This chapter covers Microsoft Sentinel, a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. For the CS0-003 exam, questions on cloud-based SIEM/SOAR, including Sentinel, typically appear in the Security Operations domain (Objective 1.2) and may account for 5-10% of the exam. Understanding Sentinel's architecture, data ingestion, analytics rules, and incident management is critical for answering scenario-based questions about threat detection and response in hybrid and cloud environments.
Jump to a section
Microsoft Sentinel is like a modern Security Operations Center (SOC) staffed by a team of analysts, automated tools, and a massive case management system. The SOC has a central dashboard (Azure portal) where all security alerts from various sensors (data sources) are collected. Each data source is like a camera or alarm system in a building—they generate logs (video feeds, sensor data) that stream into a central data lake (Log Analytics workspace). The SOC analysts use correlation rules (detection rules) to identify suspicious patterns, like a person entering a restricted area after hours. When a rule triggers, it creates an incident (a case file) that is assigned to an analyst for investigation. The SOC also has threat intelligence feeds (like a wanted posters database) that help identify known bad actors. Automated playbooks (like standard operating procedures) can take immediate actions, such as blocking an IP address or isolating a workstation. The entire operation is governed by a retention policy that determines how long logs are kept before being archived or deleted. Just as a SOC must tune its rules to reduce false positives, Sentinel requires careful configuration of data connectors, analytics rules, and playbooks to be effective. Misconfigurations can lead to missed threats or alert fatigue.
What is Microsoft Sentinel?
Microsoft Sentinel is a scalable, cloud-native SIEM and SOAR solution that provides intelligent security analytics and threat intelligence across an enterprise. Unlike traditional on-premises SIEMs like Splunk or ArcSight, Sentinel is built on Azure and leverages the power of the cloud to ingest massive amounts of data, scale automatically, and reduce infrastructure overhead. It integrates with Microsoft 365, Azure services, and third-party sources via connectors.
Core Components
Sentinel's architecture consists of several key components: - Data Connectors: These ingest logs from various sources (e.g., Azure Active Directory, Office 365, AWS CloudTrail, Syslog, CEF). Each connector has a specific configuration and may require additional software, such as the Log Analytics agent or Azure Monitor Agent. - Log Analytics Workspace: All data is stored in a Log Analytics workspace, which acts as the central repository. Each workspace has a unique ID and primary key. Data is organized into tables (e.g., SecurityEvent, SigninLogs, CommonSecurityLog). - Analytics Rules: These are detection rules that run periodically against ingested data to generate alerts. Rules can be scheduled (every X minutes) or near-real-time (Microsoft Security events). Each rule has a query (KQL), frequency, period, and severity. - Incidents: When an analytics rule matches, it creates an incident—a group of related alerts. Incidents are the primary unit for investigation and response. - Playbooks: Automated workflows built on Azure Logic Apps. They can perform actions like blocking IPs, resetting passwords, or sending notifications. - Workbooks: Interactive dashboards that visualize data and provide insights. They are built using KQL queries and can be customized. - Threat Intelligence: Integrates with threat intelligence feeds (e.g., Microsoft Threat Intelligence, TAXII servers) to enrich alerts with known indicators of compromise (IOCs).
Data Ingestion and Storage
Data flows into Sentinel via connectors. Each connector sends data to specific tables in the Log Analytics workspace. For example:
Azure Activity logs go to AzureActivity table.
Windows security events go to SecurityEvent table.
Syslog data goes to Syslog table.
Custom logs can be ingested via HTTP Data Collector API.
Data is retained in the workspace for a configurable period (default 30 days for interactive retention, 90 days for total retention). Longer retention requires additional costs or archiving to Azure Storage. Sentinel pricing is based on data volume ingested (GB/day) and is billed separately from Log Analytics.
Analytics Rules and Detection
Analytics rules are the heart of detection. They are written in Kusto Query Language (KQL) and run on a schedule. Key parameters: - Frequency: How often the rule runs (e.g., every 5 minutes). - Period: The time window of data the query looks at (e.g., last 5 minutes). - Trigger threshold: Minimum number of query results to generate an alert (e.g., 1). - Severity: Informational, Low, Medium, High. - Entity mapping: Maps fields in the query to entities (Account, IP, Host, etc.) for correlation.
Example rule: Detect multiple failed logins.
SigninLogs
| where ResultType == "50057" // User account is disabled
| summarize Count = count() by UserPrincipalName, IPAddress
| where Count > 5This rule runs every 5 minutes, looking at the last 5 minutes of data. If any user has more than 5 failed logins from the same IP, an alert is generated.
Incident Management
When an alert fires, it can be grouped into an incident based on entity matching. Incidents have a status (New, Active, Closed), severity, owner, and timeline. Analysts can investigate using the built-in investigation graph, which shows relationships between entities. Incidents can be closed with a classification (True Positive, Benign Positive, False Positive).
SOAR Capabilities (Playbooks)
Playbooks automate response actions. They are triggered by alerts or incidents. Common triggers include:
When an incident is created.
When an alert is generated.
When a specific condition is met (e.g., severity is High).
Playbooks can perform actions like:
Block an IP in Azure Firewall.
Disable a user account in Azure AD.
Send an email to an analyst.
Create a ticket in ServiceNow.
Integration with Microsoft 365 Defender
Sentinel integrates with Microsoft 365 Defender (formerly Microsoft Threat Protection) to ingest alerts from Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. This provides a unified view of threats across the Microsoft ecosystem.
Threat Intelligence
Sentinel supports importing threat indicators from TAXII servers or custom feeds. Indicators include IPs, domains, URLs, file hashes, etc. These indicators are used in analytics rules to detect matches (e.g., alert when a user visits a known malicious domain).
Workbooks and Dashboards
Workbooks are created using KQL and provide visualizations. Sentinel comes with built-in workbooks for common scenarios (e.g., Azure Activity, Office 365, Security Events). Custom workbooks can be created to track specific KPIs.
Best Practices
Use separate Log Analytics workspaces for production and non-production environments.
Enable UEBA (User and Entity Behavior Analytics) to detect anomalous behavior based on user profiles.
Tune analytics rules to reduce false positives by adjusting thresholds or using advanced KQL.
Set up retention and archiving policies to manage costs.
Use managed identity for playbooks to authenticate to Azure resources.
Common Misconfigurations
Insufficient data ingestion: Missing critical data sources (e.g., DNS logs) leads to blind spots.
Overly broad analytics rules: Generate too many alerts, causing alert fatigue.
Incorrect time zone settings: Logs from different time zones cause timing issues in queries.
Not using entity mapping: Reduces correlation and investigation effectiveness.
Verification Commands
To verify data ingestion, use KQL in Log Analytics:
Usage
| where TimeGenerated > ago(1d)
| summarize TotalGB = sum(Quantity) by DataTypeCheck connector health in Sentinel > Data connectors > Status.
Default Values
Default retention: 30 days interactive, 90 days total.
Default analytics rule frequency: 5 minutes.
Default incident severity: Medium.
Default data connector polling interval: 5 minutes for most connectors.
Interoperability
Sentinel can ingest from AWS (CloudTrail, VPC Flow Logs), GCP, on-premises via Syslog/CEF, and any REST API source. It can forward alerts to other SIEMs via webhooks or Logic Apps.
Deploy Sentinel workspace
Create a Log Analytics workspace in the Azure portal. Enable Sentinel on that workspace. This step defines the geographical region (e.g., East US) and sets the pricing tier (Pay-as-you-go or Capacity Reservations). The workspace ID and primary key are generated for data source authentication. A resource group must be specified. This is a one-time setup.
Connect data sources
Use data connectors to ingest logs. For example, to connect Azure Active Directory, select the connector and click 'Connect'. For Windows events, install the Log Analytics agent (MMA) on servers and configure it to forward events. For Syslog, configure a Syslog forwarder (e.g., rsyslog) to send logs to the workspace. Each connector has specific prerequisites (e.g., permissions, agent installation). After connection, data flows into designated tables (e.g., SigninLogs, SecurityEvent).
Create analytics rules
Navigate to Analytics > Create > Scheduled query rule. Write a KQL query that detects a specific pattern. Set the frequency (e.g., 5 minutes) and period (e.g., 5 minutes). Configure the alert threshold (e.g., 1 result). Map entities (Account, IP, Host) to enable correlation. Set the severity (e.g., High). Enable the rule. The rule will now run on schedule and generate alerts when the query returns results.
Respond to incidents
When an alert fires, it creates an incident. Analysts view incidents in Sentinel > Incidents. They can assign ownership, change status, and investigate using the investigation graph. The graph shows connected entities and related alerts. Analysts can run playbooks manually or automatically. After investigation, they close the incident with a classification (e.g., True Positive) and add comments. The incident timeline is recorded.
Automate with playbooks
Create a playbook in Azure Logic Apps. Choose a trigger (e.g., 'When an incident is created'). Add actions like 'Block IP in Azure Firewall' or 'Send email'. Save and assign the playbook to an analytics rule in Sentinel (under 'Automated response'). When the rule triggers, the playbook runs automatically. Playbooks can be parameterized to use incident data (e.g., malicious IP from the alert).
Monitor and tune
Regularly review analytics rule performance using the 'Tuning' tab in Analytics. Check for high false positive rates. Adjust query thresholds or add exceptions. Use workbooks to visualize data ingestion and alert trends. Set up UEBA to baseline user behavior. Periodically review connector health and ensure all critical sources are connected. Update threat intelligence feeds.
Enterprise Scenario 1: Hybrid Environment Monitoring
A multinational corporation uses a mix of on-premises Windows servers, Azure VMs, and SaaS applications (Office 365, Salesforce). They deploy Sentinel to centralize logs. They connect Azure AD for sign-in logs, Office 365 for audit logs, and install the Log Analytics agent on on-premises servers to collect security events. They also use the Syslog connector for network devices. They create analytics rules to detect brute-force attacks (e.g., multiple failed logins from a single IP) and malware outbreaks (e.g., multiple alerts from Defender for Endpoint). The SOC team uses workbooks to track top alert types and response times. A common issue is time skew between on-premises logs and cloud logs, which they resolve by ensuring all devices use NTP and setting the correct time zone in queries.
Enterprise Scenario 2: Cloud-Native SOC for AWS and Azure
A company runs workloads in both AWS and Azure. They deploy Sentinel in Azure and use the AWS connector to ingest CloudTrail and VPC Flow Logs. They also connect Azure Activity logs and Azure AD. They create analytics rules to detect cross-cloud threats, such as an IAM user creating resources in AWS and then accessing Azure resources. They use UEBA to establish baselines. They set up a playbook that automatically disables a user in Azure AD if a high-severity incident is created from AWS CloudTrail. Performance considerations: Sentinel can handle up to 50 GB/day per workspace, but they use multiple workspaces for different regions to keep data local. Misconfiguration: They initially forgot to enable the AWS connector's 'Ingest all events' option, missing critical API calls.
Enterprise Scenario 3: MSSP Using Sentinel
A Managed Security Service Provider (MSSP) monitors multiple customer environments. They deploy Sentinel in each customer's Azure subscription (or a central workspace with role-based access control). They use Azure Lighthouse to manage multiple tenants. They create standard analytics rules and workbooks that are deployed via Azure Blueprints. They set up automated playbooks to isolate infected VMs across customers. A common challenge is data ingestion costs—they must carefully estimate each customer's log volume and set budget alerts. Misconfiguration: They once set a retention policy of 1 year for all customers, causing unexpectedly high storage costs. They now use separate retention policies per data type (e.g., 30 days for verbose logs, 1 year for security events).
What CS0-003 Tests on Microsoft Sentinel
The exam covers Sentinel under Objective 1.2: 'Given a scenario, analyze data to identify security threats and recommend appropriate mitigation strategies.' Specifically, you must understand:
How to configure data connectors (e.g., Azure AD, Office 365, AWS)
How to create analytics rules using KQL (basic syntax)
Incident management workflow (status, classification)
Playbook automation (triggers, actions)
Integration with Microsoft 365 Defender
Pricing model (pay-as-you-go per GB ingested)
Common Wrong Answers and Why
'Sentinel is an on-premises SIEM' – Wrong because it is cloud-native. Candidates confuse it with on-premises solutions like Microsoft System Center Operations Manager (SCOM).
'Analytics rules run in real-time' – Wrong; they run on a schedule (minimum 5 minutes). Real-time detection is for Microsoft 365 Defender alerts.
'Playbooks are built in Sentinel' – Wrong; they are built in Azure Logic Apps and integrated with Sentinel.
'Data retention is unlimited by default' – Wrong; default is 30 days interactive, 90 days total. Longer retention incurs costs.
Specific Numbers and Terms
Default analytics rule frequency: 5 minutes.
Default retention: 30 days (interactive), 90 days (total).
Pricing: Pay-as-you-go per GB ingested (typically $2-5/GB).
Connectors: Over 100 built-in.
Supported KQL functions: summarize, where, project, extend, join.
Incident classification options: True Positive, Benign Positive, False Positive.
Entity types: Account, Host, IP, URL, FileHash.
Edge Cases the Exam Loves
Multiple workspaces: You may need to recommend separate workspaces for different environments.
Time zone handling: KQL queries use UTC; logs with local timestamps need conversion.
UEBA: Requires Azure AD Premium P2 licensing.
Retention vs. archiving: Archiving to Azure Storage is cheaper but not queryable.
How to Eliminate Wrong Answers
If a question mentions 'on-premises deployment' for Sentinel, eliminate that option.
If a question asks about 'real-time detection' for custom analytics rules, look for the scheduled rule option.
For playbook creation, the correct answer always involves Azure Logic Apps.
For data retention, the default is always 30/90 days unless specified otherwise.
Microsoft Sentinel is a cloud-native SIEM+SOAR solution built on Azure Log Analytics.
Data connectors ingest logs from over 100 sources into Log Analytics tables.
Analytics rules run on a schedule (minimum 5 minutes) and are written in KQL.
Incidents are groups of alerts and are managed with status, severity, and classification.
Playbooks are Azure Logic Apps that automate response actions triggered by incidents.
Default data retention is 30 days interactive, 90 days total; longer retention costs extra.
Sentinel integrates with Microsoft 365 Defender for unified threat detection.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Sentinel
Cloud-native SIEM+SOAR with advanced analytics and KQL.
Ingests data from multiple sources (cloud, on-prem, SaaS).
Provides incident management and investigation tools.
Supports automated response via playbooks (Logic Apps).
Billed per GB of data ingested.
Azure Security Center (Defender for Cloud)
Cloud Security Posture Management (CSPM) and workload protection.
Focuses on Azure resources and provides security recommendations.
Alerts are generated based on security policies and vulnerabilities.
Automated response limited to Azure policies and just-in-time access.
Billed per server or per resource, not per GB.
Mistake
Microsoft Sentinel is just a cloud version of Windows Event Forwarding.
Correct
Sentinel is a full SIEM+SOAR platform that ingests data from hundreds of sources, not just Windows events. It uses KQL for analytics, has built-in threat intelligence, and automates responses via playbooks. Windows Event Forwarding only forwards Windows event logs to a central collector.
Mistake
Analytics rules in Sentinel run in real-time.
Correct
They run on a schedule with a minimum frequency of 5 minutes. Near-real-time detection is only for Microsoft security alerts (e.g., from Defender for Endpoint) that are ingested automatically. Custom rules are always scheduled.
Mistake
Sentinel can replace Active Directory.
Correct
Sentinel is a security monitoring tool, not an identity provider. It can ingest logs from AD but does not manage users or authentication. AD is still required for identity management.
Mistake
All data ingested into Sentinel is stored for 90 days by default.
Correct
The default is 30 days of interactive retention (queryable) plus 90 days total (including archived). After 90 days, data is deleted unless you configure longer retention or archive to Azure Storage.
Mistake
Playbooks can be created directly in the Sentinel portal without any other service.
Correct
Playbooks are created in Azure Logic Apps and then connected to Sentinel. The Sentinel portal provides a link to Logic Apps, but the actual design and editing happen there.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Install the Log Analytics agent (MMA) on the servers. In the Sentinel portal, select the Windows Security Events connector and choose the agent to use. Configure the agent to forward events to the Log Analytics workspace. You can also use the Azure Monitor Agent (AMA) for newer servers. Ensure the agent has network connectivity to Azure (via proxy or direct).
An alert is a single detection from an analytics rule. An incident is a group of related alerts that are correlated based on entities (e.g., same user or IP). Incidents are the primary unit for investigation and response. Analysts work on incidents, not individual alerts. Incident creation can be configured in the analytics rule settings.
Yes, Sentinel provides connectors for AWS (CloudTrail, VPC Flow Logs, S3) and GCP (via the GCP connector). You need to configure the respective cloud services to forward logs to a Sentinel workspace. For AWS, you set up an S3 bucket and use the AWS connector to ingest logs. For GCP, you use the GCP connector with a service account.
Sentinel supports TAXII 2.0/2.1 servers and custom threat intelligence feeds. You configure a threat intelligence connector to import indicators (IPs, domains, URLs, hashes). These indicators are stored in the ThreatIntelligenceIndicator table. Analytics rules can then match against these indicators to generate alerts. You can also use built-in Microsoft Threat Intelligence.
User and Entity Behavior Analytics (UEBA) profiles users and entities based on historical activity to detect anomalies. It requires Azure AD Premium P2 licenses. Enable it in Sentinel Settings > Entity behavior configuration. Once enabled, it creates UEBA events that can be queried. It adds context to incidents by showing deviations from baseline behavior.
When creating a rule, you can use the 'Test with current data' option. This runs the query against existing data and shows how many results would have been generated. You can also set the rule to 'Disabled' initially, then manually run it to see results. Alternatively, use 'Log Analytics' to run the query directly without creating a rule.
Sentinel is billed per GB of data ingested into the Log Analytics workspace. There is no upfront cost. Additional costs include: Log Analytics data retention beyond 90 days, Azure Logic Apps for playbooks, and network egress. You can use Capacity Reservations to reduce cost if you have predictable volumes. There is also a free tier (1 GB/day for 31 days) for trial.
You've just covered Microsoft Sentinel for CySA+ — now see how well it sticks with free CS0-003 practice questions. Full explanations included, no account needed.
Done with this chapter?