Skip to main content
Cloud / Azure / Products / Microsoft Sentinel - Cloud-Native SIEM and SOAR

Microsoft Sentinel - Cloud-Native SIEM and SOAR

Microsoft Sentinel: Cloud-native SIEM from Microsoft Azure with AI-powered threat detection and security orchestration (SOAR).

security
Pricing Model Based on ingested data volume (pay-as-you-go per GB or commitment tiers starting at 50/100 GB per day for discounts), additional costs for log retention and automation
Availability Available in most Azure regions
Data Sovereignty EU regions available
Reliability SLA as published by the provider SLA

What is Microsoft Sentinel?

Microsoft Sentinel is Microsoft’s cloud-native Security Information and Event Management (SIEM) solution with integrated Security Orchestration, Automation, and Response (SOAR) capabilities. The service collects security events from across the entire IT landscape (cloud, on-premises, SaaS), correlates them using analytics and machine learning, detects threats, and automates incident response via playbooks.

At its core, Sentinel is based on Azure Monitor Log Analytics and uses Kusto Query Language (KQL) for queries, Analytics Rules for alerting, and Workbooks for visualization. Sentinel ingests logs via numerous data connectors from Microsoft services (Microsoft Defender, Entra ID, Azure services), third-party solutions, and generic protocols such as Syslog, CEF, or REST API.

Important change: Microsoft Sentinel is now fully available in the Microsoft Defender portal (including for customers without Microsoft Defender XDR or an E5 license), where it is being merged with Defender XDR as part of the unified security operations experience. Starting March 31, 2027, Microsoft Sentinel will no longer be supported in the Azure portal and will be available only through the Microsoft Defender portal. New customers have already been automatically directed toward the Defender portal since July 2025. Organizations currently running Sentinel in the Azure portal should plan their transition in good time.

Sentinel’s analytics capabilities and User and Entity Behavior Analytics (UEBA) establish baselines for normal behavior and detect anomalies such as unusual logins or privilege escalation. SOAR playbooks (based on Azure Logic Apps) automate responses such as user lockouts, notifications, or ticket creation. Jupyter notebooks enable interactive investigations with Python and KQL across large data volumes.

Core Features

Scalable data collection: Ingestion of log and event data from multi-cloud and on-premises environments via prebuilt and custom connectors, including data normalization (ASIM).

Threat detection with analytics and MITRE ATT&CK mapping: Predefined and custom analytics rules group individual alerts into incidents and map detected activity to the MITRE ATT&CK framework.

Threat intelligence and watchlists: Integration of various threat intelligence sources as well as custom watchlists (e.g., critical assets, departed employees) for correlation and response.

Investigation and hunting: Interactive incident graphs, proactive threat hunting via search queries, and Jupyter notebooks for advanced analysis.

SOAR automation: Automation rules and playbooks based on Azure Logic Apps to orchestrate incident response workflows.

Typical Use Cases

Multi-cloud security monitoring: Enterprises use Sentinel as a central SIEM for Azure, AWS, and GCP by consolidating logs from various cloud providers into a single workspace and correlating events across clouds.

Automated incident response with SOAR: Security teams create playbooks that automatically respond to certain incidents, such as temporarily locking a user account, notifying the security team, and creating a ticket in the ITSM system.

Threat hunting with KQL and UEBA: SOC analysts use KQL queries for proactive threat hunting, while UEBA generates risk scores for users and entities based on behavioral anomalies.

Compliance reporting: Enterprises use Sentinel workbooks for compliance dashboards and define retention policies aligned with regulatory requirements.

Integration with Microsoft Defender: Sentinel aggregates alerts from various Defender services into consolidated incidents instead of isolated individual alerts.

Best Practices for Microsoft Sentinel

Start with Microsoft connectors: Enable the pre-installed Microsoft connectors (Entra ID, Azure Activity, Microsoft Defender) first before building third-party integrations.

Use analytics rule templates: Enable relevant, predefined analytics rule templates instead of writing rules entirely from scratch, and adjust thresholds to your environment.

Define a data retention strategy: Set retention periods based on log type and regulatory requirements, and use archiving options for more cost-effective long-term storage.

Automate frequent responses: Identify recurring incident response tasks and automate them gradually via playbooks.

Cost optimization through log filtering: Filter out low-value, noisy logs before ingestion, and evaluate commitment tiers for predictable, high-volume data ingestion.

Frequently Asked Questions about Microsoft Sentinel

What is the difference between SIEM and SOAR?

SIEM (Security Information and Event Management) collects, correlates, and analyzes security events from various sources to detect threats. SOAR (Security Orchestration, Automation and Response) automates incident response processes via playbooks. Sentinel combines both functions in a single platform.

How does the pricing model work?

Sentinel primarily bills based on ingested data volume: either pay-as-you-go per GB or via commitment tiers (starting at a certain daily data volume) that offer meaningful discounts over pay-as-you-go for predictable usage. Additional costs apply for log retention beyond the included period and for automation (Logic Apps executions). Current prices and discount tiers are available on the official pricing page.

Do I need to move from Sentinel in the Azure portal to the Defender portal?

Yes. Microsoft Sentinel is already fully available in the Microsoft Defender portal, where it is being integrated into the unified security operations experience with Defender XDR. Starting March 31, 2027, Sentinel will no longer be supported in the Azure portal; existing customers should plan their migration in good time.

What is UEBA and how does it work?

User and Entity Behavior Analytics (UEBA) uses machine learning to establish baselines for normal user and entity behavior. When deviations occur, a risk score is increased and an alert is generated, making it possible to detect insider threats and compromised accounts even without explicit rules.

Which data connectors are available?

Sentinel offers numerous connectors for Microsoft services, common cloud platforms, firewalls, EDR/XDR solutions, identity providers, and ticketing systems, as well as generic protocols such as Syslog, CEF, and REST API. The available connectors are continuously expanded.

Can I use Sentinel for non-Microsoft environments?

Yes, Sentinel is generally cloud- and vendor-agnostic and can ingest logs from on-premises systems as well as AWS and GCP environments. The deepest integration naturally exists with Microsoft’s own services.

What is KQL and do I need to learn it?

Kusto Query Language (KQL) is Microsoft’s query language for Log Analytics and is essential for threat hunting, custom analytics rules, and dashboards. For basic use of predefined rules and workbooks, KQL isn’t strictly required, but it is recommended for advanced analysis.

Is Microsoft Sentinel GDPR compliant?

Sentinel can be operated in a GDPR-compliant manner when European Azure regions are selected, keeping logs within the chosen region. Because security logs can contain personal data (e.g., IP addresses, usernames), appropriate safeguards such as RBAC and encryption are required.

Integration with innFactory

As a Microsoft Solutions Partner, innFactory supports you in implementing Microsoft Sentinel. We help with connector configuration, analytics rule tuning, playbook development, and migration to the Microsoft Defender portal.

Contact us for a non-binding consultation on Microsoft Sentinel and cloud security monitoring.

Typical Use Cases

Security Information and Event Management (SIEM)
Security Orchestration, Automation and Response (SOAR)
Threat Hunting with KQL queries
Cloud security monitoring for Azure, AWS, GCP
Compliance reporting and incident response
User and Entity Behavior Analytics (UEBA)

Technical Specifications

0th Based on Azure Monitor Log Analytics
1st KQL (Kusto Query Language) for threat hunting
2nd Built-in analytics rules and ML models
3rd UEBA for anomaly detection
4th Integration with Microsoft Defender XDR and Entra ID
5th SOAR playbooks based on Azure Logic Apps
6th Numerous data connectors (Syslog, CEF, REST API)
7th Jupyter notebooks for advanced investigation

Note: All product information on this page has been compiled with care, but is provided without guarantee and may be outdated or incomplete. Cloud services evolve rapidly — features, pricing, SLAs, and availability change frequently. Authoritative and up-to-date information can only be found on the official product page of Azure (official documentation). This page does not represent an offer by Azure.

Microsoft Solutions Partner

innFactory is a Microsoft Solutions Partner. We provide expert consulting, implementation, and managed services for Azure.

Microsoft Solutions Partner Microsoft Data & AI

Ready to start with Microsoft Sentinel - Cloud-Native SIEM and SOAR?

Our certified Azure experts help you with architecture, integration, and optimization.

Schedule Consultation