Azure Sentinel – The reinvented SIEM

  1. Why Azure Sentinel
  2. Azure Sentinel – Data connectors
  3. Azure Sentinel – Analytics
  4. Azure Sentinel – Cases
  5. Azure Sentinel – Overview page

Why Azure Sentinel

Azure Sentinel is the latest security-related innovation from Microsoft, which calls it a “reinvented SIEM” solution. Well, it’s not really an innovation; it’s more a combination of all of Microsoft’s security products: Cloud App Security, Azure Advanced Threat Protection, Security Events, Windows Firewall, Windows Azure Firewall, etc.

Azure Sentinel not only has built-in AI (which we expect from Microsoft products nowadays); it goes beyond the AI already available in the individual products (like the AI in Identity Protection) by adding an extra AI layer on top of the existing AI infrastructure, which is what makes it really cool. The AI in Sentinel doesn’t need to know the underlying AI technology; it only needs to combine the output of each separate AI and turn it into valuable input. Microsoft has already been using this technique for years, and because of that experience it’s now broadly available.

Let’s have a look at Azure Sentinel. Go to the Azure Portal and search for “Azure Sentinel”. As you can see, it’s still in preview.

You need to create a Log Analytics workspace for Sentinel to work. As long as Sentinel is in preview you won’t pay anything for it, except for costs such as storage that you incur by creating a workspace.

Azure Sentinel – Data connectors

The first page you see is the “Getting started” page. Click on “Collect data” to start collecting data.

You will see an overview of all the data sources you can connect. It’s already a nice list of services. If you are already fully onboarded in Azure/Office 365, you will have many relevant products to connect!

Of course, we are going to connect “Azure Information Protection” first. Go to the “Azure Information Protection” tab, click “Azure Information Protection” and then click “connect to your Azure Sentinel workspace”.

Click on the Azure Sentinel workspace. You need to reconfigure the AIP log so that it stores the AIP information in the Azure Sentinel workspace (if you don’t see any, go to “Azure Information Protection” and enable logging there), and also check the deeper analytics checkbox to see sensitive information types as well.

Now connect everything you want to connect, like Azure AD. A cool thing is that if you connect Office 365, you can connect multiple tenants! So I expect more data connectors to become multi-tenant, which means we really have the reinvented SIEM.

Azure Sentinel – Analytics

If you click on “Analytics” in the Azure Sentinel tab, you can create rules that define when you want to be alerted. For example, you can create an alert when a virtual machine is created or updated. For more information, check the code example from Microsoft Docs as well.

// Query over the Azure Activity log that Sentinel collects
AzureActivity
| where OperationName == "Create or Update Virtual Machine" or OperationName == "Create Deployment"
| where ActivityStatus == "Succeeded"          // only operations that actually completed
| extend AccountCustomEntity = ResourceGroup   // entity mapping shown in the Microsoft Docs example
| extend IPCustomEntity = TenantId
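As an added example (my own query, not code from the original post or from Microsoft Docs), here is the same detection written the way I would schedule it as an analytics rule: bounded to the rule's look-back window, with the entities mapped to the caller and its source IP (the AzureActivity columns Caller, CallerIpAddress, SubscriptionId and ResourceId are assumed from the table schema), and aggregated per caller so that one noisy deployment does not raise dozens of alerts. The exclusion of a service account is a placeholder to show where tuning goes.

```kql
// Added example: VM create/update detection for a scheduled Sentinel analytics rule.
// Not from the original post; column names are assumed from the AzureActivity schema.
AzureActivity
| where TimeGenerated > ago(1h)      // match the rule's run frequency / look-back period
| where OperationName in ("Create or Update Virtual Machine", "Create Deployment")
| where ActivityStatus == "Succeeded"
// Placeholder exclusion for a known deployment service principal; replace with your own
| where Caller != "deploy-automation@example.onmicrosoft.com"
| summarize VmOps = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Resources = make_set(ResourceId, 20)
    by Caller, CallerIpAddress, SubscriptionId, ResourceGroup
// Map the principal and its source address so Sentinel can correlate the alert
| extend AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
| project-reorder FirstSeen, LastSeen, Caller, CallerIpAddress, VmOps, Resources
```

Mapping the account entity to the caller rather than the resource group, and the IP entity to the caller's address rather than the tenant ID, gives the case that Sentinel opens something an analyst can pivot on: who created the machine and from where.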

You can create a lot of rules, but in my opinion it’s not that simple to configure the alerts you need, especially if you need many specific rules. But this is still a preview version; I expect more options and simplifications in the generally available version.

Azure Sentinel – Cases

A case in Sentinel is automatically created once an event is triggered. Soon I will update this with more data.

Azure Sentinel – Overview page

In the “Overview” section you have a nice dashboard of everything that is going on; see the example below. It’s not much data yet, as this is from just a few hours. I will update this dashboard once I have more detailed information.

[Screenshot: Sentinel overview dashboard]