What is Azure Sentinel?
Azure Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) service on Microsoft's public cloud. It provides a single system for alert detection, threat visibility, proactive hunting and threat response. It collects data from many sources, correlates it and visualizes the result in a single dashboard, which helps teams collect data, detect, investigate and respond to security incidents and threats.
This delivers security analytics and threat intelligence across the enterprise. It integrates natively with Azure Logic Apps and Log Analytics, which extends its capabilities, and it includes machine learning that flags suspicious behaviour and likely threat actors, helping analysts examine their environment.
It is simple to deploy in single- or multi-tenant scenarios. In the multi-tenant case it is deployed in every tenant, and Azure Lighthouse is used to get a consolidated view across all tenants.
What are the steps in it?
The four most important areas or stages in Azure Sentinel are as follows:
Collect Data
It collects data from devices, users, applications and infrastructure, both on-premises and across multiple cloud environments. It connects to security systems out of the box: a variety of connectors for Microsoft solutions support real-time integration, and built-in connectors also cover third-party (non-Microsoft) products. Beyond those, data sources can be connected through Common Event Format (CEF), Syslog or a REST API.
The services that connect directly through out-of-the-box integration include Azure Active Directory, Azure Activity, Azure DDoS Protection, Azure AD Identity Protection, Azure Firewall, Azure Security Center, Azure Web Application Firewall, Office 365, Microsoft Defender for Identity, Amazon Web Services CloudTrail, Cloud App Security and many other Microsoft solutions.
Third-party services such as Okta SSO, Orca Security, Qualys VM, Citrix Analytics, Barracuda CloudGen Firewall, Perimeter 81 Logs, Proofpoint TAP and a few others connect through their APIs.
Other data sources connect through agents. Syslog is used for this purpose and allows real-time log streaming. The Azure Sentinel agent (the Log Analytics agent) forwards CEF-formatted logs in a form that Log Analytics can consume. Other sources that connect through agents include Linux servers, DNS servers, Azure Stack virtual machines and DLP solutions.
Threat intelligence providers (MISP Open Source Threat Intelligence Platform, Anomali ThreatStream, Palo Alto Networks MineMeld, ThreatConnect Platform, ThreatQ Threat Intelligence Platform, etc.) are also supported, as are firewalls, proxies and endpoints that send CEF (Check Point, F5 ASM, Palo Alto Networks, Zscaler, Cisco ASA, Fortinet and other CEF-based devices) and those that send Syslog (Sophos XG, Symantec ProxySG, Pulse Connect Secure and other Syslog-based appliances).
It also works with Fluentd and Logstash to collect and forward data and logs.
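Much of the third-party data above arrives as CEF over Syslog, and it helps to understand what the agent is actually normalising before it lands in Log Analytics. The following parser is an added example written for this page (it is not Sentinel's or the Log Analytics agent's own code): it splits the pipe-delimited CEF header while honouring the backslash escapes the format allows, parses the space-separated key=value extension, and maps a handful of common extension keys onto the column names Sentinel uses in its CommonSecurityLog table. The two sample lines are constructed, and the column mapping is an assumption based on the documented CEF connector behaviour rather than something verified against a live workspace.

```python
import re
from typing import Any, Dict, List, Tuple

# Header fields in the order CEF defines them: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Assumed mapping of common extension keys to Sentinel CommonSecurityLog columns.
COMMON_SECURITY_LOG_COLUMNS = {
    "src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort",
    "dpt": "DestinationPort", "proto": "Protocol", "act": "DeviceAction",
    "msg": "Message", "cs1": "DeviceCustomString1", "cs1Label": "DeviceCustomString1Label",
}

# Constructed sample lines: one with a syslog prefix, one with an escaped pipe in the header.
SAMPLE_CEF_LINES = [
    "Oct 12 10:11:12 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.1|threat|Vulnerability Exploit|8|"
    "src=10.0.0.5 dst=203.0.113.7 spt=51234 dpt=443 act=alert msg=SQL injection attempt\\=1 "
    "cs1Label=Rule cs1=block-web-attacks",
    "CEF:0|Check Point|VPN-1\\|FireWall-1|R81|Accept|Log|1|src=10.0.0.9 dst=8.8.8.8 proto=UDP dpt=53",
]

# A key=value pair starts at the beginning of the extension or after whitespace; an escaped
# "\=" never matches because the backslash is not a legal key character.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_.]*)=")
_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(raw: str) -> str:
    """Resolve CEF escapes: \\\\ -> \\, \\= -> =, \\| -> |, \\n and \\r -> control characters."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), raw)


def _split_header(s: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields, treating a backslash as an escape.

    Returns the header fields and the untouched remainder (the extension).
    """
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(s) and len(fields) < len(HEADER_FIELDS):
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # escaped character: keep the next char literally
            buf.append(s[i + 1])
            i += 2
            continue
        if c == "|":                           # unescaped pipe terminates a field
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    return fields, s[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse the extension: values may contain spaces, so each value runs up to the next key."""
    out: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end])
    return out


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse a CEF message, with or without a leading syslog prefix, into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    header, ext = _split_header(line[start:])
    if len(header) != len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    rec: Dict[str, Any] = dict(zip(HEADER_FIELDS, header))
    rec["cef_version"] = rec["cef_version"][len("CEF:"):]
    rec["extension"] = _parse_extension(ext.strip())
    prefix = line[:start].strip()
    if prefix:
        rec["syslog_prefix"] = prefix
    return rec


def to_common_security_log(rec: Dict[str, Any]) -> Dict[str, str]:
    """Project a parsed record onto (assumed) CommonSecurityLog column names."""
    row = {"DeviceVendor": rec["device_vendor"], "DeviceProduct": rec["device_product"],
           "DeviceVersion": rec["device_version"], "DeviceEventClassID": rec["signature_id"],
           "Activity": rec["name"], "LogSeverity": rec["severity"]}
    for key, value in rec["extension"].items():
        row[COMMON_SECURITY_LOG_COLUMNS.get(key, "AdditionalExtensions_" + key)] = value
    return row


if __name__ == "__main__":
    for sample in SAMPLE_CEF_LINES:
        print(to_common_security_log(parse_cef(sample)))
```

The escape handling is the part that matters operationally: a device that emits an unescaped pipe or equals sign produces shifted fields, which shows up in Sentinel as values landing in the wrong CommonSecurityLog column, so it is worth running a few real log lines through a parser like this before trusting detections built on that source.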
Detection of Threats
It detects threats and limits false positives using analytics and threat intelligence sourced directly from Microsoft. The Analytics feature plays a major role in correlating alerts into the incidents the security team works on. It offers built-in rule templates for detecting threats and automating the response, and it also lets you design custom rules. The four kinds of built-in templates are listed below:
Microsoft Security templates: rules created from these templates create incidents in real time from alerts generated by other Microsoft security products.
Fusion template: this template generates only one rule, which is enabled by default. It relies on the Advanced Multistage Attack Detection logic and uses scalable machine learning to correlate many low-fidelity alerts and events across different products into high-fidelity, actionable incidents.
Machine Learning Behavioral Analytics templates: each template of this kind can create only one rule. They are based on proprietary Microsoft machine learning algorithms, so the user cannot inspect the template's internal logic or the exact time at which it runs.
Scheduled templates: this is the only template type whose query logic can be examined and changed to fit the environment. Scheduled templates become scheduled analytics rules based on built-in queries written by Microsoft; both the query logic and the scheduling settings can be customised to make new rules.
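A scheduled rule is just a KQL query plus a schedule (how often it runs, how far back it looks) and a trigger threshold on the number of rows the query returns; the same settings are what you fill in when writing a custom KQL rule under Analytics. The block below is an added example for this page, not a template shipped by Microsoft: it holds one such rule definition, including its KQL over the SigninLogs table, and then evaluates the equivalent logic in Python over a handful of constructed sign-in rows so you can see what the rule would fire on. The rule's name, the password-spray logic and the sample rows are all constructed; the SigninLogs column names and the convention that ResultType "0" means a successful sign-in are as documented for the Azure AD connector.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

# Constructed rule definition mirroring the settings a scheduled analytics rule exposes:
# display name, severity, run frequency, lookback period, trigger threshold, tactics and KQL.
SPRAY_RULE: Dict[str, Any] = {
    "displayName": "Password spray followed by a successful sign-in (added example)",
    "severity": "High",
    "enabled": True,
    "queryFrequency": timedelta(hours=1),   # how often the rule runs
    "queryPeriod": timedelta(hours=1),      # how far back each run looks
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,                  # alert when the query returns more than 0 rows
    "tactics": ["CredentialAccess", "InitialAccess"],
    "query": """
SigninLogs
| where TimeGenerated > ago(1h)
| summarize Failures = countif(ResultType != "0"),
            Successes = countif(ResultType == "0"),
            TargetedUsers = dcount(UserPrincipalName),
            Users = make_set(UserPrincipalName)
    by IPAddress
| where Failures >= 5 and Successes >= 1
""".strip(),
}

# Fixed "now" so the constructed sample rows are reproducible.
NOW = datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc)


def _row(minutes_ago: int, upn: str, ip: str, result_type: str) -> Dict[str, Any]:
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago),
            "UserPrincipalName": upn, "IPAddress": ip, "ResultType": result_type}


# Constructed SigninLogs rows: one IP sprays six accounts and then gets in as erin;
# another IP is a single user mistyping a password once; one old row is outside the window.
SAMPLE_SIGNIN_LOGS: List[Dict[str, Any]] = [
    _row(50, "alice@contoso.example", "203.0.113.10", "50126"),   # 50126: invalid credentials
    _row(48, "bob@contoso.example", "203.0.113.10", "50126"),
    _row(46, "carol@contoso.example", "203.0.113.10", "50126"),
    _row(44, "dave@contoso.example", "203.0.113.10", "50126"),
    _row(42, "erin@contoso.example", "203.0.113.10", "50126"),
    _row(40, "frank@contoso.example", "203.0.113.10", "50126"),
    _row(30, "erin@contoso.example", "203.0.113.10", "0"),        # success after the spray
    _row(20, "alice@contoso.example", "198.51.100.7", "50126"),
    _row(18, "alice@contoso.example", "198.51.100.7", "0"),
    _row(180, "bob@contoso.example", "203.0.113.10", "50126"),    # outside queryPeriod
]


def run_scheduled_rule(rows: List[Dict[str, Any]], rule: Dict[str, Any],
                       now: datetime, failure_threshold: int = 5) -> List[Dict[str, Any]]:
    """Evaluate the rule's query logic locally: the same summarize-by-IP the KQL performs."""
    window_start = now - rule["queryPeriod"]
    per_ip: Dict[str, Dict[str, Any]] = defaultdict(
        lambda: {"Failures": 0, "Successes": 0, "Users": set()})
    for r in rows:
        if r["TimeGenerated"] <= window_start:      # TimeGenerated > ago(queryPeriod)
            continue
        agg = per_ip[r["IPAddress"]]
        if r["ResultType"] == "0":
            agg["Successes"] += 1
        else:
            agg["Failures"] += 1
        agg["Users"].add(r["UserPrincipalName"])
    results = []
    for ip, agg in sorted(per_ip.items()):
        if agg["Failures"] >= failure_threshold and agg["Successes"] >= 1:
            results.append({"IPAddress": ip, "Failures": agg["Failures"],
                            "Successes": agg["Successes"],
                            "TargetedUsers": len(agg["Users"]),
                            "Users": sorted(agg["Users"])})
    return results


def should_trigger(results: List[Dict[str, Any]], rule: Dict[str, Any]) -> bool:
    """Apply the rule's trigger operator/threshold to the number of rows the query returned."""
    n, threshold = len(results), rule["triggerThreshold"]
    operators = {"GreaterThan": n > threshold, "LessThan": n < threshold,
                 "Equal": n == threshold, "NotEqual": n != threshold}
    return operators[rule["triggerOperator"]]


if __name__ == "__main__":
    hits = run_scheduled_rule(SAMPLE_SIGNIN_LOGS, SPRAY_RULE, NOW)
    print(SPRAY_RULE["displayName"], "triggered:", should_trigger(hits, SPRAY_RULE))
    for hit in hits:
        print(hit)
```

Two settings deserve attention when you customise a template this way: keep queryPeriod at least as long as queryFrequency, otherwise events that arrive between two runs are never examined, and keep ago() in the query consistent with queryPeriod, since the scheduler does not rewrite the query for you.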
Investigate Suspicious Activities
It can hunt for and investigate suspicious activity across the environment. It helps reduce noise and searches for threats mapped to the MITRE ATT&CK framework, using machine learning to identify suspicious activity on monitored assets before an alert is triggered. When using it for research or hunting, you can take advantage of the following capabilities:
Built-in queries: written by Microsoft and useful for becoming familiar with the tables and the query language. You can also create new queries and fine-tune existing ones to improve detection.
A powerful query language: the service is built on top of the Kusto Query Language (KQL), which provides the flexibility needed to take hunting further.
Bookmarks: you can bookmark findings you come across while hunting so that you can revisit them later and create an incident for investigation.
Notebooks to automate investigation: a notebook is a step-by-step record, similar to a playbook, that you create to track the steps of an investigation or hunt. It captures every element of the hunt in a reusable form that can be shared with other members of the team.
Access to stored data: the stored data, and the data Sentinel itself generates, is available as tables that can easily be queried.
Community links: the Azure Sentinel GitHub community is the best place to find additional queries and data sources.
Respond
It responds quickly to incidents with the orchestration built into the system, and routine tasks are easily turned into automation. Playbooks simplify security orchestration and can, for example, create tickets in ServiceNow, Jira and similar tools when an incident occurs.
What are the main elements?
There are nine key Azure Sentinel components.
Dashboards: built-in dashboards visualize the information gathered from the various data sources, so security staff get a better understanding of the events those services generate.
Cases (now called incidents): a case is the set of all evidence relevant to a specific investigation. A case contains one or more alerts, depending on the data its user defines for it.
Hunting: an effective tool for security and threat analysts, responsible for proactive threat analysis across the whole environment. KQL (Kusto Query Language) powers its search capabilities, and its machine learning detects suspicious behaviour such as abnormal traffic patterns in firewall data, suspicious authentication patterns and resource-creation anomalies.
Notebooks: notebooks add flexibility and widen what can be done with the collected data through a pre-built connection to Jupyter Notebooks, with a built-in collection of modules and libraries for machine learning, embedded analytics, visualization and data analysis.
Data Connectors: built-in connectors facilitate the ingestion of data from Microsoft products and solutions and from partner solutions.
Playbooks: a playbook is a collection of procedures executed in response to an alert Sentinel triggers. Playbooks are built on Azure Logic Apps, so users get the flexibility, capability, customizability and built-in templates of Logic Apps to automate and orchestrate tasks and workflows, which can be configured to run manually or automatically whenever certain alerts fire.
Analytics: Analytics lets users create custom alerts using Kusto Query Language (KQL).
Community: the Azure Sentinel GitHub community page includes detections based on various data sources, which users can turn into alerts and use to react to threats in their environment. The page also has sample hunting queries, security playbooks and other documents.
Workspace: the workspace, or Log Analytics workspace, is the container that holds the data and the configuration. Sentinel uses it to store the data collected from the various data sources. You can either create a new workspace or use an existing one, but a dedicated workspace is advisable, because alert rules and investigations cannot work across workspaces.
A Log Analytics workspace provides the following:
A geographic location for data storage.
Data isolation, achieved by giving different users access rights following Log Analytics' recommended workspace design strategies.
Configuration settings such as pricing tier, retention and data capping.
How to deploy it?
It uses a Role-Based Access Control (RBAC) model that lets administrators grant specific levels of access to match different needs. It comes with three built-in roles:
Azure Sentinel Reader: users in this role can view data and incidents but cannot modify anything.
Azure Sentinel Responder: users in this role can view incidents and data and perform certain actions on incidents, such as assigning them to another user or changing their severity.
Azure Sentinel Contributor: users in this role can view incidents and other data, perform actions on incidents, and create, edit or delete analytics rules.
To onboard Azure Sentinel onto a workspace, you need Contributor permissions on the subscription in which the workspace resides. To give different teams the access their work requires, use the RBAC model to assign these roles to groups with granular permissions.
How does it differ from Azure Security Center?
Azure Security Center is a cloud workload protection platform designed for the server-workload protection needs of today's hybrid data centers. Azure Sentinel, by contrast, is a cloud-native SIEM that examines event data in real time to identify early signs of targeted breaches and attacks, and that collects, stores, investigates and responds to security events.
What is Azure Security Center?
Azure Security Center deals with the configuration of your Azure assets according to best practices; in simple terms, it helps identify malicious actors and prevent unauthorized access to your data. If you deploy Azure Security Center and Azure Sentinel together, do not use the default workspace that Azure Security Center creates for Sentinel, because Sentinel cannot be enabled on that default workspace.
How can you identify security Threats?
When you use Azure Sentinel, there are four different ways of hunting for security threats.
Jupyter Notebooks for hunting: using Jupyter Notebooks to carry out a hunt extends what can be determined from the collected data. The Kqlmagic library provides the functions needed to run Azure Sentinel queries directly inside a notebook. Azure Notebooks is an integrated Jupyter environment hosted in Azure that can store, share and run notebooks.
Bookmarks for hunting: bookmarks keep a record of your queries and the results you obtained, and you can add tags and notes to them for reference. Bookmarks are also available in the HuntingBookmark table of your Log Analytics workspace, so you can filter and join bookmarked data with other data sources, which makes it simple to find evidence that supports your findings.
Livestream for hunting: hunting Livestream lets you create interactive sessions in which you can:
Test newly created queries as events happen.
Be notified when matching threats occur.
Start investigations from assets such as a host or user.
Livestream sessions can be created from any Log Analytics query.
Managing hunting and Livestream queries with the REST API: the Log Analytics REST API can be used to manage hunting and Livestream queries, which then appear in the Azure Sentinel UI.
Conclusion
Azure Sentinel is a scalable, cloud-native tool that helps detect, investigate and respond to potential threats, and to identify them earlier. It uses machine learning to reduce risk and spot unusual behaviour. IT departments also save time and effort on maintenance, and can monitor their whole estate from the cloud to on-premises workstations and personal devices.