside the primary cloud environment — centralizes audit logs, threat detections, and network flow data from additional cloud providers.
Firewall, proxy, DNS, and flow-log data used to detect perimeter attacks, lateral movement, command-and-control traffic, and data exfiltration across the network.
Note: Azure Firewall is both a Sentinel data connector (install the Azure Firewall solution from Content Hub for analytic rules and workbooks) and a resource that requires diagnostic settings on every firewall instance. Logs are emitted only when diagnostic settings are enabled in resource-specific mode (per-table AZFW* destinations) — not via the legacy AzureDiagnostics table. Both steps are required for ingestion.
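Because the legacy AzureDiagnostics destination silently satisfies "a diagnostic setting exists" while leaving the AZFW* tables empty, it is worth checking the destination mode explicitly. The following added example (not part of the page or of any Microsoft tooling) inspects per-firewall diagnostic settings as returned by `az monitor diagnostic-settings list --resource <firewall id>`. It assumes each setting exposes `workspaceId`, `logAnalyticsDestinationType` (`"Dedicated"` for resource-specific mode) and a `logs` array whose entries carry either `category` or `categoryGroup` plus `enabled`; the firewall inventory and IDs below are constructed.

```python
"""Check Azure Firewall diagnostic settings for resource-specific delivery to Sentinel.

Added example; assumes the JSON shape of `az monitor diagnostic-settings list`
(per setting: `name`, `workspaceId`, `logAnalyticsDestinationType`, `logs`).
Sample data is constructed.
"""

# Constructed placeholder workspace resource ID.
SENTINEL_WS = ("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-sentinel"
               "/providers/Microsoft.OperationalInsights/workspaces/law-sentinel")


def check_firewall(settings, expected_workspace_id):
    """Return (ok, findings) for one firewall's list of diagnostic settings.

    ok requires a setting that (1) targets the Sentinel workspace, (2) uses
    resource-specific mode (logAnalyticsDestinationType == "Dedicated") and
    (3) enables at least one log category or category group.
    """
    if not settings:
        return False, ["no diagnostic setting on this firewall"]
    findings = []
    for s in settings:
        name = s.get("name", "<unnamed>")
        ws = s.get("workspaceId") or ""
        if ws.lower() != expected_workspace_id.lower():
            findings.append(f"{name}: not sent to the Sentinel workspace (workspaceId={ws or 'none'})")
            continue
        if s.get("logAnalyticsDestinationType") != "Dedicated":
            # Legacy mode lands in AzureDiagnostics; AZFW* tables stay empty.
            findings.append(f"{name}: legacy AzureDiagnostics mode, AZFW* tables will not be populated")
            continue
        enabled = [e.get("category") or e.get("categoryGroup") for e in s.get("logs", []) if e.get("enabled")]
        if not enabled:
            findings.append(f"{name}: resource-specific mode but no log categories enabled")
            continue
        return True, [f"{name}: OK ({', '.join(enabled)})"]
    return False, findings


def audit_firewalls(inventory, expected_workspace_id):
    """Map firewall name -> (ok, findings)."""
    return {fw: check_firewall(s, expected_workspace_id) for fw, s in inventory.items()}


# Constructed sample covering the three failure modes and one compliant firewall.
SAMPLE_FIREWALLS = {
    "fw-hub": [{"name": "to-sentinel", "workspaceId": SENTINEL_WS,
                "logAnalyticsDestinationType": "Dedicated",
                "logs": [{"categoryGroup": "allLogs", "enabled": True}]}],
    "fw-legacy": [{"name": "to-sentinel", "workspaceId": SENTINEL_WS,
                   "logAnalyticsDestinationType": None,
                   "logs": [{"category": "AzureFirewallApplicationRule", "enabled": True}]}],
    "fw-empty": [{"name": "to-sentinel", "workspaceId": SENTINEL_WS,
                  "logAnalyticsDestinationType": "Dedicated",
                  "logs": [{"categoryGroup": "allLogs", "enabled": False}]}],
    "fw-none": [],
}

if __name__ == "__main__":
    for fw, (ok, findings) in audit_firewalls(SAMPLE_FIREWALLS, SENTINEL_WS).items():
        print(f"{'PASS' if ok else 'FAIL'} {fw}: {'; '.join(findings)}")
```

The Content Hub solution install is the other half of the note and is not something this check can see; it only tells you whether the firewall side is actually emitting into the tables the solution's analytic rules query.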
Add each third-party application connector individually. Common examples: ServiceNow, Salesforce, Oracle EBS.
Collaboration & Communication
Captures advanced collaboration platform telemetry — meeting activity, Teams admin actions, and third-party communication tool logs beyond the baseline Office 365 connector.
Third-Party Collaboration Tools (paid)
Add each third-party collaboration platform individually. Common examples: Slack, Zoom, Cisco Webex.
Custom Applications
Crown jewel applications — custom-built or line-of-business apps sending logs via custom tables (CL_v2), DCR-based ingestion, or Azure Functions. Tracks access and transactions for the most business-critical assets.
Add each custom or line-of-business application individually. These are typically ingested via custom tables (CL_v2), DCR-based ingestion, or Azure Functions.
DevOps & CI/CD Security
Monitors development and deployment pipelines — captures repository access, pipeline executions, code changes, and secrets management activity to detect supply chain attacks and unauthorized code modifications.
Add each third-party DevOps platform individually. Common examples: GitLab, Bitbucket, Jenkins, CircleCI.
Infrastructure & Platform
Deep infrastructure telemetry — container orchestration logs, storage analytics, and Windows event forwarding for environments requiring centralized server audit trails.
Operational Technology and Internet of Things monitoring — captures alerts and asset inventory from industrial control systems, building management systems, and IoT device networks.