What is Azure Sentinel: Features, Components & Overview


Microsoft Azure Sentinel is a cloud-native, scalable, SIEM and SOAR solution. Azure Sentinel is a security analytics and threat intelligence platform that works throughout an organization.


What is Microsoft Azure Sentinel?

Microsoft Azure Sentinel is a cloud-based SIEM (security information and event management) solution. Azure Sentinel provides a single solution for alert detection, proactive hunting, threat visibility, and threat response. It takes data from several data sources, correlates the data, and visualizes the processed data in a single dashboard. The result is a bird’s-eye view of everything you have set up in Azure.

Azure Sentinel assists in gathering, detecting, investigating, and responding to security threats and occurrences. Microsoft Sentinel is a single solution for attack detection, threat visibility, proactive hunting, and threat response that offers intelligent security analytics and threat information throughout the company.


Components of Azure Sentinel

There are nine major components:

  1. Dashboards: It offers a representation of data obtained from numerous sources, allowing the security team to look into events caused by such services.
  2. Cases: A case is a collection of evidence relevant to a particular investigation. It may include more than one alert, depending on the analytics defined.
  3. Hunting: As the name indicates, it is responsible for doing proactive threat assessments throughout the environment. It is a powerful component for security and threat analysts.
  4. Notebooks: Sentinel integrates with Jupyter Notebook and offers a wide range of libraries and modules for ML, visualization, and other purposes.
  5. Data Connectors: Azure Sentinel has built-in connections for data ingestion from Microsoft products and partner solutions.
  6. Playbooks: A Playbook is a set of operations that Azure Sentinel may perform in response to an alert trigger. They make use of Azure Logic Apps. As a result, the user may make use of Logic Apps’ flexibility, capacity, customizability, and built-in templates.
  7. Analytics: Analytics allows users to build custom alerts using the (KQL) Kusto Query Language.
  8. Community: The GitHub Azure Sentinel Community page offers detections based on several data sources. Users may use it to produce warnings and react to risks in their environment. The community page offers example queries for hunting, playbooks, and other things.
  9. Workspace: A Log Analytics workspace, also known as a Workspace, is a container for data and configuration information. It is used by Azure Sentinel to store data obtained from various sources.

How Azure Sentinel Works?

First, devices and services need to start feeding their data into Sentinel, using Data Connectors. Technically, the data goes into Azure Log Analytics. Workbooks are used to display data, possible problems, and trends, and to assist in the creation of specialized queries. These queries may assist in the creation of analytics rules. After implementing analytic rules, you start to view Incidents, as well as perform automatic actions using Playbooks. When studying Incidents, you may leave a trail of Bookmarks to indicate interesting or aberrant data for follow-up and find additional areas that may be impacted. Finally, and after acquiring experience, you may go Hunting for threats.


Log Analytics – All data that is consumed into Azure Sentinel must originate in a Log Analytics workspace. A workspace is simply an unlimited storage container that houses all your data from a number of sources. It is advised to have a single, dedicated workspace configured for Azure Sentinel.

Workbooks – Built-in workbooks enable you to analyze data right away. Custom workbooks may also be built to enable you to see your data in the manner that is most convenient for you.

Analytics – Custom rule sets may be established to search all imported data for possible threats. There are several pre-built rules available as well as connections to Microsoft sources such as Cloud App Security and Microsoft Azure ATP. Additional custom rules may be established depending on queries. These may be set to run on a regular basis. All hits from each rule may result in an incident and/or the execution of a playbook.

Incidents – Analytics rule sets are used to produce alerts. An incident might include multiple alerts. They enable further investigation utilizing the investigation graph to see whether there were any other areas of exposure. Incidents may be allocated to a specific individual to delegate the investigating duties.

Playbooks – Playbooks are simply Azure Logic Apps that are tied to Azure Sentinel alerts. They provide a coordinated and automatic reaction to alerts generated by Analytics. Anything that you can perform inside a new or existing Logic App may also be set up to execute based on an Azure Sentinel alert.

Notebooks – Azure Sentinel has incorporated Jupyter notebooks straight into the Azure Portal. A notebook is a web application that is embedded into your browser and enables you to execute live visualizations and code from inside the browser. Microsoft provides a few notebooks to demonstrate its capabilities.

Hunting – Hunting enables manual, proactive investigations into probable security issues based on the ingested data. Microsoft provides various built-in queries, as well as the ability to develop custom queries. Once you’ve created a query, you can turn it into an analytic activity that will execute on a regular basis. Hunting capabilities include: Queries, Live Stream, Bookmarks, Notebooks
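As an added example (not from the original post or from Microsoft), here is the kind of KQL query that could serve as a hunting query and then be saved as a scheduled analytics rule, as the Analytics and Hunting paragraphs describe. It flags a single source IP failing sign-in against several accounts inside a 10-minute window; the sample rows, the thresholds and the `SampleSignins` name are constructed, with columns shaped like the `SigninLogs` table.

```kql
// Added example. Constructed sample rows shaped like the SigninLogs table
// (TimeGenerated, UserPrincipalName, IPAddress, ResultType). In a real rule,
// delete this `let` and query SigninLogs directly (assumes that table is ingested).
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string,
                              IPAddress:string, ResultType:string)
[
    datetime(2024-01-10 09:01:05), "alice@contoso.example", "203.0.113.7",   "50126",
    datetime(2024-01-10 09:01:40), "bob@contoso.example",   "203.0.113.7",   "50126",
    datetime(2024-01-10 09:02:15), "carol@contoso.example", "203.0.113.7",   "50126",
    datetime(2024-01-10 09:03:02), "dave@contoso.example",  "203.0.113.7",   "50126",
    datetime(2024-01-10 09:03:48), "alice@contoso.example", "203.0.113.7",   "50126",
    datetime(2024-01-10 09:04:30), "bob@contoso.example",   "203.0.113.7",   "50126",
    datetime(2024-01-10 09:05:10), "carol@contoso.example", "203.0.113.7",   "0",
    datetime(2024-01-10 09:02:00), "erin@contoso.example",  "198.51.100.20", "50126",
    datetime(2024-01-10 09:02:30), "erin@contoso.example",  "198.51.100.20", "0"
];
// Hypothetical tuning values; adjust to the environment's normal failure rate.
let FailureThreshold = 5;
let DistinctAccountThreshold = 3;
// No ago() filter here: a scheduled rule's own lookback setting bounds the time range.
SampleSignins
| summarize
    Failures      = countif(ResultType != "0"),          // "0" means success
    Successes     = countif(ResultType == "0"),
    TargetedUsers = dcountif(UserPrincipalName, ResultType != "0"),
    Users         = make_set_if(UserPrincipalName, ResultType != "0"),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
  by IPAddress, Window = bin(TimeGenerated, 10m)
// Many failures spread over several accounts from one address suggests
// password spraying rather than one user mistyping a password.
| where Failures >= FailureThreshold and TargetedUsers >= DistinctAccountThreshold
// A success in the same window is the case to triage first.
| extend SucceededAfterFailures = Successes > 0
| project FirstSeen, LastSeen, IPAddress, Failures, TargetedUsers, Users, SucceededAfterFailures
| order by Failures desc
```

Against the sample rows, only 203.0.113.7 crosses both thresholds; the single failed sign-in from 198.51.100.20 is ignored.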


Features of Azure Sentinel

Collect data at cloud scale: Azure Sentinel is a completely cloud-based service. Azure Sentinel is a log-analytics-based data collecting platform with incredible scalability potential. There are connectors available that can be utilized to connect to these diverse data sources.

Detect previously undetected threats: Azure Sentinel identifies threats that previously went undetected and also lowers false positives using analytics and threat data from Microsoft. This considerably reduces the effort security teams spend examining alerts that are raised but are not true incidents.

Investigate threats with artificial intelligence: Azure Sentinel employs AI for threat investigation and searches for any unusual behaviors at scale. Microsoft brings over its own cybersecurity knowledge with Azure Sentinel.

Respond to incidents and events rapidly: Azure Sentinel uses AI to react quickly to dangerous situations and events. There are several options for tracking down threats and orchestrating appropriate actions.

Intelligent built-in queries: Azure Sentinel provides a number of built-in queries that non-technical users may use to quickly analyze typical threats.

Easy Installation: Azure Sentinel is a SIEM tool that is very simple to install. Infrastructure setup is simple and does not need any complicated configuration.


How to Deploy Azure Sentinel

There are a few conditions you must meet before moving on to real deployment:

  • You must have a current Azure subscription.
  • You must have a Log Analytics workspace.
  • You’ll need Contributor access to the subscription where the workspace is hosted to use this service.
  • To utilize this service, you must hold either the Contributor or the Reader role on the resource group to which the workspace belongs.
  • It is not available in China or the German regions.

Enable Azure Sentinel

Sign in to the Azure portal, then search for Azure Sentinel:


Choose an existing workspace or start from scratch. You can run Sentinel on many workspaces, but the data is only kept in one of them.

To set up a workspace, follow these steps: Type Log Analytics workspaces in the Search resources, services, and documents text box at the top of the Azure portal page and hit the Enter key.

Create the Log Analytics workspace:


Connect Data Source

Azure Sentinel ingests data from services and applications by connecting to them and having their events and logs forwarded to it. You can install the Log Analytics agent on both physical and virtual machines; it gathers logs and delivers them to Azure Sentinel. For firewalls and proxies, the Log Analytics agent is installed on a Linux Syslog server, from which the agent collects log files and sends them to Azure Sentinel.

1. Select Data connectors from the main menu. This displays a list of data connectors.


2. The gallery offers a list of all the data sources that you can use. After choosing a data source, click the Open connector page option.


3. The connector page offers instructions for configuring the connector as well as any further instructions that may be necessary.


4. The Next steps tab on the connector page shows the data connector’s built-in workbooks. You may use them as-is or make changes to them; either way, you’ll get interesting data insights right away.


5. After you connect your data sources, your data will begin to stream into Azure Sentinel and will be available for you to work with. To investigate the data, use the built-in workbooks to browse the logs and begin writing queries in Log Analytics.


Azure Sentinel Pricing

Capacity Reservation based Pricing Model – Capacity Reservation is a fixed-fee license that allows you to pay for the amount of data that may be ingested into Azure Sentinel (this pricing model is provided at a discounted rate).

Pay-As-You-Go Pricing Model – The first 5 GB of data ingested into Azure Sentinel is free, after which you’ll be charged 185.07 per GB. PAYG pricing is based on Log Analytics pricing and is set at 212.830 per GB with 5GB free per billing account per month.



Microsoft Azure Sentinel is a cloud-native solution for detecting, investigating, and responding to threats. It enables customers to identify possible issues earlier. It provides organizations with sophisticated security analysis and threat intelligence. Machine learning is used to decrease risks and identify unusual behavior.


Q1. What is Azure Sentinel?

Azure Sentinel is a cloud-native security information and event management (SIEM) solution provided by Microsoft Azure. It offers intelligent security analytics and threat intelligence to help organizations detect, investigate, and respond to security threats across their entire enterprise. By aggregating data from various sources, such as logs, events, and alerts, Azure Sentinel provides a centralized platform for security monitoring, incident management, and proactive threat hunting.

Q2. Is Azure Sentinel a SIEM or a SOAR?

Azure Sentinel is primarily classified as a SIEM (Security Information and Event Management) solution. It collects and analyzes security event data, providing real-time monitoring, correlation, and alerting capabilities. While Azure Sentinel incorporates some SOAR (Security Orchestration, Automation, and Response) functionalities, such as automated incident response and playbooks, its core focus is on SIEM capabilities for comprehensive security monitoring and management.

Q3. Who uses Azure Sentinel?

Azure Sentinel is designed for organizations of all sizes and industries that require a robust and scalable security monitoring solution. It caters to security operations teams, incident responders, and security analysts responsible for detecting and responding to security threats. Organizations seeking centralized visibility, advanced analytics, and automated security operations can benefit from Azure Sentinel’s capabilities. It is used across a wide range of industries, including finance, healthcare, government, and manufacturing, to strengthen security posture and improve incident response effectiveness.

Q4. What language is utilized in Azure Sentinel?

Azure Sentinel utilizes the Kusto Query Language (KQL) for data analysis and querying. KQL is an industry-standard query language specifically designed for efficiently searching, filtering, and aggregating data within Azure Sentinel. It allows security analysts and administrators to perform advanced analysis and investigations, create custom detection rules, build interactive dashboards, and generate insightful reports. By leveraging KQL, Azure Sentinel provides a powerful and flexible language for extracting valuable insights from the vast amount of security data collected and stored within the platform.



Sonali Jain is a highly accomplished Microsoft Certified Trainer, with over 6 certifications to her name. With 4 years of experience at Microsoft, she brings a wealth of expertise and knowledge to her role. She is a dynamic and engaging presenter, always seeking new ways to connect with her audience and make complex concepts accessible to all.

