In-Depth Sentinel Part 1: What is it and Why use it?
Going Cloud Native with Microsoft's SIEM and SOAR Platform
A quick note before we get started. It’s been a little over a year since my last article. A large part of my absence has been simply due to life and life changes. I purchased and moved my family into a new home. My previous job underwent many changes with my responsibilities shifting seemingly like the unpredictable nature of the wind. I left that job for a new role, a Microsoft Cloud Security consulting position at a reputable firm. Now I’m finally feeling like things have settled down to a degree where taking on some more writing might be feasible. I won’t attempt to convince you that this will be consistent and life won’t again interfere, but I will do my best to continue providing whatever I can so I can share my experiences with these amazing tools and techniques I’ve come to build a career around.
Enjoy, and thank you for reading.

What’s Microsoft Sentinel?
As organizations the world over continue to increase their adoption of cloud services, it only makes sense that security event management would require a cloud native solution as well. While AWS has tools like CloudTrail, and GCP has Chronicle, Microsoft has brought their own solution to the table. Microsoft Sentinel is a cloud native Security Information and Event Management (SIEM) platform that can ingest log data from Microsoft 365, Azure Services, Cloud Service Providers like AWS and GCP, and on-premises servers to help organizations detect and respond to potential threats in their environment.
Sentinel is packed to the brim with features like threat intelligence feeds, investigation graphs, MITRE ATT&CK coverage, automation rules, prebuilt and custom analytics, workbooks for visualization and notebooks for analysis, and the list goes on. Being cloud native also means Sentinel is scalable, removing the requirement to scale the service yourself and letting Microsoft do the heavy lifting as your SOC and telemetry expand. There are even AI and machine learning features baked in to enrich alert data and aid in event correlation.
All that to say, Microsoft Sentinel is great on paper, and certainly an enticing option if you’re considering leaving your current SIEM for a more cloud-centric approach. But why might you actually consider using it? When does it make sense? Let’s talk about it.
When and Why to use Microsoft Sentinel?
Organizations looking to either implement a SIEM for the first time or move away from their existing SIEM to something new can feel inundated by the number of choices that exist. A simple Google search for “SIEM tools” would give you:
Microsoft Sentinel (duh)
Splunk
Exabeam
CrowdStrike Next-Gen SIEM
Elastic SIEM
Google Chronicle
AWS CloudTrail and GuardDuty (I guess these together are kind of a SIEM solution? I can’t be sure…)
And on, and on, and on….
This list is only a fraction of the available offerings on the market today, and if you were left to figure out which one you needed, you’d be reviewing offerings and doing demos for weeks. There also isn’t a one-size-fits-all solution, as every organization has different and unique requirements that will weigh heavily on their final decision. To help you determine if Microsoft Sentinel is a good choice for your organization, I’ve come up with a few criteria that might put Sentinel at the top of the list:
Your organization heavily uses Microsoft 365 and Azure.
This one might seem obvious to most, and that’s probably a good thing. It goes without saying that if you’ve already heavily invested in M365 for collaboration, and are building your applications in Azure, having Sentinel as your SIEM only makes sense. With all the first-party Data Connectors Microsoft has created for ingesting log data from Microsoft services, integration with Microsoft XDR, and Microsoft Automation, Sentinel is a great choice for organizations that are already deeply invested in Microsoft’s cloud.
You want your Cloud Provider to automatically scale your SIEM
While this feature may not be unique to Sentinel itself, it’s still a point in its favor. SIEM solutions running in on-premises environments are entirely managed by the IT team, which eventually has to build multiple servers and manage vast amounts of storage. Solutions running on virtualized cloud infrastructure like AWS EC2 or Azure VMs still have similar issues, even if the virtual infrastructure is handled for you. Log Analytics Workspace, the underlying log management solution that Sentinel sits on top of, is a Platform-as-a-Service offering that removes the need for organizations to manage the infrastructure and scaling, and instead lets you focus on collecting the log data you need and building alerts in Sentinel to identify threats. Don’t get me wrong, there’s still a cloud consumption cost associated with using Log Analytics and Sentinel, but the convenience of having a scalable SIEM that grows as you do can make that tradeoff worthwhile.
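The “building alerts in Sentinel” part of this section, and the “custom analytics” mentioned earlier under “What’s Microsoft Sentinel?”, both come down to writing a Kusto Query Language (KQL) query over tables in the Log Analytics workspace and scheduling it as an analytics rule. The query below is an added illustration, not code from this article or from Microsoft. It assumes the Microsoft Entra ID data connector is populating the standard SigninLogs table; the lookback window, the distinct-account threshold, and the severity cut-off are made-up values you would tune for your own environment.

```kql
// Added example (not from the article): a scheduled analytics rule query that
// flags a single source IP failing to sign in as many different accounts in a
// short window, a pattern defenders commonly watch for in SigninLogs.
// Assumptions: SigninLogs is populated by the Entra ID connector; thresholds
// below are placeholders to tune per environment.
let lookback = 1h;                  // assumed window; match it to the rule's query period
let distinct_user_threshold = 10;   // assumed threshold for distinct accounts per IP
SigninLogs
| where TimeGenerated > ago(lookback)
// ResultType "0" is a successful sign-in; any other value is an error code
| where ResultType != "0"
| summarize
    FailedAttempts = count(),
    DistinctUsers  = dcount(UserPrincipalName),
    Users          = make_set(UserPrincipalName, 25),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
    by IPAddress
| where DistinctUsers >= distinct_user_threshold
// Assumed severity split so the rule can surface the noisiest sources first
| extend Severity = iff(DistinctUsers >= 50, "High", "Medium")
| project-reorder IPAddress, DistinctUsers, FailedAttempts, FirstSeen, LastSeen, Users, Severity
```

You can paste this into the Logs blade to test it against historical data before turning it into a scheduled rule. When you do create the rule, set its query frequency and lookback to match the window used in the query, map IPAddress to the IP entity so the investigation graph can pivot on it, and consider grouping alerts by IPAddress so one noisy source produces a single incident rather than one per run.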
You want a thriving marketplace of third-party connectors
Chances are, if your organization is a large one, Microsoft first-party connectors aren’t the only ones you need. Maybe you have on-premises firewalls to monitor. A Secure Web Gateway solution. Maybe you even want to monitor your other Cloud Service Provider accounts. Sentinel has you covered. With hundreds of connectors and various solutions supporting them, Sentinel can ingest information from a huge variety of sources, alert on activity, visualize the data with workbooks, and more. Can’t find a connector that suits your needs? Reach for Microsoft’s Codeless Connector Framework (CCF) and build the connector you need.
Microsoft Sentinel has a bright future
Microsoft Sentinel has grown a lot over the years. I was first introduced to it in 2021 while still on active duty in the Navy. We were migrating the Navy away from our legacy on-premises infrastructure and into the cloud, desperately seeking a way to improve collaboration during the pandemic. With a large-scale migration like that comes a need to monitor for potential threats. When I got my hands on Sentinel back then, I got a glimpse into the promise that Microsoft was trying to make. Observe activity across all your environments, in near real time, and hunt threats in a solution that will grow with you. Now in 2025, Microsoft Sentinel continues to aid organizations in that same goal, with better tools and integrations, with advanced AI and machine learning, and so much more on the way.
Thanks for tuning in! If this helped you out, let me know! In Part 2, we will be covering the different considerations organizations should make when deploying Sentinel for the first time. Hope to see you there!