Each Azure Sentinel instance is bound to exactly one Log Analytics workspace, and detections, hunting queries and incidents all work against that workspace. It is therefore recommended to centralize all security logs in a single dedicated workspace. Where several workspaces are unavoidable (for example across tenants), Azure Lighthouse lets you manage them from one place.

To enable Azure Sentinel, an active Azure subscription and a Log Analytics workspace need to be available.

The permissions required

  • Contributor on the subscription in which the workspace resides, to enable Azure Sentinel
  • Contributor or Reader on the resource group to which the workspace belongs, to work in Azure Sentinel afterwards



Azure Sentinel (since renamed Microsoft Sentinel) is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution provided by Microsoft.

Core functions

  • Data Collection
  • Threat Detection
  • Threat Investigation
  • Rapid Response

Key characteristics

  • Scales automatically to meet data collection and storage requirements
  • Integrates directly with the Microsoft Intelligent Security Graph
  • Includes advanced anomaly detection using Microsoft machine learning
  • Leverages automation for investigating and responding to alerts
  • Provides intuitive dashboards and querying capabilities (Kusto Query Language, KQL)

Types of data connectors

  • Native or service-to-service: integrates directly with resources across the Microsoft product range. This is the preferred method for ingestion
  • API: external and third-party solutions push data through an API
  • Agent-based: the Log Analytics agent collects host logs, and Syslog/CEF from appliances via a forwarder
  • Direct

Azure Sentinel

A cloud-based SIEM and SOAR solution that draws on various security solutions as data sources to provide threat detection, investigation, hunting and automated response capabilities.


Azure Security Center

A Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) solution.

Complements Azure Sentinel: its alerts are one of the Microsoft security sources that Azure Sentinel ingests and turns into incidents.

Types of Analytic Rules

  • Scheduled rules run a KQL query on a set schedule over a defined lookback period and raise an alert when the result count crosses a threshold
  • Microsoft Security rules create Azure Sentinel incidents from alerts generated by other Microsoft security solutions (for example Azure Security Center)
  • Machine learning behavioral analytics rules can only be created from the templates provided and use proprietary Microsoft machine learning algorithms
  • Fusion is Microsoft machine learning technology that correlates lower-fidelity signals from various sources into a single high-fidelity incident
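
A scheduled rule is the type most teams write themselves, so the following added example (not code from the original notes or from Microsoft) works one through end to end: it builds the JSON body of a Scheduled rule in the shape of the Microsoft.SecurityInsights/alertRules REST resource, checks the scheduling constraints the rule wizard enforces (run interval between 5 minutes and 14 days, lookback at least as long as the run interval), and then runs the same brute-force logic in Python over a few constructed SigninLogs-style rows so the threshold can be tested offline. The KQL, the rule name and the sample sign-in rows are the author's assumptions; the SigninLogs columns (TimeGenerated, IPAddress, UserPrincipalName, ResultType) and the ResultType code 50126 are real.

```python
"""Scheduled analytics rule, worked through locally (added example, not from the page)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

MINUTE, HOUR, DAY = timedelta(minutes=1), timedelta(hours=1), timedelta(days=1)

# KQL for the rule: five or more failed Azure AD sign-ins followed by a success
# from the same source IP inside the lookback. ResultType "0" is success.
BRUTE_FORCE_KQL = """
let lookback = 1h;
let failures = SigninLogs
  | where TimeGenerated > ago(lookback)
  | where ResultType != "0"
  | summarize FailedCount = count(), FirstFail = min(TimeGenerated) by IPAddress;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| join kind=inner failures on IPAddress
| where FailedCount >= 5 and TimeGenerated > FirstFail
| project TimeGenerated, IPAddress, UserPrincipalName, FailedCount
"""


def iso_duration(td):
    """Render a timedelta as the ISO 8601 duration the API expects (PT1H, P1D, PT5M)."""
    total = int(td.total_seconds())
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes = rem // 60
    out = "P" + (f"{days}D" if days else "")
    if hours or minutes or not days:
        out += "T" + (f"{hours}H" if hours else "") + (f"{minutes}M" if minutes else "")
    return out


def check_schedule(frequency, period):
    """Run interval 5 minutes..14 days; lookback (queryPeriod) >= run interval and <= 14 days."""
    return 5 * MINUTE <= frequency <= 14 * DAY and frequency <= period <= 14 * DAY


def scheduled_rule(display_name, query, frequency, period, threshold=0, severity="Medium"):
    """Return the JSON body for PUT .../alertRules/{ruleId} with kind Scheduled."""
    if not check_schedule(frequency, period):
        raise ValueError("queryPeriod must be >= queryFrequency, both within 5m..14d")
    return {
        "kind": "Scheduled",
        "properties": {
            "displayName": display_name,
            "enabled": True,
            "severity": severity,
            "query": query.strip(),
            "queryFrequency": iso_duration(frequency),
            "queryPeriod": iso_duration(period),
            "triggerOperator": "GreaterThan",   # alert when rows returned > threshold
            "triggerThreshold": threshold,
            "suppressionEnabled": False,
            "suppressionDuration": "PT1H",
            "tactics": ["CredentialAccess"],
        },
    }


def brute_force_hits(events, failures=5, lookback=HOUR):
    """Python rendering of BRUTE_FORCE_KQL over dicts shaped like SigninLogs rows.

    The window is anchored on the newest event instead of ago() so the sample is
    reproducible. Returns one hit per successful sign-in whose source IP produced at
    least `failures` failed attempts earlier in the window.
    """
    start = max(e["TimeGenerated"] for e in events) - lookback
    in_window = [e for e in events if e["TimeGenerated"] > start]
    fails = defaultdict(list)
    for e in in_window:
        if e["ResultType"] != "0":
            fails[e["IPAddress"]].append(e["TimeGenerated"])
    hits = []
    for e in in_window:
        seen = fails.get(e["IPAddress"], [])
        if e["ResultType"] == "0" and len(seen) >= failures and e["TimeGenerated"] > min(seen):
            hits.append({"TimeGenerated": e["TimeGenerated"], "IPAddress": e["IPAddress"],
                         "UserPrincipalName": e["UserPrincipalName"], "FailedCount": len(seen)})
    return hits


# Constructed sample rows: 203.0.113.7 fails six times (50126 = invalid username or
# password) and then succeeds; 198.51.100.4 fails once and succeeds, which is benign.
T0 = datetime(2021, 3, 1, 8, 0)
SAMPLE_SIGNINS = (
    [{"TimeGenerated": T0 + i * MINUTE, "IPAddress": "203.0.113.7",
      "UserPrincipalName": "alice@contoso.example", "ResultType": "50126"} for i in range(6)]
    + [{"TimeGenerated": T0 + 7 * MINUTE, "IPAddress": "203.0.113.7",
        "UserPrincipalName": "alice@contoso.example", "ResultType": "0"},
       {"TimeGenerated": T0 + 3 * MINUTE, "IPAddress": "198.51.100.4",
        "UserPrincipalName": "bob@contoso.example", "ResultType": "50126"},
       {"TimeGenerated": T0 + 4 * MINUTE, "IPAddress": "198.51.100.4",
        "UserPrincipalName": "bob@contoso.example", "ResultType": "0"}]
)

if __name__ == "__main__":
    rule = scheduled_rule("Possible brute force followed by success", BRUTE_FORCE_KQL,
                          frequency=HOUR, period=HOUR)
    print(json.dumps(rule, indent=2))
    for hit in brute_force_hits(SAMPLE_SIGNINS):
        print(hit)
```

Keeping queryPeriod equal to queryFrequency, as here, means every event is evaluated exactly once; a longer lookback than the run interval makes the rule re-alert on the same burst until it ages out, which is what suppressionDuration is there to dampen.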

Managing and Investigating Incidents

An incident

  • is created from alerts raised by analytics rules
  • can be based on first-party alerts from Microsoft security solutions (via Microsoft Security rules)
  • can also be created manually from a bookmark saved during hunting
  • can include one or multiple alerts, so related alerts are investigated together
  • contains the evidence (entities such as accounts, hosts and IP addresses) used for further investigation

A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert or incident. Playbooks are built on Azure Logic Apps and provide the ability to build workflows that automate investigation and response to security alerts in the environment, either triggered automatically by an analytics rule or run on demand from an incident.