
Sentinel




Resource Overview

Azure Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution that collects security data from many sources, analyzes it to detect threats, and automates incident response.
It is built on a Log Analytics Workspace; security operations are configured by defining alert rules and by connecting Microsoft security products and external data sources through data connectors.

Associated Resources

Parent Resources

Connected Resources


Resource Configuration

  • linked_workspace_name : Name of the Log Analytics Workspace to which Sentinel is connected
  • connect_security_center : Whether to connect the Microsoft Defender for Cloud Data Connector - true, false
  • connect_threat_intelligence : Whether to connect the Threat Intelligence Platform (Preview) Data Connector - true, false
  • connect_advanced_threat_protection : Whether to connect the Microsoft Defender for Identity Data Connector - true, false
  • connect_microsoft_defender : Whether to connect the Microsoft Defender for Endpoint Data Connector - true, false
  • connect_office_365 : Whether to connect the Office 365 Data Connector - true, false
  • connect_cloud_app_security : Whether to connect the Microsoft Defender for Cloud Apps Data Connector - true, false
  • fusion_rule_rule_guid : List of Fusion Rule GUIDs
  • behavior_analytics_rule_guid : List of ML Behavior Analytics Rule GUIDs
  • tag : Tags used to categorize resources

MS Security Incident Alert Rule (alert_rule_incident)

  • alert_rule_incident.display_name : Display name of the MS Security Incident Alert Rule
  • alert_rule_incident.product : Microsoft security service that generates alerts - Azure Active Directory Identity Protection, Azure Advanced Threat Protection, Azure Security Center, Azure Security Center for IoT, Microsoft Cloud App Security, Microsoft Defender Advanced Threat Protection, Office 365 Advanced Threat Protection
  • alert_rule_incident.severity : Severity levels for generating incidents - High, Medium, Low, Informational

Scheduled Alert Rule (alert_rule_scheduled)

  • alert_rule_scheduled.display_name : Display name of the Scheduled Alert Rule
  • alert_rule_scheduled.severity : Severity of the Scheduled Alert Rule - High, Medium, Low, Informational
  • alert_rule_scheduled.query : Query statement of the Scheduled Alert Rule
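The following Terraform is an added example, not configuration from this page or its tool. It assumes the parameters above (linked workspace, connect_office_365, alert_rule_incident.* and alert_rule_scheduled.*) map onto the azurerm provider's Sentinel resources, and it shows how one MS Security Incident rule and one Scheduled rule are expressed against them. The workspace name, rule names and the KQL query are constructed for illustration; the query flags Exchange Online inbox rules that forward or redirect mail, a common persistence technique, and only yields results once the Office 365 connector feeds the OfficeActivity table.

```hcl
# Workspace onboarded to Sentinel (corresponds to linked_workspace_name).
resource "azurerm_log_analytics_workspace" "sentinel" {
  name                = "example-sentinel-workspace" # constructed name
  location            = "eastus"
  resource_group_name = "example-rg"
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

resource "azurerm_sentinel_log_analytics_workspace_onboarding" "sentinel" {
  workspace_id = azurerm_log_analytics_workspace.sentinel.id
}

# Office 365 data connector (connect_office_365 = true). Exchange audit
# events populate the OfficeActivity table used by the scheduled rule below.
resource "azurerm_sentinel_data_connector_office_365" "o365" {
  name                       = "office365"
  log_analytics_workspace_id = azurerm_sentinel_log_analytics_workspace_onboarding.sentinel.workspace_id
  exchange_enabled           = true
  sharepoint_enabled         = true
  teams_enabled              = true
}

# MS Security Incident rule: product and severity values match the lists on this page.
resource "azurerm_sentinel_alert_rule_ms_security_incident" "mcas" {
  name                       = "mcas-high-incidents"
  log_analytics_workspace_id = azurerm_sentinel_log_analytics_workspace_onboarding.sentinel.workspace_id
  display_name               = "Create incidents from Microsoft Cloud App Security alerts"
  product_filter             = "Microsoft Cloud App Security"
  severity_filter            = ["High", "Medium"]
}

# Scheduled rule: display_name, severity and query are the three fields documented above.
resource "azurerm_sentinel_alert_rule_scheduled" "inbox_forwarding" {
  name                       = "exchange-inbox-forwarding-rule"
  log_analytics_workspace_id = azurerm_sentinel_log_analytics_workspace_onboarding.sentinel.workspace_id
  display_name               = "Exchange inbox rule forwarding mail externally"
  severity                   = "Medium"
  enabled                    = true
  tactics                    = ["Persistence", "Collection"]

  # Run hourly over the last hour of data; any hit raises an alert.
  query_frequency   = "PT1H"
  query_period      = "PT1H"
  trigger_operator  = "GreaterThan"
  trigger_threshold = 0

  # Constructed KQL: inbox rules created or changed with a forward/redirect action.
  query = <<-KQL
    OfficeActivity
    | where OfficeWorkload == "Exchange"
    | where Operation in ("New-InboxRule", "Set-InboxRule")
    | where tostring(Parameters) has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
    | project TimeGenerated, UserId, ClientIP, Operation, Parameters
  KQL

  # Map result columns to entities so incidents show the affected account and source IP.
  entity_mapping {
    entity_type = "Account"
    field_mapping {
      identifier  = "FullName"
      column_name = "UserId"
    }
  }

  entity_mapping {
    entity_type = "IP"
    field_mapping {
      identifier  = "Address"
      column_name = "ClientIP"
    }
  }
}
```

The scheduled rule's query_period should be at least as long as query_frequency, otherwise events falling between runs are never evaluated; tuning the trigger threshold above zero is how a noisy detection is turned into an aggregate one.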

References