Connect data sources to Microsoft Sentinel by using data connectors

To connect data sources to Microsoft Sentinel, you need to install and configure data connectors. This article generally explains how to install data connectors available in the Microsoft Sentinel Content hub to ingest and analyze data for improved threat detection.

Important

Microsoft Sentinel is generally available in the Microsoft Defender portal, including for customers without Microsoft Defender XDR or an E5 license.

Starting in July 2026, all customers using Microsoft Sentinel in the Azure portal will be redirected to the Defender portal and will use Microsoft Sentinel in the Defender portal only. Starting in July 2025, many new customers are automatically onboarded and redirected to the Defender portal.

If you're still using Microsoft Sentinel in the Azure portal, we recommend that you start planning your transition to the Defender portal to ensure a smooth transition and take full advantage of the unified security operations experience offered by Microsoft Defender. For more information, see It’s Time to Move: Retiring Microsoft Sentinel’s Azure portal for greater security.

Prerequisites

Before you begin, make sure that you have the appropriate access and that you or someone in your organization has installed the related solution.

Enable a data connector

After you or someone in your organization installs the solution that includes the data connector you need, configure the data connector to start ingesting data.

  1. For Microsoft Sentinel in the Defender portal, select Microsoft Sentinel > Configurations > Data connectors. For Microsoft Sentinel in the Azure portal, under Configuration, select Data connectors.

  2. Search for and select the connector. If you don't see the data connector you want, check again that the relevant solution is installed in the Content hub.

  3. Select Open connector page.

  4. Review the Prerequisites for your data connector and ensure that they're fulfilled.

  5. Follow the steps outlined in the Configurations section for your data connector.

    For some connectors, find more specific configuration information in the Collect data section in the Microsoft Sentinel documentation.

Configure data retention and tiering

If you have onboarded to the Microsoft Sentinel data lake, you can configure data retention and tiering for the data connector. The data lake consists of an analytics tier (your current Microsoft Sentinel workspaces) and a data lake tier, where you can store data for up to 12 years. For more information on onboarding, see Onboarding to Microsoft Sentinel data lake.

When you enable a connector, by default the data is sent to the analytics tier and mirrored in the data lake tier. Configure data retention in each tier or send the data only to the data lake tier. Retention and tiering are managed from the connector setup pages, or using the Table management page in the Defender portal. For more information on table management and retention, see Manage data tiers and retention in Microsoft Defender Portal.

Once you have set up your connector, configure data retention and tiering using the following steps:

  1. On the Connector details page, in the Table management section, select the table you want to manage.

    A screenshot showing a connector details page.

  2. The table panel is displayed showing the current retention settings.

  3. To configure retention, select Manage table.

    A screenshot showing the manage table panel.

  4. The Manage table panel is displayed, showing the current retention settings. You can change the retention settings for the analytics tier and the data lake tier. The default is to mirror the data to the data lake tier with the same retention as the analytics tier.

  5. Under Analytics retention select the retention period for the analytics tier.

  6. To configure the data lake tier, select a retention period from the Total retention drop-down list.

    A screenshot showing the analytics and data lake tier options.

  7. To change the tier to data lake only, select the Data lake tier and select a retention period from the Retention drop-down list. Selecting this option stops further ingestion to the analytics tier.

  8. Select Save to save the changes.

A screenshot showing the data lake tier retention only option.

After you configure the data connector, it might take some time for the data to be ingested into Microsoft Sentinel. It takes 90 to 120 minutes for data to be ingested into the data lake. When the data connector is connected, you see a summary of the data in the Data received graph, and the connectivity status of the data types.

Screenshot of a data connector page with status connected and graph that shows the data received.

Find your data

After you enable the connector successfully, the connector begins to stream data to the table schemas related to the data types you configured.

In the Defender portal, query data in the Advanced hunting page, or in the Azure portal, query data in the Logs page.

Navigate to Data lake explorer, KQL queries to query data in the data lake. For more information, see KQL and the Microsoft Sentinel data lake.
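
To confirm from the query side that the tables fed by your connectors are still receiving data, you can run a freshness check such as the following. This is an added example, not a query from the Microsoft Sentinel documentation; it assumes the Logs page against the analytics tier, and the `lookback` and `silence_threshold` values are assumptions to tune for each source.

```kusto
// Added example: per-table freshness and ingestion delay in the analytics tier.
// Assumption: a table with no records for longer than silence_threshold
// deserves a look at its connector's status. Low-volume sources need a
// larger threshold to avoid false "stale" results.
let lookback = 7d;
let silence_threshold = 4h;
union withsource=SourceTable *
| where TimeGenerated > ago(lookback)
// Delay between the event time and the time the record was ingested.
| extend IngestionDelayMin = (ingestion_time() - TimeGenerated) / 1m
| summarize
    LastRecord = max(TimeGenerated),
    Records = count(),
    P95DelayMin = percentile(IngestionDelayMin, 95)
    by SourceTable
| extend SilentFor = now() - LastRecord
| extend Status = iff(SilentFor > silence_threshold, "stale", "receiving")
| project SourceTable, Status, LastRecord, SilentFor, Records, P95DelayMin
| order by SilentFor desc
```

Tables switched to the data lake tier only stop receiving analytics-tier records, so they show as stale here by design.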

Find support for a data connector

Both Microsoft and other organizations author Microsoft Sentinel data connectors. Find the support contact on the data connector page in Microsoft Sentinel.

  1. In the Microsoft Sentinel Data connectors page, select the relevant connector.

  2. To access support and maintenance for the connector, use the support contact link in the Supported by field on the side panel for the connector.

    Screenshot showing the Supported by field for a data connector in Microsoft Sentinel.

For more information, see Data connector support.

For more information about solutions and data connectors in Microsoft Sentinel, see the following articles.