
Commit 9bb49a9

adding data connector details
1 parent 9366aeb commit 9bb49a9

File tree

1 file changed

+8
-0
lines changed


unified-secops-platform/overview-plan.md

Lines changed: 8 additions & 0 deletions
@@ -90,6 +90,14 @@ Microsoft's unified SecOps platform ingests data from first-party Microsoft serv
9090

9191
You might determine this information during your business use case review, or by evaluating a current SIEM that you already have in place. If you already have a SIEM in place, analyze your data to understand which data sources provide the most value and should be ingested into Microsoft Sentinel.
9292

93+
For example, you might want to use any of the following recommended data sources:
94+
95+
|Scenario |Data sources |
96+
|---------|---------|
97+
|**Azure services** | If any of the following services are deployed in Azure, use the following connectors to send these resources' Diagnostic Logs to Microsoft Sentinel: <br><br> - **Azure Firewall** <br>- **Azure Application Gateway** <br>- **Keyvault**<br> - **Azure Kubernetes Service**<br> - **Azure SQL**<br>- **Network Security Groups**<br> - **Azure-Arc Servers** <br><br>We recommend that you set up Azure Policy to require that their logs be forwarded to the underlying Log Analytics workspace. For more on information, see [Create diagnostic settings at scale using Azure Policy](/azure/azure-monitor/essentials/diagnostic-settings-policy). |
98+
|**Virtual machines** | For virtual machines hosted on-premises or in other clouds that require their logs collected, use the following data connectors: <br><br> - **Windows Security Events using AMA**<br> - Events via **Defender for Endpoint** (for server)<br>- **Syslog** |
99+
|**Network virtual appliances / on-premises sources** | For network virtual appliances or other on-premises sources that generate Common Event Format (CEF) or SYSLOG logs, use the following data connectors: <br><br>- **Syslog via AMA** <br>- **Common Event Format (CEF) via AMA** <br><br> For more information, see [Ingest Syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent](/azure/sentinel/connect-cef-syslog-ama?branch=main&tabs=single%2Ccef%2Cportal). |
100+
93101
For more information, see [Prioritize data connectors](/azure/sentinel/prioritize-data-connectors).
94102

95103
- **Plan your Microsoft Sentinel budget, considering cost implications for each planned scenario**.
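Review bot: the link in the third table row carries a staging query string (`?branch=main&tabs=single%2Ccef%2Cportal`) that should be stripped before this is published; `/azure/sentinel/connect-cef-syslog-ama` is enough, or keep only the `tabs=` parameter if the tabbed view is intended. In the same row, "SYSLOG" should be "Syslog" to match the connector names used two lines later. In the first row, "For more on information, see" is a typo for "For more information, see", "Keyvault" should be written as "Azure Key Vault" like the other product names in that list, and "Azure-Arc Servers" is not the product name (the stray hyphen should go). In the second row, "Events via **Defender for Endpoint** (for server)" is ambiguous about which plan is meant; spelling out the server offering and bolding the connector name consistently with the other two bullets would help readers who are comparing the rows.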
