Microsoft Sentinel • SIEM • KQL • Workbooks • Security Operations

Microsoft Sentinel Security Services

Microsoft Sentinel gives you visibility across your environment, but only if the right data is connected, the right analytics rules are tuned, and the right questions are being asked.

GEMXIT helps Australian businesses plan, review and improve Microsoft Sentinel across setup, SIEM visibility, Defender XDR integration, KQL analytics, workbooks and practical security operations design.

With Microsoft moving Sentinel operations into the Microsoft Defender portal, now is the time to review your connectors, incidents, permissions, automation and investigation workflows before the change affects your security team.

Microsoft Sentinel Security Services by GEMXIT
Sentinel page summary

A service page for Microsoft Sentinel setup, Defender portal transition planning, SIEM visibility, analytics rule review, KQL workbooks and security operations.

Sentinel setup and connector review
KQL analytics rules and workbooks
Security visibility and response workflows

Important Microsoft Sentinel change: Defender portal transition

Microsoft Sentinel is transitioning into the Microsoft Defender portal. The Defender portal is now the unified security operations experience for Sentinel and Defender XDR, and Microsoft guidance now states that after 31 March 2027, Microsoft Sentinel will no longer be supported in the Azure portal and will be available only in the Microsoft Defender portal.


For Australian businesses, this is more than a portal change. It affects how security teams investigate incidents, manage permissions, review Defender XDR integration, use connectors, and maintain operational workflows.

What changes: Sentinel investigations increasingly move into the Defender portal, alongside Defender XDR incidents, alerts and security signals.
What to review now: Connectors, analytics rules, automation rules, playbooks, permissions, incident workflows and reporting should be checked before migration pressure builds.
Why GEMXIT cares: We focus on visibility, KQL threat hunting and practical security operations — the areas most affected when Sentinel and Defender workflows come together.

What Microsoft Sentinel adds

Microsoft Sentinel provides cloud-native SIEM and SOAR capabilities for collecting, correlating and investigating security events across Microsoft 365, Azure, Defender XDR, identity, endpoint, cloud and third-party environments.
Centralised security visibility: Bring identity, endpoint, firewall, cloud and Microsoft 365 logs into one investigation plane.
Analytics rules: Turn important patterns into scheduled detections and incidents.
Workbooks and reporting: Visualise trends, gaps, incidents and security posture in a way decision-makers can understand.

Defender XDR + Sentinel: why the integration matters

The strongest Microsoft security environments do not treat Sentinel, Defender, Entra ID and Microsoft 365 logs as separate islands. They bring the signals together so incidents can be understood faster and with better context.
Unified incidents: Review how Defender XDR incidents, Sentinel incidents, alerts and entities are being grouped and investigated.
Connector impact: Check whether Defender XDR connector changes affect duplicate alerts, incident creation rules or existing Sentinel workflows.
Security operations design: Design the process around how analysts actually investigate identity, email, endpoint and cloud activity.

Practical KQL example: after-hours activity

Not every incident starts with malware. Sometimes the first signal is activity happening at a time that does not match normal business behaviour.
sentinel-after-hours-activity.kql
SigninLogs
| where TimeGenerated > ago(14d)
| extend HourOfDay = datetime_part("hour", TimeGenerated)
| where HourOfDay < 6 or HourOfDay > 20
| project
    TimeGenerated,
    UserPrincipalName,
    IPAddress,
    Location,
    AppDisplayName,
    ResultType,
    ConditionalAccessStatus
| order by TimeGenerated desc

How to read this query

  • TimeGenerated > ago(14d) limits the hunt to recent sign-in behaviour.
  • HourOfDay < 6 or HourOfDay > 20 highlights activity outside normal business hours.
  • Location, IPAddress and AppDisplayName help determine whether the activity matches the user's normal pattern.
  • ConditionalAccessStatus helps show whether the sign-in was challenged, blocked, allowed or not evaluated.
Used for: Finding sign-ins that may be legitimate but deserve review because of timing.
Best pivot: Compare location, device, application, conditional access and user history.
Why it matters: Good detection often starts with behaviour, not malware signatures.
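A fuller version of the hunt above, added here as an example and not taken from the original page or from GEMXIT: it shifts TimeGenerated (which Sentinel stores in UTC) to local time before bucketing hours, then compares each recent after-hours sign-in against the same user's own 30-day history, so the "user history" pivot becomes part of the query rather than a manual step. The +10h offset, the window lengths and the ranking rules are assumptions for a Melbourne business and should be adjusted for daylight saving and local working hours.

```kql
// Added example extending the page's after-hours query; not the original query.
// Assumptions: SigninLogs is populated by the Entra ID connector, and a fixed
// +10h offset (AEST) is close enough to local time. Kusto has no time-zone
// database, so daylight saving must be handled by changing tz_offset.
let lookback = 14d;            // hunting window, as in the original query
let baseline_window = 30d;     // history used to learn each user's normal hours
let tz_offset = 10h;           // UTC -> local; TimeGenerated is stored in UTC
let after_hours = (h: int) { h < 6 or h > 20 };
// Step 1: baseline. For each user, count successful after-hours sign-ins in the
// 30 days before the hunting window and record the countries they came from.
let Baseline = SigninLogs
    | where TimeGenerated between (ago(lookback + baseline_window) .. ago(lookback))
    | where ResultType == "0"                       // successful sign-ins only
    | extend HourOfDay = datetime_part("hour", TimeGenerated + tz_offset)
    | where after_hours(HourOfDay)
    | summarize PriorAfterHoursSignins = count(),
                PriorCountries = make_set(Location, 20)
      by UserPrincipalName;
// Step 2: recent after-hours sign-ins (successful and failed), enriched with
// the baseline so analysts see immediately whether the timing is new for the user.
SigninLogs
| where TimeGenerated > ago(lookback)
| extend LocalTime = TimeGenerated + tz_offset
| extend HourOfDay = datetime_part("hour", LocalTime)
| where after_hours(HourOfDay)
| join kind=leftouter Baseline on UserPrincipalName
| extend PriorAfterHoursSignins = coalesce(PriorAfterHoursSignins, long(0))
// A country is "new" when the user has no after-hours history or the set does not contain it.
| extend NewCountry = not(isnotempty(PriorCountries) and set_has_element(PriorCountries, Location))
// Rank 1 = never seen after hours AND unfamiliar country; 2 = one of the two; 3 = routine.
| extend ReviewRank = case(
      PriorAfterHoursSignins == 0 and NewCountry, 1,
      PriorAfterHoursSignins == 0 or NewCountry, 2,
      3)
| project ReviewRank, LocalTime, UserPrincipalName, IPAddress, Location,
          AppDisplayName, ResultType, ConditionalAccessStatus, PriorAfterHoursSignins
| order by ReviewRank asc, LocalTime desc
```

Rank 3 rows (users who routinely work after hours from familiar countries) are the ones to tune out first when turning this hunt into a scheduled analytics rule.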

Sentinel setup areas GEMXIT can review

Sentinel value depends on the right data connectors, analytics rules, workbooks, retention and response process.
Data connectors: Validate which logs are connected and whether important sources are missing.
Rules and incidents: Review analytics coverage, noisy detections and practical incident workflow.
SOC-style visibility: Build workbooks and dashboards that make security posture easier to understand.

Sentinel to Defender portal readiness review

A good Sentinel review should not only ask “is Sentinel turned on?” It should ask whether the environment is ready for the way Microsoft security operations are moving.
Portal transition: Review current Azure portal Sentinel usage and identify what needs to move into the Defender portal workflow.
Permissions and roles: Check whether current Azure permissions, Sentinel roles and Defender portal access still support the way your team works.
Automation and reporting: Review automation rules, Logic Apps, workbook assumptions and reporting processes before the operational model changes.
GEMXIT PTY LTD | GEMXIT UK LTD

Microsoft Sentinel Services Melbourne

GEMXIT provides Microsoft Sentinel setup, SIEM review, Defender portal transition guidance, data connector review, KQL analytics and workbook design.

Microsoft Sentinel Defender Portal Transition

Microsoft Sentinel is moving into the Microsoft Defender portal. GEMXIT helps organisations review permissions, incidents, connectors, workbooks, automation and operational readiness.

Microsoft Sentinel KQL Workbooks

Sentinel workbooks and KQL can help visualise sign-ins, incidents, identity activity, Defender XDR signals and security posture.

Security Operations Australia

GEMXIT helps organisations improve Microsoft security visibility using Sentinel, Defender XDR, Entra ID and practical threat hunting workflows.