In this post we will learn about using Azure Sentinel for cloud security and threat detection.
Below is a quick summary of the main points covered in this post, but make sure to read till the end for other useful information as well.
- What is Azure Sentinel, what are its features and architecture?
- How to onboard Azure Sentinel?
- Connectors Tutorial – How to connect various data sources?
- Playbooks Tutorial – How to set up an automated threat response?
- Azure Sentinel Pricing Calculator
- Azure Sentinel vs. other similar tools
If you are running late, below is a quick video of this post.
What is Azure Sentinel?
Cybercrime is growing manifold today, and much of it is driven by human attackers rather than purely automated noise. To respond proactively, security tools must use Machine Learning (ML) to gather insights on this human aspect.
Azure Sentinel is built on this idea. It is a cloud-native SIEM that uses machine learning techniques for threat detection, alerting, threat management and more.
Sentinel is essentially a combined SIEM and SOAR solution, which stand for security information and event management and security orchestration, automation and response respectively.
It gives a business enterprise a 360-degree view of alerts, attacks, threats and the responses to them. It also delivers smart security analytics and provides a stand-alone system for threat detection, alerting and threat response.
Fusion – The underlying technology
- Fusion is the underlying technology that Azure Sentinel is built on
- Fusion combines low-level anomalous activities (yellow) into high-level incidents (red)
- It does this with machine learning, using a combination of data from a variety of sources
- Fusion uses a graph-based type of machine learning
Azure Sentinel Infographic
During December 2019, event data in the order of billions entered Azure Sentinel from the existing Azure Sentinel customer base. Around 50 billion alerts were identified.
These alerts were then modelled as a graph. After Fusion applied a probabilistic algorithm, the graph was reduced to only around 110 sub-graphs.
A second level of machine learning was then applied, which reduced the graph to just 25 incidents. This infographic shows how Azure Sentinel cut alert fatigue by around 90%.
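As an added illustration (not from the original post, and not Fusion's actual algorithm, which Microsoft does not publish), the query below does by hand a small piece of what Fusion does automatically: it pulls alerts from different providers that share the same IP-address entity into one row, so an analyst sees one candidate incident instead of several isolated alerts. It assumes the SecurityAlert table is populated (alerts from Security Center, Defender products or Sentinel's own analytics rules) and that its Entities column holds the JSON entity array Sentinel normally stores there.

```kql
// Added example: correlate alerts that share an IP entity into one row.
// This is a manual sketch of the grouping idea, not Fusion itself.
SecurityAlert
| where TimeGenerated > ago(7d)
| where isnotempty(Entities)
// Entities is a JSON string holding an array of entity objects (assumed format)
| mv-expand Entity = todynamic(Entities)
| where tostring(Entity.Type) == "ip"
| extend IpAddress = tostring(Entity.Address)
| where isnotempty(IpAddress)
| summarize AlertCount = dcount(SystemAlertId),
            Providers  = make_set(ProviderName),
            AlertNames = make_set(AlertName),
            Severities = make_set(AlertSeverity),
            FirstAlert = min(TimeGenerated),
            LastAlert  = max(TimeGenerated)
      by IpAddress
// Keep only IPs seen by more than one alert from more than one provider:
// that is where isolated alerts start to look like a single incident.
| where AlertCount > 1 and array_length(Providers) > 1
| order by AlertCount desc
```

Run it from the Logs blade of the Sentinel workspace. The `Providers` and `AlertNames` sets on each row are the low-level "yellow" signals; the row itself is the candidate "red" incident.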
Azure Sentinel Architecture and Components
Since Sentinel is part of Azure, you need at minimum an active Azure subscription. Sentinel stores the data it collects from the data sources you choose in a Log Analytics workspace.
You can either create a new workspace or use an existing one; both work. The recommendation is to have a dedicated workspace for Azure Sentinel, because alert rules do not work across workspaces and cross-workspace access also needs its own permissions.
- Dashboards: Visualization of the data from connected data sources.
- Cases: Groups of investigations, each containing one or more alerts.
- Hunting: A proactive tool for searching for security threats using Kusto Query Language (KQL). You can use built-in queries, bookmarks and notebooks, and you can also query the stored data through the Log Analytics REST API to hunt.
- Data Connectors: Built-in connectors are available to facilitate data ingestion from Microsoft and partner solutions. You will learn more about data connectors in a tutorial later in this post.
- Playbooks: Collections of procedures that an alert can run automatically. Playbooks are based on Logic Apps.
- Workspace: A container that holds the configuration and the data collected from the various data sources.
- Community: The community page is on GitHub. It contains playbooks and hunting query examples.
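A typical hunting query of the kind described above, written for this post as an added example rather than taken from the built-in queries or the community GitHub: it looks for an account that accumulated many failed Azure AD sign-ins from one IP address and then signed in successfully from that same address, the pattern of a password-spray or brute-force attempt that eventually worked. It assumes the Azure Active Directory connector is enabled so that the SigninLogs table exists; the threshold and lookback are arbitrary starting values.

```kql
// Added example hunting query: failed sign-ins followed by a success from the same IP.
let lookback = 1d;            // how far back to hunt (assumed value)
let failureThreshold = 10;    // failures per account/IP pair before we care (assumed value)
let Failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                 // ResultType "0" is a successful sign-in
    | summarize FailedCount  = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure  = max(TimeGenerated)
          by UserPrincipalName, IPAddress
    | where FailedCount >= failureThreshold;
let Successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, Location;
Failures
| join kind=inner Successes on UserPrincipalName, IPAddress
// Only a success that came AFTER the burst of failures is interesting
| where SuccessTime > LastFailure
| project UserPrincipalName, IPAddress, Location, AppDisplayName,
          FailedCount, FirstFailure, LastFailure, SuccessTime
| order by FailedCount desc
```

Each row is a lead to bookmark, not a verdict: a user who mistyped a password ten times and then got it right looks the same until you check the location, the application and the account's usual sign-in pattern.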
Azure Sentinel Features
Azure Sentinel SIEM has the following features:
- Automated threat and alert responses via Azure Sentinel Playbooks
- Data grouping
- Detection of future threats by running investigations (hunting) beforehand
- Incident- and event-based investigations
- Collection and consumption of logs from multiple sources, with new sources being added regularly
Prerequisites for Azure Sentinel
- An active Azure subscription
- A Log Analytics workspace
- Contributor permissions on your subscription and contributor or reader permissions on your resource groups
- Additional permissions for the data sources you will be connecting
- A budget, since this is a paid service
How to onboard Azure Sentinel?
First you have to enable it from the Azure Portal:
Sign in to the Azure portal with the relevant subscription.
Search for Azure Sentinel and select it.
Click Add -> Either create a new workspace or use an existing one.
Click Add Azure Sentinel.
Azure Sentinel Connectors Tutorial – How to connect various data sources?
Sentinel ingests logs from apps and services by first connecting to the service, which then sends its logs and event data to Sentinel.
Main menu -> Data connectors -> Data Connectors Gallery
Select a data source -> Open connector page button.
Next steps tab -> Here you can view the connector's built-in sample queries, workbooks and rule templates.
Add to or modify these to get insights from your data.
Once you connect to your data sources, data will start coming into Sentinel. You can then start working with this data.
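Before building rules on newly connected data it is worth confirming that logs are actually arriving. The query below is an added example (not part of the original tutorial) that lists every table in the workspace that received records in the last 24 hours, when the newest record landed, and flags tables that have gone quiet; a connector whose table never appears, or whose last record is hours old, is not working as expected.

```kql
// Added example: connector health check. Which tables are receiving data, and how fresh is it?
// union * touches every table in the workspace, so keep the time window short.
let staleAfterMinutes = 60;   // assumed threshold for "this feed has gone quiet"
union withsource = TableName *
| where TimeGenerated > ago(24h)
| summarize LastRecord = max(TimeGenerated), Records = count() by TableName
| extend MinutesSinceLastRecord = datetime_diff('minute', now(), LastRecord)
| extend Stale = MinutesSinceLastRecord > staleAfterMinutes
| project TableName, Records, LastRecord, MinutesSinceLastRecord, Stale
| order by Stale desc, LastRecord asc
```

Run it once after enabling a connector and again a few hours later; the table the connector documentation names (for example SigninLogs for Azure Active Directory or AzureActivity for Azure Activity) should appear with a recent LastRecord and Stale set to false.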
– End of Connectors tutorial
Azure Sentinel Playbooks Tutorial – How to set up an automated threat response?
Put simply, a playbook is a collection of procedures that is executed in response to an alert. It can run automatically, or be triggered manually for certain alerts. Note that this feature is based on the Azure Logic Apps service and is therefore a paid service.
Creating a Playbook
Azure Sentinel dashboard -> Configuration -> Playbooks
Click Add and then Create as shown below
Logic App Designer -> Choose the template you want to use, or select Blank Logic App
For a blank playbook -> In the Search all connectors field, type Azure Sentinel
Select ‘When response to Sentinel alert is triggered.’
It will then appear in the Playbooks list. If it is not visible, click Refresh
Use the Get entities functions to retrieve IP addresses, accounts and hosts and to run actions on them
Here you can add loops, actions, switch cases or logical conditions to define the response to take when the playbook is triggered.
How to run a playbook on demand?
On the Incidents page -> Select Incident -> View full details
On the Alerts tab -> Click any Alert -> Scroll to the far right -> View playbooks
Select the playbook to run on demand
How to automate threat responses?
To automate responses:
Select the relevant alert
Edit alert rule page -> Real-time automation -> Select the Triggered playbook to be executed when the alert rule matches
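The alert rule that triggers the playbook needs a query behind it, and the query has to expose the entities (accounts, IP addresses) that the playbook's Get entities functions will later act on. Below is an added example of such a scheduled analytics rule query, written for this post rather than taken from Microsoft's rule templates: it detects new Azure RBAC role assignments in the Activity log and projects the caller and source IP into the AccountCustomEntity and IPCustomEntity columns that Sentinel's entity mapping used at the time of writing. It assumes the Azure Activity connector is enabled (AzureActivity table) and that the write operation's request body is stored under Properties.requestbody in the shape shown in the comments.

```kql
// Added example: analytics rule query for new role assignments, with entity columns for a playbook.
AzureActivity
| where TimeGenerated > ago(1h)                     // match the rule's scheduling interval
| where OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
| where ActivityStatusValue =~ "Success"            // ignore the "Start" record of the same operation
// Properties is a JSON string; requestbody inside it is itself a JSON string (assumed layout)
| extend Request = parse_json(tostring(parse_json(Properties).requestbody))
| extend PrincipalId      = tostring(Request.Properties.PrincipalId),
         RoleDefinitionId = tostring(Request.Properties.RoleDefinitionId),
         Scope            = tostring(Request.Properties.Scope)
| summarize AssignmentCount = count(),
            Principals      = make_set(PrincipalId),
            Roles           = make_set(RoleDefinitionId),
            Scopes          = make_set(Scope)
      by Caller, CallerIpAddress, SubscriptionId, bin(TimeGenerated, 1h)
// Entity mapping columns: the triggered playbook's Get entities functions read these
| extend AccountCustomEntity = Caller,
         IPCustomEntity      = CallerIpAddress
```

Paste this into the rule's query field, keep the rule frequency and lookup period aligned with the `ago(1h)` window, and attach the playbook under Real-time automation as described above. The playbook can then, for example, post the caller and IP into a ticket or ask an administrator to confirm the assignment was intended.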
– End of Playbooks tutorial
Azure Sentinel Pricing Calculator
Since this is a paid service, you must be wondering what Azure Sentinel actually costs. So I headed over to the Azure Sentinel pricing calculator.
The calculator expects some input, so I entered the following data:
- Region – East US
- Logs Ingested – To give you an idea of the minimum cost, I put in 1 GB per day
- Retention – As per Microsoft, the first 3 months retention is free, so I put retention as 1 month
- Support – Included
After that I used the ‘Export’ option to view the monthly cost in an Excel file, and it showed a cost of $117.50 per month for the above input.
Note that I entered the bare minimum data and, as per Microsoft, the price is only an estimate, not an actual quote. The actual cost may differ based on the agreement type, currency, purchase date and other resource usage you might incur.
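The "Logs Ingested" field is the input that drives the estimate, and guessing it is the main reason real bills differ from the calculator. If you already have a Log Analytics workspace, the query below (an added example, not from the original post) reads the workspace's own Usage table and reports the average and peak billable gigabytes per day for each data type over the last 30 days, which is exactly the number the calculator asks for. It assumes the standard Usage table, whose Quantity column is in megabytes.

```kql
// Added example: size the "Logs Ingested" calculator input from actual billable volume.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true                         // free data types do not count toward the estimate
| summarize DailyMB = sum(Quantity) by DataType, bin(TimeGenerated, 1d)
| summarize AvgGBPerDay  = round(avg(DailyMB) / 1024, 3),
            PeakGBPerDay = round(max(DailyMB) / 1024, 3)
      by DataType
| order by AvgGBPerDay desc
```

Sum the AvgGBPerDay column for the workspace-wide figure to enter in the calculator, and use PeakGBPerDay to see which data types (often Security events or firewall logs) would push you toward the tens of gigabytes per day that other users mention below.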
What other users say about the cost
I did some research on various forums, and some users who are currently using Sentinel mention that it isn’t that costly until you start ingesting around tens of gigabytes per day.
Note that they have not mentioned the other parameters hence this is just an estimate and it is advised to do your own cost research.
Azure Sentinel vs. Splunk
Splunk is an older player in the market, alongside other vendors like QRadar. Microsoft has learnt from these vendors and come out with its own SIEM/SOAR solution.
So you can think of Sentinel as a new service: it is not yet at the same maturity level as Splunk, but if your organization is already using Azure, you can consider it.
Note that this is not a recommendation or a review for either of the products. Hence you have to research and find what fits your requirements.
Azure Sentinel vs. Security Center
Currently a lot of businesses follow security best practices, and they are most likely using Azure Security Center for alerts.
Sentinel now ingests these alerts from Security Center, along with alerts from custom apps and other third-party data sources, and provides a consolidated dashboard across your enterprise. This dashboard can highlight common threats and alerts by region.
Azure Sentinel Gartner Magic Quadrant
As per the Microsoft Security blog, Microsoft was named a leader in five Gartner Magic Quadrants, in the following five security areas:
- Archiving of Enterprise Information
- Access Management
- CASB solutions (Cloud Access Security Broker)
- Platforms for Endpoint Protection
- UEM (Unified Endpoint Management)
Disclaimer – The above information is taken from the Microsoft Security blog.
Azure Sentinel Training
Many of you might be thinking of doing a security certification, so I looked for some information on this on the internet. Many users mention that Sentinel topics are covered in the AZ-500: Microsoft Azure Security Technologies exam.
Interesting read – For an in-depth coverage of Azure Certifications visit my article 7 Step Azure Certification Guide – Which one is best for you?
However, many users who have worked with Sentinel advise that those targeting the exam should first get some hands-on experience with Log Analytics and in particular with KQL, i.e. Kusto Query Language. Without any knowledge of KQL, it doesn’t make sense to jump directly to Sentinel.
Another update is that from September 2020 there will be changes to the syllabus of the AZ-900: Microsoft Azure Fundamentals exam. Topics such as Sentinel and Azure Dedicated Hosts are being added to the syllabus.
How to prepare
- Microsoft Learning Path
- Spend a lot of time on deploying various resources in Azure. They can be Sentinel Logs, Virtual Machines (VM), Virtual Networks (VNet), Key Vaults, Log Analytics, Storage accounts, Workspaces, etc.
- Try to study the various workloads that can be deployed on Azure.
- Practice labs and practice tests.
- Azure Sentinel GitHub
Interesting read – How to connect GitHub accounts with Visual Studio?
In this post we covered a lot of useful information. This new service comes out of the fact that attack and defense have always followed one another, as seen in the past.
The current realm of cyber security has become technically very advanced. Also, right from the beginning there were a lot of businesses that were hesitant to move to the cloud, the number one reason being security.
Of late, Microsoft has been very active in the areas of Analytics, Machine Learning (ML), Artificial Intelligence (AI) and Security. There are a lot of cloud services, from Monitor and Defender to Security Center and now Azure Sentinel.
I hope you found this article interesting and of some help. Do share and comment with your views. We will continue to learn as the world prepares for the coronavirus vaccine.
2020 is about to leave us with a lot of strong memories both good and bad. Together we all will emerge stronger in the next year. I wish all my readers, Happy Holidays and a Happy and Prosperous New Year.