What exactly is Azure Sentinel?
Azure Sentinel (since renamed Microsoft Sentinel) is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) service that runs in Microsoft Azure. It provides a single place for alert detection, threat visibility, proactive hunting and threat response. It collects data from many sources, correlates it and visualizes the result in one portal, so it helps you collect data and detect, investigate and respond to security incidents and threats.
This gives you security analytics and threat intelligence across the whole enterprise. It is natively integrated with Azure Logic Apps (for automation) and Log Analytics (for storage and querying), which extend its capabilities. It also ships with machine-learning-based detections that surface suspicious behaviour and likely threat actors, which helps analysts investigate their environment.
It is straightforward to deploy in single- or multi-tenant scenarios. In a multi-tenant setup it is enabled on a workspace in each tenant, and Azure Lighthouse provides a consolidated view across those tenants.
What are the phases in it?
The four key areas or phases in Azure Sentinel are as follows:
Collect Data
It collects data at cloud scale across users, devices, applications and infrastructure, both on-premises and in the cloud. It connects to security services out of the box: many connectors for Microsoft solutions provide real-time integration, and there are built-in connectors for non-Microsoft products as well. Any other source can be connected using Common Event Format (CEF), Syslog or a REST API.
Services with an out-of-the-box (service-to-service) integration include Azure Active Directory, Azure Activity, Azure DDoS Protection, Azure AD Identity Protection, Azure Firewall, Azure Security Center, Azure Web Application Firewall, Office 365, Microsoft Defender for Identity, Amazon Web Services CloudTrail, Microsoft Cloud App Security and many other Microsoft solutions.
Products such as Okta SSO, Orca Security, Qualys VM, Citrix Analytics, Barracuda CloudGen Firewall, Perimeter 81 Logs and Proofpoint TAP connect through their vendors' APIs.
Other data sources are connected through an agent. The Azure Sentinel agent is the Log Analytics agent: it receives messages over the Syslog protocol, which allows logs to be streamed in real time, and forwards CEF-formatted events into the CommonSecurityLog table (plain Syslog goes to the Syslog table) where they can be queried with Log Analytics. Sources connected this way include Linux servers, DNS servers, Azure Stack VMs and DLP solutions.
Threat intelligence platforms (MISP, Anomali ThreatStream, Palo Alto Networks MineMeld, ThreatConnect, ThreatQ and others) connect through the Threat Intelligence Platforms connector. Firewalls, proxies and endpoints that emit CEF (Check Point, F5 ASM, Palo Alto Networks, Zscaler, Cisco ASA, Fortinet and other CEF-based devices) and those that emit plain Syslog (Sophos XG, Symantec ProxySG, Pulse Connect Secure and other Syslog-based devices) connect through the agent.
Fluentd and Logstash can also be used to collect and forward logs into it.
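The agent-based CEF path above turns each CEF line into a row of the CommonSecurityLog table. The parser below is an added example, not Microsoft's code, that models that step offline: it strips the optional syslog prefix, splits the seven pipe-delimited header fields while honouring `\|` escapes, parses the `key=value` extension while honouring `\=` escapes, and maps well-known extension keys to their CommonSecurityLog column names (the `EXTENSION_TO_COLUMN` table is a subset of the documented mapping; the sample lines are constructed, not captured from real devices).

```python
"""CEF line -> CommonSecurityLog-style record (added example, not Microsoft code)."""
import re

HEADER_COLUMNS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity")

# CEF extension key -> CommonSecurityLog column (subset of the documented mapping).
EXTENSION_TO_COLUMN = {
    "src": "SourceIP", "spt": "SourcePort", "dst": "DestinationIP",
    "dpt": "DestinationPort", "proto": "Protocol", "act": "DeviceAction",
    "suser": "SourceUserName", "duser": "DestinationUserName",
    "shost": "SourceHostName", "dhost": "DestinationHostName",
    "msg": "Message", "app": "ApplicationProtocol",
    "cs1": "DeviceCustomString1", "cs1Label": "DeviceCustomString1Label",
}

_CEF_PREFIX = re.compile(r"CEF:(\d+)\|")
# A key is a run of key characters preceded by start-of-string or whitespace and
# followed by an unescaped '='. An escaped '=' is written '\=' and '\' is not a
# key character, so an escaped '=' can never be taken for a key boundary.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")

# Constructed sample lines (not captured from real devices).
SAMPLE_LINES = [
    "<134>Jan 12 10:15:22 fw01 CEF:0|Cisco|ASA|9.12|106023|Deny tcp|5|"
    "src=10.1.1.5 spt=51234 dst=203.0.113.9 dpt=445 proto=TCP act=deny "
    "msg=Deny tcp src inside:10.1.1.5/51234 dst outside:203.0.113.9/445",
    r"CEF:0|Palo Alto Networks|PAN-OS|10.1|THREAT|vulnerability|8|"
    r"src=198.51.100.7 dst=10.0.0.20 dpt=443 cs1Label=Rule cs1=Block\=Inbound "
    r"msg=SQL injection attempt\\ path\=/login",
    r"CEF:0|Vendor\|Co|WebGW|1.0|100|Login \| failed|3|suser=alice shost=gw01",
]


def _unescape(value):
    """Resolve CEF escapes: '\\\\' -> '\\', '\\=' -> '=', '\\|' -> '|', '\\n', '\\r'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_header(text):
    """Split the six header fields after 'CEF:<ver>|' (honouring '\\|') and
    return (fields, remaining extension text)."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < len(HEADER_COLUMNS):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) == len(HEADER_COLUMNS) - 1 and cur:  # no extension, no trailing pipe
        fields.append("".join(cur))
    if len(fields) != len(HEADER_COLUMNS):
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, text[i:]


def _parse_extension(ext):
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse one (optionally syslog-prefixed) CEF line into a flat record."""
    m = _CEF_PREFIX.search(line)
    if m is None:
        raise ValueError("not a CEF message")
    fields, ext = _split_header(line[m.end():])
    record = {"SyslogPrefix": line[:m.start()].strip(), "CefVersion": int(m.group(1))}
    record.update(zip(HEADER_COLUMNS, fields))
    record["AdditionalExtensions"] = {}   # unmapped keys are kept, not dropped
    for key, value in _parse_extension(ext).items():
        column = EXTENSION_TO_COLUMN.get(key)
        if column:
            record[column] = value
        else:
            record["AdditionalExtensions"][key] = value
    return record


def parse_lines(lines):
    """Parse a batch; returns (records, lines that were not valid CEF)."""
    records, rejected = [], []
    for line in lines:
        try:
            records.append(parse_cef(line))
        except ValueError:
            rejected.append(line)
    return records, rejected


if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES)[0]:
        print(rec["DeviceVendor"], rec["DeviceEventClassID"], rec["Activity"],
              rec.get("SourceIP"), rec.get("DestinationPort"), rec.get("Message"))
```

The check a practitioner wants here is that escaped delimiters survive: a vendor name containing `|` or a message containing `=` must land in the right column rather than shifting every later field, because analytics rules written against `SourceIP` or `DeviceAction` silently miss events whose columns are misaligned. Lines that fail to parse are returned separately so they can be counted and alerted on rather than lost.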
Find threats
It detects threats and reduces false positives using analytics and threat intelligence from Microsoft. The Analytics component correlates alerts into incidents for the security team to work on. It ships with built-in rule templates for detecting threats and automating the response, and you can also write custom rules. The four types of built-in template are listed below:
Microsoft Security templates: rules created from this template turn alerts generated by other Microsoft security products into Azure Sentinel incidents in real time.
Fusion template: this template can create only one rule, and it is enabled by default. It implements advanced multistage attack detection, using scalable machine-learning algorithms to correlate many low-fidelity alerts and events from several products into high-fidelity, actionable incidents.
Machine Learning Behavioral Analytics templates: each of these templates can create only one rule. They are built on proprietary Microsoft machine-learning algorithms; the logic of the template and how often it runs are not visible to the user.
Scheduled templates: the only template type whose query logic can be inspected and modified to fit the environment. Scheduled templates are scheduled analytics rules based on built-in KQL queries written by Microsoft; both the query logic and the scheduling settings (how often the rule runs and how far back it looks) can be customised to create new rules.
Investigate suspicious activities
It lets you investigate and track suspicious activity across the environment. It cuts through the noise and hunts for threats using detections mapped to the MITRE ATT&CK framework, and uses machine learning to flag suspicious activity on protected assets before an alert fires. For investigation and hunting you can use the following features:
Built-in queries: developed by Microsoft to familiarise you with the tables and the query language. You can also create new queries or modify existing ones to improve detection coverage.
Powerful query language: hunting is built on Kusto Query Language (KQL), which gives you the flexibility to take your searches further.
Bookmarks: you can bookmark findings made during a hunt so that you can return to them later and promote them into an incident for investigation.
Notebooks for investigation: notebooks are like a step-by-step playbook. You can build them to record the steps of a hunt or investigation; the notebook then captures the whole process in a reusable form that can be shared with other members of your team.
Access to the stored data: the data ingested by and generated from it is stored in tables that are easy to query.
Link to the community: the Azure Sentinel GitHub community is the best place to look for additional queries and data connectors.
Respond
It responds quickly to incidents using the built-in orchestration, and routine, repetitive tasks can be automated. Simple security orchestration is built with playbooks, which can, for example, open tickets in ServiceNow or Jira when an incident is created.
What are the most important elements?
Here are the nine important Azure Sentinel components.
Dashboards: built-in dashboards (workbooks) display the data gathered from the connected sources, giving security staff a better understanding of the activity those services generate.
Cases: a case (now called an incident) is the collection of all evidence relevant to a particular investigation. A case contains one or more alerts generated by the analytics rules the user has defined.
Hunting: a powerful tool for security and threat analysts. It is used for proactive threat hunting across the whole environment to identify and analyse security threats. Kusto Query Language (KQL) drives its search capabilities, and its machine-learning capabilities help detect suspicious behaviour, for example abnormal traffic patterns in firewall data, suspicious authentication patterns, and anomalies in resource creation.
Notebooks: extend what you can do with the collected data through out-of-the-box integration with Jupyter notebooks and a built-in collection of modules and libraries for machine learning, visualisation and data analysis.
Data connectors: built-in connectors ease data ingestion from Microsoft products and services as well as partner solutions.
Playbooks: a playbook is a set of procedures run in response to an alert or incident. Playbooks are built on Azure Logic Apps, so you get the flexibility, customisation and built-in templates of Logic Apps. They automate and orchestrate workflows and can be configured to run manually or automatically whenever certain alerts fire.
Analytics: lets you create custom alert rules using Kusto Query Language (KQL).
Community: the Azure Sentinel GitHub community page contains detections based on various data sources, which you can use to create alerts and respond to threats in your environment. It also contains sample hunting queries, security playbooks and other documentation.
Workspace: a Log Analytics workspace is the container that holds the ingested data and the configuration. You can create a new workspace or use an existing one. A dedicated workspace is advisable because analytics rules and investigation do not operate across workspaces.
A Log Analytics workspace provides the following:
A geographic location for data storage.
Data isolation, by granting access rights to different users according to the recommended workspace design for Log Analytics.
Configuration options such as the pricing tier, data retention and a daily data cap.
How do you deploy it?
It uses Role-Based Access Control (RBAC) so that administrators can assign granular permissions according to different needs. Three built-in roles are available:
Reader: users with this role can view data and incidents but cannot make changes.
Responder: users with this role can view incidents and their data and take certain actions on incidents, such as assigning them to another user or changing their severity.
Contributor: users with this role can view incidents and their data, take actions on incidents, and create or delete analytics rules.
To enable it you need Contributor permissions on the subscription in which the Azure Sentinel workspace resides. To give different teams the access their work requires, use RBAC to grant the appropriate role to each group.
How does it differ from Azure Security Center?
Azure Security Center is a cloud workload protection platform that focuses on the specific requirements of protecting server workloads in today's hybrid data centres. Azure Sentinel, by contrast, is a cloud-native SIEM that analyses event data in real time to detect the early signs of targeted attacks and data breaches, and to collect, store, analyse and respond to security incidents.
What exactly is Azure Security Center?
In simple terms, Azure Security Center assesses the configuration of your Azure assets against best practices; it identifies bad actors and blocks unauthorised access to your data. If you deploy Azure Security Center and Azure Sentinel together, make sure you do not use the default workspace created by Azure Security Center for Azure Sentinel, because Azure Sentinel cannot be enabled on that default workspace.
How do you find security threats?
There are four ways to hunt for security threats with Azure Sentinel:
Hunting with Jupyter notebooks: using Jupyter notebooks for hunting expands what can be analysed from the collected data. The Kqlmagic library provides what is needed to run Azure Sentinel (KQL) queries directly in the notebook. Azure Notebooks (since retired in favour of Azure Machine Learning notebooks) is a hosted Jupyter environment for Azure that can be used to store, share and run notebooks.
Hunting with bookmarks: bookmarks preserve the queries you ran and the results you obtained, and you can add tags and notes to them for reference. Bookmarked results are also written to the HuntingBookmark table in your Log Analytics workspace, so you can join and filter bookmarked data with other data sources, which makes it easy to find supporting evidence.
Hunting with Livestream: hunting Livestream creates interactive sessions that let you:
Test new queries as events occur.
Get notified when threats occur.
Launch investigations involving entities such as a host or a user.
Livestream sessions can be created from any Log Analytics query.
Managing hunting and Livestream queries with the REST API: the Log Analytics REST API can be used to manage hunting and Livestream queries, which then appear in the Azure Sentinel UI.
Conclusion
Azure Sentinel is a scalable, cloud-native tool that helps you detect, investigate and respond to threats. It surfaces potential issues earlier, uses machine learning to reduce noise and identify unusual behaviour, and saves IT staff the time and effort of maintaining SIEM infrastructure. It can monitor an entire ecosystem, from cloud services and on-premises systems to workstations and personal devices.