Azure Sentinel - A move towards modernization of SIEM
It's been a month now since we started working on SIEM modernization, looking at how we can fill the gaps between multiple disconnected products and bring all the events together in a single SIEM platform.
In this Sentinel blog series, I will cover a basic understanding of Sentinel and why it's important for you to deploy Sentinel in your organization.
Let's understand the current landscape during the new normal of Covid. Most organizations' workforces are working remotely. It's quite tough for the SOC team to deal with the high volume of data being ingested into their SIEM and to get it analyzed. Not all organizations have the same type of challenges, but the ultimate goal is to deal with threats and to remediate them. Tons of data are being transacted over the internet, and it's quite important for the organizational SOC team to continuously keep an eye on it.
To understand your security architecture's requirements, you need to ensure that you have a complete understanding of the IT environment you are trying to protect. The following list gives the major components of any modern IT environment:
Identity for authentication and authorization of access to systems.
Networks to gain access to internal resources and the internet.
Storage and compute in the data center for internal applications and sensitive information.
End user devices and the applications they use to interact with the data.
Azure Sentinel is a new cloud-native SIEM (Security Information and Event Management) solution. Azure Sentinel also contains SOAR (Security Orchestration and Automated Response) capabilities. Azure Sentinel natively incorporates proven foundation services from Azure, such as Log Analytics and Logic Apps. Also, Azure Sentinel enriches your investigation and detection with Artificial Intelligence (AI) in conjunction with Microsoft's threat intelligence stream.
Because Azure Sentinel is part of Azure, the first prerequisite for deployment is an active Azure subscription. As with any other security information and event management (SIEM) solution, Azure Sentinel needs to store the data that it collects from the different data sources that you configure. Azure Sentinel stores this data in the Log Analytics workspace of your choice. You can create a new workspace or use an existing one.
Let's understand the Azure Sentinel components:
Dashboards provide data visualization for connected data sources, which enables you to deep dive into the events generated by those services.
Cases are an aggregation of all the relevant evidence for a specific investigation. A case can contain one or more alerts, which are based on the analytics that you define.
Hunting is a powerful tool for investigators and security analysts who need to proactively look for security threats. The searching capability is powered by Kusto Query Language.
Notebooks extend the scope of what you can do with the data that Azure Sentinel has collected. The notebooks feature combines full programmability with a collection of libraries for machine learning, visualization, and data analysis.
Data Connectors allow data ingestion from Microsoft and partner solutions.
Playbooks are collections of procedures that can be automatically executed when an alert is triggered by Azure Sentinel. Playbooks leverage Azure Logic Apps, which help you automate and orchestrate tasks and workflows.
Analytics enable you to create custom alerts using Kusto Query Language (KQL).
Community: The Azure Sentinel Community page is located on GitHub and contains detections based on different types of data sources that you can leverage to create alerts and respond to threats in your environment.
Workspace is a container that includes data and configuration information. Azure Sentinel uses this container to store the data that you collect from the different data sources.
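To show how the Hunting and Analytics components work on top of the workspace data, here is an added example of a KQL analytics rule query; it is not from the original post or from Microsoft's rule templates. It assumes the Azure AD SigninLogs table is connected through a data connector and flags an account that received many failed sign-ins from one IP address followed by a successful sign-in from that same IP (a simple password-guessing success detection).

```kusto
// Constructed example: failed sign-ins from one IP followed by a success
// for the same account and IP within the lookback window.
let lookback = 1h;             // rule frequency / query period
let failureThreshold = 10;     // tune to your environment's baseline
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"  // non-zero ResultType means the sign-in failed
    | summarize FailureCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure  = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where FailureCount >= failureThreshold;
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"  // "0" means a successful sign-in
    | project UserPrincipalName, IPAddress,
              SuccessTime = TimeGenerated, AppDisplayName;
failures
| join kind=inner successes on UserPrincipalName, IPAddress
| where SuccessTime > LastFailure   // success must come after the failures
| project UserPrincipalName, IPAddress, FailureCount,
          FirstFailure, LastFailure, SuccessTime, AppDisplayName
// Entity mapping so the resulting alert carries the account and IP entities
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
```

The same query can be run ad hoc from Hunting first to check its noise level, then saved as a scheduled Analytics rule with a matching one-hour frequency so the alert can feed a Case and trigger a Playbook.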
Happy Learning!!