building-cloud-siem-with-sentinel

This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR platform for centralized security operations. It details configuring data connectors for multi-cloud log ingestion, writing KQL detection queries, building automated response playbooks with Logic Apps, and leveraging the Sentinel data lake for petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry.

DevOps & Infrastructure 12,642 stars 1468 forks Updated today Apache-2.0

Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Building Cloud SIEM with Sentinel

## When to Use

- When establishing a centralized security operations center for multi-cloud environments
- When migrating from legacy SIEM platforms (Splunk, QRadar) to cloud-native architecture
- When building automated incident response workflows for cloud-specific threats
- When performing large-scale threat hunting across petabytes of security telemetry
- When integrating threat intelligence feeds with cloud security log analysis

**Do not use** for AWS-only environments where Security Hub and GuardDuty suffice, for endpoint detection requiring EDR capabilities (use Defender for Endpoint), or for compliance posture monitoring (see building-cloud-security-posture-management).

## Prerequisites

- Azure subscription with Microsoft Sentinel enabled on a Log Analytics workspace
- Data connector permissions for target log sources (AWS CloudTrail, Azure Activity, GCP)
- Logic Apps or Azure Functions for automated response playbooks
- KQL (Kusto Query Language) proficiency for writing detection rules and hunting queries

## Workflow

### Step 1: Provision Sentinel Workspace and Data Connectors

Create a Log Analytics workspace optimized for security data and enable data connectors for multi-cloud ingestion.

```bash
# Create Log Analytics workspace
az monitor log-analytics workspace create \
  --resource-group security-rg \
  --workspace-name sentinel-workspace \
  --location eastus \
  --retention-time 365 \
  --sku PerGB2018

# Enabl...
```

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

DevOps & Infrastructure Solid

azure-sentinel

Expert knowledge for Azure Sentinel development including troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when managing Sentinel connectors, KQL analytics rules, Logic Apps playbooks, UEBA/SAP data, or ASIM schemas, and other Azure Sentinel related development tasks. Not for Azure Defender For Cloud (use azure-defender-for-cloud), Azure Security (use azure-security), Azure Monitor (use azure-monitor), Azure Network Watcher (use azure-network-watcher).

562 Updated today
MicrosoftDocs
DevOps & Infrastructure Listed

siem-logging

Configure security information and event management (SIEM) systems for threat detection, log aggregation, and compliance. Use when implementing centralized security logging, writing detection rules, or meeting audit requirements across cloud and on-premise infrastructure.

368 Updated 5 months ago
ancoleman
DevOps & Infrastructure Featured

securing-azure-with-microsoft-defender

This skill instructs security practitioners on deploying Microsoft Defender for Cloud as a cloud-native application protection platform for Azure, multi-cloud, and hybrid environments. It covers enabling Defender plans for servers, containers, storage, and databases, configuring security recommendations, managing Secure Score, and integrating with the unified Defender portal for centralized threat management.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

detecting-cloud-threats-with-guardduty

This skill teaches security teams how to deploy and operationalize Amazon GuardDuty for continuous threat detection across AWS accounts and workloads. It covers enabling protection plans for S3, EKS, EC2 runtime monitoring, and Lambda, interpreting finding severity levels, and building automated response workflows using EventBridge and Lambda.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

implementing-aws-security-hub

This skill covers deploying AWS Security Hub as a centralized cloud security posture management platform that aggregates findings from GuardDuty, Inspector, Macie, and third-party tools. It details enabling security standards like CIS AWS Foundations Benchmark, configuring automated remediation, and building executive dashboards for compliance tracking across multi-account AWS organizations.

12,642 Updated today
mukul975