{"id":9028,"date":"2021-10-06T07:05:50","date_gmt":"2021-10-06T14:05:50","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=9028"},"modified":"2025-10-07T16:19:25","modified_gmt":"2025-10-07T23:19:25","slug":"moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/","title":{"rendered":"Moving to next-generation SIEM at Microsoft with Microsoft Sentinel"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"112\" class=\"size-medium wp-image-7498 alignright\" style=\"margin-top: 0px;\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/ms-digital-technical-stories-300x112.png\" alt=\"Microsoft Digital technical stories\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/ms-digital-technical-stories-300x112.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/ms-digital-technical-stories.png 500w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><em>We periodically update our stories, but we can\u2019t verify that they represent the full picture of our current situation at Microsoft. We leave them on the site so you can see what our thinking and experience was at the time.<\/em><\/p>\n<p>Our internal security team works diligently 24 hours a day, 7 days a week to help protect Microsoft IP, its employees, and its overall business health from security threats.<\/p>\n<p>We recently implemented Microsoft Sentinel to replace a preexisting, on-premises solution for security information and event management (SIEM). 
With Microsoft Sentinel, we can ingest and appropriately respond to more than 20 billion cybersecurity events per day.<\/p>\n<p>Microsoft Sentinel supplies cloud-scale SIEM functionality that allows integration with crucial systems, provides accurate and timely response to security threats, and supports the SIEM requirements of our team.<\/p>\n<p>Our team is responsible for maintaining security and compliance standards across Microsoft. Managing the massive volume of incoming security-related data is critical to Microsoft\u2019s business health. Historically, we have performed SIEM using a third-party tool hosted on-premises in Microsoft datacenters.<\/p>\n<p>However, we recognized several areas in which we could improve our service by implementing a next-generation SIEM tool. Some of the challenges when using the old tool included:<\/p>\n<ul class=\"c-list\">\n<li><strong>Limited ability to accommodate increasing incoming traffic.<\/strong> Ingesting data into the previous SIEM tool was time-consuming due to limited ingestion processes. As the number of incoming cybersecurity events continued to grow, it became more evident that the solution we were using wouldn\u2019t be able to maintain the necessary throughput for data ingestion.<\/li>\n<li><strong>On-premises scalability and agility issues.<\/strong> The previous solution\u2019s on-premises nature limited our ability to scale effectively and respond to changing business and security requirements at the speed that we required.<\/li>\n<li><strong>Increased training requirements.<\/strong> We needed to invest more resources in training and onboarding with the previous solution, because it was on-premises and customized to meet our requirements. 
If we recruited employees from outside Microsoft, they needed to learn the new solution\u2014including its complex on-premises architecture\u2014from the ground up.<\/li>\n<\/ul>\n<p>As part of our ongoing digital transformation, we\u2019re moving to cloud-based solutions with proven track records and active, customer-facing development and involvement. We need our technology stack to evolve at the speed of our business.<\/p>\n<h2>Modernizing SIEM with Microsoft Sentinel<\/h2>\n<p>In response to these challenges, we began assessing options for a new SIEM environment that would address them and position our team to manage the continued growth of the cybersecurity landscape.<\/p>\n<h3>Feature assessment and planning<\/h3>\n<p>In partnership with the Microsoft Sentinel product team, our internal security division assessed whether Sentinel would be a suitable replacement for our previous solution. Sentinel is a Microsoft-developed, cloud-native enterprise SIEM solution that uses the cloud\u2019s agility and scalability to ensure rapid threat detection and response through:<\/p>\n<ul class=\"c-list\">\n<li>Elastic scaling.<\/li>\n<li>AI-infused detection capability.<\/li>\n<li>A broad set of out-of-the-box data connectivity and ingestion solutions.<\/li>\n<\/ul>\n<p>To move to Microsoft Sentinel, we needed to verify that equivalent features and capabilities were available in the new environment. We aligned security teams across Microsoft to ensure that we met all requirements. Some of these teams had mature monitoring and detection definitions in place, and we needed to understand those scenarios to accommodate feature-performance requirements. 
The issues that our previous solution presented focused our assessment of Sentinel on three questions: throughput, agility, and usability.<\/p>\n<p>Throughout the assessment period and into migration, we worked closely with the Microsoft Sentinel product team to ensure that Microsoft Sentinel could provide the feature set we required. Our engagement with the Microsoft Sentinel team addressed two sets of needs simultaneously. We received significant incident-response benefits from Microsoft Sentinel while the product team worked with us as if we were a customer. This close collaboration meant that the product team could identify what enterprise-scale customers needed more quickly.<\/p>\n<p>Not only were our requirements met, but we were able to provide feedback and testing for the Microsoft Sentinel product team. This helped them better serve their large customers that have similar challenges, requirements, and needs.<\/p>\n<h3>Defining and refining SIEM detections<\/h3>\n<p>As we developed standards that met our new requirements, we also evaluated our previous SIEM solution\u2019s functionality to determine how it would transition to Microsoft Sentinel. We examined three key aspects of incoming security data ingestion and event detection:<\/p>\n<ul class=\"c-list\">\n<li><strong>Data-source validity.<\/strong> We pull incoming SIEM data from hundreds of data locations across Microsoft. As time has passed, some of these data sources remained valid but others no longer provided relevant SIEM data. We assessed our entire data-source footprint to determine which data sources Microsoft Sentinel should ingest and which ones were no longer required. This process helped us to better understand our data-source environment and refine the amount of data ingested. There were several data sources that we weren\u2019t ingesting with the previous solution because of performance limitations. 
We knew that we wanted to increase ingestion capability when moving to Microsoft Sentinel.<\/li>\n<li><strong>Detection importance.<\/strong> Our team examined event-detection definitions used throughout the previous SIEM solution, so we could understand how detections were being performed, which detection definitions generated alerts, and the volume of alerts from each detection. This information helped us identify the most important detection definitions, so we could prioritize these definitions in the migration process.<\/li>\n<li><strong>Detection validity.<\/strong> Our security teams evaluated the list of detections from our SIEM environment so we could identify invalid detections or detection definitions that required refinement. This helped us create a more streamlined set of detections when moving into Microsoft Sentinel, including combining multiple detection definitions and removing several detections.<\/li>\n<\/ul>\n<p>Throughout this process, we worked with the Microsoft Security Operations team to evaluate detections end-to-end. They got involved in the detection and data-source refinement process and were exposed to how these detections and data sources would work in Microsoft Sentinel.<\/p>\n<h2>Implementation<\/h2>\n<p>After feature parity and throughput capabilities were confirmed, we began the migration process from our previous solution to Microsoft Sentinel. Based on our initial testing, we added several implementation steps to ensure that our Sentinel environment would readily meet our security environment\u2019s needs.<\/p>\n<h3>Onboarding data sources<\/h3>\n<p>Properly onboarding data sources was a critical component in our implementation <em>and<\/em> one of the biggest benefits of the Microsoft Sentinel environment. With the massive amount of default connectors available in Sentinel, we were able to connect to most of our data sources without further customization. 
This included cloud data sources such as Microsoft Azure Active Directory, Microsoft Defender for Cloud, and Microsoft Defender. It also included on-premises data sources, such as Windows Events and firewall systems.<\/p>\n<p>We also connected to several enrichment sources that supplied more information for threat-hunting queries and detections. These enrichment sources included data from human-resources systems and other nontypical data sources. We used playbooks to create many of these connections.<\/p>\n<p>We keep Microsoft Sentinel data in hot storage for 90 days, using Kusto Query Language (KQL) queries for detections, hunting, and investigation. We also use Microsoft Azure Data Explorer for warm storage and Microsoft Azure Data Lake for cold storage and retrieval for up to two years.<\/p>\n<h3>Refining detections<\/h3>\n<p>Based on testing, we refined our detection definitions further in Sentinel to support better alert suppression and aggregation. We didn\u2019t want to overwhelm our Security Operations team with incidents. Therefore, we refined our detection definitions to include suppression logic when notification wasn\u2019t required and aggregation logic to ensure that similar and related events were grouped together and not surfaced as multiple, individual alerts.<\/p>\n<h3>Increasing scale with the cloud<\/h3>\n<p>We used dedicated clusters for Microsoft Azure Monitor Log Analytics to support the data-ingestion scalability we required. At a large enterprise scale, our previous solution was exceeding its capacity at 10 billion events per day. 
With dedicated clusters, we were able to accommodate that initial volume and add additional data sources to improve alert detection, thereby increasing our event ingestion to more than 20 billion events per day.<\/p>\n<h3>Customizing functionality<\/h3>\n<p>Our environment required several customizations to Sentinel functionality, which we implemented by using standard Microsoft Sentinel features and extension capabilities to meet our needs while still staying within the boundaries of standard functionality. Using common features for customization made our changes to Sentinel easy to document and helped our security operations team better and more quickly understand and use the new features. We made several important customizations, including:<\/p>\n<ul class=\"c-list\">\n<li><strong>Integration with our IT service-management system.<\/strong> We integrated Microsoft Sentinel with our security incident management solution. This had a two-fold positive effect, as it extended Sentinel information into our case-management environment and provided our support teams with exactly the information they need, regardless of which tool they\u2019re in.<\/li>\n<li><strong>Implementation of a Microsoft Defender for Cloud playbook to support scale.<\/strong> We used a playbook to automate the addition of more than 20,000 Azure subscriptions to Microsoft Defender for Cloud.<\/li>\n<li><strong>High-volume ingestion with Microsoft Azure Event Hub and Microsoft Azure Virtual Machine scale sets.<\/strong> We built a custom solution that ingested the large volume of events from our firewall systems that exceeded the capabilities of on-premises collection agents. 
With the new solution, we can ingest more than 100,000 events per second into Microsoft Sentinel from on-premises firewalls.<\/li>\n<\/ul>\n<figure id=\"attachment_9035\" aria-describedby=\"caption-attachment-9035\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-9035\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/11\/10293_image001-1024x566.png\" alt=\"Illustration of the architecture for the new SIEM solution, showing the workflow from data sources, to the event store, and the portal user experience. \" width=\"800\" height=\"442\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/11\/10293_image001-1024x566.png 1024w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/11\/10293_image001-300x166.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/11\/10293_image001-768x424.png 768w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/11\/10293_image001-1536x849.png 1536w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/11\/10293_image001-2048x1132.png 2048w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/11\/10293_image001-1920x1061.png 1920w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-9035\" class=\"wp-caption-text\">Architecture for the new SIEM solution using Microsoft Sentinel.<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"74\" class=\"wp-image-7448\" style=\"width: 300px;\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways.png\" alt=\"Key Takeaways\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways.png 500w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways-300x74.png 
300w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<p>We\u2019ve experienced several important benefits from using Microsoft Sentinel as our SIEM tool, including:<\/p>\n<ul class=\"c-list\">\n<li><strong>Faster query performance.<\/strong> Our query speed with Microsoft Sentinel improved drastically. It\u2019s 12 times faster than it was with the previous solution, on average, and is up to 100 times faster with some queries.<\/li>\n<li><strong>Simplified training and onboarding.<\/strong> Using a cloud-based, commercially available solution like Microsoft Sentinel means it\u2019s much simpler to onboard and train employees. Our security engineers don\u2019t need to understand the complexities of an underlying on-premises architecture. They simply start using Sentinel for security management.<\/li>\n<li><strong>Greater feature agility.<\/strong> Microsoft Sentinel\u2019s feature set and capabilities iterate at a much faster rate than we could maintain with our on-premises developed solution.<\/li>\n<li><strong>Improved data ingestion.<\/strong> Microsoft Sentinel\u2019s out-of-the-box connectors and integration with the Microsoft Azure platform make it much easier to include data from anywhere and extend Sentinel functionality to integrate with other enterprise tools. On average, it\u2019s 18 times faster to ingest data into Sentinel using a built-in data connector than it was with our previous solution.<\/li>\n<\/ul>\n<p>Throughout our Microsoft Sentinel implementation, we reexamined and refined our approach to SIEM. At Microsoft\u2019s scale, very few implementations go exactly as planned from beginning to end. However, we took away several lessons from our Sentinel implementation, including:<\/p>\n<ul class=\"c-list\">\n<li><strong>More testing enables more refinement.<\/strong> We tested our detections, data sources, and processes extensively. The more we tested, the better we understood how we could improve test results. 
This, in turn, meant more opportunities to refine our approach.<\/li>\n<li><strong>Customization is necessary but achievable.<\/strong> We capitalized on the flexibility of Microsoft Sentinel and the Microsoft Azure platform often during our implementation. We found that while out-of-the-box features didn\u2019t meet all our requirements, we were able to create customizations and integrations to meet the needs of our security environment.<\/li>\n<li><strong>Large enterprise customers might require a dedicated cluster.<\/strong> We used dedicated Log Analytics clusters to allow ingestion of nearly 20 billion events per day. In other large enterprise scenarios, moving from a shared cluster to a dedicated cluster might be necessary for adequate performance.<\/li>\n<\/ul>\n<p>The first phase of our migration is complete! However, there\u2019s still more to discover with Microsoft Sentinel. We\u2019re taking advantage of new ways to engage and interact with connected datasets and using machine learning to manage some of our most complex detections.<\/p>\n<p>As we continue to grow our SIEM environment in Sentinel, we\u2019re capitalizing on Sentinel\u2019s cloud-based benefits to help meet our security needs at an enterprise level. 
Sentinel provides our security operations teams with a single SIEM solution that has all the tools they need to manage and resolve security events and investigations.<\/p>\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"81\" class=\"wp-image-7482\" style=\"width: 300px;\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links.png\" alt=\"Related links\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links.png 500w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links-300x81.png 300w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<ul class=\"c-list\">\n<li><a href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/boosting-microsofts-response-to-cybersecurity-attacks-with-microsoft-azure-sentinel\/\">Read more about how we\u2019re securing our enterprise and responding to cybersecurity attacks with Microsoft Sentinel.<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/\">Discover how we\u2019re improving our security by protecting elevated-privilege accounts at Microsoft.<\/a><\/li>\n<\/ul>\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" style=\"width: 580px;\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/Customer-Survey-580x85-1.png\" alt=\"We'd like to hear from you!\" \/><\/figure>\n<p><a href=\"mailto:msitstaff@microsoft.com\">Want more information? Email us and include a link to this story and we\u2019ll get back to you.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We periodically update our stories, but we can\u2019t verify that they represent the full picture of our current situation at Microsoft. 
We leave them on the site so you can see what our thinking and experience was at the time. Our internal security team works diligently 24 hours a day, 7 days a week to [&hellip;]<\/p>\n","protected":false},"author":133,"featured_media":9030,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_hide_featured_on_single":false,"_show_featured_caption_on_single":true,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[115,849,689,848],"coauthors":[646],"class_list":["post-9028","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-microsoft-azure","tag-network-and-infrastructure","tag-network-security","tag-security-and-risk-management","program-microsoft-digital-technical-stories","m-blog-post"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Moving to Next-Gen SIEM with Microsoft Sentinel<\/title>\n<meta name=\"description\" content=\"See how Microsoft uses Microsoft Sentinel to upgrade its SIEM system, transforming the way it responds to cybersecurity events.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Moving to Next-Gen SIEM with Microsoft Sentinel\" \/>\n<meta property=\"og:description\" content=\"See how Microsoft uses Microsoft Sentinel to upgrade its SIEM system, transforming the way it 
responds to cybersecurity events.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/\" \/>\n<meta property=\"og:site_name\" content=\"Inside Track Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-10-06T14:05:50+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-10-07T23:19:25+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/11\/10293-hero.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1040\" \/>\n\t<meta property=\"og:image:height\" content=\"585\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Inside Track staff\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Inside Track staff\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\\\/\"},\"author\":{\"name\":\"Inside Track staff\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/d87d5d73eed76dd055086299c842c17e\"},\"headline\":\"Moving to next-generation SIEM at Microsoft with Microsoft Sentinel\",\"datePublished\":\"2021-10-06T14:05:50+00:00\",\"dateModified\":\"2025-10-07T23:19:25+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\\\/\"},\"wordCount\":2031,\"image\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2022\\\/11\\\/10293-hero.jpg\",\"keywords\":[\"Microsoft Azure\",\"Network and infrastructure\",\"Network Security\",\"Security and risk management\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\\\/\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\\\/\",\"name\":\"Moving to Next-Gen SIEM with Microsoft 
Sentinel\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2022\\\/11\\\/10293-hero.jpg\",\"datePublished\":\"2021-10-06T14:05:50+00:00\",\"dateModified\":\"2025-10-07T23:19:25+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/d87d5d73eed76dd055086299c842c17e\"},\"description\":\"See how Microsoft uses Microsoft Sentinel to upgrade its SIEM system, transforming the way it responds to cybersecurity events.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2022\\\/11\\\/10293-hero.jpg\",\"contentUrl\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2022\\\/11\\\/10293-hero.jpg\",\"width\":1040,\"height\":585,\"caption\":\"Microsoft is using Microsoft Sentinel to upgrade its security information and event management (SIEM) system, which is 
transforming the way it responds to more than 20 billion cybersecurity events per day.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Moving to next-generation SIEM at Microsoft with Microsoft Sentinel\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/\",\"name\":\"Inside Track Blog\",\"description\":\"How Microsoft does IT\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/d87d5d73eed76dd055086299c842c17e\",\"name\":\"Inside Track staff\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g5b36aff6a325749e67e5cb253696fa6b\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g\",\"caption\":\"Inside Track staff\"},\"description\":\"Questions? 
Send us a note: msitstaff@microsoft.com\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/author\\\/insidetrack\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Moving to Next-Gen SIEM with Microsoft Sentinel","description":"See how Microsoft uses Microsoft Sentinel to upgrade its SIEM system, transforming the way it responds to cybersecurity events.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/","og_locale":"en_US","og_type":"article","og_title":"Moving to Next-Gen SIEM with Microsoft Sentinel","og_description":"See how Microsoft uses Microsoft Sentinel to upgrade its SIEM system, transforming the way it responds to cybersecurity events.","og_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/","og_site_name":"Inside Track Blog","article_published_time":"2021-10-06T14:05:50+00:00","article_modified_time":"2025-10-07T23:19:25+00:00","og_image":[{"width":1040,"height":585,"url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/11\/10293-hero.jpg","type":"image\/jpeg"}],"author":"Inside Track staff","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Inside Track staff","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/"},"author":{"name":"Inside Track staff","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e"},"headline":"Moving to next-generation SIEM at Microsoft with Microsoft Sentinel","datePublished":"2021-10-06T14:05:50+00:00","dateModified":"2025-10-07T23:19:25+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/"},"wordCount":2031,"image":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/11\/10293-hero.jpg","keywords":["Microsoft Azure","Network and infrastructure","Network Security","Security and risk management"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/","name":"Moving to Next-Gen SIEM with Microsoft 
Sentinel","isPartOf":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/11\/10293-hero.jpg","datePublished":"2021-10-06T14:05:50+00:00","dateModified":"2025-10-07T23:19:25+00:00","author":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e"},"description":"See how Microsoft uses Microsoft Sentinel to upgrade its SIEM system, transforming the way it responds to cybersecurity events.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/#primaryimage","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/11\/10293-hero.jpg","contentUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/11\/10293-hero.jpg","width":1040,"height":585,"caption":"Microsoft is using Microsoft Sentinel to upgrade its security information and event management (SIEM) system, which is transforming the way it responds to more than 20 billion cybersecurity events per 
day."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/moving-to-next-generation-siem-at-microsoft-with-microsoft-azure-sentinel\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/insidetrack\/blog\/"},{"@type":"ListItem","position":2,"name":"Moving to next-generation SIEM at Microsoft with Microsoft Sentinel"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/","name":"Inside Track Blog","description":"How Microsoft does IT","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e","name":"Inside Track staff","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g5b36aff6a325749e67e5cb253696fa6b","url":"https:\/\/secure.gravatar.com\/avatar\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g","caption":"Inside Track staff"},"description":"Questions? 
Send us a note: msitstaff@microsoft.com","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/author\/insidetrack\/"}]}},"jetpack_featured_media_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/11\/10293-hero.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9hcZA-2lC","_links":{"self":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/9028","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/users\/133"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/comments?post=9028"}],"version-history":[{"count":11,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/9028\/revisions"}],"predecessor-version":[{"id":20598,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/9028\/revisions\/20598"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media\/9030"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media?parent=9028"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/categories?post=9028"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/tags?post=9028"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/coauthors?post=9028"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
