Azure Sentinel Design
Azure Sentinel, Microsoft's born-in-the-cloud SIEM, was released in preview in February 2019 and reached general availability in September 2019. Since then it has advanced by leaps and bounds: the number of data connectors has doubled, visualizations and incident management have improved, and a rich ecosystem of options for SOAR and data enrichment has grown around it. Combined with tight integration with highly specialized security controls such as Defender ATP, MCAS and Azure ATP, Sentinel is emerging as a natural choice for organizations that want to take advantage of the synergy between these products. The increase in capabilities comes at the cost of additional complexity, and while Sentinel does a good job of doing most of the work behind the scenes, understanding how each component integrates with the others is a must for security analysts who want to master this versatile product.
The diagram below is a one-page view of the core Azure Sentinel components, updated as of September 2020, showing how the various parts of a traditional SIEM infrastructure map onto it. We have also included some of the complementary services that are not part of Sentinel itself but are typically used alongside it.