The vast landscape of on-premises, co-hosted and cloud infrastructure makes it harder to monitor security across these wide-reaching environments. SIEM solutions aggregate data from many different types of systems and present a clear view of actionable security items, so that security teams can protect the business. They are among the most powerful tools for detecting and remediating potential security threats.
Today we look in more detail at Azure Sentinel, a SIEM solution: its features, use cases, advantages and disadvantages.
What is Azure Sentinel
Microsoft (Azure) Sentinel is a cloud-native, scalable Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution. It delivers intelligent security and threat analytics at enterprise scale and provides a single solution for alert detection, threat visibility, proactive threat hunting and threat response. This lets organizations bring together disparate data sources from resources hosted in the cloud and on premises, and collect, detect, investigate and respond to threats from one place.
Core Areas of Azure Sentinel
Azure Sentinel has four core areas.
- Collect – collects security data across your enterprise and retains it for 31 days by default. Retention can be extended up to 730 days.
- Detect – detects threats using analytics and Microsoft's vast threat intelligence.
- Investigate – investigates critical incidents, guided by AI.
- Respond – finally, responds to incidents rapidly with built-in orchestration and automation of common tasks.
Azure Sentinel: Components and Deployment
Major components of Azure Sentinel are explained more in detail below.
- Dashboards – built-in dashboards visualize the data from connected data sources, letting you drill down into the events generated by each service.
- Cases – a case is the aggregation of all evidence collected in connection with a specific investigation. It may contain one or more alerts based on the analytics you define.
- Hunting – search is provided by the Kusto Query Language (KQL), which supports investigations and proactive threat management.
- Notebooks – through integration with Jupyter notebooks, Azure Sentinel extends what you can do with the collected data. Notebooks are fully programmable, with a collection of libraries for machine learning, visualization and data analysis.
- Data connectors – facilitate data ingestion from Microsoft and partner solutions.
- Playbooks – a playbook is a collection of procedures that run automatically when Azure Sentinel triggers an alert. Playbooks are built on Logic Apps and help automate and orchestrate tasks and workflows.
- Analytics – let you create custom alerts.
- Community – a GitHub page with detections for different data sources that can be used to create alerts and respond to threats in your environment.
- Workspace – a Log Analytics container that holds the data and configuration details.
Steps to Enable Azure Sentinel
Azure Sentinel is available in the Azure portal, and to enable it you need a Log Analytics workspace. The workspace provides:
- A geographic location for data storage
- Isolation of data by granting different users access rights, following the Log Analytics recommended design strategies for workspaces
- A scope for configuration settings such as pricing tier, retention and data capping
Since alerts and rules do not function across workspaces it is recommended to use a centralized workspace.
- To create a workspace, open the Azure portal and sign in with a user that has Contributor privileges in the subscription where the Azure Sentinel workspace will reside.
- Open All services, type Sentinel and click Azure Sentinel.
- On the initial launch of Azure Sentinel no workspace is associated with it.
- Click the Add button or the Connect workspace button. Both options let you choose a workspace to add to the Azure Sentinel page.
- Click Create new workspace; the Log Analytics workspace page appears.
- In the Log Analytics workspace field, type the name of the workspace.
- In the Subscription field, select the subscription you want to use.
- From the Resource group menu, choose the resource group to use.
- From Pricing tier, choose Per GB.
- Click OK.
- Under Choose a workspace to add to Azure Sentinel, select the workspace you created and click the Add Azure Sentinel button.
Now workspace is ready and configured and you can start ingesting data from various sources.
Data ingestion is performed using data connectors, which configure connections to different providers, Microsoft partners and other resources. Several out-of-the-box connectors are available in Azure Sentinel, such as:
- Azure AD,
- Office 365,
- cloud app security,
- Azure activity log,
- Azure AD identity protection,
- Azure information protection,
- Azure ATP,
- Azure security centre,
- Domain name server,
- Microsoft Defender ATP,
- Microsoft web application firewall,
- Windows firewall and
- Windows security events.
Other vendor connectors include Amazon Web Services (AWS), Barracuda, Checkpoint, Palo Alto Networks, Fortinet, F5 and Symantec ICDX.
If an external solution is not on the data connector list but the appliance can write its logs as syslog in Common Event Format (CEF), integration with Azure Sentinel is still possible through the CEF connector. If CEF is not supported either but the solution can call a REST API, the HTTP Data Collector API can be used to send log data directly to the workspace.
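As an added illustration of that last path (this is example code, not part of the original article or of Microsoft's SDKs), the block below signs and assembles a POST to the HTTP Data Collector API: the request is authenticated with an HMAC-SHA256 over a canonical string of the verb, body length, content type, `x-ms-date` header and resource path, keyed with the workspace's base64 shared key. The workspace ID, shared key, custom log type and sample records are placeholders constructed for the example; `verify_signature` is a helper added here for checking a header before sending.

```python
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request

# Placeholders (assumptions): a real workspace ID is a GUID and the shared key is
# the base64 primary key shown under the workspace's "Agents management" blade.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"placeholder-primary-key-not-real").decode()
LOG_TYPE = "CustomFirewall"  # hypothetical; the service stores it as CustomFirewall_CL
# Constructed sample record; EventTime becomes TimeGenerated via time-generated-field.
SAMPLE_EVENTS = [{"EventTime": "2024-01-01T00:00:00Z", "SrcIp": "10.0.0.5", "Action": "deny", "Port": 3389}]

def string_to_sign(method, content_length, content_type, rfc1123_date, resource):
    """Canonical string the API signs: verb, body length, content type, date header, path."""
    return f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{resource}"

def build_signature(workspace_id, shared_key, rfc1123_date, content_length):
    """HMAC-SHA256 over the canonical string, keyed with the base64-decoded shared key."""
    msg = string_to_sign("POST", content_length, "application/json", rfc1123_date, "/api/logs")
    digest = hmac.new(base64.b64decode(shared_key), msg.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def verify_signature(workspace_id, shared_key, rfc1123_date, content_length, auth_header):
    """Recompute the header and compare in constant time (useful when chasing 403s)."""
    expected = build_signature(workspace_id, shared_key, rfc1123_date, content_length)
    return hmac.compare_digest(expected, auth_header)

def build_request(workspace_id, shared_key, log_type, records, now=None):
    """Assemble the signed POST; the date used in the signature must equal x-ms-date."""
    body = json.dumps(records).encode("utf-8")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        "time-generated-field": "EventTime",
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def send(req):
    # The service answers HTTP 200 with an empty body when the batch is accepted.
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status
```

A mismatch between the signed content length or date and the headers actually sent is the usual cause of a 403 from this API, which is what `verify_signature` lets you rule out locally.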
Conclusion
Ease of integration with telemetry sources is key to SIEM success. Running in the cloud lets Azure Sentinel offer a resilient and straightforward way to connect to data sources, backed by serverless computing. Log collection from on-premises systems has traditionally relied on legacy collection methods; Azure Sentinel brings the benefits of cloud-native collection to on-premises equipment as well.