Microsoft Sentinel
What is Microsoft Sentinel?
A cloud-native SIEM and SOAR service from Microsoft running on Azure, querying logs with Kusto Query Language (KQL) and integrating natively with Microsoft 365 Defender and Azure data sources.
Microsoft Sentinel is a SaaS SIEM and SOAR built on Azure Log Analytics workspaces and Azure Monitor, released by Microsoft in 2019 (originally as Azure Sentinel) and rebranded in 2021. Analysts query data using Kusto Query Language (KQL), build analytics rules, near-real-time (NRT) rules, and hunting queries, and orchestrate response via Logic Apps playbooks. Sentinel ingests data through 200-plus content connectors (Microsoft 365 Defender, Entra ID, Azure Activity, AWS CloudTrail, GCP, Syslog, CEF, MISP, custom data collection rules), maps detections to MITRE ATT&CK, and surfaces incidents in a unified XDR portal alongside Defender XDR. It is billed per ingested gigabyte with commitment tiers and integrates with Microsoft Copilot for Security.
● Examples
- 01
Writing a KQL analytics rule to alert when an Entra ID sign-in from an impossible-travel pattern follows an MFA push spam burst.
- 02
Triggering a Logic App playbook to isolate a device via Defender for Endpoint when a Sentinel incident reaches High severity.
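As an added illustration of Example 01 (this is not code from the original page or from Microsoft), the following KQL could serve as the query body of a scheduled analytics rule. It assumes the Entra ID SigninLogs table; the thresholds, the time windows, the use of ResultType "500121" for rejected or expired MFA requests, and the crude "two countries within an hour" travel test are all assumptions to tune for your tenant.

```kql
// Added example, not from the original page. Assumes the Entra ID SigninLogs table.
// Thresholds, windows and the ResultType codes below are assumptions to tune.
let lookback = 1h;
let mfaWindow = 10m;
let pushThreshold = 5;   // MFA requests per 10 minutes that we treat as a "push spam" burst
// Step 1: bursts of MFA requests that failed (rejected or timed out) for one user.
let pushSpam =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "500121"   // "Authentication failed during strong authentication request"
    | summarize PushCount = count(), SpamStart = min(TimeGenerated), SpamEnd = max(TimeGenerated)
        by UserPrincipalName, bin(TimeGenerated, mfaWindow)
    | where PushCount >= pushThreshold;
// Step 2: successful sign-ins whose country differs from the user's previous successful
// sign-in less than an hour earlier (a deliberately simple impossible-travel test).
let impossibleTravel =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project TimeGenerated, UserPrincipalName, IPAddress, Location
    | order by UserPrincipalName asc, TimeGenerated asc
    | extend PrevUser = prev(UserPrincipalName), PrevLocation = prev(Location), PrevTime = prev(TimeGenerated)
    | where PrevUser == UserPrincipalName and PrevLocation != Location
    | extend GapMinutes = datetime_diff('minute', TimeGenerated, PrevTime)
    | where GapMinutes < 60;
// Step 3: keep only successes that land within 30 minutes after a push-spam burst for that user.
impossibleTravel
| join kind=inner pushSpam on UserPrincipalName
| where TimeGenerated between (SpamEnd .. (SpamEnd + 30m))
| project TimeGenerated, UserPrincipalName, IPAddress, PrevLocation, Location, GapMinutes,
          PushCount, SpamStart, SpamEnd
```

Each row is one candidate of a push-fatigue attempt followed by a successful sign-in from a new country, with the burst size and timing attached so the analyst can triage it; map the rule's entity fields to UserPrincipalName and IPAddress so the incident carries the account and address.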
● Frequently asked questions
What is Microsoft Sentinel?
A cloud-native SIEM and SOAR service from Microsoft running on Azure, querying logs with Kusto Query Language (KQL) and integrating natively with Microsoft 365 Defender and Azure data sources. It belongs to the Defense & Operations category of cybersecurity.
What are other names for Microsoft Sentinel?
Common alternative names include: Azure Sentinel, MS Sentinel.
● Related terms
- SIEM (defense-ops № 1039): A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
- SOAR (defense-ops № 1062): A platform that automates and orchestrates SOC workflows by chaining detections, enrichments and response actions into playbooks executed across security tools.
- XDR (Extended Detection and Response) (defense-ops № 1254): A security platform that unifies telemetry from endpoint, network, identity, email and cloud sensors to deliver correlated detections and integrated response actions.
- Splunk Enterprise Security (defense-ops № 1080): A commercial SIEM solution from Splunk Inc. (acquired by Cisco in 2024) that ingests, indexes, and correlates machine data using the Splunk Processing Language (SPL) for security monitoring and investigation.
- Google Chronicle SecOps (defense-ops № 448): Google Cloud's cloud-native SIEM and SOAR (formerly Backstory) that stores petabyte-scale telemetry at a flat per-employee price and queries it with the YARA-L detection language.
- MITRE ATT&CK (compliance № 687): A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.