
Microsoft Sentinel for Small Businesses in Berlin: SIEM Without the Complexity

SIEM — Security Information and Event Management — used to require a dedicated security operations centre and six-figure licensing. Microsoft Sentinel changes this equation: it is a cloud-native SIEM that scales down to small business budgets while maintaining enterprise detection capability.

Cost reality check: Sentinel uses a pay-per-GB ingestion model. A typical 20-person Berlin SMB ingesting only Microsoft 365 and Entra ID logs costs approximately €30–80/month — well within budget for the threat visibility it provides. We’ll cover how to manage ingestion costs deliberately.

What Sentinel Does That Defender Alone Cannot

Microsoft Defender for Business provides endpoint detection and response (EDR) — it protects individual devices and surfaces endpoint-level incidents. Sentinel is the aggregation layer: it ingests signals from Defender, Entra ID, Microsoft 365, Azure, and third-party sources, then applies analytics rules to detect patterns that span multiple systems.

Example: An attacker successfully authenticates to Entra ID from an unusual location (detected by Identity Protection), then immediately accesses 50 SharePoint files (detected by M365 Defender), then attempts to create a new admin account (detected by Entra audit logs). Each event alone might not trigger an alert — the combination is a confirmed account compromise. Sentinel correlates these three signals across three different log sources into a single high-priority incident.

Data Connectors: What to Ingest

| Connector | What It Ingests | Cost Impact | Priority |
|---|---|---|---|
| Microsoft Entra ID | Sign-in logs, audit logs, risky user events | Low | Critical |
| Microsoft 365 Defender | Endpoint alerts, email threats, identity alerts | Low | Critical |
| Office 365 (M365) | SharePoint, Exchange, Teams activity | Medium | High |
| Azure Activity | Azure subscription management events | Low | Medium |
| Windows Security Events | Local logon events, process creation (servers) | High — filter carefully | Selective |

Start with the first three connectors only. Windows Security Events generate high ingestion volume — if you include them, use the Common security events filter rather than All security events to reduce cost by ~70%.

Built-in Analytics Rules That Matter for SMBs

Sentinel includes hundreds of built-in analytics rules via the Microsoft Security content hub. For a small business without a dedicated security analyst, enable these rules as a starting point:

Successful sign-in from non-compliant device: Detects when a user authenticates successfully from a device that does not meet your Conditional Access device compliance requirements — potential shadow-IT or unmanaged device risk.

Bulk download of files from SharePoint: Flags when a user downloads an unusually large number of files in a short window — a common indicator of data exfiltration before a resignation or termination.

New admin account created outside normal hours: Detects administrative account creation at nights or weekends — a common persistence technique after initial compromise.

Password spray attack detected: Correlates low-and-slow failed authentication attempts across many accounts — the signature pattern of password spraying that bypasses per-account lockout thresholds.
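To show what one of these rules looks like under the hood, here is an added KQL example of a scheduled analytics rule for the password-spray pattern above; it is not taken from the post or from the Microsoft content hub. It assumes the Entra ID connector is populating the SigninLogs table, and the thresholds (10 accounts, at most 3 failures per account, 1-hour window) are example values to tune for your tenant.

```kusto
// Password spray: one source IP failing against MANY distinct accounts,
// but only a FEW times per account, so per-account lockout never trips.
// Schedule the rule to run hourly over the same 1h lookback.
let lookback = 1h;          // assumed window; match the rule's run frequency
let minAccounts = 10;       // assumed: distinct accounts hit from one IP
let maxPerAccount = 3;      // assumed: stay under a typical lockout threshold
SigninLogs
| where TimeGenerated > ago(lookback)
// ResultType 50126 = invalid username or password (bad credential)
| where ResultType == "50126"
| summarize
    FailedAttempts   = count(),
    DistinctAccounts = dcount(UserPrincipalName),
    Accounts         = make_set(UserPrincipalName, 50),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
    by IPAddress
// many accounts touched ...
| where DistinctAccounts >= minAccounts
// ... but low volume per account: the "low-and-slow" signature
| where FailedAttempts <= DistinctAccounts * maxPerAccount
| project FirstSeen, LastSeen, IPAddress, DistinctAccounts, FailedAttempts, Accounts
```

Map IPAddress to the IP entity and the Accounts set to Account entities in the rule's entity-mapping step so the resulting incident carries the attacker source and the affected users for the playbook to act on.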

Automation: Playbooks for Incident Response

Sentinel automation playbooks (built on Azure Logic Apps) allow automated response to incidents without human intervention. For a small business, two playbooks are immediately valuable: auto-disabling a user account when a high-severity identity incident is triggered (stopping an attacker within minutes rather than hours), and sending an automated Teams notification to IT when any critical incident fires. Both are available as templates in the Sentinel content hub and require minimal configuration.

Licensing and Cost Management

Sentinel pricing: pay-per-GB of ingested data, billed via an Azure subscription. Microsoft 365 Defender and Entra ID log ingestion have free tiers that cover basic sign-in and alert data — verify the current free data allocation in the Sentinel pricing page as this changes. For predictable costs, use the commitment tiers (100 GB/day, 200 GB/day) if your ingestion volume exceeds ~33 GB/day. Below that threshold, the pay-as-you-go rate is more cost-effective. Budget approximately €2–3 per GB ingested outside the free allocation.

IT Experts Berlin — Sentinel Deployment for SMBs

We deploy and configure Microsoft Sentinel for Berlin small businesses — data connectors, analytics rules, playbook automation, and ongoing cost monitoring. Book a consultation.
