What datasources are onboarded in Sentinel?
When you onboard Microsoft Sentinel through Attic Security, we automatically deploy and configure a Log Analytics Workspace with Microsoft Sentinel enabled, along with several datasources. This article explains exactly what gets deployed, what data each datasource collects, and how long that data is retained.
Workspace Configuration
Attic Security creates a Log Analytics Workspace in your Azure subscription with the following settings:
| Setting | Value |
|---|---|
| SKU | PerGB2018 (pay-as-you-go) |
| Default retention | 90 days |
Microsoft Sentinel is enabled on top of this workspace.
Datasources Overview
The table below summarizes all datasources that are configured during onboarding:
| Datasource | Sentinel Table | Scope | Included |
|---|---|---|---|
| Azure Activity Logs | AzureActivity | All home-tenant subscriptions | Always |
| Office 365 Connector | OfficeActivity | Tenant-wide | Always |
| Microsoft Defender Alerts | AlertInfo | Tenant-wide | Always |
| Entra ID Logs | Multiple (see below) | Tenant-wide | Extended logging |
| Microsoft Defender Evidence | AlertEvidence | Tenant-wide | Extended logging |
Extended logging: During onboarding, you will be asked whether you want to enable extended logging (Entra ID Logs and Defender Alert Evidence). These datasources generate additional log volume and will incur extra ingestion costs in your Log Analytics Workspace. If you opt in, both datasources are enabled together. Attic Security recommends enabling extended logging, as these logs are essential for detecting identity-based threats and investigating security incidents.
1. Azure Activity Logs
Azure Activity Logs are configured via Diagnostic Settings on every accessible subscription in your home tenant. Subscriptions from other tenants and Azure Lighthouse-delegated subscriptions are excluded.
Log categories collected:
- Administrative -- Resource management operations (create, update, delete)
- Security -- Alerts generated by Microsoft Defender for Cloud
- ServiceHealth -- Service health incidents affecting your resources
- Alert -- Azure Monitor alert activations
- Recommendation -- Azure Advisor recommendations
- Policy -- Azure Policy evaluation events
- Autoscale -- Autoscale engine operations
- ResourceHealth -- Resource health status changes
Retention: 90 days (workspace default)
2. Office 365 Data Connector
The Office 365 data connector is enabled for your tenant with the following data types:
- Exchange -- Mailbox audit logs (admin and user activities in Exchange Online)
- SharePoint -- User and admin activities in SharePoint Online and OneDrive for Business
- Teams -- User and admin activities in Microsoft Teams (chats, meetings, team operations)
Retention: 90 days (workspace default)
3. Microsoft Defender Alerts (via Streaming API)
Alerts from Microsoft Defender for Endpoint are streamed to your Sentinel workspace using the Microsoft Defender SecurityCenter streaming API.
Data collected:
- AlertInfo -- Alert metadata including alert ID, title, severity, category, detection source, and status
Retention: 90 days (workspace default)
4. Entra ID Logs (Extended Logging)
Entra ID (formerly Azure Active Directory) diagnostic logs provide deep visibility into identity activity across your tenant. This datasource is enabled when you opt in to extended logging during onboarding. Because these logs can generate significant volume, they incur additional ingestion costs.
Log categories collected:
| Category | Description |
|---|---|
| SignInLogs | Interactive user sign-in activity |
| AuditLogs | Directory changes (user, group, app management) |
| NonInteractiveUserSignInLogs | Sign-ins by client apps or OS components on behalf of a user |
| ServicePrincipalSignInLogs | Sign-ins by applications and service principals |
| ManagedIdentitySignInLogs | Sign-ins by Azure managed identities |
| ProvisioningLogs | User provisioning activities by the provisioning service |
| ADFSSignInLogs | Active Directory Federation Services sign-in activity |
Retention: 90 days (workspace default)
5. Microsoft Defender Alert Evidence (Extended Logging)
When you opt in to extended logging, the Defender streaming API is also extended to include:
- AlertEvidence -- Detailed evidence associated with alerts (files, processes, IP addresses, URLs, registry entries, and other entities related to each alert)
This datasource is always enabled together with Entra ID Logs as part of the extended logging option.
Retention: 90 days (workspace default)
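To confirm that each datasource described above is actually delivering data, the following KQL query (an added example, not part of the Attic Security deployment) reads the workspace's own Usage table rather than the data tables themselves, so it still runs when an extended-logging table has never been created. The Entra ID categories are mapped to their standard Sentinel table names, which this article does not list individually; the 1-day staleness threshold is an assumed value you can tune.

```kql
// Constructed health check: compares the tables the onboarding should populate
// against what the workspace has billed for ingestion in the lookback window.
let lookback = 7d;
let staleAfter = 1d;   // assumed threshold; adjust to your expected ingestion cadence
let expected = datatable(TableName:string, Datasource:string, ExtendedLogging:bool)
[
    "AzureActivity",                   "Azure Activity Logs",         false,
    "OfficeActivity",                  "Office 365 Connector",        false,
    "AlertInfo",                       "Microsoft Defender Alerts",   false,
    "SigninLogs",                      "Entra ID Logs",               true,
    "AuditLogs",                       "Entra ID Logs",               true,
    "AADNonInteractiveUserSignInLogs", "Entra ID Logs",               true,
    "AADServicePrincipalSignInLogs",   "Entra ID Logs",               true,
    "AADManagedIdentitySignInLogs",    "Entra ID Logs",               true,
    "AADProvisioningLogs",             "Entra ID Logs",               true,
    "ADFSSignInLogs",                  "Entra ID Logs",               true,
    "AlertEvidence",                   "Microsoft Defender Evidence", true
];
// Usage reports ingested volume per table (Quantity is in MB).
let observed = Usage
| where TimeGenerated > ago(lookback)
| where IsBillable == true
| summarize LastIngested = max(TimeGenerated), IngestedGB = sum(Quantity) / 1024 by DataType;
expected
| join kind=leftouter observed on $left.TableName == $right.DataType
| extend Status = case(
    isnull(LastIngested) and ExtendedLogging, "No data (extended logging not enabled?)",
    isnull(LastIngested),                     "MISSING",
    LastIngested < ago(staleAfter),           "STALE",
                                              "OK")
| project Datasource, TableName, Status, LastIngested, IngestedGB = round(IngestedGB, 3)
| order by Status asc, Datasource asc
```

A MISSING row for an always-on datasource points at a broken connector or diagnostic setting; the IngestedGB column also shows which extended-logging tables drive the additional ingestion cost mentioned above.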
Data Retention Summary
All data ingested into your Sentinel workspace has a default retention of 90 days. After this period, data is automatically purged from the workspace. If you require longer retention, this can be adjusted in the Log Analytics Workspace settings in the Azure portal (note: extended retention may incur additional costs).