LAYER 1 - DATA SOURCES (What generates logs)
RAW LOG SOURCES
  Endpoints & VMs (COMPUTE): Windows, Linux, Azure VMs, on-prem servers
  Network Devices (NETWORK): Firewalls, NSGs, VPN Gateways, routers
  Azure AD / Entra ID (IDENTITY): Sign-in logs, audit logs, risky users
  Microsoft 365 (SaaS): Exchange, Teams, SharePoint, Defender
  3rd Party Apps (EXTERNAL): Palo Alto, Okta, AWS, GCP, custom apps
Logs and events from these sources are ingested via connectors.
LAYER 2 - DATA CONNECTORS (The ingestion bridge)
DATA CONNECTORS
  Microsoft Native Connectors (BUILT-IN): Azure AD, Defender, M365, Activity Logs; one-click enable
  CEF / Syslog (AGENT-BASED): Linux agent forwards Syslog/CEF from firewalls and appliances
  REST API / DCR (CUSTOM): Data Collection Rules push custom log formats via HTTPS
  Content Hub Connectors (MARKETPLACE): AWS, GCP, Okta, Palo Alto, Cisco; from the Sentinel marketplace
LAYER 3 - LOG ANALYTICS WORKSPACE (The database engine)
LOG ANALYTICS WORKSPACE (LAW)
Core Storage Engine: all logs land here first
  Log Tables (TABLES): SecurityEvent, SigninLogs, AzureActivity, CommonSecurityLog, Syslog, ...
  KQL Query Engine (KQL): Kusto Query Language; search, filter, aggregate, and join log data
  Data Retention (STORAGE): Hot tier (interactive) and Cold tier (archive); cost-controlled retention
  Data Collection Rules (DCR) (TRANSFORM): Filter, transform, and route data before it hits the workspace. Reduce cost by dropping noise.
  Ingestion & Pricing (BILLING): Pay-per-GB or Commitment Tiers. Basic Logs tier for high-volume, low-priority data.
Sentinel sits on top of LAW and adds SIEM/SOAR capabilities.
LAYER 4 - MICROSOFT SENTINEL (The SIEM + SOAR engine)
MICROSOFT SENTINEL
SIEM · SOAR · THREAT INTELLIGENCE · AI/ML
  Analytics Rules (DETECTION): Scheduled KQL queries, Microsoft rules, ML-based anomaly detection, NRT (near real-time)
  Incidents (TRIAGE): Alerts grouped into incidents. Assigned to analysts. Tracks investigation status.
  Investigation Graph (INVESTIGATE): Visual map of entities, alerts, and relationships for an incident
  Threat Intelligence (TI MATCHING): IOC matching (IPs, domains, file hashes) from MDTI and 3rd party TI feeds
  Entity Behavior (UEBA): Builds behavioral baselines for users, hosts, IPs. Scores anomalies automatically.
  Hunting (HUNT): Pre-built and custom KQL hunting queries. Livestream. Bookmark findings.
Incidents then flow into automated response and the analyst workflow.
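As an added example (not part of the original diagram), this is the kind of scheduled KQL query that runs in the Layer 3 query engine and backs a Layer 4 analytics rule. It reads the SigninLogs table named in the Log Tables card and flags a single source IP that fails sign-ins against many distinct accounts within an hour. The lookback window, the thresholds, and the bin size are assumptions a SOC would tune to its own baseline; the table and column names are the standard Entra ID sign-in schema.

```kql
// Added example, not from the original page: a scheduled analytics rule query
// over SigninLogs. Thresholds below are assumptions, not Microsoft defaults.
let lookback = 1h;             // rule run frequency / query window (assumed)
let minFailures = 20;          // failed attempts per IP per hour (assumed)
let minDistinctUsers = 10;     // distinct accounts targeted per IP (assumed)
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"      // ResultType "0" is a successful sign-in; anything else failed
| summarize FailedAttempts = count(),
            TargetedUsers  = dcount(UserPrincipalName),
            SampleUsers    = make_set(UserPrincipalName, 20)
          by IPAddress, bin(TimeGenerated, 1h)
| where FailedAttempts >= minFailures and TargetedUsers >= minDistinctUsers
| project TimeGenerated, IPAddress, FailedAttempts, TargetedUsers, SampleUsers
```

When saved as a scheduled analytics rule, the query runs on the Layer 3 workspace at the chosen frequency, each result row becomes an alert, and Sentinel groups alerts into incidents for the Layer 4 triage and investigation cards above. Mapping the IPAddress column to the IP entity in the rule's entity mapping is what lets the investigation graph and UEBA correlate the alert with other activity from the same address.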
LAYER 5 - SOAR & AUTOMATION (Respond automatically)
AUTOMATION & RESPONSE
  Automation Rules (ORCHESTRATE): Auto-assign, auto-close, or trigger playbooks based on incident conditions
  Playbooks (Logic Apps) (PLAYBOOK): Azure Logic Apps workflows; block IP, disable user, send Teams alert, create ticket
  Logic App Connectors (INTEGRATE): ServiceNow, Jira, Slack, Teams, email; 400+ connectors available
  Microsoft Copilot for Security (AI/ML): AI assistant; summarize incidents, explain KQL, suggest remediation steps
The analyst workbench and reporting tools sit on top of this layer.
LAYER 6 - ANALYST WORKBENCH (What analysts see and use daily)
ANALYST FRONT-END TOOLS
  Workbooks (DASHBOARDS): Azure Monitor Workbooks; custom dashboards, charts, visual reports from KQL
  Watchlists (ENRICH): Upload CSV lists (VIP users, trusted IPs, asset inventory) to enrich alerts
  Notebooks (Jupyter) (ADVANCED): Python + KQL in Jupyter notebooks for advanced threat hunting and data science
  Content Hub (SOLUTIONS): Install solution packs: connectors + rules + workbooks + playbooks bundled together
SUPPORTING AZURE SERVICES (Infrastructure Sentinel depends on)
AZURE PLATFORM DEPENDENCIES
  Azure Key Vault (SECRETS): Store connector API keys, playbook secrets, and credentials securely
  Azure RBAC (ACCESS): Sentinel Reader, Responder, Contributor roles; control analyst permissions
  Azure Storage / ADX (ARCHIVE): Archive logs to Storage Account or Azure Data Explorer for long-term retention
  Azure Activity Log (AUDIT): Audit trail for all Sentinel config changes, rule edits, playbook runs