Microsoft Sentinel Deployment Guide: Workspace Design, Data Connectors, and Detection Rules

Microsoft Sentinel is deployed on top of an Azure Log Analytics workspace. The workspace design decision, specifically whether to use a single workspace or multiple workspaces, affects cost, performance, data sovereignty, and cross-workspace query capability. Making the right architecture decision at the start is far easier than migrating workspaces later.

Single workspace architecture: The default and recommended architecture for most organizations. All data from all regions, business units, and data sources flows into a single Log Analytics workspace with a single Sentinel deployment. Benefits: simplified management (one rule set, one playbook library, one cost center), better cross-data-source correlation (KQL queries can join across all tables without cross-workspace syntax), and lower operational overhead. Limitations: data sovereignty requirements that prohibit certain data from leaving a jurisdiction may force a regional workspace split, and very high-value environments where strict data access segregation between SOC teams is required may need workspace separation.

Multi-workspace architecture: Multiple Log Analytics workspaces, each with its own Sentinel deployment, connected via Sentinel's workspace manager (in preview as of early 2026) or cross-workspace KQL queries using the workspace() function. Use cases: organizations with GDPR or data residency requirements (EU data must stay in the EU, so a separate EU workspace is required), large MSPs managing multiple customer Sentinel instances (each customer gets their own workspace), and organizations with strict SOC-level data access controls between business units.

Retention and cost tiering: Log Analytics workspaces support two data tiers: Analytics Logs (hot tier, fully queryable, $2.30-2.76/GB ingestion, 90-day interactive retention included) and Basic Logs (cheaper ingestion at $0.50/GB, 8-day interactive retention, limited KQL operators, requires an explicit query to retrieve older data). For high-volume, low-value tables (raw verbose firewall logs, Windows Security Event logs for non-critical event IDs), configuring tables to use the Basic Logs tier reduces ingestion cost by 70-80% while retaining the data for compliance.

Archive tier (cold storage) extends retention at $0.02/GB/month for data beyond the hot retention period, accessible via asynchronous search jobs rather than real-time KQL queries. For organizations with 1-year or 7-year compliance retention requirements, the archive tier makes long retention economically viable.

Commitment Tiers: Sentinel and Log Analytics both support Commitment Tier pricing: committing to a minimum daily ingestion volume in exchange for a per-GB discount of 30-65% compared to Pay-As-You-Go. The 100 GB/day Commitment Tier is the first threshold (commonly the right entry point for enterprises with over 5,000 users). Sentinel's Commitment Tier pricing mirrors the Log Analytics tier structure. Calculate expected ingestion volume from all data connectors before purchasing a Commitment Tier; use the Azure Cost Management + Billing workspace insights to project costs based on current ingestion rates.

Microsoft Sentinel's content hub contains over 200 data connectors, but ingestion priority matters enormously for both security coverage and cost management. The following priority ordering reflects security value and is designed to produce the highest coverage for the lowest incremental cost in a Microsoft-heavy environment.

Priority 1: Microsoft 365 Defender connector This single connector provides the most security coverage per integration effort of any Sentinel connector. It ingests:

• Microsoft Defender for Endpoint: DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceLogonEvents (rich endpoint telemetry)
• Microsoft Defender for Office 365: EmailEvents, EmailAttachmentInfo, EmailUrlInfo, AlertEvidence
• Microsoft Defender for Identity: IdentityDirectoryEvents, IdentityLogonEvents
• Microsoft Defender for Cloud Apps (MDCA): CloudAppEvents, alerts from MDCA policies

Configuration note: when enabling the Microsoft 365 Defender connector, choose whether to make Sentinel or the Defender portal the primary incident management interface. Bi-directional sync keeps incidents in sync across both portals, but analyst workflow should be consistent.

Priority 2: Azure Active Directory Enable SigninLogs (interactive user sign-ins), AADNonInteractiveUserSignInLogs (service principal and silent sign-ins), AuditLogs (directory changes: user creation, group membership, application consent), and AADServicePrincipalSignInLogs. Identity telemetry from Azure AD is the foundational data source for account compromise detection, impossible travel rules, and privilege escalation detection.

Priority 3: Azure Activity Azure Activity logs capture all control-plane operations in your Azure subscription: resource creation and deletion, role assignments, policy changes, and diagnostic setting modifications. This data is essential for detecting unauthorized Azure resource provisioning (cryptomining, data exfiltration infrastructure) and privilege escalation in the Azure RBAC model. Azure Activity is very low volume (typically under 1 GB/day for most organizations) and nearly always worth enabling.

Priority 4: Microsoft Defender for Cloud Defender for Cloud security alerts cover Azure resource security misconfigurations, network threat detection (Azure DDoS, suspicious network traffic), and container/Kubernetes threats. This connector is low volume (alerts only, not raw telemetry) and provides broad Azure posture visibility.

Priority 5: Office 365 The OfficeActivity table captures Exchange Online (email delivery, forwarding rules, mailbox access), SharePoint Online (file operations, sharing, external access), and Teams (message events, external invitations). Exchange forwarding rule creation (used in business email compromise) and SharePoint mass download events (data exfiltration) are high-priority detection scenarios from this source.

Priority 6: Primary EDR and network security tools After the Microsoft ecosystem is connected, prioritize your primary endpoint security product (CrowdStrike, SentinelOne, Trend Micro) and primary network security tool (next-generation firewall, proxy/SWG). These are typically the highest-volume non-Microsoft sources and require ingestion volume planning to manage cost.

Sentinel's analytics rules are the detection engine. Without deployed and tuned rules, the SIEM is a log archive with no alerting capability. The content hub provides a large library, but deploying it without selection and tuning creates alert fatigue.

Rule type selection:

Enable Microsoft Security rules first for all connected Microsoft Defender products. These rules automatically import high-fidelity Microsoft-generated alerts without any KQL authoring. A new Sentinel deployment connected to Microsoft 365 Defender can have hundreds of meaningful alerts within 24 hours of enabling Microsoft Security rules, with no custom development.

For Scheduled and NRT rules, deploy from the content hub solutions rather than individual rules. Solutions (for example, the Microsoft Entra ID solution, the Microsoft 365 Defender solution, the Windows Security Events solution) bundle related data connectors, analytics rules, workbooks, and playbooks into coherent packages. Deploying a solution activates a curated set of rules appropriate for that data source.

Tuning newly deployed rules:

Every newly deployed rule should be monitored for false positive rate for its first 7-14 days in production before being used to drive analyst triage workload. Use the following process:

1. Deploy rules at Informational severity with incident creation disabled. Rules run and generate alerts visible in the Alerts blade but do not create analyst-facing incidents.
2. Review the alert output daily for 7 days. Identify recurring false positive patterns.
3. Build exclusions using entity-based watchlists: create a Sentinel watchlist for legitimate scanner IPs, authorized admin accounts, and known-good automation service accounts. Reference the watchlist in the rule KQL: | where AccountName !in (_GetWatchlist("ExclusionList") | project AccountName).
4. After 7 days with acceptable false positive rates, raise severity and enable incident creation.

Alert grouping for incident quality:

Configuring alert grouping correctly is critical for analyst triage efficiency. Without grouping, a brute force detection rule that fires 200 times against the same account from the same IP creates 200 separate incidents. Configure alert grouping to group alerts from the same rule into a single incident when they share the same Account entity, IP entity, or both within a 5-hour window. The grouping configuration is in the analytics rule's "Incident Settings" tab.

Sentinel's SOAR capability is built on Azure Logic Apps. Playbooks are Logic Apps that are triggered by Sentinel alerts or incidents and execute automated response actions. The automation capability ranges from simple notification to full autonomous response, depending on the playbook's design and the pre-authorizations granted.

Common playbook patterns:

Alert enrichment: When a new Sentinel alert fires, automatically query external enrichment sources (VirusTotal for IP/domain/file hash reputation, Shodan for IP information, Azure AD for account risk score) and post the enrichment results as a comment on the Sentinel incident. This reduces analyst lookup time and provides immediate context without requiring analyst action. Trigger: Sentinel incident created. Actions: HTTP request to enrichment API, update Sentinel incident with comment.

Automated entity blocking: When a high-confidence alert fires (specific detection rules that indicate compromise with low false positive rates), automatically add the source IP to a network security group deny rule, disable the Azure AD account, or add the file hash to the EDR block list. This requires pre-authorization and must be limited to specific rules where automated blocking is appropriate. Trigger: specific analytics rule alert. Actions: Azure AD Graph API to revoke user sessions and block sign-in, Azure NSG API to add deny rule.

Analyst notification and triage routing: Post new incidents to a Microsoft Teams channel with entity context, severity, and a direct link to the Sentinel incident. Route incidents to different Teams channels or PagerDuty services based on severity or entity type. Trigger: Sentinel incident created. Actions: Teams connector send message, conditional branching by severity.

Managed connector authentication: Logic Apps playbooks authenticate to Azure services (Azure AD, Azure NSG, Azure Storage) via managed identity, which is the recommended authentication method as it eliminates credential management. For external services (VirusTotal, Shodan, Jira, ServiceNow), Logic Apps uses HTTP connector with API key authentication or OAuth 2.0 depending on the service.

Playbook deployment from the content hub: The Sentinel content hub includes pre-built playbooks for common scenarios. The SOC-Common-Playbooks solution contains foundational playbooks for incident notification, entity enrichment, and analyst routing that most organizations should deploy as the automation baseline. Review the Logic Apps designer to understand each playbook's logic before deploying, and adjust connector authentication and notification targets for your environment.

The MITRE ATT&CK framework provides a structured language for describing attacker techniques and the security controls that detect them. Sentinel's built-in MITRE ATT&CK coverage map (accessible from Threat Management in the Sentinel portal) shows which techniques are covered by your active analytics rules.

Reading the coverage map:

The coverage map displays ATT&CK tactics (columns) and techniques (rows in each column). Each technique shows color-coded coverage based on whether active Sentinel rules cover it, and which rule type (Simulated, Active, Fusion, Machine Learning). A technique with no color has no active detection coverage. The map can be filtered to show only the techniques relevant to your environment and threat model.

Prioritizing coverage gaps:

Not all coverage gaps are equal priority. Prioritize gap-filling based on three factors:

1. Threat relevance: which techniques are commonly used by threat actors targeting your industry? Cross-reference with CISA advisories and your threat intelligence feeds. Focus first on techniques used by actors that actively target organizations like yours.

2. Data availability: some technique detections require data sources you do not have. Lateral movement detection via SMB authentication (EventID 4648, 4624 Type 3) requires Windows Security Event logs from every endpoint. If you only have cloud identity logs, lateral movement detection is structurally limited.

3. Business risk: techniques that enable data exfiltration, ransomware deployment, or persistent administrative access are higher priority than low-impact techniques regardless of your threat model.

Coverage gap remediation options:

For techniques with coverage gaps, options in priority order:

• Deploy content hub rules for the specific technique if available (search the content hub for the ATT&CK technique ID, e.g., T1078)
• Deploy community rules from the Sentinel GitHub repository (Azure/Azure-Sentinel/Detections)
• Write custom KQL rules targeting the specific technique in your environment
• Accept the gap with documented rationale if the data source required is not available or the technique is not relevant to your threat model

Tracking coverage over time:

Export the coverage map state monthly (via the Sentinel API or the coverage map export feature) and compare month-over-month to verify that coverage is improving as new rules are deployed. Set a quarterly goal for expanding coverage into the highest-priority gap areas. A detection engineering program without a coverage tracking mechanism is flying blind.

Sentinel workbooks (built on Azure Monitor Workbooks) are interactive dashboards that visualize data from Log Analytics tables. They provide SOC management dashboards, investigation starting points, and compliance reporting views that are not available from the standard Sentinel incident and alert views.

High-priority workbooks to deploy from the content hub:

Sentinel Overview workbook: Provides a high-level dashboard of incident counts by severity, analytics rule firing frequency, data connector health status, and workspace ingestion volume by table. This is the SOC manager's daily status view and the first workbook to deploy.

Microsoft Entra ID Workbook / Azure AD Sign-in and Audit workbook: Visualizes sign-in patterns, failed authentication rates, Conditional Access policy failures, and privileged role assignment changes. This workbook surfaces identity-related anomalies that may not yet have triggered alert rules.

Microsoft 365 Defender Workbook: Aggregates Defender alert counts, endpoint vulnerability scores, email threat summaries, and identity risk metrics from the M365 Defender connector tables. Useful for SOC tier-1 briefings.

Data Collection Health Monitor: Shows the ingestion rate, data latency, and last-event timestamp for every connected data source. The most operationally critical workbook for detecting data connector failures: a firewall connector that stopped sending data 4 hours ago means 4 hours of blind spot in network detection. Set a process to review this workbook daily.

Zero Trust Dashboard workbook: Maps your Sentinel environment's controls against the NIST Zero Trust maturity model dimensions. Useful for security posture reporting to leadership.

Custom workbook development:

For organization-specific dashboards, the Workbook designer supports full KQL query composition with charts, tables, and parameter-driven filtering. Common custom workbook requests: executive-facing incident summary with SLA compliance metrics, compliance reporting workbooks (PCI, HIPAA, SOC 2 control status), and threat-specific investigation workbooks that guide analysts through a structured investigation workflow for specific detection types (for example, a business email compromise investigation workbook that pre-populates relevant queries for the OfficeActivity, EmailEvents, and AuditLogs tables).