As infrastructure gets more complex, distributed, and harder to maintain, the role of SIEM (Security Information and Event Management) technology becomes ever more important. SIEM solutions aggregate data from multiple sources, making it a lot easier for organisations to monitor important events. SIEM products were traditionally only accessible to large organisations with sizable budgets and a dedicated security team.
Introducing Azure Sentinel
Azure Sentinel is a SIEM and SOAR (Security Orchestration, Automation and Response) solution in Azure. Having originally launched in March 2019, its features are continuously evolving to reflect Microsoft’s ambitious roadmap.
Sentinel is a cloud-based solution, meaning there is no need to wait for hardware to be configured and software to be deployed. All you need to get started is an Azure subscription and a Log Analytics workspace; Sentinel can then be enabled from the Azure portal. Cloud-based solutions scale effectively as your organisation grows and applications are added, as opposed to traditional on-premises solutions where hardware and software require regular maintenance, support and upgrades to meet evolving business requirements.
Today Azure Sentinel comes with 115 data connectors, including generic connectors that let you send data via Syslog, REST API, or CEF format, and 300+ analytics rules out of the box.
Some of the features included in Azure Sentinel:
- Fusion Technology – Alert fatigue is a well-known issue with security products and will lead to alerts being ignored and incidents not being investigated. Fusion Technology aims to reduce that by combining low and medium severity alerts, which may not be actionable by themselves, into high severity incidents. Fusion uses machine learning algorithms to correlate millions of signals from different products such as Azure Active Directory Identity Protection, Azure Defender, Microsoft Cloud App Security, Microsoft Defender for Endpoint and Palo Alto Networks. It is customised for your environment, reduces false positives, and can detect attacks with limited information.
- Using bookmarks to hunt threats – Sentinel simplifies the process of threat hunting by providing the ability to bookmark suspicious events for future reference or investigations. Bookmarks can also be used to visualise data, be added to an existing incident, or be promoted to a new incident.
- User and Entity Behaviour Analytics – When you encounter any entity (users, hosts and IPs) in a search, an alert, or an investigation, you can select the entity and be taken to an entity page, which contains information including basic facts about the entity, a timeline of notable events related to this entity and insights about the entity’s behaviour.
- Automation rules – With automation rules, incidents can trigger automated response chains, which can include new incident-triggered playbooks. Automation rules also allow you to automate responses for multiple analytics rules at once and to automatically tag, assign, or close incidents, freeing up time and resources for more in-depth investigation of, and hunting for, advanced threats.
- Playbooks – A playbook is a collection of remediation actions that can be run from Azure Sentinel; it can be run manually or set to run automatically in response to specific alerts or incidents. A playbook can be configured to disable a user’s Azure AD account, add a comment to the incident and post a Teams message in the SOC channel when an alert is triggered, or it could send a simple email notification.
These are just some of the capabilities that Azure Sentinel provides. It is continuously growing and improving with an active and helpful community.
How Kontex can help
Kontex can help you at all stages of your Sentinel journey. We can support you with the design and initiation of your SIEM environment or the expansion and maturation of an existing environment. Additionally, the Kontex SOC team can assume responsibility for your daily security operations, incident response and escalation, shouldering the operational burden for your team.
If you would like to discuss further or make an initial enquiry, please contact [email protected]