In the world of cybersecurity, the most important aspect that a Security Operations Center (SOC) depends upon is the ‘detection of attack.’ Detection leads to informing the team that something unusual or malicious is happening and it should be prevented. Detections come in the form of an ‘Incident’ and the tool used for incident management is called a SIEM (Security Information and Event Management). There are many different SIEM providers in the market that provide a wide array of different functionalities, a few popular ones include Splunk, QRadar, ArcSight, LogRhythm. But in this article, we will explore the first and to date the only cloud-based SIEM – Azure Sentinel!
Azure Sentinel is Microsoft’s cloud-native SIEM solution that gets deployed in an organisation’s Azure tenant and accessed via the Azure portal, ensuring alignment with pre-existing organisational policies. The ability to leverage elastic compute and storage capabilities inherent in Azure for data-intensive applications such as SIEM is a significant advantage over premise-based log analysis solutions. Additionally, Azure Sentinel can make use of infrastructure as a service (IaaS) and platform as a service (PaaS) available in Azure to deliver capabilities like workflow automation and long-term log retention that are typically provided as add-on services from other SIEM providers.
The unified integration capabilities of Azure Sentinel have created a buzz in the security industry where it integrates with Microsoft 365 Defender and Azure Defender to provide a unified way to manage risk in your digital landscape under a single umbrella. Incidents, schema, and alerts can be shared between Azure Sentinel and Microsoft 365 Defender, providing a holistic view with seamless drill-down for context.
Let us take a deep dive into the world of Azure Sentinel and try to understand why should Sentinel be your first choice for a SIEM.
Logs are an integral part of any organisation’s infrastructure. SIEMs cannot practically perform without logs. And thus, the first deployment prerequisite of Azure Sentinel is Log Analytics Workspace (LAW), where all ingested data or logs will be stored. With Log Analytics deployed, the Azure Sentinel resource is available for configuration to perform the SIEM functions. The process of connecting Azure Sentinel with a LAW only requires a few clicks because it has a friendly UI. Once connected, Azure Sentinel also offers you a wide variety of log categories to choose from to ensure you are ingesting only the data relevant to your needs. Azure Sentinel provides you with a highly scalable connection with the LAW to adjust the data ingestions feasibly.
Unified Data Collector
We often encounter a common misconception among security executives and practitioners that Azure Sentinel can only be used for Azure Cloud resources. In fact, Azure Sentinel can be successfully used to ingest and correlate data from a wide range of log sources located in a variety of cloud platforms (Azure, AWS, and Google Cloud), on-premises network and compute infrastructure, 3rd party security tools (including firewalls), or software as a service (SaaS) applications. Azure Sentinel includes more than 100 data connectors, out of the box, with the ability to create custom sources to meet individual requirements. In addition to those, the Azure Sentinel community is regularly demonstrating new use cases and data connectors that expand the capabilities of the solution.
Azure Sentinel is a SOAR too
The main engine behind the Azure Sentinel automation capability is Azure Logic Apps. In terms of cybersecurity, this capability is called Security Orchestration and Automated Response (SOAR). Azure Logic Apps power “playbooks” and are, effectively, a sequence of procedures that can be run in response to a security alert. Playbooks can help automate and orchestrate response actions that would typically be undertaken by security analysts. These can be triggered manually or set to run automatically when specific alerts are triggered. Additionally, automation rules allow for a more intuitive construction of SOAR activities, providing the ability to build combinations of playbook runs and incident updates (severity, ownership, status etc.) to match the required output.
For the love of dashboards
The Azure Sentinel workbooks provide a wide range of data visualisation capabilities based on KQL queries and integration with additional Microsoft resources (via REST APIs). Over 100 workbook templates are provided for the typical log sources such as Azure Active Directory, Office 365, Windows Active Directory, and third-party log sources (e.g., firewalls, SaaS). The workbooks provide several visualisation controls (bar, pie, area, time charts), conditional formatting, and several other features commonly found in analytical platforms. Through regular review and feedback from the consumer reports, workbooks can become highly effective tools.
Power of Threat Intelligence
Within a SIEM solution like Azure Sentinel, the most used form of TI is threat indicators, also known as Indicators of Compromise (IoCs). Threat indicators are data that associate observed artefacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. In Azure Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. The most important use case for threat indicators in Azure Sentinel is to power analytics rules for threat detection. These indicator-based rules compare raw events from your data sources against your threat indicators to detect security threats in your organisation.
Now that you know about the exceptional features of Azure Sentinel, let us understand how Atech will implement and leverage these features for improving your organisation’s security:
- As security researchers we are continuously working on improving Threat Intelligence of our customers by adding and updating the IoCs from various trusted security forums that help preventing attacks from the new vulnerabilities in the market.
- Our security analysts design and implement custom analytical rules that involve various MITRE techniques and tactics to improve the efficiency and speed of attack detections.
- We provision custom workflow automation or playbooks (organisation specific) to automate the response actions per incident type and effectively reduce the MTTR (Mean Time To React).
- We proactively look for security threats across your organisation’s data sources by developing advanced hunting queries that give us an early insight into events that may indicate if a compromise is in process or highlight vulnerable areas in your environment.
Additionally, we provide monthly and quarterly security reports that summarise the incidents over time and display improvements in your organisation’s security posture.
For anyone interested in improving their security posture, the security baseline assessment would be a good place to start. Contact our team to learn more.
Yash Mudaliar, Cloud Security Engineer