
Microsoft Sentinel: Full SIEM & SOAR in the Cloud Explained

What is Microsoft Sentinel and why do you need it? How can it provide security for cloud and on-premise environments? These are questions that many grapple with in the ever-evolving world of cybersecurity. 

This article answers all your questions regarding Microsoft Sentinel (formerly Azure Sentinel). 

Author: Niels Kroeze, IT Business Copywriter

Reading time 12 minutes Published: 10 July 2025

What is Microsoft Sentinel?

Microsoft (Azure) Sentinel

Microsoft Sentinel (previously known as Azure Sentinel) is a cloud native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution developed by Microsoft. It provides a comprehensive, bird’s-eye view of your organisation’s security posture. 

Integrated into Azure and the Microsoft 365 ecosystem, it helps organisations detect, prevent, investigate, and respond to security threats across their entire digital estate. 

Thanks to its cloud native architecture, Microsoft Sentinel is particularly well-suited for monitoring and securing resources in cloud environments such as Azure and Microsoft 365. It also supports integration with on-premises systems, offering a unified security platform for hybrid environments.

Additionally, Sentinel can connect with other cloud platforms like Amazon Web Services (AWS) and Google Cloud Platform (GCP), providing a single pane of glass for managing multi-cloud security operations. 

Unlike many traditional SIEM solutions, Microsoft Sentinel requires no servers to install, whether on-prem or in the cloud. It’s a fully managed service in Azure that you can get up and running within minutes through the Azure Portal.


Why do we need Microsoft Sentinel? 

As organisations increasingly adopt cloud technologies - embracing PaaS (Platform as a Service) and SaaS (Software as a Service) solutions while still relying on traditional IaaS (Infrastructure as a Service) - their IT environments become more complex and distributed. This shift introduces new security challenges, making it essential to protect data across a diverse and dynamic landscape. 

Modern threats span IoT (Internet of Things) devices, endpoints, cloud services, multiple users, and even multiple tenants. This affects every organisation - small, medium, or large. We are all targets. 

In today’s world, data breaches are no longer a question of if, but when.

 

How Microsoft Sentinel works 

Previously known as Azure Sentinel, Microsoft Sentinel brings together threat detection, investigation, response, and analysis into a single, unified platform.

It operates across the full security lifecycle, starting with data collection and continuing through schema normalisation, validation, detection, investigation, and automated response. 

  • Collect: Sentinel gathers data from across your environment – including devices, users, applications, infrastructure, and both on-premises and multi-cloud platforms. 
  • Detect: Using Microsoft Defender Threat Intelligence (MDTI) and KQL-based analytics rules, Sentinel identifies suspicious activity and potential threats. 
  • Investigate: Security teams can investigate incidents using built-in tools such as KQL queries, Jupyter Notebooks, and AI-powered insights. Sentinel also integrates with Azure Monitor to enhance visibility and context. 
  • Respond: Sentinel enables automated responses through playbooks and workflows. With over 1,000 Logic App connectors, teams can triage, escalate, or resolve alerts efficiently – automating tasks that previously took hours.

Microsoft Sentinel includes several key components that enable organisations to collect, detect, investigate, and respond to security threats effectively: 

  • Data connectors 
  • Log retention 
  • Workbooks 
  • Analytics alerts 
  • Threat hunting 
  • Incidents and investigations 
  • Automation playbooks

Let’s break them down further: 

 

Data connectors 

Everything in Sentinel starts with data connectors. The first step is onboarding these connectors to ingest logs from various sources. Once connected, Sentinel begins collecting and analysing your security data.

Microsoft Sentinel data connectors list, showing 190 onboarded connectors, 38 connected, and 0 updates.
Source: Microsoft

Sentinel supports nearly any log source, especially those connected via Azure Monitor, including: 

  • Syslog 
  • Common Event Format (CEF) 
  • TAXII (for threat intelligence feeds) 
  • Azure Activity Logs 
  • Microsoft Defender services 
  • Amazon Web Services (AWS) and Google Cloud Platform (GCP)

 

Log retention 

Ingested data is stored in a Log Analytics workspace, where you can use Kusto Query Language (KQL) to explore and analyse it. This enables deep investigation, trend analysis, and insight extraction.  

Multi-stage prediction software displaying a list of results, including scores and checkboxes.
Source: Microsoft
 

Workbooks 

Workbooks are interactive dashboards powered by KQL. You can use built-in templates or create custom dashboards to visualise the data that matters most to your organisation. 

Microsoft Sentinel workbook list, including "Azure Network Watcher," showing status, source, and description.
Source: Microsoft

Analytics alerts 

Once data is flowing and visualised, Sentinel enables proactive threat detection. You can create analytics rules using built-in templates or custom KQL queries. These rules scan your environment and generate alerts when suspicious activity is detected. Sentinel includes over 200 built-in alert rules to help you get started. 

Incident management dashboard showing 372 new, 0 active, and 30 closed incidents; time-based incident status and classification summaries; and mean acknowledgement and closure times.
Source: Microsoft

Threat hunting 

Sentinel supports proactive threat hunting using KQL queries and Azure Notebooks – live notebooks that combine code, visualisations, and documentation. This allows analysts to search for hidden threats and anomalies. 

Microsoft Sentinel Hunting dashboard showing 224 events, with various metrics and configuration options.
Source: Microsoft

 

Incidents and investigations 

Sentinel groups related alerts into incidents, making them easier to manage and investigate. 

Key features include: 

  • Incident management – Change status, assign incidents, and track progress. 
  • Investigation tools – Visually explore incidents, map related entities (users, IPs, devices), and view timelines to understand how an attack unfolded. 

 

Automation playbooks

Automation rules help triage incidents, suppress low-priority alerts, escalate critical ones, and trigger playbooks. 

Playbooks are built using Azure Logic Apps and can: 

  • Run automatically or on demand 
  • Use pre-built templates or custom workflows 
  • Integrate with over 1,000 connectors to automate response actions 
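The analytics rules, incident grouping and automation rules described in the three sections above can be modelled end to end in a few dozen lines. The following is an added illustration, not Sentinel's own code or anything from the author: in Sentinel the rules would be KQL queries over the SigninLogs table and the grouping and automation are configured in the portal. The sign-in records, account names and the tier-2 owner address are constructed placeholders; the column names mirror SigninLogs.

```python
"""Constructed illustration of a Sentinel-style detection pipeline:
scheduled analytics rules -> alerts -> incidents grouped by entity ->
automation-rule triage. Not Sentinel code: in Sentinel the rules are KQL
queries over SigninLogs and grouping/automation are configured in the
portal. Column names mirror SigninLogs, but every record is made up."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _ev(ts, user, ip, result):
    # ResultType "0" is a successful sign-in; 50126 is Entra's invalid-credentials code.
    return {"TimeGenerated": ts, "UserPrincipalName": user, "IPAddress": ip, "ResultType": result}


# Constructed sample data (RFC 5737 test addresses, fictional accounts).
SIGNIN_LOGS = (
    [_ev(f"2025-07-10T08:0{i // 2}:{(i % 2) * 30:02d}Z", "alice@contoso.example", "203.0.113.7", "50126")
     for i in range(6)]                                                                  # six failures in 2.5 min
    + [_ev("2025-07-10T08:03:30Z", "alice@contoso.example", "203.0.113.7", "0")]         # success after the burst
    + [_ev("2025-07-10T08:10:00Z", "bob@contoso.example", "198.51.100.20", "50126"),
       _ev("2025-07-10T08:11:00Z", "bob@contoso.example", "198.51.100.20", "50126")]     # a couple of typos
    + [_ev(f"2025-07-10T08:2{i}:00Z", "carol@contoso.example", "203.0.113.9", "50126") for i in range(5)]
)

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def _ts(event):
    return datetime.strptime(event["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def run_analytics_rules(events, lookback=timedelta(minutes=10), threshold=5):
    """Three scheduled-rule look-alikes. Each alert names its rule, a severity
    and the entities it maps (account, IP addresses), as Sentinel alerts do."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["UserPrincipalName"]].append(e)
    for user, evs in by_user.items():
        failures = [e for e in evs if e["ResultType"] != "0"]
        if failures:
            end = _ts(failures[-1])
            recent = [f for f in failures if end - _ts(f) <= lookback]
            ips = sorted({f["IPAddress"] for f in recent})
            if len(recent) >= threshold:   # many failures in the window: brute force
                alerts.append({"rule": "BruteForceAttempts", "severity": "Medium", "account": user, "ips": ips})
            else:                          # a few failures: noisy, Low severity
                alerts.append({"rule": "FewFailedSignins", "severity": "Low", "account": user, "ips": ips})
        for s in (e for e in evs if e["ResultType"] == "0"):
            prior = [f for f in failures if f["IPAddress"] == s["IPAddress"]
                     and timedelta(0) <= _ts(s) - _ts(f) <= lookback]
            if len(prior) >= 3:            # success right after failures from the same IP
                alerts.append({"rule": "SuccessAfterFailures", "severity": "High",
                               "account": user, "ips": [s["IPAddress"]]})
    return alerts


def group_into_incidents(alerts):
    """One incident per account entity; severity is the highest of its alerts
    (the effect of Sentinel's alert grouping on matched entities)."""
    incidents = {}
    for a in alerts:
        inc = incidents.setdefault(a["account"], {"account": a["account"], "alerts": [], "severity": "Informational",
                                                  "status": "New", "owner": None, "tags": []})
        inc["alerts"].append(a)
        if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[inc["severity"]]:
            inc["severity"] = a["severity"]
    return list(incidents.values())


def apply_automation_rules(incidents):
    """Automation-rule triage: auto-close Low noise, escalate High to a tier-2
    queue (the owner address is a placeholder); Medium is left for an analyst."""
    for inc in incidents:
        if inc["severity"] == "Low":
            inc["status"], inc["classification"] = "Closed", "BenignPositive"
        elif inc["severity"] == "High":
            inc["status"], inc["owner"] = "Active", "tier2-queue@contoso.example"
            inc["tags"].append("escalated")
    return incidents


def triage(events):
    """Full pipeline: rules -> alerts -> incidents -> automation."""
    return apply_automation_rules(group_into_incidents(run_analytics_rules(events)))


if __name__ == "__main__":
    for inc in triage(SIGNIN_LOGS):
        print(inc["account"], inc["severity"], inc["status"], [a["rule"] for a in inc["alerts"]])
```

Running it shows the three outcomes the sections describe: alice's two alerts land in one High incident that the automation rule assigns and tags, bob's handful of failed sign-ins is closed as noise before an analyst sees it, and carol's brute-force incident stays open at Medium for investigation. The same shape holds in Sentinel itself, where the lookback and threshold are rule settings and the suppression and escalation steps are automation-rule actions or playbooks.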

 

Microsoft Sentinel automation rules, playbooks, and actions list displayed in a software interface.
Source: Microsoft

 


Benefits of Microsoft Sentinel

No Hardware setup or on-prem configuration 

As a fully cloud-native solution, Microsoft Sentinel requires no physical infrastructure or manual hardware profiling. Deployment is fast and simplified, with no on-premises setup needed.

Seamless Integration with Azure and Microsoft

Microsoft Sentinel isn’t a standalone tool; it integrates with Azure services such as Microsoft Defender for Cloud (formerly Azure Security Center), and Microsoft Entra ID (formerly Azure Active Directory).

This creates a more complete security ecosystem by combining insights from different layers of the tech stack. It also integrates well with other Microsoft security tools, such as:  

  • Defender for Endpoint 
  • Microsoft Entra ID Protection 
  • Defender for Identity 
  • Defender for Office 365 
  • Defender for Cloud Apps

Fully cloud native architecture 

Sentinel is designed for the cloud, making it ideal for monitoring and securing Azure resources. It scales automatically to handle large data volumes, supporting organisations of all sizes, from small businesses to global enterprises. 

Hybrid clouds 

Sentinel integrates with on-premises systems, enabling a unified security platform across hybrid environments.

Single pane of glass 

Microsoft Sentinel provides a centralised platform to manage and monitor security across your entire infrastructure. This is especially helpful in complex environments with multiple cloud services, applications, and on-prem systems.

Customisation with data connectors, queries, and dashboards 

Sentinel supports custom data connectors, KQL queries, and dashboards, allowing security teams to tailor the platform to their specific needs.

Built-in tools for compliance and reporting 

With built-in tools for compliance tracking and audit-ready reporting, Sentinel helps organisations meet regulatory requirements without needing to consolidate data from multiple systems.

AI and Machine Learning (ML) 

Sentinel uses AI and ML to detect advanced threats and anomalies in real time. With integrations like Microsoft Security Copilot and Azure OpenAI, analysts can accelerate investigations using natural language and intelligent automation.

Automated playbooks and workflows 

Using Azure Logic Apps, Sentinel enables automated responses to common security incidents. Playbooks reduce response time and ensure consistent, effective action. 


Broad log ingestion support

Sentinel can ingest logs in virtually any format; not just Windows, Linux, CEF, or JSON. This flexibility allows it to support a wide range of systems and data sources.

End-to-end Role-Based Access Control (RBAC) 

With RBAC, users only see and access what they’re authorised to. This ensures secure, role-specific access across the platform. 


When to use Microsoft Sentinel 

Microsoft Sentinel is ideal for organisations that need a scalable, cloud-native solution to run modern security operations. Consider using Sentinel if you want to: 

  • Collect event data from various sources 
  • Detect and investigate suspicious activity 
  • Visualise logs, hunt for threats, and manage incidents 
  • Automate responses to alerts 

Sentinel is especially well-suited for organisations managing multi-cloud environments or looking to reduce the overhead of traditional SIEM tools. It integrates easily with other cloud providers (like AWS), syslog, and a wide range of data sources.

Plus, it scales automatically—no infrastructure provisioning required. 

As your security operations mature, you may identify new priorities, such as automating parts of your SOC. Sentinel supports this through automated playbooks that reduce response time and analyst fatigue. 

Note: 

If your primary focus is performance monitoring, tools like Azure Monitor and Log Analytics may be more appropriate. 

If you're looking to assess your security posture, enforce policies, or remediate misconfigurations, consider using Microsoft Defender for Cloud alongside Sentinel. You can even ingest Defender for Cloud alerts directly into Sentinel using built-in connectors. 

Microsoft Sentinel Pricing: How Much Does It Cost? 

Microsoft Sentinel charges based on the amount of data stored in your Log Analytics workspace and processed for analysis. So far this may seem straightforward, but in practice there are many caveats. 

If you check out the Microsoft official documentation page for Microsoft Sentinel Pricing, you can see two types of logs:  

  • Analytics Logs: Used for threat detection, investigation, and alerting. 
  • Basic (Auxiliary) Logs: Used for less critical data such as performance monitoring or troubleshooting. These are cheaper but have limited analytics capabilities. 

Microsoft Sentinel offers these pricing models: Pay-As-You-Go and Commitment Tiers. 

Pay-As-You-Go 

Under pay-as-you-go you pay for every gigabyte ingested, both the Microsoft Sentinel charge and the Azure Monitor Log Analytics workspace charge. The current Microsoft Sentinel price is $4.30 per GB in East US. 

Commitment Tiers 

Alternatively, you could use commitment tiers, where you pay a fixed price every day.  

The table below shows you the different commitment tiers and the potential savings compared to pay-as-you-go: 

| Tier | Microsoft Sentinel Price | Effective Per GB Price | Savings Over Pay-As-You-Go |
|---|---|---|---|
| Pay-As-You-Go | $4.30 per GB | $4.30 per GB | N/A |
| 100 GB per day | $296 per day | $2.96 per GB | 31% |
| 200 GB per day | $548 per day | $2.74 per GB | 36% |
| 300 GB per day | $800 per day | $2.67 per GB | 38% |
| 400 GB per day | $1,037.33 per day | $2.60 per GB | 40% |
| 500 GB per day | $1,265 per day | $2.53 per GB | 41% |

 

| Tier | Microsoft Sentinel Price | Effective Per GB Price | Savings Over Pay-As-You-Go |
|---|---|---|---|
| Pay-As-You-Go | $4.30 per GB | $4.30 per GB | 42% |
| 100 GB per day | $296 per day | $2.96 per GB | 44% |
| 200 GB per day | $548 per day | $2.74 per GB | 46% |
| 300 GB per day | $800 per day | $2.67 per GB | 48% |
| 400 GB per day | $1,037.33 per day | $2.60 per GB | 50% |
| 500 GB per day | $1,265 per day | $2.53 per GB | 52% |

As you can see above, cost savings can reach up to 52% when choosing commitment tiers over PAYG prices. 

That said, you also must pay for data retention: 

  • The first 90 days of data retention are free
  • After that, retaining data costs $0.10 per GB per month.
  • You can keep data in the interactive tier for up to two years. 

Once the interactive retention period ends, you have two choices: 

  • Let the data go 
  • Move it to the archive tier 

The archive tier stores data for up to seven years at a much lower cost: $0.02 per GB per month. This makes it ideal for long-term retention and compliance. 

So, what if you need to access archived data after a while? You have two options: 

  • Search Job: Scans archived data at a low cost (charged per GB scanned). 
  • Data Restore: Brings data back into the interactive tier for detailed analysis. 

But be cautious with Data Restore: 

  • It has a 12-hour minimum billing window, even if you only use it briefly. 
  • If you restore less than 2 TB, you’re still billed as if you restored 2 TB per day. 

This can lead to surprisingly high costs, especially in test or dev environments with small amounts of data. 

To cut a long story short: archival is cheap, restoration is not.  
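To make the pricing section above concrete, here is an added calculator that is not Microsoft's code or pricing engine and not from the author. It uses only the East US list prices quoted in the article (pay-as-you-go rate, commitment tiers, retention and archive rates, the 2 TB and 12-hour Data Restore minimums), assumes 30-day billing months, does not model overage above a commitment tier, and takes the per-GB-day Data Restore rate, which the article does not quote, as a caller-supplied placeholder. It goes a step beyond the article by computing the break-even ingestion volume for each tier.

```python
"""Constructed calculator for the Sentinel charges described in the article.
Not Microsoft's code or pricing engine: it uses only the East US list prices
quoted in the article, ignores overage above a commitment tier, and takes the
Data Restore rate (not given in the article) as a caller-supplied placeholder."""

PAYG_PER_GB = 4.30                      # $ per GB ingested, Pay-As-You-Go (East US, per the article)
COMMITMENT_TIERS = {                    # GB per day -> fixed $ per day (per the article's table)
    100: 296.00, 200: 548.00, 300: 800.00, 400: 1037.33, 500: 1265.00,
}
FREE_RETENTION_DAYS = 90                # first 90 days of interactive retention are free
INTERACTIVE_PER_GB_MONTH = 0.10         # $ per GB per month beyond the free 90 days
ARCHIVE_PER_GB_MONTH = 0.02             # $ per GB per month in the archive tier
RESTORE_MIN_GB = 2_000                  # Data Restore bills at least 2 TB ...
RESTORE_MIN_HOURS = 12                  # ... for at least 12 hours
DAYS_PER_MONTH = 30                     # assumption used to convert days into billing months


def effective_per_gb(tier_gb):
    """$/GB you actually pay if you fill a commitment tier exactly."""
    return COMMITMENT_TIERS[tier_gb] / tier_gb


def savings_vs_payg(tier_gb):
    """Fraction saved against Pay-As-You-Go at full tier utilisation."""
    return 1 - effective_per_gb(tier_gb) / PAYG_PER_GB


def break_even_gb(tier_gb):
    """Daily ingest above which the flat tier price beats Pay-As-You-Go."""
    return COMMITMENT_TIERS[tier_gb] / PAYG_PER_GB


def cheapest_option(daily_gb):
    """Cheapest of PAYG and the tiers that cover daily_gb (assumes no overage)."""
    options = {"Pay-As-You-Go": daily_gb * PAYG_PER_GB}
    for tier, price in COMMITMENT_TIERS.items():
        if daily_gb <= tier:
            options[f"{tier} GB per day"] = price
    label = min(options, key=options.get)
    return label, round(options[label], 2)


def retention_cost_per_gb(interactive_days, archive_days=0):
    """Lifetime $ to keep one GB: interactive beyond the free 90 days, then archive."""
    billable_interactive = max(0, interactive_days - FREE_RETENTION_DAYS) / DAYS_PER_MONTH
    return (billable_interactive * INTERACTIVE_PER_GB_MONTH
            + archive_days / DAYS_PER_MONTH * ARCHIVE_PER_GB_MONTH)


def restore_billable_gb_days(restored_gb, hours):
    """GB-days Data Restore bills: both the 2 TB and the 12-hour minimums apply."""
    return max(restored_gb, RESTORE_MIN_GB) * max(hours, RESTORE_MIN_HOURS) / 24


def restore_cost(restored_gb, hours, rate_per_gb_day):
    """$ for a restore; rate_per_gb_day is a placeholder the article does not quote."""
    return restore_billable_gb_days(restored_gb, hours) * rate_per_gb_day


if __name__ == "__main__":
    for tier in COMMITMENT_TIERS:
        print(f"{tier} GB/day: ${effective_per_gb(tier):.2f}/GB, {savings_vs_payg(tier):.0%} saved, "
              f"worth it above {break_even_gb(tier):.1f} GB/day")
    print("80 GB/day ->", cheapest_option(80))
    print("1 GB kept 1 year interactive + 6 years archive: $", round(retention_cost_per_gb(365, 6 * 365), 2))
    print("Restoring 50 GB for 1 hour bills", restore_billable_gb_days(50, 1), "GB-days")
```

The break-even figures are the practical takeaway: the 100 GB tier at $296 per day is already cheaper than pay-as-you-go once you ingest more than about 69 GB per day, so a tier can pay off well before you fill it. The restore helper shows the trap the article warns about: restoring 50 GB for an hour is billed as 1,000 GB-days because both minimums apply at once.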

Let’s now focus on when you don’t need to pay for Microsoft Sentinel.

 

Free trial (31 days) 

You can try Microsoft Sentinel free for the first 31 days. When you enable Sentinel on a new Azure Monitor Log Analytics workspace, the following benefits apply: 

  • Up to 10 GB/day of log data ingestion is free for the first 31 days 
  • Both Microsoft Sentinel and Log Analytics charges are waived during this period 
  • The free trial is limited to 20 workspaces per Azure tenant 

Note:

Usage beyond the 10 GB/day or after the 31-day period will be charged according to standard pricing. 

Charges for additional capabilities, such as automation and bring-your-own machine learning models, are not covered by the free trial and still apply.

 

Microsoft Sentinel free data sources 

These Microsoft 365 data sources are always free to ingest in Microsoft Sentinel: 

  • Azure Activity Logs 
  • Office 365 Audit Logs (SharePoint activity and Exchange admin activity) 

Security alerts from: 

  • Microsoft Defender for Cloud 
  • Microsoft 365 Defender 
  • Microsoft Defender for Office 365 
  • Microsoft Defender for Identity 
  • Microsoft Defender for Endpoint 
  • Microsoft Defender for Cloud Apps 

There are additional cost-saving benefits if your organisation is subscribed to: 

  • Microsoft 365 E5 
  • Microsoft 365 A5 
  • Microsoft 365 F5 
  • Microsoft 365 G5 

In such cases, you are eligible to receive a data grant of up to 5 MB per user per day for ingesting Microsoft 365 data into Microsoft Sentinel. 

 

Microsoft Sentinel: Is It Worth It? 

Now you know its costs, you probably wonder: “Is it worth it for small and medium-sized businesses, aka SMBs?”

The short answer: it depends.  

Many might argue that Microsoft Sentinel (and pretty much any SIEM solution in general) is too expensive for SMBs and only fits larger enterprises.  

However, it doesn’t always have to be like that; it can be cost-effective as long as it is closely managed, and cost optimisation is one of the core principles of the Azure Well-Architected Framework (WAF).  

But remember that it’s critical to understand how data ingestion is billed. As long as you're thoughtful with what you ingest, Sentinel can work, especially if you're already in the Microsoft ecosystem. 

However, the pay-as-you-go pricing per GB can add up fast if you're a smaller organisation without the scale to commit.

 

Closing thoughts 

We have shown how Microsoft Sentinel brings together data from Defender, Azure, other cloud platforms and even on-prem systems. 

As a scalable, integrated SIEM solution, it enables you to monitor and respond to threats in real time, using cloud power and AI-driven analytics – across your entire infrastructure.

It gives you a full end-to-end platform for managing your security operations. 

