CoursesAzure securityDefender for Cloud & Sentinel

Microsoft Sentinel SIEM/SOAR

Analytics rules, UEBA, playbooks that respond.

Advanced35 min · lesson 11 of 15

Detection is only as good as what happens after an alert fires. Microsoft Sentinel is the cloud-native SIEM and SOAR that ingests signals across your estate, turns them into incidents, and automates response — the difference between spotting an incident and containing one.

Ingest, detect, correlate

Sentinel connects to Entra ID sign-in and audit logs, Defender for Cloud alerts, Azure Activity, Office 365, network and firewall logs, and third-party sources, landing them in a Log Analytics workspace. Analytics rules — scheduled KQL queries and near-real-time detections — turn suspicious patterns into incidents, while UEBA baselines user and entity behavior to catch impossible travel, unusual access, and subtle account compromise that static rules miss. The result is a single, correlated incident queue instead of a dozen disconnected consoles.

an analytics rule and an automated response
// Analytics rule (KQL): mass secret reads from one identity in 5 minutes.
KeyVaultData
| where OperationName == "SecretGet"
| summarize reads = count() by CallerIPAddress, identity_claim_upn_s, bin(TimeGenerated, 5m)
| where reads > 50 // threshold → raises a Sentinel incident
// A playbook (Logic App) on that incident then, automatically:
// 1) disables the user (Entra), 2) revokes sign-in sessions,
// 3) posts to the SecOps channel and opens a ticket.

Automate response, tune for signal

Playbooks — Logic Apps triggered by incidents — turn detection into containment: disable a user, isolate a VM with a deny-all NSG, revoke sessions, or open a ticket, in seconds and without waiting for a human. Treat alert quality as first-class: tune analytics rules, deduplicate, and prioritize by severity and asset criticality so responders act on signal, not noise. Wrap the high-severity paths in rehearsed runbooks so the first real "compromised identity" incident runs a playbook you have practiced.

Sentinel: from signal to contained incident
1connectors
Entra, Defender, Activity, network…
2analytics rules + UEBA
detections → incidents
3investigation
correlate entities, hunt
4playbooks (SOAR)
disable, isolate, revoke, ticket
One SIEM correlates every source; SOAR playbooks turn a detection into containment. Detection without response is theatre.
Alert fatigue hides the real one
A firehose of low-signal incidents trains responders to ignore the queue, and the one that matters drowns. Ruthlessly tune analytics rules, suppress benign patterns, and prioritize by severity and asset criticality — a smaller stream of high-confidence incidents beats a flood every time.