Before Lab 4.4 — Microsoft Sentinel on Top of Log Analytics
Before Lab 4.4 — Microsoft Sentinel on Top of Log Analytics
Microsoft Sentinel is a Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) service. It sits on top of Log Analytics and adds security-specific capabilities.
Sentinel does not store data separately. It is a layer on top of Log Analytics that adds analytics rules, hunting queries, workbooks, automation, and incident management. You only pay for Log Analytics data ingestion.
Sentinel is free. There is no additional charge for using Microsoft Sentinel itself — you only pay for the Log Analytics data ingestion (PerGB2018).
Sentinel data flow
Note: Sentinel features are being migrated to the Microsoft Defender portal (security.microsoft.com). Use that portal for this lab.
Data lake tier (new in 2025)
Microsoft Sentinel now includes a data lake tier alongside the analytics tier:
| Tier | Purpose | Cost | Real-time? |
|---|---|---|---|
| Analytics tier | Active detection, incident management | Charged per GB ingested | Yes |
| Data lake tier | Long-term storage (up to 12 years) | Low-cost storage only | No |
Data in the data lake can be queried with KQL or notebooks. KQL jobs move selected data from the lake tier back into the analytics tier when you need it for detection or hunting. This means you can store high-volume logs (firewall, network) affordably and promote only what you need to analyze.
Analytics rules
Analytics rules are KQL queries that run automatically on a schedule (every 5 minutes to 24 hours). When a rule matches, it creates an incident.
Rule: "Direct access to internal backend"
Schedule: Every 5 minutes
Query: KQL that finds requests to internal backend from external IPs
Threshold: 1 or more matches
Incident severity: HighHunting queries
Hunting queries are ad-hoc investigations. Unlike analytics rules, they are not scheduled — you run them manually to search for threats that may not have triggered an alert.
Hunt: "Find all requests to sensitive endpoints"
Scope: Last 7 days
Query: KQL that searches AzureDiagnostics for admin, config, internal endpointsWhat Sentinel adds to Log Analytics
| Feature | Purpose | Example |
|---|---|---|
| Analytics rules | Automatic detection of suspicious patterns | "More than 5 failed logins in 10 minutes" |
| Hunting queries | Proactive search for hidden threats | "Find all requests to admin endpoints" |
| Workbooks | Security dashboards | "Attack surface overview", "Incident timeline" |
| Incidents | Structured security events | One incident per detected threat |
| Automation rules | Auto-classification and alerting | "Auto-assign network incidents to network team" |
| Notebooks | Advanced analysis with Python | ML-based anomaly detection |
| Threat intelligence | IOCs, MITRE ATT&CK mapping | Compare detected activity against known threats |
Data connectors
Data connectors bring data from external sources into Log Analytics. Sentinel uses these connectors to populate its data store.
Built-in connectors relevant to this course
| Connector | Data Type | Configured Via | Description |
|---|---|---|---|
| Azure Activity Log | Management operations | Sentinel portal | All Azure resource management events |
| Azure Defender | Security alerts | Sentinel portal | Defender for Cloud security alerts |
| Azure Monitor Logs | Platform logs | Automatic | All Log Analytics data is available to Sentinel |
The Azure Activity Log connector
The Azure Activity Log connector is the most important for Day 4. It captures:
- Resource creation, modification, deletion
- Role assignments and RBAC changes
- Authentication events (sign-in failures)
- Policy evaluations and compliance changes
The connector is not enabled by default. It must be manually turned on in the Sentinel portal.
Why not automated? The Azure Activity Log connector requires a one-time configuration to subscribe to the Activity Log feed. This is a portal-based action that is intentionally left manual to ensure operators understand what data is being ingested.
Sentinel workspaces
A Sentinel workspace is simply a Log Analytics workspace that has Sentinel enabled. There is no separate "Sentinel workspace" resource — Sentinel is a feature layer on top of the workspace.
Enabling Sentinel via the portal
Sentinel is enabled on a Log Analytics workspace through the Azure portal:
- Navigate to the Log Analytics workspace in the Azure portal
- Click Sentinel in the left menu (or search for "Microsoft Sentinel")
- If Sentinel is not yet enabled, you will see an Enable Sentinel button
- Click the button to enable Sentinel on this workspace
This is a manual step in the lab because understanding how to enable Sentinel interactively is a core operational skill. In production, you would use the Azure portal, CLI, or PowerShell — not Terraform — to enable Sentinel on existing workspaces.
Note: The
azurerm_log_analytics_workspaceresource creates the Log Analytics workspace. Sentinel is a feature layer that sits on top of the workspace, not a separate resource.
Lab 4.4 objectives
Lab 4.4 goals
Key questions before starting
- Does Microsoft Sentinel create a separate data store, or does it use Log Analytics?
- Why is the Azure Activity Log connector not enabled by default?
- What is the difference between an analytics rule and a hunting query?
- If Sentinel is free, what are you paying for when you use it?
Lab File
Download Lab 4.4 — Enable Sentinel PDF