Microsoft Sentinel: Full SIEM & SOAR in the Cloud Explained
What is Microsoft Sentinel and why do you need it? How can it provide security for cloud and on-premise environments? These are questions that many grapple with in the ever-evolving world of cybersecurity.
This article answers all your questions regarding Microsoft Sentinel (formerly Azure Sentinel).
Author: Niels Kroeze, IT Business Copywriter
Reading time: 12 minutes. Published: 10 July 2025
What is Microsoft Sentinel?
Microsoft Sentinel (previously known as Azure Sentinel) is a cloud native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution developed by Microsoft. It provides a comprehensive, bird’s-eye view of your organisation’s security posture.
Integrated into Azure and the Microsoft 365 ecosystem, it helps organisations detect, prevent, investigate, and respond to security threats across their entire digital estate.
Thanks to its cloud native architecture, Microsoft Sentinel is particularly well-suited for monitoring and securing resources in cloud environments such as Azure and Microsoft 365. It also supports integration with on-premises systems, offering a unified security platform for hybrid environments.
Additionally, Sentinel can connect with other cloud platforms like Amazon Web Services (AWS) and Google Cloud Platform (GCP), providing a single pane of glass for managing multi-cloud security operations.
Unlike many traditional SIEM solutions, you don't need to install any servers, on-prem or in the cloud, to run Microsoft Sentinel. It's a fully managed service in Azure that you can enable on a Log Analytics workspace within minutes through the Azure Portal.
Why do we need Microsoft Sentinel?
As organisations increasingly adopt cloud technologies - embracing PaaS (Platform as a Service) and SaaS (Software as a Service) solutions while still relying on traditional IaaS (Infrastructure as a Service) - their IT environments become more complex and distributed. This shift introduces new security challenges, making it essential to protect data across a diverse and dynamic landscape.
Modern threats span IoT (Internet of Things) devices, endpoints, cloud services, multiple users, and even multiple tenants. This affects every organisation - small, medium, or large. We are all targets.
In today’s world, data breaches are no longer a question of if, but when.
How Microsoft Sentinel works
Previously known as Azure Sentinel, Microsoft Sentinel brings together threat detection, investigation, response, and analysis into a single, unified platform.
It operates across the full security lifecycle, starting with data collection and continuing through schema normalisation, validation, detection, investigation, and automated response.
Collect: Sentinel gathers data from across your environment – including devices, users, applications, infrastructure, and both on-premises and multi-cloud platforms.
Detect: Using KQL-based analytics rules, built-in machine-learning detections, and threat intelligence feeds such as Microsoft Defender Threat Intelligence (MDTI), Sentinel identifies suspicious activity and raises alerts.
Investigate: Security teams investigate incidents using built-in tools such as KQL queries, the investigation graph, Jupyter notebooks, and AI-assisted summaries. Because Sentinel runs on an Azure Monitor Log Analytics workspace, the same data and query tooling are available for context.
Respond: Sentinel enables automated responses through playbooks and workflows. With over 1,000 Logic App connectors, teams can triage, escalate, or resolve alerts efficiently – automating tasks that previously took hours.
Microsoft Sentinel includes several key components that enable organisations to collect, detect, investigate, and respond to security threats effectively:
Data connectors
Log retention
Workbooks
Analytics alerts
Threat hunting
Incidents and investigations
Automation playbooks
Let’s break them down further:
Data connectors
Everything in Sentinel starts with data connectors. The first step is onboarding these connectors to ingest logs from various sources. Once connected, Sentinel begins collecting and analysing your security data.
Sentinel supports a very wide range of log sources, most of them collected through Azure Monitor agents and data collection rules. Common examples include:
Syslog
Common Event Format (CEF)
TAXII (for threat intelligence feeds)
Azure Activity Logs
Microsoft Defender services
Amazon Web Services (AWS) and Google Cloud Platform (GCP)
Log retention
Ingested data is stored in a Log Analytics workspace and kept for the retention period you configure (the pricing section below covers the retention tiers). From there you use Kusto Query Language (KQL) to explore and analyse it, which is the basis for investigation, trend analysis, and hunting.
Workbooks
Workbooks are interactive dashboards powered by KQL. You can use built-in templates or create custom dashboards to visualise the data that matters most to your organisation.
Analytics alerts
Once data is flowing and visualised, Sentinel enables proactive threat detection. You create analytics rules from built-in templates or your own KQL queries; a scheduled rule runs its query at a set frequency over a lookback window and generates an alert (and, optionally, an incident) when results come back. Sentinel ships with well over 200 analytics rule templates to help you get started.
Threat hunting
Sentinel supports proactive threat hunting using KQL queries and Jupyter notebooks (hosted in Azure Machine Learning): live notebooks that combine code, visualisations, and documentation. This allows analysts to search for hidden threats and anomalies that no rule has caught yet.
As a fully cloud-native solution, Microsoft Sentinel requires no physical infrastructure or manual hardware profiling. Deployment is fast and simplified, with no on-premises setup needed.
Seamless Integration with Azure and Microsoft
Microsoft Sentinel isn’t a standalone tool; it integrates with Azure services such as Microsoft Defender for Cloud (formerly Azure Security Center), and Microsoft Entra ID (formerly Azure Active Directory).
This creates a more complete security ecosystem by combining insights from different layers of the tech stack. It also integrates well with other Microsoft security tools, such as:
Defender for Endpoint
Microsoft Entra ID Protection
Defender for Identity
Defender for Office 365
Defender for Cloud Apps
Fully cloud native architecture
Sentinel is designed for the cloud, making it ideal for monitoring and securing Azure resources. It scales automatically to handle large data volumes, supporting organisations of all sizes, from small businesses to global enterprises.
Hybrid clouds
Sentinel integrates with on-premises systems, enabling a unified security platform across hybrid environments.
Single pane of glass
Microsoft Sentinel provides a centralised platform to manage and monitor security across your entire infrastructure. This is especially helpful in complex environments with multiple cloud services, applications, and on-prem systems.
Customisation with data connectors, queries, and dashboards
Sentinel supports custom data connectors, KQL queries, and dashboards, allowing security teams to tailor the platform to their specific needs.
Built-in tools for compliance and reporting
With built-in tools for compliance tracking and audit-ready reporting, Sentinel helps organisations meet regulatory requirements without needing to consolidate data from multiple systems.
AI and Machine Learning (ML)
Sentinel ships with ML-driven detections such as Fusion, which correlates alerts into multi-stage attack incidents, anomaly rules, and User and Entity Behavior Analytics (UEBA). Through Microsoft Security Copilot and the Azure OpenAI connector for playbooks, analysts can summarise incidents and draft queries in natural language to speed up investigations.
Automated playbooks and workflows
Using Azure Logic Apps, Sentinel enables automated responses to common security incidents. Playbooks reduce response time and ensure consistent, effective action.
Broad log ingestion support
Sentinel can ingest logs in almost any format, not only Windows event logs, Linux syslog, CEF, or JSON: custom sources can be sent to a custom table through the Logs Ingestion API and shaped with a data collection rule. This flexibility allows it to support a wide range of systems and data sources.
End-to-end Role-Based Access Control (RBAC)
Sentinel uses Azure RBAC. Built-in roles such as Microsoft Sentinel Reader, Responder, and Contributor grant increasing rights over incidents, rules, and workbooks, and table-level or resource-context RBAC can restrict which data a user is able to query. Users see and act on only what their role allows.
Microsoft Sentinel is ideal for organisations that need a scalable, cloud-native solution to run modern security operations. Consider using Sentinel if you want to:
Collect event data from various sources
Detect and investigate suspicious activity
Visualise logs, hunt for threats, and manage incidents
Automate responses to alerts
Sentinel is especially well-suited for organisations managing multi-cloud environments or looking to reduce the overhead of traditional SIEM tools. It integrates easily with other cloud providers (like AWS), syslog, and a wide range of data sources.
Plus, it scales automatically—no infrastructure provisioning required.
As your security operations mature, you may identify new priorities, such as automating parts of your SOC. Sentinel supports this through automated playbooks that reduce response time and analyst fatigue.
Note:
If your primary focus is performance monitoring, tools like Azure Monitor and Log Analytics may be more appropriate.
If you're looking to assess your security posture, enforce policies, or remediate misconfigurations, consider using Microsoft Defender for Cloud alongside Sentinel. You can even ingest Defender for Cloud alerts directly into Sentinel using built-in connectors.
Microsoft Sentinel Pricing: How Much Does It Cost?
Microsoft Sentinel charges based on the volume of data ingested into your Log Analytics workspace for analysis, plus retention beyond the free period (covered below). So far this may seem straightforward. In practice, however, there are many caveats.
The official Microsoft Sentinel pricing page distinguishes log tiers:
Analytics Logs: Used for threat detection, investigation, and alerting, with full KQL and analytics rule support.
Basic and Auxiliary Logs: Lower-cost tiers for high-volume, lower-value data such as verbose network or performance logs. They are much cheaper to ingest but support only a limited query set and cannot drive scheduled analytics rules.
Microsoft Sentinel offers these pricing models: Pay-As-You-Go and Commitment Tiers.
Pay-As-You-Go
With pay-as-you-go you pay for every gigabyte ingested. Under Microsoft's current simplified pricing, the Sentinel and Log Analytics ingestion charges are billed as one combined rate; at the time of writing it is $4.30 per GB in East US.
Commitment Tiers
Alternatively, you can select a commitment tier: you pay a fixed price per day for a chosen daily ingestion volume, whether or not you fill it, and any overage is billed at that tier's effective per-GB rate.
The table below shows the commitment tiers (East US prices at the time of writing) and the potential savings compared to pay-as-you-go:
Tier              Microsoft Sentinel price   Effective per-GB price   Savings over pay-as-you-go
Pay-As-You-Go     $4.30 per GB               $4.30 per GB             N/A
100 GB per day    $296 per day               $2.96 per GB             31%
200 GB per day    $548 per day               $2.74 per GB             36%
300 GB per day    $800 per day               $2.67 per GB             38%
400 GB per day    $1,037.33 per day          $2.60 per GB             40%
500 GB per day    $1,265 per day             $2.53 per GB             41%
With the tiers shown above, savings reach 41% at 500 GB per day; Microsoft also offers larger tiers, with discounts of up to 52% at the highest volumes.
That said, you also pay for data retention:
The first 90 days of interactive retention are free.
After that, interactive retention costs $0.10 per GB per month.
Interactive retention can be set to up to two years.
Once the interactive retention period ends, you have two choices:
Let the data go
Move it to long-term retention (formerly the archive tier)
Long-term retention keeps data for up to 12 years at a much lower price, $0.02 per GB per month, which makes it the natural home for compliance data.
So, what if you need to access archived data later? You have two options:
Search job: runs a KQL query asynchronously across the archived data and writes the matches into a new table; charged per GB scanned, which is cheap.
Restore: brings a time range of a table back into the interactive tier for full-speed analysis.
Be careful with restore:
It is billed for a minimum of 12 hours, even if you delete the restored data sooner.
It is billed for a minimum of 2 TB per day, even if you restore far less.
Restoring a few gigabytes in a test or dev workspace can therefore cost as much as restoring 2 TB.
To cut a long story short: archiving is cheap, restoring is not.
Let’s now focus on when you don’t need to pay for Microsoft Sentinel.
Free trial (31 days)
You can try Microsoft Sentinel free for the first 31 days. When you enable Sentinel on a new Azure Monitor Log Analytics workspace, the following benefits apply:
Up to 10 GB/day of log data ingestion is free for the first 31 days.
Both Microsoft Sentinel and Log Analytics charges are waived during this period.
The free trial is limited to 20 workspaces per Azure tenant.
Note:
Usage beyond the 10 GB/day or after the 31-day period will be charged according to standard pricing.
Charges for additional capabilities - such as automation and bring-your-own machine learning models - are not covered by the free trial and charges will still apply.
Microsoft Sentinel free data sources
These Microsoft data sources are always free to ingest in Microsoft Sentinel:
Azure Activity Logs
Office 365 Audit Logs (SharePoint activity and Exchange admin activity)
Security alerts from:
Microsoft Defender for Cloud
Microsoft Defender XDR (formerly Microsoft 365 Defender)
Microsoft Defender for Office 365
Microsoft Defender for Identity
Microsoft Defender for Endpoint
Microsoft Defender for Cloud Apps
There are additional cost-saving benefits if your organisation holds one of the following licences:
Microsoft 365 E5
Microsoft 365 A5
Microsoft 365 F5
Microsoft 365 G5
In such cases, you are eligible to receive a data grant of up to 5 MB per user per day for ingesting Microsoft 365 data into Microsoft Sentinel.
Microsoft Sentinel: Is It Worth It?
Now you know its costs, you probably wonder: “Is it worth it for small and medium-sized businesses, aka SMBs?”.
The short answer: it depends.
Many might argue that Microsoft Sentinel (and pretty much any SIEM solution in general) is too expensive for SMBs and only fits larger enterprises.
However, it doesn't always have to be like that: it can be cost-effective as long as it is closely managed, and cost optimisation is one of the pillars of the Azure Well-Architected Framework (WAF).
But remember that it’s critical to understand how data ingestion is billed. As long as you're thoughtful with what you ingest, Sentinel can work, especially if you're already in the Microsoft ecosystem.
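To choose between pay-as-you-go and a commitment tier, and to see which tables are driving cost, you need your actual billable volume. The following KQL is added here as an example (it is not from the original article or Microsoft's own guidance) and runs in any Log Analytics workspace against the Usage table, which is populated automatically; the 4.30 rate is the East US pay-as-you-go figure quoted above and is an assumption for other regions.

```kql
// Added example, not from the original article.
// 1) Daily billable ingestion over the last 30 days and what it would cost on
//    pay-as-you-go. 4.30 is the East US rate quoted in this article
//    (assumption for other regions). Usage.Quantity is reported in MB.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize BillableGB = round(sum(Quantity) / 1024, 2) by Day = bin(StartTime, 1d)
| extend PayAsYouGoUSD = round(BillableGB * 4.30, 2)
| order by Day asc

// 2) Which tables account for the volume: the usual place to start trimming
//    (move to the Basic/Auxiliary tier, drop fields with an ingestion-time
//    transformation in the data collection rule, or stop collecting them).
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize BillableGB = round(sum(Quantity) / 1024, 2) by DataType
| top 10 by BillableGB desc
```

Run the two queries separately. Compare the 30-day average of BillableGB with the tier breakpoints in the pricing table: a commitment tier only pays off when your sustained daily volume sits at or above it, because the daily commitment is charged whether or not you reach it.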
However, the pay-as-you-go pricing per GB can add up fast if you're a smaller organisation without the scale to commit.
Closing thoughts
We have shown how Microsoft Sentinel brings together data from Defender, Azure, other cloud platforms and even on-prem systems.
As a scalable, integrated SIEM solution, it enables you to monitor and respond to threats in real time, using cloud power and AI-driven analytics – across your entire infrastructure.
It gives you a full end-to-end platform for managing your security operations.
What is Security Information and Event Management (SIEM)?
A SIEM system collects and analyses log data to detect threats. It helps you spot unusual activity and create alerts so you can respond quickly.
What is Security Orchestration, Automation, and Response (SOAR)?
A SOAR system helps you automate and coordinate your security tools and processes. It speeds up response times by handling repetitive tasks and guiding analysts through investigations.