This chapter covers Microsoft Sentinel, Azure's cloud-native Security Information and Event Management (SIEM) solution. Understanding Sentinel is critical for the AZ-900 exam as it represents a key component of Azure's security portfolio under the 'Azure Architecture Services' domain (Objective 2.5). While questions on Sentinel are not the most heavily weighted, they appear regularly, and the exam expects you to know its purpose, key features, and how it differs from other security services. Master this topic to secure easy points on exam day.
Jump to a section
Imagine you run a large office building with hundreds of employees, visitors, and vendors. To keep the building secure, you install security cameras everywhere—hallways, stairwells, server rooms, parking lots, and even the break room. Each camera records video 24/7 and stores it locally on its own hard drive. If something suspicious happens, you have to physically go to each camera's storage location, remove the hard drive, and play back the footage to find the incident. This is like traditional SIEM: each security device (firewall, server, workstation) generates logs and stores them locally. Now imagine a smarter system: all cameras stream their video to a central cloud video hub that uses artificial intelligence to analyze the footage in real time. It automatically detects unusual behavior—like someone entering a restricted door after hours—and alerts you immediately. It also correlates events across cameras: it notices that the same person who entered the server room also logged into a workstation 10 minutes earlier. That is Microsoft Sentinel. It ingests security logs from all your Azure and on-premises resources into a central Azure Log Analytics workspace, applies built-in and custom analytics rules to detect threats, and provides a unified dashboard for investigation and response. The mechanism is identical: log ingestion, analytics, alerting, and investigation—all in one cloud-native SIEM.
What is Microsoft Sentinel and What Business Problem Does It Solve?
Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution. It helps organizations detect, investigate, and respond to security threats across their entire digital estate—including on-premises, Azure, and other clouds. The core business problem it solves is the overwhelming volume of security alerts and log data that security teams face. Without a centralized SIEM, analysts would have to manually check logs from firewalls, servers, endpoints, and applications, which is slow and error-prone. Sentinel ingests all that data into one place, uses analytics to filter out noise, and surfaces only the most critical threats.
How It Works – Step by Step Mechanism
Data Ingestion: Sentinel connects to various data sources using built-in connectors. These sources include Azure services (e.g., Azure AD, Azure Activity Log, Azure Security Center), Microsoft 365 (e.g., Office 365, Microsoft Teams), and third-party solutions (e.g., AWS CloudTrail, Cisco, Palo Alto). Data is sent to a Log Analytics workspace, which acts as the central repository.
Data Storage and Normalization: All ingested logs are stored in tables within the Log Analytics workspace. Sentinel normalizes the data into a common schema (e.g., CommonSecurityLog for firewall logs) so that analytics can run across different sources seamlessly.
Analytics and Threat Detection: Sentinel includes built-in analytics rules that use machine learning, behavioral analytics, and threat intelligence to detect suspicious activities. For example, a rule might detect multiple failed logins followed by a successful login from an unusual location. You can also create custom rules using Kusto Query Language (KQL).
Incident Creation: When an analytics rule triggers, Sentinel creates an incident. An incident is a collection of related alerts that together represent a potential security breach. Incidents are prioritized by severity (Informational, Low, Medium, High).
Investigation and Response: Security analysts use the Sentinel dashboard to investigate incidents. They can explore entities (users, IPs, machines) and see related events. Sentinel also provides built-in playbooks (automated workflows) that can run automatically or manually to respond to threats—for example, blocking an IP address or disabling a compromised user account.
Key Components, Tiers, and Pricing
Log Analytics Workspace: The foundation. Each Sentinel instance is tied to a workspace. You pay for data ingestion (GB/month) and data retention (default 31 days, up to 2 years for interactive retention, and long-term retention at lower cost).
Data Connectors: Pre-built connectors for Azure, Microsoft, and third-party sources. Some connectors require additional licensing (e.g., Azure AD P1/P2 for certain logs).
Analytics Rules: Templates for detection. Built-in rules are free; custom rules incur compute costs based on the amount of data processed.
Incidents and Alerts: Incidents are the primary work item. Alerts are individual detections that can be grouped into incidents.
Workbooks: Interactive dashboards built on KQL queries for visualization.
Playbooks: Automated response workflows built on Azure Logic Apps. Each execution of a playbook incurs Logic Apps costs.
Threat Intelligence: Integrates with Microsoft and third-party threat intelligence feeds to enrich detection.
Pricing is consumption-based: you pay for data ingestion (about $2.50/GB for the first 10 GB, then lower tiers) plus separate charges for Logic Apps (playbooks) and extended retention. There is no upfront cost.
Comparison to On-Premises SIEM
Traditional on-premises SIEM solutions (like Splunk on-prem or IBM QRadar) require you to provision and manage servers, storage, and networking. Scaling involves buying more hardware. They also require manual updates and maintenance. In contrast, Sentinel is fully managed by Microsoft—no infrastructure to maintain. Scaling is automatic: you just send more data and pay for it. Sentinel also integrates natively with Azure and Microsoft 365, reducing complexity. However, on-premises SIEMs may offer more customization in certain areas (like custom parsers) and may be preferred for air-gapped environments with no cloud connectivity.
Azure Portal and CLI Touchpoints
Portal: Navigate to 'Azure Sentinel' in the portal. From there, you can add data connectors, create analytics rules, view incidents, and set up playbooks. The portal is the primary management interface.
CLI: You can use Azure CLI to manage Sentinel resources, though the CLI is less feature-rich. Example commands:
# Create a Log Analytics workspace
az monitor log-analytics workspace create --resource-group myRG --workspace-name sentinel-workspace --location eastus
# Enable Sentinel on the workspace (this is actually done via the portal, but you can use ARM templates)
az deployment group create --resource-group myRG --template-file sentinel-deploy.jsonPowerShell: Similar to CLI, you can use Az PowerShell modules to manage workspaces and connectors.
ARM/Bicep: You can deploy Sentinel via ARM templates or Bicep files, enabling infrastructure-as-code.
Concrete Business Scenarios
**Scenario 1: A multinational corporation wants to monitor for insider threats across its Azure and Office 365 environment. They enable Sentinel, connect Azure AD and Office 365 logs, and use the built-in 'Anomalous sign-in' analytics rule. When an employee signs in from a new location at an unusual time, Sentinel creates an incident. The security team investigates and uses a playbook to force a password reset.
**Scenario 2: A healthcare organization needs to comply with HIPAA by monitoring access to patient data. They use Sentinel to ingest logs from Azure SQL Database and on-premises firewalls. They create custom analytics rules to detect unusual query patterns. Sentinel also integrates with Microsoft 365 audit logs to track document access.
**Scenario 3: A gaming company experiences frequent DDoS attacks. They use Sentinel to correlate Azure DDoS Protection alerts with network traffic logs. They set up a playbook that automatically triggers Azure DDoS Protection scaling and notifies the team via Teams.
Create a Log Analytics Workspace
First, you need a Log Analytics workspace in your Azure subscription. This workspace is the container for all Sentinel data. You can create it via the portal, CLI, or ARM. Important defaults: choose a region close to your data sources to minimize latency and egress costs. The workspace has a retention setting (default 31 days) that you can adjust. Note: Sentinel can only be enabled on a workspace that is in a supported region (most regions are supported). Once the workspace exists, you enable Sentinel by selecting it in the portal and clicking 'Enable'.
Connect Data Sources Using Connectors
After enabling Sentinel, the next step is to bring in data. Go to 'Data connectors' in the Sentinel blade. You'll see a gallery of connectors for Azure services (e.g., Azure Activity, Azure AD, Azure Firewall), Microsoft services (e.g., Office 365, Microsoft Defender), and third-party solutions (e.g., AWS, Cisco, Palo Alto). Click on a connector, read the instructions, and click 'Open connector page'. For Azure services, you typically just need to enable streaming; for third-party, you may need to install an agent or configure syslog. Each connector has a status indicator showing if data is being received.
Create or Enable Analytics Rules
Analytics rules define what threats to look for. Sentinel provides a library of built-in rule templates covering common threats like brute force, malware, and suspicious sign-ins. You can enable these directly from the 'Analytics' blade. For custom detection, click 'Create' and choose 'Scheduled query rule'. Write a KQL query, set the frequency (how often to run), and define alert details. Example: a rule that runs every 5 minutes, queries for failed logins > 10 in 5 minutes from a single IP, and creates an alert. You can also set incident grouping to combine related alerts into one incident.
Investigate Incidents in the Dashboard
When an analytics rule triggers, an incident appears in the 'Incidents' blade. Incidents have a severity level, title, and description. Click on an incident to see full details: related alerts, entities (users, IPs, machines), and timeline. Use the investigation graph to visually explore relationships between entities. You can assign the incident to an analyst, add comments, and change status. The goal is to determine if the incident is a true positive, false positive, or requires further action. Sentinel also provides built-in workbooks for common investigations.
Automate Response with Playbooks
Playbooks automate responses to incidents. They are built on Azure Logic Apps and can be triggered automatically when an incident is created or manually by an analyst. To create a playbook, go to 'Automation' > 'Playbooks' and click 'Add'. You design a workflow using Logic Apps designer—common actions include sending email, creating a ticket in ServiceNow, blocking an IP in Azure Firewall, or disabling a user in Azure AD. Playbooks can also include conditions and loops. Each playbook execution incurs Logic Apps costs. Test the playbook before attaching it to an automation rule.
Real-World Business Scenarios
Scenario 1: Retail chain with hybrid infrastructure A retail company with hundreds of stores uses a mix of on-premises servers, Azure VMs, and Office 365. They need to detect point-of-sale (POS) malware and insider data theft. They deploy Sentinel and connect Azure AD, Office 365 audit logs, and on-premises Windows Event logs via the Log Analytics agent. They enable the built-in 'Suspicious process execution' rule. One day, Sentinel detects a process on a store server that is communicating with an unknown external IP. An incident is created, and the playbook automatically isolates the server from the network and sends an alert to the store manager. The security team investigates and finds a POS malware variant. The incident is resolved in minutes instead of hours.
Scenario 2: Financial services compliance A bank must comply with PCI DSS and SOX by monitoring all access to financial data. They use Sentinel to ingest logs from Azure SQL Database, Azure Key Vault, and on-premises file servers. They create custom analytics rules to detect unusual query patterns (e.g., a user downloading thousands of records). Sentinel also integrates with their SIEM tool for legacy systems. The bank sets up a playbook that triggers when a 'high severity' incident is created, automatically opening a ticket in their ITSM system and sending a message to the compliance team. They also use workbooks to generate monthly compliance reports. When an employee accidentally accesses a restricted database, Sentinel detects it and the playbook revokes their access temporarily, preventing a potential breach.
Scenario 3: SaaS provider defending against DDoS A SaaS company hosts its application on Azure and is frequently targeted by DDoS attacks. They use Azure DDoS Protection Standard and Sentinel. They connect Azure DDoS Protection logs and Azure Firewall logs to Sentinel. They create an analytics rule that correlates a spike in incoming traffic with a sudden increase in failed connections. When a DDoS attack is detected, a playbook automatically scales out the application instances and notifies the operations team via Teams. Sentinel also provides a workbook that visualizes attack patterns over time. One misconfiguration: if the analytics rule is too sensitive, it might trigger false positives during legitimate traffic spikes (e.g., product launch). The team must tune the rule threshold to avoid alert fatigue.
Common pitfalls: (1) Not enabling enough data connectors—you miss threats. (2) Using default retention (31 days) for compliance requiring longer retention. (3) Underestimating costs due to high log volume—set budgets and cost alerts. (4) Not tuning analytics rules, leading to too many false positives or missed detections.
Exam Focus for AZ-900 Objective 2.5
What AZ-900 Tests: The exam asks about Microsoft Sentinel under the 'Azure Architecture Services' domain, specifically Objective 2.5: 'Describe identity, governance, privacy, and compliance features'. You need to know: (1) Sentinel is a cloud-native SIEM/SOAR solution. (2) It ingests data from multiple sources including Azure, on-premises, and other clouds. (3) It uses analytics to detect threats and can automate responses. (4) It is built on Azure Log Analytics workspaces. (5) It is a PaaS (Platform as a Service) offering—no infrastructure management.
Common Wrong Answers and Why: 1. 'Sentinel is an on-premises SIEM' – Wrong because Sentinel is cloud-native. Candidates confuse it with traditional SIEMs. 2. 'Sentinel is a firewall' – No, it's a SIEM. Firewalls block traffic; Sentinel detects and responds to threats. 3. 'Sentinel replaces Azure Security Center' – Wrong. They complement each other. Security Center provides unified security management, while Sentinel is for advanced threat detection and response. 4. 'Sentinel requires a separate agent on every VM' – While you can use agents to collect logs, Sentinel also collects data via connectors without agents (e.g., Azure Activity Log, Office 365). 5. 'Sentinel is free' – No, it is consumption-based (pay for data ingestion and Logic Apps).
Specific Terms and Values: Know that Sentinel uses Kusto Query Language (KQL) for queries. Retention default is 31 days. Pricing is per GB ingested. It integrates with Azure Logic Apps for automation.
Edge Cases and Tricky Distinctions:
Sentinel vs. Azure Security Center: Security Center provides continuous assessment and recommendations; Sentinel is for SIEM/SOAR. Security Center can send alerts to Sentinel.
Sentinel vs. Azure Monitor: Azure Monitor collects telemetry for performance and availability; Sentinel focuses on security logs and threats.
Sentinel can be used on a single workspace or multiple workspaces (for large enterprises).
Memory Trick: 'Sentinel stands guard and sounds the alarm' – Sentinel is the security guard that watches all logs (ingestion), detects intruders (analytics), and calls for backup (automation).
Decision Tree for Eliminating Wrong Answers:
If the question asks about 'centralized security monitoring and alerting' → Sentinel.
If it asks about 'security recommendations and compliance' → Azure Security Center.
If it asks about 'collecting performance metrics' → Azure Monitor.
If it asks about 'a cloud-native SIEM' → Sentinel.
Microsoft Sentinel is a cloud-native SIEM/SOAR solution, not an on-premises tool.
Sentinel is built on Azure Log Analytics workspaces; you must have a workspace to enable Sentinel.
It ingests data from Azure, Microsoft 365, on-premises, and third-party sources via connectors.
Analytics rules (built-in or custom) detect threats and create incidents.
Automation is achieved through playbooks built on Azure Logic Apps.
Pricing is consumption-based: pay for data ingestion (per GB) and Logic Apps executions.
Sentinel complements, not replaces, Azure Security Center (Defender for Cloud).
Key exam terms: SIEM, SOAR, KQL, Log Analytics workspace, data connectors, playbooks.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Sentinel
Cloud-native SIEM/SOAR
Ingests logs from multiple sources (Azure, on-prem, other clouds)
Focuses on threat detection and incident response
Uses analytics rules and KQL queries
Consumption-based pricing per GB ingested
Azure Security Center (Defender for Cloud)
Cloud security posture management (CSPM) and workload protection
Provides security recommendations and compliance assessments
Focuses on hardening Azure resources
Uses built-in policies and secure score
Pricing includes free tier (limited features) and standard tier (per server)
Mistake
Microsoft Sentinel is just a rebranded version of Azure Security Center.
Correct
Azure Security Center (now Microsoft Defender for Cloud) is a cloud security posture management (CSPM) and workload protection platform. Sentinel is a separate SIEM/SOAR solution that ingests security data from multiple sources for advanced threat detection and response. They integrate but are distinct.
Mistake
Sentinel can only collect data from Azure resources.
Correct
Sentinel has connectors for on-premises systems (via Log Analytics agent or syslog), other clouds (AWS, GCP), and Microsoft 365. It is designed to be a unified SIEM for hybrid and multi-cloud environments.
Mistake
Sentinel automatically blocks all detected threats without human intervention.
Correct
Sentinel can automate responses via playbooks, but by default it creates incidents for analysts to investigate. Automated blocking requires you to configure a playbook that performs the blocking action (e.g., via Azure Firewall or Azure AD).
Mistake
Sentinel is free to use for up to 5 GB per day.
Correct
There is no free tier. You pay for data ingestion into the Log Analytics workspace (starting at ~$2.50/GB for the first 10 GB). Playbook executions incur additional Logic Apps costs.
Mistake
Sentinel is only for large enterprises with dedicated security teams.
Correct
Sentinel scales from small businesses to large enterprises. Small businesses can use built-in analytics and automated responses to handle security with minimal staff. Cost scales with data volume.
Microsoft Sentinel is a SIEM/SOAR solution for threat detection and response across your entire environment. Azure Security Center (now part of Microsoft Defender for Cloud) is a cloud security posture management (CSPM) tool that provides recommendations and threat protection for Azure resources. They integrate: Security Center can send alerts to Sentinel for correlation. For the exam, remember Sentinel is for advanced security analytics and automation, while Security Center is for assessing and securing your Azure environment.
Not necessarily. Sentinel collects data from many sources without agents, such as Azure Activity Log, Azure AD logs, and Office 365 audit logs. For on-premises VMs or non-Azure VMs, you may need to install the Log Analytics agent or use a syslog forwarder. For Azure VMs, you can use the Azure Monitor agent (AMA) or the legacy Log Analytics agent. The exam does not require deep agent knowledge, but know that Sentinel can collect data via connectors without agents for many Azure services.
Sentinel uses a consumption-based pricing model. You pay for the volume of data ingested into the Log Analytics workspace (per GB). There are two tiers: Pay-as-you-go (starting at ~$2.50/GB for the first 10 GB) and Commitment tiers (discounts for reserving capacity). Additionally, you pay for extended data retention beyond 31 days and for Logic Apps executions when using playbooks. There is no upfront cost or licensing fee. For the exam, remember that Sentinel is not free and pricing is based on data volume.
Yes. Sentinel is designed for hybrid and multi-cloud environments. You can connect on-premises servers using the Log Analytics agent (for Windows and Linux) or via syslog/Cisco ASA. For other clouds like AWS, there are built-in connectors (e.g., AWS CloudTrail). Sentinel also supports Common Event Format (CEF) for many security appliances. The exam expects you to know that Sentinel can ingest data from on-premises and other clouds, not just Azure.
A playbook is an automated workflow that responds to security incidents. It is built using Azure Logic Apps and can be triggered automatically when an incident is created or manually by an analyst. Common actions include sending email notifications, creating tickets in ITSM systems, blocking IP addresses, or disabling users. Playbooks help automate repetitive tasks and speed up response times. For the exam, know that playbooks are part of Sentinel's SOAR capabilities and rely on Logic Apps.
The default retention period for data in a Log Analytics workspace (and thus Sentinel) is 31 days. You can configure retention up to 2 years for interactive retention, and up to 7 years for long-term retention (at a lower cost). For compliance requirements, you may need to extend retention. The exam may test that the default is 31 days.
Sentinel provides built-in playbook templates for common scenarios, but automated response is not enabled by default. You must create and assign playbooks to automation rules. The exam may present a scenario where Sentinel automatically blocks a threat—remember that this requires configuration, not default behavior.
You've just covered Microsoft Sentinel (SIEM) — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?