
Microsoft Sentinel OverView and Cloud Native SIEM

Navdeep Singh Gill | 19 April 2023

Microsoft Sentinel and its components

What is Microsoft Sentinel - Cloud Native SIEM?

Microsoft Sentinel is a cloud SIEM (Security Information and Event Management) and Security Orchestration and Automated Response (SOAR) system running on Microsoft's public cloud platform. It provides a single solution for alert detection, threat visibility, proactive hunting and threat response: it collects data from different data sources, correlates it, and visualises the processed data in a single dashboard, helping teams collect, detect, investigate and respond to security threats and incidents.

In doing so it delivers intelligent security analytics and threat intelligence across the whole enterprise ecosystem. It natively incorporates Azure Logic Apps and Log Analytics, which extend its capabilities, and its built-in machine learning can detect threat actors and suspicious behaviours, which significantly helps security analysts analyse their environment.

It is easy to deploy in both single-tenant and multi-tenant scenarios. In a multi-tenant scenario it is deployed in each tenant, and Azure Lighthouse provides a consolidated view across all tenants.

Four Stages of Microsoft Sentinel

Collect Data

It can collect data on all users, devices, applications and infrastructure, both on-premises and across multiple cloud environments. It connects to security sources out of the box: several connectors for Microsoft solutions provide real-time integration, and built-in connectors exist for third-party (non-Microsoft) products and services. Beyond these, data sources can be connected using Common Event Format (CEF), Syslog or a REST API.
  • Services that connect directly via out-of-the-box integration include Azure Active Directory, Azure Activity, Azure DDoS Protection, Azure AD Identity Protection, Azure Firewall, Azure Security Center, Azure Web Application Firewall, Office 365, Microsoft Defender for Identity, Amazon Web Services CloudTrail, Cloud App Security and other Microsoft solutions.
  • Solutions that connect via API include Okta SSO, Orca Security, Qualys VM, Citrix Analytics, Barracuda CloudGen Firewall, Perimeter 81 Logs, Proofpoint TAP and others.
  • Any other data source can be connected through an agent. The Syslog protocol serves this purpose and enables real-time log streaming; the Azure Sentinel agent (the Log Analytics Agent) converts CEF-formatted logs into a format that Log Analytics can ingest. External solutions supported via agents include Linux servers, DNS servers, Azure Stack VMs and DLP solutions.
  • Threat intelligence providers (MISP Open Source Threat Intelligence Platform, Anomali ThreatStream, Palo Alto Networks MineMeld, ThreatConnect Platform, ThreatQ Threat Intelligence Platform, etc.); firewalls, proxies and endpoints supported through CEF (Check Point, F5 ASM, Palo Alto Networks, Zscaler, Cisco ASA, Fortinet and other CEF-based appliances); and firewalls, proxies and endpoints supported through Syslog (Sophos XG, Symantec ProxySG, Pulse Connect Secure and other Syslog-based appliances).
It also supports Fluentd and Logstash for connecting to and collecting data and logs.
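Since CEF is one of the ingestion paths listed above, here is an added example (not from the original article or from Microsoft) of a small CEF parser in Python that handles the escaping rules a connector has to get right: `\|` and `\\` in the pipe-delimited header, `\=` and `\\` in the key=value extension, and an optional syslog prefix before the `CEF:` marker. The sample records are constructed.

```python
import re

HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def _split_header(s):
    """Split the 7 pipe-delimited header fields; '\\|' and '\\\\' are escapes."""
    fields, buf, i = [], [], 0
    while i < len(s) and len(fields) < 7:
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(s[i + 1]); i += 2; continue    # escaped '|' or '\'
        elif c == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    return fields, s[i:]                                # remainder is the extension

def _unescape_ext(value):
    # Extension escapes: '\=' -> '=', '\\' -> '\', '\n' and '\r' -> newline / CR.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)

def parse_extension(ext):
    """key=value pairs; values may contain spaces, so cut at the next 'key='."""
    out, keys = {}, list(_EXT_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m[1]] = _unescape_ext(ext[m.end():end].strip())
    return out

def parse_cef(line):
    """Parse one CEF record (optionally with a syslog prefix) into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    fields, ext = _split_header(line[start:])
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    fields[0] = fields[0][len("CEF:"):]                 # "CEF:0" -> "0"
    event = dict(zip(HEADER_FIELDS, fields))
    event["extensions"] = parse_extension(ext)
    return event

# Constructed sample records (not captured from a real appliance).
SAMPLE_LINES = [
    "CEF:0|Example Vendor|Example Firewall|1.0|100|Connection blocked|7|"
    "src=10.0.0.5 dst=10.0.0.9 spt=51234 dpt=445 msg=Blocked SMB attempt",
    "<134>Apr 19 10:00:00 fw01 CEF:0|Example\\|Vendor|Proxy|2.1|200|URL blocked|3|"
    "suser=alice request=https://example.invalid/?q\\=1 msg=Category\\=Malware site",
]
```

A value with an unescaped `=` preceded by whitespace would be read as a new key, which is the spec's behaviour too; senders must escape it.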

Detect Threats

It detects threats and minimises false positives by using analytics and threat intelligence drawn directly from Microsoft. The Analytics component plays a major role in correlating alerts into incidents that the security team can work. Built-in templates are available out of the box for creating threat-detection rules and automating threat responses, and custom rules can also be created. The four built-in template types are:

  • Microsoft Security templates: with this template type, incidents are created automatically and in real time from alerts generated in other Microsoft security solutions.
  • Fusion template: this template can create only one rule, which is enabled by default. It is based on advanced multistage attack detection and uses scalable machine learning algorithms that correlate many low-fidelity alerts and events across multiple products into high-fidelity, actionable incidents.
  • Machine Learning Behavioural Analytics templates: each template of this type can create only one rule. They are based on proprietary Microsoft machine learning algorithms; users cannot see the internal logic of the template or when it runs.
  • Scheduled templates: the only template type in which users can view the query logic and change it to suit their environment. Scheduled templates are scheduled analytics rules based on built-in queries written by Microsoft; both the query logic and the scheduling settings can be customised to create new rules.
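A scheduled rule encodes a detection as a query over a time window. As an added illustration (not Microsoft's template logic, and written in Python rather than KQL so it runs offline), the following reproduces one such pattern over constructed sign-in events: a burst of failed sign-ins for one account from one IP, followed by a success inside the window. The result code "0" stands for a successful sign-in, as in the SigninLogs ResultType column; the events and the threshold are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SUCCESS = "0"  # as in SigninLogs.ResultType: "0" is a successful sign-in, other codes are failures

def parse_events(lines):
    """Constructed 'ISO-time,user,ip,result' lines -> time-ordered tuples."""
    events = []
    for line in lines:
        ts, user, ip, result = line.split(",")
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)

def failures_then_success(events, threshold=5, window=timedelta(hours=1)):
    """Flag each (user, ip) with >= threshold failures inside `window` followed by a success."""
    recent = defaultdict(deque)          # (user, ip) -> timestamps of failures still in the window
    findings = []
    for ts, user, ip, result in events:
        q = recent[(user, ip)]
        while q and ts - q[0] > window:  # slide the window: drop failures that aged out
            q.popleft()
        if result != SUCCESS:
            q.append(ts)
        elif len(q) >= threshold:
            findings.append({"user": user, "ip": ip, "failures": len(q), "success_at": ts})
            q.clear()                    # one finding per burst, not one per later success
    return findings

# Constructed sample telemetry (not real sign-in logs); 50126 is Azure AD's invalid-credentials code.
SAMPLE_LINES = [
    # alice: six failures in 20 minutes, then a success -> flagged
    *(f"2023-04-19T10:{m:02d}:00,alice,203.0.113.7,50126" for m in range(0, 24, 4)),
    "2023-04-19T10:25:00,alice,203.0.113.7,0",
    # bob: two mistyped passwords, then a success -> below threshold, not flagged
    "2023-04-19T11:00:00,bob,198.51.100.4,50126",
    "2023-04-19T11:01:00,bob,198.51.100.4,50126",
    "2023-04-19T11:02:00,bob,198.51.100.4,0",
    # carol: six failures, but the success comes 80 minutes later -> outside the window
    *(f"2023-04-19T08:{m:02d}:00,carol,203.0.113.7,50126" for m in range(0, 12, 2)),
    "2023-04-19T09:30:00,carol,203.0.113.7,0",
]

if __name__ == "__main__":
    for finding in failures_then_success(parse_events(SAMPLE_LINES)):
        print(finding)
```

The threshold and window are the two knobs a scheduled rule exposes; lowering the threshold to 2 also flags bob, which is the false-positive trade-off such a rule has to balance.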

Investigating Suspicious Activities

It can investigate and hunt for suspicious activities across the environment, helping to reduce noise and hunt for security threats based on the MITRE framework, and it uses artificial intelligence to identify suspicious activity across the protected assets proactively, before an alert triggers. When using it for hunting and investigation, you can make use of the following capabilities:
  • Built-in queries: developed by Microsoft and available to help you familiarise yourself with the tables and the query language; you can also create new queries or fine-tune existing ones to enhance your detection capabilities.
  • Powerful query language with intelligence: it is built on a query language that gives you the flexibility to take your hunting capabilities to the next level.
  • Create bookmarks: you can bookmark findings you come across while hunting so that you can return to them later and create an incident for investigation.
  • Use notebooks to automate investigation: notebooks are step-by-step guides, resembling playbooks, that you create to keep track of the steps in an investigation or hunt. They summarise the hunting process into a reusable playbook that can be shared with other members of your organisation.
  • Query the stored data: the data associated with and generated by it is readily accessible as tables that can be queried easily.
  • Links to the community: the Azure Sentinel GitHub community is a central place to find additional queries and data sources.

Respond to Incidents

It can respond quickly to incidents using built-in orchestration, and common, frequent tasks can easily be turned into automation. It simplifies security orchestration with playbooks and can also create tickets in ServiceNow, Jira and similar systems when an event occurs.

Key Components of Microsoft Sentinel

As shown in the figure below, there are nine significant Azure Sentinel components.
  1. Dashboards: built-in dashboards visualise the data gathered from different data sources and enable the security team to gain insight into the events generated by those services.
  2. Cases: a case is the collection of all relevant evidence belonging to a specific investigation. A case can contain one or more alerts, based on the analytics defined by the user.
  3. Hunting: a powerful component for security and threat analysts, responsible for proactive threat analysis across the environment to detect and analyse security threats. KQL (Kusto Query Language) enhances its search capabilities, and its machine learning can detect suspicious behaviours such as abnormal traffic patterns in firewall data, suspicious authentication patterns and resource-creation anomalies.
  4. Notebooks: widen the scope of what can be done with the collected data through out-of-the-box integration with Jupyter Notebook, including a built-in collection of libraries and modules for machine learning, embedded analytics, visualisation and data analysis.
  5. Data Connectors: built-in connectors facilitate data ingestion from Microsoft products and solutions as well as partner solutions.
  6. Playbooks: a playbook is a collection of procedures executed in response to an alert triggered by it. Playbooks leverage Azure Logic Apps, so users get the flexibility, capability, customisability and built-in templates of Logic Apps to automate and orchestrate tasks and workflows, which can be configured to run manually or to execute automatically when specific alerts are triggered.
  7. Analytics: enables users to create custom alerts using Kusto Query Language (KQL).
  8. Community: the Azure Sentinel GitHub community page contains detections based on different data sources, which users can leverage to create alerts and respond to threats in their environments. It also contains sample hunting queries, security playbooks and other artefacts.
  9. Workspace: a workspace (Log Analytics workspace) is a container holding data and configuration information; it is used to store the data collected from the different data sources. You can create a new workspace or use an existing one, but a dedicated workspace is recommended because alert rules and investigations do not work across workspaces.
A Log Analytics workspace provides the following features:
  • A geographic location for data storage.
  • Data isolation by granting different users access rights following Log Analytics' recommended design strategies for workspaces.
  • A scope for configuration settings, such as pricing tier, retention, and data capping.

How to deploy Microsoft Sentinel?

It uses a Role-Based Access Control (RBAC) authorisation model that lets administrators grant granular permissions based on different requirements. Three built-in roles are available.
  • Reader: users assigned to this role can view incidents and data but cannot make changes.
  • Responder: users assigned to this role can view incidents and data and perform some actions on incidents, such as assigning them to another user or changing an incident's severity.
  • Contributor: users assigned to this role can view incidents and data, perform some actions on incidents, and create or delete analytics rules.
To deploy it, you need Contributor permissions on the subscription in which the Azure Sentinel workspace resides. To give different teams access appropriate to their work, use the RBAC model to assign granular permissions to the various groups.

How does Azure Sentinel differ from Azure Security Center?

Azure Security Center is a cloud workload protection platform that addresses the unique requirements of server workload protection in today's hybrid data centre architectures. Azure Sentinel, in contrast, is a cloud-native SIEM that analyses event data in real time for early detection of targeted attacks and data breaches, and that collects, stores, investigates and responds to security events.

What is Azure Security Center?

In simpler terms, Azure Security Center deals with configuring your Azure assets according to best practices, while Sentinel deals with detecting bad actors and preventing unauthorised access to data. If you want to deploy Azure Security Center and Sentinel together, make sure not to deploy Sentinel on the default workspace created by Azure Security Center, because Sentinel cannot be enabled on that default workspace.
How to Hunt for Security Threats?

When using Azure Sentinel, there are four different ways to hunt for security threats.
  1. Jupyter Notebooks for hunting: using Jupyter Notebooks for the hunting process extends the scope of what can be analysed from the gathered data. The Kqlmagic library provides the functions needed to take Azure Sentinel queries and run them directly inside a notebook. Azure also offers Azure Notebooks, an integrated Jupyter Notebook service for the Azure environment that can store, share and execute notebooks.
  2. Bookmarks for hunting: bookmarks preserve the queries you executed and their results. They also let you add notes and tags for later reference. Viewing bookmarks through the hunting bookmark table in your Log Analytics workspace lets you filter and join bookmarked data with other data sources, making it easy to look for corroborating evidence.
  3. Livestream for hunting: hunting Livestream lets you create interactive sessions in which you can:
    1. Test newly created queries as events occur.
    2. Get notified when threats occur.
    3. Launch investigations that involve an asset such as a host or user.
    4. Create sessions from any Log Analytics query.
  4. Managing hunting and Livestream queries using the REST API: the Log Analytics REST API can be used to manage hunting and Livestream queries, and such queries are displayed in the Azure Sentinel UI.

Microsoft Azure Sentinel Pricing

  1. Capacity Reservation-based Pricing Model
    • Capacity Reservation is a fixed-fee licence in which you pay for a reserved capacity of data ingested into it; this pricing model is offered at a discounted rate.
    • For example, if you purchase a capacity of 100 GB per day in the Central India region, it will cost you around ₹9,253.48 per day for Sentinel and ₹18,136.82 per day for Log Analytics. Prices differ from region to region.
  2. Pay-As-You-Go Pricing Model
    • The first 5 GB is free; after that you are charged ₹185.07 per GB of data ingested into it.
    • Pay-As-You-Go is based on Log Analytics pricing, set at ₹212.830 per GB with 5 GB free per month per billing account.
Note: data ingested into an Azure Monitor Log Analytics workspace can be retained free of charge for the first 90 days, after which you are charged ₹9.254 per GB per month. By default the collected data is available for 90 days, which can be extended to 730 days. Azure Activity Logs, Office 365 Activity Logs and alerts from Microsoft Threat Protection can be ingested at no cost.

Azure Sentinel is a scalable, cloud-native tool that helps detect, investigate and respond to threats. It enables users to catch potential issues more quickly, uses machine learning to reduce threats and capture unusual behaviour, and saves IT teams time and effort on maintenance. It monitors an ecosystem spanning cloud, on-premises, workstations and personal devices.