Module 6: Data Connectors & Ingestion Strategy

75 minutes · Manage a Security Operations Environment (20-25%)

Module 5 built the workspace. This module fills it with data.

The quality of your detections is limited by the quality of your data. A workspace with one connector and no filtering produces either too little data (missed detections) or too much noise (alert fatigue). This module teaches you to build an ingestion strategy — choosing which data sources matter, connecting them reliably, filtering out noise at the point of collection, and verifying that data is flowing correctly.

Data connector categories

Microsoft First-Party: M365 Defender · Entra ID · Azure Activity · Purview (One-click setup · Native tables)
Third-Party: Syslog/CEF · API connectors · Firewalls · SaaS · Endpoint (AMA agent · DCR filtering)
Custom / API: Custom log tables · REST API · Codeless connectors (CCP) (Custom schemas · Full control)

All three categories feed the Sentinel Workspace: Unified tables · Analytics rules · Hunting

Prerequisites

Complete Module 5 first. You need a working Sentinel workspace with the M365 Defender and Entra ID connectors already enabled. This module expands on that foundation with additional Microsoft connectors, third-party data sources, and Data Collection Rules.

Sections in this module