Azure Sentinel- Securing The Future

By Ashwin Venugopal -

 


 As per the "Cybersecurity Jobs Report 2018-21" by Cybersecurity ventures, there will be a shortfall of 3.5M security professionals by the end of 2021, which will create more challenges for security professional teams. Azure Sentinel has been designed to counter these problems and subdue security threats from your database.

Microsoft Azure Sentinel a scalable, cloud-native, Security Information Event Management (SIEM) and Security Orchestration Automated Response (SOAR) is a one-stop solution for all your security threats, threat visibility, proactive hunting, and threat response. It delivers intelligent security analytics, and threat intelligence across the enterprise with the help of Artificial Intelligence while offering affordable security services without any hidden prices.

Microsoft Azure Sentinel

Microsoft Azure Sentinel combines with Microsoft 365 solution and combines various signals from products like Azure Identity Protection, Microsoft Cloud App Security, O365 Advanced Threat Protection, etc. It provides the following services:

  • Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
  • Detect previously undetected threats, and minimize false positives using Microsoft's analytics and unparalleled threat intelligence.
  • Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cybersecurity work at Microsoft.
  • Respond to incidents rapidly with built-in-orchestration and automation of common tasks 

  Azure Sentinel enhances your security threat detection and investigation by using artificial intelligence and allows you to customize your own threat intelligence.

Data Connections

To start with Azure Sentinel you have to first connect to your security sources and Azure Sentinel comes fully laced with various connectors for Microsoft solutions providing real-time security threat detection and investigation.

Azure Sentinel supports the following data connection methods:

Service to service integration- Some services such as AWs, Microsoft services, etc. can be locally connected granting extraordinary integration. Other easily connectable solutions are Azure activity, Azure Security Center, Cloud App Security, Windows Firewall, Microsoft 365, and many more.

External solutions via API- Some data sources can be connected using Application Programming Interface (API) through which event logs can be retrieved to gather specific data types and then send them to Azure Log Analytics.

External solutions via Agent- Azure Sentinel Agent based on Log Analytics agent is capable of converting CEF formatted log into a simpler format which can be easily consumed by Log Analytics. The particular agent can be installed either directly in the appliance or through a Linux server depending upon the appliance type.

The agent can be deployed automatically or manually on a dedicated machine (VM or on-premises) to enable easy communication between the appliance and Azure Sentinel. Automatic agent deployment can only be done if your machine is a new VM, otherwise, the agent can be easily deployed manually on an existing Azure VM, VM in another cloud, or on-premises machine.  

Workbooks

After the completion of your data connection sources with Azure Sentinel, you can easily monitor data through Azure Monitor Workbooks which also allows you to create your custom workbooks across your data with the help of its in-built templates to quickly gain insights as soon as you connect to a data source.

Workbooks can be helpful in the following ways:

  • Exploring and understanding the capabilities of your App in advance, the number of users, retention rates conversion rates, etc. Workbooks allow you to combine with multiple visualizations and analyses, making them exceptional for this type of exploration.
  • Explaining to your team the performance of a newly released feature by using various analytical methods.
  • Sharing the results of an experiment in your app with the whole team using texts along with clear call-outs for whether each metric was above or below target.
  • Reporting and discussing the impact of an outage on your app by combining data, text explanation, and the steps to prevent future outages.   

Saving & Sharing Workbooks with your team

 Workbooks can be saved in either My Reports section or the Shared Reports section depending upon your requirements and can be easily shared by a link or email, but the recipients should have access and contributors permission to this resource in Azure Sentinel to view and edit the Workbook.

Analytics & Incidents

Azure Sentinel uses analytics to correlate alerts into incidents that are a group of related alerts that together create an actionable possible threat needed to be investigated and resolved. This combination helps you to minimize the noise and the number of alerts you have to review and investigate.

You can use the built-in rules within Azure Sentinel to choose the Microsoft security solutions to create incidents in real-time.

Using Microsoft Security Incident creation analytic rules

Azure Sentinel Incidents can be automatically created by using built-in rules available in Azure Sentinel to choose Microsoft Security solutions for the same. You can also edit the rules to define more specific options to create Incidents in Azure Sentinel.

For example- you can choose to create Azure Sentinel Incidents automatically only from high severity Center alerts.

You can also create more than one Microsoft security analytic rule per service type and since each rule works as a filter it will not create any duplicate incidents. \you can also select the alerts from the security solution to automatically generate incidents in Azure Sentinel, when you connect a Microsoft security solution.

Investigation & Hunting

Azure Sentinel's investigating tools help analyze and investigate the root cause of a potential threat. Based on the MITRE framework, Azure Sentinel's power hunting tools will help you hunt down the threats even before an alert is triggered. For example- one built-in query may provide data about many uncommon processes running on your infrastructure and you would not want an alert every time they run.

Use the Investigation graph to deep dive

The investigation graph offers you:

  • Visual context from raw data- It displays the entity-relationship extracted automatically from the raw data and enables you to easily view connections across different data sources.
  • Full investigation scope discovery- It will expand your scope of the investigation by using in-built exploration queries to surface the full scope of the breach.
  • Built-in investigation steps- It uses predefined exploration options to make sure you are asking the right question in the face of a threat.          

Hunting

Azure Sentinel hunting is capable of providing the following advantages: 

  • Built-in queries- The starting page provides you with preloaded query examples designed to help you get started and be familiar with the tables and the query language.
  •  Powerful query language with IntelliSense- The query language will provide you the flexibility needed to take the hunting to the next level.
  • Create your own bookmarks- You can use the bookmark functionality to mark any matches or findings that seem unusual or suspicious and can come back to them in the future.
  • Use notebook to automate investigation- They are playbooks that can be built to walk through the steps of an investigation and hunt. Notebooks can easily combine all the hunting steps in a reusable playbook that can also be shared with others in your organization.
  • Query the stored data-You can access the data in tables to query like you can query the process creation, DNS events, and many other event types.      
  • Links to community- You can also borrow the power of the greater community to find additional queries and data sources.   
\   Community
The Azure Sentinel community is the best resource for threat detection and automation. Our Microsoft security analysts constantly add new workbooks, hunting queries, etc. Sample content can be downloaded from the private company GitHub Repository to make your custom workbooks, hunting queries, notebooks, etc. to Azure Sentinel.

Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more