This chapter covers Microsoft Sentinel, Azure's cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration Automated Response) solution. Sentinel is a core component of the Security Operations domain on the AZ-500 exam, and approximately 10-15% of exam questions touch on Sentinel deployment, data ingestion, analytics, and incident response. Mastering Sentinel is critical for passing the exam and for real-world security operations in Azure.
Jump to a section
Think of Microsoft Sentinel as a city's central security command center. Multiple buildings (cloud workloads, on-premises servers, SaaS apps) each have their own security cameras and alarm systems (data sources like Azure Activity logs, Microsoft 365 Defender, and third-party firewalls). These systems continuously stream video feeds and sensor data (logs and events) into the command center's monitoring wall (Log Analytics workspace). The command center has a team of analysts (analytics rules and automation) who watch for specific suspicious patterns—like a person entering a restricted door after hours (a sign-in from an unusual location) or a sudden spike in alarms from one building (anomalous data transfer). When an analyst spots a threat, they can instantly broadcast an alert to all security guards (incidents and alerts) and even automatically lock down the affected building (automation playbooks using Azure Logic Apps). The command center also keeps a detailed log of every alarm and action taken (workbooks and hunting queries) for later review and compliance. Just as a city command center centralizes security monitoring and response, Sentinel aggregates security data from across an enterprise, applies intelligent analytics, and enables rapid, coordinated incident response.
What is Microsoft Sentinel and Why It Exists
Microsoft Sentinel is a scalable, cloud-native SIEM and SOAR solution that provides intelligent security analytics and threat intelligence across an enterprise. It replaces traditional on-premises SIEMs like Splunk or ArcSight by leveraging Azure's elastic infrastructure and built-in AI. Sentinel collects data from any source—Azure services, Microsoft 365, on-premises systems, and third-party security tools—and centralizes it in a Log Analytics workspace for analysis.
How It Works Internally
Sentinel operates on a four-pillar architecture: Collect, Detect, Investigate, and Respond.
#### Collect
Data ingestion uses data connectors that pull logs into a Log Analytics workspace. There are over 100 built-in connectors for Microsoft sources (Azure Activity, Azure AD, Microsoft 365 Defender, Microsoft Defender for Cloud) and third-party sources (Syslog, CEF, AWS CloudTrail, etc.). Each connector maps data to specific tables (e.g., SigninLogs, SecurityEvent, CommonSecurityLog). Data can also be ingested via API or Azure Event Hubs.
#### Detect Detection is powered by analytics rules. These are Kusto Query Language (KQL) queries that run on a schedule (e.g., every 5 minutes) against the ingested data. When a query returns results that match a threshold (e.g., >5 failed logins from a single IP in 10 minutes), Sentinel creates an incident. Rules can be scheduled, Microsoft Security (built-in from Microsoft), or NRT (Near-Real-Time) for sub-minute latency.
#### Investigate Incidents are investigated using the incident management pane, which shows related alerts, entities (users, IPs, hosts), and a graphical investigation graph. Hunting queries allow proactive threat hunting using KQL, and livestream sessions let analysts monitor specific events in real time.
#### Respond Response is automated via playbooks built on Azure Logic Apps. Playbooks can trigger on incident creation or alert generation, performing actions like blocking a user, isolating a VM, or sending a Teams message. Automation rules allow simple condition-based actions without a full playbook.
Key Components, Defaults, and Timers
Log Analytics Workspace: The data store. Default retention is 30 days for interactive queries and up to 2 years for archived data (additional cost). Pricing tiers: Pay-as-you-go (~$2.30/GB ingested) and Capacity Reservations (starting at 100 GB/day).
Data Connectors: Each connector has a specific schema. Example: Azure AD connector ingests SigninLogs, AuditLogs, AADServicePrincipalSignInLogs. Default ingestion latency is 15-30 minutes for most connectors.
Analytics Rules: Default run interval is 5 minutes. Lookback period is configurable (e.g., past 1 hour). Incident creation threshold: e.g., when query results exceed 0 (any result creates incident).
Incident Status: New, Active, Closed. SLA: Sentinel automatically changes status to Active when an analyst starts investigation.
Playbooks: Execution timeout is 1 hour by default. Can be extended up to 90 days for long-running workflows.
Hunting Bookmarks: Saved queries with a 90-day retention.
Workbooks: Use Azure Workbooks (based on KQL) for dashboards. Default refresh is 5 minutes.
Configuration and Verification Commands
Sentinel is primarily configured through the Azure portal, but you can use Azure CLI or PowerShell.
Enable Sentinel on a Log Analytics workspace:
az sentinel enable --workspace-name <workspace> --resource-group <rg>List data connectors:
az sentinel data-connector list --workspace-name <workspace> --resource-group <rg>Create a scheduled analytics rule:
az sentinel alert-rule create --workspace-name <workspace> --resource-group <rg> \
--name "My Rule" --display-name "My Rule" --description "Detects X" \
--query "SecurityEvent | where EventID == 4625" --query-frequency PT5M \
--query-period PT1H --severity Medium --trigger-operator GreaterThan \
--trigger-threshold 0Verify data ingestion: Use the Log Analytics query Usage table:
Usage | where DataType == "SecurityEvent" | summarize sum(Quantity) by bin(TimeGenerated, 1h)Interaction with Related Technologies
Microsoft Defender for Cloud: Sends security alerts to Sentinel via the built-in connector. Defender for Cloud's workload protection plans (servers, SQL, storage) feed into Sentinel.
Microsoft 365 Defender: Integrates incidents and alerts from Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps.
Azure AD: Identity logs (sign-ins, audits) are ingested via the Azure AD connector. Sentinel can trigger playbooks to disable compromised accounts.
Azure Policy: Can enforce deployment of Sentinel and data connectors across subscriptions.
Azure Logic Apps: Powers playbooks. Each playbook is a Logic App workflow with Sentinel-specific triggers (e.g., 'When a response to an Azure Sentinel incident is triggered').
Azure Event Hubs: Used for high-throughput data ingestion from external sources (e.g., AWS CloudTrail).
Deploy Sentinel and Connect Data Sources
First, create or select a Log Analytics workspace in the Azure portal. Enable Microsoft Sentinel on that workspace (this doesn't create a new resource, it enables the Sentinel solution). Then, configure data connectors from the Sentinel 'Data connectors' blade. For example, to ingest Azure Activity logs, select the 'Azure Activity' connector and click 'Open connector page' then 'Connect'. Each connector has specific prerequisites; e.g., the Azure AD connector requires Azure AD Premium P2 licenses. Verify connection status shows 'Connected' and data starts flowing within 15-30 minutes.
Create Analytics Rules for Detection
Navigate to 'Analytics' in Sentinel. Click 'Create' and select 'Scheduled query rule'. Define a rule name, description, and severity. Write a KQL query, e.g., `SigninLogs | where ResultType != 0 | summarize Count = count() by IPAddress, UserPrincipalName | where Count > 5`. Set the query frequency (e.g., every 5 minutes) and lookback period (e.g., 1 hour). Configure incident creation: set 'Create incident from alerts triggered by this rule' to 'Enabled'. Optionally, group alerts into a single incident by entity (e.g., by IP). Review and create. The rule will now run on schedule and generate incidents when threshold is exceeded.
Investigate Incidents in the Incident Queue
When an alert triggers an incident, it appears in the 'Incidents' blade with status 'New'. Click on an incident to view details: title, severity, status, owner, and related entities. Use the 'Investigate' button to open the investigation graph, which shows a visual map of entities and connections (e.g., user -> IP -> host). You can add bookmarks, run hunting queries, and collect evidence. To assign the incident, change the owner. To track progress, change status to 'Active'. Add comments and tags for collaboration.
Automate Response with Playbooks
Create a playbook by going to 'Automation' > 'Playbooks' > 'Add playbook'. This opens Logic Apps designer. Choose the Sentinel trigger: 'When a response to an Azure Sentinel incident is triggered'. Then add actions, e.g., 'Block user' (using Azure AD connector), 'Send email' (Office 365), or 'Isolate VM' (Azure Automation). Save and associate the playbook with an automation rule: go to 'Automation' > 'Create' > 'Automation rule'. Define conditions (e.g., severity = High) and action (run playbook). The automation rule will execute the playbook automatically when an incident meets the conditions.
Proactive Threat Hunting with KQL
Use the 'Hunting' blade to run proactive queries. Sentinel includes a library of built-in hunting queries (e.g., 'Anomalous logon activity'). Select a query and click 'Run Query' to see results in Log Analytics. If you find suspicious activity, you can 'Add bookmark' to save the query results for later investigation. You can also create a 'livestream' session to monitor real-time events. For custom hunting, write your own KQL queries and save them as bookmarks. Hunting queries do not generate alerts; they are manual investigations.
Scenario 1: Enterprise SOC for a Large Financial Institution
A bank with 50,000 employees uses Sentinel to centralize logs from Azure, on-premises Active Directory, and custom banking apps. They ingest ~5 TB of data per day across multiple Log Analytics workspaces (one per region). They use capacity reservation at 1 TB/day to reduce costs. Their SOC team of 20 analysts uses Sentinel's incident queue to triage ~500 incidents daily. They have 50 analytics rules, including custom rules for wire transfer anomalies. Automation rules trigger playbooks that block compromised accounts in Azure AD and send Slack notifications to the fraud team. A common misconfiguration: they initially set all analytics rules to create incidents for every single alert, overwhelming the SOC. They later tuned rules to group alerts by entity and increased thresholds.
Scenario 2: Managed Security Service Provider (MSSP)
An MSSP monitors security for 200 small-to-medium customers. They deploy Sentinel in a central Azure tenant and use Azure Lighthouse to manage each customer's Sentinel workspace from a single pane. They ingest ~100 GB/day per customer. They use built-in analytics rules from the Sentinel content hub to provide baseline detection. For each customer, they deploy a standard set of playbooks that isolate compromised VMs and notify the customer's IT team. Performance consideration: they need to ensure each workspace has sufficient retention and that cross-workspace queries (using workspace()) are optimized. Common pitfall: failing to properly scope automation rules to specific customers, causing playbooks to run on the wrong workspace.
Scenario 3: Retail Company with Cloud and SaaS
A retailer uses Microsoft 365, Azure, and AWS. They use Sentinel to ingest Office 365 audit logs, Azure AD sign-ins, and AWS CloudTrail logs via Event Hubs. They have a custom analytics rule that detects brute-force attacks by correlating failed sign-ins from multiple sources. They use Sentinel's UEBA (User and Entity Behavior Analytics) to detect insider threats, such as an employee downloading large amounts of data before resignation. When misconfigured, they saw high false positives from UEBA because they didn't exclude service accounts. They resolved it by creating watchlists of known safe accounts.
AZ-500 Exam Focus on Microsoft Sentinel (Objective 4.2)
The exam tests your ability to configure and manage Sentinel for security operations. Key areas include: - Data Connectors: Know which connectors are built-in and what data they ingest. Expect questions on Azure Activity, Azure AD, Microsoft 365 Defender, and Windows Security Events. - Analytics Rules: Understand the difference between Scheduled, Microsoft Security, and NRT rules. Know that scheduled rules run on a frequency (default 5 min) and lookback period. The exam may ask about incident creation thresholds and grouping. - Incident Management: Know the incident statuses (New, Active, Closed) and that assignment changes status to Active. Understand that SLA is not a timer but a status change. - Playbooks and Automation: Recognize that playbooks are Logic Apps. Automation rules can trigger playbooks based on conditions. Know that playbooks can be incident triggers or alert triggers. - Hunting and Livestream: Hunting queries are manual; livestream is real-time monitoring. Bookmarks save query results.
Common Wrong Answers: 1. "Sentinel requires a separate Log Analytics workspace." Actually, Sentinel is enabled on an existing workspace; it does not create a new one. 2. "Playbooks are run directly within Sentinel." No, they are Azure Logic Apps that run in a separate resource group. 3. "All analytics rules run in near-real-time." Only NRT rules have sub-minute latency; scheduled rules have a minimum 5-minute frequency. 4. "Data retention is fixed at 90 days." Default is 30 days for interactive; archived data can be retained up to 2 years.
Specific Numbers and Terms:
- Default query frequency: PT5M (5 minutes)
- Default incident severity levels: Low, Medium, High, Informational
- Data connector names: Azure Activity, Azure AD, Windows Security Events via AMA (Azure Monitor Agent)
- KQL operators used in rules: summarize, where, extend, project, join
- Automation rule conditions: severity, status, name, tag, etc.
Edge Cases: - The exam may ask about cross-tenant data ingestion using Azure Lighthouse. - You may need to know that Sentinel can be deployed in government clouds (Azure Government) but with limited connectors. - Questions about cost: data ingestion costs are based on Log Analytics pricing; Sentinel itself is free but data ingestion is not.
How to Eliminate Wrong Answers: - If an answer says "create a new workspace," it's likely wrong because Sentinel reuses an existing workspace. - If an answer mentions "real-time" for scheduled rules, it's wrong; only NRT is near-real-time. - If an answer says "playbooks are stored in Sentinel," it's wrong; they are Logic Apps in Azure.
Sentinel is a cloud-native SIEM built on Log Analytics; it does not require a separate database.
Data connectors are the primary method to ingest logs; over 100 built-in connectors available.
Scheduled analytics rules run at a configurable frequency (default 5 min) and create incidents based on query results.
Playbooks are Azure Logic Apps and are used for automated response; they can be triggered by incidents or alerts.
Hunting queries are manual KQL queries for proactive threat detection; they do not generate incidents automatically.
Incident statuses: New, Active, Closed. Changing status to Active occurs when an analyst starts working on it.
Default data retention is 30 days for interactive queries; archived data can be retained up to 2 years.
Sentinel pricing is based on data ingestion volume into Log Analytics (pay-as-you-go or capacity reservations).
Automation rules allow simple condition-based actions without a full playbook (e.g., change severity, assign owner).
UEBA (User and Entity Behavior Analytics) is built-in and can detect anomalous behavior based on historical baselines.
These come up on the exam all the time. Here's how to tell them apart.
Scheduled Analytics Rule
Runs on a schedule, minimum 5-minute frequency.
Uses KQL query with a lookback period (e.g., past 1 hour).
Best for batch processing and threshold-based detection.
Incident creation can be configured with grouping by entity.
Lower cost because it queries data less frequently.
NRT (Near-Real-Time) Analytics Rule
Runs continuously with sub-minute latency (typically <1 minute).
Uses a simplified KQL query without lookback period (current data only).
Best for real-time detection of urgent threats (e.g., multiple failed logins in seconds).
Incidents are created per alert; no grouping option.
Higher cost due to constant querying.
Mistake
Microsoft Sentinel is a standalone service that requires a dedicated subscription.
Correct
Sentinel is enabled on an existing Log Analytics workspace within any subscription. It does not create a new resource; it adds the Sentinel solution to the workspace.
Mistake
All analytics rules in Sentinel run in real-time.
Correct
Only NRT (Near-Real-Time) rules run with sub-minute latency. Scheduled rules have a minimum frequency of 5 minutes. Microsoft Security rules run when the source service generates an alert.
Mistake
Playbooks are executed within Sentinel's infrastructure.
Correct
Playbooks are Azure Logic Apps that run in the Logic Apps runtime. They are triggered by Sentinel but execute independently in the Logic Apps service.
Mistake
Sentinel data retention is fixed at 90 days for all data.
Correct
Default interactive retention is 30 days. You can extend to up to 2 years with archived data (additional cost). Some tables may have different defaults (e.g., 90 days for some security tables).
Mistake
You cannot ingest data from on-premises sources into Sentinel.
Correct
Sentinel supports on-premises data via the Azure Monitor Agent (AMA) or legacy Log Analytics agent. You can also use Syslog or CEF connectors to forward logs from on-premises firewalls and servers.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Sentinel is a SIEM/SOAR that aggregates logs from multiple sources (including Defender for Cloud) and provides advanced analytics, hunting, and automation. Defender for Cloud is a Cloud Security Posture Management (CSPM) and workload protection platform that focuses on securing Azure, hybrid, and multi-cloud workloads. Defender for Cloud sends security alerts to Sentinel via a connector, but Sentinel is not required for Defender for Cloud to function. On the exam, remember that Sentinel is for centralized security operations, while Defender for Cloud is for cloud security posture and threat protection.
No, Sentinel requires a Log Analytics workspace. When you enable Sentinel, you select an existing workspace or create a new one. The workspace stores all ingested data and is where queries run. You can have multiple Sentinel workspaces, but each must be in a separate Log Analytics workspace. For the exam, know that Sentinel is an overlay on Log Analytics.
Costs are driven by data ingestion. To reduce costs: use capacity reservations (commit to a minimum daily ingestion for a discount), filter out unnecessary logs before ingestion (e.g., exclude informational events), use basic logs tier for verbose data (lower cost but limited query capabilities), and set appropriate data retention (archive older data). Also, avoid running unnecessary analytics rules frequently. The exam may ask about cost optimization strategies.
An alert is a single trigger from an analytics rule (a query match). An incident is a collection of related alerts that Sentinel groups together based on entities (e.g., same user or IP). Incidents are the main unit of investigation. You can configure analytics rules to create incidents directly or group alerts into incidents. On the exam, understand that incidents are what SOC analysts work on, not individual alerts.
Install the Azure Monitor Agent (AMA) on the Windows server. Then, configure a data collection rule (DCR) to collect Windows Security Events (e.g., Event ID 4625). In Sentinel, use the 'Windows Security Events via AMA' connector to ingest the logs. Alternatively, you can use the legacy Log Analytics agent (deprecated). For the exam, know that AMA is the recommended agent.
Yes, Sentinel can ingest logs from AWS (CloudTrail, VPC Flow Logs) via Azure Event Hubs or the AWS connector. For GCP, you can use the GCP Security Command Center connector or custom ingestion. The exam may ask about ingesting AWS CloudTrail logs; the process involves sending logs to an S3 bucket, then to Event Hubs, and finally to Sentinel.
A watchlist is a collection of known indicators (e.g., malicious IPs, compromised accounts) stored as a CSV file in Sentinel. You can use watchlists in analytics rules and hunting queries by referencing the `_GetWatchlist('watchlistname')` function. For example, to alert on sign-ins from known malicious IPs. On the exam, watchlists are a way to incorporate threat intelligence feeds.
You've just covered Microsoft Sentinel SIEM — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?