Deploy Microsoft Sentinel workspace for AI threat detection
Implementation Effort: Medium – Requires provisioning a Log Analytics workspace, onboarding Microsoft Sentinel, configuring data connectors for AI workload telemetry, and setting retention policies appropriate for security investigation timelines.
User Impact: Low – Infrastructure deployment; end users are not affected.
Overview
AI workloads generate security-relevant telemetry — Azure OpenAI diagnostic logs, agent identity sign-in events, Copilot interaction records — but without a centralized SIEM platform, this data sits in isolated logs with no correlation, no detection logic, and no incident management workflow. Deploying a Microsoft Sentinel workspace is the foundational step that makes everything else in the AI threat detection and response lifecycle possible: analytics rules, playbooks, automation rules, workbooks, and Defender XDR integration all depend on this workspace existing.
The workspace must be scoped and configured with AI threat detection in mind. This means connecting the right data sources — Azure OpenAI diagnostics, Entra ID sign-in and audit logs for agent identities, Defender for Cloud alerts for AI services, and Microsoft 365 activity logs for Copilot interactions — and setting retention periods long enough to support investigation of slow-moving AI threats like gradual model manipulation or sustained prompt injection campaigns.
This supports Assume breach by establishing the detection and investigation platform that enables the organization to identify, correlate, and respond to AI-specific security events. It supports Verify explicitly by centralizing the identity and activity telemetry needed to validate whether AI workload behavior is legitimate. Without this workspace, the organization has no ability to detect, investigate, or respond to threats targeting its AI workloads — alerts go uncreated, incidents go unmanaged, and threat actors operate unobserved.