Service 39

Microsoft Sentinel

SIEMSecurity

Microsoft Sentinel is a cloud-native SIEM and SOAR built on Log Analytics. It collects security signals from across the estate — Azure, other clouds, on-premises, SaaS, network devices — into one workspace, hunts for threats with KQL, and automates response with playbooks. It is the place a security team investigates and responds, as opposed to where individual services raise their own alerts.

Its power and its cost both come from data. Sentinel bills primarily on the volume of data ingested and retained, so what you connect and how you tier it drives the bill as much as the value. A Sentinel that ingests everything indiscriminately is expensive; one that ingests the right signals and tiers the rest is effective and affordable.

Data Connectors and Log Analytics

Sentinel sits on a Log Analytics workspace, and data connectors stream in logs from Microsoft services, other clouds, firewalls, identity providers, and custom sources. The workspace is the shared store that Sentinel queries — and the same store Azure Monitor uses — so the choice of what to connect is the foundation of everything Sentinel can detect. Sentinel is now generally available in the Microsoft Defender portal as part of Microsoft's unified security operations, alongside Defender XDR; the workspace remains the data store, while the standalone Azure-portal experience is being phased out.

Hunting and Analytics Rules

Analytics rules run scheduled KQL queries that raise incidents when they match — built-in rules for known attack patterns, plus custom rules you write. Proactive hunting queries let analysts search for threats that have not triggered a rule. KQL is the lingua franca: the same query language as Azure Monitor and Resource Graph, so skills transfer across the platform.

SOAR Playbooks

Playbooks are automated response workflows built on Logic Apps, triggered by incidents — isolate a host, disable a user, open a ticket, post to a channel. Automating the routine first response shortens the time from detection to containment and frees analysts for the judgment calls. This is the SOAR (orchestration and automated response) half of Sentinel.

Cost and Data Tiers

Because billing follows ingestion and retention, controlling data is controlling cost. Commitment tiers discount predictable volume; auxiliary and basic logs ingest high-volume, low-value data cheaply for search without full analytics; and not every log belongs in Sentinel at all. The first Sentinel design question is always which data earns its ingestion cost.

Microsoft Sentinel vs Defender for Cloud

Microsoft Sentinel — SIEM/SOAR across the whole estate — ingest, hunt with KQL, automate response. The investigation-and-response platform.

Defender for Cloud — Posture management and per-resource workload protection. Generates findings and alerts that often feed into Sentinel.

Common Mistakes

Ingesting every available log indiscriminately, driving the ingestion bill far past the value the data provides.
Putting high-volume, low-value telemetry into full analytics tiers instead of cheaper auxiliary or basic log tiers.
Enabling Sentinel with no analytics rules or playbooks, paying for ingestion while detection and response stay manual.
Confusing Sentinel with Defender for Cloud — a SIEM is not posture management, and you usually want both.
Setting retention longer than compliance or investigation needs, paying to keep data nobody queries.
Not connecting the highest-value sources (identity, Defender alerts, firewall) while connecting noise, so coverage has gaps where it matters.

Best Practices

Connect the highest-value signals first — identity, Defender for Cloud, network — and decide deliberately what each log is worth.
Tier data: full analytics for what you alert on, auxiliary or basic logs for high-volume search-only data.
Use commitment tiers to discount predictable ingestion volume.
Build analytics rules and playbooks so detection and first response are automated, not manual.
Set retention to what compliance and investigation actually require, no longer.
Feed Defender for Cloud alerts into Sentinel so posture findings and threat signals land in one investigation surface.

Comparable servicesAWS Security Lake / GuardDutyGCP Google Security Operations (Chronicle)

Knowledge Check

What primarily drives Microsoft Sentinel's cost?

The volume of data ingested and retained
The number of analytics rules configured
The number of named users granted workspace access
A flat per-workspace monthly subscription fee

What is the role of a Sentinel playbook?

An automated response workflow (built on Logic Apps) triggered by an incident — isolate a host, disable a user, open a ticket
A scheduled KQL query that runs on a fixed timer to detect suspicious patterns in the logs and raise new incidents for analyst triage
A data connector that continuously streams logs from a source into the Log Analytics workspace
A retention policy controlling how long ingested workspace data is kept before it is purged

How should high-volume, low-value telemetry be handled in Sentinel to control cost?

Ingest it into cheaper auxiliary or basic log tiers for search rather than full analytics
Ingest all of it into the full analytics tier right alongside the high-value security data
Increase the workspace retention period so the data ends up queried far less often
Route it through Defender for Cloud first to have it tier the telemetry cheaply instead

You got correct