Intro to Azure Sentinel

Azure Sentinel is a cloud native Security Information Event Management (SIEM) and Security OrchestrationAutomation and Response (SOAR) solution. A SIEM solution aggregates data and provides real-time analysis of security alerts generated by applications and network appliances. A SOAR solution automates the investigationand responses of security alerts. It is common for IT Professionals to mix up the capabilities of SIEM and SOAR since they tend to work together for the goal of protection. However, these were traditionally two separate products or components. Microsoft designed Azure Sentinel to handle both SIEM and SOAR. 

What matters most about Sentinel is that it can: 

  • Bset up in a relatively short time 
  • Gather data from cloud and on-premises security sources 
  • Provide automated analysis and remediation of anomalies with little human intervention.

How Does It Work?

First, devices and services need to start streaming their data into Sentinel, via Data ConnectorsTechnically, the data flows into Azure Log AnalyticsWorkbooks are used to visualize the datapotential issues and trends, and help create specific queries. These queries can help create rules called analytics. After creating analytic rules, you start to see Incidents, as well as process automated actions via Playbooks. When analyzing Incidents, you can leave a trail of Bookmarks to flag interesting or anomalous data for follow up and discover other areas that may be affected. Finally, and after gaining experience, you can go Hunting for threats. Each concept is outlined in more detail below.

Data Connectors

These are connection methods to the variety of sources Azure Sentinel can integrate with. There are multiple different connector types: 

  • Service to ServiceOut of the box, native connections (i.e. Office 365) are integrated with a few clicks 
  • External solution via API3rd party solutions that have integration provided by a set of APIs 
  • External solution via agentAgent based deployment via Linux server to collect Syslog of Common Event Format (CEF) logs.  Also, can be deployed directly on servers that are not connected to Azure directly. 
Log Analytics

All data ingested into Azure Sentinel must come from a Log Analytics workspace. A workspace is basically a limitless storage container to hold all your data from a variety of sources. It is recommended to have a single, dedicated workspace created for Azure Sentinel. 


Provides a means of monitor the data that has been ingested into Azure Sentinel. Built-in workbooks allow you to evaluate data immediately. Custom workbooks can also be created to allow you to view your data the way you need to.


Custom rule sets that can be created to search across all ingested data to discover potential threats. There are many pre-built rules provided as well as connections to Microsoft sources such as Microsoft Defender ATP and Cloud App Security. Additional custom rules can be created based on queries. These can run on a scheduled interval. All hits from each rule can generate an incident and/or run a playbook.


Alerts that are generated based on Analytic rule sets. An incident can contain multiple alerts. They allow for further investigation to determine if there were additional areas of exposure using the investigation graph. Incidents can be assigned to an individual to delegate the investigative tasks.


Playbooks are essentially Azure Logic Apps with specific designation to Azure Sentinel alerts. They allow for an orchestrated and automated response to alerts that are triggered via Analytics. Anything that you can do within a new or existing Logic App can also be extended to run based on an Azure Sentinel alert.


Azure Sentinel has integrated Jupyter notebooks directly into the Azure Portal. A notebook is a web application integrated into your browser that allows you to have live visualizations and code\queries running directly within the browser. A few notebooks are provided by Microsoft to illustrate their capabilities.


Hunting allows for manual, proactive investigations into possible security threats based on the ingested data. Microsoft provided several built-in queries and custom queries can also be created. Once a query is created you can convert it into an analytic task to run on a schedule. Hunting capabilities include:

How Much Does It Cost?

Because you’re storing data in the cloud, and not in databases on premises, Sentinel’s cost is generally attractive. To calculate the anticipated costs, will need to estimate how much data will be ingested per day as well as how long the data will be retained. 

There are multiple areas where charges are incurred:

  • Data ingested from network appliances, AWS, etc.
  • Data ingested from Log analytics, Logic app runs, and machine learning models
  • Data storage for longer than 90 days

Here is the breakdown of anticipated costs for data ingestion (this does not include Logic app or Machine Learning costs):

If you choose a capacity reservation, you are charged a fixed fee up to the capacity limits. If you exceed the chosen capacity, you are charged the per GB rate over the capacity. 

The Pay-as-you-go rate is ideal for initial deployments, smaller organizations, or if you do not know how much data you will need to ingest. It takes between 65-70GB of data within the Pay-as-you-go model to match the costs of the 100GB/day capacity. You can increase or decrease your capacity at any time. 

There are several free elements as well including:

  • First 31 days of Azure Sentinel
  • 90 Day retention ($0.12/GB/Month after 90 days)
  • Microsoft Data source ingestion*:
    • Azure Activity Logs
    • Office 365 Audit Logs (all SharePoint activity and Exchange admin activity)
    • Microsoft Threat Protection products:
      • Azure Security Center
      • Office 365 ATP
      • Azure ATP
      • Microsoft Defender ATP
      • Microsoft Cloud App Security
      • Azure Information Protection

*Microsoft Entra ID (formerly Azure AD) data is not free.

Azure Sentinel may be the newcomer to the SIEM world; however, it is quickly becoming a top tier solution due to its cloud native design. Microsoft has made a significant investment into this service and has all intentions of driving its capabilities above and beyond what competitors offer. With the ease of deployment, minimal to no cost initial integrations into Microsoft services, and familiar Azure interface, Azure Sentinel provides the means for any organization to have a SIEM solution.

In the next article on Azure Sentinel, we will take you through the process of initial setup and onboarding data sources to Azure Sentinel. If you’d like assistance, eGroup | Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment.

Work with our team of Cloud Computing Consultants with years of experience that know all of the “minefields” to prevent missteps.

Last updated on August 3rd, 2023 at 01:38 pm