
Microsoft Sentinel and Its Components

Table of Contents
What is Microsoft Sentinel?
Components and Stages of Microsoft Sentinel
What is Microsoft Sentinel?
Microsoft Sentinel was formerly known as Azure Sentinel. It is a cloud-based SIEM (security information and event management) and SOAR (security orchestration, automation and response) tool used by security operations analysts to gather data from multiple sources and provide security insights for the corporation. Microsoft Sentinel uses Microsoft threat intelligence and machine learning to quickly detect and investigate suspicious activity and threats. It quickly detects and responds to vulnerabilities and automates security to protect your company. It combines alert detection, proactive hunting, threat visibility and threat response into one solution. Microsoft Sentinel manages all your on-premises servers, devices, applications and so on.
Microsoft Sentinel components

Data Connectors: Microsoft Sentinel contains several connectors that provide real-time connectivity for Microsoft products. These built-in connectors let users and products bring their data into Sentinel. Non-Microsoft products also benefit from out-of-the-box connectivity to the wider security ecosystem.
Workbooks: Once you have connected data sources to Microsoft Sentinel, you can monitor the data in Microsoft Sentinel workbooks. Microsoft Sentinel allows you to create custom workbooks from your data, and it also provides pre-built templates and configurable solutions for visualizing Sentinel data.
Analytics: Microsoft Sentinel uses analytics to correlate related alerts into incidents and proactively alert security personnel. Kusto Query Language (KQL) can be used to create custom rules that generate alerts in Analytics. There are many pre-built rules as well as connections to Microsoft sources such as Cloud App Security or Azure ATP.
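As an added example that is not from the original article, the following KQL query is the kind of custom scheduled analytics rule described above. It correlates several failed sign-ins for a user from one IP address with a later successful sign-in from the same IP inside the lookback window, which is worth triaging as a possible brute-force or password-spray success. It assumes the Entra ID (Azure AD) sign-in connector is enabled so the SigninLogs table is populated, and uses the standard result codes "0" (success) and "50126" (invalid username or password); the threshold and window values are constructed for illustration.

```kql
// Added example (not from the original article): a scheduled analytics rule
// query for Microsoft Sentinel. Assumes the Entra ID sign-in connector feeds
// the SigninLogs table. ResultType "0" = success, "50126" = bad credentials.
let lookback = 1h;            // constructed: match the rule's lookup period
let failure_threshold = 5;    // constructed: tune to your environment's noise
// Step 1: users with repeated credential failures from one source IP
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "50126"
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where FailedCount >= failure_threshold;
// Step 2: successful sign-ins in the same window
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress,
              SuccessTime = TimeGenerated, AppDisplayName, Location;
// Step 3: keep only successes that follow the failures from the same IP
failures
| join kind=inner successes on UserPrincipalName, IPAddress
| where SuccessTime > LastFailure
| project TimeGenerated = SuccessTime, UserPrincipalName, IPAddress,
          FailedCount, FirstFailure, LastFailure, AppDisplayName, Location
// In the rule wizard, map Account -> UserPrincipalName and IP -> IPAddress
// so the generated incident carries the entities for the investigation graph.
```

When saving this as a scheduled rule, set the run frequency and lookup period to match the 1h lookback so events are neither missed nor double-counted, and use the entity mapping so the incident's account and IP entities feed the investigation and hunting views discussed later on this page.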
Playbooks: Playbooks can interface with Microsoft services and other tools to automate security orchestration. A playbook is a set of procedures that runs in response to a signal from Sentinel. Playbooks are built on Azure Logic Apps. They are used to automate and simplify operations such as data intake, enrichment and investigation for analysts and SOC engineers.
Community: A Microsoft Sentinel community page hosted on GitHub that contains many resources for threat intelligence, automation and community contributions. It includes sample hunting queries, playbooks and workbooks, among other resources, which can be used to create alerts and respond quickly to threats in the environment.
Workspace: Also known as a Log Analytics workspace, a workspace is a storage location for data and configuration settings. Microsoft Sentinel uses it to store data from multiple sources. You can either create a new workspace for data storage or use an existing one.
Dashboard: Microsoft Sentinel’s simple dashboard allows you to view data from multiple sources and set up rules in real time. It lets security teams better understand the events generated by these services. It has the following characteristics:
Machine learning
Rule management
Resource analysis for one machine
Investigation: Microsoft Sentinel’s investigation capabilities allow you to determine the scope of a security problem and its root cause. To launch an investigation, select a specific incident. A case is the collection of all relevant evidence related to a single investigation.
Hunting: Hunting covers the proactive, manual investigations that discover and assess security vulnerabilities across your organization’s data sources. Microsoft Sentinel offers sophisticated hunting search and query tools based on the MITRE ATT&CK framework. KQL (Kus
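As an added example that is not from the original article, here is a KQL hunting query of the kind the hunting section describes. Rather than firing an alert, it baselines which executables each host has launched over the previous two weeks and surfaces those first seen in the last day, a common starting point for hunting under the MITRE ATT&CK Execution tactic. It assumes the Windows Security Events connector is enabled and process-creation auditing (event ID 4688) is turned on, so the SecurityEvent table carries NewProcessName, CommandLine and Account; the window lengths are constructed for illustration.

```kql
// Added example (not from the original article): a hunting query that finds
// processes new to a host. Assumes Windows Security Events (4688) are being
// collected into the SecurityEvent table.
let baseline_window = 14d;   // constructed: how far back "known" behaviour goes
let recent_window = 1d;      // constructed: the period being hunted
// Step 1: every (host, executable) pair seen during the baseline period
let baseline =
    SecurityEvent
    | where TimeGenerated between (ago(baseline_window) .. ago(recent_window))
    | where EventID == 4688
    | summarize by Computer, NewProcessName;
// Step 2: recent launches that have no match in the baseline (leftanti join)
SecurityEvent
| where TimeGenerated > ago(recent_window)
| where EventID == 4688
| join kind=leftanti baseline on Computer, NewProcessName
| summarize FirstSeen = min(TimeGenerated),
            Launches = count(),
            Accounts = make_set(Account, 10),
            SampleCommandLine = take_any(CommandLine)
    by Computer, NewProcessName
// Rare, newly seen binaries float to the top for the analyst to review
| order by Launches asc, FirstSeen asc
// In the Hunting blade, tag the saved query with the Execution tactic so
// results are grouped by ATT&CK technique, and bookmark rows that need a
// closer look so they can be attached to an incident.
```

A query like this is deliberately noisy compared with an analytics rule: it is meant to be run interactively, tuned with additional filters (for example excluding signed vendor updaters), and its interesting rows bookmarked into an investigation rather than raised as incidents automatically.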