Omnipresent Level Security Through the
‘All-Seeing’ - Azure Sentinel

Intelligent Cloud Security with Azure Sentinel

  • Chris Allen
  • Managed Cloud, Publisher Advisory, Managed Security
  • Azure, Azure Sentinel

Azure Sentinel provides intelligent, cloud-scale security analytics across your entire enterprise. Our expert Chris Allen explains how it works and what it has to do with Lord of the Rings.

"The Eye was rimmed with fire, but was itself glazed, yellow as a cat's, watchful and intent, and the black slit of its pupil opened on a pit, a window into nothing"

Imagine sticking the Eye of Sauron, the all-seeing eye, in your enterprise estate. You could see all the sneaky little hobbitses trying to steal your precious! Well, now you can, thanks to the almighty Azure Sentinel.

  • Azure Sentinel is a cloud-native (so scalable) SIEM (Security Information Event Management) and SOAR (Security Orchestration Automated Response) solution.
  • SIEM - Real-time analysis of security alerts/logs
  • SOAR - Automate responses to security threats

In short, Azure Sentinel is a jacked-up Eye of Sauron looking over everything that happens, flagging hobbits that look like Frodo (security alerts) and automatically responding with orcs (quarantine, block, escalation, etc.).

It works by doing 4 main things:

The All-Seeing Eye of Azure Sentinel, source: Microsoft

Connect to Collect

First things first: you need to start connecting your security resources to Azure Sentinel. As it is a Microsoft product, the Microsoft integrations are readily available, and non-Microsoft sources can be connected via common event formats (e.g. Syslog). More info on Microsoft and external service connections here.

Azure Sentinel Data Connectors, source: Microsoft

Detect the Sneaky Hobbitses

Because Azure Sentinel uses machine learning and user analytics, it detects threats fast.

  1. Based on the security analytic rules, when a match is detected, Azure Sentinel sends the alerts to Azure ATP.
  2. Azure ATP checks which user entities are related to the alerts and calculates the investigation priority for those users.
  3. Azure ATP then recalculates the score of the users after it is enriched with data from your analytics rules for Azure Sentinel.

All of this information then gets populated into a pretty dashboard, giving you the likes of events and alerts over time, potential malicious events, recent cases and data source anomalies.

Azure Sentinel Dashboard, source: Microsoft

Investigate Using the Nazgul

When Sauron found out where Frodo was, he would send out the airborne Nazgul to investigate and hunt him down. In this case, Azure Sentinel has deep investigation tools to turn over rocks, understand the scope and find potential root causes.

Azure Sentinel Investigation, source: Microsoft

The above started from an alert of a failed login attempt from a user on a specific host. Next, Azure Sentinel analyzed the data associated with the user to find additional insights and related alerts, bringing up notifications of suspicious PowerShell scripts, odd sign-ins and mass downloads from said user. This brings the full scope of what occurred into view and helps paint a bigger picture.

Begin the Hunt

Investigating alerts is reactive, but organizations should also be proactive about security.

Azure Sentinel has a 'Hunting' feature (yes, the option is actually called Hunting) where you can run powerful queries, either built-in or bespoke, to scour the mountains of data you have for anomalies, suspicious activity and more.

There is a lot more information with respect to queries, but it all goes over my head, so click here for more information.
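
To make the idea of a bespoke hunting query concrete, here is an added example (not from the original article or from Microsoft) written in the Kusto Query Language that Sentinel hunting uses. It looks for a burst of failed sign-ins followed by a success from the same user and IP address. The rows are constructed sample data shaped like a subset of the `SigninLogs` table, and the thresholds are assumptions to tune per environment.

```kusto
// Constructed sample rows, shaped like a subset of the SigninLogs columns.
// ResultType "0" is a successful sign-in; any other code is a failure.
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string,
                              IPAddress:string, ResultType:string)
[
    datetime(2019-04-17 09:00:05), "frodo@contoso.example", "203.0.113.10", "50126",
    datetime(2019-04-17 09:00:21), "frodo@contoso.example", "203.0.113.10", "50126",
    datetime(2019-04-17 09:00:40), "frodo@contoso.example", "203.0.113.10", "50126",
    datetime(2019-04-17 09:01:02), "frodo@contoso.example", "203.0.113.10", "50126",
    datetime(2019-04-17 09:01:30), "frodo@contoso.example", "203.0.113.10", "50126",
    datetime(2019-04-17 09:02:10), "frodo@contoso.example", "203.0.113.10", "0",
    // A single typo followed by a success: should NOT be flagged.
    datetime(2019-04-17 10:15:00), "sam@contoso.example",   "198.51.100.7", "50126",
    datetime(2019-04-17 10:15:20), "sam@contoso.example",   "198.51.100.7", "0"
];
// Assumed thresholds (not from the article).
let failThreshold = 5;     // minimum failures to count as a burst
let burstWindow   = 10m;   // all failures must fall inside this span
let successWindow = 5m;    // success must follow the last failure this quickly
// Step 1: find user/IP pairs with a dense burst of failures.
let Failures = SampleSignins
    | where ResultType != "0"
    | summarize FailedCount  = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure  = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where FailedCount >= failThreshold
        and LastFailure - FirstFailure <= burstWindow;
// Step 2: keep only bursts that end in a successful sign-in.
SampleSignins
| where ResultType == "0"
| join kind=inner Failures on UserPrincipalName, IPAddress
| where TimeGenerated >= LastFailure
    and TimeGenerated <= LastFailure + successWindow
| project UserPrincipalName, IPAddress, FailedCount,
          FirstFailure, LastFailure, SuccessTime = TimeGenerated
```

Against the sample rows this returns one row, for frodo@contoso.example from 203.0.113.10. To hunt over real data, replace `SampleSignins` with the workspace's `SigninLogs` table and add a time filter.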

Automation so You can Lay Back

Because it is built on the foundation of Azure Logic Apps, you can orchestrate automated responses based on rules you have set.

Alert in Azure Sentinel?

  1. Create record in ServiceNow
  2. Post message in Security Teams Channel
  3. Send approval Email
  4. Block user in Azure AD
  5. Block IP on Firewall
  6. Etc.

These procedures are known as security playbooks, which are used in response to an alert. They are highly customizable to most scenarios.

  • Wednesday 17 April 2019


Author

SoftwareONE contact

Chris Allen Account Manager

IT-Specialist Adoption and Change Management
