
A Beginner’s Guide to Microsoft Sentinel

Empower Your Organisation with Microsoft Sentinel: A comprehensive beginner's guide to Microsoft's state-of-the-art SIEM solution.

What is Microsoft Sentinel?

Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution based within Microsoft Azure.

Essentially, Microsoft Sentinel provides a bird’s-eye view across your organisation’s Azure environment, allowing you to collect, detect, investigate, and respond to security information across your network. Its capabilities allow you to identify potential threats in real time, rapidly respond to these incidents, automate routine operations, scale to meet growing needs, and maintain regulatory compliance.

As a next-gen SIEM, Microsoft Sentinel offers more advanced functionality than traditional SIEMs while eliminating the installation, maintenance, and upgrade costs they typically involve. Read on for a comprehensive introduction to Microsoft Sentinel.


SIM, SEM, and SIEM. These three acronyms tend to get confused and interchanged, yet they represent three distinct, albeit similar, processes.

  • SIM
    SIM (Security Information Management) automates the collection, storage, and aggregation of security-related data from various sources across a network. SIMs have strong log management capabilities and are helpful for compliance reporting, historical analysis, and security-related reporting.

  • SEM
    SEM (Security Event Management) focuses on real-time threat analysis across a network. It collects logs and alerts from various sources, such as firewalls, servers, and antivirus software. SEMs have poorer log management capabilities than SIMs but help security teams to detect and respond to threats by providing them with helpful visualisations, notifications, and alerts immediately.

  • SIEM
    SIEM (Security Information and Event Management) essentially combines the features of both SIM and SEM. This allows for automatic data collection alongside real-time threat analysis across a network. Microsoft Sentinel is a SIEM solution.

How Microsoft Sentinel Works

Microsoft Sentinel works according to a cycle with four key stages: Collect, Detect, Investigate, and Respond. Every component of Microsoft Sentinel serves this cycle.

Microsoft Sentinel's Process Lifecycle


The cycle begins with collection. During this stage, information is ingested from different data sources into Microsoft Sentinel. This information includes data on the devices, network traffic, applications, and users within your organisation’s network. Sentinel takes this information and consolidates it, organises it, and stores it. From here, it automatically formats the data in a way that makes it simpler to understand, monitor and explore.

Key Components to Collection: Data Connectors, Log Retention, Workbooks


Once information is ingested, the next step of the process is made possible. During the detection stage Microsoft Sentinel uses its advanced analytics and machine learning capabilities to detect potential threats, suspicious activity, and security incidents. During this stage security professionals can uncover hidden or emerging threats via threat hunting.

Key Components to Detection: Analytics, Threat Hunting


Microsoft Sentinel helps simplify the threat investigation process. Leveraging automation once again, Sentinel examines threats, searching for patterns and irregularities, to group related incidents together and determine root causes. This saves time for security analysts, who can then access the data and investigate the identified threats further.

Key Components to Investigation: Incidents and Investigation


The final step of the cycle is response. Microsoft Sentinel takes automatic action to mitigate threats and incidents using playbooks. In this stage security teams are able to quickly address and resolve identified threats. This phase focuses on minimising damage and eliminating threats. With the commencement of this final phase, the cycle can begin again.

Key Components to Response: Playbooks

How the components of Microsoft Sentinel relate to its process cycle

Key Components of Microsoft Sentinel

Data Connectors

The first step of the process is the ingestion of your organisation’s data into Microsoft Sentinel. To achieve this, Sentinel utilises what are called data connectors. Data connectors act like the bridge between Sentinel and various data sources. To start the data ingestion process, data connectors must be configured for each of the sources that you want to monitor.

For efficiency purposes, Sentinel comes with pre-built data connectors designed for popular scenarios and sources, such as Microsoft 365 Defender, Common Event Format (CEF), and Office 365 logs. Although popular connectors can be added with a click of a button, others require some configuration.

Data Connectors in Microsoft Sentinel. This component begins the ingestion of data into Sentinel.
Image Source: Microsoft

Log Retention

Microsoft Sentinel uses Log Analytics Workspaces to store the information it ingests. A workspace is essentially a storage container in which Microsoft Sentinel houses your data. With the ability to ingest more than 10 petabytes of data daily, Log Analytics offers an efficient and scalable database. From here you have the ability to gain insights from your data using Kusto Query Language (KQL).

Log Workspaces in Microsoft Sentinel. This is where ingested data is stored and can be viewed.
Image Source: Microsoft


With your data ingested and stored, you can use workbooks to immediately visualise and monitor your data. Sentinel offers pre-designed workbook templates that showcase commonly helpful data insights.

Each component of a workbook presents the outcome of a KQL query of your data. These queries can be modified and adapted to your needs. Furthermore, you can create custom workbooks from scratch to display only the information that you find relevant.

Microsoft Sentinel Workbooks. Workbooks help visualise KQL query results in Sentinel.
Image Source: Microsoft

Analytic Alerts

During this phase, you transition from the collection stage to the detection stage. Analytic Rules actively analyse your data and provide high-fidelity incident alerts. Backed by Sentinel’s fast query engine, Analytic Rules can search through millions of records in seconds, automatically identifying and alerting you to potential threats, suspicious activity, and security incidents.

Microsoft Sentinel provides pre-built analytic alerts that address common anomalies and threats. By adjusting these pre-built rules or creating custom rules as needed, you can create alerts tailored specifically to your organisation. Effectively utilising Analytic Rules can save your security team valuable time by minimising the need for constant monitoring and reducing low-fidelity alerts.

Microsoft Sentinel Analytic Alerts. Alerts notify you of threats and incidents within your network.
Image Source: Microsoft

Threat Hunting

Threat Hunting is a crucial part of the detection phase. It involves using Microsoft’s powerful search and query tools to proactively intercept hidden or emerging threats before they trigger alerts. This approach has the advantage of reducing the impact and risk associated with waiting for threats to trigger alerts.

Query – Analysts can experiment with built-in hunting queries or their own custom queries to discover queries that consistently provide useful threat insights. These queries can be used to create custom detection rules, automating the process for future hunting.

Hunt – Analysts can bookmark interesting events, share them with others, and group them with related incidents for further investigation. By leveraging Microsoft Sentinel’s hunting capabilities, analysts can consistently identify patterns, anomalies, and threat indicators, effectively minimising the time threats go undetected.

Threat Hunting in Microsoft Sentinel. A proactive process where you intercept threats before they trigger alerts.
Image Source: Microsoft
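
To make the Analytic Alerts and Threat Hunting sections concrete, here is the kind of KQL query that can sit behind a scheduled analytic rule or a hunting query. It is an example added to this guide, not one of Microsoft's built-in rule templates. It assumes the Microsoft Entra ID sign-in logs are connected so that the SigninLogs table is populated; the thresholds and time window are illustrative assumptions to tune for your environment.

```kql
// Added example: surface source IPs that fail sign-ins against many
// different accounts, and show whether any sign-in from that IP succeeded.
// Thresholds below are illustrative assumptions, not recommended values.
let lookback = 1h;
let failureThreshold = 20;   // minimum failed sign-ins from one IP
let accountThreshold = 5;    // minimum distinct accounts targeted
// Step 1: IPs with many failures spread across several accounts.
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"            // "0" means the sign-in succeeded
    | summarize
        FailedAttempts = count(),
        TargetedAccounts = dcount(UserPrincipalName),
        FirstFailure = min(TimeGenerated),
        LastFailure = max(TimeGenerated)
        by IPAddress
    | where FailedAttempts >= failureThreshold
        and TargetedAccounts >= accountThreshold;
// Step 2: accounts that signed in successfully, per source IP.
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | summarize SuccessfulAccounts = make_set(UserPrincipalName, 25) by IPAddress;
// Step 3: keep every noisy IP and flag those with at least one success,
// which are the ones an analyst should look at first.
failures
| join kind=leftouter (successes) on IPAddress
| extend AnySuccess = isnotnull(SuccessfulAccounts)
| project IPAddress, FailedAttempts, TargetedAccounts,
          FirstFailure, LastFailure, AnySuccess, SuccessfulAccounts
| order by AnySuccess desc, FailedAttempts desc
```

Run it from the Logs blade of the workspace first to see how noisy it is, then adjust the thresholds before saving it as a hunting query or scheduled rule.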

Incidents and Investigation

Microsoft Sentinel simplifies the investigation process through automation. When an alert is triggered, an incident is automatically created. You can assign specific individuals to investigate and receive notifications for these different incident types. The status of these incidents can be easily monitored and updated in Sentinel.

Sentinel also allows for the creation of timelines, letting you map incidents and other meaningful context in an easy-to-investigate manner. Sentinel’s automatic investigation tools and capabilities assist in understanding the scope and root causes of such threats.

Incidents and Investigation timeline. Timelines help during the investigate phase allowing you to visualise and find root causes.
Image Source: Microsoft


During the final phase, response, Microsoft Sentinel’s security orchestration, automation, and response (SOAR) capabilities come into play. At the core of this functionality are Playbooks. Playbooks are collections of predefined procedures and actions that can be programmed to execute automatically in response to specific incidents and alerts triggered within Sentinel.

By effectively using Sentinel’s Playbooks, you can automate and streamline your threat response efforts. Additionally, Playbooks can also be used to guide manual threat responses from the incidents page. The integration of SOAR capabilities in Sentinel both reduces the workload of security teams and improves threat response time.

Automation playbooks. Built-in playbooks and custom playbooks help automate threat responses in Sentinel.
Image Source: Microsoft

Benefits of Microsoft Sentinel

There are many business benefits of adopting Microsoft Sentinel for your organisation. Key benefits of Microsoft Sentinel include:

  • Seamless Deployment
  • Reduced Downtime
  • Scalability and Flexibility
  • AI-Powered SOAR
  • Centralised Security Management
  • Intuitive Visualisations

Seamless Deployment

Microsoft Sentinel simplifies the deployment process, minimising downtime during the transition period. As a cloud native SIEM, it eliminates the time investment associated with establishing, maintaining, and scaling traditional SIEM solutions.

Once established, data ingestion can begin almost immediately by taking advantage of Sentinel’s data connectors. Moreover, if your organisation already uses Microsoft software, the process becomes even simpler. With a few clicks, you can seamlessly begin ingesting data from your entire network.

Reduced Downtime

As a cloud-native solution, Microsoft Sentinel has the ability to automatically switch to backup systems in the event of service disruption. This means you can keep ingesting, monitoring, and investigating your network’s data without interruption. Furthermore, it prevents SOC teams from missing security alerts. This reliable availability makes Microsoft Sentinel a robust SIEM solution.

AI-Powered SOAR

Microsoft Sentinel surpasses traditional SIEM solutions with its AI-driven SOAR functionality, automating security alerts and actions. The use of playbooks streamlines the initial stages of threat response, reducing the need for manual responses.

Additionally, Sentinel uses AI to reduce the number of low-fidelity security alerts. These capabilities improve response time and productivity, allowing you to focus on critical threats and dedicate time to threat hunting.

Centralised Security Management

Microsoft Sentinel offers a comprehensive centralised hub for your security management, offering a bird’s-eye view of your organisation’s network. It simplifies the querying, analysing, and monitoring process by centralising log data in one place.

With Sentinel, your SOC team can easily monitor network health, track incidents, and respond to threats from a single console. This eliminates the need for multiple consoles or data extraction, saving time and improving efficiency in security operations.

Intuitive Visualisations

Microsoft Sentinel focuses on making ingested data easily understandable, providing clear visualisations of information. This not only enhances visibility for SOC teams, enabling them to quickly interpret and identify security information, it also streamlines the reporting process. This intuitive functionality facilitates efficient communication between teams, allowing you to directly export clear, understandable, and actionable report assets.

Scalability and Flexibility

Microsoft Sentinel provides excellent flexibility and scalability for managing hybrid environments. Its cloud-native architecture seamlessly adjusts to the changing demands of modern organisations, effortlessly handling extensive data volumes and workloads.

As your organisation’s needs evolve, you can easily scale up or down without incurring significant charges. This process, which would be time-consuming and expensive with traditional SIEMs, can be done instantly with Microsoft Sentinel.

Microsoft Sentinel Costs

Microsoft Sentinel offers two payment models across its billable processes, which accommodate the various needs and budgets of different organisations.

  • Pay-as-you-go: The default payment model, where billing is based on the amount of GB ingested during specific periods. This flexible and scalable billing option is ideal for businesses that are new to Microsoft Sentinel and are uncertain about their regular data ingestion volume. Unless specified otherwise, you are automatically billed according to this model.
  • Commitment Tiers: The more cost-effective payment model, Commitment Tiers are perfect for businesses with consistent and predictable data ingestion volume. With this model you commit to purchasing specified amounts of GB for a set period. As it allows for considerably easier capacity planning on Microsoft’s side, using commitment tiers can grant you discounts up to 65%.

Although intuitive, flexible, and easily scalable, the pricing model for Microsoft Sentinel can be initially confusing. The overall price of Microsoft Sentinel is determined by a number of factors, including data ingestion volume, investigation levels, data retention, archived data, number of users, and utilised features.

For a detailed breakdown of Microsoft Sentinel’s key cost drivers and useful advice on how to optimise them, click here.

How log tiers interact and influence billing in Sentinel.

How We Can Help

The transition from a traditional SIEM to Microsoft Sentinel is one that can be expensive, confusing and time-consuming. This is where we come in.

Our team of experienced IT professionals has experience working with businesses through this transition, developing bespoke migration strategies that meet their unique requirements.

As a Microsoft Solutions Partner for Modern Work, we at Vital are ideally placed to help you:

  • Migrate to Microsoft Sentinel
  • Optimise your current cybersecurity expenditure.
  • Identify opportunities for development.
  • Secure the best Microsoft pricing.

For a 30-day free trial of Microsoft Sentinel and/or a no-obligation review of your cybersecurity infrastructure, get in touch here.