
Microsoft Sentinel

Cloud-native SIEM & SOAR: KQL, threat intelligence, workbooks, playbooks & automation

What is Microsoft Sentinel?

Microsoft Sentinel is a scalable, cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. It delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response.

Core Capabilities

Kusto Query Language

KQL is the primary query language for Sentinel. Master these patterns to effectively hunt threats and build analytics rules.

// Hunt for brute-force sign-in attempts
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == "50126" // Invalid username or password
| summarize
    FailedAttempts = count(),
    DistinctUsers = dcount(UserPrincipalName),
    TargetUsers = make_set(UserPrincipalName, 10)
    by IPAddress, Location = tostring(LocationDetails.city)
| where FailedAttempts > 20
| order by FailedAttempts desc

// Detect impossible travel (scheduled analytics rule)
let timeWindowMinutes = 60;
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0" // successful sign-ins only; ResultType is a string column
| project TimeGenerated, UserPrincipalName,
    City = tostring(LocationDetails.city),
    Country = tostring(LocationDetails.countryOrRegion),
    Lat = toreal(LocationDetails.geoCoordinates.latitude),
    Lon = toreal(LocationDetails.geoCoordinates.longitude)
// order by defaults to descending; prev() must see the earlier sign-in, so sort ascending
| order by UserPrincipalName asc, TimeGenerated asc
| serialize
| extend PrevCity = prev(City), PrevTime = prev(TimeGenerated),
         PrevUser = prev(UserPrincipalName),
         PrevLat = prev(Lat), PrevLon = prev(Lon)
| where UserPrincipalName == PrevUser
| extend TimeDiffMinutes = datetime_diff('minute', TimeGenerated, PrevTime),
         DistanceKm = round(geo_distance_2points(PrevLon, PrevLat, Lon, Lat) / 1000, 0)
| where TimeDiffMinutes < timeWindowMinutes and City != PrevCity
| project TimeGenerated, UserPrincipalName, City, PrevCity, Country, TimeDiffMinutes, DistanceKm

// Analyze security events by category over time
SecurityEvent
| where TimeGenerated > ago(7d)
| summarize EventCount = count() by bin(TimeGenerated, 1h), Activity
| render timechart

// Top 10 IPs with most failed connections
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceAction == "Deny"
| summarize DenyCount = count() by SourceIP
| top 10 by DenyCount
| render barchart

Sentinel Content Hub

The Content Hub provides packaged solutions with data connectors, analytics rules, workbooks, hunting queries, and playbooks, ready to deploy for specific scenarios.

Sentinel Labs

Enterprise-grade labs that walk you through real-world Sentinel deployments, from initial setup to advanced threat hunting.

Sentinel Resources

Microsoft Sentinel FAQ

How much does Microsoft Sentinel cost?

Sentinel pricing is based on the volume of data ingested into the Log Analytics workspace, measured in GB/day. There are two billing models:

  • Pay-As-You-Go: billed per GB ingested, best for unpredictable or low-volume workloads
  • Commitment Tiers: pre-purchased capacity at 100, 200, 300, 400, 500, 1000, 2000, or 5000 GB/day with discounts up to 50% vs. Pay-As-You-Go

Several data sources are free to ingest: Azure Activity logs, Office 365 Audit logs (SharePoint and Exchange), and Azure AD sign-in/audit logs. You can further reduce costs using Basic Logs (up to 60% cheaper for high-volume, low-query data), Archive tier (long-term retention at minimal cost), and data collection rules to filter noisy data before ingestion.

For a typical mid-size organisation ingesting 50 GB/day, expect approximately $5,000-7,000/month depending on region and commitment tier.

Sentinel pricing and billing

What is the difference between Analytics Logs, Basic Logs, and Archive?

Sentinel offers three data tiers to optimise cost and query capability:

  • Analytics Logs: Full KQL query support (joins, aggregations, functions), 90-day interactive retention, used for analytics rules, hunting, and workbooks. This is the default and most expensive tier.
  • Basic Logs: ~60% lower cost, supports simple queries only (single-table, time-filtered, no joins or summarize). Ideal for high-volume, low-value data like NetFlow, DNS logs, or verbose diagnostics that you rarely query but need for investigations. 30-day interactive retention.
  • Archive tier: Lowest cost for long-term retention (up to 12 years). Data is not immediately queryable but can be restored to Analytics or Basic Logs for investigation. Use for compliance and forensic retention requirements.

Best practice: put high-value security data (sign-ins, alerts, process events) in Analytics Logs, verbose telemetry in Basic Logs, and compliance archives in Archive tier.

Basic Logs use cases

How do I reduce Sentinel costs effectively?

Cost optimisation is critical for Sentinel at scale. Here are the most effective strategies:

  1. Use Commitment Tiers: If your daily ingestion is predictable, commitment tiers save 15-50%. Monitor your usage in the Usage workbook and right-size quarterly.
  2. Enable free connectors first: Microsoft 365 audit logs, Azure Activity logs, and Microsoft Defender XDR incidents are free to ingest.
  3. Filter at ingestion: Use Data Collection Rules (DCRs) and workspace transformations to drop or summarise noisy fields before they hit the workspace. This can reduce volume by 30-60% for verbose sources.
  4. Use Basic Logs: Move high-volume, low-query tables (Syslog, DNS, AuditLogs) to Basic Logs tier for immediate 60% savings.
  5. Review the Data Collection Health workbook: Identify tables with the highest volume and lowest query frequency, then optimise or move them.
  6. Deduplicate: Ensure you are not ingesting the same events through multiple connectors (e.g., Defender XDR and MDE separately).
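Two added queries, not part of the original page, for steps 3 and 5 above: one over the Usage table to rank billable tables by ingested volume, and one workspace transformation (the KQL placed in a DCR's transformKql) that drops routine Syslog noise before it is stored. The 30-day window, the "CRON" process name and the severity filters are assumptions.

```kql
// Step 5: rank billable tables by ingested volume over the last 30 days.
// Usage.Quantity is reported in MB, so divide by 1024 for GB.
let lookback = 30d;
let totalGB = toscalar(
    Usage
    | where TimeGenerated > ago(lookback) and IsBillable == true
    | summarize TotalMB = sum(Quantity)
    | project TotalGB = TotalMB / 1024);
Usage
| where TimeGenerated > ago(lookback) and IsBillable == true
| summarize IngestedMB = sum(Quantity) by DataType
| extend IngestedGB = round(IngestedMB / 1024, 2),
         DailyAvgGB = round(IngestedMB / 1024 / 30, 2),
         PercentOfTotal = round(100.0 * IngestedMB / 1024 / totalGB, 1)
| project DataType, IngestedGB, DailyAvgGB, PercentOfTotal
| order by IngestedGB desc
| take 20

// Step 3: workspace transformation for the Syslog table. This KQL goes in the
// DCR's transformKql property; 'source' is the incoming stream. It drops debug
// messages and routine cron info lines before they are stored and billed.
// "CRON" is an assumed process name; adjust to the noise your hosts produce.
source
| where SeverityLevel != "debug"
| where SeverityLevel != "info" or ProcessName != "CRON"
```

Tables that rank high here but rarely appear in hunting or analytics rules are the first candidates for a transformation or a move to Basic Logs.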

Reduce Sentinel costs

What data connectors does Sentinel support?

Sentinel supports 300+ data connectors spanning the entire security ecosystem:

  • Microsoft services: Microsoft 365, Entra ID, Defender XDR (unified incidents and raw data), Azure Activity, Microsoft Purview, Intune
  • Cloud platforms: AWS CloudTrail and GuardDuty, Google Cloud SCC, multi-cloud via Azure Arc
  • Network security: Palo Alto, Fortinet, Check Point, Cisco ASA, Zscaler, F5, and other firewalls/proxies via CEF or Syslog
  • Endpoint solutions: Microsoft Defender for Endpoint, CrowdStrike, SentinelOne, Carbon Black (via API connectors)
  • Identity: Okta, Ping Identity, CyberArk via REST API or Azure Functions-based connectors
  • Custom sources: Any source that can output CEF, Syslog, JSON, or CSV can be ingested via the Log Analytics agent, Azure Monitor Agent, or codeless connector platform (CCP)

The Content Hub in Sentinel provides packaged solutions that include connectors, analytics rules, workbooks, and hunting queries for each data source.

Data connectors reference

Can Sentinel replace my existing SIEM?

Yes. Sentinel is designed as a cloud-native SIEM replacement and thousands of organisations have migrated from traditional on-premises SIEMs. Key advantages over legacy SIEMs:

  • No infrastructure: No servers to deploy, patch, or scale. Sentinel auto-scales to any data volume.
  • Elastic pricing: Pay only for what you ingest, with commitment tier discounts. No per-user or per-device licensing.
  • Native cloud integration: Deep integration with Microsoft 365, Azure, and Defender XDR eliminates complex connector configurations.
  • Built-in SOAR: Logic App playbooks provide automation without a separate SOAR product.
  • SIEM migration experience: Microsoft provides a guided migration tool that maps rules, queries, and dashboards from Splunk, QRadar, and ArcSight to Sentinel equivalents.

Common migration path: run Sentinel in parallel with your existing SIEM for 3-6 months, validate detection parity, then decommission the legacy solution.

SIEM migration guide

What is KQL and why is it important for Sentinel?

KQL (Kusto Query Language) is the query language that powers everything in Sentinel: analytics rules, hunting queries, workbook visualisations, and automation conditions. It is also used across Defender XDR advanced hunting, Azure Monitor, and Azure Data Explorer.

KQL uses a pipe-based syntax where data flows through operators: TableName | where TimeGenerated > ago(1d) | summarize count() by UserPrincipalName | sort by count_ desc. Key operators include:

  • where: filter rows by condition
  • summarize: aggregate data (count, sum, avg, dcount)
  • join: combine tables on shared columns
  • extend: create calculated columns
  • project: select specific columns
  • render: visualise results as charts

Learning KQL is the single most valuable skill for Sentinel analysts. Start with the Kusto Detective Agency interactive tutorial.
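An added example, not from the original page, that uses the operators above together: it joins the set of IPs with many failed sign-ins to later successful sign-ins from the same IP, the pattern an analyst wants surfaced after a password spray. The failure threshold, the 1h follow-up window and the error codes used are assumptions to tune per environment.

```kql
// Constructed detection: failed sign-ins from one IP followed by a success.
let lookback = 1d;
let failThreshold = 10;        // assumption: tune to your environment
let followUpWindow = 1h;       // assumption: how soon a success counts as related
let Failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in ("50126", "50053")   // bad password / account locked
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated),
                TargetedUsers = make_set(UserPrincipalName, 20)
        by IPAddress
    | where FailedCount >= failThreshold;
let Successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress,
              SuccessUser = UserPrincipalName, AppDisplayName;
Failures
| join kind=inner Successes on IPAddress
// keep successes that fall inside the failure burst or shortly after it
| where SuccessTime between (FirstFail .. (LastFail + followUpWindow))
// negative values mean the success landed in the middle of the burst
| extend MinutesAfterLastFail = datetime_diff('minute', SuccessTime, LastFail)
| project IPAddress, FailedCount, TargetedUsers, SuccessUser, AppDisplayName,
          SuccessTime, MinutesAfterLastFail
| order by FailedCount desc, SuccessTime asc
```

Checking whether SuccessUser appears in TargetedUsers separates a compromised account from a shared NAT address where an unrelated user happened to sign in.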

KQL in Sentinel

How do playbooks and automation rules work together?

Sentinel uses two automation layers that work in concert:

  • Automation rules: Lightweight, no-code rules that run instantly when incidents are created or updated. They can set severity, assign owners, add tags, close false positives, or trigger playbooks. They run in order of priority and are ideal for incident triage automation.
  • Playbooks: Full Logic App workflows with 400+ connectors that perform complex, multi-step actions: enrich incidents with threat intelligence (VirusTotal, AbuseIPDB), post alerts to Teams/Slack, isolate compromised user accounts in Entra ID, block IPs on firewalls, create ServiceNow tickets, or collect investigation evidence.

Typical workflow: An analytics rule detects suspicious activity → creates an incident → an automation rule sets severity and triggers a playbook → the playbook enriches the incident, notifies the SOC team, and takes initial containment actions, all within seconds, 24/7.

Playbooks can also be triggered manually by analysts from the incident page for on-demand response actions.

Playbooks overview