What is Azure Sentinel?
Using Azure Sentinel, you can:
So, like I previously mentioned, Azure Sentinel helps you detect, alert on, investigate and resolve security incidents quickly.
Let’s see how we can use it.
Log in to the Azure portal and search for Azure Sentinel in the services. Select it.
Now before we go ahead, we need to add it to an Azure Log Analytics Workspace. So, click Connect Workspace.
Click Create a new Workspace.
Give the workspace a name. Create a new resource group for it. And choose the pay-as-you-go pricing tier.
Once the workspace gets created, click Add Azure Sentinel.
It will take you to this blade. This is Azure Sentinel. It can collect data from many sources and analyse it for security incidents and threats. It provides tools to investigate the data, create alerts and mitigate security threats.
In the current blade, click Connect under the Collect Data step.
There are many data sources to connect to out of the box: Microsoft data sources as well as third-party ones like Amazon Web Services. Right now, there are 32 connectors available and 1 is coming soon.
Find Azure Active Directory and select it. On the right-hand side, you will see its overview. Click Open Connector page.
Connecting it is very simple. All you have to do is click the connect buttons and it will be done.
After a while, you’ll see events, and possibly some incidents, on the overview tab. Right now, it shows me that 6 events have occurred. However, there aren’t any incidents yet.
You can visualize the data in the workbooks. Click Workbooks and from the given templates, choose Azure AD Audit Logs. Click Save.
Once it gets saved, click View Saved Workbook.
This shows all types of interesting data about my Azure Active Directory activity. You can use tools like Workbooks to gain more insights into your security data.
You can hunt for threats by running queries in the Hunting tab.
You can use Azure Notebooks to work with the data and identify threats.
From the Analytics tab, you can set up alerts for certain events and incidents. This helps you to act quickly if something happens.
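Here is an added example of the kind of query that the Hunting tab and an Analytics rule both run; it is not from the original post. It is written in KQL against a constructed `datatable` that stands in for the `SigninLogs` table the Azure Active Directory connector populates, so it runs in any Log Analytics query window without real data. The column names follow the real `SigninLogs` schema; the sample rows, the IP addresses, the failure threshold of 5 and the `Severity` labels are assumptions. To run it on live data, replace the `SigninSample` definition with `SigninLogs` and add a time filter such as `| where TimeGenerated > ago(1d)`.

```kusto
// Constructed stand-in for SigninLogs (assumed sample data, not real events).
// ResultType "0" is a successful sign-in; "50126" is the Azure AD code for
// invalid username or password.
let SigninSample = datatable(
    TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, ResultType:string, AppDisplayName:string)
[
    datetime(2020-01-01 09:00:00), "alice@contoso.example", "203.0.113.10", "0",     "Azure Portal",
    datetime(2020-01-01 09:05:00), "alice@contoso.example", "203.0.113.10", "50126", "Azure Portal",
    datetime(2020-01-01 09:10:00), "alice@contoso.example", "198.51.100.7", "50126", "Office 365",
    datetime(2020-01-01 09:10:30), "bob@contoso.example",   "198.51.100.7", "50126", "Office 365",
    datetime(2020-01-01 09:11:00), "carol@contoso.example", "198.51.100.7", "50126", "Office 365",
    datetime(2020-01-01 09:11:30), "dave@contoso.example",  "198.51.100.7", "50126", "Office 365",
    datetime(2020-01-01 09:12:00), "erin@contoso.example",  "198.51.100.7", "50126", "Office 365",
    datetime(2020-01-01 09:12:30), "frank@contoso.example", "198.51.100.7", "50126", "Office 365",
    datetime(2020-01-01 09:20:00), "frank@contoso.example", "198.51.100.7", "0",     "Office 365"
];
// Step 1: source addresses with many failed sign-ins across several accounts.
// Threshold of 5 is an assumption; tune it to your tenant's baseline.
let Failures = SigninSample
    | where ResultType != "0"
    | summarize FailedAttempts = count(),
                FirstFailure   = min(TimeGenerated),
                LastFailure    = max(TimeGenerated),
                TargetAccounts = make_set(UserPrincipalName)
              by IPAddress
    | where FailedAttempts >= 5;
// Step 2: successful sign-ins, so we can see whether a burst of failures
// from one address was followed by a success from the same address.
let Successes = SigninSample
    | where ResultType == "0"
    | project IPAddress, SuccessTime = TimeGenerated, SucceededAs = UserPrincipalName;
Failures
| join kind=leftouter Successes on IPAddress
| where isnull(SuccessTime) or SuccessTime > LastFailure
| extend DistinctAccounts = array_length(TargetAccounts)
| extend Severity = iff(isnotnull(SuccessTime),
                        "High: success after repeated failures",
                        "Medium: repeated failures only")
| project IPAddress, FailedAttempts, DistinctAccounts, TargetAccounts,
          FirstFailure, LastFailure, SucceededAs, SuccessTime, Severity
| order by FailedAttempts desc
```

On the sample rows, only 198.51.100.7 meets the threshold (6 failures against 6 accounts, then a success as frank), so it comes back as the single High row; 203.0.113.10 has one failure and is dropped. The same query body can be pasted into a new scheduled rule on the Analytics tab so that matches create alerts and incidents instead of just showing up in a hunting result.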
Then, you can automate your mitigation response with playbooks. Playbooks are Azure Logic Apps whose workflow carries out an action based on security information, such as an alert. Creating one is the same as creating a regular Logic App.