Prioritize your data connectors for Microsoft Sentinel

In this article, you learn how to plan and prioritize which data sources to use for your Microsoft Sentinel deployment. This article is part of the Deployment guide for Microsoft Sentinel.

Determine which connectors you need

Check which data connectors are relevant to your environment, in the following order:

1. Review this list of free data connectors. The free data connectors will start showing value from Microsoft Sentinel as soon as possible, while you continue to plan other data connectors and budgets.
2. Review the custom data connectors.
3. Review the partner data connectors.

For the custom and partner connectors, we recommend that you start by setting up CEF/Syslog connectors, with the highest priority first, as well as any Linux-based devices.

If your data ingestion becomes too expensive, too quickly, stop or filter the logs forwarded using the Azure Monitor Agent.

Порада

Custom data connectors enable you to ingest data into Microsoft Sentinel from data sources not currently supported by built-in functionality, such as via agent, Logstash, or API. For more information, see Resources for creating Microsoft Sentinel custom connectors.

Alternative data ingestion requirements

If the standard configuration for data collection doesn't work well for your organization, review these and possible alternative solutions and considerations.

Filter your logs

If you choose to filter your collected logs or log content before the data is ingested into Microsoft Sentinel, review these best practices.

Next steps

In this article, you learned how to prioritize data connectors to prepare for your Microsoft Sentinel deployment.

Plan roles and permissions