Microsoft Sentinel gives you visibility across your environment, but only if the right data is connected, the right analytics rules are tuned, and the right questions are being asked.
GEMXIT helps Australian businesses plan, review and improve Microsoft Sentinel across setup, SIEM visibility, Defender XDR integration, KQL analytics, workbooks and practical security operations design.
With Microsoft moving Sentinel operations into the Microsoft Defender portal, now is the time to review your connectors, incidents, permissions, automation and investigation workflows before the change affects your security team.
A service page for Microsoft Sentinel setup, Defender portal transition planning, SIEM visibility, analytics rule review, KQL workbooks and security operations.
Important Microsoft Sentinel change: Defender portal transition
Microsoft Sentinel is transitioning into the Microsoft Defender portal. The Defender portal is now the unified security operations experience for Sentinel and Defender XDR, and Microsoft guidance now states that after 31 March 2027, Microsoft Sentinel will no longer be supported in the Azure portal and will be available only in the Microsoft Defender portal.
For Australian businesses, this is more than a portal change. It affects how security teams investigate incidents, manage permissions, review Defender XDR integration, use connectors, and maintain operational workflows.
What changes: Sentinel investigations increasingly move into the Defender portal, alongside Defender XDR incidents, alerts and security signals.
What to review now: Connectors, analytics rules, automation rules, playbooks, permissions, incident workflows and reporting should be checked before migration pressure builds.
Why GEMXIT cares: We focus on visibility, KQL threat hunting and practical security operations, the areas most affected when Sentinel and Defender workflows come together.
What Microsoft Sentinel adds
Microsoft Sentinel provides cloud-native SIEM and SOAR capabilities for collecting, correlating and investigating security events across Microsoft 365, Azure, Defender XDR, identity, endpoint, cloud and third-party environments.
Centralised security visibility: Bring identity, endpoint, firewall, cloud and Microsoft 365 logs into one investigation plane.
Analytics rules: Turn important patterns into scheduled detections and incidents.
Workbooks and reporting: Visualise trends, gaps, incidents and security posture in a way decision-makers can understand.
Defender XDR + Sentinel: why the integration matters
The strongest Microsoft security environments do not treat Sentinel, Defender, Entra ID and Microsoft 365 logs as separate islands. They bring the signals together so incidents can be understood faster and with better context.
Unified incidents: Review how Defender XDR incidents, Sentinel incidents, alerts and entities are being grouped and investigated.
Security operations design: Design the process around how analysts actually investigate identity, email, endpoint and cloud activity.
Practical KQL example: after-hours activity
Not every incident starts with malware. Sometimes the first signal is activity happening at a time that does not match normal business behaviour.
sentinel-after-hours-activity.kql

SigninLogs
| where TimeGenerated > ago(14d)
| extend HourOfDay = datetime_part("hour", TimeGenerated)
| where HourOfDay < 6 or HourOfDay > 20
| project
    TimeGenerated,
    UserPrincipalName,
    IPAddress,
    Location,
    AppDisplayName,
    ResultType,
    ConditionalAccessStatus
| order by TimeGenerated desc
How to read this query
TimeGenerated > ago(14d) limits the hunt to recent sign-in behaviour.
HourOfDay < 6 or HourOfDay > 20 highlights activity outside normal business hours.
Location, IPAddress and AppDisplayName help determine whether the activity matches the user's normal pattern.
ConditionalAccessStatus helps show whether the sign-in was challenged, blocked, allowed or not evaluated.
Used for: Finding sign-ins that may be legitimate but deserve review because of timing.
Best pivot: Compare location, device, application, conditional access and user history.
Why it matters: Good detection often starts with behaviour, not malware signatures.
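As an added example that is not part of the original page, the query below extends the after-hours hunt with the user-history pivot recommended above, and evaluates "after hours" in local business time rather than in UTC, which is what TimeGenerated stores. It assumes the standard SigninLogs columns, Australia/Sydney as the business timezone, 06:00 to 20:00 local as business hours, and 30-day baseline and 14-day hunt windows; all of these are assumptions to tune for your environment.

```kql
// Added example, not the page's own query.
// 1. Convert TimeGenerated (UTC) to local time before deciding what "after hours" means.
// 2. Build a per-user baseline from the 30 days BEFORE the hunt window, so the sign-ins
//    under review cannot contaminate their own baseline.
// 3. Rank after-hours sign-ins by how unfamiliar their context is for that user.
// Assumptions: standard SigninLogs columns, Australia/Sydney timezone, 06:00-20:00 business hours.
let BusinessTz = "Australia/Sydney";
let HuntWindow = 14d;
let BaselineWindow = 30d;
let Baseline = SigninLogs
    | where TimeGenerated between (ago(HuntWindow + BaselineWindow) .. ago(HuntWindow))
    | where tostring(ResultType) == "0"          // successful sign-ins only
    | summarize KnownLocations = make_set(Location),
                KnownApps = make_set(AppDisplayName),
                BaselineSignins = count()
      by UserPrincipalName;
SigninLogs
| where TimeGenerated > ago(HuntWindow)
| extend LocalTime = datetime_utc_to_local(TimeGenerated, BusinessTz)
| extend HourOfDay = datetime_part("hour", LocalTime)
| where HourOfDay < 6 or HourOfDay > 20
| join kind=leftouter Baseline on UserPrincipalName
// A user with no baseline (new account, or no successful sign-ins in the window) is itself a signal.
| extend NoBaseline = isnull(BaselineSignins),
         NewLocation = iff(isnull(KnownLocations), true, not(set_has_element(KnownLocations, Location))),
         NewApp = iff(isnull(KnownApps), true, not(set_has_element(KnownApps, AppDisplayName)))
// Simple, explainable score: unfamiliar context and an unevaluated sign-in rank higher.
| extend ReviewScore = iff(NoBaseline, 2, 0)
                     + iff(NewLocation, 3, 0)
                     + iff(NewApp, 1, 0)
                     + iff(ConditionalAccessStatus == "notApplied", 1, 0)
| project TimeGenerated, LocalTime, UserPrincipalName, IPAddress, Location, AppDisplayName,
          ResultType, ConditionalAccessStatus, NewLocation, NewApp, NoBaseline, ReviewScore
| order by ReviewScore desc, TimeGenerated desc
```

Rows with a high ReviewScore are the ones worth an analyst's time first; a score of 0 is an after-hours sign-in from a location and application the user has used before, with Conditional Access evaluated.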
Real-world Sentinel findings
A Sentinel environment can look healthy from a distance while still missing the data, detections or workflows needed for real investigations.
Important logs are missing: Identity, endpoint, firewall, cloud or Microsoft 365 logs may not be connected, leaving investigations incomplete.
Rules are noisy or too quiet: Analytics rules may generate too many low-value incidents, or they may miss the behaviour the business actually cares about.
Workbooks do not answer useful questions: Dashboards often show activity, but not enough context to help a manager, analyst or administrator decide what to do next.
What a Sentinel review should include
The goal is not just to confirm Sentinel is deployed. The goal is to confirm it can support real detection, triage, investigation and reporting.
Connector and table review: Confirm which data sources are connected, which tables are populated, and which important signals are still missing.
Response workflow readiness: Check whether incidents have owners, triage notes, escalation paths, automation, and a clear investigation process.
Sentinel setup areas GEMXIT can review
Sentinel value depends on the right data connectors, analytics rules, workbooks, retention and response process.
Data connectors: Validate which logs are connected and whether important sources are missing.
Rules and incidents: Review analytics coverage, noisy detections and practical incident workflow.
SOC-style visibility: Build workbooks and dashboards that make security posture easier to understand.
Sentinel to Defender portal readiness review
A good Sentinel review should not only ask “is Sentinel turned on?” It should ask whether the environment is ready for the way Microsoft security operations are moving.
Portal transition: Review current Azure portal Sentinel usage and identify what needs to move into the Defender portal workflow.
Permissions and roles: Check whether current Azure permissions, Sentinel roles and Defender portal access still support the way your team works.
Automation and reporting: Review automation rules, Logic Apps, workbook assumptions and reporting processes before the operational model changes.
Frequently asked questions
Microsoft Sentinel becomes more valuable when the business understands what it collects, what it detects, and how analysts should respond.
What is Microsoft Sentinel? Microsoft Sentinel is a cloud-native SIEM and SOAR platform used to collect, correlate, detect and investigate security activity across cloud and on-premises environments.
Is Sentinel replacing Defender XDR? No. Sentinel and Defender XDR work together. Defender provides deep Microsoft security signal, while Sentinel supports broader SIEM, KQL analytics, automation and reporting.
Why does KQL matter in Sentinel? KQL is the query language used to search logs, build analytics rules, investigate incidents and create useful Sentinel workbooks.
Do we need to prepare for the Defender portal? Yes. Organisations should review permissions, connectors, incidents, automation, workbooks and analyst workflows before relying fully on the Defender portal experience.
Can GEMXIT build Sentinel workbooks? Yes. GEMXIT can help design practical workbooks that show identity, Defender, sign-in, incident and security posture information clearly.
How often should Sentinel be reviewed? Sentinel should be reviewed whenever major connectors, licensing, security operations workflows or Microsoft portal changes affect how the team investigates threats.
Related Microsoft security pages
Sentinel is strongest when it is connected to identity, Defender, Zero Trust and real investigation capability.
Sentinel works best when it is part of a broader Microsoft security strategy. These GEMXIT resources help connect the dots between KQL, Defender, identity and real-world threat hunting.
GEMXIT provides Microsoft Sentinel setup, SIEM review, Defender portal transition readiness, data connector review, KQL analytics, analytics rule review, automation review and workbook design.
Microsoft Sentinel Defender Portal Transition
Microsoft Sentinel is moving into the Microsoft Defender portal. GEMXIT helps organisations review permissions, incidents, connectors, workbooks, automation and operational readiness.
Microsoft Sentinel KQL Workbooks
Sentinel workbooks and KQL can help visualise sign-ins, incidents, identity activity, Defender XDR signals and security posture.
Security Operations Australia
GEMXIT helps organisations improve Microsoft security visibility using Sentinel, Defender XDR, Entra ID and practical threat hunting workflows.