Praveen Kumar

Microsoft Azure Sentinel

If you work in a SOC or DevSecOps role in cloud environments, you are responsible for ensuring that the organization has solid security management capabilities.

Two topics come up here: SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response).

For both SIEM and SOAR, Microsoft Azure Sentinel is a public-cloud solution that covers these needs with minimal administration and a flexible pricing model.

SIEM: A tool that an organization uses to collect, analyze, and perform security operations on its computer systems. Those systems can be hardware appliances, applications, or both.

Log management: The ability to collect, store, and query the log data from resources within your environment

Alerting: A proactive look inside the log data for potential security incidents and anomalies

Visualization: Graphs and dashboards that provide visual insights into your log data

Incident management: The ability to create, update, assign, and investigate incidents that have been identified

Querying data: A rich query language, similar to that for log management, that you can use to query and understand your data

In general terms, Microsoft Sentinel is a cloud-native SIEM system that a SOC uses to:

  • Get insights across the enterprise by collecting data
  • Detect and investigate threats by using advanced built-in machine learning and Microsoft threat intelligence
  • Automate responses by using playbooks; Sentinel natively incorporates Azure Logic Apps and Log Analytics, which extends its capabilities
  • Unlike a traditional SIEM, there is nothing to install on servers or on-premises

Microsoft Sentinel is a service that you deploy in Azure. You can get up and running with Sentinel in just a few minutes in the Azure portal.

Four Stages of Sentinel

  • Collect (Visibility)
  • Detect (Analytics, Hunting)
  • Investigate (Incidents)
  • Respond (Automations)


Collect Data

  • Sentinel collects data on all users, devices, applications, and infrastructure, both on-premises and across multiple cloud environments. It can easily connect to security sources out of the box
  • Several connectors are available for Microsoft solutions that provide real-time integration
  • It also includes built-in connectors for third-party (non-Microsoft) products and services. The many available data connectors include:
    • Syslog
    • Common Event Format (CEF)
    • Trusted Automated eXchange of Indicator Information (TAXII), for threat intelligence
    • Azure
    • AWS
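To make the CEF connector concrete, here is an added example (my own code, not from the original post or from Microsoft) of what a Syslog/CEF line looks like and how its header and extension fields are pulled apart before they land in a log table. The sample lines are constructed, the vendor and product names are placeholders, and the parser follows the CEF escaping rules for `|`, `\` and `=` inside field values:

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines (not captured from a real device). The first carries the
# syslog header that a forwarder prepends before the "CEF:" marker.
SAMPLE_CEF_LINES = [
    "<134>Jan 18 11:07:53 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Blocked outbound connection|7|"
    "src=10.0.0.5 dst=203.0.113.9 dpt=4444 act=blocked msg=Policy\\=egress-deny rt=1705576073000",
    "CEF:0|Acme|IDS|2.3|2001|Suspicious \\| pipe in name|5|src=10.0.0.7 cs1Label=Rule cs1=Test rule with spaces",
]

HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]

# An extension key is a run of word characters followed by "=", at the start of the
# extension or right after whitespace; an escaped "\=" inside a value never starts a key.
_KEY_RE = re.compile(r"(?:(?<=\s)|^)([\w.\-]+)=")


def _unescape(value: str) -> str:
    r"""Undo CEF escaping: \= -> =, \\ -> \, \n and \r -> line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(text: str) -> Tuple[List[str], str]:
    """Split the seven header fields on unescaped '|' and return them plus the extension text."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped '|' or '\' inside a header field
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7 and buf:                   # line ended without a trailing '|'
        fields.append("".join(buf))
    if len(fields) != 7:
        raise ValueError(f"expected 7 CEF header fields, got {len(fields)}")
    return fields, text[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'key=value key2=value with spaces' into a dict, honouring escapes."""
    ext = ext.strip()
    keys = list(_KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip())
    return result


def parse_cef(line: str) -> dict:
    """Parse one syslog/CEF line into header fields, extensions and the syslog prefix."""
    marker = line.find("CEF:")
    if marker < 0:
        raise ValueError("no CEF: marker in line")
    header, ext = _split_header(line[marker + 4:])
    event = dict(zip(HEADER_FIELDS, header))
    if event["severity"].isdigit():               # CEF allows 0-10 or words such as "High"
        event["severity"] = int(event["severity"])
    event["syslog_prefix"] = line[:marker].strip()
    event["extensions"] = _parse_extension(ext)
    return event


def parse_many(lines: List[str]) -> List[dict]:
    """Parse a batch of lines, skipping ones that are not valid CEF."""
    events = []
    for line in lines:
        try:
            events.append(parse_cef(line))
        except ValueError:
            continue
    return events


if __name__ == "__main__":
    for ev in parse_many(SAMPLE_CEF_LINES):
        print(ev["device_vendor"], ev["name"], ev["severity"], ev["extensions"])
```

The escaping matters in practice: a device that emits an unescaped `|` in an event name, or an unescaped `=` in a message, produces rows with shifted header fields or truncated values, which is one of the first things to check when a CEF source looks wrong after ingestion.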


Detect Threats

  • Sentinel detects threats and minimizes false positives by using analytics and threat intelligence drawn directly from Microsoft. Analytics plays a major role in correlating alerts into incidents that the security team then investigates
  • It provides built-in templates, directly out of the box, to create threat detection rules and automate threat responses

Investigate Suspicious Activities

  • Sentinel can investigate and hunt for suspicious activities across the environment. It helps reduce noise and hunt for security threats
  • It uses artificial intelligence to proactively identify threats before an alert is triggered, across the protected assets, to detect suspicious activities

Respond

  • Built-in orchestration lets you react smoothly and respond quickly to incidents, and common, frequent tasks can easily be converted into automation
  • It supports simplified security orchestration with playbooks

Major key components we can utilize in Sentinel

Data connectors (covered above)

Log retention


  • After it has been ingested into Microsoft Sentinel, your data is stored using Log Analytics
  • KQL (Kusto Query Language) is a rich query language that gives you the power to dive into your data and gain insights from it

Workbooks


  • You can use workbooks to visualize your data within Microsoft Sentinel. Think of them as dashboards
  • Each component in the dashboard is built on an underlying KQL query of your data
  • You can use the built-in workbooks within Microsoft Sentinel and edit them to meet your own needs, or create your own workbooks from scratch

Analytics alerts


  • So far you have your logs and some data visualization
  • Now it's a good time to add proactive analytics across your data, so you're notified when something suspicious occurs
  • You can enable built-in analytics alerts within your Sentinel workspace
  • Many types of alerts are available. You can also create custom, scheduled alerts from scratch
  • Other alerts are built on machine-learning models that are proprietary to Microsoft
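The "Detect Threats" and "Analytics alerts" sections both describe scheduled rules that query the stored data and raise alerts with entities attached. The following added example (my own code, not from the original post or from Microsoft) implements one such rule over constructed sign-in rows: it looks back over a fixed window, counts failed sign-ins per (IP, account) pair, and raises the severity when a success follows the failures. The `SigninLogs` KQL in the comment is the query I would expect the equivalent scheduled rule to run; the table and column names are real, but the rule itself is an assumption of this example. The event data, the fixed clock and the threshold are all constructed:

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# KQL I would expect the equivalent scheduled analytics rule to run against SigninLogs
# (assumption of this example; the Python below implements the same logic over sample rows):
#   SigninLogs
#   | where TimeGenerated > ago(1h)
#   | summarize Failures = countif(ResultType != "0"),
#               LastFailure = maxif(TimeGenerated, ResultType != "0"),
#               LastSuccess = maxif(TimeGenerated, ResultType == "0")
#               by IPAddress, UserPrincipalName
#   | where Failures >= 5


@dataclass
class SigninEvent:
    time_generated: datetime
    user_principal_name: str
    ip_address: str
    result_type: str          # "0" means success; any other code is a failure


@dataclass
class Alert:
    rule_name: str
    severity: str
    entities: Dict[str, str]  # account and IP entities an incident can be built around
    evidence_count: int
    description: str


NOW = datetime(2024, 1, 18, 12, 0, tzinfo=timezone.utc)   # fixed "rule run time" for the sample


def _ago(minutes: int) -> datetime:
    return NOW - timedelta(minutes=minutes)


# Constructed sign-in rows (not real tenant data). 50126 is the Entra ID code for a bad password.
SAMPLE_EVENTS: List[SigninEvent] = (
    [SigninEvent(_ago(30 - i), "alice@contoso.example", "198.51.100.23", "50126") for i in range(6)]
    + [SigninEvent(_ago(23), "alice@contoso.example", "198.51.100.23", "0")]      # success after failures
    + [SigninEvent(_ago(10 - i), "bob@contoso.example", "203.0.113.5", "50126") for i in range(2)]
    + [SigninEvent(_ago(40 - i), "carol@contoso.example", "198.51.100.23", "50126") for i in range(5)]
    + [SigninEvent(_ago(200 - i), "alice@contoso.example", "198.51.100.23", "50126") for i in range(10)]  # outside lookback
)


def run_failed_signin_rule(events: List[SigninEvent], now: datetime,
                           lookback: timedelta = timedelta(hours=1),
                           threshold: int = 5) -> List[Alert]:
    """Scheduled rule: flag (IP, account) pairs with >= threshold failures in the lookback window.
    A success that follows the failures raises the severity, since a guess may have landed."""
    window_start = now - lookback
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    successes: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        if not (window_start <= e.time_generated <= now):
            continue                                  # only the rule's lookback period is queried
        key = (e.ip_address, e.user_principal_name)
        (successes if e.result_type == "0" else failures)[key].append(e.time_generated)

    alerts = []
    for (ip, account), times in failures.items():
        if len(times) < threshold:
            continue
        last_failure = max(times)
        succeeded_after = any(t > last_failure for t in successes.get((ip, account), []))
        alerts.append(Alert(
            rule_name="Failed sign-ins followed by success" if succeeded_after else "Repeated failed sign-ins",
            severity="High" if succeeded_after else "Medium",
            entities={"account": account, "ip": ip},
            evidence_count=len(times),
            description=f"{len(times)} failed sign-ins for {account} from {ip} "
                        f"in the last {int(lookback.total_seconds() // 60)} minutes"
                        + (", followed by a successful sign-in" if succeeded_after else ""),
        ))
    return sorted(alerts, key=lambda a: (a.severity != "High", a.entities["account"]))


if __name__ == "__main__":
    for alert in run_failed_signin_rule(SAMPLE_EVENTS, NOW):
        print(f"[{alert.severity}] {alert.rule_name}: {alert.description}")
```

Two points carry over to real rules: the lookback window decides what the rule can see at all (the older burst of failures in the sample is invisible to a one-hour rule), and the entities attached to the alert are what later lets incidents be grouped and investigated rather than the free-text description.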

Threat hunting


  • There are built-in hunting queries that analysts can use
  • Analysts can also create their own queries

Incidents and investigations


  • When an alert that you've enabled is triggered, an incident is created
  • You can perform standard incident management tasks, such as changing the status or assigning incidents to individuals for investigation
  • Microsoft Sentinel also has investigation functionality, so you can visually investigate incidents by mapping entities across log data along a timeline

Automation playbooks


  • With the ability to respond to incidents automatically, you can now automate some of your security operations and make your SOC more productive
  • Sentinel lets you create automated workflows, or playbooks, in response to events. This functionality can be used for incident management, enrichment, investigation, or remediation. These capabilities are often referred to as security orchestration, automation, and response (SOAR)
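The "Incidents and investigations" and "Automation playbooks" sections describe the chain from alerts to incidents to automated actions. The added example below (my own code, not from the original post or from Microsoft) models that chain end to end: alerts that share an entity are grouped into one incident, the incident takes the highest severity, and an automation rule assigns it and runs an enrichment playbook that checks its IP entities against a threat-intelligence list. The alerts, the TI indicators, the owner names and the triage policy are all constructed for the example; only the incident states New, Active and Closed are taken from Sentinel:

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Set

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed alerts, shaped like the output of analytics rules (not real Sentinel data).
SAMPLE_ALERTS = [
    {"id": "a1", "rule": "Failed sign-ins followed by success", "severity": "High",
     "entities": {"account": "alice@contoso.example", "ip": "198.51.100.23"}},
    {"id": "a2", "rule": "Repeated failed sign-ins", "severity": "Medium",
     "entities": {"account": "carol@contoso.example", "ip": "198.51.100.23"}},
    {"id": "a3", "rule": "Antivirus detection on workstation", "severity": "Medium",
     "entities": {"host": "wks-042"}},
]

# Constructed threat-intelligence indicators, standing in for a TAXII feed or watchlist.
TI_INDICATORS = {"198.51.100.23": "credential-stuffing source (constructed indicator)"}


@dataclass
class Incident:
    id: int
    title: str
    severity: str
    status: str = "New"              # Sentinel incident states: New, Active, Closed
    owner: str = "unassigned"
    alerts: List[dict] = field(default_factory=list)
    entities: Dict[str, Set[str]] = field(default_factory=dict)
    comments: List[str] = field(default_factory=list)


def group_alerts(alerts: List[dict]) -> List[Incident]:
    """Alert grouping: alerts that share any entity value are merged into one incident,
    which takes the highest severity and the title of its most severe alert."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        parent[find(a)] = find(b)

    for alert in alerts:
        nodes = ["alert:" + alert["id"]] + [f"{k}:{v}" for k, v in alert["entities"].items()]
        for node in nodes[1:]:
            union(nodes[0], node)

    groups: Dict[str, List[dict]] = {}
    for alert in alerts:
        groups.setdefault(find("alert:" + alert["id"]), []).append(alert)

    incidents, ids = [], count(1)
    for members in groups.values():
        top = max(members, key=lambda a: SEVERITY_RANK[a["severity"]])
        inc = Incident(id=next(ids), title=top["rule"], severity=top["severity"], alerts=members)
        for a in members:
            for kind, value in a["entities"].items():
                inc.entities.setdefault(kind, set()).add(value)
        incidents.append(inc)
    return incidents


def enrichment_playbook(inc: Incident) -> bool:
    """Playbook: look up the incident's IP entities against threat intelligence and
    record every match as an incident comment. Returns True when anything matched."""
    hits = sorted(ip for ip in inc.entities.get("ip", set()) if ip in TI_INDICATORS)
    for ip in hits:
        inc.comments.append(f"TI match for {ip}: {TI_INDICATORS[ip]}")
    return bool(hits)


def apply_automation_rules(incidents: List[Incident]) -> List[Incident]:
    """Automation rules evaluated when an incident is created: High severity goes straight
    to the on-call tier-2 analyst and runs the enrichment playbook; the rest queue for tier 1."""
    for inc in incidents:
        if SEVERITY_RANK[inc.severity] >= SEVERITY_RANK["High"]:
            inc.owner, inc.status = "tier2-oncall", "Active"
            if enrichment_playbook(inc):
                inc.comments.append("Escalated: entity matched threat intelligence")
        else:
            inc.owner = "tier1-queue"
    return incidents


def triage(alerts: List[dict]) -> List[Incident]:
    """Full flow: alerts -> grouped incidents -> automation rules and playbooks."""
    return apply_automation_rules(group_alerts(alerts))


if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS):
        print(f"Incident {inc.id} [{inc.severity}/{inc.status}] {inc.title} -> {inc.owner}")
        for c in inc.comments:
            print("   ", c)
```

Grouping by shared entity is what keeps the two sign-in alerts from the same source address from becoming two separate tickets, and writing the playbook's findings back as incident comments is what makes the automation visible to the analyst who later opens the incident.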

To be continued...
