Before getting into Azure Sentinel, you should ask three questions: What is Azure Sentinel? Why does an organization need it? And how do you deploy it?
In this blog, I will cover everything you should know about Azure Sentinel.
This blog covers:
- Overview
- Introduction
- Lifecycle
- Features of Azure Sentinel
- Components of Azure Sentinel
- How to deploy Azure Sentinel
- Conclusion
Overview:
We will cover all the topics, but I want you to know about SIM and SEM first, so let’s talk about them before coming to the main topic.
SIM stands for Security Information Management and SEM stands for Security Event Management. Combined, SIM + SEM is known as SIEM: Security Information and Event Management. A SIEM gathers information from all sorts of sources, including on-premises, cloud, or any other place you can imagine where your data is present, and then detects, investigates and responds to activity when required.
Introduction:
Azure Sentinel is a cloud-based SIEM solution. The ability to collect, detect, investigate and respond is the heart of Azure Sentinel. It gives a bird’s-eye view across everything you have set up in Azure. Because so much data flows through an organization, it often loses track of some of it. Sentinel keeps that bird’s-eye view over your enterprise and helps make sure your data is not compromised. The information is stored in an Azure Monitor Log Analytics workspace. Sentinel continuously collects, detects, investigates and responds to threats, keeping your enterprise safe.
Lifecycle:
The life of Azure Sentinel starts with understanding what information is available to us, then how we look into it, followed by investigation when we see evidence of things that may or may not be usual, and finally responding to the unusual activity uncovered by that investigation.
Undoubtedly, it is a complicated technology, but we have to understand why it is essential for an organization to consider deploying it. It is essential because of the elements in its lifecycle.
- Collect: we can reach out and get information from various systems, endpoints, devices, servers, workstations, mobile platforms, and our on-premises, cloud-based and multi-cloud infrastructure. With the help of data connectors, we can reach out to other clouds, integrate and pull the information into Azure Sentinel.
- Detect: we can detect millions of different events across the globe in real time using artificial intelligence, machine learning, and advanced analytics capabilities.
- Investigate: not only detect, but also investigate the information across the globe using artificial intelligence and machine learning.
- Respond: Microsoft looks at all sorts of information every day and tells us how to understand our system in the best possible way. If there is an issue, the system will know what action we have to take, or how we have to respond, to address the issue and minimize its potential impact.
A playbook can help you automate and coordinate your threat response; it can integrate with other internal and external systems, and it can be set to execute automatically in response to certain warnings or incidents prompted by analytics or automation rules, respectively. It can also be run manually from the incidents page in response to alerts.
Features of Azure Sentinel:
There are many SIEM tools on the market. Still, Azure Sentinel is designed to take care of even a tiny possibility of a security loophole and ensure a secure environment.
A few key features to note are:
- Log management and gathering data from across your enterprise.
- Enhanced threat detection.
- Security automation and security orchestration in one place.
- Automation of repetitive tasks and of incident response.
It offers many features, and for all of them AI is the key. With the use of AI, Sentinel surfaces suspicious activity within your cloud services.
Components of Azure Sentinel:
There are nine significant components:
- Dashboards: Provide a visualization of data gathered from different sources, enabling the security team to look into events generated by those services.
- Cases: A collection of evidence related to a specific investigation is known as a case. It can contain more than one alert, based on the analytics defined.
- Hunting: As the name suggests, it is responsible for performing proactive threat analysis across the environment.
- Notebooks: Sentinel integrates with Jupyter Notebooks, giving a lot of scope for using libraries and modules for ML, visualization, etc.
- Data Connectors: Built-in connectors are available to bring in data from Microsoft products and partners.
- Playbooks: A playbook is like a guide that contains a collection of procedures to execute in response to an alert triggered by Sentinel.
- Analytics: Enables users to create custom alerts using KQL (Kusto Query Language).
- Community: The community page contains sample queries for hunting, playbooks, and other content. It is a GitHub-based Azure Sentinel page covering different data sources.
- Workspace: A Log Analytics workspace, or simply Workspace, is a container that holds data and configuration information. Sentinel uses it to store data collected from different sources.
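To make the Hunting and Analytics components concrete, here is an added example of a scheduled analytics rule query written in KQL. It is not code from the original post or from Microsoft’s rule templates; it assumes the Azure Active Directory data connector is feeding the SigninLogs table, and the names lookback, failureThreshold, failures and successes are my own. It flags a source IP address that produced many failed sign-ins and then succeeded for one of the same accounts, a pattern worth an analyst’s attention.

```kql
// Added example, not from the original post: an analytics rule query that pairs
// a burst of failed sign-ins from one IP with a later successful sign-in for
// one of the accounts it was failing against.
// Assumes the Azure AD connector populates SigninLogs (ResultType "0" = success).
let lookback = 1h;             // matches the rule's scheduled run frequency
let failureThreshold = 10;     // tune to your environment's normal failure rate
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                       // any non-zero ResultType is a failure
    | summarize FailedCount = count(),
                FailedAccounts = make_set(UserPrincipalName, 50),
                FirstFailure = min(TimeGenerated)
        by IPAddress
    | where FailedCount >= failureThreshold;
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress, UserPrincipalName;
failures
| join kind=inner successes on IPAddress
| where SuccessTime > FirstFailure                  // success must come after the failures began
| where set_has_element(FailedAccounts, UserPrincipalName)
| project TimeGenerated = SuccessTime, IPAddress, UserPrincipalName, FailedCount, FailedAccounts
```

Running the same query from the Hunting page gives an analyst an ad-hoc view of the pattern; saving it as a scheduled analytics rule with the run frequency equal to the lookback window turns each result row into an alert without double-counting the same sign-ins. When creating the rule, map UserPrincipalName to the Account entity and IPAddress to the IP entity so the resulting case carries both for investigation.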
How to deploy Azure Sentinel
Before coming to actual deployment, there are a few prerequisites you need to take care of:
- You must have an active Azure subscription.
- A Log Analytics workspace.
- To enable this service, you need Contributor permissions on the subscription in which the workspace resides.
- To use this service, you need either the Contributor or the Reader role on the resource group to which the workspace belongs.
- You cannot use it in the China or Germany regions.
Enable Azure Sentinel
Sign in to the Azure portal, then search for and select Azure Sentinel:
Choose an existing workspace or create a new one. You can run Sentinel on multiple workspaces, but the data is only stored in one of them.
To create a workspace: in the Azure portal, in the Search resources, services, and docs text box at the top of the page, type Log Analytics workspaces and press the Enter key.
Create the Log Analytics workspace:
Connect Data Source
Azure Sentinel ingests data from services and apps by connecting to the service and having it pass its events and logs to Sentinel. You can deploy the Log Analytics agent on both physical and virtual machines, where it collects logs and sends them to Azure Sentinel. For firewalls and proxies, you install the Log Analytics agent on a Linux Syslog server, from which the agent gathers the log files and passes them to Azure Sentinel.
- Select Data connectors from the main menu. This brings up a gallery of data connectors.
- The gallery lists all the data sources that you can use. Select a data source, then click the Open connector page button.
- The connector page includes instructions for setting up the connector and any further steps that may be required.
- The Next steps tab on the connector page displays the data connector’s built-in workbooks, example queries, and analytics rule templates. You can use them as-is or tweak them; either way, you’ll get useful insights into your data right away.
After you connect your data sources, your data begins to flow into Azure Sentinel and is ready for you to work with. To explore the data, you can browse the logs in the built-in workbooks and start writing queries in Log Analytics.
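A check a practitioner wants right after connecting a source is confirmation that data is really arriving. Here is an added KQL query for that, not code from the original post or from Microsoft: it assumes the Log Analytics agent on the Linux Syslog server described above populates the Heartbeat and Syslog tables, and the names window, agents, syslogVolume and Status are my own. It lists every agent that has reported in and flags forwarders that are alive but sending no Syslog, or whose Syslog has gone stale.

```kql
// Added example, not from the original post: verify that a newly connected
// Syslog forwarder (firewall/proxy path) is delivering events to the workspace.
// Assumes the Log Analytics agent writes to Heartbeat and Syslog.
let window = 1h;
let agents =
    Heartbeat
    | where TimeGenerated > ago(window)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer;
let syslogVolume =
    Syslog
    | where TimeGenerated > ago(window)
    | summarize Events = count(),
                Facilities = make_set(Facility),
                LastEvent = max(TimeGenerated)
        by Computer;
agents
| join kind=leftouter syslogVolume on Computer     // keep agents even if no Syslog arrived
| extend EventCount = coalesce(Events, 0)
| extend Status = case(EventCount == 0,       "agent alive, no syslog received",
                       LastEvent < ago(15m),  "syslog stale",
                                              "ok")
| project Computer, LastHeartbeat, EventCount, Facilities, LastEvent, Status
| order by EventCount asc
```

Run it in Log Analytics a few minutes after finishing the connector page; a forwarder showing "agent alive, no syslog received" usually means the agent is installed but the firewall or proxy is not yet pointed at it, while "syslog stale" points at a source that stopped sending after an initial burst.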
Conclusion:
Azure Sentinel is a cloud-native SIEM tool that has the features of both SIEM and SOAR solutions, and is a scalable solution for detecting, investigating, and responding to threats. It allows customers to spot potential problems sooner. Machine learning is used to reduce risk and detect anomalous activity. It is all about bringing everything we want to see together in order to reduce false positives and eliminate issues, which has historically been a difficult problem to solve.
The post Introduction to Azure Sentinel and Steps to Setup appeared first on Cloud Training Program.