Microsoft Azure Sentinel

Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Azure Sentinel is your birds-eye view across the enterprise alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames.

  • Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
  • Detect previously undetected threats, and minimize false positives using Microsoft’s analytics and unparalleled threat intelligence.
  • Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cyber security work at Microsoft.
  • Respond to incidents rapidly with built-in orchestration and automation of common tasks.

Deploying Azure Sentinel

Open the Azure Portal and navigate to the Azure Sentinel blade. Click Connect Workspace to enable Azure Sentinel.

Azure Sentinel blade

Azure Sentinel must be linked to a Logs Analytics Workspace, so if you do not have an existing workspace, you must create a new one.

Azure Sentinel workspace

In order to create the workspace, select the subscription, a resource group and enter a friendly name.

Create the workspace

After creating the workspace, refresh the list to select the workspace created previsouly

Refresh the list to select the workspace

Before going deeper in the Sentinel blade, go to the Azure Active Directory blade to enable the diagnostic settings. Click Add diagnostic setting

Add diagnostic setting

Then, you can collect all the data to the workspace

Сollect all the data to the workspace

Save the settings and go back to the Azure Sentinel home page. Click Connect to collect data

Connect to collect data

As a good starting point, it is great to enable Azure Active Directory connector to monitor the Azure AD health. Select Azure Active Directory connector and click Open the connector page

Open the connector page

You must have tenant permissions to apply the following changes

Tenant permissions

After applying the changes, go to the Next steps page to create a rule based on the templates

Сreate a rule based on the templates

In this guide, I want to enable a rule about brute force attack agains Azure Portal. You can fill the fields in the wizard and enable the rule

rule about brute force attack agains Azure Portal

Depending your needs, you can adjust the rule and simulate the rule to see the potential results

Adjust the rule and simulate the rule

On the third page, you can group the alerts in a single incident

Group the alerts in a single incident

Then you can automate some actions with playbooks. Playbooks allow you run automation steps to schedule, automate, and orchestrate tasks and workflows.


Review the parameters and create the rule

Review the parameters and create the rule

If you need to modify the rule, go to Analytics


One of the great things with Azure Sentinel is the built-in dashboard templates. Go to the Workbooks blade and click View reports for the Azure AD connector and your data wyou will have dashboard

Workbooks blade

Wait few minutes until data are collected

Data are collected

To finish, go to Incidents to check the new incidents


Back to blog