Microsoft Sentinel for Microsoft 365

How Microsoft Sentinel ingests Microsoft 365 signals and extends Defender XDR into a full SIEM.

Microsoft Sentinel is Microsoft's cloud-native SIEM / SOAR platform. For Microsoft 365 customers, it extends the Defender XDR experience with longer log retention, third-party log ingestion, custom hunting at scale, and full SOAR automation. As of 2025–2026, Sentinel lives inside the Defender XDR portal as a unified surface alongside Microsoft's first-party security signals.

What Sentinel adds beyond Defender XDR

Defender XDR is excellent for first-party Microsoft signals — Defender for Office 365, Endpoint, Identity, Cloud Apps. Sentinel extends this in several directions:

  • Long-term retention — Defender XDR retains data for ~30–180 days depending on plan; Sentinel can retain years.
  • Third-party log sources — firewalls (Palo Alto, Cisco, Check Point), network devices, custom apps via Azure Functions or REST API, AWS / GCP cloud logs.
  • Custom detection rules in KQL beyond what Defender ships.
  • Automation playbooks built as Azure Logic Apps — automate responses, ticketing, notification.
  • Watchlists for context (VIP users, asset criticality).
  • Threat intelligence ingestion from TAXII feeds, structured threat intel from vendors.
  • User and Entity Behavior Analytics (UEBA) — ML-driven baselines per user / entity, anomaly detection.

How M365 signals flow

For Microsoft 365 customers, the integration is largely free of ingestion cost for first-party Microsoft sources:

  • Microsoft 365 audit logs (Exchange, SharePoint, Teams).
  • Entra ID sign-in logs, audit logs, risk events.
  • Defender XDR alerts and incidents.
  • Defender for Cloud alerts.

Sentinel billable ingestion typically covers third-party sources and custom data. The pricing pivoted in 2024 to better align Sentinel with Microsoft 365 customers; ask your Microsoft account team about current cost models.

The unified portal

Inside the Defender XDR portal, Sentinel and Defender XDR share:

  • Incidents — unified view, with Sentinel incidents and Defender XDR incidents in one queue.
  • Advanced hunting — KQL queries run across both Defender XDR tables and Sentinel tables.
  • Investigation graphs — entity-centric views of attack chains.
  • Hunting books and notebooks — reusable investigation patterns.

For SOC analysts, this means one portal, one query language, one incident workflow.

When you need Sentinel

Sentinel is the right answer when:

  • You need long-term log retention for compliance or investigation.
  • You have third-party security sources (firewalls, network gear, custom apps) that need correlation with Microsoft signals.
  • You want deep custom detections beyond Defender's first-party rules.
  • You're building a SOC with custom workflows and want SOAR automation.
  • You're doing threat hunting at scale.

Sentinel adds operational complexity — KQL skills, content library curation, playbook engineering. For smaller organisations, Defender XDR alone may be enough.

Getting started

A typical first-month deployment:

  1. Connect Microsoft 365 sources — Defender XDR, Entra ID, Office 365.
  2. Enable analytic rules from the Sentinel content hub — Microsoft ships hundreds.
  3. Turn on UEBA for behavioural baselines.
  4. Add a Logic App playbook for one or two common response actions (notify Teams channel, create ServiceNow ticket).
  5. Establish KQL skills in the SOC team — invest in training.

Mature deployments add custom rules, hunting books, watchlists, and threat-intel integrations iteratively.
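As an added example, not taken from the article or from Microsoft's content hub, here is a KQL analytics-rule query of the kind steps 2 and 5 lead towards: it joins Entra ID risky sign-ins against a VIP watchlist and checks whether a Defender XDR alert was raised on the same account within two hours. The watchlist name VIPUsers and its UPN and Tier columns are assumptions; SigninLogs, SecurityAlert and _GetWatchlist are standard Sentinel tables and functions.

```kql
// Added example (not from the article): correlate Entra ID risky sign-ins for
// watchlisted VIP accounts with Defender XDR alerts on the same account.
// Assumptions: a watchlist named 'VIPUsers' with columns 'UPN' and 'Tier'.
let lookback = 1d;          // how far back the rule looks on each run
let alert_window = 2h;      // an alert must follow the sign-in within this window
// Watchlist rows; SearchKey is the column configured as the watchlist's search key.
let vips = _GetWatchlist('VIPUsers')
    | project VipUpn = tolower(tostring(column_ifexists('UPN', SearchKey))),
              Tier = tostring(column_ifexists('Tier', 'unknown'));
// Entra ID sign-ins flagged by Identity Protection, restricted to VIP accounts.
let risky_signins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where RiskLevelDuringSignIn in ('medium', 'high') or RiskState == 'atRisk'
    | extend VipUpn = tolower(UserPrincipalName)
    | join kind=inner vips on VipUpn
    | project SigninTime = TimeGenerated, VipUpn, Tier, IPAddress, Location,
              AppDisplayName, ResultType, RiskLevelDuringSignIn;
// Alerts from Defender XDR and Sentinel, flattened to one row per account entity.
let alerts = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | mv-expand Entity = todynamic(Entities)
    | where tostring(Entity.Type) == 'account'
    | extend AlertUpn = tolower(strcat(tostring(Entity.Name), '@',
                                       tostring(Entity.UPNSuffix)))
    | project AlertTime = TimeGenerated, AlertUpn, AlertName, AlertSeverity;
risky_signins
| join kind=leftouter alerts on $left.VipUpn == $right.AlertUpn
// Keep only alerts inside the window; alerts outside it count as unrelated.
| extend FollowOnAlert = iff(isnotnull(AlertTime)
                             and AlertTime between (SigninTime .. SigninTime + alert_window),
                             AlertName, '')
| summarize
    RiskySignins   = dcount(SigninTime),
    SourceIPs      = make_set(IPAddress, 10),
    Countries      = make_set(Location, 10),
    Apps           = make_set(AppDisplayName, 10),
    FollowOnAlerts = make_set_if(FollowOnAlert, isnotempty(FollowOnAlert), 10),
    HighRiskCount  = countif(RiskLevelDuringSignIn == 'high')
    by VipUpn, Tier, bin(SigninTime, 1h)
// Escalate a VIP whose risky sign-in was followed by an alert, or whose sign-in
// was rated high risk even when no alert has fired yet.
| where array_length(FollowOnAlerts) > 0 or HighRiskCount > 0
| order by SigninTime desc
```

Saved as a scheduled analytics rule with the entity mapping set to VipUpn, each result row becomes an incident in the unified queue described above, with the watchlist Tier available for triage priority.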