2.3 Data Connectors & Ingestion

Key Takeaways

  • Connector families are service-to-service (API), agent-based via the Azure Monitor Agent (AMA), codeless (CCP), and custom; the legacy Log Analytics agent (MMA) is retired.
  • A Data Collection Rule (DCR) tells the AMA what to collect, how to transform it at ingestion time, and which workspace/table to target.
  • CEF via AMA lands in CommonSecurityLog, Syslog via AMA lands in Syslog, and DCR ingestion-time transformation can drop fields before billing.
  • The Advanced SIEM Information Model (ASIM) normalizes heterogeneous sources so one query/detection works vendor-agnostically across products.
  • The Content hub deploys Microsoft Sentinel solutions that bundle connectors with their analytics rules, workbooks, playbooks, and parsers.
Last updated: May 2026

Why This Matters for SC-200

Detections, hunting, and incident response are only as good as the data reaching Microsoft Sentinel and Microsoft Defender XDR. The 2026 skills outline explicitly lists ingesting Windows Security Events via AMA, Windows Event Forwarding (WEF), Syslog/CEF via AMA, Azure activities, threat indicators, and custom log tables. Expect "which connector / which agent" scenario questions.

Connector Types

Microsoft Sentinel data connectors fall into a few families:

  • Service-to-service (API) connectors — Native, low-effort connectors for Microsoft and major third-party clouds: Microsoft Entra ID, Microsoft Defender XDR, Office 365, Azure Activity, AWS, GCP. Typically enabled with a few clicks plus permissions.
  • Agent-based connectors — Use the Azure Monitor Agent (AMA) to collect logs from Windows and Linux machines (security events, Syslog, CEF, custom text/JSON logs).
  • Codeless / Codeless Connector Platform (CCP) connectors — Configuration-driven connectors for many SaaS/REST sources without custom code.
  • Custom connectors — Logs Ingestion API / Logstash / Logic Apps / the legacy HTTP Data Collector API, for sources without a built-in connector.

The legacy Log Analytics agent (MMA/OMS) is retired. For SC-200 in 2026, the correct agent answer for collecting Windows or Linux logs is the Azure Monitor Agent (AMA), never the old Log Analytics agent.

Common Event Format, Syslog, and AMA / DCR

Many network and security appliances export logs over Syslog. When the appliance formats those Syslog messages using Common Event Format (CEF) — a structured key-value standard — Sentinel can parse them into the rich CommonSecurityLog table.

Modern collection works like this:

Appliance (CEF or Syslog)
   --> Linux forwarder VM running the Azure Monitor Agent (AMA)
        --> Data Collection Rule (DCR) defines what to collect & where
             --> Microsoft Sentinel / Log Analytics workspace

  • A Data Collection Rule (DCR) is the central configuration object that tells the Azure Monitor Agent what data to collect, how to filter/transform it, and which workspace/table to send it to.
  • CEF via AMA lands in CommonSecurityLog; generic Syslog via AMA lands in Syslog.
  • Windows Security Events via AMA collects domain/endpoint security events (and you choose All / Common / Minimal / Custom event sets in the DCR).
  • Windows Event Forwarding (WEF) funnels events from many Windows hosts to a collector server, which AMA then forwards — useful when you cannot install an agent on every endpoint.

Ingestion-time transformation in a DCR can drop or reshape data before billing — a common SC-200 cost-optimization and PII-filtering answer.
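The KQL below is an added example, not code from the study guide or from Microsoft: it is the kind of transformation you place in the DCR's dataFlows[].transformKql for the Microsoft-CommonSecurityLog stream. The severity values and the column lists are constructed choices for this example; which columns count as noise or personal data is a decision for your own environment.

```kql
// Ingestion-time transformation for the CEF via AMA connector (constructed
// example). Inside a transformation the incoming stream is always named
// `source`, and the output may only contain columns that exist in the
// destination table (CommonSecurityLog), so the query filters and removes
// columns but never invents new ones.
source
// 1. Cost: rows filtered out here never reach the workspace and are not
//    billed. Drop informational events; how a vendor encodes CEF severity
//    (0-10 or Low/Medium/High/Very-High) varies, so check your appliance.
| where LogSeverity !in ("0", "1", "2", "3", "Low")
// 2. Cost: remove verbose columns the SOC agreed it does not use
//    (constructed list for this example).
| project-away AdditionalExtensions, FlexString1, FlexString2,
               DeviceCustomString5, DeviceCustomString6
// 3. Privacy: remove columns that routinely carry personal data or
//    secrets (URLs with session tokens, free-text messages).
| project-away RequestURL, Message
```

Because the drop happens before the data is written, detections and workbooks that rely on a removed column will silently return nothing, so review existing analytics rules against the column list before applying the rule.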

Diagram: CEF/Syslog Ingestion via AMA and a Data Collection Rule

Custom Logs and Normalization (ASIM)

Custom logs

For applications without a built-in connector, ingest via custom text/JSON log collection through AMA + DCR, the Logs Ingestion API, Logstash, or Logic Apps. Custom data lands in a custom table (suffixed _CL). Choose the Auxiliary/Basic plan for high-volume, low-value custom logs to cut cost; those plans restrict query capabilities and are not supported in scheduled analytics rules, so keep detection-critical data on the Analytics plan.

Advanced SIEM Information Model (ASIM)

Different sources name the same field differently (SourceIP, src_ip, ClientIP). The Advanced SIEM Information Model (ASIM) is Microsoft Sentinel's normalization layer. It provides:

  • Normalized schemas (for example, Authentication, Network Session, DNS, Process Event) with consistent field names.
  • Parsers that translate source-specific data into the normalized schema at query time.
  • Unifying/source-specific parsers so one analytics or hunting query (imAuthentication, _Im_NetworkSession, etc.) works across many products.

ASIM lets a single detection or hunting query run across heterogeneous sources without rewriting it per product — the SC-200 answer when a scenario asks for vendor-agnostic, source-independent detections.
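The query below is an added example, not code from the study guide: one failed-then-succeeded sign-in detection written once against the ASIM Authentication schema. It assumes the built-in _Im_Authentication unifying parser and the normalized column names of the Authentication schema (TargetUsername, SrcIpAddr, EventResult, EventProduct, EventVendor); the threshold is a constructed tuning value.

```kql
// Added example: the same logic runs over Entra ID sign-ins, a CEF/Syslog
// VPN, and a third-party IdP because _Im_Authentication unions every
// source with an enabled Authentication parser and returns identical
// normalized columns, whatever each product originally called them.
let lookback = 1h;
let failure_threshold = 10;     // constructed tuning value
let auth = _Im_Authentication(starttime=ago(lookback), endtime=now());
// Step 1: account/source-IP pairs with many failures in the window.
let failed = auth
    | where EventResult == "Failure"
    | summarize Failures = count(),
                FailProducts = make_set(EventProduct),
                LastFailure = max(TimeGenerated)
        by TargetUsername, SrcIpAddr
    | where Failures >= failure_threshold;
// Step 2: a later success for the same pair, from any product.
auth
| where EventResult == "Success"
| project SuccessTime = TimeGenerated, TargetUsername, SrcIpAddr,
          SuccessProduct = EventProduct, EventVendor
| join kind=inner failed on TargetUsername, SrcIpAddr
| where SuccessTime > LastFailure
| project SuccessTime, TargetUsername, SrcIpAddr, Failures,
          FailProducts, SuccessProduct, EventVendor
| order by Failures desc
```

FailProducts and SuccessProduct make the cross-product nature visible: a run of VPN failures followed by an Entra ID success surfaces in a single result row without a per-source query.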

Content Hub and Solutions

The Content hub is the in-product marketplace for Microsoft Sentinel solutions — packaged bundles that can include data connectors, analytics rules, hunting queries, workbooks, playbooks, parsers, and watchlists for a specific product or scenario (e.g., a vendor firewall solution). Installing the solution from the Content hub is the recommended, supported way to deploy a connector and its companion content together, instead of importing each artifact manually.

Need                                             Correct choice
Collect Windows security events from servers     Windows Security Events via AMA (DCR)
Ingest a firewall's CEF logs                     CEF via AMA to CommonSecurityLog
Drop noisy/PII fields before billing             DCR ingestion-time transformation
One detection across many identity products      ASIM normalized parsers
Deploy a vendor connector + its rules/workbooks  Install the solution from the Content hub

Test Your Knowledge

You must collect Windows Security event logs from on-premises domain controllers into Microsoft Sentinel in 2026, controlling exactly which event set is gathered. Which combination is correct?

Test Your Knowledge

A firewall sends high-volume Syslog messages formatted in Common Event Format. The SOC wants the structured data in CommonSecurityLog but must drop several verbose fields before they are billed. What should you configure?

Test Your Knowledge

An analytics rule must detect suspicious sign-ins consistently across Microsoft Entra ID, an on-premises VPN, and a third-party identity provider that each name fields differently. Which Microsoft Sentinel capability should the rule be built on?
