Azure Sentinel Provides Omnipresent Level Security

Omnipresent Level Security Through the ‘All-Seeing’ Azure Sentinel

Intelligent Cloud Security with Azure Sentinel

Azure Sentinel provides intelligent, cloud-scale security analytics across your entire enterprise. Our expert Chris Allen explains how it works and what it has to do with Lord of the Rings.

Imagine sticking the Eye of Sauron, the all-seeing eye, in your enterprise estate. You could see all the sneaky little hobbitses trying to steal your precious! Well, now you can, thanks to the almighty Azure Sentinel.

  • Azure Sentinel is a cloud-native (so scalable) SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) solution.
  • SIEM - real-time analysis of security alerts and logs
  • SOAR - automated responses to security threats

In short, Azure Sentinel is a jacked-up Eye of Sauron looking over everything that happens, flagging hobbits that look like Frodo (security alerts) and automatically responding with orcs (quarantine, block, escalation, etc.).

It works by doing 4 main things:

The All-Seeing Eye of Azure Sentinel, source: Microsoft

Connect to Collect

First things first, you need to start connecting your security resources to Azure Sentinel. Being a Microsoft product, the Microsoft integrations are readily available; non-Microsoft sources can be connected via standard log formats such as Syslog and the Common Event Format (CEF). Microsoft's documentation covers the Microsoft and external service connections in more detail.

Azure Sentinel Data Connectors, source: Microsoft

Detect the Sneaky Hobbitses

Because Azure Sentinel applies machine learning and user behaviour analytics to the collected data, it detects threats fast.

  1. When one of the security analytics rules matches, Azure Sentinel sends the alert to Azure ATP.
  2. Azure ATP checks which user entities are related to the alert and calculates the investigation priority for those users.
  3. Azure ATP then recalculates the users' scores after enriching them with data from your Azure Sentinel analytics rules.

All of this information is then populated into a pretty dashboard, giving you the likes of events and alerts over time, potentially malicious events, recent cases and data source anomalies.

Azure Sentinel Dashboard, source: Microsoft

Investigate Using the Nazgûl

When Sauron found out where Frodo was, he sent out the airborne Nazgûl to investigate and hunt him down. In this case, Azure Sentinel has deep investigation tools to turn over rocks, understand the scope and find potential root causes.

Azure Sentinel Investigation, source: Microsoft

The above initially started from an alert of a failed login attempt from a user on a specific host. Next, Azure Sentinel analysed the data associated with that user to find additional insights and related alerts, bringing up notifications of suspicious PowerShell scripts, odd sign-ins and mass downloads by the same user. That gives the full scope of what occurred and helps paint a bigger picture.

Begin the Hunt

Investigating alerts is reactive, but organisations should also be proactive about security.

Azure Sentinel has a 'Hunting' feature (yes, the option is actually called Hunting) where you can run powerful queries, both built-in and bespoke, to scour the mountains of data you have for anomalies, suspicious activity and more.

There is a lot more information with respect to queries, but it all goes over my head, so click here for more information.
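The two pieces above, collecting non-Microsoft logs as CEF over Syslog and then hunting across them with a query, can be shown end to end in a short Python script. This is an added example, not code from the article or from Azure Sentinel itself: it parses constructed CEF lines from a hypothetical "Acme AuthGateway" (handling the `\|` and `\=` escapes the format allows) and flags any user with five or more failed logins on one host inside a five-minute window, the same failed-login signal that kicked off the investigation above. The host names, user names, threshold and window are all assumptions.

```python
"""Parse CEF-over-syslog lines and hunt for failed-login bursts.

Added example, not part of the original article and not Azure Sentinel code.
The log lines, host names and user names are constructed sample data; the
threshold and window are assumptions a hunter would tune to their own estate.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|
#                    Device Event Class ID|Name|Severity|[Extension]
CEF_HEADER_KEYS = ("version", "vendor", "product", "device_version",
                   "signature_id", "name", "severity")

# Constructed sample syslog lines from a hypothetical "Acme AuthGateway".
SAMPLE_LOGS = [
    "Jul 30 10:00:01 fw01 CEF:0|Acme|AuthGateway|1.0|100|Login failed|5|suser=frodo dhost=host-a src=10.0.0.7 rt=Jul 30 2020 10:00:01",
    "Jul 30 10:00:09 fw01 CEF:0|Acme|AuthGateway|1.0|100|Login failed|5|suser=frodo dhost=host-a src=10.0.0.7 rt=Jul 30 2020 10:00:09",
    "Jul 30 10:00:17 fw01 CEF:0|Acme|AuthGateway|1.0|100|Login failed|5|suser=frodo dhost=host-a src=10.0.0.7 rt=Jul 30 2020 10:00:17",
    "Jul 30 10:00:31 fw01 CEF:0|Acme|AuthGateway|1.0|100|Login failed|5|suser=frodo dhost=host-a src=10.0.0.7 rt=Jul 30 2020 10:00:31",
    "Jul 30 10:01:02 fw01 CEF:0|Acme|AuthGateway|1.0|100|Login failed|5|suser=frodo dhost=host-a src=10.0.0.7 rt=Jul 30 2020 10:01:02",
    "Jul 30 10:01:45 fw01 CEF:0|Acme|AuthGateway|1.0|100|Login failed|5|suser=frodo dhost=host-a src=10.0.0.7 rt=Jul 30 2020 10:01:45",
    "Jul 30 10:02:00 fw01 CEF:0|Acme|AuthGateway|1.0|100|Login failed|5|suser=sam dhost=host-b src=10.0.0.9 rt=Jul 30 2020 10:02:00",
    "Jul 30 10:30:00 fw01 CEF:0|Acme|AuthGateway|1.0|100|Login failed|5|suser=sam dhost=host-b src=10.0.0.9 rt=Jul 30 2020 10:30:00",
    "Jul 30 10:03:00 fw01 CEF:0|Acme|AuthGateway|1.0|101|Login succeeded|3|suser=frodo dhost=host-a src=10.0.0.7 msg=reset via ticket\\=42 rt=Jul 30 2020 10:03:00",
]


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF payload into a flat dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError(f"no CEF payload: {line!r}")
    payload = line[start + len("CEF:"):]
    # The first seven fields are separated by unescaped '|'; whatever follows
    # the seventh pipe is the extension, which may itself contain pipes.
    parts = re.split(r"(?<!\\)\|", payload, maxsplit=7)
    if len(parts) != 8:
        raise ValueError(f"malformed CEF header: {line!r}")
    event = {key: value.replace("\\|", "|")
             for key, value in zip(CEF_HEADER_KEYS, parts[:7])}
    if event["severity"].isdigit():        # CEF severity is 0-10 (or a word in newer specs)
        event["severity"] = int(event["severity"])
    # Extension values may contain spaces (e.g. rt=Jul 30 2020 10:00:01), so only
    # split where the next token looks like a new key; '\=' inside a value is an
    # escaped equals sign, not a key boundary.
    for token in re.split(r" (?=[A-Za-z0-9_.]+=)", parts[7].strip()):
        key, _, value = token.partition("=")
        event[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return event


def hunt_failed_login_bursts(lines, threshold: int = 5,
                             window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Flag (user, host) pairs with >= threshold 'Login failed' events inside any
    sliding window of the given length: the same logic a hunting query that
    counts failed sign-ins per account and host would express."""
    attempts: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in lines:
        event = parse_cef(line)
        if event["name"] != "Login failed":
            continue
        when = datetime.strptime(str(event["rt"]), "%b %d %Y %H:%M:%S")
        attempts[(event["suser"], event["dhost"])].append(when)

    findings = []
    for (user, host), times in attempts.items():
        times.sort()
        best, best_start, lo = 0, times[0], 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the window's left edge forward
                lo += 1
            if hi - lo + 1 > best:
                best, best_start = hi - lo + 1, times[lo]
        if best >= threshold:
            findings.append({"user": user, "host": host, "count": best,
                             "window_start": best_start.isoformat()})
    return findings


if __name__ == "__main__":
    for finding in hunt_failed_login_bursts(SAMPLE_LOGS):
        print(finding)
```

Run as-is it reports one burst: frodo on host-a, six failures starting 10:00:01, while sam's two failures half an hour apart stay quiet. Widening the window (or lowering the threshold) is exactly the tuning a hunter does when turning a query into an analytics rule.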

Automation so You Can Lie Back

Built on the foundation of Azure Logic Apps, Azure Sentinel lets you orchestrate automated responses based on rules you have set.

Alert in Azure Sentinel?

  1. Create record in ServiceNow
  2. Post message in Security Teams Channel
  3. Send approval Email
  4. Block user in Azure AD
  5. Block IP on Firewall
  6. Etc.

These procedures are known as security playbooks. They run in response to an alert and are highly customisable to most scenarios.
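The step list above has a shape worth making explicit: the first steps (ticket, chat message) are safe to run on every alert, while the later ones (blocking a user, blocking an IP) change the estate and sit behind the approval e-mail. The Python below is an added example, not Azure Sentinel or Logic Apps code, that runs that ordered list with the containment steps gated on an approval decision. The connector functions are hypothetical stand-ins that only record what a real ServiceNow, Teams, Azure AD or firewall connector would do, the alert is constructed data, and the "auto-approve high severity" policy is an assumption shown purely to illustrate the gate.

```python
"""A minimal SOAR-style playbook runner following the article's step list.

Added example, not Azure Sentinel or Azure Logic Apps code. The connector
functions are hypothetical stand-ins that record what a real ServiceNow, Teams,
e-mail, Azure AD or firewall connector would do; the alert is constructed data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Alert:
    alert_id: str
    user: str
    source_ip: str
    severity: str                 # "low", "medium" or "high"


@dataclass
class PlaybookRun:
    alert: Alert
    ticket_id: str | None = None
    blocked_users: list[str] = field(default_factory=list)
    blocked_ips: list[str] = field(default_factory=list)
    audit: list[str] = field(default_factory=list)   # ordered record of what ran


# --- stand-in connectors (hypothetical; a real playbook calls the services) ---
def create_servicenow_record(run: PlaybookRun) -> None:
    run.ticket_id = f"INC-{run.alert.alert_id}"


def post_teams_message(run: PlaybookRun) -> None:
    run.audit.append(f"teams: {run.ticket_id} {run.alert.user} from {run.alert.source_ip}")


def block_user_in_azure_ad(run: PlaybookRun) -> None:
    run.blocked_users.append(run.alert.user)


def block_ip_on_firewall(run: PlaybookRun) -> None:
    run.blocked_ips.append(run.alert.source_ip)


# (step name, action, requires approval). Notification steps always run;
# containment steps only run once the approval round-trip says yes.
STEPS = [
    ("create ServiceNow record", create_servicenow_record, False),
    ("post to Security Teams channel", post_teams_message, False),
    ("block user in Azure AD", block_user_in_azure_ad, True),
    ("block IP on firewall", block_ip_on_firewall, True),
]


def run_playbook(alert: Alert, approve: Callable[[PlaybookRun], bool]) -> PlaybookRun:
    """Execute STEPS in order; `approve` stands in for the approval e-mail."""
    run = PlaybookRun(alert)
    approved: bool | None = None
    for name, action, needs_approval in STEPS:
        if needs_approval:
            if approved is None:      # ask once, before the first containment step
                approved = approve(run)
                run.audit.append("approval granted" if approved else "approval denied")
            if not approved:
                run.audit.append(f"skipped: {name}")
                continue
        action(run)
        run.audit.append(f"done: {name}")
    return run


def auto_approve_high_severity(run: PlaybookRun) -> bool:
    """Assumed approval policy: high-severity alerts skip the human round-trip;
    everything else is treated as 'not yet approved' and left for an analyst."""
    return run.alert.severity == "high"


if __name__ == "__main__":
    result = run_playbook(Alert("42", "frodo", "10.0.0.7", "high"), auto_approve_high_severity)
    print("\n".join(result.audit))
```

The audit list is the part to keep in a real playbook: when a block step is skipped because approval was denied, the ticket and Teams message still exist, so an analyst can see what the automation wanted to do and pick it up by hand.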

Looking for more?

Get ready for the big journey and ask our experts!




Chris Allen

Account Manager

IT-Specialist Adoption and Change Management
