---
id: skill:cloud-siem
type: skill
title: 'Sample skill: Building Cloud SIEM with Microsoft Sentinel'
status: active
confidence: 0.9
sources:
  - 2026-05-09-cybersec-skill-cloud-siem.md
created: 2026-05-09
updated: 2026-05-09
updated_log:
  - 2026-05-09: created
tiers: semantic
half_life_days: 180
tags: [skill-sample, cloud-security, siem, sentinel, kql]
---

# Sample skill — Building Cloud SIEM with Microsoft Sentinel

## Summary

A worked example skill from the cloud-security domain — and the most cross-mapped of the four sample skills in this wiki. Use it when establishing centralized SecOps for multi-cloud environments, migrating from legacy SIEMs (Splunk, QRadar) to cloud-native, building automated response for cloud-specific threats, or hunting at petabyte scale. The workflow provisions a Sentinel workspace, wires AWS CloudTrail + Azure AD + GCP data connectors, writes KQL detection rules (impossible travel, IAM credential abuse, mass S3 deletion), builds Logic Apps SOAR playbooks, and integrates threat-intel feeds. Each detection rule maps explicitly to MITRE ATT&CK techniques.

## Claims

- Skill name: `building-cloud-siem-with-sentinel`. Domain: cybersecurity, subdomain: cloud-security. Version 1.0.0, Apache-2.0. `[src: raw/2026-05-09-cybersec-skill-cloud-siem.md] {conf: 0.95}`
- Frontmatter declares three frameworks: `nist_ai_rmf: [MEASURE-2.7, MAP-5.1, MANAGE-2.4]`, `atlas_techniques: [AML.T0070, AML.T0066, AML.T0082]`, `nist_csf: [PR.IR-01, ID.AM-08, GV.SC-06, DE.CM-01]`. No `d3fend_techniques` or `mitre_attack` frontmatter fields, even though the workflow body explicitly maps detection rules to ATT&CK techniques. `[src: raw/2026-05-09-cybersec-skill-cloud-siem.md] {conf: 0.95}`
- Workflow is 5 steps: (1) provision a Sentinel workspace + data connectors via the `az` CLI, (2) write KQL analytics rules (impossible travel, IAM credential abuse from CloudTrail, mass S3 DeleteObject), (3) build Logic Apps SOAR playbooks (auto-disable Azure AD user, add incident comments), (4) configure the Sentinel data lake for petabyte-scale long-term hunting (KQL + SQL endpoints), (5) integrate the Microsoft Threat Intelligence connector and match indicators against cloud flow logs. `[src: raw/2026-05-09-cybersec-skill-cloud-siem.md] {conf: 0.9}`
- Key concepts defined include KQL, Analytics Rule, SOAR Playbook, Data Connector, Sentinel Data Lake, Workbook, Watchlist, Fusion Detection. `[src: raw/2026-05-09-cybersec-skill-cloud-siem.md] {conf: 0.9}`
- Tools/systems: Microsoft Sentinel, Azure Logic Apps, Microsoft Threat Intelligence, Azure Data Explorer, MITRE ATT&CK Navigator (for mapping detection rules to tactics/techniques). `[src: raw/2026-05-09-cybersec-skill-cloud-siem.md] {conf: 0.9}`
- Worked scenario: detecting cross-cloud credential theft — Azure AD impossible-travel sign-in correlated with AWS CloudTrail AssumeRoleWithSAML events; Fusion detection links Azure risk to subsequent AWS privilege escalation; SOAR auto-disables Azure AD account and revokes AWS STS sessions. `[src: raw/2026-05-09-cybersec-skill-cloud-siem.md] {conf: 0.85}`
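The source summarizes the worked scenario but does not reproduce the rule itself, so the following is an added example (not the skill's own code) of how step 2 of the workflow would express the cross-cloud correlation in KQL. It assumes the standard Sentinel `SigninLogs` and `AWSCloudTrail` tables, that the SAML NameID logged in `UserIdentityUserName` equals the Azure AD UPN, and two tunable thresholds (`maxSpeedKmh`, `correlationWindow`); the ATT&CK IDs in the comments are this example's own mapping, not one the source states.

```kql
// Added example, not from the source skill: cross-cloud credential-theft correlation.
// Part A: impossible travel between two successful Azure AD sign-ins by the same user.
// Part B: an AWS AssumeRoleWithSAML call by that user shortly after the suspicious sign-in.
// ATT&CK mapping chosen for this example: T1078.004 (Valid Accounts: Cloud Accounts),
// T1550.001 (Use Alternate Authentication Material: Application Access Token).
let lookback = 1d;
let maxSpeedKmh = 900.0;        // assumed threshold: faster than an airliner is treated as impossible
let correlationWindow = 2h;     // assumed: AWS federation must follow the sign-in within this window
let ImpossibleTravel =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"                         // successful sign-ins only
    | extend Lat = toreal(LocationDetails.geoCoordinates.latitude),
             Lon = toreal(LocationDetails.geoCoordinates.longitude),
             Country = tostring(LocationDetails.countryOrRegion)
    | where isnotnull(Lat) and isnotnull(Lon)
    | project TimeGenerated, UserPrincipalName, IPAddress, Lat, Lon, Country
    | sort by UserPrincipalName asc, TimeGenerated asc   // serializes rows so prev() is valid
    | extend PrevUser = prev(UserPrincipalName), PrevTime = prev(TimeGenerated),
             PrevIP = prev(IPAddress), PrevLat = prev(Lat), PrevLon = prev(Lon),
             PrevCountry = prev(Country)
    | where PrevUser == UserPrincipalName and PrevIP != IPAddress   // consecutive sign-ins of one user
    | extend DistanceKm = geo_distance_2points(PrevLon, PrevLat, Lon, Lat) / 1000.0,
             Hours = (TimeGenerated - PrevTime) / 1h
    | where Hours > 0 and DistanceKm / Hours > maxSpeedKmh
    | project SignInTime = TimeGenerated, UserPrincipalName, SignInIP = IPAddress, Country,
              PrevIP, PrevCountry, DistanceKm = round(DistanceKm), Hours = round(Hours, 2),
              UserKey = tolower(UserPrincipalName);
let AwsFederation =
    AWSCloudTrail
    | where TimeGenerated > ago(lookback)
    | where EventName == "AssumeRoleWithSAML" and isempty(ErrorCode)   // successful federations only
    | extend RoleArn = tostring(parse_json(RequestParameters).roleArn),
             AssumedRoleArn = tostring(parse_json(ResponseElements).assumedRoleUser.arn)
    | project AssumeTime = TimeGenerated, AwsSourceIP = SourceIpAddress, RoleArn, AssumedRoleArn,
              AwsAccountId = RecipientAccountId,
              UserKey = tolower(UserIdentityUserName);   // assumption: SAML NameID == UPN
// Part C: join the two clouds on the user and keep only federations inside the window.
ImpossibleTravel
| join kind=inner AwsFederation on UserKey
| where AssumeTime between (SignInTime .. (SignInTime + correlationWindow))
| extend SameSourceIp = (AwsSourceIP == SignInIP)     // same egress IP raises confidence
| project SignInTime, AssumeTime, UserPrincipalName, SignInIP, Country, PrevIP, PrevCountry,
          DistanceKm, Hours, AwsAccountId, RoleArn, AssumedRoleArn, AwsSourceIP, SameSourceIp
| sort by SignInTime desc
```

Run it in Logs first to calibrate the two thresholds, then save it as a scheduled analytics rule with entity mapping set on the rule (Account to `UserPrincipalName`, IP to `SignInIP` and `AwsSourceIP`) so the SOAR playbook can act on the entities. Corporate VPN or proxy egress is the usual false-positive source; suppressing those IPs from a Watchlist (a concept the skill defines) is the normal fix. Fusion, by contrast, is a Microsoft-managed correlation engine that consumes this rule's alerts rather than something you author in KQL.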

## Relationships

- categorized-as → [[domain:cloud-security]] `{conf: 0.9}`
- uses → [[tool:microsoft-sentinel]] `{conf: 0.95}`
- uses → [[tool:kql]] `{conf: 0.9}`
- uses → [[tool:azure-logic-apps]] `{conf: 0.9}`
- uses → [[tool:mitre-attack-navigator]] `{conf: 0.85}`
- maps-to → [[framework:nist-csf-20]] `{conf: 0.95}`
- maps-to → [[framework:mitre-atlas]] `{conf: 0.9}` <!-- AML.T0070, T0066, T0082 -->
- maps-to → [[framework:nist-ai-rmf]] `{conf: 0.9}` <!-- MEASURE-2.7, MAP-5.1, MANAGE-2.4 -->
- composes → [[concept:cybersec-skill-library]] `{conf: 0.8}`

## Open questions

- [ ] Why are the ATT&CK technique IDs used in the body (e.g. for impossible-travel detection) not surfaced into a `mitre_attack` frontmatter field? It would make the cross-framework story complete.
- [ ] The worked scenario has the playbook "revoke AWS STS sessions". Temporary credentials cannot be invalidated individually; the supported mechanism is attaching a deny policy to the assumed role with an `aws:TokenIssueTime` condition (what the console calls "Revoke active sessions"), which cuts off every session issued before that time, including legitimate ones. Does the skill's playbook do this, and how does it scope the role list?

## Changelog

- 2026-05-09 — created
