Microsoft Azure Sentinel – What Why & How

In this blog we will look at what Microsoft Azure Sentinel is, in a simple and easy way. We will also discuss why you need Microsoft Azure Sentinel, or rather why you should have Azure Sentinel. Lastly, we will walk step by step through how to set up and use Azure Sentinel in your environment.

What is Microsoft Azure Sentinel

In an organization's cloud infrastructure there is always a risk of threats, viruses and other unauthorized or malicious activity. This risk is spread across the cloud infrastructure, the on-premises infrastructure, devices, and possibly other clouds (if you have a multi-cloud architecture), as well as the various cloud integration services. Hence there is a need for a central system that can take care of detecting all these threats and is capable of responding to them in a defined, automated way.

This capability is provided by Microsoft Azure Sentinel.

What is the Microsoft Azure Sentinel cloud-native SIEM

Azure Sentinel is a SIEM (Security Information and Event Management) solution. It uses advanced AI and machine learning algorithms to analyze logs and tries to detect any threat posed to the system. Azure Sentinel basically comprises the four steps depicted in the diagram below:

Figure 1: Azure Sentinel Overview
  • Collect: Azure Sentinel collects data and information from across all systems, devices, services, applications, on-premises servers and the cloud. The various systems generate a huge amount of log information that can be key for security professionals to identify threats or anomalies.
  • Detect: Once the data is collected, Azure Sentinel analyzes it and tries to detect threats using Microsoft security intelligence and AI.
  • Investigate: Azure Sentinel then investigates all the detected threats and, using AI at large scale, determines whether they matter for the organization or not.
  • Respond: It defines the response mechanism for the detected threat. This can be a series of workflows that are initiated when a specific kind of threat is detected.

Why we should use Azure Sentinel

In a large infrastructure it is not possible to analyze each and every system and service by hand to identify threats. We need a system that works at scale and lets us analyze all resources and services from a security standpoint in one place. Azure Sentinel provides a global solution for analyzing any security threat across your entire landscape, which may include all your resources, endpoints, applications, devices and other cloud infrastructure. Through its collect feature, Azure Sentinel provides connectors that bring the logs from any kind of system or service into one place.

This huge volume of data is then analyzed automatically using Microsoft AI technology to intercept any threat to the system. It gives you the capability to observe millions of events taking place across the system and to identify anomalies in any one of them.

Not only can you detect threats, you also get access to Microsoft's years of research and understanding to identify and differentiate between the threats that matter and those that don't. Microsoft also has visibility into many clients' infrastructures, so the Microsoft-powered AI takes that information into consideration as well when making any decision.

Lastly, it provides the response mechanism, which can work in real time to respond to threats. It helps you take whatever action is needed to mitigate the risk, or to follow a systematic approach for a specific event type, using standard best practices.

How to set up Azure Sentinel

Azure Sentinel is easy to set up and work with. Let's see step by step how we can set up Azure Sentinel from scratch. Log in to the Azure portal and search for Azure Sentinel in the search box:

Figure 2: Select Azure Sentinel in the Azure portal

Click + Add to create a new workspace:

Figure 3: Azure Sentinel account

It will ask you to create a new workspace (a Log Analytics workspace). Click + and create.

Figure 4: Create a new Azure Sentinel workspace

Provide the subscription details, the resource group name and the Azure Sentinel workspace name. Once you have filled in all this information, move to the Pricing tab.

Figure 5: Provide subscription and resource group details

Select the pricing model. So far there is only one pricing model, i.e. the pay-as-you-go model, so choose that.

Figure 6: Select the Azure Sentinel pricing tier

Tags are optional, so we can skip them and go to Review + create. This will create your Azure Log Analytics workspace.

Figure 7: The newly created Azure Log Analytics workspace

Add the Log Analytics workspace to Azure Sentinel.

Figure 8: Add Log Analytics to Azure Sentinel

Now Azure Sentinel is ready to rock.

Figure 9: Azure Sentinel overview
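The same setup as a script, added here as an example (it is not code from the original post): it creates the resource group and the Log Analytics workspace on the pay-as-you-go tier (`PerGB2018` in the CLI) and then attaches Azure Sentinel, using the Azure CLI instead of the portal clicks above. Assumptions: `az` is installed and logged in; the last step uses the `az monitor log-analytics solution` command from the `log-analytics-solution` CLI extension, whose flags have changed between extension versions, so check `az monitor log-analytics solution create --help` before running it; the resource names and the `DRY_RUN` / `SENTINEL_*` variables are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post: provision a Log Analytics
# workspace on the pay-as-you-go (PerGB2018) tier and attach the Azure
# Sentinel solution (SecurityInsights) to it with the Azure CLI.
# Assumptions: `az` is installed and logged in; the final step relies on
# the `log-analytics-solution` CLI extension (flags are an assumption,
# verify with --help). Names and env vars below are placeholders.

set -eu

# Echo each command, then run it unless DRY_RUN is set.
run() {
    printf '+ %s\n' "$*"
    if [ -z "${DRY_RUN:-}" ]; then
        "$@"
    fi
}

# sentinel_setup <resource-group> <workspace-name> <location>
sentinel_setup() {
    rg=$1
    ws=$2
    loc=$3

    # Step 1: resource group (the "subscription / resource group" fields of Figure 5)
    run az group create --name "$rg" --location "$loc"

    # Step 2: Log Analytics workspace on the pay-as-you-go tier (Figures 4 to 7)
    run az monitor log-analytics workspace create \
        --resource-group "$rg" --workspace-name "$ws" \
        --location "$loc" --sku PerGB2018

    # Step 3: attach Azure Sentinel to the workspace (Figure 8).
    # SecurityInsights is the solution id behind "Add Azure Sentinel".
    run az monitor log-analytics solution create \
        --resource-group "$rg" --workspace "$ws" \
        --solution-type SecurityInsights
}

# Usage (placeholder names):
#   SENTINEL_RG=rg-sentinel-demo SENTINEL_WS=law-sentinel-demo \
#   SENTINEL_LOCATION=eastus sh setup-sentinel.sh
# Add DRY_RUN=1 to only print the commands.
if [ -n "${SENTINEL_RG:-}" ]; then
    sentinel_setup "$SENTINEL_RG" "${SENTINEL_WS:?}" "${SENTINEL_LOCATION:?}"
fi
```

Run it once with `DRY_RUN=1` first to review the exact commands it will issue against your subscription; the function only echoes them in that mode.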

How do I create a Sentinel workbook?

It's very easy to create and edit a workbook. The prerequisite is that you have an active Azure Sentinel workspace. Go to the Azure Sentinel workspace and select the Workbooks tab from the left-hand menu:

Figure 10: Select Workbooks in Azure Sentinel

Now you will see all the existing workbooks and can choose whichever one you want to edit. If you want to create a new one, select 'Add workbook' at the top.

Is Azure Sentinel free?

No. Azure Sentinel is not free. You can start a free trial for 30 days; after that it is charged as per the pricing model.

Is Azure Sentinel SaaS or PaaS?

With Azure Sentinel you don't get any infrastructure to operate on. What you get is cloud data collection at large scale and a threat detection mechanism. Hence it should be considered SaaS: it is purely a software-as-a-service model.

What is the difference between Azure Security Center and Azure Sentinel?

Azure Security Center basically provides collection of log data and threat detection. Azure Sentinel, however, goes further than Azure Security Center: besides data collection and threat detection, it also does threat investigation and threat response.

Final Thoughts

We have gone through each and every aspect of Microsoft Azure Sentinel. In this article we have understood what Azure Sentinel is and why we should use it. We have also gone through how to set up Azure Sentinel step by step. The article also answers various related questions, such as whether Azure Sentinel is free and whether it is PaaS or SaaS.

I hope you liked the article and that it has answered most of your queries about Azure Sentinel. Please let me know your feedback, queries and suggestions in the comment section below.

Deepak Goyal

Deepak Goyal is a certified Azure Cloud Solution Architect. He has around a decade and a half of experience in designing, developing and managing enterprise cloud solutions. He is also a certified Big Data professional and a passionate cloud advocate.

