Blog | Arxus

All you need to know about Azure Sentinel (cloud security)

Written by Davy Vandevinne | Oct 22, 2019 8:00:00 AM

Azure Sentinel is Microsoft's cloud-native Security Information Event Management (SIEM) solution. This solution is Microsoft's answer to the question to make security in Azure more scalable and easier to manage. But what do you need to know about Azure Sentinel? In this blog post we provide answers to the most important questions.

Many organizations today use Microsoft 365 and are increasingly adopting the advanced security and compliance rules of Microsoft 365. At the same time, more and more companies are also using the well-secured Azure cloud to have their infrastructure and applications available 24/7.

In the ideal world you can combine the security data of users, endpoints (read: desktops, laptops, smartphones, etc.) with that of your infrastructure and applications to better understand, address and prevent possible security risks or attacks. That is now possible with Azure Sentinel.
 

What specific benefits does Azure Sentinel offer?

Azure Sentinel offers companies and organizations a number of security benefits. We give you the most important:

  • You get a complete overview of the security for the entire organization, because you collect all data (users, devices, applications and infrastructure, both on-premise and in multiple clouds) on one platform
  • You can better investigate and analyze security issues because you have more data
  • You can detect new potential threats faster with the help of machine learning and AI
  • You can respond faster to incidents with built-in orchestration and automation of general tasks
  • You can count on the experience, security data and the community of Microsoft security experts on a global scale
     

What is under the hood of Azure Sentinel?

Azure Sentinel is developed cloud-native on the scalable and high-performance Azure platform and uses multiple existing Azure services, each of which has already amply earned their spurs.

The analysis component is provided by Log Analytics, a mature service that is part of the general Azure Monitor platform. The data exploration is provided via Data Explorer and the queries use Kusto Query Language (KQL), the same language used in Log Analytics.

Data entry is done via a large number of ready-made data connectors, for services such as Office 365, Azure Active Directory (AAD), AAD Identity Protection, Azure Advanced Threat Protection, Cloud App Security and Azure Security Center, Azure Activity and Azure Information Protection and the Azure Web Application Firewall (WAF), along with Azure DNS.

But also external platforms such as Amazon Web Services (AWS), Palo Alto Networks, Cisco ASA, Check Point, Fortinet, F5, Barracuda and Symantec ICDX are supported. You can also use raw syslog data and Common Event Format (CEF) data, together with Threat Intelligence.

One of the other foundations of Azure Sentinel is Machine Learning (ML). This should help to correlate low fidelity signals with warnings with high reliability, so that analysts only have to deal with problems that really require the insight of a human person. In this way, Microsoft wants to combat “alert fatigue”, whereby security specialists no longer see the trees between the alert forest. This approach is strongly linked to automation, whereby as many of the routine tasks as possible no longer have to be checked by people.

Microsoft does not reinvent cloud security but makes smart use of the qualitative tools that the company has in house and which have already proven their services. With Azure Sentinel, it now adds a very strong management layer that, certainly for a managed cloud service provider such as Arxus, makes it even easier to better monitor the security of existing customers, to analyze it more efficiently and to intervene faster in the event of incidents.
 

How do you start with Azure Sentinel?

Starting with Azure Sentinel can be done in a few steps. Naturally, every step requires a certain technical set-up. We list the most important steps for you.

Step 1: Add Azure Sentinel to your Azure account

If you have an Azure account, you can add Azure Sentinel to your Azure Portal. Keep in mind that you need a few things for this:

  • A Log Analytics workspace
  • Rights to the account on which the Azure Sentinel workspace is located
  • Rights to the resource group of which the workspace is a part
  • Additional rights may be required for specific data sources

Step 2: Connect your data sources

Azure Sentinel has a number of connectors to make data from certain Microsoft solutions available out of the box in real time in Azure Sentinel. These include Microsoft Threat Protection, Microsoft 365, Office 365, Azure AD, Azure ATP, Microsoft Cloud App Security, etc. In addition, there are standard connectors for the wider ecosystem of other security solutions. Once you have connected your sources, the data enters Azure Sentinel.

Step 3: Use workbooks to make data transparent

You can use workbooks to view data in the overview dashboard or create your own interactive dashboards, entirely from scratch or based on existing templates. In this way you gain insight into specific data sources or data that is relevant to your organization.

Step 4: Make rules to detect threats

After you connect resources and create dashboards, you can create rules to detect threats. You can start with the out-of-the-box detection that you can easily activate via the "Rule Templates". You can then create customized rules, specifically adapted to your data, your requirements and your environment. These rules will ensure that you receive notifications when suspicious activities take place in your environment.
 

Arxus & Azure Sentinel

Azure Sentinel offers a lot of possibilities to protect your Azure environment even better. At the same time, setting up the tool correctly, creating relevant dashboards and rules requires some technical expertise.

As a managed cloud service provider, Arxus can play an important role. We can fully manage and monitor the security in your environment via Azure Sentinel, so that you only have to deal with your core business. Do you want to know more about Azure Sentinel and what it can mean for your organization? Then make sure to contact us via blog@arxus.eu