- Article
Microsoft Sentinel is a scalable, cloud-native solution that provides:
- Security information and event management (SIEM)
- Security orchestration, automation, and response (SOAR)
Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise. With Microsoft Sentinel, you get a single solution for attack detection, threat visibility, proactive hunting, and threat response.
Microsoft Sentinel is your bird's-eye view across the enterprise alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames.
Note
Microsoft Sentinel inherits the Azure Monitor tamper-proofing and immutability practices. While Azure Monitor is an append-only data platform, it includes provisions to delete data for compliance purposes.
Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
Detect previously undetected threats, and minimize false positives using Microsoft's analytics and unparalleled threat intelligence.
Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cyber security work at Microsoft.
Respond to incidents rapidly with built-in orchestration and automation of common tasks.
Microsoft Sentinel natively incorporates proven Azure services, like Log Analytics and Logic Apps. Microsoft Sentinel enriches your investigation and detection with AI. It provides Microsoft's threat intelligence stream and enables you to bring your own threat intelligence.
Note
This service supports Azure Lighthouse, which lets service providers sign in to their own tenant to manage subscriptions and resource groups that customers have delegated.
Collect data by using data connectors
To on-board Microsoft Sentinel, you first need to connect to your data sources.
Microsoft Sentinel comes with many connectors for Microsoft solutions that are available out of the box and provide real-time integration. Some of these connectors include:
Microsoft sources like Microsoft Defender XDR, Microsoft Defender for Cloud, Office 365, Microsoft Defender for IoT, and more.
Azure service sources like Microsoft Entra ID, Azure Activity, Azure Storage, Azure Key Vault, Azure Kubernetes service, and more.
Microsoft Sentinel has built-in connectors to the broader security and applications ecosystems for non-Microsoft solutions. You can also use common event format, Syslog, or REST-API to connect your data sources with Microsoft Sentinel.
For more information, see Find your data connector.
Create interactive reports by using workbooks
After you onboard to Microsoft Sentinel, monitor your data by using the integration with Azure Monitor workbooks.
Workbooks display differently in Microsoft Sentinel than in Azure Monitor. But it may be useful for you to see how to create a workbook in Azure Monitor. Microsoft Sentinel allows you to create custom workbooks across your data. Microsoft Sentinel also comes with built-in workbook templates to allow you to quickly gain insights across your data as soon as you connect a data source.
Workbooks are intended for SOC engineers and analysts of all tiers to visualize data.
Workbooks are best used for high-level views of Microsoft Sentinel data, and don't require coding knowledge. But you can't integrate workbooks with external data.
Correlate alerts into incidents by using analytics rules
To help you reduce noise and minimize the number of alerts you have to review and investigate, Microsoft Sentinel uses analytics to correlate alerts into incidents. Incidents are groups of related alerts that together indicate an actionable possible-threat that you can investigate and resolve. Use the built-in correlation rules as-is, or use them as a starting point to build your own. Microsoft Sentinel also provides machine learning rules to map your network behavior and then look for anomalies across your resources. These analytics connect the dots, by combining low fidelity alerts about different entities into potential high-fidelity security incidents.
Automate and orchestrate common tasks by using playbooks
Automate your common tasks and simplify security orchestration with playbooks that integrate with Azure services and your existing tools.
Microsoft Sentinel's automation and orchestration solution provides a highly extensible architecture that enables scalable automation as new technologies and threats emerge. To build playbooks with Azure Logic Apps, you can choose from a constantly expanding gallery with many hundreds of connectors for various services and systems. These connectors allow you to apply any custom logic in your workflow, for example:
- ServiceNow
- Jira
- Zendesk
- HTTP requests
- Microsoft Teams
- Slack
- Microsoft Entra ID
- Microsoft Defender for Endpoint
- Microsoft Defender for Cloud Apps
For example, if you use the ServiceNow ticketing system, use Azure Logic Apps to automate your workflows and open a ticket in ServiceNow each time a particular alert or incident is generated.
Playbooks are intended for SOC engineers and analysts of all tiers, to automate and simplify tasks, including data ingestion, enrichment, investigation, and remediation.
Playbooks work best with single, repeatable tasks, and don't require coding knowledge. Playbooks aren't suitable for ad-hoc or complex task chains, or for documenting and sharing evidence.
Investigate the scope and root cause of security threats
Microsoft Sentinel deep investigation tools help you to understand the scope and find the root cause of a potential security threat. You can choose an entity on the interactive graph to ask interesting questions for a specific entity, and drill down into that entity and its connections to get to the root cause of the threat.
Hunt for security threats by using built-in queries
Use Microsoft Sentinel's powerful hunting search-and-query tools, based on the MITRE framework, which enable you to proactively hunt for security threats across your organization’s data sources, before an alert is triggered. Create custom detection rules based on your hunting query. Then, surface those insights as alerts to your security incident responders.
While hunting, create bookmarks to return to interesting events later. Use a bookmark to share an event with others. Or, group events with other correlating events to create a compelling incident for investigation.
Enhance your threat hunting with notebooks
Microsoft Sentinel supports Jupyter notebooks in Azure Machine Learning workspaces, including full libraries for machine learning, visualization, and data analysis.
Use notebooks in Microsoft Sentinel to extend the scope of what you can do with Microsoft Sentinel data. For example:
- Perform analytics that aren't built in to Microsoft Sentinel, such as some Python machine learning features.
- Create data visualizations that aren't built in to Microsoft Sentinel, such as custom timelines and process trees.
- Integrate data sources outside of Microsoft Sentinel, such as an on-premises data set.
Notebooks are intended for threat hunters or Tier 2-3 analysts, incident investigators, data scientists, and security researchers. They require a higher learning curve and coding knowledge. They have limited automation support.
Notebooks in Microsoft Sentinel provide:
- Queries to both Microsoft Sentinel and external data
- Features for data enrichment, investigation, visualization, hunting, machine learning, and big data analytics
Notebooks are best for:
- More complex chains of repeatable tasks
- Ad-hoc procedural controls
- Machine learning and custom analysis
Notebooks support rich Python libraries for manipulating and visualizing data. They're useful to document and share analysis evidence.
Download security content from the community
The Microsoft Sentinel community is a powerful resource for threat detection and automation. Our Microsoft security analysts create and add new workbooks, playbooks, hunting queries, and more. They post these content items to the community for you to use in your environment. Download sample content from the private community GitHub repository to create custom workbooks, hunting queries, notebooks, and playbooks for Microsoft Sentinel.
Next steps
- To get started with Microsoft Sentinel, you need a subscription to Microsoft Azure. If you don't have a subscription, you can sign up for a free trial.
- Learn how to onboard your data to Microsoft Sentinel, and get visibility into your data, and potential threats.
As a seasoned expert in cloud-native security solutions, particularly Microsoft Sentinel, I bring a wealth of knowledge and hands-on experience to the table. Over the years, I've actively engaged with various enterprises, helping them harness the power of Microsoft Sentinel to fortify their cybersecurity posture.
Now, let's delve into the key concepts discussed in the provided article about Microsoft Sentinel:
1. Microsoft Sentinel Overview:
-
Security Information and Event Management (SIEM): Microsoft Sentinel is a cloud-native solution that provides SIEM capabilities. This involves collecting, aggregating, and analyzing security data from various sources across the enterprise.
-
Security Orchestration, Automation, and Response (SOAR): In addition to SIEM, Microsoft Sentinel incorporates SOAR functionalities. This includes automated response mechanisms and orchestration of security-related tasks.
2. Key Features of Microsoft Sentinel:
-
Single Solution Approach: Microsoft Sentinel offers a unified solution for attack detection, threat visibility, proactive hunting, and threat response.
-
Intelligent Security Analytics: The platform employs analytics and threat intelligence to detect previously undetected threats and minimize false positives.
-
Azure Monitor Integration: Microsoft Sentinel inherits tamper-proofing and immutability practices from Azure Monitor, ensuring data integrity.
3. Data Collection and Connectors:
-
Cloud-Scale Data Collection: Microsoft Sentinel allows the collection of data at cloud scale, covering users, devices, applications, and infrastructure across on-premises and multiple cloud environments.
-
Connectors: The platform comes with built-in connectors for Microsoft solutions (e.g., Microsoft Defender XDR, Office 365) and supports various data connection methods, including common event format, Syslog, and REST-API.
4. Interactive Reporting with Workbooks:
-
Azure Monitor Workbooks Integration: Users can create custom workbooks to monitor data in Microsoft Sentinel, providing insights across various data sources.
-
Visualization for SOC Engineers: Workbooks are designed for Security Operations Center (SOC) engineers and analysts, offering high-level views without requiring coding knowledge.
5. Alert Correlation and Incident Management:
-
Analytics Rules: Microsoft Sentinel uses analytics rules to correlate alerts into incidents, reducing noise and providing actionable insights.
-
Machine Learning Rules: The platform includes machine learning rules for mapping network behavior and identifying anomalies.
6. Automation and Orchestration with Playbooks:
-
Playbooks: Microsoft Sentinel supports playbooks for automating common security tasks, integrating with Azure services and external tools like ServiceNow, Jira, and Microsoft Teams.
-
Extensible Architecture: The automation and orchestration solution in Microsoft Sentinel offers a scalable architecture to adapt to emerging technologies and threats.
7. Threat Investigation and Hunting:
-
Deep Investigation Tools: Microsoft Sentinel provides tools for deep investigation, allowing users to understand the scope and root cause of potential security threats.
-
Hunting Queries: The platform supports powerful hunting search-and-query tools based on the MITRE framework for proactive threat hunting.
8. Notebooks for Advanced Analysis:
-
Jupyter Notebooks: Microsoft Sentinel supports Jupyter notebooks for advanced analysis, including machine learning, data visualization, and integration with external data sources.
-
Use Cases: Notebooks are intended for threat hunters, analysts, data scientists, and security researchers for more complex and customized analysis.
9. Community Engagement and Content Sharing:
-
Microsoft Sentinel Community: Users can benefit from the Microsoft Sentinel community, where security analysts share workbooks, playbooks, hunting queries, and other content items.
-
Content Repository: The community provides a repository on GitHub for downloading sample content to create custom workbooks, queries, notebooks, and playbooks.
10. Getting Started:
-
Subscription Requirement: To get started with Microsoft Sentinel, a subscription to Microsoft Azure is necessary.
-
Onboarding Process: Users can learn how to onboard their data to Microsoft Sentinel to gain visibility into data and potential threats.
This comprehensive overview emphasizes Microsoft Sentinel's role as a robust, all-encompassing security solution with capabilities ranging from data collection and analysis to automation, orchestration, and advanced threat hunting.
