Azure Sentinel
Azure Sentinel is your bird's-eye view of centralized security data and events across an organization, using integrated AI for large-scale threat analysis and response.
It is Microsoft's cloud-based security information and event management (SIEM) and security orchestration, automation, and response (SOAR) tool; it provides security data aggregation, threat analysis, and response across public cloud and on-premises environments.
A SIEM solution collects security log data (security signals), examines that data for patterns that could indicate an attack, and correlates event information to identify potentially abnormal activity. Finally, it raises alerts for any issues found and can automate responses and remediation. The following diagram illustrates this relationship:
Figure 7.11 – Sentinel positioning
Azure Sentinel provides the following core capabilities:
- Collects security data across an organization
- Detects threats through AI-powered threat intelligence
- Investigates threat-generated critical incidents
- Responds through automated reactions and remediations
Azure Sentinel is more than a regular SIEM tool, whose core focus is only to provide visibility of threats by collecting security data; collected data is only as valuable as the analysis that finds threat and attack patterns in it.
Azure Sentinel's remit goes beyond that of traditional SIEM solutions. It provides integrated SOAR capabilities that allow you to orchestrate and automate responses once critical incidents occur, all at the unlimited speed and scale that only a public cloud platform such as Azure can provide. The following diagram outlines these capabilities for an end-to-end (E2E) security operations solution:
Figure 7.12 – Sentinel security operations proposition
An additional benefit to an organization is that, as this is a Microsoft-provided and managed software-as-a-service (SaaS) solution, there is no infrastructure to set up or maintain in order to provide the service. It can unburden teams from non-intelligent, manual SecOps tasks so that they can be retasked to higher-value initiatives and activities.
Implementing Azure Sentinel will increase the attacker's costs while reducing the defender's cost of protecting against these threats and attacks. Some may question whether they can afford these security solutions; the answer can only be a question itself: can your organization afford not to implement these measures?
Azure Sentinel supports several different ways to collect data. It connects natively to Microsoft solutions, for example Microsoft 365 (M365) sources and Azure Active Directory (Azure AD), and it also collects data from non-Microsoft security data sources, along with any source at another cloud provider, SP, or on-premises that emits System Logging Protocol (Syslog) or Common Event Format (CEF) messages, or that exposes a REpresentational State Transfer (REST) API.
After the security data sources are connected to Azure Sentinel, the collected data is stored in the Azure Log Analytics service; Log Analytics workspaces act as the data store for collecting and retaining logs.
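To make the collect-analyze-correlate-alert loop described above concrete, here is an added example (not code from the book or from Microsoft) that parses CEF lines, one of the ingestion formats mentioned, and applies a simple correlation rule: alert when one source address produces several failed logins inside a short window. The CEF lines, vendor and product names, signature IDs and addresses are constructed for this illustration; a real deployment would express the same rule as a Sentinel analytics query over the Log Analytics workspace.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CEF lines (not real telemetry); vendor, product, signature IDs and addresses are made up.
SAMPLE_CEF = """\
CEF:0|ExampleVendor|ExampleFW|1.0|100|Failed login|5|rt=2024-01-01T10:00:00Z src=10.0.0.5 suser=alice
CEF:0|ExampleVendor|ExampleFW|1.0|100|Failed login|5|rt=2024-01-01T10:00:20Z src=10.0.0.5 suser=bob
CEF:0|ExampleVendor|ExampleFW|1.0|100|Failed login|5|rt=2024-01-01T10:00:40Z src=10.0.0.5 suser=carol
CEF:0|ExampleVendor|ExampleFW|1.0|101|Login success|3|rt=2024-01-01T10:02:00Z src=10.0.0.9 suser=dave
"""

HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

def parse_cef(line):
    """Parse one CEF line: seven pipe-delimited header fields followed by a key=value extension."""
    # Header pipes are escaped as '\|' in CEF, so split only on unescaped pipes.
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line!r}")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["version"] = event["version"].split(":", 1)[1]
    # Extension values may contain spaces, so a value runs until the next ' key=' or end of line.
    event["ext"] = dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7]))
    return event

def parse_cef_lines(text):
    """Collect step: turn a block of raw CEF text into a list of normalized event dicts."""
    return [parse_cef(line) for line in text.splitlines() if line.strip()]

def correlate_failed_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Correlate step: one alert per source that produces `threshold` failed logins (signature 100) within `window`."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["signature_id"] == "100":
            seen = datetime.strptime(ev["ext"]["rt"], "%Y-%m-%dT%H:%M:%SZ")
            by_src[ev["ext"]["src"]].append((seen, ev["ext"].get("suser", "?")))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        for i in range(len(hits) - threshold + 1):
            burst = hits[i:i + threshold]
            if burst[-1][0] - burst[0][0] <= window:
                alerts.append({"src": src, "first_seen": burst[0][0].isoformat(),
                               "users": sorted({u for _, u in burst})})
                break  # one incident per source; a real SIEM would also suppress repeats
    return alerts

if __name__ == "__main__":
    for alert in correlate_failed_logins(parse_cef_lines(SAMPLE_CEF)):
        print("ALERT repeated failed logins from one source:", alert)
```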
In this section, we looked at security operations using Azure Sentinel. The following section looks at the Azure Security Center service, which provides Azure’s security-posture management capabilities.