Az - Defender
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the Discord group or the Telegram group or follow us on Twitter @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Microsoft Sentinel
Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution on Azure.
It aggregates security data from across an organization (on-premises and cloud) into a single platform and uses built-in analytics and threat intelligence to identify potential threats. Sentinel builds on Azure services such as Log Analytics (for large-scale log storage and querying) and Logic Apps (for automated workflows), so it scales on demand and integrates with Azure's AI and automation capabilities.
In essence, Sentinel collects and analyzes logs from various sources, detects anomalies or malicious activity, and lets security teams investigate and respond to threats quickly, all through the Azure portal and without on-premises SIEM infrastructure.
Microsoft Sentinel Configuration
You start by enabling Sentinel on an Azure Log Analytics workspace (the workspace is where logs will be stored and analyzed). Below are the high-level steps to get started:
- Enable Microsoft Sentinel on a Workspace: In the Azure portal, create or use an existing Log Analytics workspace and add Microsoft Sentinel to it. This deploys Sentinel's capabilities to your workspace.
- Connect Data Sources (Data Connectors): Once Sentinel is enabled, connect your data sources using built-in data connectors. Whether it is Entra ID logs, Office 365, or even firewall logs, Sentinel begins ingesting logs and alerts automatically. This is commonly done by creating diagnostic settings on each resource that send its logs into the Log Analytics workspace Sentinel is attached to.
- Apply Analytics Rules and Content: With data flowing in, enable built-in analytics rules or create custom ones to detect threats. Use the Content Hub for pre-packaged rule templates and workbooks that jump-start your detection capabilities.
- (Optional) Configure Automation: Set up automation with playbooks to respond to incidents automatically, such as sending alerts or isolating compromised accounts, which shortens your overall response time.
Main Features
- Logs: The Logs blade opens the Log Analytics query interface, where you can dive deep into your data using Kusto Query Language (KQL). This area is crucial for troubleshooting, forensic analysis, and custom reporting. You can write and execute queries to filter log events, correlate data across different sources, and even create custom dashboards or alerts based on your findings. It's the raw data exploration center of Sentinel.
- Search: The Search tool offers a unified interface to quickly locate security events, incidents, and even specific log entries. Rather than manually navigating through multiple blades, you can type in keywords, IP addresses, or user names to instantly pull up all related events. This feature is particularly useful during an investigation when you need to quickly connect different pieces of information.
- Incidents: The Incidents section centralizes all grouped alerts into manageable cases. Sentinel aggregates related alerts into a single incident, providing context like severity, timeline, and affected resources. Within an incident, you can view a detailed investigation graph that maps out the relationship between alerts, making it easier to understand the scope and impact of a potential threat. Incident management also includes options to assign tasks, update statuses, and integrate with response workflows.
- Workbooks: Workbooks are customizable dashboards and reports that help you visualize and analyze your security data. They combine various charts, tables, and queries to offer a comprehensive view of trends and patterns. For instance, you might use a workbook to display a timeline of sign-in activities, geographic mapping of IP addresses, or the frequency of specific alerts over time. Workbooks are both pre-built and fully customizable to suit your organization's specific monitoring needs.
- Hunting: The Hunting feature provides a proactive approach to finding threats that might not have triggered standard alerts. It comes with pre-built hunting queries that align with frameworks like MITRE ATT&CK but also allows you to write custom queries. This tool is ideal for advanced analysts looking to uncover stealthy or emerging threats by exploring historical and real-time data, such as unusual network patterns or anomalous user behavior.
- Notebooks: With the Notebooks integration, Sentinel leverages Jupyter Notebooks for advanced data analytics and automated investigations. This feature allows you to run Python code directly against your Sentinel data, making it possible to perform machine learning analyses, build custom visualizations, or automate complex investigative tasks. It is particularly useful for data scientists or security analysts who need to conduct deep-dive analyses beyond standard queries.
- Entity Behavior: The Entity Behavior page uses User and Entity Behavior Analytics (UEBA) to establish baselines for normal activity across your environment. It displays detailed profiles for users, devices, and IP addresses, highlighting deviations from typical behavior. For example, if a normally low-activity account suddenly exhibits high-volume data transfers, this deviation will be flagged. This tool is critical for identifying insider threats or compromised credentials based on behavioral anomalies.
- Threat Intelligence: The Threat Intelligence section allows you to manage and correlate external threat indicators (such as malicious IP addresses, URLs, or file hashes) with your internal data. By integrating with external intelligence feeds, Sentinel can automatically flag events that match known threats. This helps you quickly detect and respond to attacks that are part of broader, known campaigns, adding another layer of context to your security alerts.
- MITRE ATT&CK: In the MITRE ATT&CK blade, Sentinel maps your security data and detection rules to the widely recognized MITRE ATT&CK framework. This view helps you understand which tactics and techniques are being observed in your environment, identify potential gaps in coverage, and align your detection strategy with recognized attack patterns. It provides a structured way to analyze how adversaries might be attacking your environment and helps in prioritizing defensive actions.
- Content Hub: The Content Hub is a centralized repository of pre-packaged solutions, including data connectors, analytics rules, workbooks, and playbooks. These solutions are designed to accelerate your deployment and improve your security posture by providing best-practice configurations for common services (like Office 365, Entra ID, etc.). You can browse, install, and update these content packs, making it easier to integrate new technologies into Sentinel without extensive manual setup.
- Repositories: The Repositories feature (currently in preview) enables version control for your Sentinel content. It integrates with source control systems such as GitHub or Azure DevOps, allowing you to manage your analytics rules, workbooks, playbooks, and other configurations as code. This approach not only improves change management and collaboration but also makes it easier to roll back to previous versions if necessary.
- Workspace Management: Microsoft Sentinel's Workspace manager enables users to centrally manage multiple Microsoft Sentinel workspaces within one or more Azure tenants. The Central workspace (with Workspace manager enabled) can consolidate content items to be published at scale to Member workspaces.
- Data Connectors: The Data Connectors page lists all available connectors that bring data into Sentinel. Each connector is pre-configured for specific data sources (both Microsoft and third-party) and shows its connection status. Setting up a data connector typically involves a few clicks, after which Sentinel begins to ingest and analyze logs from that source. This area is vital because the quality and breadth of your security monitoring depend on the range and configuration of your connected data sources.
- Analytics: In the Analytics blade, you create and manage the detection rules that power Sentinel's alerting. These rules are essentially queries that run on a schedule (or near real-time) to identify suspicious patterns or threshold breaches in your log data. You can choose from built-in templates provided by Microsoft or craft your own custom rules using KQL. Analytics rules determine how and when alerts are generated, directly impacting how incidents are formed and prioritized.
- Watchlist: Microsoft Sentinel watchlists let you import data from external sources (for example a CSV of approved IP addresses or high-value accounts) for correlation against the events in your Sentinel environment. Once created, a watchlist can be referenced from search, detection rules, threat hunting queries, workbooks, and response playbooks.
- Automation: Automation rules allow you to centrally manage all the automation of incident handling. Automation rules streamline automation use in Microsoft Sentinel and enable you to simplify complex workflows for your incident orchestration processes.
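As an added example (not from the original page or from Microsoft), the following KQL query ties together the Analytics and Watchlist features above: it is the query body of a scheduled analytics rule that flags a password spray against Entra ID sign-ins and reports whether the spray was followed by a successful sign-in from the same IP. It assumes the Entra ID data connector populates the `SigninLogs` table and that a watchlist with the alias `AllowedIPs` and an `IPAddress` column has been created; both the watchlist name and the thresholds are assumptions you would adjust.

```kql
// Scheduled analytics rule: Entra ID password spray, with a watchlist
// of approved egress IPs excluded from the detection.
// Assumptions (not from the page): the Entra ID connector populates
// SigninLogs, and a watchlist with alias "AllowedIPs" exists that has
// an "IPAddress" column.
let lookback = 1h;           // match this to the rule's query period
let min_users = 10;          // distinct accounts targeted from one IP
let allowed = _GetWatchlist('AllowedIPs') | project IPAddress;
// Failed sign-ins with result codes typical of credential guessing:
// bad password (50126), account locked (50053), account disabled (50057).
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in ("50126", "50053", "50057")
    | where IPAddress !in (allowed);
// Successful sign-ins (ResultType "0") in the same window, used to tell
// whether the spray actually got into an account.
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | summarize SuccessfulUsers = make_set(UserPrincipalName, 10),
                FirstSuccess = min(TimeGenerated)
        by IPAddress;
failures
| summarize FailedAttempts = count(),
            DistinctUsers = dcount(UserPrincipalName),
            TargetedUsers = make_set(UserPrincipalName, 50),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IPAddress
| where DistinctUsers >= min_users
// leftouter keeps sprays with no success; those rows get a null FirstSuccess
| join kind=leftouter successes on IPAddress
| extend Outcome = iff(isnotnull(FirstSuccess), "SuccessAfterSpray", "FailedOnly")
| project IPAddress, FailedAttempts, DistinctUsers, TargetedUsers,
          FirstSeen, LastSeen, SuccessfulUsers, FirstSuccess, Outcome
// In the rule wizard, map IPAddress to the IP entity and TargetedUsers to
// Account, set the query period to the same 1h as `lookback`, and use an
// alert threshold of "greater than 0" so each row becomes an alert. The
// Outcome column can then drive an automation rule (e.g. raise severity).
```

Tune `min_users` against your tenant's normal failure volume before enabling the rule, and keep the `AllowedIPs` watchlist small so it does not quietly suppress real sprays.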