What Is Azure Sentinel (Renamed to Microsoft Sentinel)?
Azure Sentinel, renamed to Microsoft Sentinel, is a cloud native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution that runs in the Azure cloud. It aims to enable holistic security operations by providing collection, detection, response, and investigation capabilities.
You can use Microsoft Sentinel for security event analysis in cloud and on-premises environments. Common use cases include:
Visualization of log data
Anomaly detection and alerting
Investigation of security incidents
Proactive threat hunting
Automated response to security events
This is part of our series of articles about Microsoft Security.
Microsoft Sentinel (Formerly Azure Sentinel) Features and Capabilities
Here are key capabilities of Azure Sentinel:
Quick setup — you can deploy Sentinel via the Azure portal in a matter of minutes — there is no need to install servers in the cloud or on-premises.
Hundreds of connectors—Sentinel provides multiple connection methods to ingest data, including Function Apps, Logic Apps, Agents, Syslog, and native codeless connectors..
Automated threat response—Sentinel uses playbooks and leverages Azure Logic Apps capabilities to provide automated threat response capabilities.
Cloud-native solution—easy to scale with no upfront costs and low administrative overhead.
Supports hybrid environments—can ingest data from cloud-based and on-premise systems and analyze them in a unified manner.
Includes a data lake—comes integrated with an infinitely scalable, low-cost data lake based in the Azure cloud.
Microsoft research—leverages Microsoft expertise with machine learning analysis of security data.
Integration with Microsoft security solutions—the Microsoft SIEM is tightly integrated with Microsoft’s security solutions, Microsoft 365 Defender and Azure Defender for Cloud.
Related content: Read our guide to Azure Sentinel (Microsoft Sentinel)
How Microsoft Sentinel Works
Azure Sentinel, now known as Microsoft Sentinel, centralizes your threat collection, detection, response, and investigation efforts. It provides threat intelligence and intelligent security analytic capabilities that facilitate threat visibility, alert detection, threat response, and proactive hunting.
Microsoft Sentinel works according to a cycle that starts with log management, continues to schema normalization, data validation, detection and investigation, and includes automated responses to alerts. Here is how Sentinel delivers this end-to-end functionality:
Collection—Sentinel collects data across all devices, users, applications, and infrastructure, including components located on-premises and in multiple clouds. How data is collected dictates what detections can be run against that data.
Detection—Sentinel provides analytics and threat intelligence capability to help detect previously uncovered threats and reduce false positives. Detections are written in KQL and can be stored as code.
Investigation—Sentinel provides artificial intelligence technology to help you hunt suspicious activities at scale. Enrichment automation and containment automation both contribute to successful SOC operations.
Response—Sentinel allows for custom orchestration and automation for common security tasks and business integration tasks to facilitate rapid incident response between teams who use Microsoft technologies.
Learn more in our white paper: Azure Sentinel Deployment Best Practices
Microsoft Sentinel Key Components
Data connectors enable Microsoft Sentinel to ingest data from various sources. In some cases, you can add a service, like Azure activity logs, by selecting a button. Other services, like syslog, may require configuration. You can find references to data source schemas in the official documentation.
Struggling to build your own connector? Read our blog about Azure Functions security (coming soon).
Sentinel provides data connectors covering common sources and scenarios, including syslog, clouds like Amazon Web Services (AWS) and Microsoft Azure, Common Event Format (CEF), and Trusted Automated eXchange of Indicator Information (TAXII). Custom applications, unique non-security logs, and physical security (OT) logs can be integrated into Microsoft Sentinel as well.
Sentinel lets you integrate Workbooks to monitor, measure, and control your data. Creating custom and interactive workbooks can start with a variety of templates that can view them in Sentinel. You can use built-in Sentinel workbook templates to gain insights immediately after connecting a data source. Custom workbooks can be created to help with investigation workflow, executive reporting, or to monitor for specific anomalies with WAF, for example.
Sentinel stores ingested data by using Log Workspaces. Logs can also be forwarded for long-term storage to ADX. Querying in Microsoft Sentinel requires knowledge of the Kusto Query Language (KQL). Here is a great tutorial from Microsoft on the basics of how to get started with KQL.'
Analytic rules, or SIEM content, is used to correlate alerts into incidents. Analytic rules can either be scheduled queries or queries that are run on demand An incident includes a group of related alerts that together form a potential threat. Grouping alerts into groups of alerts enables you to investigate and resolve several alerts.
Sentinel provides built-in correlation rules and machine learning rules to help map the behavior of your network and detect anomalies, but will require tuning within your environment to obtain maximum value. Some rules combine low-fidelity alerts on different entities into a potential high-fidelity security incident. Customizing rules, while requiring an up front investment, can save hours of investigations of false positives.
If Microsoft 365 logs are forwarded to Sentinel, the scope of threat hunting can expand past EDR. Successful threat hunting activities may leverage specific detection content released by Microsoft, or other threat intelligence. Threat hunting involves identifying threats that have bypassed other detection controls in the environment. Security analysts performing threat hunting follow the zero trust, “assume breach” mindset, and are able to identify sophisticated threats already dwelling in the environment.
See how BlueVoyant uses threat hunting with Microsoft 365 Defender and Azure Sentinel.
Here is how you can use this feature:
Query—Sentinel threat hunting can help you discover a query that provides high-value insights into potential attacks. You can use insights derived from your query to create your own customized detection rules. You can also surface these insights as alerts to incident responders.
Hunt—Sentinel lets you create bookmarks for interesting events while hunting. You can return to these events later on or share the information with other collaborators. Additionally, Sentinel lets you create group events into one incident to investigate as a whole.
Incidents and Investigations
Sentinel creates an incident when an alert is triggered. Automation can also be tied to an incident firing. You can investigate these incidents using the following capabilities:
Assignment and incident status —you can change the status of an incident or assign to specific individuals for investigation.
Investigation functionality— Sentinel automatically maps entities across incidents along a timeline to visually investigate concurrent or multifaceted attacks.
Sentinel provides SOAR capabilities that can aid in enrichment, containment, integration to an ITSM, or other custom automated incident response. Using Azure Logic Apps or Azure Functions, automated playbooks to reduce analyst overhead, decrease response times, or integrate workflows between security and observability.
Microsoft Sentinel Costs
Microsoft Sentinel is a cloud-based solution, and fees are based on the service tier and the amount of data the solution captures for analysis and stores in the Azure Monitor Log Analytics workspace.
Log source cost should be weighted both against detection value as well as investigation value. It may also make sense to temporarily enable a log source, and disable it because the log source is no longer relevant or the threat profile changed. The best way to plan for SIEM costs is to enable a capacity plan.
There are two payment methods for the Microsoft Sentinel service:
Pay-as-you-go—charges per ingested GB of data. In addition, Azure may charge fees for data ingestion to the Log Analytics service.
Capacity Reservation—requires users to commit to a certain number of GB of storage per day, and charges a flat daily price for storage. This model provides savings of up to 65% compared to pay-as-you-go.
E5 license data grant—the Microsoft 365 E5 license provides a data grant of up to 5MB / user / day to ingest Microsoft 365 data.
Free data sources—certain Microsoft 365 data sources are always free for Microsoft Sentinel users. These include Azure Activity Logs, Office 365 Audit Logs, and Alerts from Microsoft Defender security products.
Managed Microsoft Security with BlueVoyant
BlueVoyant is the industry’s leading integrated, end-to-end internal and external cyber defense platform based on Microsoft security technology. The BlueVoyant platform provides the following key features:
Managed Threat Correlations - BlueVoyant Security Content Engineering continuously creates and deploys new and updated correlations to the client’s Azure environment, making it easy to enable best practices with Microsoft Sentinel.
Log source optimization - if you are transferring from another SIEM to Microsoft Sentinel, we can review existing log sources and determine which to migrate and which don’t have value. We can also help with implementing Microsoft’s ASIM model for content normalization.
Security reporting and visualizing data value - if you need help with SOC metrics or KPIs for internal reporting, and need to justify Microsoft Security spend to non-practitioners, let us build the workbooks you need. We provide the security expertise to know what security metrics to track and where to track it.
Custom automation - building and maintaining automation is hard. Let us do it for you. We both create and monitor the automations used in your environment: rotating credentials, monitoring the attack surface, and more. All these should be provided as part of a managed service.