SIEM as a service

Friday, March 13, 2026

Building Our SIEM‑as‑a‑Service Offering with Azure Sentinel

As organisations continue to accelerate their cloud adoption, security visibility has become one of the biggest challenges businesses face. To address this, we proposed adopting Azure Sentinel internally—not just to strengthen our own security posture, but to lay the groundwork for a future SIEM‑as‑a‑Service offering that we can deliver to our customers.

This blog explains what Azure Sentinel is, why we chose it, and how it fits into our journey to build a white‑labelled managed security service for our clients.

What Is Azure Sentinel?

Azure Sentinel is Microsoft’s cloud‑native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) platform. A SIEM collects and analyses logs from across an organisation and correlates them to identify potential threats. Sentinel does this at cloud scale, with deep integration into Microsoft 365, Azure resources, identity services, endpoint protection solutions, and even third‑party infrastructure.

Because Sentinel is built into the Azure platform, it supports a vast catalogue of native connectors and data ingestion pipelines, allowing organisations to centralise their security telemetry into a single, unified environment.

Why We Wanted to Adopt Azure Sentinel Internally

Our goal was twofold:

1. Strengthen our internal security posture

We recognised that centralising our logs and gaining real‑time visibility across our environment would allow us to detect threats earlier and respond more effectively. While we maintain a test tenant for development and validation, it does not generate the volume or variety of logs required for creating accurate security analytics.

By onboarding our production tenant into Sentinel, we would have access to realistic, high‑value data that mirrors what real enterprise customers experience.

2. Build the foundation for a white‑labelled SIEM‑as‑a‑Service offering

A key part of our cloud practice strategy is to develop a managed security service that we can offer to customers. By implementing Sentinel internally first, we can:

  • Understand real operational usage
  • Develop high‑quality detection queries and workbooks
  • Build automated playbooks for response
  • Establish processes for monitoring, alerting, and incident handling
  • Move towards a packaged, repeatable, ready‑to‑sell solution

This approach would allow us to take a proven, production‑tested service to market—something far more compelling than a theoretical or lab‑only solution.

What Azure Sentinel Provides

Azure Sentinel brings several key capabilities that support both our internal needs and our customer‑facing ambitions:

Centralised visibility (“single pane of glass”)

Instead of having alerts scattered across multiple systems, Sentinel aggregates logs and events from:

  • Microsoft 365
  • Azure AD
  • Exchange Online
  • Teams, SharePoint, and OneDrive
  • Firewalls and other on‑premises security tools
  • Microsoft Defender security products

This provides a full end‑to‑end view of what is happening across a business.

Threat detection and analytics

Using Sentinel, we can identify issues such as:

  • Compromised or suspicious user accounts
  • Unusual login patterns
  • Mass data downloads
  • Elevation of privileges
  • Compromised Exchange infrastructure
  • High‑risk behaviour inside Teams, SharePoint, and OneDrive

These insights are essential in building reliable detection rules for our future customers.
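As an added illustration of what one of these detections looks like in practice (this is example code written for this post, not a query from the original article or from Microsoft's rule templates), the KQL below targets the "unusual login patterns" item: many failed sign-ins from a single IP address followed by a successful sign-in from that same address within the lookback window, a classic password-spray or brute-force indicator. It assumes the Azure AD sign-in log connector is enabled, so the `SigninLogs` table is populated; `ResultType == "0"` is the Azure AD code for a successful sign-in. The one-hour window and the threshold of ten failures are assumptions to be tuned against the tenant's own baseline.

```kql
// Added example: failed sign-ins from one IP followed by a success from the same IP.
// Lookback and threshold are assumed starting values, not figures from the post.
let lookback = 1h;
let failureThreshold = 10;
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                      // anything other than "0" is a failure
    | summarize FailedCount = count(),
                FailedUsers = make_set(UserPrincipalName, 25),
                FirstFailure = min(TimeGenerated)
      by IPAddress
    | where FailedCount >= failureThreshold;
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"                      // successful sign-in
    | project IPAddress, SuccessUser = UserPrincipalName,
              SuccessTime = TimeGenerated, AppDisplayName;
failures
| join kind=inner successes on IPAddress
| where SuccessTime > FirstFailure                 // success came after the failures started
| project IPAddress, FailedCount, FailedUsers, SuccessUser, SuccessTime, AppDisplayName
| order by FailedCount desc
```

Saved as a scheduled analytics rule, each row this query returns becomes an alert and, under the default grouping, an incident; the entity columns (`IPAddress`, `SuccessUser`) are what a playbook would later act on.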

Incident investigation and automated response

When Sentinel identifies a threat, it creates an incident. These can be:

  • Investigated manually using Sentinel’s visual investigation tools
  • Automatically remediated using playbooks (for example, disabling a compromised account or blocking an IP address)

These capabilities allow us to test and refine real‑world responses before offering the service externally.

Which Data Sources We Ingested

To develop meaningful analytics, we focused on onboarding:

  • Microsoft 365 logs (Teams, SharePoint, OneDrive)
  • Azure AD sign‑in logs and audit logs
  • Defender alerts
  • Exchange Online activity

These sources provide the baseline telemetry expected in most customer environments, ensuring that the detections we build will apply broadly.
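A simple check that each onboarded source is actually arriving in the workspace, added here as an example and not part of the original post: the four sources above map to the `SigninLogs`/`AuditLogs` tables (Azure AD), `OfficeActivity` (Teams, SharePoint, OneDrive and Exchange Online, distinguished by the `OfficeWorkload` column) and `SecurityAlert` (Defender alerts). The 24-hour window is an assumption; a source showing no rows, or a stale `LastEvent`, is the first thing to investigate before trusting any detection built on it.

```kql
// Added example: confirm every onboarded data source is receiving events.
// The 24h window is an assumed value.
union withsource = SourceTable SigninLogs, AuditLogs, OfficeActivity, SecurityAlert
| where TimeGenerated > ago(24h)
| extend Workload = iff(SourceTable == "OfficeActivity", column_ifexists("OfficeWorkload", ""), "")
| summarize EventCount = count(), LastEvent = max(TimeGenerated) by SourceTable, Workload
| order by SourceTable asc, Workload asc
```

Running this on a schedule and alerting when an expected `SourceTable` is absent turns it into a basic connector health check.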

How Much Does Sentinel Cost?

Azure Sentinel is a consumption‑based service. Charges are based on the volume of data ingested into the Log Analytics workspace and how long that data is retained.

As an example:

Ingesting 1 GB of logs per day with 3‑month retention costs approximately £130 per month.

Costs vary depending on log volume, but Microsoft provides several free data sources, including:

  • Azure Activity Logs
  • Microsoft 365 Audit Logs
  • Microsoft Defender alerts
  • Azure Security Center and MCAS alerts

This allows us to build valuable detections while controlling cost.

Looking Ahead: Our SIEM‑as‑a‑Service Vision

By adopting Azure Sentinel internally, we are now positioned to:

  • Develop a repeatable, white‑labelled SIEM‑as‑a‑Service product
  • Provide real‑time monitoring and incident response for customers
  • Offer a stronger security posture for organisations without in‑house SOC capabilities
  • Deliver a service backed by real operational experience—not theoretical knowledge

This internal foundation gives us the confidence to create a security offering that is cost‑effective, scalable, and capable of meeting modern cyber security challenges.