Skip to content
Home ยป How Azure Sentinel Works

How Azure Sentinel Works

What is Azure Sentinel?

It is an SIEM (Security Information and Event Management) and Security Orchestration and Automated Response (SOAR) system on Microsoft’s cloud service for public use. It provides a single option for alert detection, threat visibility and proactive hunts, as well as threat response. It gathers data from various sources, then conducts data correlation and Data Visualization the data processed into one dashboard. It helps collect information, discover, analyze and respond to security-related incidents and threats.

In this way, it provides smart security analysis and threat intelligence across the enterprise. It is natively integrated with Azure Logic Apps and Log Analytics that enhances its capabilities. It also incorporates advanced machine-learning capabilities that identify threat actors and suspicious behavior. This can greatly assist security analysts in their efforts to analyze their environment.

It’s easy to deploy in single and multi-tenant scenarios. In the case of multitenant situations, it will be deployed for each tenant and Azure Lighthouse will be used to have a multitenant visualization of every tenant.

What are the steps in it?

The four crucial areas or phases in Azure Sentinel are as follows:

Collect Data

It will collect information about every device, user applications, as well as infrastructure that is on-premise and spread across several cloud environments. It is easy to connect to security sources out-of-the-box. There are several connectors available for Microsoft solutions that provide real-time integration. It also includes built-in connectors that work with third-party solutions and products (non-Microsoft solutions). Apart from this, Common Event Format (CEF), Syslog, or REST-API may also be connected to the necessary data sources to it.

The services that are directly connected through out-of the-box integration include Azure Active Directory, Azure Activity, Azure DDoS Protection, Azure AD Identity Protection, Azure Firewall, Azure Security Center, Azure Web Application Firewall, Office 365, Microsoft Defender for Identity, Amazon Web Services – CloudTrail, Cloud App Security and many other Microsoft solutions.

Appliances that can be connected to Okta SSO, Orca Security, Qualys VM, Citrix Analytics, Barracuda CloudGen Firewall, Perimeter 81 Logs, Proofpoint TAP, and others using an API.

It also allows for connection via the agent with any data source. Syslog protocol can be used for this purpose and enables live streaming of logs in real time. This is accomplished by the Azure Sentinel Agent feature, i.e., Log Analytics Agent. Log Analytics Agent. It converts CEF-formatted logs into a format which can be consumed via Log Analytics. The external solutions that are supported through Agents include Linux Servers, DNS Servers Azure Stack VMs DLP Solutions.

Threat Intelligence Providers (MISP Open Source Threat Intelligence Platform, Anomali ThreatStream, Palo Alto Networks MineMeld, ThreatConnect Platform, ThreatQ Threat Intelligence Platform, etc.). Firewalls, proxies , and endpoints can be accessed through CEF (Check Point F5 ASM Palo Alto Networks, Zscaler, Cisco ASA, Fortinet and various other CEF-based appliances), and firewalls, proxy servers and endpoints supported through Syslog (Sophos AX, Symantec Proxy SG, Pulse Connect Secure and other Syslog-based products).

It can be used with Fluentd and LogStash for connecting and collecting the data and logs.

Detection of Threats

It can identify dangers and decrease false positives through the use of data analytics and threat intelligence directly from Microsoft. Azure Analytics plays a major function in correlating alerts to incidents discovered by the security team. It comes with templates built in from the start to help you create rules for detection of threats and automate threat responses. Additionally, it also provides the ability to design custom rules. The four templates that are available for build-in are below:

Microsoft Security Templates- When you use this template, events will generate a real-time alert that will are generated by other Microsoft security software.

Fusion Template- This template can only create only one rule and is enabled by default. Based on principles of sophisticated Multistage Attack Detection. It makes use of scalable machine-learning algorithms to correlate a variety of low-fidelity alerts and events across multiple products into high-fidelity and actionable incidents.

Machine Learning Behavioural Analytics TemplatesThe templates are able to create only one rule with each type of template. They are built on proprietary Microsoft Machine Learning Algorithms, and the users can’t know the internal working of this template’s logic or the duration it is running.

Contact when searching for a Managed Azure Sentinel service.

Scheduled Templates- It is the only template that is available with the ability to look at the query logic and make changes as per the specifications of the environment. Scheduled templates are set up to be scheduled analytics and depend on build-in queries written by Microsoft. These templates are customizable by the logic of queries and scheduling settings to design new rules.

Investigation Suspicious Activities

It is able to investigate and track suspicious activities across the environment. It reduces the amount of noise and seek out security threats based on MITRE framework. Use Artificial Intelligence to proactively identify dangers before alerts trigger over the secure assest to detect suspicious activities. When you use it for investigation and hunting, you can make use of the following features:

Built-in-Queries: It’s developed by Microsoft and available to familiarize you with tables and query language. You can however, make new queries, and fine-tune existing queries to enhance your ability to detect.

The most powerful query language that incorporates intelligence: The software is built the foundation of a query language that supplies the flexibility is required to bring your hunt capabilities up a notch.

Create your Bookmarks: You can create bookmarks for your discoveries you make during your hunting trip so that you can check them later in the future and make an incident to further investigation.

Notebooks can be used in order to Automate Investigation: Notebooks are similar to a step-by-step manual that resembles playbooks. You can make them to track the steps required during the hunt and investigation process. The notebooks will summarize all steps involved in the hunting process in a portable playbook which can be shared with other people in the organization.

The stored data can be accessed by querying it: The data associated and generated by it is available and accessible in the table form that can be easily queryable.

Connections to Communities: Azure Sentinel Github’s community is a central place to find additional queries and data sources.


It can react smoothly and react quickly to orchestration issues built-in and routine and repetitive tasks are easily converted into automation. It can create simplified security orchestration with playbooks. It can also make tickets for ServiceNow, Jira, etc. in the event of an event.

What are the most important components?

Here are the nine major Azure Sentinel components:

Dashboards: It has built-in dashboards that display data gathered from different data sources. It allows security personnel to get a better understanding of the actions generated by these services.

Cases: A set of all evidence that is relevant to a specific investigation is known as a case. A case can contain one or more than one alert based upon the analytics that are defined as such by the person who created the.

Hunting: It’s an extremely effective component for security analysts and threat analysts. It’s responsible for performing proactive threat analysis across the entire environment to analyze and detect security threats. KQL (Kusto Query Language) improves the search capabilities of it. Because of its machine-learning capabilities that detect suspicious behaviours. For example, abnormal traffic or patterns of traffic in firewall data as well as suspicious authentication patterns and anomalies in resource creation.

Notebooks: It provides flexibility and broadens the scope of what you can do with the collected data providing an out-of-the box connectivity to the Jupyter Notebook which comes with a built-in collection of libraries and modules for machine learning and embedded analytics visualization, and data analysis.

Data Connectors built-in connectors are included in it to facilitate the ingestion of data from Microsoft solutions and products as well as partner solutions.

Playbooks: A playbook is a set of steps to execute in response to an alert trigger from it. They leverage Azure Logic Apps. Thus, users is able to benefit from flexibility, capacity to customize, as well as the built-in templates of Logic Apps. To automate and organize tasks and workflows that are ready for configuration to run manually or run automatically when certain alerts are triggered.

Analytics: Analytics permits users to build custom alerts by using Kusto Query Language (KQL).

Community: TheGitHubAzure Sentinel Community page contains detections based on different sources of data. The users are able to make alerts and react to security threats in their surroundings. The Community page also contains some hunting-related queries and examples as well as security playbooks and other documents.

Workspace: Workspace or Log Analytics Workspace is a container that consists of information on configuration and data. This container is used to store data collected from various sources of data. You can create a new workspace or use an existing workspace for storing the data. But it would help to have a separate workspace because alert rules and investigations do not operate across different workspaces.

Log Analytics workspace Log Analytics workspace can provide these features:

A geographic location for data storage.

Data isolation through granting different users access rights following Log Analytics’ recommended design methods for workspaces.

The possibility of setting configuration options for pricing tiers, like retention, price tier, and data capping.

How can it be deployed?

It is based on the Role-Based Access Control (RBAC) authorization model which allows administrators to create the level of access depending on the specifications and the permissions. It comes with three roles that can be used.

Reader: Users who are assigned this role have access to the data and incidents but not make changes.

Responder: Users assigned to this role are able to view incidents and data and perform certain actions in the course of adventures, such as assign an additional user to handle the incident or change the severity of the incident.

Contributor: Users in this role have the ability to look at incidents and information, perform some actions on incidents and also create or remove analytic rules.

In order to deploy it the workspace, you must have permissions for contributors for the subscription in which it is located. Azure Sentinel workspace resides. To give access to different teams based on their work with it, leverage RBAC. RBAC model to assign the appropriate permissions to different groups.

What is Azure Sentinel Center?

Azure Security Center is a cloud-based platform for protection of workloads which focuses on server workload protection’s particular requirements in today’s hybrid data center designs. It is, however, a cloud-native SIEM , which analyzes event data in real-time for early detection of targeted data breaches and cyberattacks and to collect, store, investigate and respond to security incidents.

What exactly is Azure Security Center?

Azure Security Center deals with your Azure assets’ configuration following the best practices in more simple terms. It focuses on identifying bad actors and blocking unauthorized access to data. If you decide to deploy Azure Security Center and it simultaneously. In this case it is imperative to make sure you do not use the default workspace generated by Azure Security Center to deploy it since you aren’t able to enable it on this default namespace.

How do you find Security Threats?

When using Azure Sentinel, there are four ways to search for security threats.

Jupyter Notebook for Hunting: Making use of Jupyter Notebooks to complete the hunting process extends the amount of data that can be examined from gathered data. The Kqlmagic library has the functions to take Azure Sentinel queries and run them directly inside notebooks. Azure is the home of Azure Notebooks, an integrated Jupyter Notebook for Azure environment which can be used to store, share and run notebooks.

Using Bookmarks for Hunting: Using bookmarks helps you preserve the logs of your queries and the results you obtained from it. You can also add tags and notes to your bookmarks that you use as reference. Viewing bookmarks from your Hunting Bookmark table in your Log Analytics workspace enables you to search and join bookmark information with other sources of data which makes it simple to find evidence that supports your claims.

Use of Livestream for hunting It’s possible to use Livestream to make interactive sessions that let users perform the following tasks:

Test newly created queries as things happen.

Be alerted when threats are detected.

Investigations that launch that include assets such as host or user

Livestream sessions can be created with every Log Analytics queries.

Manage hunting and Livestream queries using the REST API It lets you use Log Analytics’ REST API to handle hunting and Livestream queries. Such queries display in the Azure Sentinel UI.


Azure Sentinel is a scalable cloud-based tool that can help detect to investigate, identify, and respond to potential threats if there are any. It lets users detect possible issues earlier. It makes use of Machine learning to minimize the risk of a problem and to identify unusual behavior. Also, IT teams save time and effort for maintenance. It allows them to monitor their ecosystem , from cloud to workstations, on-premise and personal devices.