Azure Sentinel Documentation

Azure Sentinel is Microsoft's cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution.

Introduction to Azure Sentinel

Azure Sentinel provides intelligent security analytics and threat intelligence across your enterprise. It serves as your single pane of glass for threat detection, threat visibility, proactive hunting, and threat response.

Sentinel uses a combination of machine learning, AI, and a rich set of built-in analytics rules to detect threats that other SIEM solutions might miss. It integrates seamlessly with other Azure services and can ingest data from a wide variety of sources, including firewalls, proxies, servers, and applications.

With Azure Sentinel, you can:

  • Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
  • Detect previously undetected threats, and minimize false positives using analytics and an intelligent threat hunting team.
  • Investigate threats with AI and custom search tools.
  • Respond to incidents rapidly with automation and orchestration.

Key Features of Azure Sentinel

Data Connectors

Ingest data from a wide range of sources, including:

  • Microsoft services (Azure Activity Logs, Microsoft 365 Defender, Azure AD Identity Protection)
  • Microsoft security solutions (Microsoft Defender for Endpoint, Microsoft Defender for Identity)
  • Non-Microsoft security solutions (firewalls, IDS/IPS, endpoints)
  • Cloud workloads (AWS, GCP)
  • On-premises servers and applications


Workbooks

Visualize your data with interactive dashboards and reports using Azure Workbooks. Create custom dashboards to monitor specific security aspects of your environment.


Analytics Rules

Detect threats using built-in and custom analytics rules. Rule logic is written in Kusto Query Language (KQL), which lets you express complex detection conditions over the data your connectors ingest; when a scheduled query returns results, Sentinel raises an alert and groups alerts into incidents.
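As an added example (not taken from the original page or from Microsoft's rule templates), a custom scheduled analytics rule in KQL that flags an account with many failed sign-ins followed by a successful sign-in in the same window. SigninLogs and its UserPrincipalName, IPAddress and ResultType columns are the standard Azure AD sign-in log fields; the one-hour lookback and threshold of 10 failures are assumed tuning values.

```kusto
// Constructed detection: password-spray / brute-force attempt that ends in a successful sign-in.
// Scheduled rule: run every hour, lookback 1 hour (adjust both together to avoid gaps).
let lookback = 1h;
let failure_threshold = 10;   // assumed value; tune to your environment's baseline
// Step 1: accounts with a high number of failed sign-ins in the window.
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                 // "0" is a successful sign-in
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated),
                FailureIPs = make_set(IPAddress, 10),
                ResultCodes = make_set(ResultType, 10)
              by UserPrincipalName
    | where FailedCount >= failure_threshold;
// Step 2: successful sign-ins for those same accounts that occur after the last failure.
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project UserPrincipalName,
              SuccessTime = TimeGenerated,
              SuccessIP = IPAddress,
              SuccessApp = AppDisplayName;
failures
| join kind=inner successes on UserPrincipalName
| where SuccessTime > LastFailure
// One row per account; keep the earliest success after the failure burst.
| summarize arg_min(SuccessTime, *) by UserPrincipalName
// Entity mapping fields for the rule: Account = UserPrincipalName, IP = SuccessIP.
| project TimeGenerated = SuccessTime, UserPrincipalName, FailedCount,
          FirstFailure, LastFailure, FailureIPs, ResultCodes,
          SuccessIP, SuccessApp
| order by FailedCount desc
```

In the rule wizard, map UserPrincipalName to the Account entity and SuccessIP to the IP entity so the incident investigation graph links the two; a success from an IP not present in FailureIPs is the higher-risk case to triage first.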


Hunting

Proactively hunt for threats using powerful query tools. Explore your data to uncover suspicious activities and potential security incidents.


SOAR (Security Orchestration, Automation, and Response)

Automate common security tasks and incident response playbooks using Azure Logic Apps. Reduce manual effort and speed up incident remediation.


Getting Started with Azure Sentinel

Prerequisites

To use Azure Sentinel, you need an Azure subscription and a Log Analytics workspace.

  1. Enable Azure Sentinel: Provision Azure Sentinel in your Azure subscription.
  2. Connect Data Sources: Configure data connectors to ingest security-related logs and events.
  3. Configure Analytics Rules: Deploy built-in rules or create custom rules to detect threats.
  4. Investigate Incidents: Monitor alerts and investigate incidents using the Sentinel portal.
  5. Automate Responses: Implement playbooks to automate incident remediation.


Common Use Cases

  • Threat Detection: Identify sophisticated threats across your hybrid environment.
  • Incident Response: Streamline the process of investigating and responding to security incidents.
  • Security Analytics: Gain deep insights into your security posture.
  • Compliance Monitoring: Ensure your environment meets regulatory compliance standards.
  • Threat Hunting: Proactively search for unknown threats.
