Microsoft Azure · Software · YoctoIT tech page

Sentinel

The cloud-native SIEM/SOAR: collection, correlation and automated response at cloud scale, paying for what you ingest.

FOCUS · THE SIEM WITHOUT IRONLogs of everything, rules that matter and playbooks that respond: the SOC on Azure
YoctoIT material for clients and partners · Microsoft, Azure, Entra, Defender and the other products mentioned are trademarks of Microsoft Corporation.
01 · What it is

Microsoft Sentinel, made clear.

Sentinel is the SIEM born in the cloud: ready connectors for Microsoft and third parties, analytics rules and machine learning to correlate, hunting with KQL, and Logic Apps playbooks automating the response. No appliances to size: it scales with the logs, and you pay for ingest — which must be governed.

300+
ready connectors: from M365 to firewalls, from clouds to SAP
KQL
the hunting language: powerful questions over billions of events
SOAR
automatic playbooks: enrich, contain, notify hands-free
Microsoft Sentinel
OFFICIAL MICROSOFT BRANDING · SENTINEL
CONSOLE REALE · MICROSOFT SENTINEL DASHBOARD · FONTE: MICROSOFT LEARN
REAL CONSOLE · MICROSOFT SENTINEL DASHBOARD · SOURCE: MICROSOFT LEARN
02 · How to use it well

The things that make the difference.

The flow

Sources: cloud, on-prem, SaaSeverything that logs
Ingest & parsing
Analytics rules
Incidents
collect · correlate · decide
SOAR playbooksthe response that starts on its own
Log Analytics workspacethe log lake, with chosen retention
From log to action, in one flow

Governed ingest

The cloud SIEM is paid by the GB: filters, basic tiers and differentiated retention keep the bill sensible.

Tailored rules

Analytics rules adapted to YOUR environment: fewer false positives, more signal.

Response playbooks

Confirmed phishing disables the user and opens the ticket: at night the playbook works.

OT and SAP use cases

The connectors for the factory and the ERP: the SIEM that sees where others don't look.

03 · In depth

Ingest, analytics and SOAR, seriously

Sentinel now lives in the Defender portal: data connectors (native, S3, API) feed the Log Analytics workspace; tiers (Analytics vs Basic vs Auxiliary logs) and DCR transformations cut ingest costs; analytics rules (scheduled, NRT, UEBA) generate incidents enriched by entities; Logic Apps playbooks automate containment and notification; workbooks tell the story. The content repository (solutions) brings vendor-ready rules.

  • Log tier — Analytics for the security-relevant, Basic/Aux for the volume: the bill is designed
  • DCR transform — filters and parsing at the entrance: only what's needed gets in
  • NRT rules — near-real-time rules for the signals that can't wait
  • UEBA — behavioral baselines on users and hosts: the contextual anomaly
  • Playbook — disable user, isolate host, open ticket: at night Logic Apps works
  • Content hub — solutions for M365, firewalls, SAP: ready rules and workbooks
04 · Numbers and lifecycle

The numbers that matter.

300+
the connectors in the catalog
90 gg
retention included (up to 12 years with archive)
-50%
the typical ingest saved with tiers and DCRs done right
SAP
the dedicated connector: the SIEM that sees the ERP too
A cloud SIEM is judged on rules and the bill: our tuning, tiers and playbooks — the signal rises, the ingest drops.
05 · Use cases

Where it really pays off.

Corporate SOC

The heart of security monitoring, without infrastructure.

Log compliance

Retention and searches for NIS2, GDPR, audits.

MSSP-ready

Multi-tenant and separate workspaces: the model we serve clients with.

A SIEM is worth the rules it holds and who watches it: Sentinel with our content and our watch.