Azure Sentinel Provides Omnipresent Level Security

Omnipresent Level Security Through the ‘All-Seeing’ - Azure Sentinel

Intelligent Cloud Security with Azure Sentinel

Azure Sentinel provides intelligent, cloud-scale security analytics across your entire enterprise. Our expert Chris Allen explains how it works and what it has to do with Lord of the Rings.

Imagine sticking The Eye of Sauron, the all-seeing eye, in your enterprise estate? You could see all the sneaky little hobbitses trying to steal your precious! Well now you can thanks to the almighty Azure Sentinel.

  • Azure Sentinel is a cloud-native (and therefore scalable) SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) solution.
  • SIEM - real-time collection and analysis of security alerts and logs
  • SOAR - automated responses to detected security threats

In short, Azure Sentinel is a jacked-up Eye of Sauron looking over everything that happens, flagging hobbits that look like Frodo (security alerts) and automatically responding with orcs (quarantine, block, escalation etc.).

It works by doing 4 main things:

The All-Seeing Eye of Azure Sentinel, source: Microsoft

Connect to Collect

First things first: you need to start connecting your security resources to Azure Sentinel. Being a Microsoft product, the Microsoft integrations are readily available; non-Microsoft sources can be connected via common event formats such as Syslog and CEF. More info on Microsoft and external service connections here.

Azure Sentinel Data Connectors, source: Microsoft

Detect the Sneaky Hobbitses

Because Azure Sentinel applies machine learning and user behaviour analytics to the collected data, it detects threats quickly.

  1. Based on the security analytic rules, when a match is detected, Azure Sentinel sends the alerts to Azure ATP.
  2. Azure ATP checks which user entities are related to the alerts and calculates the investigation priority for those users.
  3. Azure ATP then recalculates the score of the users after it is enriched with data from your analytics rules for Azure Sentinel.

All of this information is then populated into a pretty dashboard, giving you the likes of events and alerts over time, potentially malicious events, recent cases and data source anomalies.

Azure Sentinel Dashboard, source: Microsoft

Investigate Using the Nazgul

When Sauron found out where Frodo was, he would send out the airborne Nazgul to investigate and hunt him down. In this case, Azure Sentinel has deep investigation tools to turn over rocks, understand the scope of an incident and find potential root causes.

Azure Sentinel Investigation, source: Microsoft

The investigation above started from an alert about a failed login attempt by a user on a specific host. Azure Sentinel then analysed the data associated with that user to find additional insights and related alerts, surfacing notifications of suspicious PowerShell scripts, odd sign-ins and mass downloads by the same user. This brings the full scope of what occurred into view and helps paint a bigger picture.

Begin the Hunt

Investigating alerts is reactive, but organizations should be proactive about security also.

Azure Sentinel has a 'Hunting' feature (yes, the option is actually called Hunting) where you can run powerful queries both built-in or bespoke to scour the mountains of data you have for anomalies, suspicious activity and more.

There is a lot more information with respect to queries, but it all goes over my head, so click here for more information.
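To give a feel for what a bespoke hunting query for the investigation scenario above could look like, here is an added example written for this article (it is not a query from the article or from Microsoft). It assumes the standard Azure AD SigninLogs table that the Azure Active Directory connector populates; the thresholds (10 failures across 5 accounts, 1 hour window) are arbitrary and should be tuned to your estate.

```kql
// Added example, not from the original article or Microsoft.
// Hunt: a burst of failed sign-ins from one IP against several accounts
// (spray-style), followed by a successful sign-in from the same IP
// within an hour of the last failure.
let lookback = 1d;
let failed = SigninLogs
  | where TimeGenerated > ago(lookback)
  | where ResultType != "0"            // ResultType "0" means success; anything else is a failure
  | summarize Failures = count(),
              Accounts = dcount(UserPrincipalName),
              FirstFail = min(TimeGenerated),
              LastFail = max(TimeGenerated)
      by IPAddress
  | where Failures >= 10 and Accounts >= 5;   // constructed thresholds, tune to taste
let success = SigninLogs
  | where TimeGenerated > ago(lookback)
  | where ResultType == "0"
  | project SuccessTime = TimeGenerated, IPAddress, UserPrincipalName, AppDisplayName;
failed
| join kind=inner success on IPAddress
| where SuccessTime between (FirstFail .. (LastFail + 1h))
| project IPAddress, Failures, Accounts, FirstFail, LastFail,
          SuccessTime, UserPrincipalName, AppDisplayName
| order by SuccessTime desc
```

Each returned row is a lead, not a verdict: the user and host it names are the starting entities for the investigation graph described in the previous section.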

Automation so You Can Lie Back

Because the automation is built on the foundation of Azure Logic Apps, you are able to orchestrate automated responses based on rules you have set. For example:

Alert in Azure Sentinel?

  1. Create record in ServiceNow
  2. Post message in Security Teams Channel
  3. Send approval Email
  4. Block user in Azure AD
  5. Block IP on Firewall
  6. Etc.

These procedures are known as security playbooks. They are run in response to an alert and are highly customisable to most scenarios.

Chris Allen

Account Manager

IT-Specialist Adoption and Change Management
