Microsoft Sentinel OverView and Cloud Native SIEM

What is Microsoft Sentinel - Cloud Native SIEM?

It is a Cloud SIEM (Security Information and Event Management) and Security Orchestration and Automated Response (SOAR) system in Microsoft's public cloud platform. It can provide a single solution for alert detection, threat visibility, proactive hunting, and threat response. It collects data from different data sources, performs data correlation, and Data Visualisation of the processed data in a single dashboard. It helps to collect, detect, investigate and respond to security threats and incidents.

Thus delivering intelligent security analytics and threat intelligence all across the enterprise ecosystem. It natively incorporates Azure Logic Apps and Log Analytics which enhances its capabilities. It also has built-in advanced machine learning capabilities that can detect actors of threats and suspicious behaviours that can significantly help security analysts to analyse their environment.

With the growing intelligence of edge devices, capable of making real-time and near-real-time determinations, security can be built into every transaction. Source: How AI Is Revolutionising Fraud Detection And Risk Assessment.

Four Stages of Microsoft Sentinel 

Collect Data

• The services that can be connected directly via out-of-the-box integration include Azure Active Directory, Azure Activity, Azure DDoS Protection, Azure AD Identity Protection, Azure Firewall, Azure Security Center, Azure Web Application Firewall, Office 365, Microsoft Defender for Identity, Amazon Web Services - CloudTrail, Cloud App Security and other Microsoft solutions.
• The appliances that can connect to Okta SSO, Orca Security, Qualys VM, Citrix Analytics, Barracuda CloudGen Firewall, Perimeter 81 Logs, Proofpoint TAP, and some others via API .
• It can also be connect through an agent to any other data source. Syslog protocol is usable for this purpose and enables real-time log streaming. The Azure Sentinel Agent function, i.e., the Log Analytics Agent. It is to convert CEF-formatted logs into a format ingested by Log Analytics. External solutions supported in it via agents include Linux Servers, DNS Servers, Azure Stack VMs, DLP Solutions.
• Threat Intelligence Providers (MISP Open Source Threat Intelligence Platform, Anomali ThreatStream, Palo Alto Networks MineMeld, ThreatConnect Platform, ThreatQ Threat Intelligence Platform, etc.). Firewalls, proxies and endpoints supported through CEF (Check Point, F5 ASM, Palo Alto Networks, Zscaler, Cisco ASA, Fortinet, and other CEF-based appliances), and firewalls, proxies and endpoints supported through Syslog (Sophos XG, Symantec Proxy SG, Pulse Connect Secure and other Syslog-based appliances).

Detect Threats

It can detect threats and minimizes false positives by using analytics and threat intelligence drawn directly from Microsoft. Azure Analytics plays a major role in correlating alerts into incidents identified by the security team. It provides built-in templates directly out-of-the-box to create threat detection rules and automate threat responses. Apart from this, it also provides the feasibility to create custom rules. The four available build-in templates are below:

• Microsoft Security Templates- When using this template, it incidents will automatically create a real-time from of alerts that generate in other Microsoft security solutions.
• Fusion Template- This template can only create only one rule and is enable by default. It is based on the logic of advanced multistage attack detection. It uses scalable machine learning algorithms that can correlate many low-fidelity alerts and events across multiple products into high-fidelity and actionable incidents.
• Machine Learning Behavioural Analytics Template- These templates can create only one rule with each type template. These are based on proprietary Microsoft Machine Learning Algorithms, and the users can't know the internal working of this template logic and the time it runs.
• Scheduled Templates- It is the only available template in which the users can view the query logic and make changes as per the requirements in the environment. Scheduled templates are scheduled analytics rules depend on build-in queries written by Microsoft. These templates are customizable in terms of query logic and scheduling settings to create new rules.

How an analyst can leverage the Investigation and Log Search capabilities in Azure Security Center to determine whether an alert represents a security compromise, and understand the scope of that compromise. Source- How Azure Security Center Analyze Attacks

Investigation Suspicious Activities

• Built-in Queries: It is develop by Microsoft and available to familiarize yourself with tables and the query language. However, you can create new queries and even fine-tune existing queries to enhance your detection capabilities.
• Powerful Query Language with Intelligence: It is built on top of a query language that provides you with the flexibility that you need to take your hunting capabilities to the next level.
• Create your Bookmarks: You can create bookmarks of your findings that you come across during the hunting process so that you can check them later in the future and create an incident for investigation.
• Use notebooks to Automate Investigation: Notebooks are like a step-by-step guide resembling playbooks. That you can create to keep track of the steps involved during an investigation and hunting process. These notebooks summarize all the steps involved in the hunting process into a reusable playbook shared with other members within your organization.
• Query the Stored Data: The data associated and generated by it is readily available and accessible in the form of tables that can be easily queried.
• Links to Community: The Azure Sentinel Github's community is a central place to find additional queries and data sources.

Respond

IAM is a combination of processes and policies to manage the identity of individuals or groups and access to the resources within an organization. Click to explore, How Identity and Access Management Work?

Key Components of Microsoft Sentinel?

1. Dashboards: It has built-in dashboards that provide visualisation of data gathered from different data sources. Enables the security team to gain insights into the events generated by those services.
2. Cases: A collection of all relevant evidence belonging to a specific investigation is referred to as a case. A case can contain one or more than one alert based on the analytics defined by the user.
3. Hunting: It is a powerful component for security analysts and threat analysts. It is responsible for performing proactive threat analysis across the environment to detect and analyse security threats. KQL (Kusto Query Language) enhances its searching capabilities in it. Due to its machine-learning capabilities that can detect suspicious behaviours. Such as abnormal traffic and traffic patterns in firewall data, suspicious authentication patterns, and resource creation anomalies.
4. Notebooks: It provides flexibility and widens the scope of what can be done with the collected data by providing out-of-the-box integration with Jupyter Notebook with an in-built collection of libraries and modules for machine learning, embedded analytics, visualisation, and data analysis.
5. Data Connectors: Built-in connectors are available in it to facilitate data ingestion from Microsoft products and solutions and partner solutions.
6. Playbook: A Playbook is a collection of procedures to execute in response to an alert triggered by it. They leverage Azure Logic Apps. So, the user can use flexibility, capability, customisability, and built-in templates of Logic Apps. To automate and orchestrate tasks/workflows that can be readily configured to run manually or execute automatically when specific alerts are triggered.
7. Analytics: Analytics enables the users to create custom alerts using Kusto Query Language (KQL).
8. Community: The GitHub Azure Sentinel Community page contains detections based on different data sources. The users can leverage it to create alerts and respond to threats in their environments. The community page also contains sample hunting queries, a security playbook, and other artefacts.
9. Workspace: Workspace or Log Analytics Workspace is a container that consists of data and configuration information. It uses this container to store data collected from different data sources. You can create a new workspace or use an existing workspace for storing the data. But it would help if you had a dedicated workspace because alert rules and investigations don't work across workspaces.

• A geographic location for data storage.
• Data isolation by granting different users access rights following Log Analytics' recommended design strategies for workspaces.
• A scope for configuration settings, such as pricing tier, retention, and data capping.

Azure provides tools and capabilities for security to create a secure Azure platform. Click to explore, Azure Security Services Checklist

How to deploy Microsoft Sentinel?

• Reader: Users assigned to this role can view incidents and data but cannot make changes.
• Responder: Users assigned to this role can view incidents and data and perform some actions on adventures, such as assigning to another user or changing the incident's severity.
• Contributor: Users assigned to this role can view incidents and data, perform some actions on incidents and create or delete analytic rules.

What is Azure Sentinel Center?

What is Azure Security Center?

According to the U.S. State of Cybercrime Report, 50% of data breaches and information leakage happened unintentionally due to employees' negligence. Click to explore the Impact of Insider Threats on Cyber Security

How to Hunt for Security Threats?

1. Jupyter Notebook for Hunting: Using Jupyter Notebooks for carrying out the hunting process extends the scope of what can be analysed from the gathered data. The Kqlmagic library provides the necessary functions to take Azure Sentinel queries and run them directly inside a notebook. Azure delivers the Azure Notebooks, an integrated Jupyter Notebook for the Azure environment that can store, share and execute notebooks.
2. Using Bookmarks for Hunting: Using bookmarks helps you preserve the query logs and the results you executed in it. It also allows you to add notes and tags to your reference bookmarks. Viewing bookmarks from the Hunting Bookmark table in your Log Analytics workspace enables you to filter and join bookmarked data with other data sources, making it easy to look for corroborating evidence.
3. Using Livestream for hunting: You can use hunting Livestream to create interactive sessions that let to perform the following tasks:
   1. Test newly created queries as events occur.
   2. Get notified when threats occur.
   3. Launch investigations that involve an asset such as a host or user
   4. Livestream sessions can be created using any Log Analytics query.
4. Manage hunting and Livestream queries using REST API:

Microsoft Azure Sentinel Pricing

1. Capacity Reservation-based Pricing Model
   • Capacity Reservation is a fixed-fee license, where you pay for the capacity of data ingested into it (this pricing model is provided at a discounted rate)
   • For example, if you purchase a capacity of 100 GB per day in the Central India region, it will cost you around ₹9,253.48 per day for it and ₹18,136.82 per day for ₹18,136.82 per day for Log Analytics. The price differs from region to region.
2. Pay-As-You-Go Pricing Model
   • The first 5 GB is free, and then you are charged ₹185.07 per GB for data ingested into it.
   • Pay-As-You-Go is based on Log Analytics pricing, and it's set at ₹212.830 per GB with 5GB free per month per billing account.

Get the automation you need to stop sophisticated, cross-domain attacks across your organization with SIEM and XDR solutions from Microsoft. Xenonstack Managed Services for Azure Sentinel

Conclusion

Azure Sentinel is a scalable cloud-native tool that helps detect, investigate, and respond to threats if any are found. It enables users to catch potential issues more quickly. It uses Machine learning to reduce threats and capture unusual behaviours. Also, IT teams save time and effort for maintenance. It helps to monitor an ecosystem from cloud to on-premise, workstation, and personal devices.

What's Next?

• Azure Serverless Computing: Learn about the Architecture, Tools and Processes 
• Azure Arc: Simplifying Infrastructure Management across on-premises, cloud and edge environments.
• Azure Kubernetes Solutions: Leverage AKS to Accelerate Application Development
• Transform your Cloud with Azure Managed Services