Monday, 27 July 2020

Why Azure Sentinel?

Azure Sentinel is a great product with a lot of capability. In this post I will try to summarise what I know and what I have learned so far, but by no means will it cover the full extent of the product.
Before we start talking about Sentinel, it is worth noting that Microsoft is investing heavily in security (over $1B annual investment), with 3500+ global security experts and trillions of diverse signals for unparalleled intelligence.
Azure Sentinel is a cloud-native Security Information and Event Management (SIEM) solution, and as a cloud service it provides virtually infinite scalability. It also leverages Microsoft-provided AI and automation to improve effectiveness. In addition, it is very simple to onboard and provides immediate benefits. Sentinel is essentially a Log Analytics solution: it is built on top of Log Analytics. So now let's get to know more about where all the work with Sentinel takes place:
Azure Sentinel workspace
The figure below shows what a workspace looks like.
Think of the workspace as a container for Azure Sentinel which holds the event database, rules and incidents. However, not everything related to Azure Sentinel is part of a workspace. Playbooks, which are Logic Apps, are not part of a workspace, and neither are Azure Monitor Workbooks. They can still be managed from a workspace, but they are separate resources.

Sentinel also supports multiple workspaces. The following are some of the reasons to have multiple workspaces.

  • Data owners need access to their data (although a better solution is to use RBAC instead of multiple workspaces in this case)
  • Global SOC and Local SOC
  • MSSP and customers
  • Data ownership or sovereignty
  • Multiple Azure tenants
  • Fine grained retention setting (table level retention settings can be used instead of multiple workspaces)
  • Separate billing

However, the rule is: the fewer workspaces, the better. Use one workspace for each tenant, geo and subsidiary.

Before we go any further, let's take a look at the roles of a SIEM.

  • Collect
  • Detect
  • Investigate
  • Respond

OK, now that we have covered the roles of a SIEM, let's go into more detail on how Sentinel provides excellent value for each of them. I will provide an overview of the key components which make up Azure Sentinel and map each of them to the roles above, which will, most of the time, match the flow of how you would work with Azure Sentinel.
Data connectors
The first thing you do with a SIEM is collect data. Sentinel can collect data from a variety of sources such as:
  • On-premises (Linux, FW, Windows, DNS, DHCP, files, etc)
  • Office 365
  • Security Center
  • Azure AD
  • SaaS Applications
  • AWS
  • and the list goes on.
To send data from systems to Azure Sentinel, agents are the recommended option, and a collector proxy can be used if there isn't a direct connection to the cloud.
For Windows systems where the agent can't be installed, a WEF (Windows Event Forwarding) connector can be used. For other systems where an agent can't be installed, a CEF or Syslog connector can be used. Other options are Logstash, for which a plugin is also available, and custom connectors built with PowerShell, Logic Apps or the REST API from Ruby, Python, PHP, C# and Azure Functions.
Workbooks

Querying the data ingested from your data sources can feed information to workbooks, which provide visibility of your data and power interactive dashboards. Many workbooks are already available from the gallery; they can be customised, or you can create your own. Workbooks are used for visualisation of your data and are good for investigation and reporting.
The workbooks are based on Azure Monitor Workbooks, which gives you enhanced customisation and flexibility in designing your own workbook.
Analytics

Once you have the data, you can use it for analysis, investigation and to hunt for issues, vulnerabilities and threats.
There are 100+ built-in analytics rules, and these rules are also customisable. In addition, you can create your own rules using KQL queries.
These rules, once enabled, detect anomalies and suspicious activity. The alerts generated from these rules create incidents.
Incidents

Incidents can be used to collect related alerts, events and bookmarks. Bookmarks are how you mark notable data; you can then start an investigation from a bookmark or add it to an existing incident. You can assign those incidents and keep track of them. Tags and comments can be added to incidents. In addition, you can also integrate with your ticketing system.
Hunting

Azure Sentinel provides many built-in hunting queries to get you started proactively looking for threats and anomalies that weren't detected by other mechanisms.
For advanced hunting you can use Jupyter notebooks to query Azure Sentinel data or bring in external data sources. However, you must use programming languages such as Python, SQL, KQL or R.
Playbooks

Finally, you can trigger automated playbooks powered by Logic Apps based on alerts or incident investigations generated from the rules. From the playbooks you can do actions such as open a ticket in ServiceNow, trigger a Defender ATP investigation or trigger some sort of remediation.
Threat Intelligence

Sentinel also provides Threat Intelligence via Data Connectors. Threat Intelligence is information such as malicious URLs, IP addresses, file hashes, etc. Currently you can push threat intelligence data to Azure Sentinel from Threat Intelligence Platforms or from TAXII servers. Once you have that information, for example, you could create a rule to generate an incident if one of the IPs from the Threat Intelligence feed matches the IP of an Azure Activity event.
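As an added example of the rule just described (not code from the original post), this Python snippet mirrors locally what a scheduled KQL rule does when it joins ThreatIntelligenceIndicator with AzureActivity: it keeps only active, unexpired indicators and raises one alert per Azure Activity event whose caller IP matches. The rows are constructed sample data whose column names follow those two tables; the lookback window and the alert fields are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample is reproducible
NOW = datetime(2020, 7, 27, 12, 0, tzinfo=timezone.utc)

# Constructed rows modelled on the ThreatIntelligenceIndicator table
INDICATORS = [
    {"NetworkIP": "203.0.113.10", "Active": True, "ConfidenceScore": 80,
     "ExpirationDateTime": NOW + timedelta(days=30), "Description": "constructed: C2 host"},
    {"NetworkIP": "198.51.100.7", "Active": False, "ConfidenceScore": 90,
     "ExpirationDateTime": NOW + timedelta(days=30), "Description": "constructed: deactivated"},
    {"NetworkIP": "192.0.2.55", "Active": True, "ConfidenceScore": 70,
     "ExpirationDateTime": NOW - timedelta(days=1), "Description": "constructed: expired"},
]

# Constructed rows modelled on the AzureActivity table
ACTIVITY = [
    {"TimeGenerated": NOW - timedelta(minutes=5), "CallerIpAddress": "203.0.113.10",
     "Caller": "alice@contoso.example", "OperationName": "Create or Update Virtual Machine"},
    {"TimeGenerated": NOW - timedelta(minutes=4), "CallerIpAddress": "198.51.100.7",
     "Caller": "bob@contoso.example", "OperationName": "List Storage Account Keys"},
    {"TimeGenerated": NOW - timedelta(minutes=3), "CallerIpAddress": "192.0.2.55",
     "Caller": "carol@contoso.example", "OperationName": "Delete Resource Group"},
    {"TimeGenerated": NOW - timedelta(minutes=2), "CallerIpAddress": "",
     "Caller": "svc-principal", "OperationName": "Get Secret"},
]


def active_indicators(indicators, now):
    """Keep indicators flagged Active whose ExpirationDateTime is still in the future;
    deactivated or stale indicators must not raise incidents."""
    return [i for i in indicators if i["Active"] and i["ExpirationDateTime"] > now]


def match_activity_to_ti(indicators, activity, now, lookback=timedelta(hours=1)):
    """One alert per Azure Activity event inside the lookback window whose
    CallerIpAddress equals the NetworkIP of an active indicator."""
    by_ip = {ipaddress.ip_address(i["NetworkIP"]): i for i in active_indicators(indicators, now)}
    alerts = []
    for ev in activity:
        if ev["TimeGenerated"] < now - lookback:
            continue
        try:
            ip = ipaddress.ip_address(ev["CallerIpAddress"])
        except ValueError:
            continue  # empty or malformed caller IP: nothing to match on
        hit = by_ip.get(ip)
        if hit is not None:
            alerts.append({"TimeGenerated": ev["TimeGenerated"], "Caller": ev["Caller"],
                           "CallerIpAddress": ev["CallerIpAddress"], "OperationName": ev["OperationName"],
                           "ConfidenceScore": hit["ConfidenceScore"], "Description": hit["Description"]})
    return alerts
```

Only the first event produces an alert: the second matches a deactivated indicator, the third an expired one, and the fourth has no caller IP at all.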
Notebooks

Notebooks are used for advanced hunting and investigation. They allow API connections through programming languages such as Python and C# for data manipulation and enrichment of the data.
Jupyter notebooks extend the scope of what you can do with this data: they combine full programmability with a huge collection of libraries for machine learning, visualization and data analysis.
Azure Sentinel Pricing
Azure Sentinel provides very competitive prices. There are two ways to pay for the Azure Sentinel service: Capacity Reservations and Pay-As-You-Go.
As you would imagine, there are big discounts when you use a capacity reservation: between 50-60% compared to pay-as-you-go prices.
You pay for the data ingested into Azure Sentinel and also for the data stored in the Log Analytics workspace. The data can be retained for free for 90 days; beyond that you are charged.
In addition, you may be charged for Logic Apps if you run any automated responses and for Azure Databricks and/or Azure Machine Learning Studio if you bring your own machine learning modules.
Tips
Before I make my conclusion, I have a few tips that are good to know:
  • When you assign a Service Principal to create a connection from Logic Apps to Azure Sentinel, make sure you assign the Service Principal the Azure Sentinel Reader role
  • You can create the Logic App with the Azure Sentinel connector using ARM templates
  • ARM templates can be used to deploy Azure Sentinel
  • You can use Azure Lighthouse to manage Azure Sentinel across multiple tenants
  • You can find a PowerShell module on GitHub that provides cmdlets for many Azure Sentinel operations
  • Office 365 audit logs, Azure activity logs and alerts from Microsoft Threat Protection can be ingested for free
So why Azure Sentinel? 
Azure Sentinel provides everything traditional SIEM tools provide, and more. Leverage the many built-in connectors and the pre-baked templates for workbooks, hunting and rules, or make your own with full flexibility.
Hackers out there are always inventing new ways to get through the fences. Azure Sentinel not only provides you with the tools to investigate and block these threats, but also the latest technology and a team of security specialists behind the scenes.
Another great advantage of Azure Sentinel is that machine learning is built into the product to detect anomalies. Once you connect your data sources, the learning begins. You can also bring your own machine learning modules.
All that, in addition to the competitive prices, makes it a very strong candidate to disrupt the SIEM landscape.
