Azure Sentinel provides intelligent, cloud-scale security analytics across your entire enterprise. Our expert Chris Allen explains how it works and what it has to do with Lord of the Rings.
Imagine sticking the Eye of Sauron, the all-seeing eye, in your enterprise estate. You could see all the sneaky little hobbitses trying to steal your precious! Well, now you can, thanks to the almighty Azure Sentinel.
In short, Azure Sentinel is a jacked-up Eye of Sauron looking over everything that happens, flagging hobbits that look like Frodo (security alerts) and automatically responding with orcs (quarantine, block, escalation, etc.).
It works by doing four main things:
First things first, you need to start connecting your security resources to Azure Sentinel. It being a Microsoft product, the Microsoft integrations are readily available; non-Microsoft sources can be connected via common event formats such as Syslog. More info on Microsoft and external service connections here.
Because Azure Sentinel uses machine learning and user behaviour analytics, it detects threats fast.
All of this information then gets populated into a pretty dashboard, giving you the likes of events and alerts over time, potentially malicious events, recent cases and data source anomalies.
When Sauron found out where Frodo was, he sent out the airborne Nazgûl to investigate and hunt him down. In this case Azure Sentinel has deep investigation tools to turn over rocks, understand the scope and find potential root causes.
The investigation above initially started from an alert of a failed login attempt from a user on a specific host. Azure Sentinel then analysed the data associated with that user to find additional insights and related alerts, bringing up notifications of suspicious PowerShell scripts, odd sign-ins and mass downloads by the same user, showing the full scope of what occurred and helping to paint a bigger picture.
Investigating alerts is reactive, but organisations should also be proactive about security.
Azure Sentinel has a 'Hunting' feature (yes, the option is actually called Hunting) where you can run powerful queries, both built-in and bespoke, to scour the mountains of data you have for anomalies, suspicious activity and more.
There is a lot more information with respect to queries, but it all goes over my head, so click here for more information.
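As an added example (not from the original post or from Microsoft's built-in hunting queries), here is a KQL hunting query of the kind described above. It looks for the pattern the investigation section walked through: a burst of failed logons against one account on one host, followed by a successful logon on that host within the hour. Table and column names (SecurityEvent, EventID, Account, Computer, IpAddress, LogonType) are the standard ones for the Windows security events connector; the lookback window and failure threshold are assumed values to tune for your own estate.

```kql
// Assumed tuning values: adjust the window and threshold per estate
let lookback  = 24h;
let threshold = 10;
// Accounts that racked up repeated failed logons (4625) on a single host
let failures =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | summarize FailedCount = count(),
                FirstFail   = min(TimeGenerated),
                LastFail    = max(TimeGenerated),
                SourceIPs   = make_set(IpAddress, 20)
          by Account, Computer
    | where FailedCount >= threshold;
// Successful logons (4624) over the network or RDP; interactive console
// logons are excluded to cut noise from local administrators
let successes =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624
    | where LogonType in (3, 10)
    | project Account, Computer,
              SuccessTime = TimeGenerated,
              SuccessIP   = IpAddress;
// Flag the account/host pairs where a success followed the failure burst
failures
| join kind=inner successes on Account, Computer
| where SuccessTime between (LastFail .. (LastFail + 1h))
| project Account, Computer, FailedCount, FirstFail, LastFail,
          SuccessTime, SuccessIP, SourceIPs
| order by FailedCount desc
```

Each row is a candidate for the investigation graph described earlier: pivot on Account and SuccessIP to pull in related sign-in, PowerShell and download activity before deciding whether a playbook should act.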
Built on the foundation of Azure Logic Apps, you are able to orchestrate automated responses based on rules you have set.
These procedures are known as security playbooks, which run in response to an alert; they are highly customisable to most scenarios.