Connect Microsoft Sentinel to other Microsoft services with an API-based data connector

This article describes how to make API-based connections to Microsoft Sentinel. Microsoft Sentinel uses the Azure foundation to provide built-in, service-to-service support for data ingestion from many Azure and Microsoft 365 services, and various Windows Server services. There are a few different methods through which these connections are made.

This article presents information that is common to the group of API-based data connectors.

Prerequisites

  • You must have read and write permissions on the Log Analytics workspace.

  • You must have a Security administrator role on your Microsoft Sentinel workspace's tenant, or the equivalent permissions.

  • Data connector specific requirements:

    Data connector: Licensing, costs, and other prerequisites

    Microsoft Defender for Cloud Apps: For Cloud Discovery logs, enable Microsoft Sentinel as your SIEM in Microsoft Defender for Cloud Apps.

    Microsoft Office 365:
      - Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace.
      - Other charges may apply.

Instructions

  1. From the Microsoft Sentinel navigation menu, select Data connectors.

  2. Select your service from the data connectors gallery, and then select Open Connector Page on the preview pane.

  3. Select Connect to start streaming events and/or alerts from your service into Microsoft Sentinel.

  4. If the connector page has a section titled Create incidents - recommended!, select Enable if you want to automatically create incidents from alerts.

You can find and query the data for each service using the table names that appear in the section for the service's connector in the Data connectors reference page.
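After connecting, a query like the following confirms that each connector is actually delivering data. This is an added example, not part of the original article. The table names OfficeActivity (Microsoft Office 365), McasShadowItReporting (Cloud Discovery logs) and SecurityAlert (alerts) are assumptions not stated on this page, and the 7-day and 24-hour thresholds are illustrative, so confirm the names against the Data connectors reference and adjust the windows to your environment.

```kusto
// Added example: ingestion check for API-based connectors.
// Table names are assumptions; verify them in the Data connectors reference.
// isfuzzy=true lets the query run even if one of the tables does not exist
// yet in the workspace (for example, a connector that was never enabled).
union withsource=TableName isfuzzy=true
    OfficeActivity,
    McasShadowItReporting,
    SecurityAlert
| where TimeGenerated > ago(7d)
| summarize
    LastEvent = max(TimeGenerated),
    Events24h = countif(TimeGenerated > ago(24h)),
    Events7d  = count()
    by TableName
| extend HoursSinceLastEvent = datetime_diff('hour', now(), LastEvent)
// Illustrative threshold: flag a table with no events in the last 24 hours.
| extend Status = iff(HoursSinceLastEvent > 24, "stale", "ok")
| project TableName, Status, LastEvent, HoursSinceLastEvent, Events24h, Events7d
| order by HoursSinceLastEvent desc
```

A table that received nothing in the last 7 days does not appear in the results at all, so treat a missing row the same as a stale one.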

Next steps

For more information, see: