Beginner's Guide to Azure Sentinel
It is widely expected that the adoption of cloud computing will be one of the key trends of the coming decade, and it is often hailed as the next big thing capable of lifting the IT sector to new heights.
Cloud providers are ramping up capacity and expanding into ever larger data centers because of this enormous potential. However, even in the cloud, data is the key asset, and security is the top concern for most organizations. Even a minor breach can radiate through the different workflow stages and disrupt operations at every level.
Modern security tools generate high volumes of alerts in response to sophisticated attacks. At such volumes, it is almost impossible to extract valuable insights from the alerts and act on them.
Security Information and Event Management (SIEM) products are available in abundance across the IT sector. But many organizations lack the resources to integrate the multitude of data sources, analyze them, and respond to the results of that analysis.
This is where Azure Sentinel can help.
Table of contents
- What is Azure Sentinel?
- Key features of Azure Sentinel
- Deep investigation
- How to start using Azure Sentinel?
- Winding Up
What is Azure Sentinel?
Azure Sentinel is a cloud-native security application that delivers next-generation security tooling from the cloud, with artificial intelligence at its core. Azure Sentinel is both a SIEM and a SOAR (Security Orchestration, Automation and Response) solution that provides intelligent security analytics and threat insights across the enterprise. This means that Sentinel is capable of anticipating threats and preventing them from causing severe damage.
Azure Sentinel can be connected to data sources across an organization. These sources range from user activity to data from different tenants in the cloud.
Let us now dive deeper into the array of services that are exclusive to Azure Sentinel.
Key features of Azure Sentinel
A well-organized dashboard
From an administrator's viewpoint, the dashboard is the most important element of any security tool. Sentinel's dashboard is intuitive and handy for its users. It provides multiple ways of looking into security situations and gives deep insight into new events and alerts. The administrator can get a geospatial view of malicious incidents across the enterprise. The built-in dashboards include firewall intrusion alerts, Azure DB logs, insecure protocols, and activity, to name a few.
Correlating security situations with machine learning
Sentinel makes data more structured with built-in ML and a module called Fusion. Third-party applications can build their own ML models to recognize suspicious activity such as a sign-in from an unusual IP address. Sentinel resolves multiple related alerts into cases, which relieves alert fatigue. This case-based approach is uncommon in other security solutions, where administrators receive tons of redundant alerts.
Sentinel is built on Azure Log Analytics, which collects security logs from various applications and resolves them into manageable information. The Sentinel services include Azure identity protection, cloud app security, Azure advanced protection security, and integration with third-party tools such as Cisco and various firewalls.
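To make the idea of resolving many alerts into a single case concrete, here is a small added example (not code from the article or from Microsoft) that folds a stream of alerts into cases whenever they share an entity, such as a user or an IP address, within a time window. The alert records, entity labels and the one-hour window are constructed for illustration; Sentinel's own grouping logic is richer than this.

```python
"""Added example: group related security alerts into cases by shared entity.

This is an illustration of the alert-to-case idea described above, not
Sentinel's implementation. Alert records and entity names are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

SEVERITY_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Alert:
    alert_id: str
    time: datetime
    severity: str                  # "Low", "Medium" or "High"
    title: str
    entities: Tuple[str, ...]      # e.g. ("user:alice", "ip:203.0.113.7")


@dataclass
class Case:
    case_id: int
    alerts: List[Alert] = field(default_factory=list)
    entities: Set[str] = field(default_factory=set)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None

    @property
    def severity(self) -> str:
        # A case inherits the highest severity of the alerts inside it.
        return max((a.severity for a in self.alerts), key=SEVERITY_ORDER.__getitem__)


def correlate(alerts: List[Alert], window: timedelta = timedelta(hours=1)) -> List[Case]:
    """Fold alerts into cases using an entity-overlap rule.

    An alert joins an existing case when it shares at least one entity with
    that case and arrives within `window` of the case's most recent alert;
    otherwise it opens a new case. Alerts are processed in time order.
    """
    cases: List[Case] = []
    for alert in sorted(alerts, key=lambda a: a.time):
        target = None
        for case in cases:
            recent = (alert.time - case.last_seen) <= window
            if recent and case.entities & set(alert.entities):
                target = case
                break
        if target is None:
            target = Case(case_id=len(cases) + 1, first_seen=alert.time)
            cases.append(target)
        target.alerts.append(alert)
        target.entities.update(alert.entities)
        target.last_seen = alert.time
    return cases


# Constructed sample alerts: three about the same user/IP in a short burst,
# one about another user, and a late one about the first user hours later.
T0 = datetime(2020, 1, 15, 9, 0)
SAMPLE_ALERTS = [
    Alert("a1", T0, "Medium", "Sign-in from unusual IP", ("user:alice", "ip:203.0.113.7")),
    Alert("a2", T0 + timedelta(minutes=5), "Low", "MFA prompt denied", ("user:alice",)),
    Alert("a3", T0 + timedelta(minutes=10), "High", "Firewall intrusion", ("ip:203.0.113.7", "host:web01")),
    Alert("a4", T0 + timedelta(hours=5), "Medium", "Mailbox rule created", ("user:bob",)),
    Alert("a5", T0 + timedelta(hours=5, minutes=30), "Low", "Password reset", ("user:alice",)),
]


def summarize(cases: List[Case]) -> List[Tuple[int, str, int]]:
    """Return (case_id, severity, alert_count) per case for quick inspection."""
    return [(c.case_id, c.severity, len(c.alerts)) for c in cases]


if __name__ == "__main__":
    for case_id, sev, count in summarize(correlate(SAMPLE_ALERTS)):
        print(f"case {case_id}: severity={sev} alerts={count}")
```

Five alerts collapse into three cases: the first three share a user or an IP and land within the window, while the late sign-in about the same user falls outside it and opens a fresh case, which is the behaviour an analyst wants when an old burst has already been triaged.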
Orchestrations and triggers
A prompt response is just as important as a prompt warning, and a warning is only useful when it is followed by an effective response. Built on Azure Logic Apps, Sentinel enables automated threat responses in the form of playbooks. Administrators can use playbooks to trigger responses to threats either manually or automatically. Playbook actions can include opening a ticket, sending an email or message alert, or disabling an account. Sentinel ships with predefined playbooks for responding to attacks, and administrators can create their own custom playbooks using Azure Logic Apps.
Deep investigation
An interesting feature of Sentinel is its capability to hunt for and conduct deep investigations of attacks. It allows administrators to filter cases by severity and status. Administrators can assign a case to someone or click the investigate button to get more information about an attack.
The investigation page presents a graph giving a 360-degree view of the attack. The nodes in the graph represent entities such as users, incidents, and connected systems. The admin can click any of these entities to get detailed insight into the connected systems and events.
How to start using Azure Sentinel?
Here are the prerequisites to start using Azure Sentinel:
- Have an active Azure subscription
- Have Contributor or Reader permissions on the resource group to which the workspace belongs
- Have a Log Analytics workspace
Once you have these three prerequisites you are free to browse Sentinel within the Azure portal. You can add data connectors, i.e. the resources that are to be secured.
Also, note that Azure Sentinel is free to use during the preview period, but the Log Analytics workspace still charges for the data ingested via data connectors beyond the first 5 GB of usage.
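The permission prerequisite is the one most often tripped over, because Azure RBAC assignments inherit downwards (subscription to resource group to resource) but never upwards. The following added example (not from the article or from any Microsoft tool) evaluates whether a principal holds Contributor or Reader on the workspace's resource group, given role assignment records shaped like the `principalName`, `roleDefinitionName` and `scope` fields of `az role assignment list -o json`. The records, the subscription id, the resource group name and the principal names are constructed placeholders.

```python
"""Added example: check the Contributor/Reader prerequisite on a resource group.

Role assignment records are constructed to mimic the fields of
`az role assignment list -o json`. Subscription id, resource group and
principals are placeholders, not values from any real tenant.
"""
from typing import Dict, Iterable, Set

# The roles the prerequisite names; Owner is a strict superset of Contributor.
REQUIRED_ROLES = {"Contributor", "Reader", "Owner"}

PLACEHOLDER_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
WORKSPACE_RESOURCE_GROUP = "rg-sentinel-example"   # placeholder name


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """True if an assignment made at `assigned_scope` applies to `target_scope`.

    Azure RBAC inherits down the hierarchy, so an assignment at the
    subscription covers every resource group in it, but an assignment on a
    single resource does not grant anything on its parent resource group.
    Scopes are compared case-insensitively. Management-group scopes are not
    modelled here (assumption: only root, subscription, group and resource).
    """
    assigned = assigned_scope.rstrip("/").lower()
    target = target_scope.rstrip("/").lower()
    if assigned == "":                      # root scope "/" covers everything
        return True
    return target == assigned or target.startswith(assigned + "/")


def resource_group_scope(subscription_id: str, resource_group: str) -> str:
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def effective_roles(assignments: Iterable[Dict[str, str]], principal: str,
                    target_scope: str) -> Set[str]:
    """Roles the principal holds at or above `target_scope`."""
    return {
        a["roleDefinitionName"]
        for a in assignments
        if a["principalName"].lower() == principal.lower()
        and scope_covers(a["scope"], target_scope)
    }


def meets_sentinel_prerequisite(assignments: Iterable[Dict[str, str]], principal: str,
                                subscription_id: str, resource_group: str) -> bool:
    """Does the principal have Contributor or Reader on the workspace's group?"""
    scope = resource_group_scope(subscription_id, resource_group)
    return bool(effective_roles(assignments, principal, scope) & REQUIRED_ROLES)


SUB = f"/subscriptions/{PLACEHOLDER_SUBSCRIPTION}"
RG = f"{SUB}/resourceGroups/{WORKSPACE_RESOURCE_GROUP}"

# Constructed sample assignments covering the common mistakes.
SAMPLE_ASSIGNMENTS = [
    # Reader inherited from the subscription: sufficient.
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Reader", "scope": SUB},
    # Contributor, but on a different resource group: insufficient.
    {"principalName": "bob@contoso.example", "roleDefinitionName": "Contributor",
     "scope": f"{SUB}/resourceGroups/rg-other"},
    # Contributor on the workspace resource itself, below the group: insufficient.
    {"principalName": "carol@contoso.example", "roleDefinitionName": "Contributor",
     "scope": f"{RG}/providers/Microsoft.OperationalInsights/workspaces/law-example"},
    # Right scope, wrong role: insufficient.
    {"principalName": "dave@contoso.example", "roleDefinitionName": "Network Contributor",
     "scope": RG},
]


if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        ok = meets_sentinel_prerequisite(SAMPLE_ASSIGNMENTS, f"{who}@contoso.example",
                                         PLACEHOLDER_SUBSCRIPTION, WORKSPACE_RESOURCE_GROUP)
        print(f"{who}: {'ok' if ok else 'missing Contributor/Reader on the group'}")
```

Only alice passes: Reader at the subscription is inherited by the group, whereas Contributor on a sibling group, Contributor on the workspace resource underneath the group, or an unrelated role at the right scope does not satisfy the prerequisite.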
Currently, Sentinel offers several Microsoft data connectors providing near real-time integration with applications including Office 365, Azure AD, Azure ATP, and Cloud application security (CAS).
Sentinel also provides data connectors for non-Microsoft solutions, including AWS, Cisco, and Symantec. This shows that Sentinel is a viable security solution and flexible enough to fit your infrastructure. Once the data connectors are enabled, Sentinel analyzes and reports threats across your IT estate with its built-in alert system.
Winding Up
The real power of Sentinel lies in its ability to create custom alerts and automated playbooks that help remediate an attack and halt a breach. In fact, the automated playbooks and the investigation feature are the most useful functionality in Sentinel, and they are exclusive to Azure. Such features can help keep your organization free from threats at every level.