This chapter covers Microsoft Sentinel, a cloud-native Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR) solution. For the SC-900 exam, Sentinel is a critical topic within Objective 3.2, representing approximately 10-15% of security questions. You will need to understand its core components, how it collects data, how it detects threats, and how it automates responses. This chapter provides the depth required to answer any Sentinel-related exam question confidently.
Jump to a section
Microsoft Sentinel is like a highly trained security guard stationed at a corporate headquarters with a state-of-the-art monitoring room. The guard has cameras (data connectors) covering every entrance, hallway, server room, and office. Every event—a door opening, a person entering, a server alert—is logged in a central notebook (Log Analytics workspace). The guard doesn't just watch passively; he has a set of rules (analytics rules) that define suspicious behavior, such as someone entering the server room at 3 AM or an unknown person tailgating an employee. When a rule is triggered, the guard immediately investigates by reviewing the relevant camera footage (incident investigation). He can also automate responses: if a fire alarm sounds, he automatically unlocks all doors and calls the fire department (playbooks). Over time, the guard learns normal patterns—like which employees work late—and can spot subtle anomalies that might indicate an insider threat (UEBA). The guard also shares threat intelligence with other buildings in the company (Microsoft 365 Defender) and receives updates from a global security network (Microsoft Threat Intelligence). All his actions are recorded for compliance and later review. Sentinel is this guard, but operating in the cloud at massive scale, ingesting terabytes of logs per day, applying machine learning to detect known and unknown threats, and enabling security teams to respond faster than any human could alone.
What is Microsoft Sentinel?
Microsoft Sentinel is a scalable, cloud-native SIEM and SOAR solution that provides intelligent security analytics and threat intelligence across an enterprise. Unlike traditional on-premises SIEMs like Splunk or ArcSight, Sentinel is built on Azure and leverages the cloud's elasticity to ingest massive amounts of data without requiring upfront hardware or capacity planning. It is a PaaS (Platform as a Service) offering, meaning Microsoft manages the underlying infrastructure.
Why Sentinel Exists
Organizations face an ever-increasing volume of security alerts from various sources: firewalls, endpoints, identity systems, cloud applications, and more. Traditional SIEMs require significant capital expenditure, complex tuning, and manual correlation. Sentinel addresses these challenges by providing: - Scalability: Ingest terabytes of data per day without capacity constraints. - Cloud-native architecture: Built on Azure Monitor and Log Analytics, leveraging existing investments. - Advanced analytics: Built-in machine learning and user and entity behavior analytics (UEBA). - Automation: SOAR capabilities with playbooks to automate incident response. - Integration: Native connectors for Microsoft 365 services (Azure AD, Microsoft 365 Defender, Office 365) and hundreds of third-party sources.
How Sentinel Works Internally
Sentinel's architecture consists of several key components that work together:
1. Data Ingestion: Data sources connect via connectors. Connectors can be: - Azure-native connectors: For Azure resources (e.g., Azure Activity Log, Azure AD logs) – these require minimal configuration. - Common Event Format (CEF): Syslog-based format for many security appliances (e.g., Palo Alto, Cisco ASA). - Syslog: Direct syslog ingestion, often used for Linux-based sources. - REST API connectors: For cloud services (e.g., AWS CloudTrail, Salesforce). - Microsoft 365 connectors: For Exchange Online, SharePoint, Teams, etc. - Agents: The Log Analytics agent (Windows/Linux) or the newer Azure Monitor Agent (AMA) can forward logs from VMs.
Data is sent to a Log Analytics workspace, which acts as the central repository. Each workspace is associated with an Azure subscription and region. Sentinel is enabled on top of a Log Analytics workspace, transforming it into a SIEM.
Data Storage and Retention: Logs are stored in tables within the Log Analytics workspace. By default, logs are retained for 30-730 days depending on the pricing tier (pay-as-you-go or reserved capacity). Sentinel also supports long-term retention (up to 7 years) via Azure Data Lake or archive logs. Data is partitioned by time and indexed for fast queries.
3. Threat Detection: Sentinel uses analytics rules to detect threats. There are several types: - Scheduled query rules: Run a Kusto Query Language (KQL) query at regular intervals (e.g., every 5 minutes) and generate an alert if the query returns results. This is the most common type. - Near-real-time (NRT) rules: Run every minute for low-latency detection. - Microsoft Security rules: Built-in rules that cover common attack patterns (e.g., ransomware, brute force). - Anomaly detection rules: Use machine learning to detect unusual behavior (e.g., abnormal login times, unusual data exfiltration). - Fusion rules: Correlate multiple alerts from different sources to detect multi-stage attacks (e.g., a phishing email followed by credential theft). - ML Behavior Analytics: UEBA profiles entities (users, devices, IPs) and detects deviations from baseline.
Each rule has a severity (Informational, Low, Medium, High) and can be configured to automatically create incidents.
Incident Creation: When an analytics rule triggers, Sentinel creates an incident. An incident is a collection of related alerts, grouped by entities (e.g., user, IP, host). Incidents are the focal point for investigation. They have a status (New, Active, Closed), a severity, and an owner.
Investigation: Sentinel provides a graphical investigation canvas that shows entities and their relationships (e.g., a user logged into a VM, which then communicated with an external IP). Investigators can pivot by clicking on entities to launch new queries. The hunting feature allows proactive threat searching using KQL. Sentinel also has livestream to monitor real-time events.
Response: Playbooks automate incident response. Playbooks are built on Azure Logic Apps and can be triggered automatically or manually. They can perform actions such as blocking a user, isolating a machine, sending an email, or creating a ticket in ServiceNow. Playbooks use connectors to interact with Azure services, Microsoft 365, and third-party systems.
Threat Intelligence: Sentinel can ingest threat intelligence feeds (e.g., from Microsoft, third-party providers) in STIX/TAXII format. This data is used to correlate against logs to detect known malicious IPs, domains, or hashes.
Key Components, Values, and Defaults
Log Analytics workspace: Must be in a supported region. Workspace pricing tiers: Pay-as-you-go (per GB ingested), Reserved Capacity (100 GB/day minimum).
Data retention: Default 30 days for Sentinel-enabled workspaces (but can be increased to 730 days at additional cost). Long-term retention via Azure Storage.
Analytics rule frequency: Default 5 minutes for scheduled rules, 1 minute for NRT rules. Lookback period: typically 24 hours.
Incident closing reasons: True Positive (benign), True Positive (malicious), False Positive, Undetermined.
Playbook trigger: Automatic (when incident created/updated) or manual (from incident toolbar).
Data connectors: Over 300 built-in connectors. Custom connectors can be created using Log Analytics API.
Configuration and Verification Commands
Sentinel is managed via the Azure portal, Azure CLI, PowerShell, or REST API. There is no direct command-line for Sentinel itself, but you can manage resources:
Azure CLI example to list Sentinel incidents:
az sentinel incident list --resource-group <rg> --workspace-name <workspace>PowerShell to enable Sentinel on a workspace:
New-AzSentinelOnboardingState -ResourceGroupName <rg> -WorkspaceName <workspace>KQL query example for failed logins:
SigninLogs
| where ResultType == "50057"
| summarize Count = count() by UserPrincipalName, IPAddress
| where Count > 10Interaction with Related Technologies
Microsoft 365 Defender: Sentinel can ingest alerts from Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps. This provides a unified view across identities, endpoints, and cloud apps.
Azure Defender (now part of Microsoft Defender for Cloud): Sentinel can collect security alerts from Azure Defender for VMs, SQL, storage, etc.
Azure AD: Sentinel ingests sign-in logs, audit logs, and identity protection events.
Azure Policy: Can be used to enforce Sentinel configuration across multiple subscriptions.
Logic Apps: Playbooks are built on Logic Apps, which can connect to hundreds of services.
Pricing
Sentinel pricing is based on data ingestion volume (per GB) and includes a free tier of 5 GB/day for the first 31 days. Additional costs apply for retention, long-term storage, and Logic Apps executions.
Enable Sentinel on a Workspace
Navigate to the Azure portal, search for 'Microsoft Sentinel', and click 'Create'. Select an existing Log Analytics workspace (or create a new one). The workspace must be in a supported region (e.g., East US, West Europe). Sentinel will enable on top of that workspace, converting it into a SIEM. This process takes a few seconds. After enablement, the workspace will have Sentinel's blade visible. Note: Once enabled, you cannot disable Sentinel without deleting the workspace or removing the Sentinel resource.
Connect Data Sources
In Sentinel, go to 'Data connectors'. Choose from over 300 connectors. For example, to connect Azure Active Directory, select 'Azure Active Directory' and click 'Open connector page'. Follow the prompts to grant permissions. For syslog sources, you may need to install a Log Analytics agent on a Linux forwarder. Each connector has specific prerequisites (e.g., Azure AD requires Global Admin or Security Admin role). Data begins flowing within minutes. Verify by checking 'Logs' and querying the relevant table (e.g., SigninLogs).
Create an Analytics Rule
Under 'Analytics', click 'Create' and select 'Scheduled query rule'. Define a name, severity, and MITRE ATT&CK tactics. Write a KQL query that detects malicious activity. Set the query frequency (e.g., every 5 minutes) and lookback period (e.g., 24 hours). Configure alert threshold (e.g., if query returns > 5 results). Choose whether to group alerts into incidents (recommended). Enable 'Create incident' and set the group-by fields (e.g., UserPrincipalName). Finally, set automated responses (playbooks) if desired. The rule will be active immediately.
Investigate an Incident
When an incident is created, go to 'Incidents'. Select an incident to view its details: description, entities involved (users, IPs, hosts), and timeline of alerts. Click 'Investigate' to open the graphical canvas. Here you can see relationships: a user logged into a VM, which connected to an external IP. Click on an entity to run queries (e.g., 'Show related alerts'). Use the 'Hunting' tab to run proactive queries. You can also use 'Livestream' to monitor real-time events. Change the incident status to 'Active' and assign an owner.
Automate Response with a Playbook
Go to 'Automation' and 'Playbooks'. Click 'Create' to open Logic Apps designer. Choose a trigger (e.g., 'When an incident is created'). Add actions: for example, 'Get incident entities', then 'Block IP in Azure Firewall'. Use connectors for Microsoft Teams to send a notification, or ServiceNow to create a ticket. Save the playbook. Then, go to 'Automation rules' and create a rule that triggers on specific conditions (e.g., when incident severity is High) and runs the playbook. Test by simulating an incident. Playbooks can also be run manually from the incident toolbar.
Enterprise Scenario 1: SOC Monitoring for a Financial Institution
A bank with 10,000 employees uses Sentinel to centralize logs from on-premises firewalls, Azure workloads, Microsoft 365, and endpoints. They ingest approximately 2 TB of logs daily. The SOC team uses Sentinel's built-in analytics rules (e.g., 'Brute force attack against Azure AD') and custom rules for suspicious wire transfers. They have playbooks that automatically disable a user's account if Sentinel detects a potential account compromise. A common misconfiguration is not tuning the analytics rules, leading to alert fatigue. For example, a rule that alerts on failed logins without filtering out known test accounts generates thousands of false positives. The solution is to use KQL to exclude known IPs or users. Performance is generally good, but complex KQL queries with large lookback periods (e.g., 14 days) can cause delays. They mitigate by using materialized views or summarization tables.
Enterprise Scenario 2: Multi-Cloud Security for a Retail Company
A retailer uses AWS, GCP, and Azure. They use Sentinel as the single pane of glass by deploying connectors for AWS CloudTrail and GCP Audit Logs via custom API connectors. They also ingest data from their SaaS applications (Salesforce, Workday). A key challenge is log format normalization: AWS logs arrive in JSON, while syslog from on-premises firewalls is in CEF. Sentinel handles this via the Log Analytics agent and built-in parsers. They use UEBA to detect insider threats, such as an employee accessing HR data after hours. A misconfiguration they encountered was not enabling the 'User and Entity Behavior Analytics' data connector, which is required for UEBA. After enabling, they had to wait 14 days for baseline profiling. They also use threat intelligence feeds from Microsoft and a third-party provider to block known malicious IPs at the firewall via a playbook.
Scenario 3: Managed Security Service Provider (MSSP)
An MSSP manages Sentinel for 50 clients. They use Azure Lighthouse to manage multiple workspaces from a single portal. Each client has its own Log Analytics workspace and Sentinel instance. They deploy a centralized 'SOC workspace' that collects alerts from all client workspaces using cross-workspace queries. A common issue is data egress costs: querying across workspaces in different regions incurs network charges. They mitigate by collocating workspaces in the same region. They also use automation rules to route high-severity incidents to the SOC team's Teams channel. A pitfall is that playbooks run in the context of the workspace's subscription, so they need appropriate RBAC permissions across multiple tenants. They use managed identities and service principals to handle this.
Exactly What SC-900 Tests on Sentinel
SC-900 objective 3.2: 'Describe the capabilities of Microsoft Sentinel.' The exam focuses on high-level concepts rather than deep configuration. Key areas: - Purpose: Understand that Sentinel is a cloud-native SIEM and SOAR solution. - Data connectors: Know that Sentinel can collect data from Microsoft 365, Azure, and third-party sources. - Analytics: Know the types of analytics rules (scheduled, NRT, ML, Fusion). - Incidents and investigations: Understand that incidents are groups of related alerts, and the investigation canvas shows entity relationships. - Automation: Know that playbooks are based on Azure Logic Apps and automate response. - Threat intelligence: Understand that Sentinel can ingest threat intel feeds. - Pricing: Know that Sentinel charges per GB ingested (not per alert).
Common Wrong Answers and Why
'Sentinel is an on-premises SIEM' – Wrong. Sentinel is cloud-native. Candidates confuse it with Azure Sentinel (old name) but it's still cloud.
'Sentinel requires an agent on every device' – Wrong. While agents are used for some sources, many connectors (Azure, M365) are agentless.
'Playbooks are built with PowerShell' – Wrong. Playbooks are Azure Logic Apps, which use a visual designer and connectors.
'Sentinel replaces Microsoft 365 Defender' – Wrong. They complement each other; Sentinel ingests alerts from Defender.
Specific Numbers and Terms
Data retention: 30 days default (up to 730 days).
Connectors: Over 300.
Pricing: Pay-as-you-go per GB, with a free tier of 5 GB/day for 31 days.
Analytics rule types: Scheduled, NRT, ML, Fusion, Microsoft Security.
Incident statuses: New, Active, Closed.
Playbook trigger: Automatic or manual.
Edge Cases and Exceptions
Sentinel can be enabled on a Log Analytics workspace that is already used for other monitoring, but this may affect performance.
Some data connectors require specific licensing (e.g., Azure AD P2 for Identity Protection logs).
Threat intelligence feeds must be in STIX/TAXII format.
UEBA requires the 'UEBA' data connector to be enabled and takes 14 days to build baselines.
How to Eliminate Wrong Answers
Focus on the key words: 'cloud-native', 'SIEM', 'SOAR', 'Log Analytics workspace', 'playbooks', 'incidents', 'analytics rules'. If an answer mentions on-premises, manual correlation, or capacity planning, it's likely wrong. Remember that Sentinel is a PaaS – no infrastructure management.
Microsoft Sentinel is a cloud-native SIEM and SOAR solution built on Azure Log Analytics.
It collects data from over 300 connectors, including Microsoft 365, Azure, and third-party sources.
Analytics rules (scheduled, NRT, ML, Fusion, Microsoft Security) detect threats and create incidents.
Incidents group related alerts and can be investigated using the graphical investigation canvas.
Playbooks, based on Azure Logic Apps, automate incident response.
Sentinel ingests threat intelligence in STIX/TAXII format for correlation.
Pricing is per GB of data ingested, with a free tier of 5 GB/day for 31 days.
UEBA requires enabling the data connector and takes 14 days to establish baselines.
Sentinel does not replace Microsoft 365 Defender; it integrates with it.
Automation rules can automatically assign incidents, change severity, or run playbooks.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Sentinel
Cloud-native, no hardware required.
Scalable automatically with pay-as-you-go pricing.
Built-in connectors for Microsoft 365 and Azure.
Playbooks via Azure Logic Apps (SOAR).
Incident investigation with graphical canvas.
On-Premises SIEM (e.g., Splunk)
Requires on-premises servers and storage.
Capacity planning required; scaling is complex.
Connectors often need custom development.
SOAR capabilities may require additional products.
Investigation tools vary; often query-based.
Mistake
Microsoft Sentinel is just a log storage tool.
Correct
Sentinel is a full SIEM and SOAR with analytics, threat intelligence, and automated response. It is not just a log repository; it actively detects and responds to threats.
Mistake
You need to install an agent on every data source.
Correct
Many connectors (Azure AD, Office 365, Azure Activity) are agentless. Agents are only needed for on-premises Windows/Linux servers and syslog sources.
Mistake
Playbooks are written in PowerShell or Python.
Correct
Playbooks are built using Azure Logic Apps, which is a low-code visual designer. They use connectors and can include code steps, but the core is logic-based.
Mistake
Sentinel can replace your firewall or endpoint protection.
Correct
Sentinel is a SIEM/SOAR, not a prevention tool. It detects and responds but does not block traffic directly. It integrates with firewalls and endpoint protection to automate blocking.
Mistake
Sentinel is free with an Azure subscription.
Correct
Sentinel has a consumption-based pricing model (per GB ingested). There is a free trial of 5 GB/day for 31 days, but after that, you pay for data ingestion and retention.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
There is no difference. Azure Sentinel was renamed to Microsoft Sentinel in 2021. The product is the same; only the name changed to reflect its integration with the Microsoft security portfolio. The exam refers to it as Microsoft Sentinel.
Yes. Sentinel is enabled on top of a Log Analytics workspace. The workspace stores all the ingested data. You can use an existing workspace or create a new one. Each Sentinel instance is tied to one workspace.
Yes. You can install the Log Analytics agent (or Azure Monitor Agent) on on-premises Windows and Linux servers to forward logs. Alternatively, you can use syslog or CEF connectors for network appliances.
Sentinel charges per gigabyte (GB) of data ingested into the Log Analytics workspace. There is a free tier of 5 GB/day for the first 31 days. After that, you pay the standard Log Analytics ingestion rate plus additional costs for long-term retention and Logic Apps executions.
A playbook is an automated workflow that responds to incidents. It is built using Azure Logic Apps and can perform actions like blocking a user, isolating a machine, or sending a notification. Playbooks can be triggered automatically by automation rules or manually from an incident.
Yes, through User and Entity Behavior Analytics (UEBA). UEBA profiles normal behavior of users, devices, and other entities, then detects anomalies that may indicate insider threats, such as unusual data access or off-hours logins.
The investigation canvas is a graphical tool in Sentinel that displays entities (users, IPs, hosts) and their relationships. It helps analysts understand the scope of an incident by showing connections between alerts and entities, allowing them to pivot and explore further.
You've just covered Microsoft Sentinel — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?