Being a big fan of x-men series and security products, I couldn’t resist researching on the new SecOps offering from Microsoft called ” Azure Sentinel’. Those who are not familiar with x-men comics, Sentinel are mutant hunting robots which can monitor, detect and kill mutants 😛
Azure Sentinel service is a great SIEM and SOAR offering from Microsoft with the proper equation of SecOps + AI in a cloud native solution.
The great advantage and differentiator of this offering from other SIEM solution is, its backed by Microsoft which is turning into a biggest security company in the world with huge loads of investment going into security research. It’s clearly going to disrupt the SOC as a cloud security solution.
Since it’s a cloud native solution, no worries about capacity planning and other on-prem bottle necks.
Alright, upon doing some research and Lab on the Azure Sentinel, below are the list of high-level characteristics and feature set about this service offering.
Azure Sentinel SecOps flow:
Enable Azure Sentinel to easily aggregate security data generated by end point devices, network infrastructure, and other security systems, then leverage it to detect and respond to threats in your environment.
Collect / Visibility
Collect security data at cloud scale from mostly any source (On Premises, Cloud (Including Other Clouds like AWS) and SaaS Apps.
Data collection options: On-prem and Cloud:
- Agent based collection for Linux and windows devices (OS events, OS firewall, DNS, DHCP etc)
- Syslog based collection using syslog connector/CEF – either can be deployed in on-premises or cloud over TLS
- Supports REST API based collection for F5, Barracuda and Symantec and other similar products.
- Custom connectors using Azure functions for log storage like S3.
- Azure log analytic data will also support sentinel analysis.
Workbooks – Interactive dasboarding with the analysis. There are good number of built-in workbook templates available from Azure sentinel like, Azure Activity, Azure AD audit-logs, Azure AD Sign-in logs and variety of other product supports (AWS Network activities, AWS user activities). Based on the need custom workbook can be created
Detect – Analytics / Hunting
- There are good number of built-in analytics available in Azure sentinel to choose for detecting threats.
- Option available to create custom KQL based queries for analytics.
- Trigger automated playbooks to tackle threats.
- Leverage Machine learning to increase your catch rate without increasing the noise.
Investigate – Incidents
- Track investigation from sentinel security incident, raised based on priority.
- Bring you own ITSM framework by integrating with ticketing tool for the incident track and resolution.
- Visualize the entire threat attack to determine the scope and impact, by navigating the relationships between alerts.
Respond – Automation
- Automate and orchestrate the scopes using integrated Azure logic Apps. Logic Apps will help in building automated and scalable playbooks that integrate across tools. Able to setup the complete workflow from alert trigger to resolution.
- Again like other sections, there are good number of sample library available to configure and test the playbooks.
Complete Docs about Sentinel – https://docs.microsoft.com/en-us/azure/sentinel/
Free Trail – Azure Sentinel can be enabled at no additional cost on an Azure Monitor Log Analytics workspace for the first 31-days. Usage beyond the first 31-days will be charged per pricing listed above. Charges related to Azure Monitor Log Analytics for data ingestion and additional capabilities for automation. And bring your “own machine learning” are still applicable during the free trial.