Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Watch our demo to learn how it works and how it can help protect your organization.
Azure Sentinel Demo

Transcript

Hello everybody and welcome to the short demonstration of Azure Sentinel.

The current view is of the Sentinel dashboard in the Azure portal where you gain a bird’s eye view of the events and alerts that are aggregated from your organization, the number of events that have been collected and the incidents colour coded by severity. Azure Sentinel leverages built-in AI capabilities to detect anomalies and events along with signals from Microsoft intelligent security graph to identify tags based on your data and that places them on a map so that you can analyze them for potentially malicious traffic.

Azure Sentinel seamlessly integrates with Microsoft services including Microsoft 365. First, you need to connect your data sources. Azure Sentinel comes with a number of out-of-the-box connectors from Microsoft solutions including Microsoft 365 defenders machines. These connectors make it easy to connect data sources in just a few steps. Once your data sources are connected, you can easily review suggested next steps. You will find recommended workbooks, query samples and relevant analytics templates.

Organizations use a variety of security appliances; therefore, Microsoft has created a flexible and easy way to connect almost any data source to Azure Sentinel. Azure Sentinel also includes many built-in connectors for non-Microsoft solutions like firewalls, endpoint protection, and network appliances. Of course, you can also use Common Event Format, syslog or REST APIs to connect your data sources to Sentinel. In addition to customizing the data sources, you can also choose from a gallery of expertly created workbooks or create your own to get custom dashboards for insights on specific data sources. Let’s take a look at workbooks.

This workbook gives you the ability to drill down into color activities and summarizes detected failure and warning events.

Now let’s take a quick look at a workbook for a partner solution like Palo Alto Firewall data. This workbook makes it easy to track malware, vulnerability, and virus log events.

Once your data sources are connected, you can start analyzing your data by querying a scalable log analytics database. You can use rich query language to create advanced and complex queries in just a few lines. Let’s take a look at a couple of safe queries for this demo.

This first query is a simple query that monitors trends week over week for our firewall logs. You can easily visualize results by selecting a chart type. You can also leverage built-in analytics and machine learning in Azure to detect any anomalies. This chart shows the volume of security events received per hour. The arrow on the chart points to an anomaly found by the service. Let’s select the data point to learn more. The machine learning algorithm found a pattern that correlates with the change and then generated a query to decipher why this point in time differed from normal patterns without requiring any additional work on our part.

You can think of an incident as a container filled with alerts, entities, and insights on a specific threat in your organization. The investigation tool helps you understand the scope and root cause of a potential security threat. In this case, it was an anomalous login and you are able to see the top five hosts the user logged onto. We’re able to drill down to one of the machines that the anomalous login occurred on, and we are able to see that one of the alerts related is a connection to a malicious URL and the other for suspicious PowerShell Command. It can also be useful to look at the timeline events. For instance, here you can see a malicious URL was visited, then anomalous login occurred, and finally a suspicious PowerShell Command was executed.

As you can see, the investigation tool is helpful for understanding the scope and root cause of a potential security threat. Detecting threats is only half the battle. To solve alert volume challenges, Azure Sentinel is designed to automatically investigate and remediate alerts.

Let’s take a look at Playbooks. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. These playbooks are automatically triggered when there is an Azure Sentinel alert. In this case, if the person approves the action in the playbook, it will block the user in Azure AD and add a rule to the firewall to block that suspicious IP.

With Azure hunting you can take advantage of prebuilt queries crafted by Microsoft security experts.

Now let’s take a look at a Sentinel service that investigates anomalies and malicious behaviors. Azure notebooks is a cloud service that provides access to the popular Jupyter Notebook ML modeling tool. With the Jupyter Notebook, you can automate common investigative steps, query Azure Sentinel data about users, machines, IP or any other entity and enrich the notebook with additional services to visualize the results and trigger actions.

Next, let’s look at how security operations staff can identify compromised users and insider threats quickly across the enterprise. Here you can quickly see the accounts and hosts with the most alerts. Let’s search for the IP address of one of these to investigate further.

In the overview section, you can see events and alerts over time and review the alerts and activities timeline. You can also get insights about suspicious behavior such as unusual Windows sign-in activity and process executions. Let’s take a closer look at the alerts associated with this device. The unique integration between Sentinel and extended detection and response solution enables you to also review the alerts from this device with Microsoft Defender for Endpoint. We can also investigate this device directly in the Azure portal.

The investigation tool shows a graph of alerts and incidents associated with the device. We will review the details for the associated user account. You can also get an overview, alerts and activities, as well as insights about the user account such as total number of successful and failed logons over time. And finally, Azure Sentinel provides access to a GitHub community where you can share and consume content related to Azure Sentinel.

Written By:

Brendan Timm