A Complete Guide to Azure Sentinel and its Components

What is Azure Sentinel?

Azure Sentinel is a SIEM (Security Information and Event Management) and Security Orchestration and Automated Response (SOAR) system in Microsoft's public cloud platform. It provides a single solution for alert detection, threat visibility, proactive hunting, and threat response. It collects data from different data sources, correlates it, and visualizes the processed data in a single dashboard. Azure Sentinel helps to collect, detect, investigate and respond to security threats and incidents, delivering intelligent security analytics and threat intelligence across the enterprise ecosystem. Azure Sentinel natively incorporates Azure Logic Apps and Log Analytics, which enhance its capabilities. It also has built-in advanced machine learning capabilities that can detect threat actors and suspicious behaviours, which significantly helps security analysts to analyze their environment.
With the growing intelligence of edge devices, capable of making real-time and near-real-time determinations, security can be built into every transaction. Source: How AI Is Revolutionizing Fraud Detection And Risk Assessment.

Azure Sentinel is easy to deploy in single and multi-tenant scenarios. In the case of a multitenant scenario, Azure Sentinel will be deployed on each tenant, and Azure Lighthouse will be used to have a multitenant visualization of all tenants.

What are the Stages of Azure Sentinel?

The four crucial areas or stages of Azure Sentinel are as follows:

1. Collect

Azure Sentinel can collect data on all users, devices, applications, and infrastructure, both on-premises and across multiple cloud environments. It connects to security sources out of the box: several connectors for Microsoft solutions provide real-time integration, and built-in connectors exist for third-party (non-Microsoft) products and services. Apart from this, data sources can also be connected to Azure Sentinel through Common Event Format (CEF), Syslog, or a REST API.
  • The services that can be connected directly via out-of-the-box integration include Azure Active Directory, Azure Activity, Azure DDoS Protection, Azure AD Identity Protection, Azure Firewall, Azure Security Center, Azure Web Application Firewall, Office 365, Microsoft Defender for Identity, Amazon Web Services - CloudTrail, Cloud App Security and other Microsoft solutions.
  • Services and appliances such as Okta SSO, Orca Security, Qualys VM, Citrix Analytics, Barracuda CloudGen Firewall, Perimeter 81 Logs, Proofpoint TAP, and some others connect via API.
  • Azure Sentinel can also be connected through an agent to any other data source. The Syslog protocol is usable for this purpose and enables real-time log streaming. The Azure Sentinel agent (the Log Analytics agent) converts CEF-formatted logs into a format that Log Analytics can ingest. External solutions supported via agents include Linux servers, DNS servers, Azure Stack VMs, and DLP solutions.
  • Threat intelligence providers (MISP Open Source Threat Intelligence Platform, Anomali ThreatStream, Palo Alto Networks MineMeld, ThreatConnect Platform, ThreatQ Threat Intelligence Platform, etc.); firewalls, proxies and endpoints supported through CEF (Check Point, F5 ASM, Palo Alto Networks, Zscaler, Cisco ASA, Fortinet, and other CEF-based appliances); and firewalls, proxies and endpoints supported through Syslog (Sophos XG, Symantec ProxySG, Pulse Connect Secure and other Syslog-based appliances).
Azure Sentinel also supports both Fluentd and Logstash to connect and collect data and logs.
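As an added example (not code from XenonStack or from Azure Sentinel itself), the parser below shows what the agent path has to handle: it takes CEF records as a Syslog forwarder delivers them, applies the format's escaping rules for `|`, `=` and `\`, and promotes well-known extension keys to column names. The header column names mirror the CommonSecurityLog table, but the extension key-to-column mapping, the sample records and the function names are assumptions constructed for illustration.

```python
"""Parse CEF records as the Log Analytics agent receives them over Syslog.

Added example (not XenonStack's or Microsoft's code). Header names mirror the
CommonSecurityLog table; EXTENSION_COLUMNS is an assumed subset of its schema.
"""
import re
from typing import Any, Dict, List, Tuple

# CEF header fields in specification order, named after CommonSecurityLog columns.
CEF_HEADER = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
              "DeviceEventClassID", "Activity", "LogSeverity")

# Assumed subset of CommonSecurityLog column names for common extension keys.
EXTENSION_COLUMNS = {"src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort",
                     "dpt": "DestinationPort", "suser": "SourceUserName",
                     "duser": "DestinationUserName", "act": "DeviceAction",
                     "proto": "Protocol", "msg": "Message", "dvchost": "DeviceName"}

# Optional RFC 3164 syslog prefix ("<PRI>Mon DD HH:MM:SS host ") before "CEF:".
_CEF_START = re.compile(
    r"^(?:<\d{1,3}>)?(?:\S+\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+)?CEF:(\d+)\|")
# An extension key is a run of key characters directly followed by '='. An
# escaped '=' inside a value is preceded by a backslash, so it never matches.
_EXT_KEY = re.compile(r"([A-Za-z0-9_.]+)=")


def _unescape(value: str) -> str:
    """Undo CEF escaping: \\| \\= \\\\ become the literal character; \\n and \\r become newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(body: str) -> Tuple[List[str], str]:
    """Split the six pipe-delimited header fields after 'CEF:0|'; '\\|' is an escaped pipe."""
    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < len(CEF_HEADER):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep the escape pair for _unescape
            current.append(body[i:i + 2])
            i += 2
        elif ch == "|":
            fields.append(_unescape("".join(current)))
            current, i = [], i + 1
        else:
            current.append(ch)
            i += 1
    if len(fields) < len(CEF_HEADER):
        raise ValueError("CEF header is missing fields")
    return fields, body[i:]            # remainder is the extension block


def parse_cef(line: str) -> Dict[str, Any]:
    """Return header columns, the raw Extension map, and promoted well-known columns."""
    line = line.strip()
    start = _CEF_START.match(line)
    if not start:
        raise ValueError("not a CEF record: %r" % line[:40])
    header, extension = _split_header(line[start.end():])
    record: Dict[str, Any] = {"CEFVersion": int(start.group(1))}
    record.update(zip(CEF_HEADER, header))
    keys = list(_EXT_KEY.finditer(extension))
    ext: Dict[str, str] = {}
    for n, key in enumerate(keys):      # each value runs up to the next key
        end = keys[n + 1].start() if n + 1 < len(keys) else len(extension)
        ext[key.group(1)] = _unescape(extension[key.end():end].strip())
    record["Extension"] = ext
    for key, column in EXTENSION_COLUMNS.items():
        if key in ext:
            record[column] = ext[key]
    return record


def parse_lines(lines: List[str]) -> List[Dict[str, Any]]:
    """Parse a batch, skipping non-CEF noise (plain syslog) instead of failing the batch."""
    out = []
    for line in lines:
        try:
            out.append(parse_cef(line))
        except ValueError:
            continue
    return out


# Constructed sample records (not real device output).
SAMPLE_LINES = [
    "<134>Jan 12 10:15:01 fw01 CEF:0|Check Point|VPN-1 & FireWall-1|R80|drop|"
    "Connection dropped \\| logged|6|src=10.1.2.3 dst=203.0.113.9 spt=51234 dpt=443 "
    "proto=TCP act=drop msg=Policy rule 17 blocked outbound\\=session",
    "CEF:0|Fortinet|FortiGate|6.4|37127|login failed|7|suser=svc\\\\backup "
    "src=198.51.100.7 dvchost=fgt-edge-1 msg=Admin login failed\\nreason: bad password",
]

if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(rec["DeviceVendor"], rec["Activity"], rec.get("SourceIP"), rec["Extension"])
```

The escaping rules matter in practice: a device that emits an unescaped `=` or `|` inside a message produces records whose fields shift, which is why a parser should validate field counts rather than trust every line.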

2. Detect

Azure Sentinel detects threats and minimizes false positives by using analytics and threat intelligence drawn directly from Microsoft. Azure Analytics plays a major role in correlating alerts into incidents for the security team. It provides built-in templates out of the box to create threat detection rules and automate threat responses; apart from these, Azure Sentinel also lets you create custom rules. The four available built-in template types are below:
    • Microsoft Security Templates: with this template, Azure Sentinel incidents are created automatically, in real time, from alerts generated in other Microsoft security solutions.
    • Fusion Template: this template can create only one rule and is enabled by default. It is based on advanced multistage attack detection and uses scalable machine learning algorithms that correlate many low-fidelity alerts and events across multiple products into high-fidelity, actionable incidents.
    • Machine Learning Behavioural Analytics Templates: each template of this type can create only one rule. They are based on proprietary Microsoft machine learning algorithms, and users cannot see the internal logic of the template or when it runs.
    • Scheduled Templates: this is the only template type in which users can view the query logic and change it to suit their environment. Scheduled templates are scheduled analytics rules based on built-in queries written by Microsoft; both the query logic and the scheduling settings are customizable when creating new rules.
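To make the Scheduled template concrete, here is an added example (not Microsoft's rule engine and not a template from the page) that emulates one: a query function evaluated over a lookback window, run every few minutes, raising an incident with entities once a threshold is crossed. It also shows why a lookback longer than the run frequency needs suppression, since the same events fall into consecutive windows. The SigninLogs column names are the real ones; the rule name, threshold, sample events and the `ScheduledRule`, `run_schedule` and `demo` names are constructed for this example.

```python
"""Emulate how a Scheduled analytics rule turns a query into incidents.

Added example (not Microsoft's rule engine). SigninLogs column names are the
Azure AD sign-in table's; rule, events and threshold are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List


@dataclass
class SigninEvent:
    TimeGenerated: datetime
    UserPrincipalName: str
    IPAddress: str
    ResultType: str           # "0" is success; any other code is a failure


@dataclass
class ScheduledRule:
    name: str
    severity: str
    frequency: timedelta      # how often the query runs
    lookback: timedelta       # how far back each run looks
    suppression: timedelta    # do not re-alert on the same entity within this time
    query: Callable[[List[SigninEvent], datetime, datetime], List[Dict]]


@dataclass
class Incident:
    rule: str
    severity: str
    fired_at: datetime
    entities: Dict


def failed_signins_by_ip(events, window_start, window_end, threshold=5):
    """Query logic; the KQL equivalent is roughly:
    SigninLogs | where ResultType != "0"
    | summarize Failures=count(), Accounts=make_set(UserPrincipalName) by IPAddress
    | where Failures >= threshold"""
    failures = defaultdict(list)
    for e in events:
        if window_start < e.TimeGenerated <= window_end and e.ResultType != "0":
            failures[e.IPAddress].append(e)
    return [{"IPAddress": ip, "FailureCount": len(evs),
             "Accounts": sorted({e.UserPrincipalName for e in evs})}
            for ip, evs in failures.items() if len(evs) >= threshold]


def run_schedule(rule, events, first_run, last_run):
    """Run the rule at every tick from first_run to last_run and return its incidents.
    With lookback > frequency the same events are seen by consecutive runs;
    suppression keeps that overlap from producing duplicate incidents."""
    incidents, last_fired = [], {}
    tick = first_run
    while tick <= last_run:
        for row in rule.query(events, tick - rule.lookback, tick):
            key = row["IPAddress"]
            if key in last_fired and tick - last_fired[key] < rule.suppression:
                continue
            last_fired[key] = tick
            incidents.append(Incident(rule.name, rule.severity, tick, row))
        tick += rule.frequency
    return incidents


T0 = datetime(2024, 1, 12, 10, 0)
U = "{}@contoso.example".format
# Constructed sample: one source IP fails against three accounts, then succeeds;
# a second IP has a single failure that should not alert.
SAMPLE_SIGNINS = [
    SigninEvent(T0 + timedelta(minutes=1), U("alice"), "198.51.100.7", "50126"),
    SigninEvent(T0 + timedelta(minutes=2), U("bob"), "198.51.100.7", "50126"),
    SigninEvent(T0 + timedelta(minutes=3), U("carol"), "198.51.100.7", "50126"),
    SigninEvent(T0 + timedelta(minutes=3, seconds=30), U("alice"), "198.51.100.7", "50126"),
    SigninEvent(T0 + timedelta(minutes=4), U("bob"), "198.51.100.7", "50126"),
    SigninEvent(T0 + timedelta(minutes=4, seconds=30), U("carol"), "198.51.100.7", "50126"),
    SigninEvent(T0 + timedelta(minutes=5, seconds=30), U("alice"), "198.51.100.7", "0"),
    SigninEvent(T0 + timedelta(minutes=2), U("dave"), "10.0.0.5", "50126"),
]


def make_rule(suppression_minutes=30):
    return ScheduledRule(name="Multiple failed sign-ins from one IP", severity="Medium",
                         frequency=timedelta(minutes=5), lookback=timedelta(minutes=15),
                         suppression=timedelta(minutes=suppression_minutes),
                         query=failed_signins_by_ip)


def demo(suppression_minutes=30):
    """Run the rule on the sample at 10:10, 10:15, 10:20 and 10:25."""
    return run_schedule(make_rule(suppression_minutes), SAMPLE_SIGNINS,
                        T0 + timedelta(minutes=10), T0 + timedelta(minutes=25))


if __name__ == "__main__":
    for inc in demo():
        print(inc.fired_at.isoformat(), inc.severity, inc.entities)
```

Running `demo()` yields one incident at 10:10; `demo(0)` (no suppression) yields a second one at 10:15 for the same events, which is the duplicate an analyst would otherwise have to close by hand.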

How an analyst can leverage the Investigation and Log Search capabilities in Azure Security Center to determine whether an alert represents a security compromise, and understand the scope of that compromise. Source: How Azure Security Center Analyze Attacks

3. Investigation

Azure Sentinel can investigate and hunt for suspicious activities across the environment. It helps reduce noise and hunt for security threats based on the MITRE framework, and uses artificial intelligence to proactively identify threats across the protected assets before an alert is triggered. When using Azure Sentinel for hunting and investigation, you can make use of the following capabilities:
  • Built-in Queries: developed by Microsoft and available to familiarize yourself with the tables and the query language. You can also create new queries and fine-tune existing ones to enhance your detection capabilities.
  • Powerful Query Language with IntelliSense: hunting is built on top of a query language that provides the flexibility you need to take your hunting capabilities to the next level.
  • Create your Bookmarks: you can bookmark findings you come across during the hunting process so that you can check them later and create an incident for investigation.
  • Use Notebooks to Automate Investigation: notebooks are step-by-step guides resembling playbooks that you can create to keep track of the steps involved in an investigation or hunting process. A notebook summarizes all the steps of the hunting process into a reusable playbook that can be shared with other members of your organization.
  • Query the Stored Data: the data associated with and generated by Azure Sentinel is readily available in the form of tables that can be easily queried.
  • Links to Community: the Azure Sentinel GitHub community is a central place to find additional queries and data sources.

4. Respond

Azure Sentinel can respond quickly to incidents using built-in orchestration, and common, frequent tasks can easily be automated. It provides simplified security orchestration with playbooks, and can also create tickets in ServiceNow, Jira, etc. when an event occurs.

What are the Components of Azure Sentinel?

As shown in the figure below, there are nine significant Azure Sentinel components.
  1. Dashboards: Azure Sentinel has built-in dashboards that visualize data gathered from different data sources, enabling the security team to gain insights into the events generated by those services.
  2. Cases: A collection of all relevant evidence belonging to a specific investigation is referred to as a case. A case can contain one or more alerts, based on the analytics defined by the user.
  3. Hunting: This is a powerful component for security analysts and threat analysts. It performs proactive threat analysis across the environment to detect and analyze security threats. KQL (Kusto Query Language) enhances the search capabilities in Azure Sentinel, and its machine learning capabilities can detect suspicious behaviours such as abnormal traffic patterns in firewall data, suspicious authentication patterns, and resource creation anomalies.
  4. Notebooks: Azure Sentinel provides flexibility and widens the scope of what can be done with the collected data by providing out-of-the-box integration with Jupyter Notebook with an in-built collection of libraries and modules for machine learning, embedded analytics, visualization, and data analysis.
  5. Data Connectors: Built-in connectors are available in Azure Sentinel to facilitate data ingestion from Microsoft products and solutions and partner solutions.
  6. Playbooks: A playbook is a collection of procedures to execute in response to an alert triggered by Azure Sentinel. Playbooks leverage Azure Logic Apps, so the user gets the flexibility, capability, customizability, and built-in templates of Logic Apps to automate and orchestrate tasks and workflows, which can be configured to run manually or to execute automatically when specific alerts are triggered.
  7. Analytics: Analytics enables the users to create custom alerts using Kusto Query Language (KQL).
  8. Community: The GitHub Azure Sentinel Community page contains detections based on different data sources, which users can leverage to create alerts and respond to threats in their environments. The community page also contains sample hunting queries, security playbooks, and other artifacts.
  9. Workspace: A workspace, or Log Analytics workspace, is a container that holds data and configuration information. Azure Sentinel uses this container to store data collected from different data sources. You can create a new workspace or use an existing one, but a dedicated workspace is recommended because alert rules and investigations don't work across workspaces.
A Log Analytics workspace provides the following features:
  • A geographic location for data storage.
  • Data isolation by granting different users access rights following Log Analytics' recommended design strategies for workspaces.
  • A scope for configuration settings, such as pricing tier, retention, and data capping.


How to Deploy Azure Sentinel?

Azure Sentinel uses a Role-Based Access Control (RBAC) authorization model that enables administrators to set up granular permissions based on different requirements. Azure Sentinel has three built-in roles:
  • Reader: Users assigned to this role can view incidents and data but cannot make changes.
  • Responder: Users assigned to this role can view incidents and data and perform some actions on incidents, such as assigning them to another user or changing the incident's severity.
  • Contributor: Users assigned to this role can view incidents and data, perform some actions on incidents and create or delete analytic rules.
To deploy Azure Sentinel, one needs contributor permissions to the subscription in which the Azure Sentinel workspace resides. To provide access to different teams based on their work with Azure Sentinel, leverage the RBAC model to assign granular permissions to various groups.

How does Azure Sentinel differ from Azure Security Center?

Azure Security Center is a cloud workload protection platform that targets the unique requirements of server workload protection in today's hybrid data center architectures. In contrast, Azure Sentinel is a cloud-native SIEM that analyzes event data in real time for early detection of targeted attacks and data breaches, and collects, stores, investigates and responds to security events.

What is Azure Security Center?

In simpler terms, Azure Security Center deals with configuring your Azure assets according to best practices, while Azure Sentinel deals with detecting bad actors and preventing unauthorized access to data. If you want to deploy Azure Security Center and Azure Sentinel together, make sure not to use the default workspace created by Azure Security Center to deploy Azure Sentinel, as Azure Sentinel cannot be enabled on that default workspace.

How to Hunt for Security Threats?

When using Azure Sentinel, there are four different ways to hunt for security threats.
  1. Jupyter Notebook for Hunting: Using Jupyter Notebooks for the hunting process extends the scope of what can be analyzed from the gathered data. The Kqlmagic library provides the functions needed to take Azure Sentinel queries and run them directly inside a notebook. Azure provides Azure Notebooks, an integrated Jupyter Notebook service for the Azure environment that can store, share and execute notebooks.
  2. Using Bookmarks for Hunting: Bookmarks help you preserve the queries and results you executed in Azure Sentinel. Azure Sentinel also allows you to add notes and tags to your bookmarks for reference. Viewing bookmarks from the HuntingBookmark table in your Log Analytics workspace enables you to filter and join bookmarked data with other data sources, making it easy to look for corroborating evidence.
  3. Using Livestream for Hunting: You can use hunting Livestream to create interactive sessions that let you perform the following tasks:
    • Test newly created queries as events occur.
    • Get notified when threats occur.
    • Launch investigations that involve an asset such as a host or user.
Livestream sessions can be created using any Log Analytics query.
  4. Manage hunting and Livestream queries using the REST API: Azure Sentinel allows you to use the Log Analytics REST API to manage hunting and Livestream queries. Such queries are displayed in the Azure Sentinel UI.

Azure Sentinel Pricing

  1. Capacity Reservation based Pricing Model
    • Capacity Reservation is a fixed-fee license, where you pay for the capacity of data ingested into Azure Sentinel (this pricing model is provided at a discounted rate)
    • For example, if you purchase a capacity of 100 GB per day in the Central India region, it will cost you around ₹9,253.48 per day for Azure Sentinel and ₹18,136.82 per day for Log Analytics. The price differs from region to region.
  2. Pay-As-You-Go Pricing Model
    • The first 5 GB is free, and then you are charged ₹185.07 per GB for data ingested into Azure Sentinel.
    • Pay-As-You-Go is based on Log Analytics pricing, and it's set at ₹212.830 per GB with 5GB free per month per billing account.
Note: Data ingested into an Azure Monitor Log Analytics workspace can be retained free of charge for the first 90 days, after which you are charged ₹9.254 per GB per month. By default, the collected data is available for 90 days, but retention can be extended to 730 days. Azure Activity Logs, Office 365 Activity Logs, and alerts from Microsoft Threat Protection can be ingested into Azure Sentinel at no cost.


Azure Sentinel is a scalable, cloud-native tool that helps detect, investigate, and respond to threats. It enables users to catch potential issues more quickly, uses machine learning to reduce threats and capture unusual behaviours, and saves IT teams time and effort on maintenance. Azure Sentinel helps to monitor an ecosystem from cloud to on-premises, workstations, and personal devices.
