01 LOG SOURCES
Where all data originates — every event, login, and alert
Azure Resources
VMs, NSGs, Key Vault, Storage (via diagnostic settings) and Azure AD (Microsoft Entra ID) sign-in and audit activity
Microsoft 365
Exchange, Teams, SharePoint, OneDrive, Defender for O365
Microsoft Defender
Defender for Endpoint, Identity, Cloud Apps
On-Premises
Windows / Linux servers, Active Directory, DNS
Network Devices
Firewalls, routers, switches — Cisco, Palo Alto, Fortinet
Third-Party / Cloud
AWS, GCP, SaaS apps, custom REST API sources
Key point: Sentinel is source-agnostic. It can ingest from virtually any platform as long as the data can be written into a table in the Log Analytics workspace, whether through a built-in connector, an agent, or the Logs Ingestion API. A source with no connector is a transport problem, not a Sentinel limitation.
▼ raw logs and events
02 DATA CONNECTORS
The bridge: collects data from each source and writes it into workspace tables
Built-in Connectors
Built-in connectors, delivered through content hub solutions, for Microsoft services and hundreds of partner products; most need only the right permissions and a click to enable
CEF / Syslog
Common Event Format and Syslog collected by the Azure Monitor Agent on a Linux log forwarder; the legacy Log Analytics agent route is retired, so new deployments should use AMA
AMA / MMA Agent
Azure Monitor Agent (AMA) on Azure VMs, Arc-enabled on-prem servers and multi-homed machines, driven by Data Collection Rules; MMA (Microsoft Monitoring Agent, the Log Analytics agent) is its retired predecessor
REST API / DCR
Logs Ingestion API: custom sources POST JSON to a Data Collection Endpoint, and a Data Collection Rule defines the target table and any KQL transformation applied on ingest
Logic App Connector
Custom ingestion pipelines built in Azure Logic Apps that pull from any REST source and write rows into a workspace table
Key point: connectors do not enforce one common schema. Each writes to its own table with its own column names (SecurityEvent, SigninLogs, CommonSecurityLog and so on), and a DCR transformation only reshapes rows on the way into a single table. One KQL query works across source types because of the Advanced Security Information Model (ASIM): query-time parsers such as `_Im_Authentication` union the source tables into a shared schema. Normalise at query time with ASIM, or at ingest time by shaping custom data to an ASIM-compatible schema with a DCR transformation.
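The difference between "one table per source" and "one schema across sources" is easiest to see side by side. The two queries below are an added example, not part of the original page or Microsoft's own content: the first has to know each native table's column names and failure codes, the second asks the built-in ASIM `_Im_Authentication` parser for the same thing across Entra ID, Windows, Linux sshd and any other source the parser covers. Run each query separately in Logs. Assumptions: the ASIM built-in parsers are available in the workspace (they are deployed with Sentinel), and the threshold of 20 failures in an hour is an arbitrary illustration.

```kql
// Query 1: native tables. Each source needs its own filter and its own column mapping.
let lookback = 1h;
union
    (SigninLogs
     | where TimeGenerated > ago(lookback)
     | where ResultType != "0"                         // Entra ID: non-zero ResultType = failure
     | project TimeGenerated, Source = "EntraID", User = UserPrincipalName, SrcIp = IPAddress),
    (SecurityEvent
     | where TimeGenerated > ago(lookback)
     | where EventID == 4625                            // Windows: failed logon
     | project TimeGenerated, Source = "Windows", User = TargetUserName, SrcIp = IpAddress)
| summarize Failures = count(), Sources = make_set(Source) by User, SrcIp
| where Failures >= 20                                   // assumption: illustrative threshold
| order by Failures desc

// Query 2: ASIM. The parser unions the same tables (plus Syslog sshd and others)
// into one schema, so the query needs no source-specific knowledge.
_Im_Authentication(starttime=ago(1h), endtime=now())
| where EventResult == "Failure"
| summarize Failures = count(), Products = make_set(EventProduct) by TargetUsername, SrcIpAddr
| where Failures >= 20                                   // assumption: illustrative threshold
| order by Failures desc
```

Adding a new authentication source to Query 1 means another `union` branch and another mapping; adding it to Query 2 means deploying that source's ASIM parser and changing nothing in the query. The `Products` column in the ASIM result tells you which sources actually contributed, which is a quick way to confirm a parser is picking up your data.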
▼ collected and ingested
03 LOG ANALYTICS WORKSPACE (LAW)
The data store — all logs live here, queried via KQL
Log Tables
SecurityEvent, SigninLogs, OfficeActivity, CommonSecurityLog, Syslog...
KQL Engine
Kusto Query Language — search, filter, join, aggregate across all tables
Data Retention
Interactive (hot) retention: 90 days free for Sentinel tables, extendable per table up to 2 years; long-term (archive) retention beyond that up to 12 years, reachable only through search jobs or restore, not ordinary queries
Workbooks
Interactive dashboards built directly on top of LAW query results
| Table | What It Contains | Common Use |
|---|---|---|
| SigninLogs | Azure AD (Entra ID) interactive user sign-ins; non-interactive, service principal and managed identity sign-ins land in the separate AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs and AADManagedIdentitySignInLogs tables, which must be enabled in diagnostic settings | Impossible travel, brute force, MFA analysis |
| SecurityEvent | Windows security event IDs | Logon events 4624/4625, privilege use |
| OfficeActivity | M365 — email, SharePoint, Teams | Mail forwarding rules, file downloads |
| AzureActivity | Azure resource changes | Who changed what in your subscription |
| CommonSecurityLog | CEF-format logs from firewalls | Network threat detection |
| ThreatIntelligenceIndicator | IOCs — IPs, domains, hashes | Matching logs against known threats |
Splunk equivalent: LAW is Splunk's index + search head combined. KQL is your SPL. Tables are your sourcetypes.
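The OfficeActivity row above lists mail forwarding rules as a common use, and that hunt is a good illustration of how the table's `Parameters` column (a JSON array of name/value pairs) has to be expanded before it can be filtered. The query below is an added example, not from the original page or from Microsoft's built-in rule set. Assumptions: `internal_domains` is a constructed placeholder list to replace with your own tenant domains, and the domain extraction is best-effort because `ForwardTo` values in inbox rules can carry display-name syntax rather than a bare address.

```kql
// Hunt: inbox rules or mailbox settings that forward or redirect mail outside the tenant.
let internal_domains = dynamic(["contoso.com", "contoso.onmicrosoft.com"]);   // assumption: replace with your domains
OfficeActivity
| where TimeGenerated > ago(7d)
| where OfficeWorkload == "Exchange"
| where Operation in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
| extend P = parse_json(Parameters)            // Parameters is a JSON array of {Name, Value}
| mv-expand P                                  // one row per parameter
| extend ParamName = tostring(P.Name), ParamValue = tostring(P.Value)
| where ParamName in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                      "ForwardingSmtpAddress", "ForwardingAddress")
| where isnotempty(ParamValue)
// "smtp:user@example.com" and "user@example.com" both yield the domain after the first '@'
| extend TargetDomain = tolower(tostring(split(ParamValue, "@")[1]))
| where isnotempty(TargetDomain) and TargetDomain !in (internal_domains)
| project TimeGenerated, Operation, Actor = UserId, Mailbox = OfficeObjectId,
          ParamName, ParamValue, TargetDomain, ClientIP
| order by TimeGenerated desc
```

A `Set-Mailbox` with `ForwardingSmtpAddress` set by an admin account is the noisier of the two paths, so in practice the actor column is the first thing to check: a user forwarding their own mailbox to a personal domain and an admin forwarding someone else's are different incidents.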
▼ Sentinel reads and analyses LAW data
04 MICROSOFT SENTINEL — SIEM + SOAR
The brain — detects threats, enriches context, raises incidents
Analytics Rules
Scheduled rules run a KQL query on a fixed period (5 minutes and up); NRT rules run a restricted query roughly every minute; Fusion, ML behaviour analytics and anomaly rules are Microsoft-managed models; Microsoft security rules promote alerts from Defender products into incidents. Each rule sets severity, entity mapping and alert grouping.
Incidents
Grouped alerts with investigation graph, entities, timeline, severity
Watchlists
CSV reference lists — VPN IPs, VIP users, known-good assets
Threat Intelligence
IOC feeds (TAXII, STIX upload, Defender TI, the upload API) land in the ThreatIntelligenceIndicator table; matching is not automatic. Scheduled "TI map" analytics rules join indicators against specific tables (SigninLogs, CommonSecurityLog, DnsEvents and others), so coverage is only as wide as the rules you enable. The table is being superseded by the STIX-shaped ThreatIntelIndicators table, so check which one your workspace populates before writing rules.
UEBA
User and Entity Behaviour Analytics — baselines normal, flags deviations
Hunting Queries
Proactive threat hunting using KQL across all historical data
Notebooks
Jupyter + Python for advanced investigation, ML, geolocation analysis
Internal flow: Analytics rule query returns rows → Alert created, with entities (user, IP, host, URL) extracted through the rule's entity mapping → Alerts grouped according to the rule's grouping settings → Incident raised with severity, status and owner → Automation rules run → Assigned to analyst → Investigation begins. Entity mapping happens at alert time, so a rule whose query does not project the mapped columns produces entity-less alerts and incidents.
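A scheduled analytics rule ties three of the components above together: the query, a watchlist used as an allow-list, and the threat intelligence table. The query below is an added example written for this page, not a built-in Sentinel rule. Assumptions: a watchlist named `KnownVpnIps` exists with its search key set to the IP column; the rule is configured to run every hour over a one-hour period; and the legacy ThreatIntelligenceIndicator table is the one populated in the workspace.

```kql
// Scheduled rule: successful Entra ID sign-ins from an IP that matches an active TI indicator,
// excluding the organisation's own VPN egress addresses. Schedule: every 1h, lookup 1h.
let dt_lookBack  = 1h;      // data window; keep equal to the rule's query period to avoid gaps or duplicates
let ioc_lookBack = 14d;     // how far back to consider indicator rows
let vpn_ips = _GetWatchlist('KnownVpnIps')        // assumption: watchlist with SearchKey = IP column
    | project SearchKey;
let ti_ips = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId     // latest version of each indicator only
    | extend TI_ip = coalesce(NetworkIP, NetworkSourceIP)
    | project TI_ip, IndicatorId, Description, ThreatType, ConfidenceScore;
SigninLogs
| where TimeGenerated >= ago(dt_lookBack)
| where ResultType == "0"                        // successful sign-ins; failed ones are a different rule
| where IPAddress !in (vpn_ips)                  // allow-list from the watchlist
| join kind=inner ti_ips on $left.IPAddress == $right.TI_ip
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, Location,
          IndicatorId, Description, ThreatType, ConfidenceScore
```

In the rule wizard, map `UserPrincipalName` to the Account entity (FullName) and `IPAddress` to the IP entity; those two columns are what let the resulting alerts group by user or address and what the investigation graph draws. Leaving the `summarize arg_max` out is a common mistake: indicators are re-ingested on refresh, so without it one sign-in matches several rows of the same indicator and the rule fires several alerts for one event.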
▼ incident triggers response
05 RESPONSE AND AUTOMATION
What happens after a threat is confirmed
Playbooks
Logic Apps workflows with the Microsoft Sentinel trigger (incident, alert or entity); run automatically through an automation rule or manually from an incident
Automation Rules
Triggered when an incident is created or updated or when an alert is created: assign an owner, set severity or status, add tags, suppress noise, or run a playbook. Rules have an order and an optional expiry.
SOAR Actions
Block IP on the firewall, disable the user or force a password reset, isolate the device in Defender for Endpoint, post to Teams or email; each action calls the target product's API under the playbook's managed identity
Example: Incident created → Automation rule fires → Playbook runs → Azure AD account disabled + SOC notified via Teams, within seconds and with no human in the loop. Two prerequisites: the playbook's managed identity needs a role on the target that allows the action (for example User Administrator in Entra ID to disable accounts), and Sentinel itself needs the Microsoft Sentinel Automation Contributor role on the playbook's resource group. Reserve destructive actions for rules with a low false-positive rate, or gate them behind an approval step in the playbook, because an auto-disable wired to a noisy rule is a self-inflicted denial of service.
▼ outputs delivered to
06 OUTPUTS
Where the results of SOC work land
SOC Dashboard
Real-time incident queue, analyst workload, alert trends
Alerts and Emails
Automated notifications to analysts, managers, on-call teams
ITSM / ServiceNow
Incidents pushed to ticketing systems for tracking and SLA management
Reports and Metrics
MTTD, MTTR, false positive rate, coverage dashboards for leadership
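The metrics named above can be computed from Sentinel's own SecurityIncident table rather than exported by hand. The query below is an added example, not part of the original page. It assumes a 30-day reporting window, treats detection time as the gap between an incident's first activity and its creation, and treats resolution time as creation to close; both definitions are choices, not Sentinel defaults, so adjust them to match how your SOC reports.

```kql
// SOC metrics for the last 30 days from the SecurityIncident table.
// Every change to an incident writes a new row, so reduce to the latest row per incident first.
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| extend
    TimeToDetect  = CreatedTime - FirstActivityTime,                 // activity seen -> incident raised
    TimeToResolve = iff(Status == "Closed", ClosedTime - CreatedTime, timespan(null))
| summarize
    Incidents       = count(),
    Closed          = countif(Status == "Closed"),
    TruePositives   = countif(Classification == "TruePositive"),
    FalsePositives  = countif(Classification == "FalsePositive"),
    BenignPositives = countif(Classification == "BenignPositive"),
    MTTD_hours      = round(avg(TimeToDetect) / 1h, 2),              // nulls are ignored by avg()
    MTTR_hours      = round(avg(TimeToResolve) / 1h, 2),
    P90_TTR_hours   = round(percentile(TimeToResolve, 90) / 1h, 2)
    by Severity
| extend FalsePositiveRate_pct = iff(Closed > 0, round(100.0 * FalsePositives / Closed, 1), real(null))
| project Severity, Incidents, Closed, TruePositives, FalsePositives, BenignPositives,
          FalsePositiveRate_pct, MTTD_hours, MTTR_hours, P90_TTR_hours
| order by Severity
```

The false-positive rate is only meaningful if analysts actually set a classification when closing; incidents closed as Undetermined inflate the denominator without telling you anything, so a companion check is `countif(Classification == "Undetermined")` per owner. The P90 column is worth more to leadership than the mean, because a handful of long-running incidents drags MTTR up while the typical case is unchanged.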