
Guide For Azure Sentinel: Intelligence and Threat Detection

Posted by Roger Padgett on Jun, 30, 2021 06:06

When talking about Security Information and Event Management (SIEM), Azure Sentinel remains a top option. In addition, it offers strong security through automation, analytics, and Artificial Intelligence (AI).

In today’s organizations, security plays a critical role in cloud infrastructure. Ensuring cybersecurity is often a complicated task, since it involves deploying large, resource-intensive solutions.

From the start, you have to realize that cloud management is complex. You need to deal with operational processes, surfacing insights at scale, and investigating incidents. Fortunately, Microsoft’s Azure Sentinel is here to help you address these challenges along the way.

If you are unfamiliar with SIEMs and Azure Sentinel, this beginner’s guide is for you!

What is SIEM (Security Information and Event Management)?

Individuals and organizations find it hard to monitor all the logs generated daily. That is why SIEM solutions are critical: they capture all that data and provide a comprehensive view of the business’s information security.

SIEM combines two essential technologies: Security Information Management (SIM) and Security Event Management (SEM). SIM is responsible for collecting logs and data for careful analysis and reporting on cybersecurity events and threats. SEM is designed to monitor events and logs and perform correlation between them.

Additionally, a SIEM generates a large volume of incidents and alerts, which is where Security Orchestration, Automation, and Response (SOAR) comes in. Security analysts have a tough time reviewing all those events and alerts and managing them. SOAR helps companies design workflows and bring in playbooks for quick response to security threats. Together, SIEM and SOAR deliver the automation capabilities organizations need to meet today’s security demands.

[Image: AI automation and threat detection in Azure]

What is Azure Sentinel?

Microsoft’s Azure Sentinel is a SIEM and SOAR solution that is cloud-native and scalable. It delivers threat intelligence and security analytics across an organization. It offers a single hub dedicated to proactive hunting, threat response, alert detection, and threat visibility.

With its advanced SIEM and SOAR features, Azure Sentinel helps keep an organization secure against different cyber threats and attacks. It collects data at cloud scale from infrastructure, users, applications, and devices, both on-premises and across multiple clouds.

Azure Sentinel makes security in Azure more accessible and more scalable to manage. It brings together the latest in advanced AI and security innovation, so your organization’s IT estate can reap the advantages of real-time intelligent security analytics using Azure Consulting services.

Azure Sentinel Security Pillars

With Azure Sentinel and Azure Security Center, you consume security-related data not only from sources within your Microsoft tenant but from almost any source. That removes the requirement to manage multiple costly and complex infrastructure components while delivering an easy-to-scale cloud platform.

In a nutshell, the Sentinel security solution allows you to:

  • Respond: Azure Sentinel enables you to react quickly but calmly through built-in automated responses and processes.
  • Investigate: Since Sentinel comes with AI capabilities, hunting for and investigating suspicious activities and identifying threats at scale is a lot easier.
  • Detect: Azure Sentinel can recognize previously undetected threats. It also minimizes false positives using Microsoft’s threat intelligence and analytics.
  • Collect: With Azure Sentinel, collecting data at cloud scale across infrastructure, applications, devices, and users, both on-premises and across multiple clouds, is a straightforward process.

[Image: Azure Sentinel investigation]

Azure Sentinel Deployment 

Now, it’s time for you to learn how to deploy Azure Sentinel.

Workspace 

First, you have to create a Log Analytics workspace. Follow the steps below:

  • Log in to portal.azure.com
  • Search for Azure Sentinel and click the “Create” option
  • Create a new workspace, or, if you have an existing Log Analytics workspace, select its Subscription and Resource Group
  • After the workspace is created, the Azure Sentinel dashboard will appear

If you are new to Azure Sentinel, you may find it overwhelming. However, you will quickly get familiar with the different elements in the dashboard.

Data Connectors 

After the workspace is created, set up the data connectors. You can start with the free data ingestion connectors such as Office 365 and Azure Active Directory.

  • On the Azure Sentinel dashboard, select the “Data Connectors” option
  • From the left panel, look for the “Azure Active Directory” option and select it
  • Click the “Open Connectors Page” option in the bottom right corner

From there, you will see the data ingested and full details. The connector’s description is in the left panel, and below it you will see the Data Types. The right panel lists the Prerequisites, i.e., the changes you need to make before the connector works.

[Image: Connecting with other data sources]

Analytic Rules 

If you are not familiar with analytic rules, they are Kusto Query Language (KQL) queries scheduled to run at set intervals. Every time an analytic rule returns results, it creates an incident with the severity specified by the rule. From there, analysis takes place.

Analytic rules run constantly against the ingested data, looking for useful signals. Below is how to add analytic rules and what to look for:

  • From the left panel, select the “Analytics” option, which opens on the “Active rules” tab
  • At the top of the middle window, select the “Rule templates” option
  • On the right panel, you will see all the details and the description associated with a specific rule
  • At the top, you will see the rule type, such as “Scheduled”, and the severity, such as “Medium”
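As an added example (not from the original article), the following KQL query is the kind of detection a scheduled analytic rule runs: it flags an account that had at least ten failed Azure AD sign-ins within the last hour followed by a successful sign-in, a common password-guessing pattern. It assumes the Azure Active Directory connector is feeding the SigninLogs table; the threshold and the two error codes it checks (50126 for invalid credentials, 50053 for a locked account) are my choices and can be tuned.

```kusto
// Added example: scheduled analytic rule query (not from the original article).
// Suggested rule settings: run every 1 hour, look back 1 hour, create an
// incident when the query returns more than 0 results, severity Medium.
let threshold = 10;      // minimum failed sign-ins before we care (tunable)
let lookback = 1h;       // must match the rule's "lookup data from the last" setting
// Step 1: accounts with many failed sign-ins in the window.
// ResultType is a string in SigninLogs; 50126 = invalid credentials, 50053 = account locked.
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in ("50126", "50053")
    | summarize FailedCount = count(),
                FailedIPs = make_set(IPAddress, 20),
                FirstFailure = min(TimeGenerated)
              by UserPrincipalName
    | where FailedCount >= threshold;
// Step 2: a successful sign-in by the same account after the failures began.
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| join kind=inner failures on UserPrincipalName
| where TimeGenerated > FirstFailure
| project SuccessTime = TimeGenerated,
          UserPrincipalName,
          SuccessIP = IPAddress,
          AppDisplayName,
          FailedCount,
          FailedIPs,
          FirstFailure
| order by SuccessTime desc
```

When you save this as a scheduled rule, map UserPrincipalName to an Account entity and SuccessIP to an IP entity in the rule’s entity mapping, so the incident it creates shows the affected account and source address directly. A success from an address that does not appear in FailedIPs is worth a closer look during investigation, since it may simply be the legitimate user signing in while someone else guesses their password.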

Hunting Rules 

Hunting rules are similar to analytic rules, except that they are not scheduled to run over time and do not create incidents. This means you can run all the queries at once and review the results, making them an excellent technique for hunting and looking behind the scenes of your environment.

Beside each rule, you can click the “star” icon to bookmark it so that you can keep the critical ones as a priority. You can also convert a hunting rule into an analytic rule if you want it to run on a schedule.

Azure Sentinel enables you to view the tactics associated with each hunting rule, the total results, and data sources.
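As an added example of a hunting query (not from the original article), the following KQL lists successful Azure AD sign-ins during the last day from a country the user has never signed in from during the previous 30 days. It is run on demand rather than on a schedule and creates no incident; it assumes the SigninLogs table is populated by the Azure Active Directory connector, and the 30-day baseline and 1-day window are my choices.

```kusto
// Added example: hunting query (not from the original article), run on demand.
// Baseline: where each user has successfully signed in from during the last 30 days,
// excluding the most recent day so that new activity is compared against history only.
let baselineDays = 30d;
let recent = 1d;
let knownLocations = SigninLogs
    | where TimeGenerated between (ago(baselineDays) .. ago(recent))
    | where ResultType == "0"                // "0" = successful sign-in
    | where isnotempty(Location)             // Location is the two-letter country code
    | summarize by UserPrincipalName, Location;
// Candidates: successful sign-ins in the last day from a country the user
// has not signed in from during the baseline period (leftanti keeps only the new pairs).
SigninLogs
| where TimeGenerated > ago(recent)
| where ResultType == "0"
| where isnotempty(Location)
| join kind=leftanti knownLocations on UserPrincipalName, Location
| summarize FirstSeen = min(TimeGenerated),
            SignInCount = count(),
            SourceIPs = make_set(IPAddress, 10),
            Apps = make_set(AppDisplayName, 10)
          by UserPrincipalName, Location
| order by FirstSeen desc
```

In the hunting blade this query would be tagged with the Initial Access tactic and Azure AD as its data source. Results are leads, not verdicts: a single new country for a travelling user is normal, while several users appearing from the same new country and IP address in one day is the kind of result worth bookmarking and, if it recurs, promoting to a scheduled analytic rule.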

Workbooks 

Workbooks are considered one of Azure Sentinel’s critical features. They present logs as tables and graphs, making it easier to check the environment than by typing large log queries by hand.

Azure Sentinel comes with 90-100 workbook templates for various table schemas, including third-party sources. To add a new workbook:

  • Go to the Azure Sentinel dashboard and select the “Workbooks” option from the left menu
  • Look for the workbook you want to add
  • Click the “Save” button in the bottom right corner

The new workbook is saved in the “My Workbook” tab. From there, you can quickly view it and even customize or edit it.

Below are some of the workbooks you should check out:

  • Workspace Audit 
  • Insecure Protocols 
  • Azure AD Activity and Audit 
  • Azure Key Vault Security 
  • Cybersecurity Maturity Model Certification 
  • Azure AD Sign-in Logs 
  • Azure AD Audit Logs

Checking the above workbooks weekly or monthly lets you investigate all the data more deeply and thoroughly.

Automation 

As you work with SIEMs like Azure Sentinel, minimize manual intervention and filter out the noise so that you can focus on the alerts that matter. Fortunately, Microsoft did a great job designing Sentinel’s automation capability.

If you want to run playbooks, you have to allow automation rules to run them. Through automation rules, you can centrally manage all incident-handling automation, which simplifies the complex workflows of incident orchestration.

Automation rules are triggered when incidents are created. You can set conditions that control when actions run, based on the analytic rule, entity details, and incident properties. Additionally, you can set an expiration time for the rules and the order in which actions run.

[Image: Azure Sentinel overview]

Threat Intelligence 

A vast number of cyber threats occur every day. Many communities, organizations, and Microsoft itself monitor and record the IP addresses, hashes, and domains the attacks come from. Azure Sentinel’s Threat Intelligence capability uses these indicators to increase protection against malicious attacks.
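As an added example (not from the original article) of how those indicators are put to work, the following KQL matches the source IP of recent Azure AD sign-ins against the IP indicators held in the ThreatIntelligenceIndicator table. It assumes a threat intelligence connector is populating that table and the Azure Active Directory connector is populating SigninLogs; the 14-day indicator window and 1-hour event window are my choices.

```kusto
// Added example: matching sign-in source IPs against threat intelligence indicators
// (not from the original article). Assumes a TI connector populates ThreatIntelligenceIndicator
// and the Azure AD connector populates SigninLogs.
let tiLookback = 14d;
let eventLookback = 1h;
// Step 1: currently valid IP indicators. Indicators are re-ingested as they change, so keep
// only the latest record per IndicatorId, then drop any that are deactivated or expired.
let activeIpIndicators = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(tiLookback)
    | where isnotempty(NetworkIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project NetworkIP, ThreatType, ConfidenceScore, Description, IndicatorId;
// Step 2: join recent sign-ins (successful or failed) to the indicator list on source IP.
SigninLogs
| where TimeGenerated > ago(eventLookback)
| join kind=inner activeIpIndicators on $left.IPAddress == $right.NetworkIP
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, ResultDescription,
          AppDisplayName, ThreatType, ConfidenceScore, Description, IndicatorId
| order by ConfidenceScore desc, TimeGenerated desc
```

Saved as a scheduled analytic rule with a one-hour interval and lookback, this turns every sign-in from a known-bad address into an incident carrying the indicator’s threat type and confidence score, which is the information the responder needs to decide how urgently to act. Filtering on Active and ExpirationDateTime matters: indicator feeds retire addresses constantly, and matching against stale entries is a steady source of false positives.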

Top Benefits of Azure Sentinel 

Here are some of the benefits you can enjoy once you take advantage of Azure Sentinel:

  • Get a complete security overview of your organization by collecting all data on one platform
  • More data means more effective investigation and analysis of security issues
  • Faster detection of new potential threats through AI and machine learning
  • Faster response to incidents through automation of common tasks and built-in orchestration
  • Reliable Microsoft security experts’ experience and skills on a global scale

Conclusion 

As a cloud-native and scalable SIEM, MS Azure Sentinel offers a single solution for threat response, proactive hunting, threat visibility, and alert detection. It serves as your bird’s-eye view across your organization. It will help you reduce the stress of long resolution times, increasing volumes of alerts, and growing cyber-attacks.

Hopefully, the guide above helped you gain a better understanding of Azure Sentinel. Besides the deployment process being straightforward, you can also access lots of benefits for your business security.

FAQs About Azure Sentinel

What are the benefits of using Threat Intelligence?

With Threat Intelligence you can simplify security operations and speed up threat response with integrated automation and orchestration of common tasks and workflows.

What are the benefits of Azure Sentinel?

Among many benefits, you can eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs while reducing costs by as much as 48 percent compared to traditional SIEMs.

What are the benefits of AI for threat intelligence?

Make your threat detection and response smarter and faster with artificial intelligence (AI).

How do I integrate Azure Sentinel with my security solutions?

Azure Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, and Microsoft 365 sources, including Office 365, Azure AD, Microsoft Defender for Identity (formerly Azure ATP), and Microsoft Cloud App Security, and more.

What is Azure Sentinel deep investigation?

Currently in preview, Azure Sentinel deep investigation tools help you understand the scope of a potential security threat and find its root cause.

What is Azure Sentinel Analytics?

Analytics helps connect the dots: it can combine small alerts into a potentially high-severity incident and proactively report it to the security responders.

What are the benefits of cloud-native security?

Being cloud-native, it frees the security operations team from the overhead of monitoring, maintaining, and scaling the infrastructure, and provides high performance and speed to complement your security needs.

What is the difference between Azure Security Center and Azure Sentinel?

Azure Sentinel takes a proactive approach to identify threats, as compared to Azure Security Center, which takes a reactive approach.

What are the features of Azure Sentinel?

Apart from the above core features, there are certain other features, which are equally important and are worth mentioning.
