
What is Microsoft Sentinel?

Microsoft Sentinel is a SIEM and SOAR tool:

  • Security information and event management (SIEM)
  • Security orchestration, automation and response (SOAR)

Long story short: you can collect data from almost anywhere and use analytics rules to detect threats. You can then investigate the resulting incidents and hunt for suspicious activity. With Logic Apps-based playbooks you can automate responses and protective actions.

Connectors

Microsoft Sentinel’s primary function is to gather events and logs. To connect data sources to your workspace, Microsoft provides dozens of connectors (124 at the time of writing). The screenshot below shows some of them:

Connectors differ in how they ingest data. Four types are distinguished:

1. Microsoft integrated

Microsoft-integrated connectors are built in and need little setup. Microsoft Defender for Endpoint, for example, can be activated with the click of a button.

Connection from Microsoft service to Microsoft Sentinel

2. REST-API

REST-API connectors use an Azure Function that polls the source application’s API and sends the retrieved records to the Log Analytics workspace. This lets an application be connected as long as it exposes an API to pull the logs from.
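To make the “push” half of such a connector concrete, here is an added example (my own code, not Microsoft’s connector code and not from the original post) that builds a correctly signed request for the Log Analytics HTTP Data Collector API, which is what the Azure Function-based connectors used to write into a custom table. The workspace ID, shared key, table name and the sample events are constructed placeholders. Note that Microsoft has since deprecated this API in favour of the Logs Ingestion API with data collection rules; the signing scheme below is still the one the older connectors use.

```python
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request

# Constructed placeholder values: not a real workspace, not a real key.
# The real ones are on the workspace's "Agents" blade in the Azure portal.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"placeholder-shared-key-not-real").decode()
LOG_TYPE = "MyAppAudit"          # the API creates the custom table MyAppAudit_CL

RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"


def build_signature(workspace_id, shared_key, date_header, content_length,
                    method="POST", content_type="application/json"):
    """Return the Authorization header value for the Data Collector API.

    The API signs a fixed string (method, body length, content type, the
    x-ms-date header and the resource path) with HMAC-SHA256 keyed with the
    base64-decoded workspace shared key.
    """
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{date_header}\n{RESOURCE}")
    key = base64.b64decode(shared_key)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(records, workspace_id=WORKSPACE_ID, shared_key=SHARED_KEY,
                  log_type=LOG_TYPE, date_header=None):
    """Build (url, headers, body) for one batch of JSON records.

    date_header is an RFC 1123 timestamp. It defaults to now (UTC) and is a
    parameter only so that the output can be reproduced deterministically.
    """
    body = json.dumps(records).encode("utf-8")
    if date_header is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        date_header = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, date_header, len(body)),
        "Log-Type": log_type,
        "x-ms-date": date_header,
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{RESOURCE}?api-version={API_VERSION}")
    return url, headers, body


def send_records(records):
    """POST one batch to the workspace; returns the HTTP status (200 = accepted)."""
    url, headers, body = build_request(records)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample events, in the shape an Azure Function would collect
    # them from the source application's API.
    sample = [
        {"EventTime": "2024-01-05T10:15:03Z", "user": "alice", "action": "login", "result": "success"},
        {"EventTime": "2024-01-05T10:15:09Z", "user": "bob", "action": "login", "result": "failure"},
    ]
    url, headers, _ = build_request(sample)
    print(url)
    print(headers["Authorization"])
    # send_records(sample)   # only with real workspace credentials
```

The signature binds the body length and the timestamp, so a captured request cannot be replayed with a different payload, but the shared key itself is a long-lived secret that can write arbitrary data into the workspace; keep it in Key Vault or the Function’s application settings, never in the connector source.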

3. Syslog

Syslog is how many appliances and Linux hosts are connected. This is mainly done with the Azure Monitor Agent (AMA).

Syslog Connection to Microsoft Sentinel

4. CEF

The Common Event Format (CEF) is also supported by many appliances and can be forwarded via a syslog server. At the time of writing, CEF forwarding with the Azure Monitor Agent is in private preview; currently it can only be done with the legacy Microsoft Monitoring Agent (MMA).

Firewall appliance connection to Microsoft Sentinel
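Whichever agent forwards it, a CEF line is a syslog message whose body starts with seven pipe-delimited header fields followed by key=value extensions, and Sentinel maps those into the CommonSecurityLog table. The following parser is an added example written for this page (not Microsoft’s or any vendor’s code): it handles the escaping rules of the format (`\|` and `\\` in the header, `\=`, `\\`, `\n` and `\r` in extension values) and flattens the result into CommonSecurityLog-style column names. The sample lines use fictitious vendors and documentation addresses and are constructed; the key-to-column mapping is the subset I know from the CommonSecurityLog schema and should be checked against the current schema before being relied on.

```python
import re

# Constructed sample lines (fictitious vendors, RFC 5737 addresses), in the
# shape a syslog server forwards them: optional syslog prefix, seven
# pipe-delimited CEF header fields, then key=value extensions.
SAMPLE_LINES = [
    r"<134>Jan 05 10:15:03 fw01 CEF:0|ExampleVendor|NGFW|10.1|TRAFFIC|deny|5|"
    r"src=10.0.0.5 dst=203.0.113.9 spt=51234 dpt=445 proto=TCP act=deny",
    r"CEF:0|ExampleVendor|WebGateway|2.0|100|Blocked \| URL|7|"
    r"rt=Jan 05 2024 10:15:04 src=10.0.0.7 request=http://example.test/a\=b "
    r"msg=Category\=malware\nsee\\ticket act=block",
]

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# An extension key is a run of [A-Za-z0-9_.-] at the start of the extension
# or after whitespace, immediately followed by '='. An escaped '\=' inside a
# value never matches because the backslash sits between key chars and '='.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")
_CEF_START = re.compile(r"CEF:\d+\|")

# Subset of the CEF key -> CommonSecurityLog column mapping (from the schema
# as I know it; verify before relying on it). Unmapped keys are collected in
# AdditionalExtensions as "key=value;key=value", as Sentinel does.
CSL_COLUMNS = {"src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort",
               "dpt": "DestinationPort", "proto": "Protocol", "act": "DeviceAction",
               "msg": "Message", "rt": "ReceiptTime", "request": "RequestURL"}


def _split_header(text):
    """Split the 7 header fields on unescaped '|'; return (fields, remainder)."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # '\|' and '\\' are escapes
            cur.append(text[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return fields, text[i:]


def _unescape(value):
    """Undo extension-value escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n', '\\r'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1])); i += 2
        else:
            out.append(value[i]); i += 1
    return "".join(out)


def _parse_extension(ext):
    """Each value runs from its key's '=' to the start of the next key."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end])
    return out


def parse_cef(line):
    """Parse one syslog/CEF line into a dict; raise ValueError if malformed."""
    start = _CEF_START.search(line)
    if start is None:
        raise ValueError("no CEF header found")
    fields, ext = _split_header(line[start.start():])
    if len(fields) != 7:
        raise ValueError("expected 7 pipe-delimited header fields")
    record = dict(zip(HEADER_FIELDS, fields))
    record["cef_version"] = int(record["cef_version"][len("CEF:"):])
    record["syslog_prefix"] = line[:start.start()].strip()
    record["extension"] = _parse_extension(ext.strip())
    return record


def to_common_security_log(record):
    """Flatten a parsed record into CommonSecurityLog-style columns."""
    row = {"DeviceVendor": record["device_vendor"], "DeviceProduct": record["device_product"],
           "DeviceVersion": record["device_version"], "DeviceEventClassID": record["signature_id"],
           "Activity": record["name"], "LogSeverity": record["severity"]}
    extra = []
    for key, value in record["extension"].items():
        if key in CSL_COLUMNS:
            row[CSL_COLUMNS[key]] = value
        else:
            extra.append(f"{key}={value}")
    if extra:
        row["AdditionalExtensions"] = ";".join(extra)
    return row


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(to_common_security_log(parse_cef(line)))
```

The escaping matters for detection as much as for parsing: a device that fails to escape `=` or `|` in a user-controlled field (a URL, a username) produces lines where attacker-supplied text is split into fields of its own, so a parser like this should be fed deliberately malformed samples before its output is trusted in analytics rules.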

Workbooks

Like other Azure services, Sentinel uses workbooks to visualize data. Many workbooks are predefined and can be found in the portal, and the community provides workbooks for many vendors.

Incidents

An incident is created by analytics rules. It is a container for a threat that holds all the information about it. For example:
– admins can create their own incidents to track feedback from users,
– Logic Apps playbooks can send them to ServiceNow,
– or analysts can hunt them down.

Community

Sentinel has a large community, and many members contribute their own solutions and give feedback. To get a glimpse of this, check out the following GitHub repository: Microsoft Sentinel GitHub

Conclusion

Microsoft Sentinel is a large service with many more features than are mentioned here. If you are just getting started with Microsoft Sentinel, take your time and go through every single feature. The deeper you go, the sooner you will also need to learn KQL. It is essential for writing your own queries against custom logs and for creating your own analytics rules.

Published in Azure, Security, Sentinel
