Tools
T1654Azure Sentinel
Microsoft Azure Sentinel (cloud-native SIEM) — built-in analytics rules, UEBA, fusion detections, playbook automation (Logic Apps), and how to hunt in Sentinel using KQL.
View on Graph
What Azure Sentinel Is and Where It Fits
Azure Sentinel (now called Microsoft Sentinel) is a cloud-native SIEM and SOAR platform. Unlike traditional SIEMs that require provisioning servers and managing infrastructure, Sentinel is fully SaaS — you pay for data ingestion and get the analytics engine, storage, and automation built in.
- Sentinel runs on Azure Log Analytics workspaces. All log data is stored in tables —
SecurityEvent,SigninLogs,AzureActivity,CommonSecurityLog,DeviceEvents— and queried with KQL. - Sentinel ingests data from Microsoft sources (Microsoft 365 Defender, Azure AD, Azure Activity, Microsoft Defender for Cloud) and third-party sources (Syslog, CEEE, Windows Event Forwarding, AWS CloudTrail, GCP logs).
- The key difference from Splunk: Sentinel does not have its own search-time indexing. All queries use KQL. Data is stored in a columnar store (Azure Data Explorer technology) and queried at read time. This makes storage very cheap but means KQL optimization matters.
MITRE ATT&CK maps log enumeration to T1654. Sentinel’s strength is that it enumerates across Microsoft’s entire security stack — Defender, Azure AD, and cloud infrastructure.
Log Ingestion — What Goes Where
Sentinel organizes data into Log Analytics tables. Each table has a schema defined by the connector.
| Data Source | Table Name | Connector | Key Columns |
|---|---|---|---|
| Windows Security Events | SecurityEvent | Windows Security Events via AMA (Azure Monitor Agent) | EventID, Account, Computer, ProcessName, CommandLine |
| Windows Events (custom) | Event | AMA or Windows Event Forwarding | EventLog, EventID, Computer, EventData |
| Azure Activity Log | AzureActivity | Azure Activity (built-in) | Caller, OperationName, Resource, Status |
| Azure AD Sign-ins | SigninLogs | Azure AD (Microsoft Entra ID) connector | UserPrincipalName, AppDisplayName, IPAddress, Status |
| Azure AD Audit | AuditLogs | Azure AD connector | ActivityDisplayName, TargetResources, InitiatedBy |
| Microsoft 365 Defender | DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents | Microsoft 365 Defender connector | DeviceName, FileName, ProcessCommandLine, RemoteIP |
| Syslog | Syslog | Syslog connector (AMA or legacy OMS agent) | Facility, SeverityLevel, SyslogMessage, Computer |
| CEEE (Common Event Format) | CommonSecurityLog | CEEE connector | DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort |
| AWS CloudTrail | AWSCloudTrail | AWS connector | EventName, UserIdentityType, SourceIPAddress, AwsRegion |
| Azure Firewall | AzureDiagnostics | Azure Firewall | msg_s, src_ip_s, dst_ip_s, dst_port_d |
| Office 365 | OfficeActivity | Office 365 connector | Operation, UserId, Workload, ItemName |
| DNS | DnsEvents | DNS Analytics solution | ClientIP, QueryName, QueryType, ResultCode |
| Threat Intelligence | ThreatIntelligenceIndicator | Threat Intelligence import from MISP and other feeds | ThreatType, Description, NetworkIP, NetworkDomain |
Data Retention and Cost
| Tier | Retention | Cost | When to Use |
|---|---|---|---|
| Free | 31 days (Azure AD logs only) | $0 | Trial, small environments |
| Pay-as-you-go | 90 days default, up to 2 years | ~$2.30/GB ingested | Most production environments |
| Commitment tiers | Same as pay-as-you-go | 15-50% discount | High-volume (100+ GB/day) |
| Archived logs | Up to 7 years | Low-cost storage | Compliance, long-term retention |
Built-In Analytics Rules
Sentinel comes with hundreds of built-in analytics rules organized by MITRE ATT&CK tactic. These rules are Microsoft’s detection engineering — tuned for common attack patterns.
Rule Types
| Rule Type | Description | Example |
|---|---|---|
| Scheduled | Runs a KQL query on a schedule. Most common rule type. | ”Failed logins > 10 in 5 minutes” |
| Near-real-time (NRT) | Runs every minute with low latency. | ”Malware detected on endpoint” |
| Fusion | ML-based correlation across multiple signals. | ”User downloaded file from Tor, then accessed sensitive data, then exfiltrated via email” |
| ML Behavior Analytics | User and entity behavioral analytics (UEBA). | ”User logs in from unusual location and performs unusual data access” |
| Microsoft Security | Import alerts from Microsoft security products. | ”Microsoft Defender for Endpoint alert” |
| Anomaly | Time series anomaly detection. | ”Unusual volume of failed logins” |
High-Value Built-In Rules
| Rule Name | MITRE Tactic | Detection Logic |
|---|---|---|
| Multiple failed logins from a single source | Credential Access | count(EventID=4625) > 5 in 5 minutes from same IP |
| Successful login after multiple failures | Credential Access (brute force success) | Failed tries → 4624 from same account |
| Account creation and deletion in short time | Persistence | 4720 followed by 4740 within 1 hour |
| Admin group modification | Privilege Escalation | 4728, 4732, 4746, 4751, 4756 |
| Suspicious PowerShell command line | Execution | PowerShell with -EncodedCommand, Invoke-, DownloadString |
| Network connection to countries not in allow list | Command and Control | DestinationIP geolocation mismatch |
| Ransomware detection (file rename storm) | Impact | > 100 file create/modify events in 5 minutes |
| DNS tunneling detection | Command and Control | High volume of TXT queries, long subdomain names |
Rule Tuning — What Every Analyst Should Know
| Tuning Parameter | Purpose | Example |
|---|---|---|
| Query schedule | How often the rule runs | Every 5 minutes, look back 15 minutes |
| Alert threshold | Minimum number of results to fire | ` |
| Entity mapping | Which fields define the alert entities | Account, Host, IP |
| Tactics and techniques | MITRE ATT&CK mapping | tactics: ["CredentialAccess"], techniques: ["T1110"] |
| Alert details | Dynamic alert content | AlertDisplayName = "Brute Force from " + IPAddress |
Custom Analytics Rule Template
// Custom rule: Detect brute force success
let threshold = 10;
let timeWindow = 15m;
let FailedLogins = SecurityEvent
| where TimeGenerated > ago(timeWindow)
| where EventID == 4625
| summarize FailedCount = count() by Account, Computer;
let SuccessfulLogins = SecurityEvent
| where TimeGenerated > ago(timeWindow)
| where EventID == 4624
| distinct Account, Computer;
FailedLogins
| where FailedCount > threshold
| join kind=inner SuccessfulLogins on Account, Computer
| project Computer, Account, FailedCountIncident enrichment: Sentinel can enrich alerts with:
- Threat intelligence match — is the IP in a known threat feed?
- UEBA profile — is this behavior normal for this user?
- Asset information — is this server critical, sensitive, or public-facing?
- Watchlist lookup — is this user in the “high-value targets” list?
UEBA — User and Entity Behavioral Analytics
UEBA builds behavioral profiles for users and entities (devices, IPs, applications) and detects anomalies.
What UEBA Tracks
| Profile Type | Data Considered | Anomaly Detection |
|---|---|---|
| User | Login times, locations, devices, applications, data access, peer group | Login from unusual location, unusual time, unusual data access |
| Device | Network connections, logged-on users, running processes, installed software | Unusual outbound connections, unusual process tree |
| IP | Geolocation, ASN, connection frequency | First-time connection to internal resource |
| Application | Usage patterns, data access, authentication methods | Unusual admin actions, unusual data volume |
UEBA Detection Examples
| Anomaly | What It Detects | Typical Alert |
|---|---|---|
| Unusual login location | Stolen credentials used from attacker’s location | ”User logged in from [Country] which is not their usual location” |
| Impossible travel | Two logins in 5 minutes from geographically distant locations | ”Impossible travel detected — user logged in from US and China within 5 minutes” |
| Mass download | Exfiltration of data from SharePoint, OneDrive, or SaaS app | ”User downloaded 5000 files in 15 minutes” |
| Unusual admin actions | Privilege escalation or backdoor creation | ”User performed admin action they have never done before” |
| Unusual app access | Attacker using credentials to access unfamiliar applications | ”User accessed application for the first time in 90 days” |
Fusion Detections
Fusion is Sentinel’s ML-based correlation engine. It combines signals across the Microsoft security ecosystem to detect multi-stage attacks.
How Fusion Works
Fusion correlates alerts from:
- Microsoft Defender for Endpoint (endpoint detections)
- Microsoft Defender for Identity (AD identity detections)
- Microsoft Defender for Cloud Apps (SaaS application detections)
- Azure AD Identity Protection (authentication risk detections)
- Custom analytics (your scheduled and NRT rules)
Example Fusion detection chain:
1. Azure AD → "User logged in from Tor exit node" (Identity Protection)
2. Defender for Cloud Apps → "User downloaded company SharePoint to unmanaged device"
3. Defender for Endpoint → "Device running suspicious PowerShell"
→ Fusion correlates these → "Multi-stage supply chain or insider threat incident"Fusion Alert Categories
| Category | Signal Combination | Scenario |
|---|---|---|
| Credential theft | Identity Protection (risky sign-in) + Azure Activity (unusual RBAC change) | Stolen creds used to escalate in Azure |
| Ransomware | Defender for Endpoint (ransomware alert) + Defender for Identity (lateral movement) | Endpoint encrypted after lateral movement |
| Data exfiltration | Defender for Cloud Apps (mass download) + Defender for Identity (unusual app access) | User exfiltrating data from unusual app |
| Insider threat | Defender for Cloud Apps (data download) + UEBA (unusual behavior) | User accessing data outside their pattern |
Playbooks — SOAR Automation
Sentinel playbooks are built on Azure Logic Apps. They automate incident response actions without writing code.
Playbook Triggers
| Trigger | When It Runs | Use Case |
|---|---|---|
| Alert created | A new alert fires | Send alert to Teams/Slack, create ticket, start investigation |
| Incident created | Multiple alerts grouped into an incident | Assign owner, set severity, create Jira/ServiceNow ticket |
| Entity updated | Entity status changes (user disabled, IP blocked) | Update related incidents, notify stakeholders |
Common Playbook Actions
| Action Category | Example Actions |
|---|---|
| Investigation | Enrich IP with VirusTotal/AbuseIPDB, look up user in Azure AD, check device compliance |
| Containment | Disable user account, isolate device via Defender for Endpoint, block IP on firewall |
| Remediation | Remove user from group, reset password, delete malicious file |
| Notification | Post to Teams/Slack channel, send email to SOC manager, create ServiceNow ticket |
| Approval | Request manager approval before containing an account |
Sample Playbook Flow
1. Trigger: Incident created ("Multiple failed logins")
2. Action: Enrich source IP → VirusTotal lookup
3. Action: Check user in Azure AD → MFA status, last login, group membership
4. Condition: If IP is known malicious → "HIGH" severity; if IP is unknown → "MEDIUM"
5. Action: Create ServiceNow incident with enriched data
6. Action: Post alert details to SOC Teams channel
7. Action: (Approval step) "Block source IP?" — waits for analyst approval
8. Action: If approved → Add firewall block rule via Azure FirewallPopular Playbook Templates
| Template | Connectors Used | Description |
|---|---|---|
| IP Enrichment | VirusTotal, AbuseIPDB, OTX AlienVault, GreyNoise | Enrich alert IP with threat intelligence |
| User Enrichment | Azure AD, Microsoft Graph, Teams | Get user details, manager, group memberships |
| Account Isolation | Defender for Endpoint, Intune | Isolate compromised endpoint |
| Email Quarantine | Exchange Online, Defender for Office 365 | Move suspicious email to quarantine |
| Jira/ServiceNow | Jira, ServiceNow | Create ticket with incident details |
Hunting in Sentinel
Hunting is the proactive phase — searching for threats before they trigger alerts. Sentinel provides a dedicated hunting interface.
Hunting Workflow
1. Choose a hunting query → Built-in or custom KQL query
2. Run the query → Returns potential findings
3. Bookmark findings → Tag suspicious events for investigation
4. Create livebook → Document the hunting session, findings, and actions
5. Convert to analytics rule → Turn a successful hunting query into an alertBuilt-In Hunting Queries
| Query | Table | What It Finds |
|---|---|---|
| Pass-the-Hash detection | SecurityEvent | EventID 4624 LogonType 3 + EventID 4776 — NTLM auth anomalies (also detectable with BloodHound |
| PowerShell without commandline logging | SecurityEvent | EventID 4688 with empty CommandLine — disabled logging |
| Service account interactive login | SecurityEvent | EventID 4624 LogonType 2 where Account ends with $ |
| New user created on server | SecurityEvent | EventID 4720 on non-DC servers |
| Process injection (cross-session) | SecurityEvent + DeviceEvents | Process in session 1 injecting into session 2 — similar to Cobalt Strike techniques |
| TS Licensing abuse (BEc) | OfficeActivity | Email forwarding rule created, then mailbox access |
| Shadow admin in Azure | AzureActivity | User added to privileged role without PIM activation |
| Containerd application insider access | OfficeActivity | User accessing SharePoint after leaving org (AD disable but no app revoke) |
Related
- CyberChef — detection and response for T1654 techniques
- Elastic Security — detection and response for T1654 techniques
- Log Sources Overview — covers the log sources overview concepts
- MFA Fatigue — detection and response for T1110.004, T1621 techniques
- MITRE ATT&CK for Triage — covers the mitre att&ck for triage concepts