For too long, Security Information and Event Management (SIEM) has been seen as the exclusive domain of large enterprises with dedicated Security Operations Centres (SOCs) and multi-million dollar security budgets. The reality in 2025 is very different. Microsoft Sentinel -- a cloud-native SIEM and Security Orchestration, Automation, and Response (SOAR) platform -- has democratised enterprise-grade security monitoring, making it accessible and affordable for Australian small and mid-sized businesses (SMBs) for the first time.
The OAIC Notifiable Data Breaches Report (July-December 2024) reveals that 67% of reported data breaches in Australia affected organisations with fewer than 500 employees. The ACSC consistently warns that cyber criminals increasingly target SMBs, viewing them as softer targets than hardened enterprise environments. Despite this, the majority of Australian SMBs lack any form of centralised security monitoring -- relying instead on disconnected security tools, manual log reviews, and reactive incident response.
Microsoft Sentinel changes this equation. By leveraging cloud-native architecture, pay-per-GB pricing, and deep integration with the Microsoft 365 ecosystem, Sentinel enables SMBs to deploy enterprise-grade threat detection without the capital expenditure, staffing requirements, or operational complexity of traditional SIEM solutions.
Key Takeaway
Microsoft Sentinel is not a "lite" SIEM. It is the same platform used by global enterprises and government agencies, delivered through a consumption-based pricing model that scales from small businesses processing 1 GB/day to enterprises ingesting 100 TB/day. The difference is cost management strategy, not capability.
Why SMBs Need SIEM
Many SMBs question whether they need a SIEM at all. The answer is unequivocally yes, and here is why:
- Compliance requirements -- The Essential Eight maturity model, ISO 27001 (its controls on event logging and monitoring), and industry regulations such as APRA CPS 234 all expect centralised event logging, ongoing monitoring, and the ability to detect and respond to incidents. A SIEM is the standard tool for meeting these expectations, and its retained logs are the evidence an auditor or regulator will ask for after an incident.
- Mean time to detect -- IBM's Cost of a Data Breach Report has for years measured breach lifecycles in months: the 2024 edition reports a global mean of 194 days to identify a breach and a further 64 days to contain it, and finds that organisations making extensive use of security automation identify and contain breaches substantially faster, and at lower cost, than those that do not. Every additional day of undetected compromise increases the cost and impact of the breach.
- Alert fatigue -- Without a SIEM to correlate and prioritise alerts, IT teams are overwhelmed by disconnected notifications from firewalls, email security, endpoint protection, and identity systems. Critical alerts are missed in the noise.
- Forensic capability -- When a breach occurs, a SIEM provides the log data and timeline necessary to understand what happened, how the attacker gained access, what they accessed, and whether they are still present. Without this data, incident response is guesswork.
- Insurance requirements -- Cyber insurance providers increasingly require evidence of centralised monitoring and detection capabilities. SIEM deployment can reduce premiums and strengthen your policy coverage.
Microsoft Sentinel Overview
Microsoft Sentinel is built on Azure Log Analytics, leveraging the massive scale of Azure infrastructure to collect, store, analyse, and respond to security data from across your entire environment. Key architectural components include:
- Log Analytics Workspace -- The central repository where all security data is ingested, stored, and queried. Sentinel supports multiple workspaces for multi-tenant or geographic isolation scenarios.
- Data Connectors -- Pre-built integrations that ingest data from security sources. Sentinel includes connectors for over 200 data sources out of the box.
- Analytics Rules -- Detection logic that analyses ingested data and generates security alerts when suspicious activity is identified.
- Incidents -- Correlated groups of alerts that represent a potential security event, with severity classification and assignment workflows.
- Playbooks -- Automated response workflows built on Azure Logic Apps that execute actions when incidents are created -- such as blocking an IP address, disabling a user account, or sending a notification to the security team.
- Workbooks -- Interactive dashboards for visualising security data, trends, and compliance metrics.
- Hunting -- Proactive threat hunting using KQL queries to search for indicators of compromise that may not trigger automated detection rules.
Data Connectors: What to Ingest First
The most critical decision in a Sentinel deployment is which data sources to connect. For Australian SMBs, the following connectors provide the highest security value relative to their ingestion cost:
Priority 1: Free or Low-Cost, High-Value Connectors
- Microsoft Entra ID (Azure AD) Sign-In and Audit Logs -- Identity is the primary attack vector for most breaches. Entra ID logs capture authentication events, conditional access evaluations, and administrative changes. Exporting sign-in logs to a workspace requires an Entra ID P1 or P2 licence (included in Microsoft 365 E3 and E5 and in Business Premium). Microsoft 365 E5 customers also receive a data grant of up to 5 MB per user per day that covers these logs, which makes them effectively free to ingest for most SMBs.
- Microsoft Defender for Endpoint -- Endpoint detection alerts and raw telemetry from Defender-managed devices. Essential for correlating endpoint threats with identity and network events.
- Microsoft Defender XDR (formerly Microsoft 365 Defender) -- Consolidated incidents and alerts from Defender for Office 365 (email threats), Defender for Identity (Active Directory compromise), and Defender for Cloud Apps (SaaS security). Alerts are free to ingest; the raw advanced hunting tables behind them are billable and can be added later.
- Azure Activity Logs -- Track administrative actions across your Azure subscriptions -- resource creation, deletion, configuration changes, and access grants.
Priority 2: Core Infrastructure Connectors
- Firewall Logs (Fortinet, Palo Alto, etc.) -- Ingesting firewall logs via Syslog or CEF format provides network-layer visibility into blocked connections, intrusion attempts, and policy violations.
- Windows Security Events -- Process execution, logon events, and privilege escalation on Windows servers and workstations. Use the "Common" event set to control ingestion volume.
- DNS Logs -- DNS query logs help identify command-and-control communication, data exfiltration over DNS, and connections to known malicious domains.
Key Takeaway
Start with identity and endpoint data -- these two sources alone will detect the majority of threats relevant to SMBs. Add firewall and DNS logs in the second phase once your analytics rules and triage processes are established. Avoid the temptation to connect everything at once, as this drives up ingestion costs without proportional security benefit.
KQL Basics for Security Analysts
Kusto Query Language (KQL) is the query language used to search and analyse data in Sentinel. While KQL has a learning curve, the basic patterns needed for security analysis are straightforward:
Essential KQL Patterns
- Filtering -- `SigninLogs | where ResultType != "0"` returns every failed sign-in. ResultType is a string column holding the Entra ID error code, so compare it against string literals; "0" means success.
- Aggregation -- `SigninLogs | where ResultType != "0" | summarize count() by UserPrincipalName` counts failed sign-ins per user.
- Time filtering -- `SigninLogs | where TimeGenerated > ago(24h)` limits results to the last 24 hours. Scheduled rules apply a lookback period implicitly; in ad-hoc queries always set one explicitly, because an unbounded scan of a large table is slow and expensive.
- Joining tables -- `join` correlates two tables on a shared column, for example matching sign-in events to audit log entries to catch a compromised account performing administrative actions shortly after it logs in.
- Anomaly detection -- `series_decompose_anomalies()` is a built-in function that flags statistical anomalies in a time series, such as a sudden jump in a user's daily file download count.
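The following query is an added example, not code from the original article, that combines the time-filtering, aggregation and join patterns above into one investigation question: which accounts were hit by many failed sign-ins, then signed in successfully from the same IP address, then made privileged directory changes within the next hour? It uses the standard Entra ID connector tables (SigninLogs and AuditLogs); the failure threshold of 10 and the one-hour follow-up window are assumptions to tune for your environment.

```kql
// Added example (not from the original article): brute-forced account that then
// succeeds and performs privileged directory changes. Thresholds are assumptions.
let lookback = 24h;
let failThreshold = 10;        // assumed: failed sign-ins before we care
let followUpWindow = 1h;       // assumed: how soon after the success we look
// Step 1: per user and source IP, count failures and record the last success.
// minif/maxif return null when no row matches the condition.
let suspiciousLogons =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | summarize
        Failures     = countif(ResultType != "0"),
        FirstFailure = minif(TimeGenerated, ResultType != "0"),
        SuccessTime  = maxif(TimeGenerated, ResultType == "0")
      by UserPrincipalName, IPAddress
    | where Failures >= failThreshold
    | where isnotnull(SuccessTime) and SuccessTime > FirstFailure;
// Step 2: privileged directory changes made by the same account shortly after
// that success. InitiatedBy is a dynamic column; the actor UPN sits under user.
AuditLogs
| where TimeGenerated > ago(lookback)
| where Category in ("RoleManagement", "UserManagement",
                     "ApplicationManagement", "GroupManagement")
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| where isnotempty(Actor)
| join kind=inner suspiciousLogons on $left.Actor == $right.UserPrincipalName
| where TimeGenerated between (SuccessTime .. (SuccessTime + followUpWindow))
| project TimeGenerated, Actor, IPAddress, Failures, SuccessTime,
          OperationName, Result,
          Target = coalesce(tostring(TargetResources[0].userPrincipalName),
                            tostring(TargetResources[0].displayName))
| order by TimeGenerated desc
```

Run it from Logs or the Hunting blade first; once the thresholds produce few false positives it can be pasted unchanged into a scheduled analytics rule, with Actor mapped to the Account entity and IPAddress to the IP entity so the incident carries the right entities into the investigation graph.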
Microsoft provides hundreds of pre-built analytics rules and hunting queries through the Sentinel Content Hub that can be deployed without writing custom KQL. For SMBs, these out-of-the-box detections cover the vast majority of common threat scenarios; custom KQL is usually needed only to tune thresholds and exclusions for your own environment.
Analytics Rules: Detecting Threats
Analytics rules are the detection engine of Sentinel. Scheduled rules run their query at a fixed interval (anywhere from every 5 minutes to every 14 days) over a defined lookback period and generate alerts when the query returns results. The main rule types are:
- Microsoft Security -- Automatically creates Sentinel incidents from alerts generated by Microsoft Defender products. These require no configuration and provide immediate detection value.
- Scheduled Rules -- Custom KQL queries that run on a defined schedule. These are the most flexible and powerful detection mechanism.
- Fusion -- AI-powered multi-stage attack detection that correlates alerts from multiple sources to identify complex attack chains. Fusion detects scenarios like "impossible travel followed by suspicious mailbox rule creation followed by data exfiltration."
- NRT (Near Real-Time) -- Rules that run every minute over the last minute of data for time-critical detections. They support a restricted subset of query features, and a workspace can hold only a limited number of them, so reserve them for detections where a five-minute delay genuinely matters.
Essential Analytics Rules for SMBs
| Rule | Data Source | Detects |
|---|---|---|
| Brute Force Attack | Entra ID Sign-In Logs | Multiple failed logon attempts from a single IP |
| Impossible Travel | Entra ID Sign-In Logs | Sign-ins from geographically distant locations in impossibly short timeframes |
| New Inbox Rule | Office 365 Logs | Suspicious mailbox forwarding rules created by compromised accounts |
| Rare Process Execution | Defender for Endpoint | Uncommon processes running on endpoints that may indicate malware |
| MFA Fatigue | Entra ID Sign-In Logs | A burst of MFA push prompts denied or timed out by one user, indicating an attacker who already holds a valid password and is bombarding the user until they approve |
| Admin Account Creation | Entra ID Audit Logs | New privileged accounts created outside of change management processes |
| Data Exfiltration | Defender for Cloud Apps | Unusual volume of file downloads or sharing from cloud applications |
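The brute force row in the table above is the simplest scheduled rule to write, but a naive "many failures per user" query misses password spraying, where an attacker tries one or two passwords against many accounts so that no single account trips the threshold. The query below is an added example, not code from the original article or one of Microsoft's templates, written in the shape a scheduled analytics rule needs: a one-hour window matching a one-hour run frequency, a summary per source IP, and a Pattern column that separates the two behaviours. The two thresholds and the grouping by a single source IP are assumptions; a distributed spray from many IPs would need a second query grouped by the targeted application or user agent instead.

```kql
// Added example (not from the original article): scheduled rule query that
// separates brute force from password spray by source IP. Set the rule to run
// every 1h with a 1h lookback so each sign-in is evaluated once.
let window = 1h;
let bruteForceThreshold = 20;   // assumed: failures from one IP against few accounts
let sprayAccountThreshold = 10; // assumed: distinct accounts targeted from one IP
SigninLogs
| where TimeGenerated > ago(window)
// Only credential failures; other non-zero codes (CA blocks, MFA steps) are noise here.
// 50126 invalid username/password, 50053 account locked, 50055 expired password,
// 50056 invalid or null password.
| where ResultType in ("50126", "50053", "50055", "50056")
| summarize
    Failures         = count(),
    TargetedAccounts = dcount(UserPrincipalName),
    Accounts         = make_set(UserPrincipalName, 20),
    StartTime        = min(TimeGenerated),
    EndTime          = max(TimeGenerated)
  by IPAddress, Location
| extend Pattern = case(
    TargetedAccounts >= sprayAccountThreshold, "Password spray",
    Failures >= bruteForceThreshold,           "Brute force",
    "")
| where isnotempty(Pattern)
| order by Failures desc
```

In the rule definition map IPAddress to the IP entity and Accounts to the Account entity, and use Pattern in the alert name template so the incident title already says which behaviour fired. Before enabling it, run the query over the last 7 days with `window` set to 7d to see which of your own IP ranges (VPN gateways, shared NAT addresses) would trip the thresholds and add them to a watchlist-based exclusion.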
Incident Management and Response
When analytics rules trigger, Sentinel creates incidents that group related alerts into a single investigation unit. Effective incident management requires:
- Severity classification -- Sentinel assigns severity (High, Medium, Low, Informational) based on rule configuration. High-severity incidents should trigger immediate investigation.
- Assignment and ownership -- Assign incidents to specific analysts or teams. For SMBs using a managed security service, incidents can be automatically assigned to the MSP's SOC team.
- Investigation graph -- Sentinel's investigation graph visually maps the relationships between entities (users, IP addresses, devices, files) involved in an incident, making it easier to understand the scope and impact.
- Playbook automation -- For common incident types, automated playbooks can perform initial triage actions -- such as temporarily disabling a compromised account, blocking a malicious IP at the firewall, or collecting additional forensic data.
Cost Management for SMB Deployments
Sentinel costs are primarily driven by data ingestion volume, measured in GB/day. For SMBs, careful data source selection and retention management are essential to keeping costs predictable:
- Free data sources -- Azure Activity Logs, Office 365 audit logs (Exchange, SharePoint and Teams, via the Office 365 connector), and alerts (not raw telemetry) from Microsoft Defender products are free to ingest for every customer. Microsoft 365 E5 customers additionally receive a grant of up to 5 MB per user per day covering Entra ID sign-in and audit logs and Defender XDR advanced hunting data.
- Basic Logs tier -- For high-volume, low-query data sources (like verbose firewall logs), use the Basic Logs tier, which costs significantly less per GB than Analytics Logs. The trade-off is that queries are billed per GB scanned, only a reduced KQL feature set is available, and tables in this tier cannot be used in analytics rules, so it suits data kept for investigation and compliance rather than detection.
- Commitment tiers -- If you consistently ingest 100 GB/day or more, commitment tiers (starting at 100 GB/day) charge a fixed daily rate that is cheaper per GB than pay-as-you-go, with the discount growing at higher tiers. A new tier locks in for 31 days, so confirm your real volume from the Usage table before committing. Most SMBs in the 1-10 GB/day range will stay on pay-as-you-go.
- Data collection rules -- Filter logs at the source to ingest only security-relevant events. For Windows Security Events, use the "Common" or "Minimal" event sets rather than "All Events."
- Retention policies -- Set retention at 90 days for active analytics (included in Sentinel pricing) and archive to low-cost storage for long-term compliance retention.
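Every item in the list above depends on knowing which tables are actually driving the bill. The query below is an added example, not from the original article, against the Usage table that every workspace populates: it attributes billable volume to each table over the last 30 days and flags any table whose last 24 hours exceeded twice its daily average, which is how a misconfigured data collection rule or a newly verbose firewall shows up before the invoice does. The 2x spike multiplier and the 0.5 GB floor are assumptions.

```kql
// Added example (not from the original article): where is the ingestion coming
// from, and did anything spike in the last day? Usage.Quantity is in MB and
// IsBillable excludes the free data types.
let period = 30d;
let days = 30.0;
let billable =
    Usage
    | where TimeGenerated > ago(period)
    | where IsBillable == true;
let totalGB = toscalar(billable | summarize sum(Quantity) / 1024.0);
let byTable =
    billable
    | summarize IngestedGB = sum(Quantity) / 1024.0 by DataType
    | extend GBPerDay = IngestedGB / days,
             PercentOfTotal = 100.0 * IngestedGB / totalGB;
let lastDay =
    billable
    | where TimeGenerated > ago(1d)
    | summarize LastDayGB = sum(Quantity) / 1024.0 by DataType;
byTable
| join kind=leftouter lastDay on DataType      // tables silent today get null
| extend LastDayGB = coalesce(LastDayGB, 0.0)
// Spike = more than double the daily average and large enough to matter (assumed 0.5 GB)
| extend Spike = LastDayGB > 2 * GBPerDay and LastDayGB > 0.5
| project DataType,
          IngestedGB     = round(IngestedGB, 2),
          GBPerDay       = round(GBPerDay, 3),
          PercentOfTotal = round(PercentOfTotal, 1),
          LastDayGB      = round(LastDayGB, 2),
          Spike
| order by IngestedGB desc
```

Pin this to a workbook and check it during the quarterly SIEM review: the top three rows are the candidates for tighter data collection rules or a move to Basic Logs, and any row with Spike set to true deserves a look the same day.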
A typical Australian SMB with 100-200 users, ingesting identity, endpoint, and email security logs, can expect Sentinel costs of $300-$800 AUD per month -- a fraction of the cost of traditional on-premises SIEM solutions like Splunk or QRadar.
Deployment Phases for SMBs
Precision IT recommends a phased deployment approach that delivers security value quickly while managing cost and complexity:
Phase 1: Foundation (Weeks 1-2)
- Deploy Log Analytics Workspace in Azure Australia East
- Connect Entra ID sign-in and audit logs
- Connect Microsoft Defender XDR (formerly Microsoft 365 Defender) alerts
- Enable Microsoft Security analytics rules
- Configure incident assignment and notification
Phase 2: Core Detection (Weeks 3-4)
- Connect Defender for Endpoint telemetry
- Deploy essential scheduled analytics rules (brute force, impossible travel, inbox rules)
- Enable Fusion detection
- Create initial response playbooks for common incidents
- Build executive security dashboard workbook
Phase 3: Extended Visibility (Weeks 5-8)
- Connect firewall logs via Syslog/CEF
- Connect DNS logs
- Deploy additional analytics rules for network-layer threats
- Implement hunting queries for proactive threat detection
- Conduct tabletop exercise to test incident response procedures
Phase 4: Maturity (Ongoing)
- Tune analytics rules to reduce false positives based on operational experience
- Expand playbook automation for frequently occurring incident types
- Conduct quarterly SIEM reviews to assess coverage, cost, and detection effectiveness
- Add additional data sources as the threat landscape evolves
Key Takeaway
Do not attempt to deploy Sentinel with every data source and every analytics rule on day one. A phased approach ensures each connector and rule is properly tuned, cost is controlled, and your team has time to develop the processes needed to act on detections effectively.
Precision IT's Managed SIEM Service
For SMBs that lack dedicated security staff, Precision IT provides a fully managed Microsoft Sentinel service as part of our cybersecurity services. Our managed SIEM includes:
- Deployment and Configuration -- We design, deploy, and configure your Sentinel environment, including data connectors, analytics rules, and playbooks tailored to your industry and risk profile.
- 24/7 Monitoring and Triage -- Our ISO 27001 certified SOC monitors your Sentinel incidents around the clock, triaging alerts and escalating genuine threats with actionable remediation guidance.
- Threat Hunting -- Our analysts conduct regular proactive threat hunts using KQL queries and Microsoft threat intelligence to identify threats that may not trigger automated detections.
- Incident Response -- When a significant incident is detected, our team provides hands-on response support -- from initial containment to full remediation and recovery.
- Monthly Reporting -- Executive-level reports covering incidents detected, threats mitigated, security posture trends, and recommendations for improvement.
- Cost Optimisation -- We continuously monitor your Sentinel ingestion and recommend adjustments to data collection rules, retention policies, and pricing tiers to keep costs aligned with value delivered.
As a Microsoft Solutions Partner with advanced security specialisations and AWS Select Partner, Precision IT has the expertise to deploy Sentinel across hybrid and multi-cloud environments. Whether you are deploying SIEM for the first time or migrating from a legacy on-premises solution, we ensure your security monitoring is comprehensive, cost-effective, and aligned with Australian compliance requirements.
Contact Precision IT to discuss how Microsoft Sentinel can give your organisation the security visibility and threat detection capabilities it needs to stay protected in an increasingly hostile cyber landscape.