Microsoft Sentinel: AI-Powered Intelligent Security Analytics

Microsoft Sentinel

What Is Microsoft Sentinel?

Microsoft Sentinel (formally Azure Sentinel) is a SIEM (Security Information and Event Management) and SOAR (Security Orchestration and Automated Response) solution that is used in Microsoft Azure – a public cloud platform – and offers a unified approach to threat awareness, proactive hunting, alert detection, and threat response. In Microsoft sentinel, data is gathered from several data sources, data correlation is carried out, and the processed data is visualized in a single dashboard. Microsoft Sentinel also assists in gathering, identifying, looking into, and responding to security risks and occurrences.

Consequently, it delivers threat intelligence and intelligent security analytics in Microsoft Azure cloud infrastructure. Microsoft Sentinel now incorporates Azure Logic Apps and Log Analytics, expanding its functionalities. Additionally, it features strong built-in machine learning capabilities that can identify both people that pose dangers and suspicious activities, greatly assisting security analysts in the analysis of their environment.

Cloud security engineers can use Microsoft Sentinel for analyzing security events in on-premises as well as cloud environments. Typical usage scenarios comprise:

  • Data visualization for logs
  • Finding anomalies and notifying
  • Examination of security-related occurrences
  • Active threat detection and response by automation to security events

How Does Microsoft Sentinel Work?

Microsoft Sentinel allows you to centrally manage the collection, detection, response, and investigation of security threats in the environment and provides tools for threat intelligence and intelligent security analysis that improves the visibility of threats, detection of alerts, threat response, and proactive hunting.

Microsoft Sentinel operates following a cycle that begins with log management and includes automated alert responses before moving on to schema normalization, data validation, detection, and investigation. 

How does Sentinel provide this end-to-end functionality?

Collection: Microsoft Sentinel gathers information on all hardware, users, software, and infrastructure, including elements that are housed on-site and in various cloud environments. What detections can be applied to data depends on how it is gathered.

Detection: Microsoft Sentinel offers analytics and threat intelligence capabilities to help identify security threats that have already been discovered and minimize false positives. KQL-written detections can be stored as code.

Investigation: Microsoft Sentinel offers Artificial Intelligence technology to assist you in investigating suspicious activity on a large scale. Successful SOC (Security Operation Center) operations are aided by automation in both enrichment and containment.

Retaliation: Teams employing Microsoft technology may respond quickly to incidents using Sentinel’s proprietary orchestration and automation of routine security operations and business integration tasks.

Sentinel Malicious Traffic

Components of Microsoft Sentinel

Below are the notable Microsoft Sentinel components:

Workbooks: After you connect data sources to Microsoft Sentinel, you can monitor data using Microsoft Sentinel connectivity with Azure Monitor Workbooks. You can create customized workbooks based on your data using Microsoft Sentinel’s pre-built workbook templates and adaptable solutions.

Workspace: A log analytics is a place where data and configuration settings are kept. Data gathered from various sources is stored there by Microsoft Sentinel.

Dashboard: With this Microsoft Sentinel component, you can define rules in real time and visualize data from several sources using a straightforward standalone dashboard. You can give the security administrator more information about the occurrences those services are responsible for producing.

Hunting: Before an incident is reported, hunting is responsible for carrying out independent and creative investigations to identify and evaluate security vulnerabilities across the data sources used by your association. The MITRE ATT&CK frame serves as the foundation for the powerful stalking hunt and query technologies included in Microsoft Sentinel. The search functionality of Microsoft Sentinel is enhanced by KQL (Kusto Query Language).

Playbooks: Playbooks are tools to automate and streamline security unity that is associated with Microsoft services. Playbooks leverage Azure Logic Apps and are a collection of generalities to execute in response to a guard suggestion. For security admins, playbooks are intended to automate and streamline activities including data intake, enrichment, and disquisition.

Notebooks: Azure machine learning workspaces that use Jupyter scrapbooks, which are pre-built collections of resources and modules for machine literacy, visualization, and data analysis, are supported by this Microsoft Sentinel component. Through the provision of security views and training, a notebook can review errors and look for dangerous behavior. Using a notebook component, you may run real-time visualizations and legal applications online.

Data Connectors: In Microsoft Sentinel, connectors are sent out to allow data from Microsoft users and products. The benefits of out-of-the-box access to the greater security ecosystem can benefit non-Microsoft goods.

Statistics: Microsoft Sentinel employs analytics rules to connect warnings to potentially serious security incidents and to alert security inquirers in advance. Users can create custom criteria to trigger cautions in Analytics using Kusto Query Language (KQL). There are a variety of built-in regulations and connections to Microsoft sources including Azure ATP and Cloud App Security.

Community: Community is a Microsoft Sentinel page that uses GitHub as a power source and has several data sources for orchestration and troubleshooting. Users can use it to issue warnings and react to risks and threats in their environment.

Investigation: You can pinpoint an implicit security issue’s direction and identify its underlying cause with the aid of Microsoft Sentinel’s discourse capabilities.

How do you deploy Microsoft Sentinel?

Microsoft Sentinel monitors linked sources for data incidents and notify you when action is required. Microsoft Sentinel overviews, dashboards, and custom queries can be used to get a better understanding of unprocessed data and possibly harmful occurrences.

Install Microsoft Sentinel connections on services to retrieve data from various data sources that your management needs to keep track of. Microsoft Sentinel performs cross-data-source correlation after obtaining the log data from the services. Utilizing the Azure Monitor Log Analytics workspace, you can manage that data.

Artificial Intelligence and Machine Learning are used by Microsoft Sentinel to perform:

  • Threat assessment
  • Alert recognition
  • Quick action after an incident

To deploy Microsoft Sentinel in your environment, you can perform the following steps:

1.    Log in to the Azure website.

2.    Choose the subscription for which Microsoft Sentinel will be made. This entry ought to have:

a.    The subscription where the Microsoft Sentinel workspace will be created must have contributor permissions.

b.    The resource group to which the Microsoft Sentinel workspace will belong has Contributor or Reader rights.

1.    Select Add after searching for and choosing Microsoft Sentinel. No Microsoft Sentinel workspace to display pane appears as the message.

2.    Select Create Microsoft Sentinel. The page for adding Microsoft Sentinel to a workspace loads.

3.    To create a new workspace, select it. The workspace pane for creating log analytics appears.

4.    Use the dropdown menus to choose the settings listed below on the Basics tab:

a. Select the Pricing tier to proceed.

b. Decide on a pricing tier.

c. After selecting Review + Create and letting Azure verify your Log Analytics workspace’s configuration, choose to Create.

d. The process of creating your work could take some time. You will be notified and your workspace’s name will show up in the Workspace list once it has been deployed to your resource group. When the Notification icon is selected in the upper right of the Azure toolbar, choose Pin to the dashboard.

e. Select Create new on the Pin to dashboard pane, give your dashboard a name, and then click Add at the bottom of the pane. Your workspace’s Microsoft Sentinel dashboard appears.

f. Select Overview from the left menu.

Microsoft Sentinel Roles

With the help of the Role-Based Access Control (RBAC) authorization paradigm, security admins can set up granular levels of permission based on various criteria and permissions while using Microsoft Sentinel. For Microsoft Sentinel, there are three pre-built roles.

  • Reader: Only incidents and data can be seen by users with this position.
  • Responder: Users who have been granted access to this position can examine incidents and data as well as participate in various activities related to adventures, such as assigning to another user or changing the incident’s severity.
  • Contributor: Users with this job have access to examine incidents and data, interact with incidents, and add or remove analytical rules.

To deploy Microsoft Sentinel, the subscription where the workspace is situated must have contributor permissions. Use the Microsoft Sentinel roles to give specific rights to distinct groups so that different teams can have access based on how they use Azure Sentinel.

Connect Data Sources to Microsoft Sentinel

Connecting Microsoft Sentinel to the services you want to use is the next step after enabling it.

The following Azure and non-Azure services are compatible with Microsoft Sentinel natively:

  • Azure AD (Active Directory)
  • Azure Activity log
  • Cloud-based Microsoft Defender
  • Azure Web Application Firewall
  • Azure AD Identity Protection
  • Windows Defender Firewall
  • AWS (Amazon Web Services) CloudTrail
  • DNS
  • Cloud ATP
  • Defender for Cloud Apps
  • Microsoft 365
  • Microsoft Defender ATP
  • Windows security events

Microsoft Sentinel Pricing

Microsoft Sentinel’s billing is determined by how much data it analyzes and saves in the Azure Monitor Log Analytics workspace. Analytics Logs and Basic Logs are two different forms of logs that can be used to absorb data.

Microsoft Sentinel may be purchased in Analytic Logs in two different methods:


In this pricing model, you are charged per GB for the amount of data saved in the Azure Monitor Log Analytics workspace and ingested by Microsoft Sentinel for security analysis. The amount of data that will be stored in GB is used as a measure of data volume, and $2.45 is charged for each GB that is consumed.

Commitment Tiers

Commitment tiers enable a predictable overall cost for Microsoft Sentinel by billing you a fixed price based on the chosen tier. In comparison to Pay-as-you-Go pricing, the commitment tier offers you a reduction on the price based on your choice. After the initial 31 days of commitment, you have the choice to withdraw from the commitment tier at any time.

For 100 GB of data each day, it costs $123; for 200 GB, it costs $222; and for 300 GB, it costs $320. Visit Microsoft Sentinel Pricing for the complete details on pricing.

Microsoft Sentinel vs Splunk

The product portfolios of Microsoft Sentinel and Splunk are comparable. But some significant variations might affect how you decide:

  • In general, Microsoft Sentinel is thought to be simpler to use, configure, and administer.
  • Splunk consistently receives higher marks for customer service excellence and ease of use.
  • Microsoft’s products, such as Network Management, Incident Management, and Security Intelligence, enjoy greater consumer trust.
  • Only incident reporting and event management seem to be areas where Splunk truly shines.
  • Splunk takes more time to learn as compared to Microsoft Sentinel due to its query language.

Cost is one area that could raise some red flags for your business. Depending on your company’s size and usage, Microsoft Sentinel and Splunk have different prices. Until you have quotations from both, it might not be possible for your company to determine which will be more inexpensive for it. Microsoft Sentinel and Splunk don’t offer free trials, however, you can ask for walkthroughs and samples.

Overall, Microsoft Sentinel has better technology, but Splunk is a smaller company and offers advantages unique to small businesses, such as customer support. Microsoft Sentinel will probably be successful for businesses that depend on its security and dependability services. Splunk does receive higher grades for support quality, but most of its technology receives lower marks. Regardless, an MSP will likely serve as the interface between your business and your solution.

Microsoft Sentinel training on Cloud Academy

Microsoft Sentinel is a powerful, SOAR-capable, cloud-native SIEM platform. If you just want to know the basics of Sentinel, we recommend our Introduction to Microsoft Sentinel course. But, If you want to master it, you can enroll in Cloud Academy’s Becoming a Microsoft Sentinel Expert learning path.

Learn how to leverage Data Connectors in the Sentinel workspace, construct and apply Analytics Rules to investigate risks, create Playbooks to automate threat response, and use the Threat Hunting dashboard to proactively search for threats with the aid of this course.

If you want to become an Azure Security Engineer, these courses will help you to achieve your career goal.

Cloud Academy