
In this post we talk about Azure Sentinel. With this product we can collect, monitor, and investigate data from many sources such as cloud, endpoint, and network devices.

Azure Sentinel is a cloud security information and event management (SIEM) platform built directly on Microsoft Azure; by using artificial intelligence and cloud infrastructure it has become one of the emerging SIEM platforms. It can easily collect data from various sources and offers features such as identification and monitoring, threat detection, and incident response.

Azure Sentinel natively incorporates Azure Logic Apps and Log Analytics, which enhance its capabilities. Azure Sentinel uses built-in artificial intelligence and machine learning features to detect malicious behavior and threats.

Azure Sentinel Data Collecting
Azure Sentinel can easily receive various native and third party data from different sources. This feature allows security engineers to have complete control over all data. Azure Sentinel automatically correlates all data for security analysis and response.

  • Collecting data from users, servers, and network devices (such as routers, switches, and firewalls), as well as from cloud sources through built-in connectors and data collectors
  • Support for custom collectors for third-party (non-Microsoft) products and services
  • Support for Common Event Format (CEF), Syslog, and REST API

Solutions that can be connected directly to and integrated with Azure Sentinel include:

  • Azure Active Directory
  • Azure Activity
  • Azure DDoS Protection
  • Azure AD Identity Protection
  • Azure Firewall
  • Azure Security Center
  • Azure Web Application Firewall
  • Office 365
  • Microsoft Defender for Identity
  • AWS CloudTrail
  • Cloud App Security
  • and other Microsoft solutions.
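
Once CEF and Syslog sources are forwarded into the workspace, the first thing a practitioner wants to know is whether the data is actually arriving and what it looks like. The following KQL queries are an added example, not part of the original post or of Microsoft's own content; they use the standard Log Analytics tables CommonSecurityLog (CEF) and Syslog, and the thresholds and the regular expression for the sshd message are assumptions to adjust for your environment. Each numbered query is run on its own in the Logs blade.

```kql
// Added example (not from the original post). Tables and columns are the
// standard Log Analytics schema; thresholds are assumptions.

// 1. Which CEF sources have sent events in the last 24 hours, and how many?
//    A source that disappears from this list points at a broken forwarder.
CommonSecurityLog
| where TimeGenerated > ago(24h)
| summarize Events = count(), LastSeen = max(TimeGenerated)
    by DeviceVendor, DeviceProduct, Computer
| order by LastSeen desc

// 2. Source hosts with many denied connections in CEF firewall logs.
//    DeviceAction values vary by vendor, so match case-insensitively.
CommonSecurityLog
| where TimeGenerated > ago(1h)
| where DeviceAction in~ ("deny", "drop", "block")
| summarize Denies = count(), Ports = make_set(DestinationPort, 20)
    by SourceIP, DestinationIP
| where Denies > 50
| order by Denies desc

// 3. Repeated failed SSH logins from Linux hosts sent over plain Syslog.
//    The source address is pulled out of the free-text message (assumed format).
Syslog
| where TimeGenerated > ago(1h)
| where ProcessName == "sshd" and SyslogMessage has "Failed password"
| extend SourceIP = extract(@"from ([\d\.]+)", 1, SyslogMessage)
| summarize Failures = count() by Computer, SourceIP
| where Failures >= 10
| order by Failures desc
```

Query 1 is the one to keep as a saved query or workbook tile: a data gap in a SIEM is itself a security finding, and a connector that silently stops forwarding is easy to miss without it.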

Azure Sentinel Threat Hunting

Azure Sentinel, with the artificial intelligence and machine learning capabilities and methods developed by Microsoft, can detect and hunt for threats and can also minimize false positives.
Organizations prefer to have a human layer detect and hunt down threats instead of using security products and solutions to identify them. Azure Sentinel provides many different tools for security professionals and threat hunters to identify threats.

Azure Sentinel Security Orchestration And Automation
Azure Sentinel is also a security orchestration, automation, and response (SOAR) platform, which allows us to automate or schedule incident response, threat detection, reporting, and alerts through the Playbook feature.

What are the components of Azure Sentinel?
Dashboard – Azure Sentinel has a dashboard for data visualization and for displaying generated alerts.
Case – A collection of information related to a specific analysis and investigation, known as a case, which can include several items, including security alerts.
Hunting – An important part of Azure Sentinel is hunting. This section is used to identify and hunt threats. Azure Sentinel uses Kusto Query Language (KQL) to increase the ability and flexibility to detect and hunt threats.
Notebook – The integration of Jupyter Notebook and Azure Sentinel allows Azure Sentinel to use different modules and libraries for machine learning, embedded analysis, and increased flexibility.
Playbook – Described above.
Data Connector – Through data connectors, we have the ability to connect to and collect data from Microsoft and non-Microsoft solutions.
Community – Azure Sentinel provides many examples on its GitHub page to identify and hunt for threats. This page contains security playbooks and query examples for threat hunting.
Analytics – Azure Sentinel analytics allows users to customize alerts and identify threats through Kusto Query Language (KQL).
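
The Hunting and Analytics components both run KQL, the difference being that a hunting query is run interactively while an analytics rule runs the same logic on a schedule and opens incidents. The query below is an added example, not from the original post or from Microsoft's own rule templates; it runs unchanged in either place. It uses the standard SigninLogs table (Azure AD sign-ins, where ResultType "0" means success) and flags an IP address that produced many failed sign-ins and then succeeded against any account in the same window. The lookback and the failure threshold are assumptions to tune per tenant.

```kql
// Added example (not from the original post). SigninLogs is the standard
// Azure AD sign-in table; lookback and failureThreshold are assumed values.
let lookback = 1h;
let failureThreshold = 20;
// Step 1: IP addresses with many failed sign-ins in the window.
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                 // anything but "0" is a failure
    | summarize FailedAttempts = count(),
                TargetedAccounts = dcount(UserPrincipalName),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by IPAddress
    | where FailedAttempts >= failureThreshold;
// Step 2: successful sign-ins in the same window, keyed by IP address.
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project IPAddress, SuccessTime = TimeGenerated, UserPrincipalName, AppDisplayName;
// Step 3: keep only successes that came after the failures from that IP began.
failures
| join kind=inner successes on IPAddress
| where SuccessTime > FirstFailure
| project FirstFailure, LastFailure, SuccessTime, IPAddress, FailedAttempts,
          TargetedAccounts, SignedInAccount = UserPrincipalName, AppDisplayName
| order by FailedAttempts desc
```

When saving this as a scheduled analytics rule, set the rule's query period to match the 1h lookback so each run covers the whole window, and map IPAddress to the IP entity and SignedInAccount to the Account entity so the resulting incident carries the entities an investigator needs. A high TargetedAccounts count with few attempts per account indicates spraying rather than a brute force against one user, which is worth surfacing in the rule's alert description.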
