Intelligent Cloud Security with Azure Sentinel

Azure Sentinel provides intelligent, cloud-scale security analytics across your entire enterprise. Our expert Chris Allen explains how it works and what it has to do with Lord of the Rings.

Imagine sticking The Eye of Sauron, the all-seeing eye, in your enterprise estate? You could see all the sneaky little hobbitses trying to steal your precious! Well now you can thanks to the almighty Azure Sentinel.

• Azure Sentinel is a cloud-native (so scalable) SIEM (Security Information event management) and SOAR (Security Orchestration Automated Response) solution.
• SIEM - Real-time analysis of security alerts/logs
• SOAR - Automate responses to security threats

In short, Azure Sentinel is jacked up Eye of Sauron looking over everything that happens, flagging hobbits that look like Frodo (security alerts) and automatically responding with orcs (quarantine, block, escalation etc.).

It works by doing 4 main things:

First things first you need to start connecting your security resources to Azure Sentinel, obviously it being a Microsoft product the Microsoft integrations are readily available but when it comes to non-MS stuff you can connect these via common event formats (e.g. Syslog). More info on Microsoft and external service connections here.

As Azure Sentinel is using the wonderful thing of Machine learning and user analytics, it detects threats fast.

1. Based on the security analytic rules, when a match is detected, Azure Sentinel sends the alerts to Azure ATP.
2. Azure ATP checks which user entities are related to the alerts and calculates the investigation priority for those users.
3. Azure ATP then recalculates the score of the users after it is enriched with data from your analytics rules for Azure Sentinel.

All of this information then gets populated into a pretty dashboard. Giving you the likes of Events and alerts overtime, potential malicious events, recent cases and data source anomalies.

When Sauron found out where Frodo was, he would send out the air-borne Nazgul's to investigate and hunt him down, in this case Azure Sentinel has deep investigation tools to turnover rocks, understand the scope and find potential route causes.

The above initially started from an alert of a failed login attempt from a user on a specific host. Next Azure Sentinel analyzed the data associated with the user to find additional insights and related alerts bringing up notifications of suspicious Powershell script's, odd sign-in's and mass downloads from said user bringing fall scope of what occurred to help paint a bigger picture.

Investigating alerts is reactive, but organizations should be proactive about security also.

Azure Sentinel has a 'Hunting' feature (yes, the option is actually called Hunting) where you can run powerful queries both built-in or bespoke to scour the mountains of data you have for anomalies, suspicious activity and more.

There is a lot more information with respect to queries but it all goes over my head so click here for more information

Built on the foundation of Azure Logic Apps you are able to orchestrate automated responses based on rules you have set.

Alert in Azure Sentinel?

1. Create record in ServiceNow
2. Post message in Security Teams Channel
3. Send approval Email
4. Block user in Azure AD
5. Block IP on Firewall
6. Etc.

These procedures are known as security playbooks which are used in response to an alert, they are highly customizable to most scenarios.