
Azure Sentinel and its Components


What is Azure Sentinel?

Azure Sentinel is a SIEM (Security Information and Event Management) and SOAR (Security Orchestration and Automated Response) system that is part of Microsoft's Azure public cloud platform. It provides a single platform for alert detection, threat visibility, proactive hunting and threat response. It collects data from different data sources, correlates it and visualizes the processed data in one dashboard, helping you collect, detect, investigate and respond to security incidents and threats.

In this way it provides intelligent security analytics and threat intelligence across the enterprise. It natively incorporates Azure Logic Apps and Log Analytics, which extend its capabilities, and it includes machine-learning capabilities that detect threat actors and suspicious behaviour, which substantially helps security analysts assess their environment.

It is easy to deploy in both single-tenant and multi-tenant scenarios. In a multi-tenant scenario it is deployed in each tenant and Azure Lighthouse is used to create a multi-tenant view across the tenants.

What are its different stages?

Azure Sentinel comprises four crucial areas or phases:

Collect Data

It can collect data from all devices, users, applications and infrastructure, both on-premises and spread across several cloud environments. It connects to security sources out of the box: many connectors for Microsoft solutions support real-time integration, and built-in connectors exist for third-party (non-Microsoft) products and solutions. Beyond that, Common Event Format (CEF), Syslog or a REST API can be used to connect the data sources you need.

Services that connect directly through out-of-the-box integration include Azure Active Directory, Azure Activity, Azure DDoS Protection, Azure AD Identity Protection, Azure Firewall, Azure Security Center, Azure Web Application Firewall, Office 365, Microsoft Defender for Identity, Amazon Web Services CloudTrail, Cloud App Security and many other Microsoft solutions.

Appliances and services that connect through an API include Okta SSO, Orca Security, Qualys VM, Citrix Analytics, Barracuda CloudGen Firewall, Perimeter 81 Logs, Proofpoint TAP and others.

It also connects to other data sources through agents. The Syslog protocol can be used for this purpose and enables live streaming of logs in real time. This is handled by the Azure Sentinel agent, i.e. the Log Analytics agent, which converts CEF-formatted logs into a form that can be queried from Log Analytics. External solutions supported through agents include Linux servers, DNS servers, Azure Stack VMs and DLP solutions.

Also supported are threat intelligence providers (MISP Open Source Threat Intelligence Platform, Anomali ThreatStream, Palo Alto Networks MineMeld, ThreatConnect Platform, ThreatQ Threat Intelligence Platform, etc.); endpoints, firewalls and proxies that support CEF (Check Point, F5 ASM, Palo Alto Networks, Zscaler, Cisco ASA, Fortinet and other CEF-based devices); and firewalls, proxies and other endpoints compatible with Syslog (Sophos XG, Symantec ProxySG, Pulse Connect Secure and other Syslog-based appliances).

It can also be used with Fluentd and Logstash to connect to and collect data and logs.
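CEF events collected through the agent land in the CommonSecurityLog table of the workspace. As an added hunting example (not from the original article), this KQL query baselines denied connections per source address over two weeks and flags the hours that spike far above that baseline; the DeviceAction strings are an assumption about how a given firewall fills the CEF action field.

```kql
// Added example: anomalous spikes in denied firewall connections per source address.
// The action strings are assumptions; check how your firewall populates DeviceAction.
let lookback = 14d;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceAction in~ ("deny", "drop", "block")
// One zero-filled time series of hourly denied-connection counts per source and vendor
| make-series DeniedCount = count() default = 0
    on TimeGenerated from ago(lookback) to now() step 1h
    by SourceIP, DeviceVendor
// Decompose each series into baseline + residual; Anomalies is +1/-1/0 for points
// whose residual exceeds the threshold (Tukey's fence k = 3, stricter than the default 1.5)
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(DeniedCount, 3.0)
| mv-expand TimeGenerated to typeof(datetime), DeniedCount to typeof(long),
            Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(double)
| where Anomalies == 1                      // keep only upward spikes
| project TimeGenerated, DeviceVendor, SourceIP, DeniedCount, Baseline, Score
| order by Score desc
```

Run it from the Hunting blade or a notebook; a hit is a starting point for a bookmark, not a verdict, since a new backup job or scanner can produce the same shape.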

Detection of threats

It can detect threats and limit false positives using analytics and threat intelligence straight from Microsoft. Azure Sentinel's Analytics plays a major role in correlating alerts into incidents for the security team. It provides built-in templates out of the box for building threat detection rules and automating responses, and it also lets you build custom rules. The four kinds of built-in template are:

Microsoft Security templates: this template automatically creates incidents in real time from alerts produced by other Microsoft security products.

Fusion template: this template can create only one rule and is enabled by default. It targets advanced multi-stage attacks, using scalable machine-learning algorithms to correlate many low-fidelity alerts and events from multiple products into high-fidelity, actionable incidents.

Machine Learning Behavioral Analytics templates: each template of this type can create only one rule. They are based on proprietary Microsoft machine-learning algorithms, and users cannot see the internal logic of the template or how often it runs.

Scheduled templates: these are the only templates that let you examine the query logic and alter it to suit your environment. Scheduled templates are scheduled analytics rules based on built-in queries developed by Microsoft; both the query logic and the scheduling parameters can be customized to design new rules.
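As an added example of the query logic behind a scheduled rule (constructed here, not one of Microsoft's templates), this KQL flags a source address that racks up many failed Azure AD sign-ins and then signs in successfully within the same window; the one-hour lookback and the failure threshold are assumed values to tune per environment.

```kql
// Added example of a scheduled analytics rule query: failed sign-in burst followed by success.
// Schedule it to run every hour with a one-hour lookback; the threshold is an assumed starting point.
let lookback = 1h;
let failureThreshold = 10;
// Failed sign-ins per source IP (ResultType "0" means success, anything else is an error code)
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize FailedCount = count(),
                TargetedAccounts = make_set(UserPrincipalName, 50),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by IPAddress
    | where FailedCount >= failureThreshold;
// Successful sign-ins in the same window
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress, UserPrincipalName, AppDisplayName;
failures
| join kind=inner successes on IPAddress
| where SuccessTime > LastFailure          // the success came after the burst of failures
| project FirstFailure, LastFailure, SuccessTime, IPAddress, FailedCount,
          TargetedAccounts, CompromisedAccount = UserPrincipalName, AppDisplayName
| order by FailedCount desc
```

In the rule wizard, map IPAddress to the IP entity and CompromisedAccount to the Account entity so the resulting incident carries both for investigation.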

Investigating suspicious activities

It can investigate and hunt for suspicious activities across the environment, reducing noise and searching for threats based on the MITRE framework. It uses artificial intelligence to proactively identify threats on protected assets before an alert is triggered. When using it for investigation and hunting, you can make use of the following capabilities:

Built-in queries: created by Microsoft, these can be used to familiarize yourself with the tables and the query language. You can also develop new queries and refine existing ones to improve your ability to detect.

Powerful query language with IntelliSense: built on a query language that gives you the flexibility you need to take your hunting capabilities up a notch.

Create bookmarks: you can bookmark the findings you make during a hunt so you can revisit them later and create an incident for further investigation.

Use notebooks to automate investigation: notebooks act as step-by-step guides, resembling playbooks. They can be designed to track the various steps involved in an investigation or hunt, and they record all the actions of the hunt in a portable playbook that can be shared with other members of your team.

Query the stored data: the stored data and the data Sentinel generates are available as tables that can easily be queried.

Links to the community: the Azure Sentinel GitHub community is the best place to find additional queries and data sources.

Respond

It responds smoothly and quickly using built-in orchestration, and routine tasks can easily be converted into automation. Simple security orchestration is built with playbooks. It can also create tickets in ServiceNow, Jira, etc. when an incident occurs.

What are the key components?

There are nine important Azure Sentinel components:

Dashboards: built-in dashboards display data gathered from the different data sources, giving security personnel insight into the types of events generated by those services.

Cases: a case is the set of all relevant evidence belonging to a specific investigation. A case contains one or more alerts based on the analytics defined for the client's environment.

Hunting: an extremely effective component for security analysts and threat hunters. It is responsible for carrying out proactive threat hunting across the whole environment to analyze and detect security threats. KQL (Kusto Query Language) enhances its search capabilities, and its machine-learning capabilities detect suspicious behaviours such as abnormal traffic patterns in firewall data, suspicious authentication patterns and resource creation anomalies.

Notebooks: these add flexibility and expand what can be done with the collected data by providing out-of-the-box connectivity to Jupyter Notebooks, which come with a built-in set of libraries and modules for machine learning, embedded analytics, visualization and data analysis.

Data connectors: built-in connectors ease data ingestion from Microsoft products and solutions as well as partner solutions.

Playbooks: a playbook is a collection of actions executed in response to an alert trigger. Playbooks are based on Azure Logic Apps, so the user gets the flexibility, capabilities, customizability and templates built into Logic Apps to automate and orchestrate tasks and workflows, which can be configured to run manually or automatically when specific alerts are triggered.

Analytics: analytics lets users create custom alerts using Kusto Query Language (KQL).

Community: the Azure Sentinel community page on GitHub has detections based on different data sources. Users can use them to create alerts and respond to threats in their environments. The community page also includes sample hunting queries, security playbooks and other artifacts.

Workspace: a workspace, or Log Analytics workspace, is a container that holds data and configuration information. Sentinel uses this container to store data gathered from the various data sources. You can either create a brand new workspace or use an existing one to store the data. A dedicated workspace is helpful, however, because alert rules, investigations and alerts cannot operate across different workspaces.


A Log Analytics workspace provides these features:

A geographical location for data storage.

Data isolation, by granting access rights to different users according to Log Analytics' recommended design practices for workspaces.

The ability to set configuration options such as pricing tier, retention and data capping.

What is the best way to deploy it?

It uses Azure's Role-Based Access Control (RBAC) authorization model, which lets administrators set the level of access according to different requirements and permissions. Three built-in roles are available:

Reader: users assigned this role can view incidents and data but cannot make modifications.

Responder: users assigned this role can view the data and incidents and take some actions on incidents, such as assigning them to another user or altering the severity of an incident.

Contributor: users assigned this role can view incidents and data, perform certain actions on incidents, and create or delete analytic rules.

To deploy it, you need Contributor permissions on the subscription in which the Azure Sentinel workspace lives. To give different teams access appropriate to their work, use the RBAC model to assign specific permissions to groups.

How does Azure Sentinel differ from Azure Security Center?

Azure Security Center is a cloud-based workload protection platform designed to address the particular requirements of server workload protection in today's hybrid data center architectures. Azure Sentinel, by contrast, is a cloud-native SIEM that analyses event data in real time to help detect targeted attacks and data breaches, and to gather, store, analyze and react to security-related events.

What is Azure Security Center?

Put simply, Azure Security Center deals with the configuration of your Azure assets according to best practices, and with detecting bad actors and blocking unauthorized access to your data. If you want to use Azure Security Center and Azure Sentinel at the same time, make sure not to use the default workspace created by Azure Security Center for Sentinel, because Sentinel cannot be enabled on that default workspace.

How can you identify security threats?

Azure Sentinel offers four different ways of hunting for security threats.

Hunting with Jupyter Notebooks: using Jupyter Notebooks for hunting extends the range of analysis that can be performed on the collected data. The Kqlmagic library provides the features needed to run Azure Sentinel queries directly inside a notebook. Azure also offers Azure Notebooks, a built-in Jupyter Notebook service for the Azure environment that lets users store, share and execute notebooks.

Hunting with bookmarks: bookmarks let you save the queries you ran and their results. You can also add notes and tags to your bookmarks for reference. Bookmarks are visible in the HuntingBookmark table in your Log Analytics workspace, which lets you sort and join bookmarked information with other data sources, making it simple to search for evidence that supports your hypothesis.
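As an added example (not from the original article) of joining bookmarked findings with other data, this KQL takes bookmarks the analyst tagged, pulls the IP address out of each bookmarked result row and checks for later Azure AD sign-ins from that address; the tag value and the assumption that the bookmarked query returned an IPAddress column are constructed for this illustration.

```kql
// Added example: pivot from tagged hunting bookmarks into subsequent sign-in activity.
// Assumes the analyst tagged the bookmarks "compromised" and that the bookmarked
// query rows contain an IPAddress column (QueryResultRow is a dynamic copy of the row).
HuntingBookmark
| where Tags has "compromised"
| extend BookmarkedIP = tostring(QueryResultRow.IPAddress)
| where isnotempty(BookmarkedIP)
// Keep the most recent row per bookmark in case it was updated after creation
| summarize arg_max(TimeGenerated, Notes, EventTime) by BookmarkedIP, BookmarkName
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(30d)
    | project SignInTime = TimeGenerated, IPAddress, UserPrincipalName, ResultType, AppDisplayName
  ) on $left.BookmarkedIP == $right.IPAddress
| where SignInTime > EventTime             // only activity after the bookmarked finding
| summarize SignIns = count(),
            SuccessfulSignIns = countif(ResultType == "0"),
            Accounts = make_set(UserPrincipalName, 20),
            Apps = make_set(AppDisplayName, 20)
    by BookmarkedIP, BookmarkName, Notes, EventTime
| order by SuccessfulSignIns desc
```

Any row with successful sign-ins after the bookmarked event is a candidate for promotion from bookmark to incident.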

Hunting with Livestream: hunting Livestream creates interactive sessions that let you:

Test newly created queries as events occur.

Be alerted when threats are detected.

Launch investigations involving an asset, such as a host or user.

Livestream sessions can be created from any Log Analytics query.

Managing hunting and Livestream queries with the REST API: you can use the Log Analytics REST API to manage hunting and Livestream queries. Such queries appear in the Azure Sentinel UI.

Conclusion

Azure Sentinel is a scalable cloud-based tool that helps detect, identify, investigate and respond to threats. It enables users to catch potential problems earlier and uses machine learning to reduce threats and capture unusual behaviours. IT professionals save time and effort on maintenance. It helps monitor an environment from the cloud to on-premises workstations and personal devices.