Azure Sentinel- Securing The Future

 


 As per the "Cybersecurity Jobs Report 2018-21" by Cybersecurity ventures, there will be a shortfall of 3.5M security professionals by the end of 2021, which will create more challenges for security professional teams. Azure Sentinel has been designed to counter these problems and subdue security threats from your database.

Microsoft Azure Sentinel a scalable, cloud-native, Security Information Event Management (SIEM) and Security Orchestration Automated Response (SOAR) is a one-stop solution for all your security threats, threat visibility, proactive hunting, and threat response. It delivers intelligent security analytics, and threat intelligence across the enterprise with the help of Artificial Intelligence while offering affordable security services without any hidden prices.

Microsoft Azure Sentinel

Microsoft Azure Sentinel combines with Microsoft 365 solution and combines various signals from products like Azure Identity Protection, Microsoft Cloud App Security, O365 Advanced Threat Protection, etc. It provides the following services:

  • Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
  • Detect previously undetected threats, and minimize false positives using Microsoft's analytics and unparalleled threat intelligence.
  • Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cybersecurity work at Microsoft.
  • Respond to incidents rapidly with built-in-orchestration and automation of common tasks 

  Azure Sentinel enhances your security threat detection and investigation by using artificial intelligence and allows you to customize your own threat intelligence.

Data Connections

To start with Azure Sentinel you have to first connect to your security sources and Azure Sentinel comes fully laced with various connectors for Microsoft solutions providing real-time security threat detection and investigation.

Azure Sentinel supports the following data connection methods:

Service to service integration- Some services such as AWs, Microsoft services, etc. can be locally connected granting extraordinary integration. Other easily connectable solutions are Azure activity, Azure Security Center, Cloud App Security, Windows Firewall, Microsoft 365, and many more.

External solutions via API- Some data sources can be connected using Application Programming Interface (API) through which event logs can be retrieved to gather specific data types and then send them to Azure Log Analytics.

External solutions via Agent- Azure Sentinel Agent based on Log Analytics agent is capable of converting CEF formatted log into a simpler format which can be easily consumed by Log Analytics. The particular agent can be installed either directly in the appliance or through a Linux server depending upon the appliance type.

The agent can be deployed automatically or manually on a dedicated machine (VM or on-premises) to enable easy communication between the appliance and Azure Sentinel. Automatic agent deployment can only be done if your machine is a new VM, otherwise, the agent can be easily deployed manually on an existing Azure VM, VM in another cloud, or on-premises machine.  

Workbooks

After the completion of your data connection sources with Azure Sentinel, you can easily monitor data through Azure Monitor Workbooks which also allows you to create your custom workbooks across your data with the help of its in-built templates to quickly gain insights as soon as you connect to a data source.

Workbooks can be helpful in the following ways:

  • Exploring and understanding the capabilities of your App in advance, the number of users, retention rates conversion rates, etc. Workbooks allow you to combine with multiple visualizations and analyses, making them exceptional for this type of exploration.
  • Explaining to your team the performance of a newly released feature by using various analytical methods.
  • Sharing the results of an experiment in your app with the whole team using texts along with clear call-outs for whether each metric was above or below target.
  • Reporting and discussing the impact of an outage on your app by combining data, text explanation, and the steps to prevent future outages.   

Saving & Sharing Workbooks with your team

 Workbooks can be saved in either My Reports section or the Shared Reports section depending upon your requirements and can be easily shared by a link or email, but the recipients should have access and contributors permission to this resource in Azure Sentinel to view and edit the Workbook.

Analytics & Incidents

Azure Sentinel uses analytics to correlate alerts into incidents that are a group of related alerts that together create an actionable possible threat needed to be investigated and resolved. This combination helps you to minimize the noise and the number of alerts you have to review and investigate.

You can use the built-in rules within Azure Sentinel to choose the Microsoft security solutions to create incidents in real-time.

Using Microsoft Security Incident creation analytic rules

Azure Sentinel Incidents can be automatically created by using built-in rules available in Azure Sentinel to choose Microsoft Security solutions for the same. You can also edit the rules to define more specific options to create Incidents in Azure Sentinel.

For example- you can choose to create Azure Sentinel Incidents automatically only from high severity Center alerts.

You can also create more than one Microsoft security analytic rule per service type and since each rule works as a filter it will not create any duplicate incidents. \you can also select the alerts from the security solution to automatically generate incidents in Azure Sentinel, when you connect a Microsoft security solution.

Investigation & Hunting

Azure Sentinel's investigating tools help analyze and investigate the root cause of a potential threat. Based on the MITRE framework, Azure Sentinel's power hunting tools will help you hunt down the threats even before an alert is triggered. For example- one built-in query may provide data about many uncommon processes running on your infrastructure and you would not want an alert every time they run.

Use the Investigation graph to deep dive

The investigation graph offers you:

  • Visual context from raw data- It displays the entity-relationship extracted automatically from the raw data and enables you to easily view connections across different data sources.
  • Full investigation scope discovery- It will expand your scope of the investigation by using in-built exploration queries to surface the full scope of the breach.
  • Built-in investigation steps- It uses predefined exploration options to make sure you are asking the right question in the face of a threat.          

Hunting

Azure Sentinel hunting is capable of providing the following advantages: 

  • Built-in queries- The starting page provides you with preloaded query examples designed to help you get started and be familiar with the tables and the query language.
  •  Powerful query language with IntelliSense- The query language will provide you the flexibility needed to take the hunting to the next level.
  • Create your own bookmarks- You can use the bookmark functionality to mark any matches or findings that seem unusual or suspicious and can come back to them in the future.
  • Use notebook to automate investigation- They are playbooks that can be built to walk through the steps of an investigation and hunt. Notebooks can easily combine all the hunting steps in a reusable playbook that can also be shared with others in your organization.
  • Query the stored data-You can access the data in tables to query like you can query the process creation, DNS events, and many other event types.      
  • Links to community- You can also borrow the power of the greater community to find additional queries and data sources.   
\   Community
The Azure Sentinel community is the best resource for threat detection and automation. Our Microsoft security analysts constantly add new workbooks, hunting queries, etc. Sample content can be downloaded from the private company GitHub Repository to make your custom workbooks, hunting queries, notebooks, etc. to Azure Sentinel.

Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)