
Microsoft Sentinel Data Connectors — Log Ingestion, AMA, ASIM & Cost Tiers

Microsoft Sentinel's power lives or dies on what it can see. This lesson maps every log-ingestion path — native connectors, AMA-based CEF & Syslog, the codeless connector platform, and the REST ingestion API — then shows how ASIM normalization makes those logs queryable across 400+ sources, and how Analytics, Basic and Auxiliary table types (plus commitment tiers) control what it costs to keep the lights on.

📅 2026-06-20 · ⏱ 18 min · 4 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Microsoft Sentinel data connectors in 2026: AMA-based CEF & Syslog, codeless connector platform, ASIM normalization, Analytics vs Basic vs Auxiliary tables, and commitment-tier cost control.

🎯 By the end you will be able to

1. Ingestion paths: native, AMA-based, REST API, and partner connectors.
2. AMA, CEF & Syslog: how AMA replaces MMA for Linux appliance log collection.
3. CCP & ASIM: codeless connectors and normalization schemas.
4. Tables & cost tiers: Analytics vs Basic vs Auxiliary, commitment pricing.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Can you connect any data source to Sentinel without writing agent code?

Answered in CCP & ASIM.

2. What replaced the legacy MMA agent for Syslog and CEF collection?

Answered in AMA, CEF & Syslog.

3. Which table type gives the cheapest long-term storage with limited query access?

Answered in Tables & cost tiers.

Most engineers think…

Most people assume 'connecting a source to Sentinel' means dropping an agent on a machine and logs magically appear. That works for Windows events — but it completely misses the architecture for 400+ other source types.

Sentinel has three distinct ingestion paths: native first-party connectors (for Entra ID, Defender, Office 365), AMA-based CEF and Syslog connectors for Linux appliances and firewalls, and the Logs Ingestion REST API (with the Codeless Connector Platform for partners). Once data arrives, ASIM normalization maps it into standard schemas so one detection fires on any vendor's firewall. And once you have volume, you must choose between Analytics, Basic and Auxiliary table types to keep costs predictable — three table types and commitment tiers that most engineers discover only after a surprise bill.

① The three ingestion paths — native, AMA and REST

Microsoft Sentinel organises its 400+ connectors into a few clear families. Native (first-party) connectors are one-click for Microsoft's own services: Entra ID sign-in and audit logs, Microsoft Defender XDR incidents, Office 365 audit events, Azure Activity, and Defender for Cloud alerts. These use the Microsoft Graph or Azure Resource API under the hood — no agent needed.

For everything else, the second family is agent-based connectors. The Azure Monitor Agent (AMA) is the current standard. It collects Windows Security Events natively and powers the CEF and Syslog connectors for Linux appliances. The legacy Microsoft Monitoring Agent (MMA) is retired — any existing MMA deployments should migrate.

The third family is the Logs Ingestion REST API (formerly the HTTP Data Collector API, which retires after September 2026). Custom integrations, scripted pipelines, and third-party SaaS products that do not have an AMA-based connector use this path to POST JSON logs directly into a Log Analytics workspace table. The Codeless Connector Platform (CCP) wraps this API so partners can publish a connector to the Sentinel gallery without writing agent code.
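The REST path above ends in a plain HTTPS POST. The following is an added example, not code from the lesson or from Microsoft: it builds the Logs Ingestion API URL for a custom table stream, splits records into batches that respect the 1 MB per-call limit, and prepares the authenticated request. The DCE host, DCR immutable id, stream name and token are placeholders you replace with your own.

```python
import json
import urllib.request

# Logs Ingestion API limits from the Microsoft docs: one POST carries a JSON array of records
# and must stay under 1 MB (compressed or not); anything bigger has to be split by the caller.
MAX_BODY_BYTES = 1_000_000
API_VERSION = "2023-01-01"
SEP = (",", ":")  # compact JSON so the size accounting below matches the wire bytes

def ingestion_url(dce_endpoint, dcr_immutable_id, stream_name):
    """Build the Logs Ingestion API URL: data collection endpoint + DCR immutable id + stream.
    For a custom table the stream is 'Custom-<TableName>_CL'."""
    return (f"{dce_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{stream_name}?api-version={API_VERSION}")

def batch_records(records, max_bytes=MAX_BODY_BYTES):
    """Group records into batches whose JSON-array encoding stays within max_bytes.
    Raises if a single record could never fit, rather than sending a call the API will reject."""
    batches, current, size = [], [], 2  # 2 bytes for the enclosing '[' and ']'
    for rec in records:
        enc_len = len(json.dumps(rec, separators=SEP).encode())
        if enc_len + 2 > max_bytes:
            raise ValueError("single record exceeds the per-call limit")
        extra = enc_len + (1 if current else 0)  # +1 for the separating comma
        if current and size + extra > max_bytes:
            batches.append(current)
            current, size, extra = [], 2, enc_len
        current.append(rec)
        size += extra
    if current:
        batches.append(current)
    return batches

def build_request(url, bearer_token, batch):
    """Return the urllib Request for one batch; the token is an Entra ID token for the
    scope https://monitor.azure.com//.default, obtained elsewhere (not shown here)."""
    return urllib.request.Request(url, data=json.dumps(batch, separators=SEP).encode(), method="POST",
                                  headers={"Authorization": f"Bearer {bearer_token}",
                                           "Content-Type": "application/json"})

def send(req):
    """POST one batch. The API answers 204 No Content on success; the caller should retry on 429/503."""
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    # Placeholder identifiers; a real run uses your DCE URL, DCR immutable id and a live token.
    url = ingestion_url("https://<dce-name>.<region>.ingest.monitor.azure.com",
                        "dcr-<immutable-id>", "Custom-ExampleAudit_CL")
    records = [{"TimeGenerated": "2026-06-20T10:00:00Z", "RawData": f"constructed audit line {i}"}
               for i in range(5)]
    for batch in batch_records(records):
        req = build_request(url, "<bearer-token>", batch)
        print(req.full_url, len(req.data), "bytes")  # send(req) would POST it
```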

Figure 1 — Log ingestion paths into Sentinel. Pipeline shown: Data source (appliance, SaaS, Microsoft service) → Connector (native / AMA / CCP) → DCR (filter & transform) → Log Analytics (table in workspace) → Sentinel (detections & incidents).
Three ingestion paths cover every source type — Microsoft native, AMA agent-based, and REST API for custom and partner sources.
Quick check · Q1 of 10 · Understand

Which connector family is the right choice for connecting Microsoft Entra ID sign-in logs?

Correct: c. Native (first-party) connectors cover Microsoft's own services including Entra ID, Defender XDR, and Office 365 via the Graph/Azure Resource API — no agent is needed.
👉 So far: Three ingestion paths: native (Microsoft services, one-click), AMA-based (CEF/Syslog from Linux appliances), REST/CCP (custom and partner SaaS) — know which path fits each source type.

② AMA, CEF & Syslog — the appliance log-collection path

Network appliances — firewalls, intrusion detection systems, proxies, VPN concentrators — speak either raw Syslog or CEF (Common Event Format). The AMA-based collection path works in two hops. First, the appliance sends its Syslog or CEF stream to a Linux forwarder VM running the local Syslog daemon (rsyslog or syslog-ng). Second, the Azure Monitor Agent on that forwarder reads from the daemon and pushes the data to the Sentinel workspace over HTTPS — no inbound port to Sentinel is required.

For raw Syslog, logs land in the Syslog table. For CEF, they land in CommonSecurityLog. The AMA replaces both the older OMS/MMA agent and the legacy Syslog connector; the Data Collection Rule (DCR) on the forwarder defines which facilities and severity levels to collect, so you are not paying to ingest debug-level noise unless you choose to.

Why the forwarder matters

The Linux forwarder VM is a single chokepoint — if it goes down, your firewall logs stop. Production deployments run at least two forwarders behind a load balancer. Size the forwarder to the peak events-per-second of your appliance fleet; the AMA is lightweight but the Syslog daemon can become the bottleneck at very high event rates.

Figure 2 — AMA-based CEF/Syslog collection stack. Stack shown: Network appliance (firewall, IDS, proxy; sends CEF or Syslog) → Linux forwarder VM (rsyslog/syslog-ng receives, AMA reads) → Log Analytics workspace (CommonSecurityLog or Syslog table).
Two hops from appliance to workspace: the appliance speaks to a Linux forwarder, the AMA agent forwards to Sentinel over HTTPS.

🔌 Azure Monitor Agent (AMA)
The current recommended collector for Windows and Linux. Replaces the legacy MMA/OMS agent. Powered by Data Collection Rules (DCRs) that define what to collect and where to send it.

📋 CEF (CommonSecurityLog)
Common Event Format — a structured Syslog extension with key=value pairs. CEF logs from network appliances land in the CommonSecurityLog table in Log Analytics.

🧩 Codeless Connector (CCP)
A JSON connector definition that tells Sentinel how to poll a REST API, authenticate, and write to a Log Analytics table — no agent code needed. Lets SaaS vendors self-publish to the Sentinel gallery.

📐 ASIM Parser
A KQL function that maps raw vendor-specific table fields to a standard ASIM schema field name (e.g. SrcIpAddr). Write one detection rule against the ASIM schema and it works for every mapped source.

Always run two forwarder VMs

The Linux CEF/Syslog forwarder is a single point of failure. In production, deploy at least two forwarder VMs behind a load balancer and point your appliances at the VIP — if one forwarder goes down your firewall logs keep flowing. Size each forwarder to handle the full peak EPS of your appliance fleet, not just half.

▶ Watch a firewall CEF event flow into a Sentinel incident

End-to-end: a Palo Alto firewall deny event arrives, traverses the forwarder, lands in CommonSecurityLog, hits an ASIM detection rule, and becomes an incident.

① Firewall fires: a Palo Alto firewall denies a connection attempt and emits a CEF-format Syslog message to the Linux forwarder VM on UDP 514.
② AMA forwards: the rsyslog daemon on the forwarder receives the CEF message and hands it to the Azure Monitor Agent, which batches and sends it over HTTPS to the Log Analytics workspace.
③ ASIM normalises: the log lands in CommonSecurityLog. The Sentinel ASIM _Im_NetworkSession parser maps fields (DeviceAction → DvcAction, DestinationIP → DstIpAddr) at query time.
④ Detection fires: a Sentinel scheduled analytics rule querying _Im_NetworkSession matches the deny event pattern and raises an incident in the Sentinel incident queue.
Quick check · Q2 of 10 · Remember

Where do CEF-format logs from a Palo Alto firewall land after AMA-based collection?

Correct: b. CEF (Common Event Format) logs collected by the AMA through the Linux forwarder land in the CommonSecurityLog table. Plain Syslog (non-CEF) goes to the Syslog table.
👉 So far: AMA replaces MMA for CEF and Syslog. Appliance sends to Linux forwarder VM, AMA reads from Syslog daemon, forwards over HTTPS to workspace. CEF lands in CommonSecurityLog; raw Syslog in Syslog table.
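To make the forwarder hop concrete, here is an added example (not code from the lesson, and not how the AMA is implemented) that models what happens on the Linux forwarder in Python: it decodes the Syslog PRI into facility and severity, applies a DCR-style facility/severity filter so debug noise never leaves the box, and parses the surviving CEF messages into rows shaped like CommonSecurityLog columns. The sample lines, the local4 facility and the extension-to-column map are constructed for the example.

```python
import re
# Syslog PRI = facility * 8 + severity (RFC 5424 numbering); names listed in index order.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock", "local0", "local1",
              "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# The six CEF header fields after 'CEF:0', named as CommonSecurityLog stores them.
CEF_HEADER = ["DeviceVendor", "DeviceProduct", "DeviceVersion", "DeviceEventClassID", "Activity", "LogSeverity"]
# Common CEF extension keys and the CommonSecurityLog column each one feeds.
EXT_TO_CSL = {"act": "DeviceAction", "src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort",
              "dpt": "DestinationPort", "proto": "Protocol", "suser": "SourceUserName", "app": "ApplicationProtocol"}

def decode_pri(line):
    """Return (facility, severity, rest) for a '<PRI>...' syslog line."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid syslog PRI")
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)

def split_cef(text):
    """Split the CEF prefix into its 7 '|' fields plus the extension; '\\|' is a literal pipe."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            cur.append(text[i + 1]); i += 2
        elif text[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(text[i]); i += 1
    if len(fields) < 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    return fields, text[i:]

def parse_extension(ext):
    """Parse 'key=value key2=value' pairs: values may contain spaces; '\\=' is a literal '='."""
    keys = list(re.finditer(r"(?:^|(?<=\s))(\w+)=", ext))
    out = {}
    for n, k in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[k.group(1)] = ext[k.end():end].strip().replace("\\=", "=").replace("\\\\", "\\")
    return out

def to_common_security_log(cef_text):
    """CEF text -> a CommonSecurityLog-shaped row. AdditionalExtensions is a dict here; the real column packs 'k=v;k=v'."""
    header, ext = split_cef(cef_text)
    row = dict(zip(CEF_HEADER, header[1:]), AdditionalExtensions={})
    for key, val in parse_extension(ext).items():
        if key in EXT_TO_CSL:
            row[EXT_TO_CSL[key]] = val
        else:
            row["AdditionalExtensions"][key] = val
    return row

def collect(lines, facilities=("local4",), min_severity="info"):
    """Forwarder view: a DCR-style facility/severity filter runs first; returns (CSL rows, lines dropped)."""
    rows, dropped = [], 0
    for line in lines:
        facility, severity, rest = decode_pri(line)
        if facility not in facilities or SEVERITIES.index(severity) > SEVERITIES.index(min_severity):
            dropped += 1          # never leaves the forwarder, so never billed
            continue
        at = rest.find("CEF:")
        if at >= 0:               # plain Syslog (no CEF prefix) would go to the Syslog table instead
            rows.append(to_common_security_log(rest[at:]))
    return rows, dropped

# Constructed sample lines. PRI 166 = local4.info, 165 = local4.notice, 167 = local4.debug, 38 = auth.info.
SAMPLE_LINES = [
    "<166>Jun 20 10:00:01 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.1|deny|TRAFFIC deny|5|"
    "src=10.0.0.5 spt=51515 dst=203.0.113.7 dpt=443 proto=TCP act=deny msg=Policy hit rule\\=block-all",
    "<165>Jun 20 10:00:02 px01 CEF:0|Vendor\\|With Pipe|Proxy|1.0|100|allowed|1|src=10.0.0.9 act=allow",
    "<167>Jun 20 10:00:03 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.1|dbg|debug trace|1|src=10.0.0.9",
    "<38>Jun 20 10:00:04 host1 sshd[1]: Accepted publickey for ops",
]
```

Running `collect(SAMPLE_LINES)` keeps the two local4 messages at info or above and drops the debug line and the auth line, which is the effect a DCR severity filter has on your bill.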

③ Codeless Connector Platform & ASIM normalization

The Codeless Connector Platform (CCP) lets anyone publish a Sentinel connector that pulls data from a REST API without writing a custom agent. You author a connector definition in JSON (specifying the API endpoint, authentication, polling interval, and the target Log Analytics table), publish it, and Sentinel's backend handles the scheduling and ingestion. The Sentinel connector catalog crossed 400 connectors partly because of CCP — SaaS vendors can self-serve their way into the gallery.

ASIM (Advanced Security Information Model) is the normalization layer that makes those 400 sources actually useful together. Every vendor calls the 'source IP' field something different. ASIM defines a set of standard schemas — Network Sessions, DNS, Web, Authentication, File Events, and more — and each schema has fixed field names. Parser functions map raw table fields (e.g. CommonSecurityLog, a Palo Alto table, a Cisco ASA table) to the ASIM schema. A Sentinel analytics rule written against _Im_NetworkSession fires on any vendor's firewall without vendor-specific edits.

ASIM parsers come in two flavours: built-in (native) parsers that run at query time and transform data on the fly, and ingestion-time transformations in a DCR that normalise before data lands in the table. Ingestion-time is faster to query but less flexible.

Figure 3 — ASIM: one schema, every vendor. Shown: Palo Alto logs, Cisco ASA logs, CommonSecurityLog, Fortinet logs, Check Point logs and custom REST data all feeding the ASIM schema (_Im_NetworkSession etc.).
ASIM parser functions map raw vendor tables to standard schemas, so one detection rule queries all sources.
Writing vendor-specific detection rules

Avoid writing detection rules directly against raw vendor tables like CommonSecurityLog filtered by DeviceVendor='Palo Alto'. When you add a second firewall vendor you must duplicate the rule. Write against the ASIM _Im_NetworkSession or _Im_WebSession parsers instead — new vendor, new parser, zero rule changes.
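The following added example (not the lesson's code and not Microsoft's ASIM parsers) shows the normalization idea from section ③ in Python: one parser per raw shape maps vendor fields to ASIM NetworkSession names (DeviceAction → DvcAction, DestinationIP → DstIpAddr, and so on), a unified view unions them, and a single deny-burst detection runs over the result. The CommonSecurityLog rows and the FortiGate-style key=value rows are constructed, and the FortiGate field names are an assumption, not taken from the lesson.

```python
from collections import defaultdict

# Raw vendor action words -> ASIM DvcAction vocabulary; blocked actions yield EventResult 'Failure'.
ACTIONS = {"deny": "Deny", "block": "Deny", "drop": "Drop", "reset": "Reset",
           "allow": "Allow", "accept": "Allow", "pass": "Allow"}
BLOCKED = {"Deny", "Drop", "Reset"}
PROTO_NUM = {"6": "TCP", "17": "UDP", "1": "ICMP"}

def normalise_action(raw):
    """Return (DvcAction, EventResult); unknown verbs keep their raw form with result 'NA'."""
    dvc = ACTIONS.get(str(raw).lower(), str(raw))
    return dvc, "Failure" if dvc in BLOCKED else ("Success" if dvc == "Allow" else "NA")

def parse_csl(row):
    """Parser for CommonSecurityLog rows (CEF firewalls): the DeviceAction -> DvcAction, DestinationIP -> DstIpAddr mapping."""
    dvc, result = normalise_action(row.get("DeviceAction", ""))
    return {"TimeGenerated": row["TimeGenerated"], "EventVendor": row["DeviceVendor"],
            "EventProduct": row["DeviceProduct"], "SrcIpAddr": row.get("SourceIP"),
            "DstIpAddr": row.get("DestinationIP"),
            "DstPortNumber": int(row["DestinationPort"]) if row.get("DestinationPort") else None,
            "NetworkProtocol": (row.get("Protocol") or "").upper(),
            "DvcAction": dvc, "EventResult": result}

def parse_fortigate(row):
    """Parser for rows split from FortiGate-style key=value Syslog (field names assumed for this example)."""
    dvc, result = normalise_action(row.get("action", ""))
    return {"TimeGenerated": row["TimeGenerated"], "EventVendor": "Fortinet",
            "EventProduct": "FortiGate", "SrcIpAddr": row.get("srcip"), "DstIpAddr": row.get("dstip"),
            "DstPortNumber": int(row["dstport"]) if row.get("dstport") else None,
            "NetworkProtocol": PROTO_NUM.get(row.get("proto"), row.get("proto")),
            "DvcAction": dvc, "EventResult": result}

def im_network_session(csl_rows, fortigate_rows, dvcaction=None):
    """Unified view in the spirit of _Im_NetworkSession: the union of every source parser, with the
    optional dvcaction filter that the real parser accepts as a parameter."""
    events = [parse_csl(r) for r in csl_rows] + [parse_fortigate(r) for r in fortigate_rows]
    if dvcaction:
        events = [e for e in events if e["DvcAction"] == dvcaction]
    return sorted(events, key=lambda e: e["TimeGenerated"])

def deny_burst(events, threshold=3):
    """One detection over the normalised stream: sources with >= threshold blocked sessions,
    reported with the vendors involved. A new vendor means a new parser, not a change here."""
    per_src = defaultdict(list)
    for e in events:
        if e["DvcAction"] in BLOCKED:
            per_src[e["SrcIpAddr"]].append(e)
    alerts = []
    for src, hits in sorted(per_src.items()):
        if len(hits) >= threshold:
            alerts.append({"SrcIpAddr": src, "DenyCount": len(hits),
                           "DistinctTargets": len({(h["DstIpAddr"], h["DstPortNumber"]) for h in hits}),
                           "Vendors": sorted({h["EventVendor"] for h in hits})})
    return alerts

# Constructed sample rows, shaped like the two raw tables a mixed firewall estate would produce.
CSL_ROWS = [
    {"TimeGenerated": "2026-06-20T10:00:01Z", "DeviceVendor": "Palo Alto Networks", "DeviceProduct": "PAN-OS",
     "DeviceAction": "deny", "SourceIP": "10.0.0.5", "DestinationIP": "203.0.113.7", "DestinationPort": "443", "Protocol": "TCP"},
    {"TimeGenerated": "2026-06-20T10:00:02Z", "DeviceVendor": "Palo Alto Networks", "DeviceProduct": "PAN-OS",
     "DeviceAction": "deny", "SourceIP": "10.0.0.5", "DestinationIP": "203.0.113.8", "DestinationPort": "22", "Protocol": "TCP"},
    {"TimeGenerated": "2026-06-20T10:00:03Z", "DeviceVendor": "Palo Alto Networks", "DeviceProduct": "PAN-OS",
     "DeviceAction": "allow", "SourceIP": "10.0.0.9", "DestinationIP": "203.0.113.7", "DestinationPort": "443", "Protocol": "TCP"},
]
FORTIGATE_ROWS = [
    {"TimeGenerated": "2026-06-20T10:00:04Z", "devname": "fg01", "srcip": "10.0.0.5",
     "dstip": "198.51.100.4", "dstport": "3389", "proto": "6", "action": "deny"},
]
```

`deny_burst(im_network_session(CSL_ROWS, FORTIGATE_ROWS))` raises one alert for 10.0.0.5 that cites both vendors, which is the point: the rule never mentions DeviceVendor.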

Quick check · Q3 of 10 · Apply

A detection engineer wants a single Sentinel analytics rule to fire on network session data from Palo Alto, Fortinet, and Cisco simultaneously. What should she write the rule against?

Correct: a. The ASIM _Im_NetworkSession unified parser maps all vendor-specific network session tables to a common schema. One rule against that parser fires across Palo Alto, Fortinet, Cisco and any other ASIM-mapped source automatically.
👉 So far: ASIM parsers map 400+ vendor tables to standard schema field names — write one detection rule against _Im_NetworkSession and it covers every ASIM-mapped firewall vendor. CCP = codeless REST connector for SaaS sources.

④ Table types & commitment tiers — controlling what it costs

Log volume costs money, and Sentinel gives you three table types to manage that. Analytics tables are the default: full KQL query support, fast, indexed — and the most expensive. Use them for high-value security data you query every day (security events, CEF/firewall logs, identity logs). Basic tables are lower-cost with 8 days of interactive query and 90 days retention; they suit verbose-but-rarely-queried logs like verbose web proxy or application traces. Auxiliary tables go further still — cheapest ingestion, long retention, query via Search jobs only — for bulk data you keep for compliance but almost never touch interactively.

On top of table types, Sentinel charges ingestion per GB via two billing models. Pay-as-you-go is flexible but expensive at volume. Commitment tiers start at 100 GB/day and give a substantial per-GB discount in exchange for a minimum daily commitment — predictable cost for workspaces with stable ingestion. You can increase your tier at any time; lowering it is restricted to once every 31 days.

Architect for cost from day one

Route verbose, low-priority log types to Basic or Auxiliary from the start — it is far cheaper than ingesting everything into Analytics and then realising the bill. Use DCR filtering (on the AMA or the Logs Ingestion API) to drop log levels (e.g. Syslog debug and info) before they even reach Sentinel. Commit to a tier once your baseline stabilises, and revisit quarterly.

Figure 4 — Analytics vs Basic vs Auxiliary tables. Analytics: full KQL, indexed, fast; default for security data; highest ingestion cost; best for daily-queried logs. Basic / Auxiliary: Basic has 8-day interactive query, Auxiliary is Search jobs only; lowest ingestion cost; best for verbose, compliance logs.
Choose the table type at connector setup time — moving data later is not automatic and costs vary significantly.

Priya at a Mumbai fintech firm faces this

After enabling 15 new connectors for network firewalls and web proxies, the Sentinel monthly bill doubles overnight with no corresponding increase in detected threats.

Likely cause

All logs — including verbose Syslog debug messages and web proxy access logs queried only during quarterly audits — were ingested into Analytics (full-cost) tables using default connector settings.

Diagnosis

Cost management blade in Sentinel: Analytics table ingestion shows the proxy and debug Syslog streams are the top cost contributors but appear in zero detection rules.

Sentinel ▸ Settings ▸ Workspace Settings ▸ Tables + DCR configuration for each connector
Fix

Move verbose proxy logs to Basic tables. Add a DCR filter on the Syslog AMA connector to drop debug and info severity levels. Evaluate a 200 GB/day commitment tier for the remaining high-value streams.

Verify

Week-on-week cost in Azure Cost Management drops by roughly 40%; critical security alerts (firewall deny events, CEF malware detections) continue to fire normally from Analytics tables.

Confirm your DCR filter is actually dropping noise

After adding a Syslog severity filter in a DCR, run a quick KQL on the Syslog table: Syslog | where SeverityLevel == 'debug' | count. If you still see debug rows, the DCR change has not propagated or is targeting the wrong machine group — check DCR association in Azure Monitor before assuming cost savings.

Quick check · Q4 of 10 · Analyze

Your workspace ingests 500 GB/day. Azure Monitor verbose proxy logs are queried maybe once a quarter. What is the best cost approach?

Correct: b. Routing rarely-queried verbose logs to Basic/Auxiliary slashes ingestion cost for those streams. Locking the critical-log volume into a commitment tier gives predictable per-GB savings vs pay-as-you-go.
👉 So far: Analytics = full KQL, highest cost (daily-queried security data). Basic = 8-day interactive, lower cost. Auxiliary = Search jobs only, cheapest. Commitment tiers start at 100 GB/day for predictable billing.


📝 Wrap-up assessment — six more

Four questions were answered inline; six remain. 70% (7 of 10) marks the lesson complete.

Q5 · Remember

Which Log Analytics table receives CEF-format logs collected by the AMA from a firewall?

Correct: c. CEF (Common Event Format) logs collected via the AMA-based CEF connector land in CommonSecurityLog. Raw Syslog (non-CEF) goes to the Syslog table. SecurityEvent is for Windows events and AzureActivity is for Azure control-plane logs.
Q6 · Understand

What is the primary purpose of ASIM parser functions in Sentinel?

Correct: b. ASIM parsers normalise heterogeneous vendor fields to a common schema (e.g. _Im_NetworkSession). A detection rule written against that schema fires on any ASIM-mapped source — Palo Alto, Fortinet, Cisco or a custom connector — without vendor-specific changes.
Q7 · Apply

A SaaS vendor wants their product's REST API logs to appear in Sentinel's connector gallery without building an agent. What is the correct approach?

Correct: d. The Codeless Connector Platform (CCP) is specifically designed for REST-API sources. The vendor authors a JSON definition (endpoint, auth, polling, target table) and Sentinel handles ingestion. No agent code is needed and the connector appears in the gallery.
Q8 · Analyze

Your Sentinel workspace ingests large volumes of verbose web proxy access logs that are only needed for compliance audits once per quarter. Which table type minimises cost?

Correct: c. Auxiliary tables have the lowest ingestion cost and are ideal for data queried very rarely. Search jobs provide access when needed. Analytics would be wasteful for data never used in daily detections; Basic is better than Analytics but Auxiliary is cheapest for truly rarely-queried compliance data.
Q9 · Evaluate

A Sentinel workspace's daily ingestion has stabilised at around 200 GB/day for three months. Which billing approach gives the best long-term cost outcome?

Correct: b. Commitment tiers offer significant per-GB savings over pay-as-you-go for predictable, stable ingestion volumes. A 200 GB/day tier matches the actual usage and is far cheaper than pay-as-you-go at that scale. The 100 GB/day tier would leave 100 GB/day billed at an even higher effective rate.
Q10 · Evaluate

What is the strongest reason to deploy two Linux CEF forwarder VMs behind a load balancer rather than one?

Correct: a. A single Linux forwarder VM is a silent single point of failure. When it goes down, appliances continue sending CEF/Syslog but no data reaches Sentinel — no error, just silence. Two forwarders behind a VIP ensure continuity if one is patched or fails.

🧠 In your own words

Type one line: why does an ASIM parser mean you never need to rewrite a detection rule when you add a new firewall vendor? Then compare with the expert version.

Expert version: Because the detection rule is written against the ASIM unified parser (e.g. _Im_NetworkSession), not against any vendor-specific table. When you add a new firewall, you only need to write or install an ASIM parser that maps that vendor's raw fields to the standard schema. The existing detection rule automatically queries the new data source through that parser — write the rule once, add parsers as the estate grows, no rule duplication.


📖 Glossary

Azure Monitor Agent (AMA)
The current recommended log collection agent for Windows and Linux. Replaces the legacy MMA/OMS agent. Configured via Data Collection Rules (DCRs) that filter, transform and route data before ingestion.
CEF (Common Event Format)
An industry-standard Syslog extension with structured key=value pairs, supported by most security appliances. CEF logs collected by AMA land in the CommonSecurityLog table in Log Analytics.
Data Collection Rule (DCR)
An Azure resource that defines what data the AMA collects (event channels, Syslog facilities, severity levels), any transformations to apply, and which Log Analytics workspace to send it to.
Codeless Connector Platform (CCP)
A JSON-based framework that lets partners and customers publish Sentinel connectors for REST-API data sources without writing agent code. Sentinel's backend handles polling and ingestion.
ASIM (Advanced Security Info Model)
Sentinel's normalization layer. Parser functions map raw vendor-specific table fields to standard schema field names (e.g. SrcIpAddr, DstPort) so one detection rule covers all ASIM-mapped sources.
Analytics table
The default Log Analytics table type: full KQL, indexed, highest query performance, and highest ingestion cost. Used for security data queried in daily detections and investigations.
Basic / Auxiliary table
Lower-cost table types. Basic supports 8-day interactive KQL and 90-day retention. Auxiliary is cheapest with long retention but requires Search jobs for ad-hoc queries — used for verbose compliance logs.
Commitment tier
A Sentinel/Log Analytics billing option that commits to a minimum daily ingestion (starting at 100 GB/day) in exchange for a lower per-GB rate than pay-as-you-go pricing.
Linux CEF forwarder
A Linux VM running rsyslog or syslog-ng plus the AMA, which receives CEF/Syslog from network appliances on UDP/TCP 514 and forwards events to the Log Analytics workspace over HTTPS.


What's next?

Got the ingestion pipeline locked down? Next, go deep on Sentinel Analytics rules — scheduled queries, NRT rules, Fusion ML detections, and how to tune a rule without drowning the SOC in low-fidelity alerts.