What is Azure Sentinel?
You are going to learn the following:
- What is Azure Sentinel?
- Azure Sentinel Solutions
- Normalization and the Azure Sentinel Information Model (ASIM)
- Microsoft Azure Sentinel Tutorial
What is Azure Sentinel?
Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across an enterprise.
Microsoft Azure Sentinel supports the following stages of the security operations lifecycle, in this order:
- Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
- Detect previously undetected threats and minimize false positives using Microsoft’s analytics and unparalleled threat intelligence.
- Investigate threats with artificial intelligence and hunt for suspicious activities at scale, tapping into years of cybersecurity work at Microsoft.
- Respond to incidents rapidly with built-in orchestration and automation of common tasks.
Connect to All Data
You first need to connect to your security sources. Azure Sentinel comes with a number of connectors for Microsoft solutions that are available out of the box and provide real-time integration. These include Microsoft 365 Defender solutions, Office 365, Azure AD, Microsoft Defender for Identity, Microsoft Cloud App Security, and many more.
After you have connected your data sources to Azure Sentinel, you can monitor the data using the Azure Sentinel integration with Azure Monitor Workbooks. This provides versatility in creating custom workbooks. Azure Sentinel allows you to create custom workbooks across your data, and also comes with built-in workbook templates.
To help you reduce noise and minimize the number of alerts that come up and have to be reviewed and investigated, Azure Sentinel uses analytics to correlate alerts into incidents. Incidents are groups of related alerts that together represent an actionable possible threat that can be investigated and resolved. You can use the built-in correlation rules as they are or use them as a starting point to build your own.
Security Automation and Orchestration
Built on the foundation of Azure Logic Apps, Azure Sentinel’s automation and orchestration solution provides a highly extensible architecture that enables scalable automation as new technologies and threats emerge. To build playbooks with Azure Logic Apps, you can choose from a growing gallery of built-in playbooks. Connectors let you apply custom logic in code or integrate with ServiceNow, Jira, Zendesk, HTTP requests, Microsoft Teams, Slack, Windows Defender ATP, and Cloud App Security.
Currently in preview, Azure Sentinel’s deep investigation tools help you understand the scope of a potential security threat and find its root cause. You can choose an entity on the interactive graph, ask questions about that specific entity, and drill down into the entity and its connections to get to the root cause of the threat.
Use Azure Sentinel’s powerful hunting search-and-query tools, based on the MITRE framework, which enable you to proactively hunt for security threats across your organization’s data sources, before an alert is triggered.
After you discover which hunting query provides high-value insights into possible attacks, you can also create custom detection rules based on your query, and surface those insights as alerts to your security incident responders. While hunting, you can create bookmarks for interesting events, enabling you to return to them later, share them with others, and group them with other correlating events to create a compelling incident for investigation.
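The hunting-to-detection path described above, as an added example that is not part of the original article or of Microsoft's own rule templates: a KQL hunting query over the Azure AD sign-in log that looks for an account with many failed sign-ins followed by a success from the same source address. The table and columns (SigninLogs, TimeGenerated, ResultType, UserPrincipalName, IPAddress, AppDisplayName) are the standard sign-in log schema; the lookback window, the failure threshold, and the two result codes chosen are assumptions you would tune for your tenant.

```kusto
// Added example: hunting query that can be saved as a scheduled analytics rule.
// Assumed thresholds; adjust to your environment's baseline.
let lookback = 1h;
let failureThreshold = 10;
// Accounts with repeated failures from one source IP in the window.
// 50126 = invalid username or password, 50053 = account locked (Azure AD result codes).
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in ("50126", "50053")
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where FailedCount >= failureThreshold;
// Successful sign-ins in the same window (ResultType "0" is success).
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated, AppDisplayName;
// Correlate: a success from the same account and source IP after the failure burst.
failures
| join kind=inner successes on UserPrincipalName, IPAddress
| where SuccessTime > LastFailure
| project UserPrincipalName, IPAddress, FailedCount, FirstFailure, LastFailure, SuccessTime, AppDisplayName
// Column names used by many built-in rule templates to map Account and IP entities,
// so the resulting alert carries the entities into the incident for investigation.
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
```

Run it from the Hunting blade first; once the results are consistently worth an analyst's time, save the same query as a scheduled analytics rule with the rule's query period set to at least the lookback window so the join sees the whole burst. Bookmarking the interesting rows while hunting lets you attach them to an incident later, as the section above describes.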
The Microsoft Azure Sentinel community is a powerful resource for threat detection and automation. Microsoft security analysts constantly create and add new workbooks, playbooks, and hunting queries, and post them to the community for you to use.
Azure Sentinel Solutions
Azure Sentinel solutions provide in-product discoverability, single-step deployment, and enablement of end-to-end product, domain, and/or vertical scenarios in Azure Sentinel. This experience is powered by Azure Marketplace for solutions’ discoverability, deployment, and enablement and by Microsoft Partner Center for solutions’ authoring and publishing.
Why choose Microsoft Azure Sentinel Solutions
- Customers can easily discover packaged content and integrations that deliver value for a product, domain, or vertical within Azure Sentinel.
- Customers can easily deploy content in a single step and optionally enable content to get started immediately.
- The providers or partners can deliver the combined product, domain, or vertical value using solutions in Azure Sentinel and also productize investments.
Types of Azure Sentinel Solutions
Azure Sentinel currently offers packaged content solutions. These solutions include combinations of one or more data connectors, workbooks, analytics rules, playbooks, hunting queries, parsers, watchlists, and other components for Azure Sentinel.
There are two other types of solutions that can be offered at this time in the generic Azure Marketplace:
- Integrations:
This includes services or tools built using Azure Sentinel APIs or Azure Log Analytics APIs to enable customers to integrate their existing applications with Azure Sentinel or migrate data, queries, etc., from existing applications to Azure Sentinel.
- Service offerings:
This includes listings for managed services specifically for Azure Sentinel.
Normalization and the Azure Sentinel Information Model (ASIM)
Azure Sentinel ingests data from many sources. Working with various data types and tables together requires you to understand each of them and to write or use a separate set of analytics rules, workbooks, and hunting queries for each type or schema.
The ASIM provides a seamless experience for handling various sources in uniform, normalized views by:
- Allowing for source-agnostic content and solutions
- Simplifying analytic use of data in Sentinel workspaces
- Using query-time parsing while minimizing performance impact
Components of the Azure Sentinel Information Model (ASIM)
- Normalized schemas: Cover standard sets of predictable event types that you can use when building unified capabilities. Each schema defines the fields that represent an event, a normalized column naming convention, and a standard format for the field values.
- Parsers: Deploy the Microsoft-developed normalizing parsers from the Azure Sentinel GitHub Parsers folder; normalized parsers are located in subfolders starting with ASim.
- Content for each normalized schema: It includes analytics rules, workbooks, hunting queries, and much more. Content for each normalized schema works on any normalized data without the need to create source-specific content.
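The three components above (schema, parser, schema-level content) fit together as in the following added example, which is not from the original article or from the Azure Sentinel GitHub Parsers folder. It defines a minimal query-time parser that projects Azure AD sign-in events onto columns of the ASIM Authentication schema, then runs a query that only references the normalized columns. The output column names (EventVendor, EventProduct, EventType, EventResult, TargetUsername, SrcIpAddr, and so on) follow the ASIM Authentication schema; the parser name vimAuthenticationSigninLogsDemo and the detection threshold are assumptions made for this example.

```kusto
// Added example: an ASIM-style query-time parser for SigninLogs.
// Optional starttime/endtime filtering parameters mirror the pattern the
// Microsoft parsers use to limit the rows scanned (performance caveat from the text).
let vimAuthenticationSigninLogsDemo = (starttime:datetime=datetime(null), endtime:datetime=datetime(null)) {
    SigninLogs
    | where (isnull(starttime) or TimeGenerated >= starttime)
        and (isnull(endtime) or TimeGenerated <= endtime)
    // Map source-specific columns to normalized Authentication schema fields.
    | extend
        EventVendor = "Microsoft",
        EventProduct = "Azure Active Directory",
        EventSchema = "Authentication",
        EventType = "Logon",
        EventResult = iff(ResultType == "0", "Success", "Failure"),
        EventResultDetails = ResultDescription,
        TargetUsername = UserPrincipalName,
        TargetUsernameType = "UPN",
        SrcIpAddr = IPAddress,
        TargetAppName = AppDisplayName
    // Keep the original result code under the normalized name for the raw value.
    | project-rename EventOriginalResultDetails = ResultType
    | project TimeGenerated, EventVendor, EventProduct, EventSchema, EventType, EventResult,
              EventResultDetails, EventOriginalResultDetails, TargetUsername, TargetUsernameType,
              SrcIpAddr, TargetAppName
};
// Schema-level content: this query knows nothing about SigninLogs. Any other parser
// that emits the Authentication schema (for example one for a VPN or a Linux host)
// could be added with "union" and the query below would work unchanged.
vimAuthenticationSigninLogsDemo(ago(1d), now())
| where EventType == "Logon" and EventResult == "Failure"
| summarize FailedLogons = count(), DistinctSources = dcount(SrcIpAddr)
    by TargetUsername, bin(TimeGenerated, 1h)
| where DistinctSources > 5       // assumed threshold: one account failing from many addresses in an hour
| order by FailedLogons desc
```

In a real workspace the parser would be saved as a workspace function rather than a `let` statement, so that rules, workbooks, and hunting queries can all call it by name; the time-range parameters matter because a parser applied over the full table defeats the performance goal stated above.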
Microsoft Azure Sentinel Tutorial
Moving ahead, you will learn to configure Azure Sentinel step by step:
- Open Azure Sentinel
  - Search for Azure Sentinel in the portal’s search bar
- Create a new Sentinel instance
  - Click on the Create tab
- Create a workspace
  - Create a new workspace
  - Fill in the details
  - Add the resource group that you want to connect; if it is not available, create a new one
  - Put in the instance name
  - Put in the region
  - Click on Review + Create
- Review + Create
  - Check the filled-in details and click on Create
  - Wait for the instance to be created. It will take a minute or two
  - Once the process is complete, you can see your instance name below
  - Click on the instance that you have created
- Overview tab
  - You will be taken to the Overview tab
  - Here (1): The name of the instance that you created; you can see how your created instance is working
  - Here (2): News & Guides
- News & Guides
  - Click on News & Guides
  - Here, you can add data connectors to your instance
  - Click on Connect
- Data connectors
  - This is where you can look at the list of available data connectors
  - Click on any data connector and you can see its details toward the right side
  - Here, the first one is selected, Agari Phishing Defense and Brand Protection
  - You can proceed further by obtaining API access for the data connector that suits your requirements
- Workbooks tab
  - This is the Workbooks tab
  - Here, you can save the workbook templates
  - There is a list of various workbook templates from which you can select
Azure Sentinel is a powerful cloud-native SIEM tool that has the features of both SIEM and SOAR solutions. Azure Sentinel can detect and respond to threats due to its built-in artificial intelligence. It helps you monitor an ecosystem from the cloud to on-premises infrastructure, workstations, and personal devices.