| Function | Splunk Model | Sentinel / Microsoft-Native Model |
|---|---|---|
| Audit / event ingestion | Splunk Add-on for Microsoft Office 365 | Defender XDR connector → Sentinel / Log Analytics |
| DLP / Defender alerts | Splunk Add-on for Microsoft Security | Defender XDR native + Sentinel connector |
| Enrichment | Defender Advanced Hunting API (scheduled) | Advanced Hunting in Defender portal / KQL in Sentinel |
| Normalization | SPL + CIM data models | KQL functions + Sentinel Watchlists |
| Operational dashboards | Splunk dashboards | Sentinel Workbooks (Engineering / SOC) |
| Executive dashboards | Splunk dashboards or Power BI | Power BI over curated KQL outputs |
| Workflow automation | External SOAR or manual | Logic Apps (Sentinel-centered) + Power Automate (compliance/business) |
| Evidence register | Splunk PDF/CSV exports | SharePoint Online + Power Automate |
| Query language | SPL | KQL |
| Reference tables (taxonomy) | Splunk lookup CSVs | Sentinel Watchlists |
Microsoft Purview (control and policy plane)
- DLP policy creation + rule conditions
- Sensitivity labels + auto-labeling
- Insider Risk Management
- Data Security Investigations
- Retention labels and policies
- Activity Explorer / Data Classification
- Unified Audit Log activity
Purview is the control plane, not the enterprise reporting plane. It is not enough by itself for executive-class KPI reporting.
Microsoft Defender XDR (alert, evidence, and investigation plane)
- DLP alert management + investigation
- Security incidents + evidence entities
- Alert classification (TP / FP / benign)
- True-positive / false-positive disposition
- Advanced Hunting (30-day window)
- User / file / device / IP evidence
- Key tables: AlertInfo, AlertEvidence, CloudAppEvents, DataSecurityEvents
Microsoft Sentinel / Log Analytics (central telemetry and correlation plane)
- Central durable security telemetry store
- KQL normalization + semantic functions
- Analytic rules + incident correlation
- Workbooks (Engineering, SOC, Audit)
- Automation rules + Logic Apps playbooks
- Watchlists (label, SIT, policy, KPI maps)
- Incident triage + assignment
Power BI (executive and audit reporting plane)
- Executive dashboards + monthly scorecards
- Audit packages + PDF/PowerPoint export
- KPI trend reporting
- Cross-program control coverage reporting
- Consumes curated KQL query outputs
- Published to Power BI Service + Teams
- Secured with workspace permissions + sensitivity labels
Logic Apps (Sentinel-centered automation)
- Sentinel incident workflow
- High-severity alert → Teams + email notify
- SLA breach → escalation
- FP closure → tuning backlog item
- Override threshold → compliance reviewer notify
- Monthly reporting date → evidence snapshot to SharePoint
- Ingestion failure → engineering alert
Power Automate (compliance / business workflow)
- SharePoint evidence register updates
- Planner tasks for KPI gaps
- Executive notification on monthly report publish
- Control-owner attestation routing
- Remediation tracking for Blank / Partial KPIs
- DLP high-FP-rate → engineering backlog route
Do not force one tool to do both. Logic Apps for Sentinel automation. Power Automate for compliance/business workflow.
Key Defender Advanced Hunting Tables
| Table | Purpose |
|---|---|
| AlertInfo | Alert metadata: severity, category, detection source, service source |
| AlertEvidence | Entity details: user, file, mailbox, URL, IP, device |
| CloudAppEvents | Microsoft 365 cloud activity; some DLP-related activity depending on workload/config |
| DataSecurityEvents | Purview data-security events where available — ⚠️ Preview, requires IRM opt-in |
| DeviceEvents | Endpoint DLP / device activity |
| EmailEvents / EmailAttachmentInfo | Email activity context and attachment evidence for exfiltration investigations |
| IdentityInfo | User enrichment: department, title, account metadata where available |
Raw Data Layer — Log Analytics Tables
| Data Source | Destination |
|---|---|
| Defender XDR connector (incidents, alerts, AH events) | Sentinel / Log Analytics |
| Microsoft 365 audit logs (Exchange, SharePoint, OneDrive, Teams) | Sentinel / Log Analytics |
| Purview diagnostic / audit logs where available | Sentinel / Log Analytics |
| Advanced Hunting exports | Sentinel / Log Analytics |
| Sentinel incidents + analytic rules | Sentinel |
| Watchlists (label map, SIT map, policy map, KPI maturity) | Sentinel reference data |
| Power Automate / Logic Apps run logs | Log Analytics |
Sentinel Watchlists — Reference Tables
Watchlists replace Splunk lookup CSVs. Create these six watchlists to power KQL normalization and dashboard enrichment.
| Watchlist | Columns |
|---|---|
| DLPPolicyMap | PolicyName, PolicyOwner, ControlObjective, WorkloadScope, ExpectedAction, DeploymentStatus, ExecutiveCategory |
| DLPRuleMap | PolicyName, RuleName, RuleOwner, ExpectedAction, SeverityTier, EnforcementMode, TuningStatus |
| SITFamilyMap | SITName, SITFamily, RegulatedDataType, ExecutiveCategory, SeverityModifier |
| SensitivityLabelMap | LabelId, LabelName, LabelFamily, ProtectionLevel, EncryptionExpected, ExternalSharingAllowed |
| KPIMaturityMap | KPIName, DataSource, MaturityStatus, Owner, KnownGap, RemediationPlan |
| ControlOwnerMap | ControlName, Owner, BackupOwner, BusinessUnit, EscalationPath |
KQL Semantic Functions — Reusable Normalization Layer
Create these as saved Sentinel functions. The goal is a repeatable semantic layer for Purview reporting — not just dashboards.
- Purview_DLP_Events()
- Purview_DLP_Alerts()
- Purview_Label_Activity()
- Purview_Incident_Facts()
- Purview_Control_Facts()
- Purview_KPI_Health_Daily()
- Purview_KPI_Effectiveness_Daily()
- Purview_KPI_Investigation_Daily()
- Purview_KPI_Executive_Monthly()
- Purview_Audit_Evidence_Status()
Normalized Control Facts — Purview_Control_Facts()
| Field | Purpose |
|---|---|
| EventTime | Event timestamp |
| SourcePlane | Purview, Defender, Sentinel, Audit, Workflow |
| Workload | Exchange, SharePoint, OneDrive, Teams, Endpoint, Browser |
| PolicyName / RuleName | DLP / retention / label policy and rule |
| RuleAction / EnforcementMode | Audit, notify, warn, block, restrict, override |
| UserPrincipalName / UserDepartment / UserTitle | Actor enrichment |
| RecipientDomain / ExternalInternalFlag | External vs internal destination |
| FileName / FileExtension / SiteUrl | Content object and location |
| SensitivityLabel / SensitivityLabelId | Label at time of event |
| SITNames / SITFamily / SITCount | Sensitive info types + family mapping + count |
| ConfidenceLevel | SIT confidence where available |
| AlertId / IncidentId | Defender / Sentinel alert and incident linkage |
| Severity / Status / Classification | Alert severity, lifecycle state, TP/FP/benign |
| AssignedTo / TicketId | Analyst owner and ITSM ticket |
| MaturityStatus | Blank / Partial / Live |
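An added example, not code from the page or any Microsoft-supplied function, showing how the normalized columns above can be produced for the DLP alert subset: it collapses the entities in AlertEvidence onto each AlertInfo row and enriches from the DLPPolicyMap watchlist. The ServiceSource filter string, the use of the alert Title as PolicyName, the InternalDomains placeholder and the EntityType values that are collapsed are assumptions to confirm against the AlertInfo / AlertEvidence schema in your tenant.

```kql
// Added example: one possible body for the saved Sentinel function Purview_DLP_Alerts().
// Table and watchlist names come from the page; everything marked "assumption" does not.
let lookback = 30d;                                   // Advanced Hunting window noted in the text
let InternalDomains = dynamic(["contoso.example"]);   // placeholder: your tenant's internal domains
let PolicyMap = _GetWatchlist('DLPPolicyMap')
    | project PolicyName, PolicyOwner, ControlObjective, ExecutiveCategory, ExpectedAction;
// One row per alert with the evidence entities pivoted into the normalized columns
let Evidence = AlertEvidence
    | where Timestamp > ago(lookback)
    | summarize UserPrincipalName = take_anyif(AccountUpn,  EntityType == "User"),
                FileName          = take_anyif(FileName,    EntityType == "File"),
                RemoteUrl         = take_anyif(RemoteUrl,   EntityType == "Url"),
                IPAddress         = take_anyif(RemoteIP,    EntityType == "Ip"),
                DeviceName        = take_anyif(DeviceName,  EntityType == "Machine")
      by AlertId;
AlertInfo
| where Timestamp > ago(lookback)
| where ServiceSource has "Data Loss Prevention"      // assumption: the DLP ServiceSource string in your tenant
| project AlertId, EventTime = Timestamp, Severity, Category, DetectionSource,
          PolicyName = Title,                         // assumption: DLP alert titles carry the policy name
          SourcePlane = "Defender"
| join kind=leftouter Evidence on AlertId
| join kind=leftouter PolicyMap on PolicyName
| extend FileExtension   = tolower(extract(@"\.([A-Za-z0-9]+)$", 1, FileName)),
         RecipientDomain = tostring(parse_url(RemoteUrl).Host)
| extend ExternalInternalFlag = case(
            isempty(RecipientDomain),              "Unknown",
            RecipientDomain in (InternalDomains),  "Internal",
                                                   "External")
// An alert whose policy is not in the watchlist is a taxonomy gap, so the row is Partial, not Live
| extend MaturityStatus = iff(isempty(PolicyOwner), "Partial", "Live")
| project-away AlertId1, PolicyName1
```

Save the query as a Sentinel function named Purview_DLP_Alerts() and let workbook panels call it by name; rows tagged Partial surface policies that still need a DLPPolicyMap entry, which is the watchlist-completeness signal the Control Health Score consumes.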
Engineering KPIs — Sentinel Workbook
| KPI | Product | Maturity |
|---|---|---|
| DLP event ingestion freshness | Sentinel / Log Analytics | LIVE |
| Defender alert ingestion freshness | Sentinel | LIVE |
| Connector health | Sentinel | LIVE |
| Purview audit event volume | Sentinel / UAL | PARTIAL |
| Policy / rule / action parse success | KQL | PARTIAL |
| SIT confidence distribution | Advanced Hunting / Sentinel | PARTIAL |
| Label usage by workload | Purview / Audit / Sentinel | PARTIAL |
| Auto-labeling trend | Purview / Audit | PARTIAL |
| OCR pipeline status | Control register | BLANK unless deployed |
Investigation KPIs — Defender XDR + Sentinel
| KPI | Product | Maturity |
|---|---|---|
| DLP alerts by severity | Defender XDR / Sentinel | LIVE |
| DLP incidents by status | Defender XDR / Sentinel | LIVE |
| Triage queue depth | Sentinel | LIVE |
| Aging by severity | Sentinel | LIVE |
| Top users / entities | Advanced Hunting / Sentinel | LIVE |
| MTTA / MTTR | Sentinel incident fields | PARTIAL |
| False-positive rate | Defender / Sentinel classification | PARTIAL |
| Top exfiltration vectors | KQL normalization | PARTIAL |
| Reopened incidents | Sentinel | PARTIAL |
| Ticket creation latency | Logic Apps / Power Automate | PARTIAL |
Executive KPIs — Power BI
| KPI | Product | Maturity |
|---|---|---|
| Risk exposure trend, 90 days | Power BI over Sentinel | LIVE |
| KPI maturity: Blank / Partial / Live | Power BI + Sentinel Watchlist | LIVE |
| Program coverage % | Power BI + control inventory | PARTIAL |
| Control Health composite score | Power BI | PARTIAL |
| Protected vs exposed sensitive activity | Power BI over Sentinel | PARTIAL |
| Block / override ratio | Power BI over Sentinel | PARTIAL |
| NPI / PCI incidents trend | Power BI + SIT mapping | PARTIAL |
| Member-data incidents avoided (proxy) | Power BI | PARTIAL |
Control Health Score
| Component | Weight |
|---|---|
| Ingestion freshness | 20% |
| Alert pipeline health | 20% |
| Policy / rule parse quality | 15% |
| Incident lifecycle completeness | 15% |
| Watchlist / taxonomy completeness | 10% |
| Dashboard refresh health | 10% |
| KPI maturity completeness | 10% |
Effectiveness Score
| Component | Weight |
|---|---|
| Sensitive events protected (block / restrict / warn) | 25% |
| High-risk events reduced over 90 days | 20% |
| False-positive rate reduced | 20% |
| MTTA / MTTR improved | 15% |
| Override rate controlled | 10% |
| Repeat-offender reduction | 10% |
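Added example, not the page's own Purview_KPI_Health_Daily() or Purview_KPI_Effectiveness_Daily(): both composite scores computed in KQL from per-component scores on a 0-100 scale, using the weights from the two tables above. The daily component rows are constructed sample data; in Sentinel that datatable would be the output of the daily KPI functions. A component with no row for the day contributes 0 and is listed by name, so a dead feed lowers the score instead of silently dropping out of it.

```kql
// Added example: Control Health and Effectiveness composites from per-component scores (0-100).
// Weights are the page's two tables (they sum to 1.0 per scorecard); the inputs are constructed.
let Weights = datatable(Scorecard:string, Component:string, Weight:real) [
    "ControlHealth", "IngestionFreshness",             0.20,
    "ControlHealth", "AlertPipelineHealth",            0.20,
    "ControlHealth", "PolicyRuleParseQuality",         0.15,
    "ControlHealth", "IncidentLifecycleCompleteness",  0.15,
    "ControlHealth", "WatchlistTaxonomyCompleteness",  0.10,
    "ControlHealth", "DashboardRefreshHealth",         0.10,
    "ControlHealth", "KPIMaturityCompleteness",        0.10,
    "Effectiveness", "SensitiveEventsProtected",       0.25,
    "Effectiveness", "HighRiskEventsReduced90d",       0.20,
    "Effectiveness", "FalsePositiveRateReduced",       0.20,
    "Effectiveness", "MttaMttrImproved",               0.15,
    "Effectiveness", "OverrideRateControlled",         0.10,
    "Effectiveness", "RepeatOffenderReduction",        0.10
];
// Constructed stand-in for what the daily KPI functions are assumed to emit.
// DashboardRefreshHealth is deliberately absent for the day to show how a gap is scored.
let ComponentScores = datatable(Day:datetime, Component:string, Score:real) [
    datetime(2025-01-31), "IngestionFreshness",            100.0,
    datetime(2025-01-31), "AlertPipelineHealth",            90.0,
    datetime(2025-01-31), "PolicyRuleParseQuality",         60.0,
    datetime(2025-01-31), "IncidentLifecycleCompleteness",  80.0,
    datetime(2025-01-31), "WatchlistTaxonomyCompleteness", 100.0,
    datetime(2025-01-31), "KPIMaturityCompleteness",        50.0,
    datetime(2025-01-31), "SensitiveEventsProtected",       85.0,
    datetime(2025-01-31), "HighRiskEventsReduced90d",       70.0,
    datetime(2025-01-31), "FalsePositiveRateReduced",       40.0,
    datetime(2025-01-31), "MttaMttrImproved",               60.0,
    datetime(2025-01-31), "OverrideRateControlled",         90.0,
    datetime(2025-01-31), "RepeatOffenderReduction",        55.0
];
// Materialize every (day, scorecard, component) cell so a missing feed scores 0 instead of vanishing
let Grid = Weights
    | extend k = 1
    | join kind=inner (ComponentScores | distinct Day | extend k = 1) on k
    | project Day, Scorecard, Component, Weight;
Grid
| join kind=leftouter ComponentScores on Day, Component
| summarize CompositeScore    = round(sum(Weight * coalesce(Score, 0.0)), 1),
            WeightCovered     = round(sum(iff(isnull(Score), 0.0, Weight)), 2),  // 1.0 = all components reported
            MissingComponents = make_set_if(Component, isnull(Score))
         by Day, Scorecard
| order by Day asc, Scorecard asc
```

Power BI reads CompositeScore and WeightCovered straight from this output; a WeightCovered below 1.0 with a non-empty MissingComponents list is what the Audit Defensibility view should show next to the score, since a high score with hidden gaps is exactly what an auditor will challenge.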
Sentinel Workbooks — Engineering & SOC
- Ingestion freshness by source
- Connector health status
- Defender alert ingestion rate
- Sentinel incident ingestion
- Parse success rate
- Missing policy / rule / action %
- Zero-event days by feed
- Failed automation runs
- DLP events by workload, policy, rule
- Rule action distribution
- Block / warn / allow / override trend
- SIT family distribution
- SIT confidence distribution
- Label + SIT mismatch report
- Top external domains
- Top risky users and files
- Incidents by severity and status
- Queue depth + aging by severity
- MTTA / MTTR
- False-positive and true-positive rates
- Unassigned and reopened incidents
- Top policies producing FPs
- Top entities across multiple incidents
- Control objective
- Evidence source
- Current maturity state
- Last successful event
- Dashboard refresh status
- Owner + known gap + remediation plan
- Evidence package link
Reports without data are still evidence — provided the report shows expected source, maturity state, gap, owner, and remediation path.
Power BI Reports — Executive & Audit
- Control Health composite score
- Effectiveness composite score
- 90-day risk exposure trend
- Protected vs exposed sensitive activity
- Block / override ratio
- Member-data protection trend
- Top 5 control gaps
- KPI maturity: Blank / Partial / Live
- DLP Effectiveness Trend — block/warn/override trends over time
- Sensitive Data Exposure — NPI/PCI protected vs at-risk
- Control Health Dashboard — per-control health status
- Audit Defensibility Dashboard — KPI-to-source traceability
- KPI Maturity Dashboard — all KPIs with maturity + gap + owner
Publish to Power BI Service → secure with workspace permissions + sensitivity labels → share to Teams.
- Enable / validate Purview audit logging
- Confirm DLP alerts are generated from Purview policies
- Connect Microsoft Defender XDR to Sentinel
- Enable relevant Defender XDR raw event streaming into Sentinel
- Configure Microsoft 365 audit log ingestion where supported
- Enable Sentinel Workbooks
- Create 6 Sentinel Watchlists: DLPPolicyMap, DLPRuleMap, SITFamilyMap, SensitivityLabelMap, KPIMaturityMap, ControlOwnerMap
- Create Purview_DLP_Events() and Purview_DLP_Alerts()
- Create Purview_Label_Activity()
- Create Purview_Control_Facts() — full normalized fact function
- Create daily KPI functions: Purview_KPI_Health_Daily(), Purview_KPI_Effectiveness_Daily()
- Join to Watchlists for taxonomy enrichment
- Populate tag logic: Blank / Partial / Live per KPI
Goal: A repeatable semantic layer — not just dashboards. Every dashboard query calls a named function, not raw table scans.
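Added example, not the page's own Purview_Audit_Evidence_Status(): one way to derive the Blank / Partial / Live tag per KPI from feed freshness and parse success, joined to the KPIMaturityMap columns so each row carries owner, gap and remediation plan. The feed rows and watchlist rows are constructed, and the 24-hour freshness SLA and 95% parse threshold are assumed cut-offs; live, FeedEvents would be a summary over Purview_Control_Facts() and KPIMap would be _GetWatchlist('KPIMaturityMap').

```kql
// Added example: Blank / Partial / Live tagging per KPI. Thresholds and sample rows are assumptions.
let AsOf         = datetime(2025-01-31 12:00:00);  // fixed clock so the sample is reproducible; use now() live
let FreshnessSla = 24h;                            // assumption: a feed silent for a day is no longer Live
let MinParsePct  = 95.0;                           // assumption: below this, parsing is incomplete
// Constructed stand-in for the feed rows a KPI function would summarize (in Sentinel: Purview_Control_Facts()).
// ParseOk = false means policy / rule / action could not be extracted from the raw record.
let FeedEvents = datatable(EventTime:datetime, KPIName:string, ParseOk:bool) [
    datetime(2025-01-31 11:30:00), "DLP event ingestion freshness", true,
    datetime(2025-01-31 09:10:00), "DLP event ingestion freshness", true,
    datetime(2025-01-30 23:45:00), "DLP event ingestion freshness", true,
    datetime(2025-01-29 02:00:00), "Purview audit event volume",    true,
    datetime(2025-01-28 14:20:00), "Purview audit event volume",    true,
    datetime(2025-01-31 10:00:00), "SIT confidence distribution",   true,
    datetime(2025-01-31 10:05:00), "SIT confidence distribution",   false,
    datetime(2025-01-31 10:07:00), "SIT confidence distribution",   false
];
// Constructed stand-in for _GetWatchlist('KPIMaturityMap') using the page's column names.
let KPIMap = datatable(KPIName:string, DataSource:string, Owner:string, KnownGap:string, RemediationPlan:string) [
    "DLP event ingestion freshness", "Sentinel / Log Analytics",    "seceng-team", "",                              "",
    "Purview audit event volume",    "Sentinel / UAL",              "seceng-team", "UAL delivery lag",              "tune connector polling",
    "SIT confidence distribution",   "Advanced Hunting / Sentinel", "dlp-eng",     "confidence absent on some rows","enrich from AH export",
    "OCR pipeline status",           "Control register",            "dlp-eng",     "OCR not deployed",              "deploy OCR in next quarter"
];
// Per-KPI freshness, volume and parse quality over the trailing week
let FeedStats = FeedEvents
    | where EventTime > AsOf - 7d
    | summarize LastEvent       = max(EventTime),
                Events7d        = count(),
                ParseSuccessPct = round(100.0 * countif(ParseOk) / count(), 1)
             by KPIName;
KPIMap
| join kind=leftouter FeedStats on KPIName
| extend MaturityStatus = case(
    isnull(LastEvent),                                                 "Blank",    // no source data at all
    AsOf - LastEvent > FreshnessSla or ParseSuccessPct < MinParsePct,  "Partial",  // data exists but stale or poorly parsed
                                                                       "Live")
// A non-Live KPI with no documented gap is itself an evidence defect worth flagging
| extend EvidenceNote = iff(MaturityStatus != "Live" and isempty(KnownGap), "Gap not documented", "")
| project KPIName, DataSource, MaturityStatus, LastEvent, Events7d, ParseSuccessPct,
          Owner, KnownGap, RemediationPlan, EvidenceNote
| order by MaturityStatus asc, KPIName asc
```

With the constructed rows, "DLP event ingestion freshness" comes out Live, "Purview audit event volume" Partial (last event older than the SLA), "SIT confidence distribution" Partial (parse rate below the threshold) and "OCR pipeline status" Blank; the Audit Evidence Register workbook panel is that output with the four KPIMaturityMap columns visible alongside the tag.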
- Workbook 1: Purview Pipeline Health
- Workbook 2: DLP Control Effectiveness
- Workbook 3: Investigation Operations
- Workbook 4: Audit Evidence Register
- Tag every panel with data source + maturity state
Note: Sentinel Workbooks are better than Power BI for Engineering/SOC — analysts can pivot directly into Sentinel and Defender XDR from the workbook context.
- Connect Power BI to Log Analytics / Sentinel via KQL
- Build 5 reports consuming curated function outputs
- Do not parse raw Defender/Purview JSON directly in Power BI
- Publish to Power BI Service with workspace permissions
- Apply sensitivity labels to reports
- Configure scheduled refresh
- Publish executive views to Teams
- New high-severity DLP incident → Teams alert + notify owner
- Incident aging past SLA → escalation
- Incident closed as FP → tuning backlog item
- Override threshold exceeded → compliance reviewer notify
- Monthly reporting date → evidence snapshot to SharePoint
- Ingestion failure or Power BI refresh fail → engineering alert
- SharePoint evidence register updates
- Planner tasks for KPI gaps
- Executives notified when monthly report publishes
- Control-owner attestation routing
- Remediation tracking for Blank/Partial KPIs
- DLP high-FP-rate → engineering backlog route
Use with the Microsoft Purview, Defender XDR, Sentinel, Power BI, Logic Apps, and Power Automate engineering team. Covers the full architecture, KQL function list, Watchlist schemas, dashboard specs, automation requirements, and acceptance criteria.
You are a Microsoft Purview, Microsoft Defender XDR, Microsoft Sentinel, Power BI, Logic Apps, and Power Automate engineering team building enterprise-class, audit-defensible reporting for data protection controls.

Objective: Create a Microsoft-native reporting and workflow architecture for Purview DLP, sensitivity labels, retention/control health, and investigation operations.

Required Microsoft products:
- Microsoft Purview
- Microsoft Defender XDR
- Microsoft Sentinel
- Log Analytics
- KQL
- Sentinel Workbooks
- Power BI
- Logic Apps
- Power Automate
- SharePoint Online for evidence registers
- Teams for notifications
- Optional Planner or ServiceNow connector if approved

Design principle: Purview is the control and policy plane. Defender XDR is the alert, evidence, and investigation plane. Sentinel/Log Analytics is the central security telemetry and correlation plane. Power BI is the executive and audit reporting plane. Logic Apps and Power Automate provide workflow, escalation, notifications, and evidence packaging.

Data sources to connect:
1. Microsoft Defender XDR connector into Microsoft Sentinel
   - incidents, alerts, advanced hunting events where required
2. Microsoft 365 audit activity / Unified Audit Log
   - Exchange, SharePoint, OneDrive, Teams activity where available
   - DLP events where available
3. Purview-related data
   - DLP alerts, DLP policy/rule metadata
   - sensitivity label activity, auto-labeling activity
   - retention policy/label deployment status
   - Insider Risk / Data Security Investigation events where available
4. Workflow data
   - Sentinel incident status, Logic Apps run history
   - Power Automate flow status, Power BI refresh status
   - SharePoint evidence register status

Create Sentinel Watchlists:
1. DLPPolicyMap: PolicyName | PolicyOwner | ControlObjective | WorkloadScope | ExpectedAction | DeploymentStatus | ExecutiveCategory
2. DLPRuleMap: PolicyName | RuleName | RuleOwner | ExpectedAction | SeverityTier | EnforcementMode | TuningStatus
3. SITFamilyMap: SITName | SITFamily | RegulatedDataType | ExecutiveCategory | SeverityModifier
4. SensitivityLabelMap: LabelId | LabelName | LabelFamily | ProtectionLevel | EncryptionExpected | ExternalSharingAllowed
5. KPIMaturityMap: KPIName | DataSource | MaturityStatus | Owner | KnownGap | RemediationPlan
6. ControlOwnerMap: ControlName | Owner | BackupOwner | BusinessUnit | EscalationPath

Create normalized KQL functions:
- Purview_DLP_Events()
- Purview_DLP_Alerts()
- Purview_Label_Activity()
- Purview_Incident_Facts()
- Purview_Control_Facts()
- Purview_KPI_Health_Daily()
- Purview_KPI_Effectiveness_Daily()
- Purview_KPI_Investigation_Daily()
- Purview_KPI_Executive_Monthly()
- Purview_Audit_Evidence_Status()

Normalize the following fields in Purview_Control_Facts():
- EventTime, SourcePlane, Workload, Operation
- PolicyName, RuleName, RuleAction, EnforcementMode
- UserPrincipalName, UserDepartment, UserTitle
- Recipient, RecipientDomain, ExternalInternalFlag
- FileName, FileExtension, FilePath, SiteUrl
- DeviceName, DeviceId, IPAddress
- SensitivityLabel, SensitivityLabelId
- SITNames, SITFamily, SITCount, ConfidenceLevel
- AlertId, IncidentId, Severity, Status, Classification, Determination, AssignedTo
- TicketId, MaturityStatus

Build Sentinel Workbooks:
1. Purview Pipeline Health (Audience: Engineering)
   - ingestion freshness by source, connector health
   - Defender alert and incident ingestion rates
   - parse success rate, missing policy/rule/action %
   - zero-event days, failed automation runs
2. DLP Control Effectiveness (Audience: Engineering / Security / Compliance)
   - DLP events by workload, policy, rule
   - rule action distribution, block/warn/allow/override trend
   - SIT family and confidence distribution
   - label + SIT mismatch, top external domains, top risky users/files
3. Investigation Operations (Audience: SOC / Investigations)
   - incidents by severity/status, queue depth, aging
   - MTTA, MTTR, FP/TP rates
   - unassigned and reopened incidents
   - top policies producing FPs, top entities across multiple incidents
4. Audit Evidence Register (Audience: Audit / Compliance)
   - control objective, evidence source, maturity state
   - last successful event, refresh status, owner
   - known gap, remediation plan, evidence package link

Build Power BI reports:
1. Executive Data Protection Scorecard
2. DLP Effectiveness Trend
3. Sensitive Data Exposure Dashboard
4. Control Health Dashboard
5. Audit Defensibility Dashboard
6. KPI Maturity Dashboard

Power BI design rules:
- Use Sentinel/Log Analytics KQL function outputs as the curated source.
- Do not parse raw Defender/Purview JSON directly in Power BI unless unavoidable.
- Use imported or DirectQuery-compatible datasets per performance/governance needs.
- Publish to Power BI Service with workspace permissions and sensitivity labels.
- Create scheduled refresh. Add monthly PDF/PowerPoint export if approved.
- Publish executive views to Teams.

Automation requirements:

Logic Apps — Sentinel-centered:
- New high-severity DLP incident → Teams alert + email control owner
- Incident aging past SLA → escalate to manager/control owner
- Incident closed as FP → create tuning backlog item
- Override event above threshold → notify compliance reviewer
- Monthly reporting date → generate evidence snapshot + store in SharePoint
- Failed ingestion or Power BI refresh → notify engineering

Power Automate — compliance/business:
- Update SharePoint evidence register
- Create Planner tasks for KPI gaps
- Notify executives when monthly report publishes
- Route control-owner attestations
- Track remediation for Blank/Partial KPIs
- DLP high-FP-rate → route to engineering backlog

KPI maturity states:
- Blank: dashboard/control exists, no source data connected or available.
- Partial: data exists but parsing, coverage, source completeness, or workflow incomplete.
- Live: source data connected, normalized, refreshed, validated, report-ready.

Control Health Score: 20% ingestion freshness + 20% alert pipeline health + 15% policy/rule parse quality + 15% incident lifecycle completeness + 10% watchlist/taxonomy completeness + 10% dashboard refresh health + 10% KPI maturity

Control Effectiveness Score: 25% sensitive events protected + 20% high-risk events reduced over 90 days + 20% false-positive rate reduced + 15% MTTA/MTTR improvement + 10% override rate controlled + 10% repeat-offender reduction

Acceptance criteria:
- Defender XDR incidents and alerts are visible in Sentinel.
- DLP-related events are queryable in Sentinel or Defender Advanced Hunting.
- Sentinel Workbooks exist for Engineering, Investigation Operations, and Audit Evidence.
- Power BI executive dashboards are connected to curated Sentinel/Log Analytics KQL outputs.
- Every KPI is tagged Blank, Partial, or Live.
- Every KPI has a source, owner, refresh cadence, known limitation, and remediation path.
- Logic Apps or Power Automate flows exist for escalation, evidence packaging, and monthly report distribution.
- Executives can understand risk posture in under five minutes.
- Auditors can trace KPI evidence back to source telemetry and control objective.
- Stream data from Microsoft Defender XDR to Microsoft Sentinel — Microsoft Learn
- Get started with DLP alerts (Defender XDR as preferred portal) — Microsoft Learn
- Advanced Hunting overview — Microsoft Defender XDR
- Integrate Microsoft Sentinel and Microsoft Purview — Microsoft Learn
- Defender XDR integration with Microsoft Sentinel — Microsoft Learn
- Visualize data using Workbooks in Microsoft Sentinel — Microsoft Learn
- Create a Power BI report from Microsoft Sentinel data — Microsoft Learn
- Log Analytics integration with Power BI — Azure Monitor
- DataSecurityEvents table in Advanced Hunting (Preview) — Microsoft Learn