So, you’ve rolled out Global Secure Access, traffic is flowing, and dashboards look calm. Great! However, all that network telemetry is more than just pretty graphs; it’s a rich source of security data waiting to be explored. Enter Microsoft Sentinel. Connect the two, and suddenly you go from “we think things are fine” to “we know exactly what’s happening right now.”

What’s Microsoft Sentinel, Anyway?

Think of Microsoft Sentinel as your security ops nerve center. It’s a cloud-first SIEM + SOAR platform that:

  • Ingests logs from just about everywhere
  • Highlights the unusual without burying you in noise
  • Helps you respond faster, not later
  • Orchestrates response with automation playbooks, approvals, and one-click actions

In other words, it correlates events across your estate so a suspicious sign-in, odd network traffic, and an out-of-policy device don’t live in three separate consoles. Instead, they become a single, actionable incident and you can kick off standardized, auditable response steps straightaway. So, your team spends less time tab-hopping and more time resolving what matters.

Why layer in Global Secure Access?

Global Secure Access is your identity-aware gateway: modern, policy-driven, and very Zero Trust. Unlike traditional VPNs, it understands who is accessing what, when, and from where, then enforces your rules accordingly.

Even better, GSA emits rich telemetry on every connection, including:

  • User identity and device posture
  • Source IPs, destinations, protocols, and headers
  • Data volumes and policy decisions
  • Threat classifications and outcomes

Altogether, that’s gold for investigations and threat hunting.

How to Wire it Up (Quickly)

  1. Send GSA Logs to Sentinel

In Entra, navigate to Monitoring & Health > Diagnostic Settings, then select Add Diagnostic Setting.

After selecting Add Diagnostic Setting, choose the logs you want to send to your Sentinel workspace.

Then select the log categories (below).

  2. Install the GSA Solution in Sentinel

Next, navigate to the Defender portal (yes, I said Defender). Under Microsoft Sentinel, navigate to Content Management > Content Hub and search for Global Secure Access.

After selecting Global Secure Access, you will see a summary to the right.

What You Get Out of the Box

When you install the Global Secure Access solution from Sentinel’s Content Hub (literally takes 30 seconds), you get pre-configured content that provides immediate value:

Four Analytics Rules (ready to flip on)

Port Scanning Detection – Flags reconnaissance when a source probes multiple ports. In short, it catches the “mapping the castle walls” step.

Abnormal Denial Rate Detection – Learns what “normal” looks like per source IP and alerts when denies spike. This helps surface stolen creds failing repeatedly or noisy misconfigurations.

Protocol Change Detection – Flags abrupt protocol shifts on known ports. This often reveals covert tunneling or evasive threats.

Operational Hours Violations – Notifies when connections succeed outside business hours. Accessing file shares at 3:00 a.m. is… notable.
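To make the first of these rules concrete, here is an added KQL example (not the query shipped in the Content Hub solution, which you should read in the portal) of the port-scanning logic: count how many distinct destination ports one source hits against one destination inside a short window, and raise a finding when that count crosses a threshold. It assumes the GSA traffic logs land in the NetworkAccessTraffic table with SourceIp, DestinationIp, DestinationPort, Action and UserPrincipalName columns, and that denied connections carry a verdict beginning with “Block”; verify both against your workspace schema before turning this into an analytics rule.

```kql
// Added example: port-scan style detection over Global Secure Access traffic logs.
// Assumed schema: NetworkAccessTraffic with SourceIp, DestinationIp, DestinationPort,
// Action and UserPrincipalName. Check the table and the Action verdict strings in your workspace.
let lookback = 1h;          // how far back the rule looks on each run
let window = 10m;           // a scan usually hits many ports in a short burst
let port_threshold = 20;    // distinct ports from one source to one destination per window
NetworkAccessTraffic
| where TimeGenerated > ago(lookback)
| where isnotempty(DestinationPort)
| summarize
    Total = count(),
    DistinctPorts = dcount(DestinationPort),
    Ports = make_set(DestinationPort, 50),            // keep a sample of ports for the analyst
    Denied = countif(Action startswith "block"),      // assumed verdict prefix for denied traffic
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIp, DestinationIp, UserPrincipalName, bin(TimeGenerated, window)
| where DistinctPorts >= port_threshold
// a high deny ratio means policy already stopped most of the probing, which is still worth knowing
| extend DenyRatio = round(todouble(Denied) / Total, 2)
| project TimeGenerated, SourceIp, DestinationIp, UserPrincipalName,
          DistinctPorts, Total, DenyRatio, Ports, FirstSeen, LastSeen
| order by DistinctPorts desc
```

Tune port_threshold and window against a week of your own traffic first: vulnerability scanners and monitoring agents you already run will show up here, and the usual fix is to exclude their source IPs in a watchlist rather than raise the threshold for everyone.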

Two Workbooks

The Enhanced Microsoft 365 Logs workbook correlates your Office 365 activity logs with Global Secure Access network data. Suddenly, you’re not just seeing “User opened document”; you’re seeing “User on Device X (Windows 11, compliant) from IP Y opened document via edge location Z.” The context is incredible for investigations.

The Network Traffic Insights workbook visualizes your traffic patterns, top destinations, cross-tenant access attempts, and relationship maps between users, devices, and endpoints. Maybe your users are being malicious… Maybe they’re just searching for the latest brisket recipes?

The Correlation

Individually, each log source is useful. Together, they’re a superpower. GSA gives you deep network context (user, device, IP, destination, verdict). Meanwhile, Sentinel already ingests:

  • Defender for Endpoint (processes, files, threats)
  • Entra ID (sign-ins, risk, Conditional Access)
  • Microsoft 365 (SharePoint, Teams, Exchange activities)
  • Defender for Cloud Apps (SaaS usage, DLP, anomalies)

When you join these, patterns jump out:

  • A “low” unusual sign-in becomes high-priority when GSA shows a surge of data to a personal cloud app afterward
  • A suspicious PowerShell alert turns critical when GSA reveals connections to known command-and-control hosts
  • Denied connections that suddenly spike from a single IP line up with password-spray behavior in sign-in logs
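The third bullet is the one that is easiest to show as a query, so here is an added KQL example (my own, not part of the solution) that joins the two sources: a burst of denied GSA connections from one source IP inside a 15-minute window, matched against failed Entra ID sign-ins from the same IP that touched many distinct accounts in the same window. It assumes NetworkAccessTraffic (SourceIp, Action) for the network side and the standard SigninLogs table (IPAddress, ResultType, UserPrincipalName) for the identity side; ResultType "0" is a successful sign-in, anything else is a failure.

```kql
// Added example: denied-connection burst from one IP correlated with spray-like sign-in failures.
// Assumed schema: NetworkAccessTraffic (SourceIp, Action) and SigninLogs (IPAddress, ResultType,
// UserPrincipalName). Check the Action verdict strings in your workspace.
let lookback = 24h;
let window = 15m;
let deny_threshold = 100;   // denied connections per IP per window before we care
let spray_users = 10;       // distinct accounts failing from one IP per window
let denied_bursts =
    NetworkAccessTraffic
    | where TimeGenerated > ago(lookback)
    | where Action startswith "block"              // assumed verdict prefix for denied traffic
    | summarize Denied = count() by SourceIp, Window = bin(TimeGenerated, window)
    | where Denied >= deny_threshold;
let failed_signins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                      // "0" is success; everything else is a failure
    | summarize
        FailedSignins = count(),
        TargetedUsers = dcount(UserPrincipalName),
        Users = make_set(UserPrincipalName, 25)     // sample of accounts for the analyst
        by IPAddress, Window = bin(TimeGenerated, window)
    | where TargetedUsers >= spray_users;
// inner join: only windows where BOTH the network burst and the sign-in failures line up survive
denied_bursts
| join kind=inner failed_signins
    on $left.SourceIp == $right.IPAddress and $left.Window == $right.Window
| project Window, SourceIp, Denied, FailedSignins, TargetedUsers, Users
| order by Window desc
```

Either half of this query on its own produces a medium-severity, noisy signal; the join is what justifies raising the incident severity, because an IP that is both hammering the edge with denied connections and cycling through accounts is behaving like an attacker rather than a misconfigured client.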

Wrapping Up

If you’re running Global Secure Access, piping those logs into Sentinel is, frankly, a layup. The setup is short, the insights are immediate, and the correlation across identity, device, and network is exactly what modern operations need.

In the long run, organizations moving past legacy VPNs and leaning into identity-centric access will find this integration not only surfaces issues sooner but also proves what’s working. If you’re early in your Zero Trust journey, this visibility helps you tighten policies, close gaps, and, most importantly, sleep better afterward.