Microsoft Sentinel SIEM/SOAR
Analytics rules, UEBA, playbooks that respond.
Detection is only as good as what happens after an alert fires. Microsoft Sentinel is the cloud-native SIEM and SOAR that ingests signals across your estate, turns them into incidents, and automates response — the difference between spotting an incident and containing one.
Ingest, detect, correlate
Sentinel connects to Entra ID sign-in and audit logs, Defender for Cloud alerts, Azure Activity, Office 365, network and firewall logs, and third-party sources, landing them in a Log Analytics workspace. Analytics rules — scheduled KQL queries and near-real-time detections — turn suspicious patterns into incidents, while UEBA baselines user and entity behavior to catch impossible travel, unusual access, and subtle account compromise that static rules miss. The result is a single, correlated incident queue instead of a dozen disconnected consoles.
// Analytics rule (KQL): mass secret reads from one identity in 5 minutes.KeyVaultData| where OperationName == "SecretGet"| summarize reads = count() by CallerIPAddress, identity_claim_upn_s, bin(TimeGenerated, 5m)| where reads > 50 // threshold → raises a Sentinel incident// A playbook (Logic App) on that incident then, automatically:// 1) disables the user (Entra), 2) revokes sign-in sessions,// 3) posts to the SecOps channel and opens a ticket.
Automate response, tune for signal
Playbooks — Logic Apps triggered by incidents — turn detection into containment: disable a user, isolate a VM with a deny-all NSG, revoke sessions, or open a ticket, in seconds and without waiting for a human. Treat alert quality as first-class: tune analytics rules, deduplicate, and prioritize by severity and asset criticality so responders act on signal, not noise. Wrap the high-severity paths in rehearsed runbooks so the first real "compromised identity" incident runs a playbook you have practiced.