How Azure Sentinel Works (2024)


Azure Sentinel is a cloud native Security Information Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution from Microsoft. It was the topic of discussion at one of our recent Daymark Cloud Clinics where our technical cloud consultants offer complimentary technical training and tips on a wide range of Azure and Office 365 features.

SOAR vs. SIEM

SOAR refers to a collection of software solutions and tools that allow organizations to streamline security operations in three key areas: threat and vulnerability management, incident response, and security operations automation. A SIEM solution aggregates data and provides real-time analysis of security alerts generated by applications and network appliances. It's common for IT professionals to mix up the capabilities of SIEM and SOAR, since they tend to work together toward the same goal of protection. Traditionally they were two separate products or components; Microsoft designed Azure Sentinel to handle both SIEM and SOAR in a single solution.

How Sentinel Works


First, devices and services need to start streaming their data into Sentinel via Data Connectors. Technically, the data flows into Azure Log Analytics. Workbooks are used to visualize the data, potential issues and trends, and help create specific queries. These queries can in turn become rules called analytics. After creating analytic rules, you start to see Incidents, and you can trigger automated actions via Playbooks. When analyzing Incidents, you can leave a trail of Bookmarks to flag interesting or anomalous data for follow-up and to discover other areas that may be affected. Finally, after gaining experience, you can go hunting for threats.

Diving into the Details

Microsoft has created built-in queries and Analytics, so it's unlikely that you would need to create your own out of the box; however, as you progress you may find a need for something more specific to your organization's security needs. If so, here are more detailed explanations:

Log Analytics – All data ingested into Azure Sentinel must come from a Log Analytics workspace. A workspace is basically a limitless storage container that holds all your data from a variety of sources. It is recommended to have a single, dedicated workspace created for Azure Sentinel.

Workbooks – Provide a means of monitoring the data that has been ingested into Azure Sentinel. Built-in workbooks allow you to evaluate data immediately. Custom workbooks can also be created to allow you to view your data the way you need to.

Analytics – Custom rule sets that can be created to search across all ingested data to discover potential threats. There are many pre-built rules provided, as well as connections to Microsoft sources such as Microsoft Defender ATP and Cloud App Security. Additional custom rules can be created based on queries. These can run on a scheduled interval. All hits from each rule can generate an incident and/or run a playbook.
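The following is an added example of the kind of query a scheduled analytics rule runs; it is not from the original post or from Microsoft's built-in rule set. It assumes the Azure AD sign-in connector is populating the SigninLogs table, and the threshold of 10 failures is an assumed tuning value, not a recommendation from the page.

```kql
// Added example: scheduled analytics rule query for repeated failed sign-ins.
// Assumes the Azure AD connector populates SigninLogs in the workspace.
// Intended schedule: run every hour, look back one hour; each result row becomes an alert.
let threshold = 10;                       // assumed tuning value: failures per account + source IP
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"                 // ResultType "0" is a successful sign-in; anything else failed
| summarize FailedAttempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            ErrorCodes = make_set(ResultType)
    by UserPrincipalName, IPAddress
| where FailedAttempts >= threshold
| project FirstSeen, LastSeen, UserPrincipalName, IPAddress, FailedAttempts, ErrorCodes
```

When this query is saved as a scheduled rule, the UserPrincipalName and IPAddress columns are what you would map to the Account and IP entities, so the resulting incident carries the affected user and source address into the investigation graph and is available to any playbook attached to the rule.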

Incidents – Alerts that are generated based on Analytics rule sets. An incident can contain multiple alerts. They allow for further investigation, using the investigation graph, to determine if there were additional areas of exposure. Incidents can be assigned to a specific individual to delegate the investigative tasks.

Playbooks – Playbooks are essentially Azure Logic Apps designated specifically for Azure Sentinel alerts. They allow for an orchestrated and automated response to alerts that are triggered via Analytics. Anything that you can do within a new or existing Logic App can also be extended to run based on an Azure Sentinel alert.

Notebooks – Azure Sentinel has integrated Jupyter notebooks directly into the Azure Portal. A notebook is a web application integrated into your browser that allows you to have live visualizations and code/queries running directly within the browser. A few notebooks are provided by Microsoft to illustrate their capabilities.

Hunting – Hunting allows for manual, proactive investigations into possible security threats based on the ingested data. Microsoft provides several built-in queries, and custom queries can also be created. Once a query is created you can convert it into an analytic rule to run on a schedule. Hunting capabilities include: queries (using Kusto Query Language), notebooks, bookmarks and Live Stream.
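As an added illustration of a hunting query (not one of Microsoft's built-in hunting queries and not from the original post), the following looks for process executions in the last day that never appeared in the preceding week. It assumes the Windows Security Events connector is populating the SecurityEvent table with process-creation audits (EventID 4688); the 7-day baseline window is an assumed choice.

```kql
// Added example: hunting query for processes not seen during a baseline period.
// Assumes the Windows Security Events connector populates SecurityEvent,
// including process creation events (EventID 4688).
let lookback = 7d;                        // assumed baseline window
let baseline =
    SecurityEvent
    | where TimeGenerated between (ago(lookback) .. ago(1d))
    | where EventID == 4688
    | summarize HostsSeen = dcount(Computer) by NewProcessName;
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4688
| summarize Executions = count(),
            Hosts = make_set(Computer),
            Accounts = make_set(Account),
            FirstSeen = min(TimeGenerated)
    by NewProcessName, CommandLine
| join kind=leftanti (baseline) on NewProcessName   // keep only processes absent from the baseline
| order by Executions asc                           // rarest first, which is where an analyst starts
```

Rows that turn out to be interesting can be bookmarked from the hunting blade so they stay attached to the investigation, and once the query has been tuned so that it returns little noise it can be promoted to a scheduled analytic rule, as the paragraph above describes.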

I hope that gives you a good idea of what Sentinel is all about and how to make the most of its capabilities. If you want to learn more about Microsoft security features, I suggest you check out our blog "An Inside Look at Azure Security."
