Cyber Intelligence
Security Operations · 25% of exam

L15. Microsoft Sentinel Fundamentals

Course outlineLesson 15 of 18

Microsoft Sentinel is the AZ-500's cloud-native SIEM and SOAR platform. Learn workspaces, data connectors, analytics rules, incidents, and the KQL queries the exam expects you to recognise.

What Is Microsoft Sentinel?

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution built on Azure. It collects data at cloud scale, detects threats using built-in and custom analytics rules, and automates response via playbooks.

Workspace Architecture

Sentinel is built on a Log Analytics workspace. All data flows into the workspace; KQL queries run against it. Key design considerations:

  • One workspace per environment is the most common pattern
  • Multiple workspaces are used for data sovereignty (keep EU data in EU)
  • You can query across workspaces with the workspace() KQL function

Data Connectors

Data connectors ingest logs from sources into the workspace. Types:

  • Native connectors: Microsoft 365 Defender, Entra ID, Azure Activity: one-click
  • CEF/Syslog connectors: For Linux and network devices: requires a log forwarder VM
  • API connectors: Third-party services sending logs via REST API
Exam tip: Connector enabled does not mean data is flowing. After enabling a connector, verify ingestion via the connector health dashboard.

Analytics Rules

Analytics rules run KQL queries on a schedule and create incidents when results exceed a threshold.

Rule types:

  • Scheduled: KQL runs every N minutes/hours on a lookback window
  • NRT (Near-Real-Time): Runs every minute with 5-minute latency: for high-priority detections
  • Anomaly: ML-based baselines; generates incidents on statistical deviations
  • Fusion: Correlates low-fidelity signals into high-confidence incidents

Incidents and Alerts

An Alert is a single rule firing. An Incident groups related alerts together. The exam tests: alerts alone do not create tickets. Incidents do. SOAR playbooks (Logic Apps) attach to incidents via automation rules.

Exam Focus Points
  • Sentinel is built on Log Analytics: all data is queried with KQL in the workspace
  • CEF/Syslog connectors require a log forwarder VM: native Microsoft connectors are one-click
  • Enabling a connector does not guarantee data is flowing: verify via connector health dashboard
  • Scheduled rules run on a timer; NRT rules run every minute; Fusion correlates low-fidelity signals into incidents
  • Alerts fire from rules; Incidents group related alerts. Playbooks (Logic Apps) attach to incidents via automation rules
Knowledge Check

1. What is the role of a Data Connector in Microsoft Sentinel?

2. An Analytics Rule in Sentinel generates a 'finding'. What does this become in Sentinel?

3. A Microsoft Sentinel workspace has data from 10 Azure subscriptions. Where must the Log Analytics workspace be located?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.

Start AZ-500 prep free10-day free trial available