Azure Sentinel is a cloud-native security information event management (SIEM) and security orchestration automated response (SOAR) solution. It collects data from across an organization, uses built-in analytics and threat intelligence to detect threats, enables investigation of incidents with AI, and automates responses. Azure Sentinel provides visibility across users, devices, applications, and infrastructure both on-premises and in multiple clouds. It detects previously unknown threats, minimizes false positives, and allows hunting for suspicious activities at scale. Responses can be automated through built-in orchestration of common tasks. Azure Sentinel has no infrastructure setup or maintenance costs and scales automatically with unlimited compute and storage resources.

1. What is Azure Sentinel?

2. What is Azure Sentinel?

3. Introducing Azure Sentinel
Birds-eye view across the enterprise alleviating the stress of increasingly sophisticated attacks,
increasing volumes of alerts, and long resolution time frames.
Collect data at cloud scale across all users, devices,
applications, and infrastructure, both on-premises and in
multiple clouds
Detect previously undetected threats, and minimize false
positives using Microsoft's analytics and unparalleled
threat intelligence
Investigate threats with artificial intelligence, and hunt
for suspicious activities at scale, tapping into years of
cyber security work at Microsoft
Respond to incidents rapidly with built-in
orchestration and automation of common tasks

4. About Azure Sentinel
No infrastructure setup or maintenance
SIEM+SOAR service available in Azure portal
Scale automatically, put no limits to
compute or storage resources
Bring your own insights, machine learning
models, and threat intelligence
Tap into our security community to build on
detections, threat intelligence, and response
automation.
Robust interactive dashboards to visualize
and analyze data

5. Azure Sentinel at a glance
© Microsoft Corporation Azure
Microsoft
Services
Analyze & Detect Investigate & Hunt Automate &
Orchestrate Response
Visibility
Data Ingestion Data Repository Data Search
Enrichment
IntegrateCollect

6. Multi-Tenant Capable (MSSP)
Uses Azure Lighthouse to combine multiple
tenants
Manage your customers’ Sentinel resources
directly from your own Azure tenant –
without connecting to the customer’s tenant
View incidents from all selected workspaces
and tenants in a unified list
Ensures data isolation between tenants
Create cross-tenant Workbooks (dashboards),
Playbooks (automation) and threat hunting
queries

7. Traditional
Pricing
No infrastructure costs, only pay for
what you use
Bring your Office 365 Data at no cost
Predictable Billing with capacity
reservations
Sentinel
Cloud-native, scalable SIEMHardware
setup
Maintenance Software
setup
Azure Sentinel Pricing | Microsoft Azure

8. Forrester TEI study: Azure Sentinel delivers 201 percent ROI over 3 years
and a payback of less than 6 months
A three-year 201 percent return on
investment (ROI) with a payback period of
less than six months.
A 48 percent reduction in costs compared
to legacy SIEM solutions, saving on
expenses like licensing, storage, and
infrastructure costs.
A 79 percent reduction in false positives
and 80 percent reduction in the amount
of labor associated with investigation,
reducing mean time to resolution (MTTR)
over three years.
A 67 percent decrease in time to
deployment compared to legacy on-
premises SIEMs.
Link to Forrester TEI Study

9. Integrate with existing
tools, services & data
sources

10. Collect security data from all sources across the organization
Out-of-the-box integration with Microsoft
solutions
Connectors for many non-Microsoft solutions
Standard log format support for all sources
(CEF,Syslog,REST-API)
Supports integrated threat intelligence
platforms: MISP, Anomali, Palo Alto,
ThreatConnect, ExlecticIQ, ThreatQ (Public
Preview)
Import your organization’s threat indicators
More information: Connect data sources to Azure Sentinel

11. What can be ingested at no cost with Azure Sentinel?
• Azure Activity Logs
• Office 365 Audit Logs (all SharePoint activity and Exchange admin activity)
• Microsoft Defender products
• Azure Defender
• Microsoft 365 Defender
• Microsoft Defender for Office 365
• Microsoft Defender for Identity
• Microsoft Defender for Endpoint
• Azure Security Center
• Microsoft Cloud App Security
• Azure Information Protection can be ingested at no additional cost into both Azure
Sentinel, and Azure Monitor Log Analytics.
Note: Azure Active Directory (AAD) audit data is not free and is billed for ingestion into
both Azure Sentinel, and Azure Monitor Log Analytics.
Azure Sentinel Pricing

12. Detect threats out-of-the-box
Out-of-the-box, built-in templates to create
threat detection rules
Identifies common attack vectors, suspicious
activity escalation chains, known threats and
more
Advanced multi-stage attack detection using
machine learning
Create custom rules to search for specific
behavior, suspicious activities, or criteria
Alerts can be automatically correlated and
added to incidents

13. Investigate threats with AI and hunt suspicious activities at scale
Visualize context from raw data to
Get prioritized alerts and automated
expert guidance
Visualize the entire attack and its impact
Hunt for suspicious activities using pre-built
queries and Azure Notebooks
Correlates data to understand scope, identify
root cause of potential threats

14. Visualize and monitor your data
Create interactive custom dashboards and
reports to bring new insights to your data
Based on Azure Monitor Workbooks
Dozens of pre-built out of the box workbooks
Sentinel can also use PowerBI for dashboards
and reports

15. Respond rapidly with built-in orchestration and automation
Automatically or manually respond to an
alert with a collection of procedures
Integrate with triggers and actions across
multiple Microsoft and 3rd party tools and
services
Based on Azure Logic Apps
Examples:
• Automatically create service desk tickets
• Automatically isolate a device if suspicious
behavior detected

16. Advanced capabilities

17. Proactively hunt for threats across the organization
Built-in queries to guide you in finding new
anomalies that weren’t detected by security
apps, using your existing data
Developed and maintained by Microsoft
security researchers on a continuous basis
Get notified of potential or current threats to
your organization via threat data feeds
Aligns with MITRE ATT&CK

18. Jupyter notebooks to hunt for security threats
Combines full programmability with huge
collection of libraries for machine learning,
visualization and data analysis
Enrich data using external sources such as
threat intelligence, and other network
databases (e.g. VirusTotal, GeoIP,etc)
Automate common investigative steps such
as gathering additional host and network
details, triggering host actions like collecting
an investigative package, or running anti-virus
scans.
Use your own Machine Learning for data
processing and analysis

19. User & Entity Behavior Analytics
Builds baseline behavioral profiles of entities within the
organization
Clear understanding of anomalous activities in context
in comparison of the baseline
Identifies anomalous activity to determine if an asset
has been compromised
Evaluate potential impact (“blast radius”)
Aligned with MITRE ATT&CK
Types of entities include: users, hosts, IPs,files, processes,
URLs, mailboxes, registry keys, domain names, SaaS
apps and more!

20. Out-of-the-box and customizable SOC incident metrics
Workbook template to measure SOC
operational metrics:
• Incidents created over time
• Incidents created by closing classification,
severity, owner, and status
• Mean time to triage
• Mean time to closure
• Incidents created by severity, owner, status,
product, and tactics over time
• Time to triage percentiles
• Time to closure percentiles
• Mean time to triage per owner
• Recent activities
• Recent closing classifications

21. Watchlists (Preview)
Investigating threats and responding to incidents quickly
with the rapid import of IP addresses, file hashes, and
other data. Use in alert rules, threat hunting, workbooks,
notebooks, and general queries
Importing business data as a watchlists. For example,
import user lists with privileged system access, or
terminated employees, and then use the watchlist to
create allow and deny lists used to detect or prevent those
users from logging in to the network
Reducing alert fatigue Create allow lists to suppress alerts
from a group of users, such as users from authorized IP
addresses that perform tasks that would normally trigger
the alert, and prevent benign events from becoming alerts
Enriching event data. Use watchlists to enrich your event
data with name-value combinations derived from external
data sources
Enables collection of data from external data sources for correlation with events in Sentinel

22. Wrap Up & Resources

23. Resources
Sentinel Ninja Training (L400)
Sentinel GitHub SecOps Community
Technical Documentation