Try Azure Sentinel Alongside Your Existing SIEM
Published Nov 07 2019 01:07 PM 6,963 Views


For the latest on integrating Azure Sentinel with your SIEM or ticketing system, read:
- Send data and notable events from Splunk to Azure Sentinel using the Azure Setninel Splunk App
- Sending alerts enriched with supporting events from Azure Sentinel to 3rd party SIEMs
- Azure Sentinel Incident Bi-directional sync with ServiceNow


If you’re using an on-prem SIEM today, you know that as your organization grows, so will the need for supporting infrastructure in your SIEM. Azure Sentinel, the first truly cloud native SIEM, helps eliminate security infrastructure set-up & maintenance, and elastically scales to meet your organization’s needs. Making the switch to a new SIEM is a big change – instead, try out Azure Sentinel by connecting your organization’s data, and you will immediately be able to gain insights into your environment: see detections in action, utilize industry-leading machine learning models to cut down on noise, and respond with detailed investigations & automated responses.

Get started with a free Proof of Concept (PoC) of Azure Sentinel today in four easy steps:

  1. Set up Azure Sentinel
  2. Connect Microsoft cloud data sources for free
  3. Utilize expert-written rules
  4. Investigate alerts & incidents


1) Set-Up Azure Sentinel

No need for complex deployments or integrations. Azure Sentinel is already available in the Azure portal and takes just a few clicks to set-up. Azure Sentinel is powered by Azure Monitor, the common log aggregator & querying tool for all applications within Azure.

  • Already have an active Azure subscription? Start here to onboard Sentinel to your instance.
  • Not using Azure, yet? No problem - sign up here for a free account Once you’ve created an account, follow the same steps above.


2) Connect your data sources

Azure Sentinel can connect to a variety of Microsoft and external sources, enabling you to monitor what matters most to your organization. Azure Sentinel’s connectors allow you to ingest data easily, without complex custom integrations or professional services.

Get your PoC started with five key connectors, providing you with correlated insights across sources. Connecting these data sources to Azure Sentinel is free, takes just a few clicks and will provide instant visibility into your environment:

Not using Microsoft cloud products, or want to connect more data to your Azure Sentinel PoC? Azure Sentinel supports both CEF and SYSLOG, enabling you to integrate virtually any log source. Additionally, Azure Sentinel provides insights beyond the Microsoft ecosystem with out-of-the-box connectors for key partners, including network appliances and other cloud services (AWS, Cisco, Palo Alto, and more).


3) Utilize Microsoft’s expert-written rules

Azure Sentinel’s detection platform correlates across log sources, to identify indicators of compromise early and cut down your team’s time to insights. Azure Sentinel’s rule-based detections are powered by the Microsoft Threat Intelligence Center (MSTIC), an industry leader in identifying & understanding emerging trends in the threat landscape. Now, your organization can benefit from their expertise, through detections & rules natively included in Sentinel.

MSTIC has written rules for the most popular data sources, including those recommended for a PoC – utilize Microsoft’s security expertise today to ensure your team is looking at relevant alerts from Day 1. The Azure Sentinel Github repository is constantly updated by the MSTIC team and the greater Sentinel community, providing critical detections for newly emerging threats.

Many of these rules are available already within the Analytics tab of Azure Sentinel. We recommend adding these rule-based detections to your PoC:

You can use these rules out of the box, or customize them for your PoC (see here for detailed instructions on how to customize alerts). Additionally, Azure Sentinel’s flexible detection platform also allows you to save time by using expert-written rules, or bringing over detections previously written for your existing SIEM. You can also convert Sigma rules for use in Azure Sentinel, or write your own custom queries. All Azure Sentinel queries are based on KQL, the query language powering Azure Monitor (Get Started With KQL).


4) Investigate within Azure Sentinel, or send alerts back to your current SIEM

Once you have configured log sources and rules, Azure Sentinel will begin to generate Incidents. You can view Incidents and investigate them directly within Azure Sentinel, where the data-rich Incident page will walk you through what events raised the initial alert, as well as related insights.

Enrich the insights you get with Azure Sentinel by bringing in alerts from your current SIEM. Azure Sentinel’s built-in machine learning models can help reduce the false positives you’re seeing in your current SIEM, and enable your security team focus on only the alerts that matter. You can connect your existing SIEM to Azure Sentinel in two ways:

  • If your current SIEM uses CEF for alerts or events, Azure Sentinel has a native CEF connector (instructions here)
  • If you are using a log forwarder, utilize the Logstash connector for Log Analytics to forward logs to Azure Sentinel (instructions and connector)

If your team is more comfortable working within your existing SIEM, Microsoft Security Graph API can serve to connect Azure Sentinel to your current toolset. Security Graph API allows you to integrate Microsoft alerts into numerous 3rd party tools, including other SIEMs. From a cost-perspective, we recommend you forward only Sentinel alerts to your existing SIEM. See here for the full list of security solutions Security Graph API supports.


Ready to see what else Azure Sentinel can do for your Security team?

Within this PoC, Azure Sentinel can automate incident responses and cut down on false positives with industry-leading machine learning models – ultimately saving your SecOps team valuable time. Go beyond rule-based detections and manual investigations with these advanced features, all available with your PoC:

Version history
Last update:
‎Nov 02 2021 05:43 PM
Updated by: