Microsoft Sentinel Documentation
Microsoft Sentinel (formerly Azure Sentinel) is a cloud-native security information and event management (SIEM) solution, with built-in security orchestration and automated response (SOAR), that provides security analytics across your enterprise.
What is Microsoft Sentinel?
Sentinel collects data at cloud scale from users, applications, servers, and devices, whether they run on-premises or in any cloud. It uses built-in analytics and machine learning to reduce alert noise, and integrates directly with Microsoft 365 Defender, Azure Defender (now Microsoft Defender for Cloud), and third-party solutions.
Key Features
- Data Collection & Integration – Connect over 300 data sources with built‑in connectors.
- Analytics & Threat Detection – Built‑in analytics rules and custom queries with Kusto Query Language (KQL).
- Investigation & Hunting – Interactive workbooks and hunting queries.
- Automation – Automated response via Azure Logic Apps playbooks.
- Scalable & Pay-as-you-go – Pay only for the data you ingest into the underlying Log Analytics workspace (billed per GB).
Getting Started
Follow these steps to deploy Sentinel in your Azure subscription:
- Navigate to the Getting Started guide.
- Create a Log Analytics workspace if you don’t have one.
- Enable Microsoft Sentinel on the workspace.
- Add data connectors for the services you want to monitor.
- Deploy default analytics rules and configure alerts.
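The same procedure (workspace, Sentinel onboarding, a scheduled analytics rule) driven through the Azure Resource Manager REST API. This is an added example, not code from the Sentinel documentation. It assumes a bearer token for https://management.azure.com in the AZURE_TOKEN environment variable (for instance from `az account get-access-token`), the api-versions 2022-10-01 (workspaces) and 2023-02-01 (SecurityInsights), and placeholder subscription, resource group and workspace names; the data-connector step is connector-specific and is not covered here.

```python
"""Create a Log Analytics workspace, onboard it to Microsoft Sentinel and
add one scheduled analytics rule via ARM REST calls.

Added example (not the Sentinel docs' own code). Assumptions: AZURE_TOKEN
holds an ARM bearer token; api-versions 2022-10-01 / 2023-02-01; the
subscription, resource group and workspace names in main() are placeholders.
"""
import json
import os
import urllib.request
import uuid

ARM = "https://management.azure.com"


def workspace_id(sub, rg, ws):
    """ARM resource ID of the Log Analytics workspace."""
    return (f"/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{ws}")


def workspace_body(location, retention_days=30):
    """PUT body for a pay-as-you-go (PerGB2018) workspace."""
    return {"location": location,
            "properties": {"sku": {"name": "PerGB2018"},
                           "retentionInDays": retention_days}}


def onboarding_path(sub, rg, ws):
    """Sentinel is enabled by creating the 'default' onboardingStates child resource."""
    return workspace_id(sub, rg, ws) + \
        "/providers/Microsoft.SecurityInsights/onboardingStates/default"


def onboarding_body():
    return {"properties": {"customerManagedKey": False}}


def rule_path(sub, rg, ws, rule_id):
    """Analytics rules live under the workspace; rule_id is conventionally a GUID."""
    return workspace_id(sub, rg, ws) + \
        f"/providers/Microsoft.SecurityInsights/alertRules/{rule_id}"


def scheduled_rule_body(display_name, query, severity="Medium",
                        frequency="PT1H", period="PT1H", threshold=0):
    """A 'Scheduled' rule: run `query` every `frequency` over the last `period`
    and raise an alert when it returns more than `threshold` rows."""
    return {"kind": "Scheduled",
            "properties": {"displayName": display_name,
                           "enabled": True,
                           "query": query,
                           "queryFrequency": frequency,
                           "queryPeriod": period,
                           "severity": severity,
                           "triggerOperator": "GreaterThan",
                           "triggerThreshold": threshold,
                           "suppressionDuration": "PT1H",
                           "suppressionEnabled": False}}


def put_url(path, api_version):
    return f"{ARM}{path}?api-version={api_version}"


def put(path, api_version, body, token):
    """Idempotent ARM PUT; returns the parsed JSON response."""
    req = urllib.request.Request(
        put_url(path, api_version), method="PUT",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


FAILED_PRIV_SIGNINS_KQL = """SecurityEvent
| where EventID == 4625
| where AccountType == "User" and TargetUserName !endswith "$"
| where TargetUserName in~ ("Administrator")
| summarize Count = count() by TargetUserName, bin(TimeGenerated, 1h)
| where Count >= 5"""


def deploy(sub, rg, ws, location, token):
    put(workspace_id(sub, rg, ws), "2022-10-01", workspace_body(location), token)
    put(onboarding_path(sub, rg, ws), "2023-02-01", onboarding_body(), token)
    rule_id = str(uuid.uuid4())
    put(rule_path(sub, rg, ws, rule_id), "2023-02-01",
        scheduled_rule_body("Failed privileged sign-ins", FAILED_PRIV_SIGNINS_KQL), token)
    return rule_id


if __name__ == "__main__":
    # Placeholder names; replace with your own before running.
    print(deploy("00000000-0000-0000-0000-000000000000", "sec-rg", "sec-ws",
                 "westeurope", os.environ["AZURE_TOKEN"]))
```

Each PUT is idempotent, so the script can be re-run safely; only the analytics rule gets a fresh GUID per run, so store the returned rule ID if you intend to update the rule later rather than create a duplicate.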
Sample KQL Query
Find failed sign-in attempts from privileged accounts. The SecurityEvent table exposes the failing account as TargetUserName/TargetDomainName; machine accounts (names ending in "$") are excluded, and the privileged-account list and domain below are placeholders to replace with your own:
// Placeholder list: replace with the accounts you treat as privileged
let PrivilegedAccounts = dynamic(["Administrator"]);
SecurityEvent
| where EventID == 4625                          // An account failed to log on
| where AccountType == "User"                    // drop machine accounts
| where TargetUserName !endswith "$"             // belt and braces: computer accounts end in '$'
| where TargetDomainName =~ "YOURDOMAIN"          // case-insensitive domain match
| where TargetUserName in~ (PrivilegedAccounts)  // case-insensitive allowlist match
| summarize Count = count() by TargetUserName, bin(TimeGenerated, 1h)
| order by Count desc
For more queries, see the Hunting Queries page.
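To check what the query above actually keeps and drops, here is the same filter-and-aggregate logic in plain Python over a few constructed SecurityEvent-like rows. This is an added example, not code from the Sentinel documentation; the rows, the domain CONTOSO and the privileged-account list are made up for the demonstration.

```python
"""Plain-Python re-implementation of the failed-sign-in KQL query.

Added example, not from the Sentinel docs. It applies the same filters
(EventID 4625, user accounts only, no '$' machine accounts, one domain, a
privileged-account allowlist) and the same hourly bin + count to constructed
SecurityEvent-like rows, so the logic can be checked without a workspace.
"""
from collections import Counter
from datetime import datetime

# Constructed sample rows, not real telemetry:
# (TimeGenerated, EventID, AccountType, TargetUserName, TargetDomainName)
SAMPLE_EVENTS = [
    ("2024-05-01T10:05:00Z", 4625, "User",    "Administrator", "CONTOSO"),
    ("2024-05-01T10:20:00Z", 4625, "User",    "Administrator", "CONTOSO"),
    ("2024-05-01T11:02:00Z", 4625, "User",    "Administrator", "CONTOSO"),
    ("2024-05-01T10:30:00Z", 4625, "User",    "jdoe",          "CONTOSO"),   # not privileged
    ("2024-05-01T10:31:00Z", 4625, "Machine", "WKS01$",        "CONTOSO"),   # machine account
    ("2024-05-01T10:40:00Z", 4625, "User",    "Administrator", "FABRIKAM"),  # other domain
    ("2024-05-01T10:45:00Z", 4624, "User",    "Administrator", "CONTOSO"),   # success, not 4625
]


def hour_bin(time_generated):
    """Equivalent of bin(TimeGenerated, 1h): floor the timestamp to the hour."""
    dt = datetime.fromisoformat(time_generated.replace("Z", "+00:00"))
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def failed_privileged_signins(events, domain, privileged):
    """Return [(TargetUserName, hour_bin, Count)] ordered like `order by Count desc`.

    `privileged` is a set of lower-case account names; matching is
    case-insensitive, like KQL's `in~` and `=~`.
    """
    counts = Counter()
    for ts, event_id, account_type, user, user_domain in events:
        if event_id != 4625:              # only failed logons
            continue
        if account_type != "User":        # drop machine accounts
            continue
        if user.endswith("$"):            # computer accounts end in '$'
            continue
        if user_domain.lower() != domain.lower():
            continue
        if user.lower() not in privileged:
            continue
        counts[(user, hour_bin(ts))] += 1
    # KQL leaves ties unordered; break them by user then bin for determinism.
    return sorted(((u, b, c) for (u, b), c in counts.items()),
                  key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for user, bucket, count in failed_privileged_signins(
            SAMPLE_EVENTS, "CONTOSO", {"administrator"}):
        print(f"{bucket}  {user:<16} {count}")
```

Running it shows two rows for Administrator in CONTOSO (2 failures in the 10:00 bucket, 1 in the 11:00 bucket); the jdoe, machine-account, other-domain and successful-logon rows are all filtered out, which is the behaviour you want to confirm before turning the query into an analytics rule with a threshold.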