A structured approach to Microsoft Sentinel data connector onboarding, retention, and detection rationale for the Dutch Security TS team.
> [!TIP]
> This maturity model is the what-to-ingest layer. It is paired with the Guidance section, which explains why each decision is made (risk, retention, cost, compliance), and the interactive Assessment Checklist, which tracks how far an organisation has implemented it. Use the model to define the target, the guidance to justify it, and the assessment to measure progress.
Tier 2 extends monitoring into network security, cloud posture, data protection, multi-cloud, endpoint compliance, and threat intelligence. These connectors are mapped to frameworks such as MCSB, NIST and CIS. Connectors marked conditional only apply when the relevant product or cloud is in use. Tier 2 follows the logging priorities in the ASD ACSC Best Practices for Event Logging and Threat Detection.
Tier 3 provides full-spectrum monitoring for mature organisations that have completed Tier 1 and Tier 2. These connectors cover OT/IoT, DevOps supply chain, databases, custom business applications, and advanced infrastructure telemetry.
- **Third-Party OT / IoT** (Claroty, Nozomi Networks, Armis): vendor-specific tables via CEF/Syslog. Mandatory: No (conditional, only when such a platform is in use).
## Retention Philosophy
For the full retention framework analysis including specific requirements from MCSB, NIST, CIS, NIS2, and GDPR, see Retention. For investigation readiness considerations, see Forensic Readiness. Our retention recommendations are informed by:
- **Forensic readiness** — The ability to investigate incidents that may have started weeks or months before detection (average dwell time in 2024: ~10 days for ransomware, but APTs can persist for months)
- **Layered security approach** — Defence in depth requires correlated data across identity, endpoint, network, and cloud layers
- **Regulatory and compliance requirements** — GDPR, NIS2, SOC 2, ISO 27001
The default long-term retention for all Tier 1 tables is 365 days in the Sentinel Data Lake. Adjust per table based on compliance or forensic requirements.
## Why a Layered Approach?
For the full rationale, see Layered Detection Approach. EDR solutions like Microsoft Defender for Endpoint are essential but not sufficient on their own. A layered approach combining EDR with native OS logging (Windows Security Events, Syslog) provides defence in depth:
- **EDR can be bypassed** — attackers continuously develop techniques to evade endpoint detection. Native OS logs provide an independent audit trail that persists even if EDR is tampered with.
- **Forensic readiness** — native logs provide authoritative evidence admissible in investigations, complementing EDR telemetry.
- **Correlation across data sources** — combining identity, endpoint, email, and cloud activity logs enables detection of multi-stage attacks that no single source can catch alone.
## Recommended Reading

| Title | Description | Link |
|---|---|---|
| The Evolution of EDR Bypasses | Historical timeline showing how EDR bypass techniques evolve, reinforcing why native logs are essential as a fallback | |
The following tools help identify retention settings, monitor ingestion volumes, estimate costs, and validate data connector coverage. Each tool has a step-by-step walkthrough in the Procedures section.
| Tool | Type | Purpose | Source | Guide |
|---|---|---|---|---|
| Workspace Usage Report | Workbook | Monitor ingestion volumes per table, identify cost optimisation opportunities, and validate data connector health across all connectors | | |
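As an added example (not a query from this maturity model or its workbooks), the following KQL performs the two checks the Workspace Usage Report is listed for: billable GB/day per table over the last 30 days, and a staleness flag for tables that have stopped receiving data. The `Usage` table and its `DataType`, `Quantity` (MB) and `IsBillable` columns are standard Log Analytics; the 30-day lookback and 24-hour staleness threshold are assumed values to adjust per workspace.

```kql
// Added example, not part of the maturity model repository.
// Per-table billable ingestion plus a connector-health flag, so that
// cost outliers and silent tables appear in a single result set.
let lookbackDays = 30;          // assumed window for the GB/day average
let staleThreshold = 24h;       // assumed: no data for a day is suspicious
Usage
| where TimeGenerated > ago(lookbackDays * 1d)
| where IsBillable == true
| summarize
    TotalMB  = sum(Quantity),           // Usage.Quantity is reported in MB
    LastSeen = max(TimeGenerated)
    by DataType
| extend GBPerDay      = round(TotalMB / 1024.0 / lookbackDays, 3)
| extend HoursSinceLast = round((now() - LastSeen) / 1h, 1)
| extend Health = iff(now() - LastSeen > staleThreshold, "STALE", "OK")
| project DataType, GBPerDay, LastSeen, HoursSinceLast, Health
| order by GBPerDay desc
```

A table that is expected by the tier model but missing from this output entirely has never ingested billable data in the window, which is a separate onboarding gap from a `STALE` row.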
Use the interactive Sentinel Maturity Assessment Checklist to track progress during a connector onboarding engagement. The checklist covers every Tier 1 connector with per-table checks, retention validation, and configuration items. Each section has a comment field for rationale and notes.
The tool offers two modes, selectable from the header toggle:
- **Full** — every Tier 1/2/3 connector with detailed per-item checks (Setup, Tables, Content Hub, Retention, Validation), per-table tier-change planning (Analytics ↔ Lake) and per-table retention planning, plus a comments field per connector. Use for delivery engagements, formal assessments, and customer hand-off.
- **Lite** — a focused four-check landing page for quick conversations. Check 2 ("Defender XDR — Per-Table Ingestion") mirrors the same per-table tier and retention planner used in Full mode and feeds the same to-do output (signed GB/day delta + per-tier breakdown). The accepted-risk panel and to-do summary remain visible. Use for intro calls, executive briefings, and demos.
Features: save/load progress (JSON), export to PDF, export to Excel.
For a consolidated, categorised index of every external URL cited across this maturity model (Microsoft Learn docs, Azure pricing pages, tools and workbooks, blogs, standards and frameworks), see references.md.