- Solution for
- security information event management (SIEM)
- security orchestration automated response (SOAR)
- Delivers
- intelligent security analytics
- threat intelligence
- Key benefits
- Speed
- Scalability
- AI/automation to improve effectiveness
- Ability to consume data from different sources
- Provides solutions for security operations such as
- Collecting
- Collect data, analyze and parse it to some common format and place it in Log Analytics workspace
- Sources include on-premises and multiple cloud
- Can be across users, devices, applications
- 👀 See also: data sources
- Detecting - alert detection
- Minimize false positives by using an unparalleled threat intelligence
- Detects previously undetected threats using machine learning
- 👀 See also: hunting
- Investigating - threat visibility and proactive hunting
- Enhances with artificial intelligence
- Allows hunting for suspicious activities
- 👀 See also: incidents
- Responding - threat response
- Built-in orchestration and automation of common tasks.
- 👀 See also: playbooks
- Collecting
- Integrates with
- Log Analytics as data storage
- Logic Apps to e.g. automate security responses, see playbooks
- Its resource is called "Azure Sentinel workspace"
- You can see incidents from multiple Azure Sentinel workspaces or tenants
- Azure Lighthouse allows you to manage multiple tenants
- You can hunt across different workspaces in the same query
- Interactive dashboards
- There is a gallery of workbooks
- E.g. nice graphs for insecure protocols (LDAP, SMB, Kerberos...)
- You can also create your own workbooks using queries
- Can be exported/imported as JSON file, called Gallery Template
- 👀 See Workbooks | Azure/Azure-Sentinel (GitHub) for workbook examples
- Also known as detection rules
- Can be
- built-in: there are already many
- or custom: with custom triggers, periodicity etc.
- Each rule triggers an alert based on a condition
- Can enable User and Entity Behavior Analytics (UEBA)
- Can map query results to entities e.g. a malware or a security group
- Optionally creates incidents
- Each rule can have tactics
- Used to help with filtering rules and classification
- MITRE ATT&CK framework
- Built-in rules have different alert types
- Uses Kusto Query Language (KQL) as query language
- 👀 See Azure/Azure-Sentinel | GitHub for query examples
- Microsoft security (can be custom)
- Creates incidents every time an alert is triggered in a connected Microsoft security solution
- E.g. Microsoft Cloud App Security, Microsoft Defender for Identity
- Fusion (built-in only)
- Uses machine learning to correlate low-fidelity events
- E.g. "mass file download following suspicious Azure AD sign-in", see more
- Machine learning behavioral analytics (built-in only)
- Based on proprietary Microsoft machine learning algorithms
- Scheduled (can be custom)
- Based on built-in queries written by Microsoft security experts
- E.g. "Malware in the recycle bin"
- 👀 Read more: Detect threats out-of-the-box | Microsoft Docs
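- As an added example (not from these notes or from Microsoft's rule templates), a scheduled analytics rule query in KQL that counts failed Windows logons per account and source IP over the rule's lookback window; the threshold, the logon-type filter and the tactic (Credential Access) are assumptions, and the projected columns are the ones you would map to Account, IP and Host entities in the rule wizard:

```kql
// Added example: scheduled rule query for a burst of failed logons (brute-force style activity).
// Assumes the Security Events connector feeds the SecurityEvent table.
// The threshold (20) and the logon-type filter are assumptions; tune them to your environment.
let lookback = 1h;              // match the rule's "Lookup data from the last" setting
let threshold = 20;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625         // "An account failed to log on"
| where LogonType in (3, 10)    // network and RemoteInteractive (RDP) logons only
| summarize FailedCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            FailureReasons = make_set(SubStatus, 10)
    by TargetUserName, TargetDomainName, IpAddress, Computer
| where FailedCount >= threshold
// Columns below are what you map in the rule's entity mapping:
//   Account -> TargetUserName / TargetDomainName, IP -> IpAddress, Host -> Computer
| project TargetUserName, TargetDomainName, IpAddress, Computer,
          FailedCount, FirstSeen, LastSeen, FailureReasons
| order by FailedCount desc
```

Set the rule's query frequency equal to the lookback (here 1h) so consecutive runs do not double-count the same events, and assign the Credential Access tactic so the alert is filterable in the rules list as the notes describe.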
- Enrich alerts with screenshots (e.g. for phishing sites), verdicts, final URLs
- Query results can map to a new URL entity type
- Can configure URL entities in analytics rules
- Detect any anomalous behavior of users and entities by profiling them
- Entities include non-user accounts e.g. computers, services etc.
- Can detect e.g.
  - abuse of privileged identities
  - compromised users and entities
  - insider threats
  - data exfiltration
- E.g. if user downloads 10 MB per day and downloads many GBs it would trigger an alert
- Data sources include:
  - Audit logs
  - Azure activity
  - Security events
  - Sign-in logs
- Used by both Azure Sentinel and Defender for Identity
- Enabled and data is stored inside Sentinel workspace
- No data is saved in Log Analytics workspace
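- The baseline-deviation idea in the bullet above ("10 MB per day, then many GBs"), written out as a KQL query. This is an added illustration, not UEBA's own algorithm: the table `DownloadEvents` with columns `TimeGenerated`, `UserPrincipalName` and `Bytes` is hypothetical, as are the z-score and multiple thresholds.

```kql
// Added example: per-user daily download baseline vs. the last 24 hours.
// DownloadEvents(TimeGenerated, UserPrincipalName, Bytes) is a hypothetical table; point it at your real source.
let lookback = 30d;
let baseline =
    DownloadEvents
    | where TimeGenerated between (ago(lookback) .. ago(1d))
    | summarize DailyBytes = sum(Bytes) by UserPrincipalName, Day = bin(TimeGenerated, 1d)
    | summarize AvgDailyBytes = avg(DailyBytes),
                StdDailyBytes = stdev(DailyBytes),
                DaysObserved = dcount(Day)
        by UserPrincipalName
    | where DaysObserved >= 7;   // do not score users with too little history
DownloadEvents
| where TimeGenerated > ago(1d)
| summarize TodayBytes = sum(Bytes) by UserPrincipalName
| join kind=inner baseline on UserPrincipalName
// z-score against the user's own history; guard against a zero standard deviation
| extend Zscore   = (TodayBytes - AvgDailyBytes) / max_of(StdDailyBytes, 1.0),
         Multiple = TodayBytes / max_of(AvgDailyBytes, 1.0)
| where Zscore > 3 and Multiple > 10   // thresholds are assumptions; tune to your data
| project UserPrincipalName, TodayBytes, AvgDailyBytes, Multiple, Zscore, DaysObserved
| order by Zscore desc
```

Scoring each user against their own history rather than a global threshold is what keeps a heavy but normal user (a backup service account, say) from alerting every day, while a quiet user who suddenly pulls gigabytes stands out.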
- Run built-in queries or own queries with KQL
- You can save queries to run later
- You can add tags
- Azure Sentinel bookmarks
- You can tag and bookmark query results
- Allows you to investigate using investigation map
- Azure Sentinel livestreams
- Allows you to
- 💡 Good to start with creating livestreams and if queries work promote them to creating rules.
- Integrates Jupyter notebooks for hunting using an indeterminate component
- Charged for notebook compute + storage
- Can also save data as HTML/JSON
- ❗️ Requires Azure Machine Learning workspace
- 👀 See GitHub page (Azure/Azure-Sentinel-Notebooks) for open-source library of samples
- Also known as investigation map
- Allows you to investigate entity relationships in incidents
- Displays entity relationships extracted automatically from the raw data
- Requires using "entity mapping fields" in analytics rules
- Helps to automate and integrate across tools
- Can be triggered from an alert or incident investigation
- Can be used for e.g.
- incident management: to open a ticket in Jira/ServiceNow
- enrich investigation:
  - GeoIP lookups
- remediation:
  - block IP address/user access
  - isolate machine
  - trigger conditional access
- 👀 See GitHub page for open-source library of samples
- Done using Logic apps + APIs
- Container for related alerts
- You can
- assign incident to someone
- change its severity
- track and change its status (new, done etc.)
- add bookmarks, tags and comments
- investigate in "Defender for Endpoint"
- Shows data connected to Sentinel
- Also collects data in Log Analytics Workspace
- can execute playbooks for automating tasks such as
- integrating with a ticketing system using logic app
- automatically assigning an incident to someone when it's created
- can be investigated using investigation graphs
- Can use built-in models or bring your own models
- E.g. anomalous RDP detection for unusual IP/geolocation or new user
- Calculates possible kill chain
- Options
- Azure Machine Learning
- Run models hosted in the Azure Sentinel Notebooks
- 💡 Easier, good for small data sets
- Azure Databricks/Apache Spark
- You can
- bring your own data via EventHub or Azure Blobs
- or export the data from Azure Sentinel Log Analytics tables
- 💡 Good for deploying and operating models for larger data
- You can
- Azure Machine Learning
- Used for using own machine learning models
- Works with both Azure Databricks/Apache Spark and Jupyter Notebooks options
- Includes samples, sample data, templates and libraries to communicate with Log Analytics (LA)
- Read more: Bring your own ML | Microsoft Docs
- Helps reduction of noise by preventing alert fatigue
- Bring probabilistic kill chain to find novel attacks using machine learning
- ❗️ Does not work without these data connectors:
  - Azure Active Directory Identity Protection
  - Microsoft Cloud App Security
- 👀 Read more: Reducing security alert fatigue using machine learning in Azure Sentinel | Azure blog
- Azure services
- Azure AD, Activity Logs, AIP, ASC, AzWAF...
- Microsoft 365 Defender, Azure Defender, Microsoft 365 sources
- 3rd parties
- Cloud platforms such as AWS.
- Others e.g. Symantec, Cisco, Citrix...
- Threat intelligence
- Microsoft Host Integration Server (HIS) can be used to integrate IBM solutions.
- Custom
- Azure Sentinel receives custom data over HTTPS (443)
- Supports
  - REST API
  - Common Event Format (CEF)
  - Syslog over port 443
- Other protocols (e.g. syslog on port 514) should use middleware (e.g. a Linux agent) to transform the data and forward it to the Log Analytics REST API over HTTPS
- Log Analytics agent
- Can be installed on physical and Windows/Linux virtual machines
- E.g. can be installed on a Log Analytics server
- 💡 Connector proxy can be deployed if all machines should not be open to Internet
- E.g. Log Analytics gateway for Log Analytics agents
- Custom CSV data you can upload to Azure
- Its data can be used for correlation with the events in Sentinel
- Can be used in search queries, detection rules, threat hunting, and response playbooks
- E.g. using KQL:
  ```kql
  let watchlist = (_GetWatchlist('CustomWatchListName') | project CustomColumnName);
  Heartbeat
  | where ComputerIP in (watchlist)
  ```
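- Beyond filtering with `in`, a watchlist can be joined to bring its extra columns into the result. The following is an added example, not from these notes; the watchlist name `HighValueAccounts` and its columns `UserPrincipalName` and `Tier` are assumptions:

```kql
// Added example: enrich successful sign-ins with a watchlist of high-value accounts,
// then flag accounts seen from more than one country in a day.
// Watchlist name and columns (HighValueAccounts: UserPrincipalName, Tier) are assumptions.
let vip =
    _GetWatchlist('HighValueAccounts')
    | project UserPrincipalName = tolower(UserPrincipalName), Tier;
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"                      // successful sign-ins only
| extend UserPrincipalName = tolower(UserPrincipalName)   // normalise case before the join
| join kind=inner vip on UserPrincipalName
| extend Country = tostring(LocationDetails.countryOrRegion)
| summarize SignIns = count(),
            Countries = make_set(Country),
            SourceIPs = make_set(IPAddress, 20)
    by UserPrincipalName, Tier
| where array_length(Countries) > 1          // same privileged account from several countries
| order by Tier asc, SignIns desc
```

Lower-casing both sides before the join matters because watchlist values are entered by hand while `SigninLogs.UserPrincipalName` comes from the identity provider; a case mismatch silently drops rows.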
- Pay per gigabyte (GB) of data ingested for analysis
- Can purchase Capacity Reservations as a CapEx commitment; up to 60% cheaper.
- Main costs
- Sentinel ingestion
- Log Analytics ingestion
- Storage (retention)
- No charges for queries
- Other (optional) costs for other integrated systems e.g.
- Azure Logic Apps activations
- Azure Notebooks (Jupyter hunting books)
- BYO Machine Learning
- Extract data from tenant
- Additional retention for Log Analytics (after >90 days)
- 👀 See its pricing page and Azure Pricing calculator
- Prerequisites
- Steps
- Enable Azure Sentinel
- Done by connecting Azure Sentinel to an existing Log Analytics workspace
- ❗ Once enabled, workspace cannot be moved to other resource groups or subscriptions.
- Connect your data sources
- Steps: Main menu -> Data connectors -> Open connector page
- Set up threat detection rules
- Enable Azure Sentinel
- 👀 See also: Quickstart: On-board Azure Sentinel | Microsoft Docs
- 👀 See also: Log Analytics Workspace | Monitoring
- Saved for 90 days by default
- ❗️ Max available is 2 years (charged more)
- 💡 For long term storage, export data to storage account
- You can use Table Level retention for different retention settings based on data
- 💡 Use 1 workspace if you can; both for Azure Security Center and Azure Sentinel
- But can use multiple workspaces for e.g. granular access control, regulatory compliance.
- ❗️ You can only connect 1 log analytics workspace at a time
- Can log who runs queries and the query text
- Diagnostic settings -> Audit -> Select workspace / Event Hub / Storage to store logs
- If a workspace is chosen, the information is saved in a table called `LAQueryLogs` in that workspace
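- An added example of using that audit table (not from these notes): once the audit diagnostic setting writes `LAQueryLogs` into the workspace, this KQL summarises who queried sensitive tables and how many rows they pulled. The list of sensitive tables and the row/query thresholds are assumptions.

```kql
// Added example: review access to sensitive tables via the LAQueryLogs audit table.
// Assumes the Audit diagnostic setting targets this workspace.
// The table list and thresholds are assumptions; tune them to your own baseline.
let sensitiveTables = dynamic(["SecurityEvent", "SigninLogs", "AuditLogs", "OfficeActivity"]);
LAQueryLogs
| where TimeGenerated > ago(7d)
| where ResponseCode == 200                    // only queries that actually returned data
| where QueryText has_any (sensitiveTables)
| summarize Queries      = count(),
            RowsReturned = sum(ResponseRowCount),
            ClientApps   = make_set(RequestClientApp),
            SampleQuery  = take_any(QueryText)
    by AADEmail, Day = bin(TimeGenerated, 1d)
| where RowsReturned > 100000 or Queries > 200   // large pulls or unusually chatty users
| order by RowsReturned desc
```

Keeping `RequestClientApp` in the output separates interactive portal use from scheduled rule runs, so the review focuses on people rather than automation.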
Role | Create and run playbooks | Create and edit dashboards, analytic rules, and other Azure Sentinel resources | Manage incidents (dismiss, assign, etc.) | View data, incidents, dashboards and other Azure Sentinel resources |
---|---|---|---|---|
Azure Sentinel Reader | - | - | - | ✔️ |
Azure Sentinel Responder | - | - | ✔️ | ✔️ |
Azure Sentinel Contributor | - | ✔️ | ✔️ | ✔️ |
Azure Sentinel Contributor + Logic App Contributor | ✔️ | ✔️ | ✔️ | ✔️ |