Azure Sentinel is Microsoft's cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) service, delivered on the Azure public cloud platform. It combines alert detection, threat visibility, proactive hunting, and threat response in a single solution. It gathers data from many sources, correlates it, and presents the results in a single dashboard. With Azure Sentinel you can collect security data, detect threats, investigate them, and respond to them.

Security analytics and threat intelligence are therefore applied consistently across the organization's whole estate. Azure Sentinel builds on Azure Log Analytics (for storage and querying) and Azure Logic Apps (for automation) out of the box. It also has built-in machine learning that flags suspicious activity and likely threat actors, which helps security analysts make sense of their environment.

Azure Sentinel is simple to set up in both single-tenant and multi-tenant environments. In a multi-tenant scenario, Azure Sentinel is enabled in each tenant, and Azure Lighthouse provides a single cross-tenant view of all of them.

AZURE SENTINEL WORKS LIKE THIS:

Devices and services must first start sending data into Sentinel through Data Connectors. Under the hood, that data lands in an Azure Log Analytics workspace. Workbooks visualize the data, surface potential issues and trends, and help you develop specialized queries. Those queries can then become Analytics rules. Once analytics rules exist, their hits appear as Incidents, and Playbooks can run automated actions in response. While investigating incidents, Bookmarks let you flag interesting or unusual data for follow-up and discover other areas that may be affected. Finally, once you have some experience with the data, you can move on to Threat Hunting.

Examining the Particulars

Microsoft provides built-in queries and analytics, so you are unlikely to need to construct your own right away. As you grow, however, you may need something tailored to your organization's security requirements. With that in mind, here is more detail on each component:

Log Analytics

Data must be stored in a Log Analytics workspace to be consumed by Azure Sentinel. The workspace is the storage and query layer for all the data ingested from your various sources; capacity scales with what you ingest, and how long data is kept is governed by the workspace retention setting. Microsoft recommends enabling Azure Sentinel on a single, dedicated workspace.

Workbooks 

Workbooks let you monitor the data you have ingested into Azure Sentinel. Built-in workbook templates let you assess the data right away, and you can build custom workbooks to view your data the way you choose.

Analytics

Analytics lets you define rules that search all ingested data for potential threats. Many pre-built rules are available, as well as connections to Microsoft sources such as Microsoft Defender ATP and Microsoft Cloud App Security. Additional custom rules can be built from queries and set to run on a schedule. Each rule's hits can create an incident and/or trigger a playbook.

Incidents 

Incidents are the cases created from the alerts that Analytics rules generate; a single incident can group several related alerts. Incidents enable further investigation using the investigation graph, which shows the related entities and whether any other areas were exposed. An incident can be assigned to an individual analyst to delegate the investigation.

Playbooks 

Playbooks are Azure Logic Apps built for the sole purpose of handling Azure Sentinel alerts. They allow a coordinated, automated response to the alerts that Analytics raises. Anything you can do in a Logic App, new or existing, can be extended to run in response to an Azure Sentinel alert.

Notebooks 

Azure Sentinel makes Jupyter notebooks readily accessible from the Azure portal. A notebook is a web application that runs in your browser and lets you combine live code, queries, and visualizations in one document. Microsoft provides several sample notebooks that demonstrate the capabilities.

Hunting 

Hunting enables manual, proactive investigation of potential security concerns across the ingested data. Microsoft provides a number of built-in hunting queries, and you can develop your own. Once a query proves useful, you can turn it into an analytics rule that runs on a schedule. The hunting capabilities include Queries (written in Kusto Query Language), Notebooks, Bookmarks, and Livestream.

Azure Sentinel's four key stages are collect, detect, investigate, and respond:

Collect information

Azure Sentinel can collect data on all users, devices, applications, and infrastructure, both on-premises and across multiple clouds. It has an easy-to-use interface for connecting to security sources out of the box. For Microsoft products, service-to-service connectors offer near-real-time integration. It also has built-in connectors for third-party (non-Microsoft) products and services. Beyond that, Azure Sentinel can connect to other data sources via Common Event Format (CEF), Syslog, or REST API.

Out-of-the-box connectors exist for Azure Active Directory, Azure Activity, Azure DDoS Protection, Azure AD Identity Protection, Azure Firewall, Azure Security Center, Azure Web Application Firewall, Office 365, Microsoft Defender for Identity, Amazon Web Services CloudTrail, and Cloud App Security.
API-based connectors are available for products such as Okta SSO, Orca Security, Qualys VM, Citrix Analytics, Barracuda CloudGen Firewall, Perimeter 81 Logs, Proofpoint TAP, and others.

Any other data source can connect to Azure Sentinel through an agent, which streams logs in near real time. The Log Analytics agent is installed on a Linux machine acting as a log forwarder; appliances send it Syslog or CEF messages, and it forwards them to the workspace, where CEF messages are parsed into the CommonSecurityLog table. Linux servers, DNS servers, Azure Stack VMs, and DLP systems are examples of external solutions that Azure Sentinel supports through agents.
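As an added illustration of what the agent's CEF path does (example code written for this article, not Microsoft's agent or any part of Sentinel), the parser below strips the syslog header, splits the seven pipe-delimited CEF header fields while honouring escaped pipes, decodes the key=value extensions while honouring escaped "=" and backslashes, and maps the result onto CommonSecurityLog-style column names. The six header column names match the table; the small extension-to-column map and the way unmapped keys are kept under AdditionalExtensions are simplifying assumptions, and the sample lines are constructed, not real appliance output.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog+CEF lines (not captured from real appliances).
SAMPLE_LINES = [
    r"<134>Jun 10 12:00:01 fw01 CEF:0|Palo Alto Networks|PAN-OS|9.1|deny|Traffic Denied|5|"
    r"src=10.0.0.5 dst=8.8.8.8 dpt=53 proto=UDP act=deny",
    r"<134>Jun 10 12:00:02 proxy1 CEF:0|Zscaler|NSSWeblog|5.0|ALLOW|Web Allowed|3|"
    r"src=10.0.0.7 dst=93.184.216.34 dpt=443 request=https://example.com/path?a\=b suser=alice",
    r"<134>Jun 10 12:00:03 fw01 CEF:0|Vendor\|Inc|Product|1.0|100|Pipe in vendor|7|"
    r"src=10.0.0.9 msg=hello\\world",
    "Jun 10 12:00:04 fw01 plain syslog line without CEF",
]

# CommonSecurityLog column names for the six CEF header fields that follow the version.
HEADER_COLUMNS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity")

# CEF extension key -> CommonSecurityLog column. Assumption: a small subset, for illustration only.
EXTENSION_COLUMNS = {
    "src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort", "dpt": "DestinationPort",
    "proto": "Protocol", "act": "DeviceAction", "suser": "SourceUserName",
    "request": "RequestURL", "msg": "Message",
}

# Escapes CEF allows inside values; any other backslash sequence is kept verbatim.
_UNESCAPE = {"\\": "\\", "=": "=", "|": "|", "n": "\n", "r": "\r"}


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: _UNESCAPE.get(m.group(1), m.group(0)), value)


def _split_header(body: str) -> Tuple[List[str], str]:
    """Split the text after 'CEF:' on unescaped '|' into 7 header fields; return (fields, extension)."""
    fields: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            current.append(body[i + 1])      # escaped pipe or backslash inside a header field
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, body[i:]


# key=value pairs; a value runs until the next ' key=' or end of line, and an escaped '=' does not end it.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s\w+=|$)")


def parse_cef(line: str) -> Optional[Dict[str, object]]:
    """Return a CommonSecurityLog-style record for one syslog line, or None if it carries no CEF."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    fields, extension = _split_header(line[idx + 4:])
    record: Dict[str, object] = dict(zip(HEADER_COLUMNS, fields[1:]))   # fields[0] is the CEF version
    extra: Dict[str, str] = {}
    for key, raw in _EXT_RE.findall(extension):
        value = _unescape(raw)
        if key in EXTENSION_COLUMNS:
            record[EXTENSION_COLUMNS[key]] = value
        else:
            extra[key] = value          # unmapped keys; Sentinel keeps these in AdditionalExtensions
    record["AdditionalExtensions"] = extra
    return record


def ingest(lines: List[str]) -> Tuple[List[Dict[str, object]], int]:
    """Parse a batch of lines; return the records plus the count of lines that could not be parsed."""
    records, dropped = [], 0
    for line in lines:
        try:
            rec = parse_cef(line)
        except ValueError:
            rec = None
        if rec is None:
            dropped += 1
        else:
            records.append(rec)
    return records, dropped


if __name__ == "__main__":
    recs, dropped = ingest(SAMPLE_LINES)
    for r in recs:
        print(r["DeviceVendor"], r["Activity"], r.get("SourceIP"), r.get("DestinationPort"))
    print(f"{dropped} line(s) dropped")
```

The two things that most often go wrong in home-grown CEF handling are both exercised by the sample lines: a vendor name containing an escaped pipe (which naive `split("|")` breaks on) and a URL containing an escaped "=" (which naive `split("=")` breaks on). Counting dropped lines matters too, because a parser that silently discards malformed events creates a blind spot that an attacker can create on purpose.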

Other supported sources include:

Threat Intelligence providers (MISP Open Source Threat Intelligence Platform, Anomali ThreatStream, Palo Alto Networks MineMeld, ThreatConnect Platform, ThreatQ Threat Intelligence Platform, etc.); firewalls, proxies, and endpoints that emit CEF (Check Point, F5 ASM, Palo Alto Networks, Zscaler, Cisco ASA, Fortinet, and other CEF-based appliances); and firewalls, proxies, and endpoints that emit Syslog (Sophos XG, Symantec Proxy SG, Pulse Connect Secure, and other Syslog-based appliances).

Azure Sentinel also supports Fluentd and Logstash as collectors for gathering and forwarding data and logs.

Identify Potential Threats

Using analytics and threat intelligence from Microsoft, Azure Sentinel detects threats while keeping false positives low. Analytics rules are what turn incoming data into alerts the security team can triage. Azure Sentinel ships with built-in rule templates for threat detection and automated response, and it also lets you create custom rules. There are four types of template:

Microsoft Security templates: rules created from this template turn alerts generated by other Microsoft security products into Azure Sentinel incidents in real time.

Fusion template: only one Fusion rule can exist per workspace; check in the Analytics blade whether it is enabled in yours. It uses Microsoft's multistage attack detection logic, applying scalable machine learning to correlate large numbers of low-fidelity alerts and events from different products into a small number of high-fidelity, actionable incidents.

Machine Learning Behavioral Analytics templates: each template of this type can create only one rule. They are based on Microsoft's proprietary machine learning algorithms, and the underlying logic and run schedule are not exposed to the user.

Scheduled templates: this is the only template type whose query logic is visible and can be adjusted to the environment's needs. Scheduled templates are analytics rules built on Microsoft's built-in queries; when creating new rules from them you can customize both the query logic and the scheduling settings (how often the rule runs, how far back each run looks, and the result threshold that triggers an alert).
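To make the scheduled-rule settings concrete, here is an added example written for this article (not Sentinel code and not an actual rule template) that models the pipeline described under Analytics, Incidents and Playbooks above together with the scheduling settings of a Scheduled template: a rule that runs every 5 minutes, looks back 5 minutes, and alerts when one IP address produces at least 5 failed sign-ins; alert grouping that folds alerts from the same rule sharing the IP entity into one incident; and a playbook that reacts each time the incident is created or updated. The sign-in rows, the allowlist and the playbook's actions are constructed for illustration, and treating any ResultType other than "0" as a failure is a simplification.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

T0 = datetime(2021, 6, 10, 12, 0)

def _signin(minute: int, user: str, ip: str, result: str = "50126") -> Dict[str, object]:
    """Constructed SigninLogs-style row; ResultType "0" is success, anything else a failure."""
    return {"TimeGenerated": T0 + timedelta(minutes=minute), "UserPrincipalName": user,
            "IPAddress": ip, "ResultType": result}

# Constructed sample: one source hammers alice, then bob; another fails twice and then succeeds.
EVENTS = ([_signin(m, "alice@contoso.example", "203.0.113.10") for m in (0, 1, 1, 2, 3, 4)]
          + [_signin(m, "carol@contoso.example", "198.51.100.7") for m in (2, 3)]
          + [_signin(4, "carol@contoso.example", "198.51.100.7", result="0")]
          + [_signin(m, "bob@contoso.example", "203.0.113.10") for m in (6, 7, 7, 8, 9)])

@dataclass
class ScheduledRule:
    name: str
    frequency: timedelta   # how often the query runs
    period: timedelta      # lookback window each run queries
    threshold: int         # alert when a group has at least this many results
    severity: str = "Medium"

@dataclass
class Alert:
    rule: str
    time: datetime
    ip: str
    accounts: List[str]
    count: int

@dataclass
class Incident:
    id: int
    rule: str
    ip: str
    alerts: List[Alert]
    severity: str
    status: str = "New"
    comments: List[str] = field(default_factory=list)

def run_rule(rule: ScheduledRule, events: List[Dict[str, object]], run_time: datetime) -> List[Alert]:
    """One scheduled execution: query [run_time - period, run_time), group failures by IP, apply the threshold."""
    start = run_time - rule.period
    failures: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if start <= e["TimeGenerated"] < run_time and e["ResultType"] != "0":
            failures[e["IPAddress"]].append(e["UserPrincipalName"])
    return [Alert(rule.name, run_time, ip, sorted(set(users)), len(users))
            for ip, users in failures.items() if len(users) >= rule.threshold]

def group_alerts(alerts: List[Alert], incidents: List[Incident], severity: str,
                 window: timedelta) -> List[Incident]:
    """Alert grouping: an alert joins an open incident from the same rule with the same IP entity whose
    latest alert is within the grouping window; otherwise a new incident opens. Returns incidents touched."""
    touched: List[Incident] = []
    for a in alerts:
        for inc in incidents:
            if (inc.rule == a.rule and inc.ip == a.ip and inc.status != "Closed"
                    and a.time - inc.alerts[-1].time <= window):
                inc.alerts.append(a)
                break
        else:
            inc = Incident(len(incidents) + 1, a.rule, a.ip, [a], severity)
            incidents.append(inc)
        touched.append(inc)
    return touched

ALLOWLIST = {"198.51.100.7"}   # constructed: e.g. a sanctioned vulnerability scanner

def playbook(inc: Incident) -> List[str]:
    """Automated response on incident creation/update; returns the actions it would take."""
    if inc.ip in ALLOWLIST:
        inc.status = "Closed"
        inc.comments.append("auto-closed: allowlisted source")
        return ["close"]
    actions: List[str] = []
    accounts = {u for a in inc.alerts for u in a.accounts}
    if len(accounts) > 1 and inc.severity != "High":
        inc.severity = "High"   # several accounts from one IP looks like a spray, not one user's typos
        inc.comments.append(f"{len(accounts)} accounts targeted from {inc.ip}")
        actions.append("raise-severity")
    if not any(c.startswith("blocked") for c in inc.comments):
        inc.comments.append(f"blocked {inc.ip}")   # stand-in for a firewall or Conditional Access call
        actions.append(f"block-ip:{inc.ip}")
    return actions

def simulate(events, rule: ScheduledRule, first_run: datetime, runs: int,
             grouping_window: timedelta = timedelta(hours=1)):
    """Run the rule on its schedule, group alerts into incidents, and fire the playbook on each touched incident."""
    incidents: List[Incident] = []
    log: List[str] = []
    for i in range(runs):
        run_time = first_run + i * rule.frequency
        alerts = run_rule(rule, events, run_time)
        for inc in group_alerts(alerts, incidents, rule.severity, grouping_window):
            log.extend(f"{run_time:%H:%M} incident {inc.id}: {act}" for act in playbook(inc))
    return incidents, log

RULE = ScheduledRule("Failed sign-ins from one IP", timedelta(minutes=5), timedelta(minutes=5), threshold=5)

if __name__ == "__main__":
    incs, log = simulate(EVENTS, RULE, T0 + timedelta(minutes=5), runs=2)
    print(*log, sep="\n")
    for inc in incs:
        print(inc.id, inc.ip, inc.severity, len(inc.alerts), inc.comments)
```

Two design points carry over to real rules. First, frequency and period are set equal here so that consecutive runs tile the timeline without gaps or double counting; a period longer than the frequency re-alerts on the same events, and a shorter one leaves blind spots. Second, the playbook is written to be idempotent, because alert grouping means it fires again on the same incident every time a new alert joins it.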

Suspicious Activity Investigation

Azure Sentinel can investigate and track suspicious activity across your entire estate. It uses the MITRE ATT&CK framework to categorize detections, reduce noise, and guide the search for security threats, and it applies artificial intelligence to surface suspicious activity proactively, before an alert has fired, across the protected assets. The following features are available for hunting and investigation:

Built-in queries: Microsoft provides these to help you learn the tables and the query language. You can also develop new queries or fine-tune existing ones to improve your detection capabilities.

Kusto Query Language (KQL): hunting queries are written in KQL, which gives you the flexibility to take your hunting capabilities to the next level.

Bookmarks: bookmark the findings you come across while hunting so you can return to them later, and create an incident from them for further investigation.

Notebooks to automate investigation: like playbooks, notebooks provide a step-by-step guide that records the steps of a hunt. They capture the whole hunting process in a reusable form that you can share with team members.

Query the stored data: the data ingested by and generated in Azure Sentinel is readily accessible in the form of tables.

Azure Sentinel is also connected to a community: the Azure Sentinel GitHub repository is a great place to find additional queries and data sources.
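Here is an added example of a hunt written for this article (not one of Microsoft's built-in queries, and in Python rather than KQL so that it runs offline against constructed data): it looks for processes that started on a host in the last 24 hours but never ran on that host during the preceding 30-day baseline, ranks them by how many other hosts have ever run them (rarity), bookmarks the findings worth keeping with tags and notes, and promotes those bookmarks to an incident. The rows mimic SecurityEvent 4688-style process-creation records and are constructed; the bookmark and incident structures are simplifications, not Sentinel's API.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

NOW = datetime(2021, 6, 10, 12, 0)
HUNT_WINDOW = timedelta(days=1)     # the period being hunted
BASELINE = timedelta(days=30)       # history used to decide what is "normal"


def _proc(hours_ago: float, computer: str, account: str, process: str) -> Dict[str, object]:
    """Constructed SecurityEvent 4688-style process-creation row."""
    return {"TimeGenerated": NOW - timedelta(hours=hours_ago), "Computer": computer,
            "Account": account, "NewProcessName": process}


SVCHOST = r"C:\Windows\System32\svchost.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
CERTUTIL = r"C:\Windows\System32\certutil.exe"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\update.exe"

EVENTS: List[Dict[str, object]] = (
    # baseline: routine activity over the previous month on three hosts
    [_proc(24 * d, h, "CONTOSO\\svc_backup", SVCHOST) for d in range(2, 30) for h in ("ws01", "ws02", "srv01")]
    + [_proc(24 * d, "ws01", "CONTOSO\\alice", OUTLOOK) for d in range(2, 30, 3)]
    + [_proc(24 * 12, "srv01", "CONTOSO\\admin", CERTUTIL)]
    # hunt window: the last 24 hours
    + [_proc(12, "ws01", "CONTOSO\\alice", OUTLOOK),        # routine, seen before on ws01
       _proc(7, "ws01", "CONTOSO\\alice", DROPPER),         # never seen on any host
       _proc(5, "srv01", "CONTOSO\\svc_backup", SVCHOST),   # routine
       _proc(2, "ws02", "CONTOSO\\bob", CERTUTIL)]          # first time on ws02; seen on one other host
)


def first_seen_processes(events, now=NOW, hunt_window=HUNT_WINDOW, baseline=BASELINE):
    """Hunting query: processes new to a host within the hunt window, rarest first.

    Prevalence is the number of distinct hosts that ran the process during the baseline period."""
    hunt_start = now - hunt_window
    seen_on_host: Set[tuple] = set()
    hosts_by_process: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if now - baseline <= e["TimeGenerated"] < hunt_start:
            seen_on_host.add((e["Computer"], e["NewProcessName"]))
            hosts_by_process[e["NewProcessName"]].add(e["Computer"])
    findings = []
    for e in events:
        if hunt_start <= e["TimeGenerated"] <= now and (e["Computer"], e["NewProcessName"]) not in seen_on_host:
            findings.append({**e, "Prevalence": len(hosts_by_process[e["NewProcessName"]])})
    return sorted(findings, key=lambda f: (f["Prevalence"], f["TimeGenerated"]))


def bookmark(finding: Dict[str, object], tags: List[str], notes: str) -> Dict[str, object]:
    """Record a hunting result together with the entities it maps to, so it can be revisited or promoted."""
    return {"query": "first_seen_processes", "tags": tags, "notes": notes,
            "entities": {"Host": finding["Computer"], "Account": finding["Account"],
                         "Process": finding["NewProcessName"]},
            "result": finding}


def promote_to_incident(bookmarks: List[Dict[str, object]], title: str, severity: str) -> Dict[str, object]:
    """Open an incident from one or more bookmarks, collecting their host entities."""
    hosts = sorted({b["entities"]["Host"] for b in bookmarks})
    return {"title": title, "severity": severity, "status": "New", "hosts": hosts, "bookmarks": bookmarks}


def hunt() -> Dict[str, object]:
    """Run the hunt, bookmark anything never seen on any host in the baseline, and open an incident from those."""
    findings = first_seen_processes(EVENTS)
    marks = [bookmark(f, ["first-seen", "zero-prevalence"], "process never observed on any host in the baseline")
             for f in findings if f["Prevalence"] == 0]
    incident = promote_to_incident(marks, "Unknown binary executed on workstation", "Medium") if marks else None
    return {"findings": findings, "bookmarks": marks, "incident": incident}


if __name__ == "__main__":
    out = hunt()
    for f in out["findings"]:
        print(f["Prevalence"], f["Computer"], f["Account"], f["NewProcessName"])
    print(out["incident"]["title"], out["incident"]["hosts"])
```

The certutil finding is the useful caveat: it is first-seen on ws02 but not unknown to the estate, so it is reported and ranked, not bookmarked automatically. That is the judgement call hunting exists for, and once the query's precision is understood, the same logic is what you would turn into a scheduled analytics rule as described under Hunting above.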

How do you set up Azure Sentinel?

Azure Sentinel uses Azure Role-Based Access Control (RBAC), which lets administrators grant granular permissions based on various criteria. There are three built-in Azure Sentinel roles.

Reader: users with this role can view incidents and data, but they cannot edit them.

Responder: users with this role can view incidents and data and perform actions on incidents, such as assigning an incident to another user or changing its severity.

Contributor: users with this role have access to incidents and data, and can also create and delete analytics rules.

Deploying Azure Sentinel requires Contributor permissions on the subscription that contains the Azure Sentinel workspace. Use RBAC to grant distinct groups granular permissions, so that each team gets access that matches how it works with Azure Sentinel.

Why not let experts help you with your Azure Sentinel deployment?

At “TOS”, our subject matter experts can help you with your Azure Sentinel deployment, applying best practices and catering to your business needs.

Schedule an interaction call now!