Microsoft Sentinel: SIEM & SOAR Guide
Cloud-native SIEM and SOAR, from workspace setup and data connector configuration to KQL analytics rules, UEBA behavioral analytics, and Logic Apps playbooks for automated incident response.
Overview & Architecture
Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) built on Azure Log Analytics. It ingests security data, detects threats with AI and KQL rules, and responds via automated playbooks.
Collect
- Data connectors for Microsoft and third-party sources
- Log Analytics workspace as the data store
- Syslog, CEF, REST API, Agent-based collection
- Ingestion cost: per GB ingested
Detect
- Built-in analytics rules (MITRE ATT&CK mapped)
- Custom KQL detection queries
- UEBA (User & Entity Behavior Analytics)
- ML-based anomaly detection
Respond
- Incident queue with triage workflow
- Logic Apps playbooks for SOAR automation
- Automation rules for incident routing
- Integration with Teams, ServiceNow, JIRA
Pricing Model
| Model | Cost | Best For |
|---|---|---|
| Pay-as-you-go | ~$2.46/GB ingested | Low volume / testing |
| Commitment Tier 100 GB/day | ~$123/day (effective ~$1.23/GB) | Medium environments |
| Commitment Tier 200 GB/day | ~$196/day (effective ~$0.98/GB) | Large enterprise |
| Microsoft 365 E5 benefit | First 5 MB/user/day free | M365 data sources |
Workspace Setup
Workspace Architecture
- Single workspace: All logs in one place; recommended for most orgs
- Multi-workspace: For geographic data sovereignty or separate SOC teams
- Workspace in same region as primary data sources
- Retention: 90 days interactive + up to 12 years archive
- Roles: Microsoft Sentinel Contributor, Microsoft Sentinel Reader
Initial Configuration
1. Create Log Analytics Workspace: Azure Portal → Log Analytics Workspaces → Create. Choose a region close to the data sources.
2. Enable Microsoft Sentinel: Microsoft Sentinel → Add → Select workspace → Add Sentinel.
3. Connect Data Sources: Content hub → Install solutions → Enable data connectors for priority sources.
4. Enable Analytics Rules: Analytics → Rule templates → Enable relevant rules (start with the Microsoft Security rules).
Data Connectors
Microsoft first-party connectors (MDE, Entra ID, M365) are typically free to ingest under the M365 E5 benefit. Third-party sources and Windows Security Events can be costly at scale; plan the ingestion budget carefully.
Priority Microsoft Connectors
- Microsoft Defender XDR (formerly M365 Defender): MDE alerts, MDE advanced hunting events, MDO events, MCAS alerts, all in one connector. Includes incident sync. Free with E5.
- Microsoft Entra ID: Sign-in logs, audit logs, Identity Protection risk events, provisioning logs. Free with E5.
- Microsoft Defender for Cloud: Security alerts from Azure resources, CSPM recommendations, regulatory compliance. Billable.
- Windows Security Events via AMA: Windows event logs (Security, System, Application) via Azure Monitor Agent. Billable (high volume).
- Azure Firewall / Network Security Groups: Network traffic logs for east-west visibility. Billable.
Third-Party Connectors
| Vendor | Method | Data Sent |
|---|---|---|
| Cisco ASA / Firepower | Syslog via CEF | Firewall logs, IPS events |
| Palo Alto Networks | Syslog / API | Traffic, threat, WildFire events |
| Fortinet FortiGate | Syslog CEF | Firewall, VPN, UTM events |
| CrowdStrike Falcon | REST API | Detections, incidents, device events |
| AWS CloudTrail | S3 + Lambda | API calls, management events |
| Okta | REST API | Authentication, admin events |
Analytics Rules
Rule Types
- Scheduled: KQL query runs on a schedule (most common)
- Microsoft Security: Auto-create incidents from MDE/MDO/MCAS alerts
- Fusion: ML-based multi-signal correlation (built-in)
- Machine Learning Behavioral Analytics: Anomaly detection (built-in)
- Anomaly: UEBA-powered behavioral baselines
- Near Real-Time (NRT): 1-minute detection latency
Priority Rules to Enable
- Sign-in from impossible travel
- Multiple failed logins followed by success
- New admin account created outside business hours
- Bulk download of SharePoint files
- Mass deletion of files (ransomware indicator)
- Password spray attack
- Privileged account lateral movement
Scheduled Rule Settings
| Setting | Recommendation |
|---|---|
| Query frequency | 5 minutes to 1 hour (based on detection urgency) |
| Lookup window | Equal to or greater than the query frequency (no data gaps) |
| Incident creation | Enabled; group alerts into incidents by entity |
| Alert grouping | Group by account, host, or IP (reduce alert noise) |
| Suppression | Suppress duplicate alerts for X hours after first |
| Severity | Map to MITRE ATT&CK technique impact |
MITRE ATT&CK Coverage
Tag every analytics rule with MITRE ATT&CK tactics and techniques to track coverage gaps.
Tactics to cover: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command & Control, Exfiltration, Impact.
KQL Detection Queries
```kql
// Detect password spray attack (many users, few attempts each)
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"   // failed sign-ins only
| summarize
    FailedAttempts = count(),
    AffectedUsers = dcount(UserPrincipalName)
    by IPAddress, bin(TimeGenerated, 10m)
| where AffectedUsers > 20 and FailedAttempts > 50
| project TimeGenerated, IPAddress, AffectedUsers, FailedAttempts
```

```kql
// Detect impossible travel (sign-in from two distant locations within 30 min)
let timeWindow = 30m;
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"
| where isnotempty(LocationDetails)
| project UserPrincipalName, TimeGenerated, IPAddress,
    City = tostring(LocationDetails.city),
    Country = tostring(LocationDetails.countryOrRegion)
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == "0"
    | where isnotempty(LocationDetails)
    | project UserPrincipalName, TimeGenerated2 = TimeGenerated,
        City2 = tostring(LocationDetails.city),
        Country2 = tostring(LocationDetails.countryOrRegion)
    ) on UserPrincipalName
// Keep only the later sign-in of each pair, so every transition is reported once
// and a row is never matched against itself
| where TimeGenerated2 > TimeGenerated and TimeGenerated2 - TimeGenerated < timeWindow
| where Country != Country2
| project UserPrincipalName, TimeGenerated, City, Country, TimeGenerated2, City2, Country2
```

```kql
// Detect bulk file deletion (ransomware indicator)
OfficeActivity
| where Operation in ("FileDeleted", "FileRecycled")
| where TimeGenerated > ago(1h)
| summarize DeletionCount = count() by UserId, SiteUrl, bin(TimeGenerated, 10m)
| where DeletionCount > 100
| order by DeletionCount desc
```

```kql
// Find new Global Admin assignments
AuditLogs
| where OperationName == "Add member to role"
| where TargetResources[0].modifiedProperties[0].newValue contains "Global Administrator"
| extend
    // The actor is a user for portal changes and an app for automated changes
    Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName)),
    Target = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, Actor, Target, OperationName
| order by TimeGenerated desc
```
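As an added Python example (not code from this page or from Microsoft), the password-spray and impossible-travel detections above are re-implemented over constructed SigninLogs-style rows, so the binning and pairing logic can be checked offline before it is run as a scheduled rule. Column names follow SigninLogs; `Country` stands in for `LocationDetails.countryOrRegion`, the rows are constructed sample data, and the thresholds are the ones used above (20 users, 50 failures, 30 minutes).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SigninLogs-style rows (not real telemetry); ResultType "0" is a successful
# sign-in, "50126" is the Entra ID code for a wrong username or password.
def row(ts, upn, ip, result, country):
    return {"TimeGenerated": datetime.fromisoformat(ts), "UserPrincipalName": upn,
            "IPAddress": ip, "ResultType": result, "Country": country}

SIGNINS = [
    row("2024-05-01T09:00:00", "alice@contoso.example", "203.0.113.5", "0", "US"),
    row("2024-05-01T09:20:00", "alice@contoso.example", "198.51.100.9", "0", "DE"),  # 20 min, US -> DE
    row("2024-05-01T09:00:00", "bob@contoso.example", "203.0.113.6", "0", "US"),
    row("2024-05-01T09:40:00", "bob@contoso.example", "203.0.113.6", "0", "US"),
    row("2024-05-01T12:00:00", "bob@contoso.example", "198.51.100.9", "0", "DE"),    # 2h20m, too slow
]
# One spraying source: 30 accounts, two failed attempts each, inside a single 10-minute bin.
SIGNINS += [row("2024-05-01T10:03:00", f"user{u}@contoso.example", "192.0.2.77", "50126", "US")
            for u in range(30) for _ in range(2)]

def bin_start(ts, minutes=10):
    """Floor a timestamp to a fixed-size bin, like KQL bin(TimeGenerated, 10m)."""
    return ts - timedelta(minutes=ts.minute % minutes, seconds=ts.second, microseconds=ts.microsecond)

def password_spray(rows, min_users=20, min_failures=50, bin_minutes=10):
    """Failed sign-ins grouped by source IP and time bin; a source that fails against
    many distinct accounts in one bin is the spray pattern the KQL rule looks for."""
    buckets = defaultdict(list)
    for r in rows:
        if r["ResultType"] != "0":
            buckets[(r["IPAddress"], bin_start(r["TimeGenerated"], bin_minutes))].append(r["UserPrincipalName"])
    return [{"IPAddress": ip, "Bin": b, "AffectedUsers": len(set(users)), "FailedAttempts": len(users)}
            for (ip, b), users in buckets.items()
            if len(set(users)) > min_users and len(users) > min_failures]

def impossible_travel(rows, window=timedelta(minutes=30)):
    """Walk each user's successful sign-ins in time order and report a country change
    inside the window. Checking consecutive events finds every pair the KQL self-join
    finds, but reports each transition once and never pairs a row with itself."""
    by_user = defaultdict(list)
    for r in rows:
        if r["ResultType"] == "0":
            by_user[r["UserPrincipalName"]].append(r)
    hits = []
    for upn, events in by_user.items():
        events.sort(key=lambda r: r["TimeGenerated"])
        for prev, cur in zip(events, events[1:]):
            gap = cur["TimeGenerated"] - prev["TimeGenerated"]
            if prev["Country"] != cur["Country"] and gap < window:
                hits.append((upn, prev["Country"], cur["Country"], gap))
    return hits
```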
UEBA: User & Entity Behavior Analytics
How UEBA Works
- Builds behavioral baselines for each user and entity
- Detects deviations from normal behavior patterns
- Scores entities with an Investigation Priority Score
- Correlates across multiple data sources
- Surfaces anomalies even without specific rules
- Requires Entra ID P2 for full user entity enrichment
UEBA Data Points
- Unusual login hours (2am vs. typical 9am)
- New country/region access
- Unusual data volume download
- Peer anomaly detection (vs. similar users)
- Device hopping (many new devices)
- Lateral movement (accessing new resources)
Incident Management
Incident Lifecycle
- New: Alert triggered, incident created
- Active: Analyst investigating
- Closed (True Positive): Real threat confirmed
- Closed (Benign Positive): Expected activity
- Closed (False Positive): Rule needs tuning
Incident Investigation Tools
- Investigation graph: visualize entity relationships
- Timeline: all events related to incident
- Entity pages: full context for user, device, IP
- Bookmarks: save important queries and events
- Log queries: direct KQL access from incident
Playbooks (SOAR)
Sentinel playbooks are Azure Logic Apps triggered by analytics rule alerts or incidents. They automate response actions: block a user, isolate a device, post to Teams, create a ServiceNow ticket, or enrich an alert with threat intelligence.
Common Playbook Actions
- Disable user account in Entra ID
- Revoke all user sessions (token revocation)
- Isolate device via MDE API
- Block IP in Azure Firewall
- Post alert to Teams channel
- Create ITSM ticket (ServiceNow, Jira)
- Send email to SOC team
- Enrich alert with VirusTotal / threat intel
Playbook Triggers
| Trigger Type | When to Use |
|---|---|
| Incident trigger | Full incident context, recommended for SOAR |
| Alert trigger | Per-alert action before incident grouping |
| Entity trigger | Manual run from entity page |
| Scheduled | Periodic cleanup or report generation |
```http
// Playbook: Disable user + post to Teams (Logic App with Sentinel incident trigger)
// Step 1: Parse incident from Sentinel trigger
// Step 2: Get affected user UPN from the incident's Account entity
// Step 3: Disable user via Graph API
//   The playbook's managed identity needs User.EnableDisableAccount.All (or User.ReadWrite.All)
PATCH https://graph.microsoft.com/v1.0/users/{userUPN}
Content-Type: application/json
{
  "accountEnabled": false
}
// Step 4: Revoke all refresh tokens (needs User.RevokeSessions.All or User.ReadWrite.All)
POST https://graph.microsoft.com/v1.0/users/{userUPN}/revokeSignInSessions
// Step 5: Post notification to Teams
POST https://graph.microsoft.com/v1.0/teams/{teamId}/channels/{channelId}/messages
{
  "body": {
    "content": "SENTINEL ALERT: User {userUPN} disabled. Incident: {incidentTitle}. Please investigate immediately."
  }
}
// Step 6: Add comment to Sentinel incident (Azure Resource Manager API: PUT with a comment id
//   chosen by the caller, e.g. a new GUID; the api-version query parameter is required)
PUT https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{ws}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{commentId}?api-version={apiVersion}
{
  "properties": { "message": "User account disabled and sessions revoked automatically by playbook." }
}
```
Automation Rules
Automation Rule Capabilities
- Auto-assign incidents to specific analysts
- Auto-change incident severity based on conditions
- Auto-close low-fidelity known false positives
- Auto-trigger a playbook on incident creation
- Add tags to incidents for tracking
- Run before playbooks in the execution order
Automation Rule Examples
- If rule = "Password Spray" → Severity = High → Assign to Tier 2
- If rule = "Test Alert" → Close as False Positive
- If severity = Informational AND source = Azure Defender → Close
- If entity = specific service account → Add tag "service-account"
Workbooks & Reports
Built-in Workbooks
- Azure AD Sign-In & Audit
- Microsoft Defender for Endpoint
- Security Operations Efficiency
- MITRE ATT&CK coverage map
Key Metrics to Track
- MTTD (Mean Time to Detect)
- MTTR (Mean Time to Respond)
- True positive rate per rule
- Data ingestion volume trend
Power BI Integration
- Export KQL results to Power BI
- Build executive security dashboards
- Schedule automated report distribution
- Trend analysis over months/quarters
Cost Management
Cost Reduction Tips
- Use Commitment Tiers once data volume is known
- Filter noisy Windows Event IDs (4624, 4688) before ingest
- Exclude verbose logs (firewall allow rules) or use Basic Logs tier
- Archive infrequently accessed data (cheaper tier)
- Free 5 MB/user/day for M365 E5 data sources
Basic vs. Analytics Logs
| Feature | Analytics Logs | Basic Logs |
|---|---|---|
| Ingestion cost | ~$2.46/GB | ~$0.62/GB |
| Query cost | Free | $0.006/GB queried |
| Interactive retention | 90 days | 8 days |
| Analytics rules | Full support | Not supported |
Troubleshooting
Common Issues & Fixes
| Issue | Cause | Fix |
|---|---|---|
| Connector shows disconnected | Permissions revoked or service principal expired | Re-authorize connector; check app permissions in Entra ID |
| Analytics rule not firing | No matching data in lookup window or query error | Test query manually in Logs; verify data is ingesting |
| Playbook failing | Logic App permissions or API call failure | Check Logic App run history; verify Managed Identity permissions |
| Too many false positive alerts | Rule too broad; missing exclusions | Add exclusions; tune confidence level; use alert grouping |
| High ingestion costs | Verbose tables (SecurityEvent, AzureDiagnostics) | Filter at collection via DCR transformations; use Basic Logs |
| UEBA not generating insights | Entra ID connector not streaming audit logs | Verify Entra ID diagnostic settings sending to Sentinel workspace |
Implementation Checklist
Workspace & Connectors
- Log Analytics workspace created in correct region
- Microsoft Sentinel enabled on workspace
- Microsoft Defender XDR connector enabled
- Microsoft Entra ID connector enabled (sign-in + audit)
- Defender for Cloud connector enabled
- Priority third-party connectors configured
Detection
- Microsoft Security analytics rules enabled
- Fusion rule enabled (ML correlation)
- Priority custom KQL rules created
- UEBA enabled
- MITRE ATT&CK coverage reviewed
Response
- Incident queue triage process documented
- Playbook: Disable user on high-risk alert
- Playbook: Teams notification for Critical alerts
- Automation rules for false positive suppression
- Analyst roles and responsibilities defined
Operations
- Commitment tier selected based on ingestion volume
- Cost monitoring alert configured (Azure Cost Management)
- Noisy tables filtered or moved to Basic Logs
- SOC workbooks created for daily/weekly review
- MTTD/MTTR metrics tracked monthly