Azure Sentinel: A Powerful Security System

Security operations are challenging: attacks keep growing more sophisticated, the volume of social threats is excessive, and the Cybersecurity Jobs Report 2018-21 by Cybersecurity Ventures projects a shortfall of about 3.5 million security professionals by 2021, which adds further pressure on security operations teams. Azure Sentinel can help counter these issues.

Microsoft Azure Sentinel is a flexible, cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution that provides a single place for threat visibility, proactive hunting, and threat response. It uses Artificial Intelligence to recognize security threats and then help contain them. With Azure Sentinel you get affordable security services with no hidden prices.

Microsoft Azure Sentinel

Microsoft Azure Sentinel combines the power of the cloud and Artificial Intelligence to help identify security threats and stop them before they cause harm. By integrating with Microsoft 365 solutions, it enables you to:

• Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
• Detect previously undetected threats and minimize false positives using Microsoft's analytics and unparalleled threat intelligence.
• Investigate threats with Artificial Intelligence and hunt for suspicious activities at scale, tapping into years of cybersecurity work at Microsoft.
• Respond to incidents rapidly with built-in orchestration and automation of common tasks.

Azure Sentinel lets you bring your own threat intelligence, improving threat detection and protection with the help of Artificial Intelligence.

Data Connection Methods

Microsoft Azure Sentinel connects to your security services through several data connection methods: service-to-service integration (Amazon Web Services, Azure Security Center, Windows Firewall, etc.), API, and agent. It lets you import your security data and customize threat detection and alert rules. Whatever type of threat data you have, we will never disappoint you.

Service-to-service integration: Some services, such as AWS and Microsoft services, can be connected natively, giving very tight integration. Other easily connectable solutions are Azure Activity, Azure Security Center, Cloud App Security, Windows Firewall, Microsoft 365, and many more.

External solutions via API: Some data sources can be connected using Application Programming Interfaces (APIs), through which event logs are retrieved for specific data types and then sent to Azure Log Analytics.

External solutions via agent: The Azure Sentinel agent, based on the Log Analytics agent, converts CEF-formatted logs into a simpler format that Log Analytics can consume. Depending on the appliance type, the agent is installed either directly on the appliance or on a Linux server.

The agent can be deployed automatically or manually on a dedicated machine (VM or on-premises) to relay communication between the appliance and Azure Sentinel. Automatic deployment is available only when the machine is a new Azure VM; otherwise, the agent is deployed manually on an existing Azure VM, a VM in another cloud, or an on-premises machine.
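Once the agent is forwarding CEF logs, the first thing a practitioner wants to know is whether events are actually arriving and from which appliances. The Kusto (KQL) query below is an added example written for this post, not content from Microsoft or the original article; it assumes the standard CommonSecurityLog table that the CEF connector populates, and the 24-hour window and one-hour staleness cut-off are constructed values to tune for your environment.

```kql
// Added example (not from the original post): confirm CEF events are flowing
// and list the appliances that sent them in the last 24 hours.
// Assumes the standard CommonSecurityLog table populated by the CEF agent.
CommonSecurityLog
| where TimeGenerated > ago(24h)
| summarize Events = count(),
            LastEvent = max(TimeGenerated),
            Forwarders = dcount(Computer)      // Log Analytics agent machines seen
    by DeviceVendor, DeviceProduct, DeviceVersion
| extend MinutesSinceLast = datetime_diff('minute', now(), LastEvent)
// Flag sources that have gone quiet; a silent appliance is a detection gap.
| extend Stale = LastEvent < ago(1h)
| order by Stale desc, Events desc
| project DeviceVendor, DeviceProduct, DeviceVersion, Events, Forwarders, LastEvent, MinutesSinceLast, Stale
```

Run it in the Logs blade of the workspace after deployment; an empty result means the agent is not reaching Log Analytics, and a row with Stale set to true means that appliance has stopped sending even though it once worked.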

We are collaborating with various partners in the Microsoft Intelligent Security Association, including Palo Alto, F5, Accenture, Symantec, and many more. Our customers are always satisfied with our services. For example, Andrew Winkelmann, Global Consulting Practice Lead at Accenture, said in an interview: “With Microsoft Azure Sentinel, we can better address the main SIEM landscape challenges for our clients, along with simplifying data residency and GDPR concerns.”

Hence, with Microsoft Azure Sentinel you can enjoy a 100% customer satisfaction guarantee without breaking a sweat.


Workbooks

After connecting your data sources to Azure Sentinel, you can monitor the data using our versatile Azure Monitor workbooks. Workbooks help in situations such as:

• Exploring the usage of Azure Sentinel.
• Explaining to your team how a newly released feature works.
• Sharing the results of your experiments with other team members.
• Reporting the impact of an outage on overall functioning.

Saving & Sharing Workbooks with Your Team

Workbooks can be saved either in the My Reports section or in the Shared Reports section, depending on your requirements, and can be shared by link or email. Recipients need access to, and contributor permission on, this resource in Azure Sentinel to view and edit the workbook.

Analytics & Incidents

Azure Sentinel uses analytics to correlate alerts into incidents. An incident is a group of related alerts that together represent an actionable possible threat that must be investigated and resolved. This grouping reduces noise and the number of alerts you have to review and investigate.

You can use the built-in rules in Azure Sentinel to choose which Microsoft security solutions create incidents in real time.


Using Microsoft Security Incident-Creation Analytic Rules

Azure Sentinel incidents can be created automatically by the built-in rules, which let you choose which Microsoft security solutions generate them. You can also edit the rules to set more specific conditions for creating incidents in Azure Sentinel.

For example, you can choose to create Azure Sentinel incidents automatically only from high-severity Security Center alerts.

You can create more than one Microsoft Security analytic rule per service type; because each rule works as a filter, no duplicate incidents are created. You can also select which alerts from a security solution automatically generate incidents in Azure Sentinel when you connect that Microsoft security solution.

Playbooks

Security automation & orchestration

Playbooks integrate easily with Azure services and with your existing tools, helping you automate common tasks and simplify security orchestration. Azure Sentinel's automation and orchestration solution provides a highly extensible architecture that enables scalable automation as new threats emerge. You can build playbooks with Azure Logic Apps and choose from a growing gallery of built-in playbooks. Connectors let you apply custom logic in code and integrate with ServiceNow, Jira, Zendesk, HTTP requests, Microsoft Teams, Slack, Windows Defender ATP, and Cloud App Security.

For example, if you use the ServiceNow ticketing system, you can use Azure Logic Apps to automate your workflows and open a ticket in ServiceNow each time a particular event is detected.

Investigation & Hunting

Azure Sentinel's investigation tools help you analyze and find the root cause of a potential threat. Built on the MITRE framework, Azure Sentinel's hunting tools help you hunt for threats before an alert is triggered. For example, one built-in query may return data about many uncommon processes running on your infrastructure; you would not want an alert every time they run.

Use the Investigation Graph to Deep Dive

The investigation graph offers you:

• Visual context from raw data: It displays the entity relationships extracted automatically from the raw data and lets you easily view connections across different data sources.
• Full investigation scope discovery: It expands the scope of your investigation by using built-in exploration queries to surface the full scope of a breach.
• Built-in investigation steps: It uses predefined exploration options to make sure you are asking the right questions in the face of a threat.

Hunting

Azure Sentinel hunting provides the following advantages:

• Built-in queries: The starting page provides preloaded query examples designed to help you get started and become familiar with the tables and the query language.
• Powerful query language with IntelliSense: The query language gives you the flexibility needed to take hunting to the next level.
• Create your own bookmarks: Use the bookmark functionality to mark any matches or findings that seem unusual or suspicious, and come back to them later.
• Use notebooks to automate investigation: Notebooks are like playbooks that walk through the steps of an investigation and hunt. They combine all the hunting steps into a reusable playbook that can be shared with others in your organization.
• Query the stored data: You can query the data in tables, such as process creation, DNS events, and many other event types.
• Links to the community: Borrow the power of the wider community to find additional queries and data sources.
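The "uncommon processes" query mentioned earlier is a good first hunt to write yourself. The KQL below is an added example for this post, not a built-in Azure Sentinel query or Microsoft code; it assumes Windows security events are collected into the SecurityEvent table (EventID 4688 is process creation), and the seven-day lookback and rarity threshold of 3 are constructed values to tune for your estate. Because the result is a ranked list rather than an alert, it is meant to be bookmarked and reviewed, exactly the case the post describes where you would not want an alert each time such a process runs.

```kql
// Added example (not from the original post): hunt for process names that are
// rarely seen across the estate. Assumes Windows security events land in the
// SecurityEvent table; EventID 4688 is process creation.
let lookback = 7d;               // constructed value: how far back to look
let rare_threshold = 3;          // constructed value: executions at or below this count
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4688
// Keep only the file name so the same binary in different folders groups together.
| extend ProcName = tolower(extract(@"([^\\]+)$", 1, NewProcessName))
| summarize Executions = count(),
            Hosts = dcount(Computer),
            Accounts = dcount(Account),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SampleCommandLine = take_any(CommandLine)
    by ProcName
| where Executions <= rare_threshold
// Rarest first; a process seen once on one host by one account is the strongest lead.
| order by Executions asc, Hosts asc
| project ProcName, Executions, Hosts, Accounts, FirstSeen, LastSeen, SampleCommandLine
```

Save it from the Hunting blade as a custom query, bookmark the rows worth following up, and lower rare_threshold as the lookback window grows so the list stays short enough to review.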

Community

The Azure Sentinel Community is the best resource for threat detection and automation. Microsoft security analysts constantly add new workbooks, hunting queries, and more. Sample content can be downloaded from the private company GitHub repository to build your own custom workbooks, hunting queries, notebooks, and so on for Azure Sentinel.

