Microsoft Sentinel Analytics & Incidents

Tags: m365-azure, Identity & Directory, SIEM / Log Aggregator, Cloud Admin Portal

Location

Azure Portal > Microsoft Sentinel > Incidents, Analytics rules, Hunting queries

Description

SIEM platform aggregating logs from all Microsoft and third-party sources with built-in analytics rules generating security incidents, entity mapping to users/hosts/IPs, investigation graphs, and automated response playbooks.

Forensic Value

Sentinel incidents aggregate related alerts from multiple detection sources into unified investigations with entity mapping. The investigation graph visually maps relationships between users, IPs, hosts, and alerts. Built-in analytics rules detect common attack patterns across log sources. Bookmarked hunting query results preserve evidence found during proactive threat hunting. Watchlists and threat intelligence indicators provide IOC matching across all ingested data sources.

Tools Required

Azure Portal (Sentinel), KQL (Kusto Query Language), Microsoft Graph Security API, Azure CLI