Working with Microsoft Sentinel: Cloud-Native SIEM and SOAR for Intelligent Security Analytics for Your Entire Enterprise

What is Microsoft Sentinel?

Microsoft Sentinel is a scalable, cloud-native solution that provides intelligent security analytics and threat intelligence across the enterprise. It is a single solution for threat detection, threat visibility, proactive threat hunting, and threat response. It performs the following tasks:
  • Collect data at cloud scale across all users, devices, and applications, both on-premises and across multiple clouds.

  • Detect previously undetected threats using Microsoft's analytics and threat intelligence, while minimizing false positives.

  • Investigate threats with artificial intelligence and hunt for other suspicious activity.

  • Respond to incidents rapidly through built-in orchestration and automation of common tasks.

Collects Data Via Data Connectors

To onboard Microsoft Sentinel, you first connect it to your data sources. It ships with connectors for Microsoft solutions that provide real-time integration, including:
  1. Microsoft sources such as Microsoft 365 Defender, Microsoft Defender for Cloud, Office 365, and Microsoft Defender for IoT.
  2. Azure service sources such as Azure AD, Azure Activity, Azure Storage, and Azure Key Vault.
Built-in connectors also cover the broader security and application ecosystem of non-Microsoft solutions, and data sources can additionally be connected to Microsoft Sentinel via Common Event Format (CEF), Syslog, or REST API.

Create Interactive Reports by Using Workbooks

Once onboarding is done, the data can be monitored through the integration with Azure Monitor workbooks. Microsoft Sentinel also ships with built-in workbook templates for reference and lets you create custom workbooks across your data. Workbooks are used by SOC engineers and analysts of all tiers to visualize data. They are best suited to high-level views of Microsoft Sentinel data and require no coding knowledge; however, they cannot integrate external data.

Correlate Alerts Into Incidents by using Analytical Rules

Microsoft Sentinel uses analytics to correlate alerts into incidents, reducing noise and the number of alerts an analyst has to review. Incidents are groups of related alerts that together point towards a possible threat and need to be investigated and resolved promptly. The built-in correlation rules can be used as they are or as a starting point for building new ones. Machine learning rules map the network's behavior, find anomalies, and combine low-fidelity alerts on different entities into potentially high-fidelity security incidents.
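The following Python is an added illustration, not code from this post or from Microsoft, of the grouping just described: alerts that share an account entity and arrive within a time window are folded into one incident, and the incident takes the highest severity of its alerts. The alert records, the 24-hour window, the entity names and the "two distinct rules means higher fidelity" heuristic are all constructed assumptions for the example.

```python
from datetime import datetime, timedelta

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample alerts (not real Sentinel data). Each alert carries the
# entities its rule mapped; the grouping keys on those entities.
ALERTS = [
    {"id": "a1", "time": "2024-05-01T10:00:00", "severity": "Low",
     "name": "Sign-in from unfamiliar location", "entities": {"account": "jdoe", "ip": "203.0.113.7"}},
    {"id": "a6", "time": "2024-05-01T10:05:00", "severity": "Low",
     "name": "Mass download from storage", "entities": {"ip": "203.0.113.7"}},  # no account entity
    {"id": "a2", "time": "2024-05-01T11:30:00", "severity": "Medium",
     "name": "Mass download from storage", "entities": {"account": "jdoe", "ip": "203.0.113.7"}},
    {"id": "a5", "time": "2024-05-01T12:00:00", "severity": "Low",
     "name": "Sign-in from unfamiliar location", "entities": {"account": "svc_backup"}},
    {"id": "a3", "time": "2024-05-02T02:00:00", "severity": "Low",
     "name": "Sign-in from unfamiliar location", "entities": {"account": "jdoe", "ip": "198.51.100.9"}},
    {"id": "a4", "time": "2024-05-05T09:00:00", "severity": "Low",
     "name": "Sign-in from unfamiliar location", "entities": {"account": "jdoe"}},
]

def group_alerts_into_incidents(alerts, window=timedelta(hours=24), match_on=("account",)):
    """Fold alerts into incidents when they share every entity in `match_on` and
    arrive within `window` of the incident's latest alert. This is a simplified
    model of the grouping the post describes, not Sentinel's implementation."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        seen = datetime.fromisoformat(alert["time"])
        key = tuple(alert["entities"].get(e) for e in match_on)
        target = None
        if None not in key:  # an alert missing a matching entity never merges
            for inc in incidents:
                if inc["key"] == key and seen - inc["last_seen"] <= window:
                    target = inc
                    break
        if target is None:
            target = {"key": key, "alerts": [], "first_seen": seen, "last_seen": seen}
            incidents.append(target)
        target["alerts"].append(alert)
        target["last_seen"] = seen
    return incidents

def summarize(incident, min_distinct_rules=2):
    """Incident severity is the highest alert severity; an incident assembled
    from several distinct rules is flagged as higher fidelity (our heuristic)."""
    alerts = incident["alerts"]
    severity = max((a["severity"] for a in alerts), key=SEVERITY_RANK.__getitem__)
    return {"entity": incident["key"], "alert_ids": [a["id"] for a in alerts], "severity": severity,
            "high_fidelity": len({a["name"] for a in alerts}) >= min_distinct_rules}
```

With the sample above, the three jdoe alerts on 1-2 May collapse into one Medium incident flagged high fidelity, while the 5 May alert, the svc_backup alert and the alert with no account entity each stand alone.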

Automate and Orchestrate Common Tasks by Using Playbooks

The automation and orchestration solution offers a highly extensible architecture that scales automation as new technologies and threats emerge. Playbooks can be created with Azure Logic Apps from a constantly expanding gallery of hundreds of connectors for services and systems such as ServiceNow, Jira, Zendesk, and Slack, which let you apply custom logic in a workflow. Playbooks are used by SOC engineers and analysts of all tiers to automate and simplify tasks including data ingestion, enrichment, investigation, and remediation. They are best suited to single, repeatable tasks and require no coding knowledge; however, they are not suited to complex or ad-hoc task chains, or to documenting and sharing evidence.

Investigate the Scope and Root cause of Security Threats

Microsoft Sentinel's deep investigation tools help you understand the scope and root cause of a potential security threat. On the interactive investigation graph, you can select an entity and ask specific questions about it to drill down to the root cause of the threat.

Hunt for Security Threats via Built-in Queries

Microsoft Sentinel's hunting search-and-query tools are based on the MITRE ATT&CK framework. They let you proactively search for security threats across an organization's data sources before an alert is triggered. Hunting queries can then be turned into custom detection rules that raise alerts for security incident responders.

Enhance Threat Hunting with Notebooks

Microsoft Sentinel supports Jupyter notebooks in Azure Machine Learning workspaces, which extends what can be done with Microsoft Sentinel data: for example, analytics or data visualizations that are not built into Microsoft Sentinel. Notebooks are used by threat hunters or Tier 2-3 analysts, incident investigators, data scientists, and security researchers. They have a steeper learning curve, require coding knowledge, and offer only limited automation support, but they are best suited to more complex chains of tasks, ad-hoc procedural controls, machine learning, and custom analysis.

Download Security Content from Community

The Microsoft Sentinel community is a powerful resource where security analysts create and post new workbooks, playbooks, hunting queries, and more. Sample content can be downloaded from the private community GitHub repository and used to create custom workbooks, hunting queries, and other content for Microsoft Sentinel.