Microsoft Sentinel

- Microsoft Sentinel is a SIEM (security information and event management: a tool an organization uses to collect, analyze, and perform security operations on data from its computer systems) and a SOAR (security orchestration, automation and response: coordinates, executes and automates tasks between people and tools within a single platform). It is a centralized management interface that leverages other Azure services as well.
- It can collect security data across your enterprise, detect threats using threat intelligence, investigate incidents with the help of AI, and respond rapidly through automation.
-
Key Features

- Data connectors - Connect to a variety of data sources, including Microsoft and third-party products.
- Analytics and alerts - Intelligently analyze monitoring data and create alerts for suspicious activities or threats.
- Workbooks - Integrate with Azure Monitor workbooks for interactive reporting and analysis.
- Automation/Orchestration - Automate security tasks and responses through Azure Logic Apps-based playbooks.
- Hunting - Proactively hunt for security threats across monitoring data before an alert is triggered.
- Notebooks - Leverage Azure Machine Learning to extend analytics through Jupyter notebooks.
-
- It is built on top of a Log Analytics workspace, which houses all monitoring data. Data connectors ingest and parse data into the workspace first.

- When configuring alerts for Microsoft Sentinel you do so through the Analytics component. You can start from the analytics rule templates that Microsoft provides.
-
Rule Types

- Microsoft Security - Automatically create incidents from alerts generated by other Microsoft security solutions (in real time).
- Fusion - Multi-stage attack detection using machine learning. Logic is hidden and not customizable. Only one rule allowed.
- ML Behavioral - Proprietary Microsoft machine learning-based analytics. Logic is hidden and not customizable. Only one rule allowed.
- Anomaly - Use SOC-ML to detect specific types of anomalous behavior. Can be fine-tuned using a duplicate in Flighting mode.
- Scheduled - Leverages built-in queries written by Microsoft security experts. The rules query data on a scheduled basis.
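A scheduled rule is, at its core, a KQL query that Sentinel runs on a timer against the Log Analytics workspace and turns into an alert when it returns rows. The following query is an added example written for these notes, not a rule from the original page or one of Microsoft's templates. It assumes the Entra ID (Azure AD) sign-in connector is enabled so the SigninLogs table exists, and the threshold and lookback window are assumed values you would tune to your own environment.

```kql
// Scheduled analytics rule query (added example): password-spray / brute-force
// pattern in Entra ID sign-in logs. Flags a source IP that produced many failed
// sign-ins for one account inside the lookback window and then a successful
// sign-in for the same account from the same IP.
let lookback = 1h;            // should match the rule's "Lookup data from the last" setting
let failure_threshold = 10;   // assumed value; tune to your environment
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"          // "0" = success; any other code is a failure
    | summarize FailureCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure  = max(TimeGenerated),
                FailureCodes = make_set(ResultType, 10)
        by UserPrincipalName, IPAddress
    | where FailureCount >= failure_threshold;
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated, AppDisplayName;
failures
| join kind=inner successes on UserPrincipalName, IPAddress
| where SuccessTime > LastFailure      // success must come after the burst of failures
| project TimeGenerated = SuccessTime, UserPrincipalName, IPAddress, AppDisplayName,
          FailureCount, FirstFailure, LastFailure, FailureCodes
// In the rule's entity mapping: Account -> UserPrincipalName, IP -> IPAddress,
// so the resulting incident carries investigable entities.
```

When you wrap this in a scheduled rule, set the query frequency equal to or shorter than the lookback window so that no events fall between runs, and map the entities so the incident's investigation graph can pivot on the account and IP.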

- Microsoft Sentinel playbooks are based on Azure Logic Apps.
- Analytics rules are used to detect threats and analyze data.
- You can use the Kusto Query Language (KQL) to query your data.
- You use workbooks to visualize your data within Microsoft Sentinel. Think of workbooks as dashboards. Each component in the dashboard is built by using an underlying KQL query of your data.
- Microsoft Sentinel integrates with Azure Logic Apps, enabling you to create automated workflows, or playbooks, in response to events.

https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-sentinel/
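To make the workbook point concrete: a single dashboard tile is nothing more than a KQL query whose result set is handed to a visualization. The query below is an added example for these notes, not a workbook shipped by Microsoft or the original page. It assumes the SecurityIncident table that Sentinel itself populates, and the 30-day window is an assumed value (in a real workbook you would normally bind it to a time-range parameter instead).

```kql
// Workbook tile query (added example): incidents created per day, split by severity.
// SecurityIncident records every state change of an incident, so take the latest
// row per incident first; otherwise a frequently-updated incident is counted many times.
SecurityIncident
| where TimeGenerated > ago(30d)                    // assumed window; bind to a workbook parameter in practice
| summarize arg_max(TimeGenerated, *) by IncidentNumber   // current state of each incident
| summarize Incidents = count() by Severity, Day = bin(CreatedTime, 1d)
| order by Day asc
| render columnchart                                // the workbook draws this as a stacked column chart
```

Dropping the render line and changing the last summarize to `by Severity` gives the same data as a table; that is the only difference between a chart tile and a grid tile in a workbook.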