AZURE SENTINEL

What is Azure Sentinel?

  • Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution.
  • Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
  • Azure Sentinel is your bird's-eye view across the enterprise, alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution timeframes.

Using Azure Sentinel, you can:

  • Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
  • Detect previously undetected threats, and minimize false positives using Microsoft’s analytics and unparalleled threat intelligence.
  • Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cyber security work at Microsoft.
  • Respond to incidents rapidly with built-in orchestration and automation of common tasks.
  • Full documentation of Azure Sentinel can be found in the official documentation here.

So, as I mentioned above, Azure Sentinel helps you detect, alert on, investigate and resolve security incidents quickly.

Let’s see how we can use it.

Log in to the Azure portal and search for Azure Sentinel in the services. Select it.

Now, before we go ahead, we need to attach it to an Azure Log Analytics workspace. So, click Connect Workspace.

Click Create a new Workspace.

Give the workspace a name, create a new resource group for it, and choose the pay-as-you-go pricing tier.

Once the workspace gets created, click Add Azure Sentinel.

It will take you to this blade. This is Azure Sentinel. It can collect data from many sources and analyse that for security incidents and threats. It provides tools to investigate the data, create alerts and mitigate security threats.

  • We’ll start by connecting a data source.

In the current blade, click Connect under the Collect Data step.

There are many data sources to connect to out of the box: Microsoft data sources as well as third-party ones like Amazon Web Services. Right now, there are 32 connectors available and 1 is coming soon.

Find Azure Active Directory and select it. On the right-hand side, you will see its overview. Click Open Connector page.

Connecting it is very simple. All you have to do is click the Connect buttons and you're done.

  • So now, Azure Sentinel has access to the data from my Azure Active Directory.

After a while, you’ll see events, and possibly some incidents, on the overview tab. Right now, it shows me that 6 events have occurred. However, there aren’t any incidents yet.

You can visualize the data in the workbooks. Click Workbooks and from the given templates, choose Azure AD Audit Logs. Click Save.

Once it gets saved, click View Saved Workbook.

This shows all types of interesting data about my Azure Active Directory activity. You can use tools like Workbooks to gain more insights into your security data.

  • Azure Sentinel provides more tools to analyse data and identify security incidents.
  • You can hunt for them with queries.

You can do the hunting by writing queries in the Hunting tab.

You can use Azure Notebooks to explore and manipulate the data and identify threats.

From the Analytics tab, you can set up alerts for certain events and incidents. This helps you to act quickly if something happens.
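As an added example (not from the original post), here is the kind of KQL query you could run in the Hunting tab or wrap in an Analytics rule once the Azure Active Directory connector is feeding the SigninLogs table. It flags an IP address that produced many failed sign-ins and then a successful one within the same window; the lookback, window and threshold values are constructed assumptions to tune for your tenant.

```kql
// Constructed example: burst of failed sign-ins followed by a success from the same IP.
// Assumes the Azure AD connector populates the SigninLogs table in this workspace.
let lookback  = 1d;   // how far back to search
let window    = 1h;   // bucket size for counting failures
let threshold = 10;   // failures per IP per window before we care
// Step 1: count failed sign-ins per source IP per window.
// ResultType "0" means success; anything else is a failure code.
let failures = SigninLogs
  | where TimeGenerated > ago(lookback)
  | where ResultType != "0"
  | summarize FailedCount = count(),
              FirstFail   = min(TimeGenerated),
              LastFail    = max(TimeGenerated),
              TargetUsers = make_set(UserPrincipalName, 20)
      by IPAddress, bin(TimeGenerated, window)
  | where FailedCount >= threshold;
// Step 2: successful sign-ins in the same period.
let successes = SigninLogs
  | where TimeGenerated > ago(lookback)
  | where ResultType == "0"
  | project SuccessTime = TimeGenerated, IPAddress,
            SuccessUser = UserPrincipalName, AppDisplayName;
// Step 3: join on IP and keep successes that land within one window after the last failure.
failures
| join kind=inner successes on IPAddress
| where SuccessTime between (LastFail .. (LastFail + window))
| project IPAddress, FailedCount, FirstFail, LastFail,
          TargetUsers, SuccessUser, SuccessTime, AppDisplayName
| order by FailedCount desc
```

Saved as a scheduled Analytics rule, each row this returns becomes an alert you can triage from the Incidents blade.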

Then, you can automate your mitigation response with playbooks. Playbooks are Azure Logic Apps that contain a workflow to do something based on security information. Building one is the same as creating a regular Logic App.

  • Application and infrastructure security is extremely important to get right.
  • Azure Sentinel provides a threat detection and mitigation service that helps you to detect incidents and threats when they happen and helps you to solve them as effectively as possible.