7.2 Data Connectors and Security Signals
Key Takeaways
- Data connectors are the starting point for bringing security signals into Microsoft Sentinel.
- Analytics, hunting, workbooks, and incidents depend on connected data being available.
- SC-900 tests connector awareness as a concept, not detailed connector configuration.
- When a question says connect security data for analysis, Sentinel is usually the product match.
Data Connectors Come Before Analysis
At exam level, a data connector is the mechanism that brings security data into Microsoft Sentinel. Nothing in Sentinel can analyze data that has not arrived, so the connector belongs at the start of the Sentinel workflow. The source brief names data connectors as a Sentinel concept; if a question says an organization wants to collect security signals so it can detect and investigate threats, the Sentinel answer usually starts with connectors.
Do not overcomplicate this topic for SC-900. You are not expected to memorize a specific connector setup path, a deployment checklist, or a data engineering design. The important point is that Sentinel uses connected data as the raw material for analytics rules, incidents, workbooks, hunting queries, notebooks, automation rules, and playbooks.
| Sentinel element | Why connected data matters | Exam cue |
|---|---|---|
| Data connectors | Bring security signals into the SIEM and SOAR workspace | Connect data for analysis |
| Analytics rules | Evaluate available signals for suspicious patterns | Detect threats from collected data |
| Workbooks | Visualize and review available security information | Create dashboards or visual views |
| Hunting | Search through available data for suspicious activity | Proactively investigate threats |
Think in terms of flow. A connector does not by itself prove that a threat exists. It makes data available for the rest of the Sentinel experience. Analytics can then evaluate activity, hunting can search through it, workbooks can visualize it, and incidents can help operations teams manage investigation work.
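The flow above is only trustworthy once a connector is confirmed to be delivering data, and enabling a connector does not by itself guarantee that. The KQL query below is an added example written for this page, not part of the SC-900 material or Microsoft's own documentation, and it goes beyond what the exam tests. It assumes the Windows Security Events, Microsoft Entra ID sign-in, and Azure Activity connectors, which populate the SecurityEvent, SigninLogs, and AzureActivity tables respectively; the 24-hour staleness threshold is an arbitrary choice.

```kusto
// Added example: verify that connected sources are actually landing data
// before relying on analytics rules, hunting queries, or workbooks over them.
// Assumed tables (standard targets for the named connectors):
//   SecurityEvent  <- Windows Security Events connector
//   SigninLogs     <- Microsoft Entra ID connector (sign-in logs)
//   AzureActivity  <- Azure Activity connector
// isfuzzy=true keeps the query running even if one of these tables does not
// exist yet because its connector was never enabled in this workspace.
union withsource=SourceTable isfuzzy=true SecurityEvent, SigninLogs, AzureActivity
| where TimeGenerated > ago(7d)
| summarize Events = count(), LastSeen = max(TimeGenerated) by SourceTable
// Arbitrary threshold: a source silent for more than 24 hours is flagged.
| extend Stale = LastSeen < ago(24h)
| order by LastSeen desc
```

Run this in the Sentinel Logs blade. A table that is missing from the results, or one flagged Stale, means any analytics rule or hunting query written against it is silently blind; that is the failure mode the connector step exists to prevent, and it is worth checking before an incident rather than during one.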
This distinction matters because SC-900 questions often describe the goal in plain language. If the scenario says the company needs email and collaboration protection, choose Defender for Office 365. If it says the company needs endpoint device protection, choose Defender for Endpoint. If it says the company needs to bring security data together for SIEM or SOAR, choose Microsoft Sentinel.
Use this list to keep connector scenarios straight:
- Connector-first wording includes collect security events, connect data sources, ingest security signals, or feed a SIEM.
- Detection wording includes analytics rules, suspicious activity, threat detection, or incidents.
- Investigation wording includes hunting, KQL awareness, notebooks, or reviewing incidents.
- Response wording includes automation rules, Logic Apps playbooks, mitigation, or coordinated response.
The exam may not use the word connector directly. It may describe an organization that has security signals in multiple places and wants a Microsoft solution to bring those signals into one security operations process. That is still the Sentinel idea. The connector is the bridge into the Sentinel workflow; the other Sentinel features use the data after it arrives.
Connector Decision Check
Use connector language as an input signal, not as the whole answer. A connector makes data available so Sentinel features can work with it later. The exam scenario may then move into analytics, workbooks, hunting, incidents, or response, but the first product cue remains the need to feed security signals into a SIEM and SOAR workflow.
- Connect data before analyzing it.
- Treat connectors as Sentinel onboarding concepts.
- Keep compliance and identity governance scenarios separate.
What is the main exam-level purpose of a Microsoft Sentinel data connector?
Which Sentinel capability depends most directly on connected data being available first?
A company wants to feed security events into a Microsoft SIEM for threat detection. Which product should you identify?