Updated: September 6, 2024

  Analyst Report

Sentinel Log Ingestion

by Wes Miller

Wes Miller analyzes and writes about Microsoft’s security, identity management, and systems management technologies.

Microsoft Sentinel can ingest and process most types of log data for further analysis. Sentinel can ingest log data from the following sources:

  • Microsoft 365 services, including Office 365 services and Entra ID
  • Microsoft Defender XDR services, including Defender for Endpoint, Defender for Identity, and Defender for Office 365, as well as Microsoft Defender for Cloud Apps
  • Microsoft Defender for Cloud (in preview)
  • Sources reachable through Microsoft Graph REST APIs
  • Sources with third-party APIs supported by Microsoft Sentinel, like Google Workspace or Salesforce Service Cloud (via Azure Functions)
  • Sources supported by the Log Analytics agent software (Microsoft retired this agent at the end of August 2024; the Azure Monitor agent is its replacement)
  • Common Event Format (CEF) or Syslog sources
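Sentinel's CEF connector receives each event as an ArcSight Common Event Format line carried inside a syslog message, and the ingestion problems practitioners hit most often come from the format's escaping rules: a literal `|` in one of the seven header fields and a literal `=` in an extension value must be backslash-escaped, or the event is split in the wrong place. The following Python parser and formatter is added here as an example and is not code from the report, from Microsoft, or from any device vendor; it applies those rules in both directions. The sample events and the Contoso vendor names in it are constructed, not captured traffic.

```python
"""Parse and produce ArcSight Common Event Format (CEF) lines of the kind
Sentinel's CEF connector expects to receive over syslog.

Added example; not code from the report, from Microsoft or from any vendor.
The sample lines below are constructed, not captured device output.
"""
import re

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# An extension key is a run of identifier characters before '=' that follows
# either the start of the extension or whitespace. A literal '=' inside a
# value must be written '\=' in CEF, so it never matches this pattern.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(line):
    """Return the seven header fields plus the remaining extension text.

    Header fields are '|'-delimited; a literal '|' is written '\\|' and a
    literal backslash '\\\\'. Both escapes are resolved here.
    """
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped char: take it literally
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must contain seven '|'-delimited fields")
    return fields, line[i:]


def _unescape_value(value):
    """Resolve extension escapes: '\\=' and '\\\\', plus '\\n' / '\\r' newlines."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _parse_extension(ext):
    """Split 'key=value key2=value with spaces' into a dict; values keep spaces."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        value_end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_value(ext[m.end():value_end].strip())
    return out


def parse_cef(line):
    """Parse one syslog line carrying a CEF event into a flat record.

    Text before the 'CEF:' marker (syslog PRI, timestamp, host) is kept as
    'syslog_prefix'. Raises ValueError on malformed input.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    fields, ext = _split_header(line[start:])
    record = dict(zip(HEADER_FIELDS, fields))
    record["version"] = int(record["version"][len("CEF:"):])
    record["syslog_prefix"] = line[:start].rstrip()
    record["extension"] = _parse_extension(ext)
    return record


def format_cef(vendor, product, version, signature_id, name, severity, **extension):
    """Build a CEF:0 line, applying the header and extension escaping rules."""
    def esc_header(s):
        return str(s).replace("\\", "\\\\").replace("|", "\\|")

    def esc_value(s):
        return (str(s).replace("\\", "\\\\").replace("=", "\\=")
                .replace("\r", "\\r").replace("\n", "\\n"))

    header = "|".join(["CEF:0", esc_header(vendor), esc_header(product),
                       esc_header(version), esc_header(signature_id),
                       esc_header(name), esc_header(severity)])
    ext = " ".join(f"{k}={esc_value(v)}" for k, v in extension.items())
    return f"{header}|{ext}"


# Constructed sample events (Contoso is a placeholder vendor). Note the escaped
# '=' inside msg on the first line and the escaped '|' and '\' in the second header.
SAMPLE_LINES = [
    r"<134>Sep  6 10:15:02 fw01 CEF:0|Contoso|ContosoFW|10.2|THREAT|Vulnerability|8|"
    r"src=10.1.2.3 dst=203.0.113.7 spt=51234 dpt=443 "
    r"msg=SQL injection attempt in URI \= /login cs1Label=Rule cs1=block-web-attacks",
    r"CEF:0|Contoso\|Labs|App \\ Gateway|1.0|100|Login failed|5|"
    r"suser=alice msg=Bad password rt=1725617702000",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        rec = parse_cef(sample)
        print(rec["device_vendor"], rec["name"], rec["severity"], rec["extension"])
    print(format_cef("Contoso", "App", "1.0", "100", "Login | failed", 5,
                     suser="alice", msg="reason=bad password"))
```

The parser is deliberately strict: a line with fewer than seven header fields or no `CEF:` marker raises rather than producing a half-filled record, which is the behaviour you want in a collector pipeline so malformed events surface instead of landing silently in the wrong columns.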

With a handful of exceptions (certain Microsoft sources are free to ingest), organizations pay a per-GB charge twice for event and alert data: once when it is ingested into Log Analytics, and again when Sentinel analyzes it.

Sentinel can also ingest data from third-party security solutions, including Check Point, F5, Fortinet, Palo Alto Networks, Symantec, and other vendors, and most of these connectors are documented in the Sentinel documentation. However, customers using many of these technologies are likely to already have SIEM solutions like Splunk in place.
