Data is the key, and security is the topmost concern for every organization. It nearly is impossible to properly analyze and resolve high volumes of security alert generated by the systems in order to smartly combat and respond to the increasingly sophisticated attacks.
There are so many Security Information and Event Management (SIEM) products in the market today, but they all lack modern capabilities to integrate with multitude of data sources at one time to help investigate, analyze, and respond to the actionable insights as per the results post analysis. This is where Azure Sentinel comes into picture.
In this article, we will cover the following
- What is Azure Sentinel?
- Azure Sentinel Core Features
- Additional Key Features of Azure Sentinel
- Create and Configure Azure Sentinel
What is Azure Sentinel?
Azure Sentinel is a cloud-native solution that helps in building next generation security operations with cloud and leveraging artificial intelligence (AI). Azure Sentinel is a robust security information event management (SIEM) and security orchestration automated response (SOAR) solution that provides intelligent security analysis and threat intelligence across enterprise. It helps to foresee and stop threats before they can occur and cause severe damages.
Azure Sentinel can be connected to different data sources across the entire organization. The data sources range from users, to devices, to different databases, to apps, and even to data from different tenants and clouds. Being cloud-native, it unleashes the security operations team from the overhead of monitoring, maintaining, and scaling the infrastructure, and provides high performance and speeds to complement your security needs. Most importantly, it is not as expensive to own and operate as other SIEM tools. You pay for what is used, and is billed based on the volume of data ingested for analysis. This data is stored in the azure Monitor Log Analytics workspace.
Azure Sentinel is built on the complete range of Azure services, and as already mentioned, it enriches investigation and threat detection with artificial intelligence (AI). It also enables you to bring your own threat intelligence, thereby, providing rich user experience.
At times there are questions asking the difference between Azure Sentinel and Azure Security Center. Azure Security Center is a cloud workload protection platform that targets the unique requirements of server workload protection in modern hybrid scenarios. Azure Sentinel on the other hand is a cloud-native SIEM and SOAR solution to analyze event data in real time for early detection and prevention of targeted attacks and data breaches. Azure Sentinel takes proactive approach to identify threats, as compared to Azure Security Center, which takes a reactive approach.
Azure Sentinel Core Features
Microsoft’s objective to re-engineer the SIEM tool was to enable the organizations focus and invest in security alone and not in infrastructure setup and maintenance. Azure Sentinel comes with the following distinct and prominent features.
- Collect data at cloud scale –
Azure sentinel is purely cloud based. Built on log-analytics, Azure Sentinel comes with amazing scaling capabilities that allows connectivity to wide variety of data sources for collection of data. This can be from O365, different applications, across all users, different subscriptions as well as from other clouds. There are connectors available that can be leveraged to connect to these different data sources.
- Detect previously uncovered threats –
Azure Sentinel detects previously uncovered threats and also minimizes false positives using analytics and threat intelligence from Microsoft. It thereby greatly reduces the effort spent by the security teams in investigating alerts that are raised, but are not real incidents.
- Investigate threats with artificial intelligence –
Azure Sentinel uses artificial intelligence for threat investigation and looks for any suspicious activities at scale. Microsoft brings over its own cybersecurity experience with Azure Sentinel.
- Respond to incidents and events rapidly –
The artificial intelligence (AI) makes Azure Sentinel respond to the threat incidents and events rapidly with. There are many possibilities to hunt for threats and orchestrate the responses accordingly. Open-source applications like Jupyter notebook can also be used.
Additional Key Features of Azure Sentinel
Apart from the above core features, there are certain other features, which are equally important and are worth mentioning.
- Intelligent built-in queries –
Azure Sentinel has numerous built-in queries that can be leveraged by non-technical users for easily reviewing common attacks.
- Built-in artificial intelligence –
As already mentioned above, Azure Sentinel has built in artificial intelligence to proactively detect real threats, investigate, analyze, and respond in order to mitigate the issues quickly.
- Threat hunting using bookmarks –
Azure Sentinel provides the ability to bookmark suspicious events in order to easily refer and investigate such events in the future. These HuntingBookmark can be used to visualize data directly from the bookmark tab and promote it to incidents in case there is need.
- Easy Installation –
Azure Sentinel is a very easy to install Security Information Event Management (SIEM) tool. Infrastructure setup is very easy and it does not require any complex installation.
Now that you clearly understand the features of Azure Sentinel, there are a few more points that must be understood. These points are related to analytics, security automation & orchestration, and community.
As already mentioned, Azure Sentinel has built-in artificial intelligence that provides machine learning rules to detect and report anomalies across all the data sources configured. It is also possible to create your own rules using the built-in rules. Analytics helps in connecting the dots, i.e., it has the ability to combine small alerts into a potentially high security incident and proactively reports it to the security responders.
Security Automation & Orchestration
Azure Sentinel has the concept of playbooks. These playbooks are built on the foundation of Azure logic apps and helps simplify security orchestration by automating the recurring common tasks. As with the machine learning analytics rules, there are prebuilt playbooks with 200+ connectors that also allows to apply custom logic. One common example you will find across different Microsoft documentations is that of ServiceNow, where you can use the logic apps to open a ticket in ServiceNow every time a new threat is detected within the services and other workloads in the organization.
Azure Sentinel community is an ever-growing resource, where the security analysts constantly add mew workbooks, playbooks, hunting queries, etc. that can be used within our own environment. It is an open-source community to facilitate collaboration among customers and partners using GitHub. Therefore, these can be downloaded from the GitHub repository. You can also use them to create custom your own custom version that suits your requirement.