Steve: Welcome back everybody to 3in3. In this episode we’re going to be talking about Azure Sentinel and with me I’ve got Charlie Smith, one of our Senior Solutions Consultants on the security team, so let’s jump right in.
Charlie, what is Azure Sentinel?
Charlie: Yes, Azure Sentinel in its simplest form is a SIEM tool, which is Security Information and Event Management, and it’s a SOAR tool, which is Security Orchestration Automated Response, that’s all native to the cloud.
Steve: Excellent. So essentially, it’s a tool that sits in Azure that collects logs and information about events and security events and all sorts of things that are going on around Office 365 and other systems, is that correct?
Charlie: Yes, and it’s using its proprietary threat intelligence engine on the back end to help you correlate events, so the more events you put into Sentinel, in some ways, the smarter it is. So, if I’m taking my firewall logs and my Azure AD logs, it’s able to correlate those relationships together to help find threats.
Steve: Excellent, thanks.
So then, the second question I would have is what makes Azure Sentinel interesting today for our customers?
Charlie: Yeah, for me what makes Azure Sentinel really interesting is the scalability. It’s all in the cloud and it is really fast. So, I’m running my queries and trying to find stuff, my own custom queries. It is really quick. So, I don’t have to worry about storage or building up new servers to help handle some of that load. It’s all in the cloud and it’s all done on the back end. Also, it’s dashboarding, it’s threat intelligence, it’s analytic data, it’s incredible. It’s really rich in what it can provide to you.
Steve: Well, and that’s really important because our customers obviously, when they’re responding to or looking for security incidents, they want to be able to respond quickly, so having a scalable tool is certainly really helpful, and it’s super interesting and we’re getting a lot of requests to talk about it.
Alright, so the third question that I have, and the final question, would be: what can or what should customers do about it today?
Charlie: Yeah, so most of my customers have a SIEM tool already, but there’s interest in some of Azure Sentinel’s capabilities. So what I always recommend is to start ingesting the Office 365 logs into Sentinel. Microsoft has done it in a way where it makes it really simple to ingest those; it’s a click of a button. Second, the first thirty days it’s completely free. After that point there’s a really small cost if you want a longer retention, but at that point you can start seeing the value of what its capability is, the threats it can detect, and getting familiar with the dashboard, the queries and all the data you’re able to get.
Steve: Excellent. Well, thanks for that, Charlie. We appreciate your time today in talking about Azure Sentinel, and certainly it is an interesting topic. If you would like more information, you can contact us at firstname.lastname@example.org. Thanks, and we’ll see you next time.