Microsoft Sentinel for India compliance — DPDP, CERT-In, RBI and SEBI 2026

By Pawan Sharma  ·  Published 08 Jun 2026  ·  Compliance  ·  17 min read

India's compliance landscape doesn't ask whether you have a SIEM — it asks whether you can prove what you detected and when, with timestamps and an evidence chain. CERT-In's 6-hour reporting clock, the DPDP Act's ₹250 crore Schedule penalty, RBI's 24×7 monitoring mandate, SEBI's CSCRF — every one of these obligations starts at detection. Microsoft Sentinel is the data plane that closes the loop: a cloud-native SIEM with 180-day log retention in Indian Azure regions, KQL-based detection content tuned to Microsoft Threat Intelligence, and native integration with the E5 Security Defender stack. This post maps each Indian regulator's requirement to the Sentinel feature that satisfies it.

- 6 hours (CERT-In reporting clock): from detection to incident report. Direction No. 20(3)/2022, 28 April 2022.
- 180 days (log retention floor): minimum in Indian jurisdiction per the same CERT-In Direction.
- ₹250 cr (DPDP max penalty): per instance, for failing reasonable security safeguards. Schedule, DPDP Act 2023.
- 2 regions (Sentinel India residency): Azure Central India + South India — full ingest, processing, storage in-country.

The compliance trigger isn't the breach — it's the detection

CERT-In's 2022 Direction created a six-hour reporting clock that starts at the moment of awareness. DPDP Act 2023 created a Data Protection Board notification trigger keyed to "knowledge of the breach." RBI / SEBI / IRDAI sector frameworks all require continuous monitoring. None of these obligations work without a SIEM that actually detects.

Microsoft Sentinel is the data plane that detection runs on. Cloud-native, Azure-region-resident, KQL-based content, native integration with the rest of the Microsoft security stack (Defender XDR, Purview, Entra ID), bundling with E5 Security. For Indian regulated entities already on Microsoft 365, Sentinel is the natural SIEM choice.

The four regulators that touch SIEM

| Regulator / Standard | Core requirement | Sentinel feature that satisfies it |
|---|---|---|
| CERT-In (Direction 20(3)/2022) | 6-hour reporting; 180-day log retention in India; NPL/NIC NTP sync | Analytics tier 180-day retention + Azure India region + Analytics rules |
| DPDP Act (2023, Sec 8 + Schedule) | Reasonable safeguards; breach notification to the Data Protection Board | Defender XDR + Sentinel incident timeline + automated playbooks |
| RBI Cyber Security Framework (Jun 2016 + successor) | 24×7 monitoring SOC; baseline controls; Annual SAR | Sentinel + Ogma managed SOC; SAR-aligned content packs |
| SEBI CSCRF (2024) | 24×7 SOC for market intermediaries by category | Sentinel + connectors for market-infrastructure logs |
| IRDAI ICS Guidelines | Web app + endpoint monitoring; log retention | Sentinel + Defender for Cloud + Defender for Endpoint |

Sentinel India residency — the data path

Azure region matters

Provision Sentinel workspaces in Azure Central India or South India

Sentinel runs on a Log Analytics workspace, which is a regional resource. When you create the workspace in Central India or South India, every byte of log data — ingestion, processing, indexing, retention — stays inside that Azure India region. No cross-region replication unless you explicitly enable it.

For CERT-In's "within Indian jurisdiction" rule, this is non-negotiable. For DPDP residency comfort, this is the cleanest demonstration. For RBI / SEBI audit, the workspace region is visible in the Azure portal — directly auditable.

The 180-day log retention math

Sentinel offers three retention tiers — choose the right one per data class. Pricing converted to INR at ₹98/USD; verify against the Azure India pricing page at quote time.

| Tier | Use for | Retention range | Approx INR per GB/month |
|---|---|---|---|
| Analytics | Hot, queryable logs: security events; detection content runs against these | Up to 2 years | ~₹220–280 ($2.30–2.85) |
| Auxiliary Logs (preview) | High-volume sources at lower compute cost (CDN logs, large telemetry) | 30 days hot + archive | ~₹30–60 ($0.30–0.60) |
| Archive | Long-tail retention for compliance: RBI multi-year, SEBI CSCRF | 2–7 years | ~₹2–5 ($0.02–0.05) |

Source: Microsoft Sentinel pricing page snapshot, May 2026, Azure Central India region. INR conversion at ₹98/USD. Commitment tiers (100 GB/day, 200 GB/day, 500 GB/day, 1 TB/day) discount Analytics pricing by 15-65% depending on tier — significant for production workloads. See our Sentinel pricing post for the worked math.
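The residency and retention points above, written out as infrastructure code. This is an added example, not a template from the post or from Ogma: a Log Analytics workspace pinned to Central India with the 180-day Analytics retention, onboarded to Sentinel, and one table extended into the Archive tier. The workspace name and the 730-day total retention are assumptions.

```bicep
// Added example: Log Analytics workspace in Azure Central India, CERT-In 180-day
// interactive retention, Sentinel onboarding, and a per-table Archive extension.
// workspaceName and the 730-day total retention are assumptions, not the post's figures.
@description('Only the two Azure India regions keep ingest, processing and storage in-country.')
@allowed(['centralindia', 'southindia'])
param location string = 'centralindia'

param workspaceName string = 'law-sentinel-india'

@description('Analytics (interactive) retention. CERT-In Direction 20(3)/2022 floor is 180 days.')
@minValue(180)
param analyticsRetentionDays int = 180

resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location   // the region is the residency control: no cross-region copy by default
  properties: {
    sku: {
      name: 'PerGB2018'
    }
    retentionInDays: analyticsRetentionDays
  }
}

// Onboard the workspace to Microsoft Sentinel.
resource sentinel 'Microsoft.SecurityInsights/onboardingStates@2023-02-01' = {
  name: 'default'
  scope: law
  properties: {}
}

// Long-tail compliance retention: days beyond retentionInDays up to totalRetentionInDays
// sit in the low-cost Archive tier. 730 days is an assumed multi-year target.
resource securityEventTable 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' = {
  parent: law
  name: 'SecurityEvent'
  properties: {
    retentionInDays: analyticsRetentionDays
    totalRetentionInDays: 730
  }
}

// Evidence an auditor can read straight from the deployment output.
output workspaceRegion string = law.location
output interactiveRetentionDays int = law.properties.retentionInDays
```

Deploying with `@minValue(180)` makes a sub-180-day workspace fail validation rather than silently fall below the CERT-In floor.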

Mapping CERT-In's 6-hour clock to Sentinel + managed SOC

1. T+0 — Event lands in Sentinel. Connector ingests from Defender XDR / Microsoft 365 / Entra ID / Azure Activity / custom app log.
2. T+5-15 min — Analytics rule fires. Microsoft-curated rule (or custom KQL detection) creates a Sentinel incident with severity + tactic mapping (MITRE ATT&CK).
3. T+15-30 min — Tier-1 triage. SOC analyst (Ogma's managed team or your in-house) opens the incident, runs initial KQL queries, classifies as TP / FP / suspicious.
4. T+30-60 min — Playbook containment. Automated Logic App playbook isolates the endpoint via Defender, disables the user in Entra ID, blocks the IOC. Manual approval gate for high-impact actions.
5. T+1-3 hr — Incident package + CERT-In format report. Forensic detail compiled from the Sentinel timeline. CERT-In report drafted in the prescribed format with incident type, time of detection, IOCs, affected systems.
6. T+3-4 hr — Security lead approval + CERT-In submission. Customer's security lead reviews + signs off. Report submitted via the CERT-In channel. 2 hours of buffer remaining on the 6-hour clock.

Where Sentinel + Defender XDR delivers

- Identity threat detection: Entra ID Identity Protection + Defender for Identity feed Sentinel — credential stuffing, OAuth abuse, MFA fatigue, impossible travel.
- Endpoint forensics: Defender for Endpoint Advanced Hunting telemetry is available in Sentinel via the M365 Defender connector.
- Email security: Defender for Office 365 phishing + BEC signals correlate with identity + endpoint in Sentinel for unified incidents.
- Cloud workload: Defender for Cloud (formerly Azure Security Center) findings + Azure Activity logs are ingested natively.
- SaaS visibility: Defender for Cloud Apps surfaces SaaS user behaviour — Shadow IT, OAuth grants, anomalous downloads.
- Threat intelligence: Microsoft Threat Intelligence + custom TI feeds enrich every incident with IOC reputation + actor attribution.
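Step 2 of the timeline (an analytics rule creating an incident with severity and MITRE mapping) and the MFA-fatigue scenario above, combined into one Scheduled analytics rule. This is an added example, not a rule from the post or from Ogma's content; the workspace name, rule id and the 10-prompt threshold are assumptions to tune per tenant.

```bicep
// Added example, not the post's or Ogma's content: a custom Scheduled analytics rule that
// turns repeated failed MFA prompts into a Sentinel incident with MITRE tactic/technique mapping.
// workspaceName, ruleId and the 10-prompt threshold are assumptions to tune per tenant.
param workspaceName string = 'law-sentinel-india'
param ruleId string = 'REPLACE-WITH-A-GUID' // fixed GUID so redeploys update rather than duplicate

resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource mfaFatigueRule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  name: ruleId
  scope: law
  kind: 'Scheduled'
  properties: {
    displayName: 'Entra ID - repeated failed MFA prompts for one user (possible MFA fatigue)'
    description: 'One account accumulating many denied or timed-out MFA prompts within 30 minutes.'
    severity: 'High'
    enabled: true
    queryFrequency: 'PT10M'   // every 10 min over a 30-min lookback keeps detection inside the 5-15 min target
    queryPeriod: 'PT30M'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionEnabled: false
    suppressionDuration: 'PT1H'
    tactics: ['CredentialAccess']
    techniques: ['T1621']     // MITRE ATT&CK: Multi-Factor Authentication Request Generation
    query: '''
SigninLogs
// ResultType 500121 = authentication failed during the strong authentication (MFA) request
| where ResultType == "500121"
| summarize FailedPrompts = count(), Apps = make_set(AppDisplayName, 10),
            SourceIPs = make_set(IPAddress, 10), FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated) by UserPrincipalName
| where FailedPrompts >= 10
'''
    entityMappings: [
      {
        entityType: 'Account'
        fieldMappings: [
          {
            identifier: 'FullName'
            columnName: 'UserPrincipalName'
          }
        ]
      }
    ]
  }
}
```

The Account entity mapping is what lets a containment playbook act on the user named in the incident; without it, step 4's "disable the user in Entra ID" has no entity to target.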

An anonymised India engagement

A real outcome — anonymised

Indian SaaS firm, 800 staff, RBI-regulated (PA-PG), prior in-house SIEM

The incumbent stack was an older on-prem SIEM with limited M365 visibility and no SOAR. The last RBI audit cycle flagged incomplete 24×7 monitoring evidence and missing Entra ID detection coverage. The Sentinel migration completed over 12 weeks, and Ogma's managed SOC took over Tier-1 monitoring.

Outcome: 41 detections in first 3 months (vs 8 in the prior 3 months on the legacy SIEM) — credential theft caught early, BEC attempt against finance team blocked at OAuth grant stage, three Defender for Cloud misconfigurations remediated. The next RBI audit cycle closed the 24×7 monitoring finding with a written-evidence report generated directly from the Sentinel workspace.

FAQ

Is Microsoft Sentinel by itself enough for CERT-In compliance?
Sentinel handles the detection + log retention + incident management layer that CERT-In's Direction No. 20(3)/2022 expects. But CERT-In's 6-hour reporting requirement is a SOC-process obligation, not a tooling one — you still need 24×7 SOC analysts who triage incidents and submit the report. Sentinel is the data plane; Ogma's Sentinel-anchored managed SOC is the people layer that closes the loop.
How does Sentinel meet the 180-day log retention requirement?
Sentinel has built-in retention tiers — Analytics tier up to 2 years (hot, queryable), Auxiliary Logs tier 30 days then archive. For CERT-In's 180-day floor, Analytics tier is configured to 180 days on the workspaces holding ICT-system logs. Archive tier extends beyond 180 days for sector-specific requirements (RBI multi-year, SEBI CSCRF, etc.) at a fraction of Analytics cost.
Does Sentinel data stay in India?
Yes — when you provision the Sentinel workspace in Azure Central India or South India regions, all data ingestion, processing, and storage stays in-country. This satisfies CERT-In's 'within Indian jurisdiction' requirement and DPDP's reasonable safeguards expectation for data residency.
How does Sentinel compare to a Fortinet SOC-as-a-Service for compliance?
Different architectures, same compliance outcome. Sentinel is a cloud-native SIEM — you own the data, content and analysts (or partner with someone like Ogma). FortiGuard SOCaaS is a fully managed service — Fortinet's SOC team runs everything. Sentinel suits enterprises with internal security teams and Microsoft E5; SOCaaS suits organisations that want the SOC capability fully outsourced. Both are CERT-In-compatible when run properly.
What about RBI's specific 24×7 monitoring mandate?
RBI's Cyber Security Framework (DBS.CO.CSITE.BC.No.4083, June 2 2016) requires SCBs + qualifying UCB/NBFC categories to maintain 24×7 monitoring. Sentinel provides the detection engine; combined with Ogma's managed SOC layer (or your in-house team), it satisfies the operational 24×7 requirement. The framework also mandates baseline controls + Annual SAR — Sentinel content packs map directly to the SAR control set.
Sentinel vs Splunk for Indian BFSI — quick take?
Splunk has the deeper SOC operational maturity, broader content library, and is the entrenched SIEM in most large Indian banks. Sentinel wins on Azure-native integration, E5 bundling economics, and lower TCO at smaller-to-mid scale. For a brand-new SOC standing up today, Sentinel is hard to beat economically. For an existing Splunk shop, migration is a multi-quarter undertaking — see our Sentinel migration playbook post.
Is Ogma CERT-In Empanelled?
No. Ogma is a Microsoft CSP partner. The CERT-In reports produced through our managed SOC follow the format CERT-In requires; the empanelment of the entity submitting is a question for the customer's compliance team. We do not and will not claim CERT-In empanelment we do not hold.
How fast can Sentinel detect a real incident?
Detection latency depends on rule configuration. Microsoft-published analytics rules typically fire within 5-15 minutes of the underlying event. Custom KQL-based detections can be near-real-time (under 5 minutes). Ogma's managed Sentinel deployment runs both — Microsoft-curated content + custom detections tuned for Indian BFSI / SaaS attack patterns.

Free Sentinel compliance gap assessment

See the gap between your current SIEM and what India's regulators expect

Ogma reviews your detection coverage, retention posture, and incident-reporting workflow against CERT-In, DPDP, RBI, SEBI, IRDAI. The deliverable is a control-mapping report your auditor can use directly — plus a sized Sentinel quote in INR + GST. 7 working days, no commitment.
