Microsoft Sentinel

Microsoft

Cloud-native SIEM and SOAR built on Azure Monitor and Log Analytics.

Tags: Logging & SIEM | Commercial | Platform / Suite | Learning | Cross-platform


Description

Microsoft Sentinel is Azure's cloud-native SIEM + SOAR offering. It uses Log Analytics workspaces as storage and Kusto Query Language (KQL) for search and detection.

Key building blocks:

  • Data connectors for Microsoft 365, Defender, Azure AD, AWS, GCP, syslog/CEF.
  • Analytics rules (scheduled KQL queries that generate incidents).
  • Workbooks for visualisation.
  • Playbooks (Logic Apps) for SOAR automation.
  • UEBA, Watchlists, Threat Intelligence integrated natively.

Use cases

  • Hybrid cloud SOC with Microsoft-heavy estate
  • Native integration with Defender XDR and Azure AD logs
  • SOAR automation via Logic Apps playbooks

Example

// Failed interactive sign-ins per user and source IP, bucketed hourly.
// ResultType is a string column in SigninLogs; "0" means success, anything else is a failure code.
SigninLogs
| where ResultType != "0"
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h)
// Alert threshold: more than 20 failures for one user/IP pair within an hour
| where FailedAttempts > 20