1.6 Microsoft Sentinel

60–90 minutes · Module 1 · Free

Sentinel receives a deeper treatment here than the other components because it is the platform many subsequent modules build on. It is where you will spend the majority of your time from Module 5 onwards.

Where you will spend most of your time

From Module 5 onwards, Sentinel is the primary platform. You will build workspaces, write analytics rules, configure automation, and hunt for threats here. This subsection covers the architecture — the hands-on work starts in Phase 2.

Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response). It collects data from across the entire environment — not just Microsoft products — stores it in a Log Analytics workspace, and provides detection, investigation, hunting, and automation capabilities. Think of it as the brain of the SOC for organisations that need more than what Defender XDR provides out of the box.

Log Analytics Workspace. The underlying data store. All ingested data lands here as tables. KQL queries run against these tables. Understanding workspace structure — tables, retention periods, log types — is covered in depth in Module 5.

Data Connectors. Integrations that ingest data from sources into the workspace. Three categories. Microsoft connectors (M365 Defender, Entra ID, Azure Activity, Microsoft Purview) are first-party and usually one-click setup. Third-party connectors (firewalls, SaaS apps, endpoint tools from other vendors) connect via Syslog, CEF, API, or custom connectors. Custom connectors use Data Collection Rules for bespoke data sources.

Analytics Rules. Scheduled KQL queries that run against workspace data and generate alerts or incidents when conditions are met. Four types. Scheduled rules are custom KQL on a timer — the most common and most customisable. NRT (Near Real-Time) rules run every minute for high-priority detections. Microsoft Security rules pass through alerts from other Microsoft products. Anomaly rules use ML-based behavioural detection.

Incidents. When an analytics rule fires, it creates an incident in the Sentinel incident queue. Incidents contain alerts, entities, evidence, and can be assigned to analysts for investigation.

Automation Rules. Lightweight logic that runs when an incident is created or updated. Can assign incidents, change severity, add tags, and trigger playbooks. No-code configuration.

Playbooks (Logic Apps). Full automation workflows triggered by incidents or alerts. They can call external APIs, send notifications, take containment actions, create tickets, and enrich alerts with threat intelligence. Built on Azure Logic Apps. Covered in depth in Module 25.

Hunting. The proactive threat hunting interface. Analysts write KQL queries to search for threats that have not triggered detection rules. Supports bookmarks for saving interesting findings, livestream for running a query continuously, and structured hunt management. Covered in Module 23.

Workbooks. Interactive dashboards built with KQL that visualise security data. Used for operational monitoring and management reporting. Covered in Module 26.

Threat Intelligence. Ingest and manage threat indicators (IoCs) from feeds, STIX/TAXII sources, or manual entry. Indicators can be matched against ingested data automatically. Covered in Module 24.

Content Hub. A marketplace of pre-built solutions containing analytics rules, playbooks, workbooks, hunting queries, and data connectors — packaged by Microsoft and the community.

Key data tables

All tables from connected data sources listed in previous subsections, plus:

  • SecurityAlert — alerts from all connected Microsoft security products
  • SecurityIncident — Sentinel incident records
  • ThreatIntelligenceIndicator — IoC data
  • AzureActivity — Azure resource management activity
  • Syslog and CommonSecurityLog — third-party device logs
  • Custom tables created via Data Collection Rules

How it connects

Sentinel ingests data from every other component in this module (Defender XDR, Entra ID, Purview, and more). It runs detections on the combined data that no individual product can produce alone — cross-source correlation is its primary advantage. Automation rules and playbooks can trigger containment actions in Defender for Endpoint, Entra ID, and third-party tools. The unified security operations platform is bringing Sentinel and Defender XDR into a single portal experience.
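The cross-source correlation described above, as an added KQL example that is not part of the module: a scheduled analytics rule query that joins third-party firewall events in CommonSecurityLog against IP indicators in ThreatIntelligenceIndicator, so the rule fires only when a device in your environment has talked to a known-bad address. The 1-hour run window, the 14-day indicator window and the confidence threshold of 50 are assumptions you would tune per environment.

```kql
// Added example, not the module's own content: a scheduled analytics rule query
// matching third-party firewall traffic against threat intelligence indicators.
// Assumptions: 1h rule frequency/lookback, 14-day indicator window, confidence >= 50.
let lookback = 1h;
// Latest version of each active, unexpired IP indicator
let ip_indicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(14d)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | extend IndicatorIP = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP)
    | where isnotempty(IndicatorIP)
    | project IndicatorIP, IndicatorId, ThreatType, ConfidenceScore,
              TIDescription = Description, TISource = SourceSystem;
// Firewall/CEF events from the last run window, joined to the indicator list
CommonSecurityLog
    | where TimeGenerated >= ago(lookback)
    | where isnotempty(DestinationIP)
    | join kind=inner ip_indicators on $left.DestinationIP == $right.IndicatorIP
    | where ConfidenceScore >= 50
    // One row per source/destination pair so a chatty host does not create hundreds of alerts
    | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
                Connections = count(),
                Devices = make_set(DeviceName, 10),
                Actions = make_set(DeviceAction, 10)
        by SourceIP, DestinationIP, IndicatorId, ThreatType, ConfidenceScore, TISource, TIDescription
    // Map SourceIP and DestinationIP to IP entities in the rule's entity mapping
    | project-reorder FirstSeen, LastSeen, SourceIP, DestinationIP, ThreatType, ConfidenceScore, Connections
```

Content Hub ships packaged TI-matching rules of this shape; writing one by hand shows what the "automatic" indicator matching mentioned under Threat Intelligence is actually doing under the hood.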

Key takeaways

  • Sentinel is a cloud-native SIEM and SOAR — it ingests data from the entire environment, not just Microsoft
  • Four analytics rule types: scheduled, NRT, Microsoft Security, and anomaly
  • Playbooks (Logic Apps) automate containment and response at machine speed
  • Requires an Azure subscription — not included in any M365 licence
  • Cost management (Module 5) is a critical operational skill — data ingestion is pay-per-use

Licensing

Not included in any M365 licence — requires a separate Azure subscription. Pricing is pay-per-use based on data ingestion volume (per GB/day into the workspace). Free tier: 5 GB/day on the first workspace, which is often sufficient for small environments. M365 E5 customers receive a data grant for ingesting M365 security data. Cost management is a critical operational skill covered in Module 5.

Try it yourself

Without looking back at the content, list the four types of Sentinel analytics rules and describe when you would use each one. Then reveal the answer to check.

Answer

Scheduled rules — custom KQL queries that run on a timer (e.g. every 5 minutes, every hour). Most common and most customisable. Use for any detection you build yourself.

NRT (Near Real-Time) rules — run every minute with a 1-minute lookback. Use for high-priority detections where even a 5-minute delay is unacceptable (e.g. admin account compromise).

Microsoft Security rules — pass-through rules that surface alerts from other Microsoft products (Defender XDR, Entra ID Protection) directly into the Sentinel incident queue. Use to ensure important alerts from other products create Sentinel incidents.

Anomaly rules — ML-based behavioural detection that identifies deviations from baselines. Use for catching unknown threats that do not match predefined patterns.

Check your understanding

1. What is the difference between a Sentinel automation rule and a playbook?

They are the same feature
Automation rules run KQL; playbooks send emails
Automation rules are lightweight no-code logic (assign, tag, trigger); playbooks are full Logic App workflows that can call APIs and take complex actions

2. Sentinel requires an Azure subscription. Why is it not included in any M365 licence?

Microsoft forgot to include it
Sentinel pricing is based on data ingestion volume, which varies enormously between organisations — a flat licence fee would not work
Sentinel is a third-party product

3. What is the primary advantage Sentinel has over Defender XDR for detection?

Sentinel has a better user interface
Sentinel can ingest and correlate data from non-Microsoft sources (firewalls, third-party tools, custom logs)
Sentinel runs queries faster

4. You want to detect a specific attack pattern within 60 seconds. Which analytics rule type should you use?

Scheduled rule (5-minute interval)
NRT (Near Real-Time) rule
Anomaly rule