
A Complete Guide To Azure Sentinel

What exactly is Azure Sentinel?

Azure Sentinel is a SIEM (Security Information and Event Management) and SOAR (Security Orchestration and Automated Response) service that Microsoft has integrated into its public cloud platform. It provides a single platform for security alert detection, threat visibility, proactive hunting and threat response. It collects data from different sources, correlates that data, and visualizes the processed data in a single dashboard. It helps you collect information and discover, analyze and respond to security-related incidents and threats.

In this way, it provides intelligent security analytics and threat analysis across the enterprise. It natively incorporates Azure Logic Apps and Log Analytics, which extend its capabilities. It also has built-in machine learning capabilities that can detect threat actors and suspicious behavior, which greatly assists security analysts in analyzing their environment.

It is easy to deploy in both single-tenant and multi-tenant scenarios. In multi-tenant situations, it is deployed in each tenant, and Azure Lighthouse is used to display a multi-tenant view across all tenants.

What are the phases in it?

The four most important areas or stages within Azure Sentinel are as follows:

Collect Data

It can collect data on all users, devices, applications, and infrastructure in both on-premises and cloud environments. It connects to security services out of the box. There are numerous connectors for Microsoft solutions that offer real-time integration, and built-in connectors for third-party (non-Microsoft) products and services. Apart from this, Common Event Format (CEF), Syslog, or a REST API can be used to connect the necessary data sources.

The services that are directly connected through out-of the-box integration are Azure Active Directory, Azure Activity, Azure DDoS Protection, Azure AD Identity Protection, Azure Firewall, Azure Security Center, Azure Web Application Firewall, Office 365, Microsoft Defender for Identity, Amazon Web Services – CloudTrail, Cloud App Security and other Microsoft solutions.

Products such as Okta SSO, Orca Security, Qualys VM, Citrix Analytics, Barracuda CloudGen Firewall, Perimeter 81 Logs, Proofpoint TAP, and a few others connect through an API.

Data sources can also be connected through an agent. The Syslog protocol is usable for this purpose, and it allows real-time log streaming. The Azure Sentinel agent is the Log Analytics Agent; it converts CEF-formatted logs into a format that Log Analytics can ingest. Other sources that can be connected through the agent include Linux servers, DNS servers, Azure Stack virtual machines and DLP solutions.

Threat intelligence providers can be connected as well (MISP Open Source Threat Intelligence Platform, Anomali ThreatStream, Palo Alto Networks MineMeld, ThreatConnect Platform, ThreatQ Threat Intelligence Platform, etc.), along with endpoints, firewalls and proxies that support CEF (F5 ASM, Check Point, Palo Alto Networks, Zscaler, Cisco ASA, Fortinet and other CEF-based devices), and firewalls, proxies and other endpoints that support Syslog (Sophos XG, Symantec ProxySG, Pulse Connect Secure and other Syslog-based appliances).

It is also compatible with Fluentd and Logstash, which you can use to connect to sources and collect logs.
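The agent's job of turning CEF-formatted syslog lines into queryable Log Analytics fields is easy to picture with a small parser. The following is an added example, not code from the article or from Microsoft: the sample lines are constructed, the column names follow Azure Sentinel's CommonSecurityLog table, and the key-to-column map is an assumed subset covering only the common extension keys.

```python
"""Parse CEF-formatted syslog lines into CommonSecurityLog-style fields.

Added example, not code from the original article or from Microsoft. The sample
lines are constructed; the column names (DeviceVendor, SourceIP, ...) follow the
CommonSecurityLog table, and KEY_TO_COLUMN is an assumed subset of that mapping.
"""
import re
from typing import Dict, List

# CEF header order after the version field.
HEADER_FIELDS = ["DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "DeviceEventClassID", "Activity", "LogSeverity"]

# Extension keys mapped to CommonSecurityLog column names (assumed subset).
KEY_TO_COLUMN = {
    "src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort",
    "dpt": "DestinationPort", "proto": "Protocol", "act": "DeviceAction",
    "msg": "Message", "requestURL": "RequestURL",
    "suser": "SourceUserName", "duser": "DestinationUserName",
}

# Constructed sample lines: one with a syslog prefix, one with escaped characters.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:00 fw01 CEF:0|Check Point|VPN-1 & FireWall-1|R81|accept|Accept|3|"
    "src=10.1.2.3 dst=10.9.8.7 spt=51234 dpt=443 proto=TCP act=accept",
    "CEF:0|Zscaler|NSSWeblog|6.1|web_access|Blocked URL|8|"
    "src=10.1.2.3 requestURL=http://example.test/a\\=b\\|c act=Blocked msg=Category: Malware",
]


def _unescape(value: str) -> str:
    """Undo the CEF escapes for pipe, equals, backslash, newline and carriage return."""
    table = {"|": "|", "=": "=", "\\": "\\", "n": "\n", "r": "\r"}
    return re.sub(r"\\([|=\\nr])", lambda m: table[m.group(1)], value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value key=value' where values themselves may contain spaces."""
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    out: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end])
    return out


def parse_cef(line: str) -> Dict[str, str]:
    """Turn one syslog/CEF line into a flat record keyed like CommonSecurityLog."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    # Seven header fields are separated by unescaped pipes; the rest is the extension.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("incomplete CEF header")
    record = {name: _unescape(raw) for name, raw in zip(HEADER_FIELDS, parts[1:7])}
    extras = []
    for key, value in parse_extension(parts[7]).items():
        column = KEY_TO_COLUMN.get(key)
        if column:
            record[column] = value
        else:
            extras.append(f"{key}={value}")  # unmapped keys land in AdditionalExtensions
    record["AdditionalExtensions"] = ";".join(extras)
    return record


def parse_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Parse a batch of lines; a malformed line raises rather than being silently dropped."""
    return [parse_cef(line) for line in lines]


if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(rec)
```

The second sample line matters more than the first: a URL containing an escaped `=` or `|` is exactly the kind of value that naive `split("=")` parsing mangles, and a detection rule written against `RequestURL` silently misses events when the field is cut short.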

Detect Threats

It detects threats and reduces false positives by using analytics and threat intelligence drawn straight from Microsoft. Azure Analytics plays a major role in correlating alerts into incidents for the security team. It has built-in templates out of the box for creating threat detection rules and automating threat responses, and it also provides the capability to build custom rules. The four available built-in template types are below:

Microsoft Security Templates: Rules created from this template generate a real-time stream of incidents from alerts produced in other Microsoft security solutions.

Fusion Template: This template can only be used to create one rule, and it is enabled by default. It relies on the logic of Advanced Multistage Attack Detection, using scalable machine learning algorithms to correlate many low-fidelity alerts and events across different products into high-fidelity, actionable incidents.

Machine Learning Behavioral Analytics Templates: Each template of this type can be used to generate only one rule. These templates are based on proprietary Microsoft machine learning algorithms, and the user cannot see the inner workings of the template logic or when it runs.

Scheduled Templates: This is the only template type that lets users inspect the query logic and change it to suit their environment. Scheduled templates produce scheduled analytics rules built on queries developed by Microsoft; you can customize the query logic and the scheduling settings to design new rules.
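A scheduled analytics rule is a query, a run frequency, a lookback period and a threshold; the simulation below shows how those settings interact over a burst of failed sign-ins. This is an added example, not code from the article or from Microsoft: the events, the SigninLogs-style field names and the rule settings are constructed, and a Python predicate stands in for the KQL query a real rule would carry.

```python
"""Simulate a scheduled analytics rule: run a query on a fixed frequency over a
lookback period and raise an alert when a per-entity threshold is crossed.

Added example, not code from the original article or from Microsoft. The sign-in
events, rule settings and SigninLogs-style field names are constructed for the
demonstration; a real rule would express the query in KQL.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List


@dataclass
class Event:
    time: datetime
    table: str
    fields: Dict[str, str]


@dataclass
class ScheduledRule:
    name: str
    query: Callable[[Event], bool]   # stands in for the KQL filter (where ...)
    group_by: str                    # stands in for 'summarize count() by <field>'
    frequency: timedelta             # how often the rule runs
    lookback: timedelta              # query period examined on each run
    threshold: int                   # alert when count >= threshold
    severity: str = "Medium"


@dataclass
class Alert:
    rule: str
    entity: str
    count: int
    window_end: datetime
    severity: str


def run_rule(rule: ScheduledRule, events: List[Event],
             start: datetime, end: datetime) -> List[Alert]:
    """Run the rule at every scheduled tick between start and end (inclusive)."""
    alerts: List[Alert] = []
    tick = start
    while tick <= end:
        window_start = tick - rule.lookback
        counts = Counter(
            e.fields[rule.group_by] for e in events
            if window_start <= e.time < tick and rule.query(e)
        )
        for entity, n in counts.items():
            if n >= rule.threshold:
                alerts.append(Alert(rule.name, entity, n, tick, rule.severity))
        tick += rule.frequency
    return alerts


def demo() -> List[Alert]:
    """Constructed SigninLogs-style events: a burst of failures from one IP."""
    base = datetime(2024, 1, 10, 9, 0)

    def signin(minute: float, ip: str, result: str) -> Event:
        return Event(base + timedelta(minutes=minute), "SigninLogs",
                     {"IPAddress": ip, "ResultType": result,
                      "UserPrincipalName": "alice@example.test"})

    events = [signin(m, "203.0.113.5", "50126") for m in (0, 1, 2, 3, 3, 4)]  # wrong password
    events += [signin(m, "198.51.100.9", "50126") for m in (1, 2)]           # below threshold
    events.append(signin(6, "203.0.113.5", "0"))                              # later success

    rule = ScheduledRule(
        name="Multiple failed sign-ins from one IP",
        query=lambda e: e.table == "SigninLogs" and e.fields["ResultType"] != "0",
        group_by="IPAddress",
        frequency=timedelta(minutes=5),
        lookback=timedelta(minutes=5),
        threshold=5,
    )
    return run_rule(rule, events, base + timedelta(minutes=5), base + timedelta(minutes=15))


if __name__ == "__main__":
    for a in demo():
        print(f"[{a.severity}] {a.rule}: {a.entity} ({a.count} events up to {a.window_end:%H:%M})")
```

The lookback should be at least as long as the frequency, otherwise events that arrive between two runs are never examined; a lookback longer than the frequency makes windows overlap, so the same burst can be counted on consecutive runs, which is one reason to group the resulting alerts into a single incident rather than tune the threshold alone.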

Investigate Suspicious Activities

It can investigate and hunt for suspicious activities across the environment. It helps reduce noise and hunt for security threats based on the MITRE framework, and it uses artificial intelligence to proactively identify threats against the protected assets before an alert is triggered. When you use it for hunting and investigation, you can make use of the following capabilities:

Built-in Queries: These are developed by Microsoft and help you become familiar with the tables and the query language. You can also create new queries and fine-tune existing ones to improve your ability to detect threats.

Powerful Query Language with Intelligence: This is built on an existing query language that gives you the flexibility you need to take your hunting beyond its current limits.

Create Bookmarks: You can bookmark the discoveries you make during a hunt so that you can return to them later and create an incident for further investigation.

Use Notebooks to Automate Investigation: Notebooks resemble a step-by-step manual, much like playbooks, that you create to keep track of the steps involved in an investigation or hunt. They capture all the aspects of the hunting process in a reusable form that can be shared with other members of the organization.

Query Stored Data: The information associated with and generated by Azure Sentinel is available in table form and can be easily queried.

Community Links: The Azure Sentinel GitHub community is the best place to find additional queries and data sources.


Respond to Incidents

It can respond quickly to incidents using the orchestration built into the system, and routine, repetitive tasks can easily be converted into automation. It can be used to build simple security orchestration with playbooks, and it can create tickets in ServiceNow, Jira, etc. whenever an event occurs.

What are the main elements?

There are nine significant components in Azure Sentinel.

Dashboards: Azure Sentinel includes dashboards that visualize the data gathered from different data sources. This enables the security team to gain insight into the events generated by those services.

Cases: A collection of all evidence relevant to a particular investigation is called a case. A case includes at least one alert that is based on the analytics configured for the client.

Hunting: Hunting is an essential component for security analysts and threat analysts. It is responsible for carrying out proactive threat analysis across the whole environment to analyze and detect security threats. KQL (Kusto Query Language) enhances the searching capabilities. Thanks to its machine learning capabilities, it is able to detect suspicious behaviors, for example abnormal traffic and data patterns in firewalls, suspicious authentication patterns, and anomalies in resource creation.

Notebooks: Notebooks broaden the scope of what can be done with the collected data through a pre-built integration with Jupyter Notebooks, which come with a built-in collection of modules and libraries for machine learning, embedded visualization, and data analysis.

Data Connectors: Built-in connectors are included to allow data transfer from Microsoft products and solutions and from partner solutions.

Playbooks: Playbooks are collections of actions to execute in response to an alert trigger. They rely on Azure Logic Apps, so users benefit from the flexibility, customization options and built-in templates of Logic Apps. Playbooks automate and manage workflows and can be configured to run manually or automatically when certain alerts are triggered.

Analytics: Analytics permits users to make custom alerts using Kusto Query Language (KQL).

Community: The Azure Sentinel Community page on GitHub has detections based on different data sources. Users can use them to create alerts and respond to threats in their environment. The community page also has sample hunting queries, security playbooks, and other artifacts.

Workspace: A workspace, or Log Analytics workspace, is a container that holds data and configuration information. Azure Sentinel uses this container to store data from the various data sources. You can create a fresh workspace or use an existing one to store the data, but it helps to have a dedicated workspace, because alert rules and investigations do not operate across different workspaces.

A Log Analytics workspace provides these features:

The location of data storage.

Data isolation is achieved through giving access rights to various users according to Log Analytics’ recommended design methods for workspaces.

The ability to set configuration options such as retention, pricing tier, and data capping.

How do you deploy it?

It uses the Role-Based Access Control (RBAC) authorization model, which allows administrators to set the level of access according to different requirements and permissions. It comes with three roles.

Reader: Users assigned to this role can look at the data and incidents but not make changes.

Responder: Users in this role can view incidents and data and perform some actions on incidents, for example assigning another user to handle the incident or changing its severity.

Contributor: Users in this role are able to view incidents and data, perform specific actions to the incidents and even create or edit analytic rules.

To deploy it, you need Contributor rights on the subscription in which the Azure Sentinel workspace is located. To give different teams access based on the work they do, use the RBAC model to grant the appropriate permissions to the different groups.

How does it differ from Azure Security Center?

Azure Security Center is a cloud-based workload protection platform that targets the particular requirements of server workload protection in today's hybrid data center designs. In contrast, Azure Sentinel is a cloud-native SIEM that examines event data in real time to help detect targeted security breaches and attacks, and that collects, stores, investigates and responds to security events.

What is Azure Security Center?

In simpler terms, Azure Security Center deals with the configuration of your Azure assets based on best practices. It is responsible for identifying bad actors and stopping unauthorized access to your data. If you wish to deploy Azure Security Center and Azure Sentinel at the same time, be sure not to use the default workspace created by Azure Security Center for Azure Sentinel, since Azure Sentinel cannot be enabled on that default workspace.

How do you find Security Threats?

When you use Azure Sentinel, there are four different ways of searching for security threats.

Jupyter Notebooks for Hunting: Using Jupyter Notebooks for the hunt extends what can be examined in the gathered data. The Kqlmagic library provides the features needed to run Azure Sentinel queries directly in notebooks. Azure Notebooks is an integrated Jupyter Notebook environment for Azure that can be used to store, share and execute notebooks.

Bookmarks for Hunting: Bookmarks save the queries you ran and their results. You can also add notes and tags to your bookmarks for reference. The HuntingBookmark table in your Log Analytics workspace lets you search bookmark information and join it with other data sources, making it easier to find supporting evidence.

Livestream for Hunting: Hunting Livestream lets you create interactive sessions in which you can:

Create new queries and test them as the events happen.

Be notified of threats that occur.

Start investigations that involve an asset such as a host or user.

Livestream sessions are created with any Log Analytics queries.

Manage hunting and Livestream queries using the REST API: The Log Analytics REST API lets you manage hunting and Livestream queries. Queries created this way appear in the Azure Sentinel UI.
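Managing a hunting query through the REST API means saving it into the workspace as a saved search with the right category and tags. The following is an added example, not code from the article or from Microsoft: it builds the request without sending it; the savedSearches resource path, the api-version value and the body field names are what I know from the Azure REST reference for Microsoft.OperationalInsights and should be checked against the current reference before use; the subscription id, resource group, workspace name, query id and bearer token are placeholders; and the tactic names are the MITRE ATT&CK tactics Sentinel accepts in its tactics tag.

```python
"""Build the ARM REST call that saves a hunting query into a Log Analytics
workspace so it appears under Azure Sentinel's Hunting blade.

Added example, not code from the original article or from Microsoft. Nothing is
sent. API_VERSION, the savedSearches path and the body field names are assumed
from the Azure REST reference and should be verified before use.
"""
import json
import urllib.request
from typing import Dict, List

API_VERSION = "2020-08-01"  # assumed savedSearches API version
BASE = "https://management.azure.com"

# MITRE ATT&CK enterprise tactics in the spelling used by Sentinel's tactics tag.
KNOWN_TACTICS = {
    "Reconnaissance", "ResourceDevelopment", "InitialAccess", "Execution",
    "Persistence", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess",
    "Discovery", "LateralMovement", "Collection", "CommandAndControl",
    "Exfiltration", "Impact",
}


def validate_tactics(tactics: List[str]) -> List[str]:
    """Return the tactic names that would not be recognised."""
    return [t for t in tactics if t not in KNOWN_TACTICS]


def hunting_query_url(subscription_id: str, resource_group: str,
                      workspace: str, query_id: str) -> str:
    """Resource URL of the saved search; query_id is chosen by the caller."""
    return (f"{BASE}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/savedSearches/{query_id}?api-version={API_VERSION}")


def hunting_query_body(display_name: str, query: str, description: str,
                       tactics: List[str]) -> Dict:
    """A saved search becomes a hunting query through its category and tags."""
    unknown = validate_tactics(tactics)
    if unknown:
        raise ValueError(f"unknown tactics: {unknown}")
    return {
        "properties": {
            "category": "Hunting Queries",
            "displayName": display_name,
            "query": query,
            "version": 2,
            "tags": [
                {"name": "description", "value": description},
                {"name": "tactics", "value": ",".join(tactics)},
            ],
        }
    }


def build_request(token: str, url: str, body: Dict) -> urllib.request.Request:
    """PUT creates or replaces the saved search; token is an ARM bearer token."""
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Placeholder identifiers; replace with your own subscription, group and workspace.
    url = hunting_query_url("<subscription-id>", "rg-soc", "law-sentinel", "rare-parent-process")
    body = hunting_query_body(
        "Rare parent process",
        "SecurityEvent | where EventID == 4688 "
        "| summarize count() by ParentProcessName | where count_ < 5",
        "Parent process names seen fewer than five times in the period",
        ["Execution", "DefenseEvasion"],
    )
    req = build_request("<bearer-token>", url, body)
    print(req.get_method(), req.full_url)
    print(json.dumps(body, indent=2))
    # urllib.request.urlopen(req) would submit it; omitted so the example stays offline.
```

Validating the tactics before the call is worth the few lines: a hunting query saved with a misspelled tactic still lands in the workspace but is filed under the wrong heading, or no heading, in the Hunting blade, where nobody looks for it.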


Azure Sentinel is a scalable cloud-based service that helps detect, investigate and respond to the threats that are discovered. It allows users to detect potential threats earlier, and it uses machine learning to surface unusual behavior and minimize threats. IT departments also save time and money on maintenance. It lets them monitor their whole ecosystem, from the cloud to on-premises workstations and personal devices.