Primer on Microsoft Sentinel

Microsoft Sentinel

Microsoft Sentinel is a SIEM (Security Information and Event Management) and SOAR (Security Orchestration and Automated Response) system in the Microsoft cloud platform.

Before delving further into Sentinel, let’s see some brief descriptions of SIEM and SOAR.

Security Information and Event Management (SIEM)

  • SIEM collects data and queries logs across the system.
  • It provides data correlation and anomaly detection.
  • With the help of SIEM, we can create alerts and incidents based on our findings.

Security Orchestration and Automated Response (SOAR)

  • SOAR responds automatically to incidents.
  • SOAR can create automated workflows from a triggered alert.
  • With the help of SOAR, tasks can be orchestrated across the system.

Sentinel is a powerful Microsoft defender tool that collects, analyzes, and normalizes data across on-premises and cloud workloads, whether or not they are Microsoft-native. It can be connected to users’ devices such as laptops or phones, to applications, to infrastructure, and even to IoT devices.

As mentioned, Sentinel collects and normalizes data from different signals and uses Artificial Intelligence (AI) and Machine Learning (ML) to investigate potential threats in the environment.

Sentinel provides intelligent security analytics and threat intelligence across the organization's environment. It uses Azure Logic Apps and Log Analytics to build automated workflows that run once an alert is triggered. It also has built-in ML that can detect and investigate threats or suspicious behaviors in the enterprise ecosystem.

Microsoft Sentinel is deployed in the organization's Azure tenant and accessed easily through the Azure Portal. It respects all preexisting organizational policies. Sentinel provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Sentinel can also ingest data from other cloud platforms such as AWS, or from third-party software already installed on premises.

How to connect data to Microsoft Sentinel

Most network and security systems support Syslog or CEF (Common Event Format); both are ways for a system to send data to a SIEM. Many Azure resources can connect directly to the Log Analytics workspace, which is where Azure Sentinel collects its data.
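As an added example, not part of the original post, the following Python shows the shape of the CEF data such systems send: it parses a constructed, syslog-wrapped CEF event (the `fw01` firewall line is made up for the example) into its seven header fields and its extension key=value pairs, honouring the format's backslash escaping so a pipe or equals sign inside a value is not mistaken for a delimiter.

```python
import re

# Header fields in the order fixed by the CEF specification.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# An extension key is 'key=' at the start of the extension or after whitespace.
# A '\=' escaped inside a value never matches, because '\' is not a key character.
_KEY_RE = re.compile(r"(?:^|\s)([\w.]+)=")

# Constructed sample: a syslog-wrapped CEF event from a hypothetical firewall.
# The vendor field contains an escaped pipe and the msg value an escaped '='.
SAMPLE = ("<134>Oct 12 09:15:01 fw01 CEF:0|Acme\\|Corp|Firewall|2.1|100|Blocked outbound|5|"
          "src=10.0.0.5 dst=203.0.113.9 dpt=443 msg=policy\\=deny hit act=blocked")

def _unescape(value: str) -> str:
    """Undo CEF escaping: a backslash protects '=', '|' and '\\'; '\\n' and '\\r' are newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line: str) -> dict:
    """Parse one CEF line (a leading syslog header is skipped) into a flat dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no 'CEF:' marker found; not a CEF line")
    body = line[start + len("CEF:"):]
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped '|' or '\' stays literal
            buf.append(body[i + 1])
            i += 2
            continue
        if ch == "|":                              # unescaped pipe ends a header field
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("CEF header must contain 7 pipe-delimited fields")
    record = dict(zip(HEADER_FIELDS, fields))
    # Extension: space-separated key=value pairs whose values may contain spaces,
    # so each value runs up to the start of the next recognised key.
    ext = body[i:]
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        record[m.group(1)] = _unescape(ext[m.end():end].strip())
    return record
```

Running `parse_cef(SAMPLE)` yields `device_vendor` as `Acme|Corp` and `msg` as `policy=deny hit`, the fields a connector would normalise into workspace columns.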

Azure Monitor streams all of this data directly into Sentinel. Log Analytics is another way to collect telemetry from servers or workstations. Microsoft Sentinel also imports threat indicators through data connectors.

In the portal, search for and select Microsoft Sentinel. On the Configuration page, select Data connectors; this shows the connectors available to connect to Sentinel. The figures below show that there are 124 connectors available for me to connect.

Then choose the connector you need and select Connect. For Microsoft-native connectors the steps are very simple; for third-party connectors, some additional details may be required.

This brings us to the end of this blog, which gave a brief introduction to Sentinel and to the ways of connecting data to it. Upcoming blogs will cover incident creation, threat hunting, and more. To follow the latest trends and happenings in cybersecurity, you can look into clearinfosec.