Microsoft Sentinel Analytics & Incidents

Cloud & SaaS, Identity & Directory, SIEM / Log Aggregator, Cloud Control Plane

Location

Azure Portal > Microsoft Sentinel > Incidents, Analytics rules, Hunting queries

Description

SIEM platform aggregating logs from all Microsoft and third-party sources with built-in analytics rules generating security incidents, entity mapping to users/hosts/IPs, investigation graphs, and automated response playbooks.

Forensic Value

Sentinel incidents aggregate related alerts from multiple detection sources into unified investigations with entity mapping. The investigation graph visually maps relationships between users, IPs, hosts, and alerts. Built-in analytics rules detect common attack patterns across log sources. Bookmarked hunting query results preserve evidence found during proactive threat hunting. Watchlists and threat intelligence indicators provide IOC matching across all ingested data sources.

Tools Required

Azure Portal (Sentinel), KQL (Kusto Query Language), Microsoft Graph Security API, Azure CLI

Collection Commands

KQL

// SecurityIncident logs one row per incident update; keep only the latest state
// per incident, otherwise incidents that were later closed still show up from
// their earlier "New" or "Active" rows
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status != "Closed"
| project TimeGenerated, IncidentNumber, Title, Severity, Status, Owner, ProviderName
| sort by TimeGenerated desc

KQL

// count distinct SystemAlertId values so re-logged copies of the same alert
// (status or property updates) are not counted twice
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize AlertCount = dcount(SystemAlertId) by AlertName, ProviderName
| sort by AlertCount desc
| take 25

az CLI

# requires the Sentinel CLI extension: az extension add --name sentinel
az sentinel incident list --workspace-name <workspace> --resource-group <rg-name> --query "[?properties.status!='Closed']" --output json > open_incidents.json
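The queries above list incidents and alerts separately. The triage view most analysts actually want is one row per open incident with the alerts and mapped entities (accounts, hosts, IPs) behind it, which is what the investigation graph shows visually. The following KQL is an added example, not a query from the original page; it assumes the standard Sentinel schema (SecurityIncident.AlertIds is a dynamic array whose entries match SecurityAlert.SystemAlertId, SecurityAlert.Entities is a JSON string holding an array of entity objects with Type, Name, UPNSuffix, HostName and Address fields, and Owner.assignedTo holds the assignee), so verify those column names in your workspace before relying on it.

```kql
// Added example: one row per open incident, with its alerts and mapped entities.
// Assumed schema (standard Sentinel tables, verify in your workspace):
//   SecurityIncident.AlertIds   - dynamic array of alert IDs
//   SecurityAlert.SystemAlertId - matches an entry in AlertIds
//   SecurityAlert.Entities      - JSON string: array of {Type, Name, UPNSuffix, HostName, Address, ...}
//   SecurityIncident.Owner      - dynamic bag with an assignedTo field
let lookback = 30d;
SecurityIncident
| where TimeGenerated > ago(lookback)
// one row per incident update is stored; keep the latest state only
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status != "Closed"
| project IncidentNumber, Title, Severity, Status, CreatedTime,
          AssignedTo = tostring(Owner.assignedTo), AlertIds
// mv-expand drops rows whose array is empty; give manually created incidents
// (no alerts) a placeholder so they are not lost from the list
| extend AlertIds = iff(array_length(AlertIds) > 0, AlertIds, dynamic([""]))
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=leftouter (
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    // alerts are re-logged on update as well; keep the latest copy of each
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project SystemAlertId, AlertName, ProviderName, Entities
) on $left.AlertId == $right.SystemAlertId
// explode the entity array (one row per entity), same empty-array guard as above
| extend EntityArr = todynamic(Entities)
| extend EntityArr = iff(array_length(EntityArr) > 0, EntityArr, dynamic([{}]))
| mv-expand Entity = EntityArr
| extend EntityType = tostring(Entity.Type)
// account entities carry Name plus UPNSuffix; rebuild the UPN where the suffix is present
| extend AccountName = iff(isnotempty(Entity.UPNSuffix),
                           strcat(Entity.Name, "@", Entity.UPNSuffix),
                           tostring(Entity.Name))
| summarize
    Alerts    = make_set(AlertName),
    Providers = make_set(ProviderName),
    Accounts  = make_set_if(AccountName,               EntityType == "account"),
    Hosts     = make_set_if(tostring(Entity.HostName), EntityType == "host"),
    IPs       = make_set_if(tostring(Entity.Address),  EntityType == "ip")
  by IncidentNumber, Title, Severity, Status, CreatedTime, AssignedTo
// Severity is a string, so rank it explicitly rather than sorting alphabetically
| extend SeverityRank = case(Severity == "High", 0, Severity == "Medium", 1, Severity == "Low", 2, 3)
| sort by SeverityRank asc, CreatedTime desc
| project-away SeverityRank
```

Run it from Logs in the Sentinel workspace, or export the result set for the case file; widening `lookback` beyond the workspace's interactive retention returns nothing for the older rows, and the two `arg_max` steps are what make the counts and the status filter trustworthy, since both tables keep every historical update of an incident or alert.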

MITRE ATT&CK Techniques

T1078.004, T1098, T1071, T1027, T1059