Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article describes how to make API-based connections to Microsoft Sentinel. Microsoft Sentinel uses the Azure foundation to provide built-in, service-to-service support for data ingestion from many Azure and Microsoft 365 services, Amazon Web Services, and various Windows Server services. There are a few different methods through which API-based connections to Microsoft Sentinel are made.
The following requirements and steps apply to Microsoft Sentinel API-based data connectors.
Note
For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.
Prerequisites
Before you connect a service, make sure you meet the following prerequisites:
You must have read and write permissions on the Log Analytics workspace.
You must have a Security administrator role on your Microsoft Sentinel workspace's tenant, or the equivalent permissions.
Data connector specific requirements:
Data connector Licensing, costs, and other prerequisites Microsoft Entra ID Protection - Microsoft Entra ID P2 subscription
- Other charges may applyDynamics 365 - Microsoft Dynamics 365 production license. Not available for sandbox environments.
- At least one user assigned a Microsoft/Office 365 E1 or greater license.
- Audit logging enabled in Microsoft Purview. See Turn auditing on or off.
- Audit logging enabled in your Microsoft Dataverse environment. See Microsoft Dataverse and model-driven apps activity logging.
- Other charges may apply.Microsoft Defender for Cloud Apps For Cloud Discovery logs, enable Microsoft Sentinel as your SIEM in Microsoft Defender for Cloud Apps Microsoft Defender for Endpoint Valid license for Microsoft Defender for Endpoint deployment Microsoft Defender for Office 365 Valid license for Office 365 ATP Plan 2 Microsoft 365 - Your Microsoft 365 deployment must be on the same tenant as your Microsoft Sentinel workspace.
- Other charges may apply.Microsoft Power BI - Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace.
- Other charges may apply.Microsoft Purview Information Protection - Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace.
- Other charges may apply.Microsoft Purview Insider Risk Management (IRM) - Valid subscription for Microsoft 365 E5/A5/G5, or their accompanying Compliance or IRM add-ons.
- Microsoft Purview Insider Risk Management fully onboarded, and IRM policies defined and producing alerts.
- Insider Risk Management settings for exporting alerts configured to enable the export of IRM alerts to the Office 365 Management Activity API in order to receive the alerts through the Microsoft Sentinel connector.
Connect to Microsoft services via API-based connectors
To connect a Microsoft service by using an API-based connector, complete the following steps:
From the Microsoft Sentinel navigation menu, select Data connectors.
Select your service from the data connectors gallery, and then select Open Connector Page on the preview pane.
Select Connect to start streaming events and/or alerts from your service into Microsoft Sentinel.
If on the connector page there is a section titled Create incidents - recommended!, select Enable if you want to automatically create incidents from alerts.
You can find and query the data for each service using the table names that appear in the section for the service's connector in the Data connectors reference page.
Related content
For more information, see: