Azure Sentinel Configuration
Guide to configuring Microsoft Sentinel SIEM/SOAR including data connectors, KQL analytics rules, automation playbooks, and cost optimization.
Continue your mission
Guide to configuring Microsoft Sentinel SIEM/SOAR including data connectors, KQL analytics rules, automation playbooks, and cost optimization.
# Azure Sentinel Configuration
Microsoft Sentinel is a cloud-native SIEM and SOAR platform that consolidates security telemetry from across an organization's entire digital estate into a single, queryable environment. It exists because modern infrastructure generates data at volumes and velocities that on-premises log management tools cannot absorb economically or operationally. Security teams need a platform that ingests logs from cloud services, hybrid endpoints, SaaS applications, and network devices simultaneously, correlates those signals into actionable incidents, and triggers automated responses without requiring teams to manage the underlying compute and storage infrastructure. Sentinel solves the scalability problem by building on Azure Log Analytics, which handles petabyte-scale ingestion natively, while layering threat detection, investigation, and response capabilities on top of that data foundation.
---
Microsoft Sentinel is a cloud-hosted Security Information and Event Management (SIEM) platform combined with Security Orchestration, Automation, and Response (SOAR) capabilities, deployed entirely within the Azure ecosystem. It ingests structured and unstructured log data from hundreds of supported sources, applies Kusto Query Language (KQL) analytics to detect threats, groups correlated alerts into incidents, and executes automated response workflows through Azure Logic Apps.
Sentinel is not a firewall, an endpoint detection and response (EDR) tool, or a data loss prevention (DLP) platform. It does not prevent threats at the network perimeter. It is an analytical and orchestration layer that depends on upstream security controls to generate the telemetry it processes. This distinction matters when organizations treat Sentinel as a replacement for defensive controls rather than as the detection-and-response layer that operates on top of them.
Sentinel differs from traditional on-premises SIEMs such as Splunk Enterprise, IBM QRadar, or ArcSight in three structural ways. First, it has no dedicated server infrastructure to maintain; capacity scales automatically with data volume. Second, its pricing model is consumption-based, meaning organizations pay per gigabyte ingested rather than per appliance or per event per second. Third, its native integrations with Microsoft 365, Azure Active Directory, Microsoft Defender for Endpoint, and Defender for Cloud create a deeply correlated signal chain that third-party SIEMs require custom connectors and normalization work to replicate.
Variants and deployment subtypes include single-workspace deployments for organizations with unified data residency requirements, multi-workspace federated architectures for Managed Security Service Providers (MSSPs) managing multiple tenants, and workspace-per-region configurations for organizations subject to data sovereignty regulations such as the EU General Data Protection Regulation or Australian Privacy Act.
Sentinel configuration is not a one-time event. It is an ongoing operational discipline that includes connector management, rule tuning, playbook maintenance, cost governance, and threat intelligence integration. Organizations that treat initial deployment as the end state consistently experience alert fatigue, coverage gaps, and runaway data ingestion costs.
---
Workspace Foundation
Every Sentinel deployment begins with an Azure Log Analytics workspace, which serves as the underlying data store. Administrators create the workspace in a chosen Azure region, which determines data residency. Once Sentinel is enabled on the workspace, the platform gains access to that workspace's query engine, storage tiers, and the Azure Resource Manager APIs used to manage connectors and rules.
Data Connector Configuration
Data connectors are the ingestion layer. Microsoft provides over 300 native connectors covering Microsoft 365 (Exchange, SharePoint, Teams), Azure Active Directory (sign-in logs, audit logs, identity protection alerts), Microsoft Defender products, Azure resource diagnostics, and third-party sources. Third-party connectors use three mechanisms: Common Event Format (CEF) over Syslog forwarded through a Linux-based log forwarder agent, native REST API polling where Sentinel queries the third-party source on a schedule, or Azure Event Hubs where high-volume sources stream data in real time.
Connector configuration requires more than clicking an enable button. Each connector has specific permissions requirements (typically a service principal with reader or contributor rights to the source resource), and administrators must validate that the expected log tables are populating in the workspace after activation. A misconfigured connector produces no errors but generates no data, creating silent coverage gaps.
Analytics Rules
Analytics rules are the detection engine. They execute KQL queries against ingested log tables on a scheduled basis (every five minutes to every 24 hours) or in near-real time using streaming analytics. Each rule defines a query, a lookback window, grouping logic, severity, and MITRE ATT&CK tactic and technique mappings.
Sentinel provides three rule templates types. Scheduled analytics rules run KQL on a timer and are the most customizable. Microsoft Security rules automatically promote alerts from Defender products into Sentinel incidents, with configurable severity filters. NRT (Near Real Time) rules run every minute and are suited for high-priority detections where latency matters, such as detecting credential stuffing against privileged accounts.
A concrete example: a SOC team wants to detect impossible travel, where a user authenticates from New York and then from Amsterdam within 30 minutes. The KQL rule queries the SigninLogs table, extracts location data, calculates the time delta between consecutive sign-ins for each user, computes the implied travel speed using coordinates, and generates an alert when that speed exceeds a configurable threshold. The rule maps to MITRE ATT&CK T1078 (Valid Accounts) under the Initial Access tactic. The alert includes entity mappings for the user account and both source IP addresses, enabling Sentinel to enrich the incident with threat intelligence context automatically.
Incident Management
When an analytics rule fires, it generates an alert. Sentinel groups related alerts into incidents based on entity overlap and time proximity. An incident aggregating five alerts about the same user account, each from a different detection rule, gives the analyst a unified investigation surface rather than five separate tickets. Incidents display MITRE ATT&CK coverage, entity timelines, bookmarked evidence, and relationships to other incidents involving the same entities.
Automation: Rules and Playbooks
Automation rules execute immediately when an incident is created or updated. They can assign the incident to an analyst, change its severity, add tags, or trigger a playbook. Playbooks are Azure Logic Apps, which are low-code workflow automation tools. A playbook can query Active Directory to confirm whether the flagged account is still active, post the incident details to a Teams channel, open a ServiceNow ticket, and send an email to the account's manager, all within seconds of incident creation.
A more advanced playbook for a confirmed phishing incident would revoke the user's active sessions via the Microsoft Graph API, disable the account in Azure Active Directory, send a notification to the user, quarantine the reported email across the tenant using Defender for Office 365, and update the incident status to "In Progress" with a comment documenting each action taken. This sequence replaces manual steps that historically took 15 to 45 minutes per incident.
Workbooks and Cost Management
Workbooks provide customizable SOC dashboards built on Azure Monitor Workbooks. They display ingestion volume by connector, incident trends, mean time to detection (MTTD), and coverage maps against MITRE ATT&CK.
Cost management is a configuration discipline in itself. Log Analytics supports three storage tiers: Analytics (full query capability, higher cost), Basic (reduced query capability, lower cost for high-volume low-value logs), and Archive (long-term retention at minimal cost). Administrators configure data collection rules to filter out noisy, low-value events, such as verbose firewall allow-logs, before they reach the workspace, reducing billable ingestion volume without sacrificing meaningful detection coverage.
---
Security operations teams without a properly configured SIEM operate reactively, discovering breaches through end-user reports, partner notifications, or public disclosure rather than internal detection. Sentinel, configured correctly, shifts that posture toward detection at the earliest possible stage of an attack chain.
The business impact of poor or absent SIEM configuration is measurable. IBM's Cost of a Data Breach Report consistently shows that organizations with mature security operations and automated response capabilities contain breaches faster and at lower total cost. In 2023, the average breach cost for organizations with high levels of security AI and automation was 1.76 million dollars less than organizations without those capabilities. That gap is substantially explained by detection speed: organizations that detect a breach within 200 days face materially lower costs than those discovering it after 200 days.
A specific consequence of misconfigured Sentinel deployments is the silent coverage gap. A financial services organization deployed Sentinel across its Azure environment but failed to connect its on-premises Active Directory through the Azure AD Connect health connector. Attackers performing lateral movement using pass-the-hash techniques against on-premises domain controllers generated no telemetry in Sentinel because those authentication events never reached the workspace. The organization's SOC dashboard showed green status across all panels while the compromise progressed undetected for 11 days. The gap was discovered during a post-incident forensic review, not by the SOC.
A common misconception is that enabling Microsoft's built-in analytics rule templates provides comprehensive coverage. Templates are starting points. Many templates have default thresholds tuned for generic environments that produce unacceptable false-positive rates in specific organizational contexts. A rule that alerts on any failed login count exceeding 10 in five minutes will generate constant noise in a healthcare organization with thousands of shift-change authentications happening simultaneously. Tuning thresholds, entity exclusions, and lookback windows to the organization's baseline is not optional configuration work; it is the primary driver of whether the SOC trusts the tool enough to act on its alerts.
---
CDA approaches Sentinel configuration through the Planetary Defense Model under the Threat Intelligence and Detection (TID) domain. The methodology is Predictive Defense Intelligence (PDI): see the threat before it sees you.
Where standard Sentinel deployments focus on reactive alerting, CDA's PDI methodology reshapes configuration around anticipatory detection. This means analytics rules are not built to alert on known bad behavior after it occurs; they are built to detect the behavioral precursors that reliably precede targeted attack stages. For a cloud-native environment, this includes detecting the reconnaissance behaviors that precede credential attacks, the enumeration patterns that precede privilege escalation, and the staging behaviors that precede data exfiltration.
CDA's Sentinel engagements begin with a threat profile specific to the client's sector and adversary exposure. A defense contractor faces different adversary tradecraft than a regional hospital network. The threat profile drives connector prioritization: which data sources carry the highest signal density for the specific adversaries the client is likely to face. This prevents the common error of treating all 300 available connectors as equally valuable and drowning the workspace in low-signal data.
CDA builds analytics rule libraries mapped to sector-specific threat actor techniques documented in MITRE ATT&CK. For a client in the defense industrial base, this means prioritizing detection of techniques associated with known state-sponsored groups targeting that sector, including spearphishing attachment delivery, BITS Jobs for persistence, and Kerberoasting in Active Directory. Each rule in the library is accompanied by tuning documentation that specifies expected alert volumes, recommended thresholds, and criteria for escalation versus automated suppression.
Playbook architecture under the PDI methodology includes enrichment-first designs: before a human analyst reviews an incident, automated playbooks have already queried threat intelligence feeds, pulled historical context from previous incidents involving the same entities, and assessed whether the involved accounts have active privileged access. Analysts receive incidents with context already assembled, reducing investigation time and the cognitive load that leads to missed signals.
CDA also implements Sentinel cost governance as a security function, not a finance function. Uncontrolled ingestion costs lead organizations to disconnect high-volume data sources to reduce bills, creating coverage gaps that adversaries can exploit. By designing data collection rules and basic-log configurations into the initial deployment, CDA ensures clients maintain coverage without facing costs that drive operational shortcuts.
---
---
---
CDA Theater missions that address topics covered in this article.
Guide to AWS Security Hub for centralized finding aggregation, continuous compliance monitoring, and automated remediation across AWS organizations.
Vendor assessment guide for HashiCorp Vault.
Wireshark is the leading network protocol analyzer for traffic capture and security investigation.
Written by CDA Editorial
Found an issue? Help improve this article.