david dominguez 😺

Introduction to SIEM, and Sentinel

Mar 17, 2026

What are logs?

Logs are records of events generated by a system or application. In an enterprise SIEM environment, logs are an output from specific security appliances/devices. They have a very tight scope as to what they are looking at (e.g. All network traffic, authentication logs, EDR logs, etc.)

Take firewall logs for example. These are the core attributes of what we’d see. Usually when analysts are looking at it, they’re validating over the traffic and seeing what exactly has been going on that caused an alert to trigger.

Timestamp	Source IP	Dest IP	Source Port	Dest Port	Protocol	Rule Name	Action	Traffic Type	Severity
2024-03-14 08:15:23	192.168.1.105	203.0.113.45	54321	443	TCP	Allow_HTTPS_Internal	ALLOWED	Internal to External	Low
2024-03-14 08:18:47	10.0.2.50	192.168.1.1	53421	22	TCP	Block_SSH_External	BLOCKED	External to Internal	High
2024-03-14 08:22:10	192.168.1.200	8.8.8.8	52341	53	UDP	Allow_DNS	ALLOWED	Internal to External	Low
2024-03-14 08:25:33	203.0.113.99	192.168.1.50	45123	445	TCP	Block_SMB_External	BLOCKED	External to Internal	Critical
2024-03-14 08:29:56	10.0.1.25	172.16.0.10	55234	3306	TCP	Allow_Database_Internal	ALLOWED	Internal to Internal	Low

What’s a Security Information Event Management (SIEM) solution?

A SIEM solution, put simply, collects all the security-relevant logs within a large enterprise, and puts it all into a centralized location, for future detection and analysis. I’ve provided an ASCII visual below to demonstrate how the flow usually looks like.

┌──────────────────────────┐      ┌────────────────────────────┐      ┌──────────────────────────┐
│   LOG SOURCES            │      │   SIEM                     │      │   USERS                  │
├──────────────────────────┤      ├────────────────────────────┤      ├──────────────────────────┤
│                          │      │                            │      │                          │
│  🖥️  Firewalls           │      │  ┌──────────────────────┐  │      │  👤 Security Analysts    │
│  🖥️  Servers             │      │  │ Log Ingestion        │  │      │  👤 SOC Engineers        │
│  🖥️  Endpoints           │      │  └──────────────────────┘  │      │  👤 DevOps Teams         │
│  🖥️  Network Devices     │ ---> │           ↓                │ <--- │  👤 Security Managers    │
│  🖥️  Cloud Services      │      │  ┌──────────────────────┐  │      │                          │
│  🖥️  Web Applications    │      │  │ Correlation &        │  │      │  Activities:             │
│  🖥️  Databases           │      │  │ Enrichment           │  │      │  • Investigate alerts    │
│  🖥️  Active Directory    │      │  └──────────────────────┘  │      │  • Analyze threats       │
│  🖥️  IDS/IPS Systems     │      │           ↓                │      │  • Configure rules       │
│  🖥️  Proxy/WAF           │      │  ┌──────────────────────┐  │      │  • Tune SIEM             │
│  🖥️  DNS Servers         │      │  │ Alerting &           │  │      │  • Review dashboards     │
│      ...                 │      │  │ Dashboarding         │  │      │  • Create reports        │
│                          │      │  └──────────────────────┘  │      │                          │
│                          │      │           ↓                │      │                          │
│                          │      │  ┌──────────────────────┐  │      │                          │
│                          │      │  │ Data Storage &       │  │      │                          │
│                          │      │  │ Retention            │  │      │                          │
│                          │      │  └──────────────────────┘  │      │                          │
└──────────────────────────┘      └────────────────────────────┘      └──────────────────────────┘

On the left you have a bunch of log sources, and the log source information is passed to the SIEM.
The SIEM ingests all the log information (ingestion is the process of moving log data into the SIEM), and then the logs are actioned upon in some way (e.g. used to enrich existing alerts, directly used to create alerts and correlate with other sources, used for dashboards, etc.)
The users of the SIEM are typially security-minded employees who step into the SIEM when they need to perform activities such as investigating alerts (Security Analysts), configuring detection rules and making tuning changes to the SIEM (SOC Engineers), etc.

Why do we care about a SIEM?

To understand the importance of a SIEM, I think it’s better explained if we think of the alternative, what is life like without a SIEM? Let’s show an example workflow of a Security Analyst responding to an alert:

Alert fires from a security solution (e.g. in our ASCII diagram, it could be Firewall alerts, Network Device Monitoring alerts, Cloud service provider alerts, etc.)
Security Analyst receives the alert and opens the link to the alert.
During the investigation, they find they have to open 3 more tabs, to the other security solutions, to further dive into the logs and see what exactly is going on. They need to query this information manually, and each security solution may have its own SQL-adjacent language.
Then, they find that it was due to expected activity or that it was a complete miss due to contextual information from another solution. Analyst is annoyed because had the original alert been correlated with this other solution, it would have never fired in the first place.

This is an overly focused example, but the point comes across well. A SIEM allows Security Analysts to thoroughly investigate alerts without the need to switch to multiple tabs. As an analyst, if they are constantly switching tabs within a specific alert, it can be easy to get very lost and overwhelmed due to the amount of context switching that is required within each tab. If they are kept on a single area, they can be more efficient with their time since they are not performing a hard context switch.

Additionally, correlation is extremely valuable in a SIEM. Being able to have the ability to directly tune out alerts due to another log source’s information is valuable, because it avoids analysts doing extremely repetitive work.

In a nutshell, anything that an analyst does repetitively and often, is a strong candidate for automation, correlation, or dashboard/report creation.

What is Microsoft Sentinel?

Microsoft Sentinel is the SIEM I work on often for our clients. It is a cloud-native SIEM that collects log source data and analyzes said data to support threat protection for organizations, as per Microsoft’s definition.

How can you play with it?

Sentinel is available via Azure, which is Microsoft cloud platform. Once logged into Azure, type in ‘Sentinel’ in the search box, and you can choose to spin up a Sentinel instance. Pricing is based on how many logs you are ingesting, and it is not cheap, so tread carefully and appropriately forecast anticipated volume of logs to bring in. Feel free to send me a message if you are confused about pricing or if you want to learn more cost-saving strategies.