Getting started with Azure Sentinel – a Cloud-Native SIEM

Microsoft Azure Sentinel is a cloud-native security information and event management (SIEM) solution that delivers security analytics across multiple platforms. It addresses a problem most organisations run into once workloads move to the cloud: security telemetry ends up scattered across many products and consoles. Azure Sentinel collects security data from those other products, cloud-based and on-premises alike, into a single workspace, so you do not have to switch consoles or log into different tools to keep track of alerts; everything is available on one dashboard. Like any other SIEM, Azure Sentinel lets you define your own use cases: how a threat is detected and reported, and whether a response should be applied automatically (through a playbook) or left to an analyst.

Azure Sentinel's analytics draw on Microsoft's threat intelligence, which Microsoft describes as being built from more than 6.5 trillion signals processed every day, a figure the company cites as one of the largest security datasets anywhere. Because its built-in detections are trained on that telemetry rather than only on your own logs, Azure Sentinel can surface some threats faster than a SIEM that sees nothing beyond your environment. Whatever the size of the enterprise, the service can be added alongside existing tools without modifying them, and since it is a managed cloud service it scales with your ingestion volume rather than with hardware you have to provision. The caveat is that you pay per gigabyte ingested, so unlimited scale is not free: decide early which sources are worth the cost.

How to Get Started with Azure Sentinel

Integrating Azure Sentinel into an existing environment is straightforward. Azure Sentinel runs on top of a Log Analytics workspace in the Azure portal, so you start by searching for Azure Sentinel in the portal and attaching it to a new or existing workspace. The next step is to connect your existing security tools. Anything that emits Common Event Format (CEF) or Syslog can be sent to Azure Sentinel through a Linux log forwarder running the Log Analytics agent. On the Data connectors blade you will also find near one-click setups for specific sources such as Microsoft Office 365, AWS (CloudTrail), Cisco ASA, Windows Firewall, Palo Alto Networks and others.
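Once a connector is enabled, the first thing to check is that events are actually arriving, and keep arriving. CEF and Syslog sources land in tables of the underlying Log Analytics workspace (CommonSecurityLog and Syslog respectively), so a Kusto Query Language (KQL) query from the Logs blade can both confirm ingestion and flag a forwarder that has gone quiet, which is the most common reason a connector silently stops producing alerts. The query below is an added example written for this article, not code from Microsoft or from the original page; the table and column names are the standard Sentinel schema, while the 7-day and 1-hour windows are assumptions to tune for your environment.

```kusto
// Added example: CEF sources that reported within the last 7 days but have sent nothing in the last hour.
let silence  = 1h;     // assumed: how long a source may be quiet before it is flagged
let lookback = 7d;     // assumed: how far back to look for sources that are expected to report
// Sources that are currently healthy (seen inside the silence window)
let active = CommonSecurityLog
    | where TimeGenerated > ago(silence)
    | distinct DeviceVendor, DeviceProduct, Computer;
// All sources seen in the lookback window, minus the healthy ones
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| summarize Events = count(), LastSeen = max(TimeGenerated) by DeviceVendor, DeviceProduct, Computer
| join kind=leftanti active on DeviceVendor, DeviceProduct, Computer
| extend SilentFor = now() - LastSeen
| order by LastSeen desc
```

An empty result means every source that has reported in the last week is still reporting. The same query works for plain Syslog sources by swapping CommonSecurityLog for the Syslog table and the CEF fields for Facility and HostName; once you trust it, save it as a scheduled analytics rule so a dead forwarder raises an incident instead of being discovered during the next investigation.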

Azure Sentinel has partnered with many security vendors who helped build custom workbooks (called dashboards in the early preview) for the platform. For example, Palo Alto Networks ships several workbooks for Azure Sentinel that you can install directly from the Palo Alto Networks connector page on the Data connectors blade.

To get a bird's-eye view of your data, install the workbooks that correspond to your data sources; each is a few clicks away from its connector page. Once data is flowing, move on to threat hunting, reached through the Hunting blade. This is where you define what Sentinel looks for: it ships with built-in hunting queries written in Kusto Query Language (KQL), and you can add your own custom queries alongside them. A further option is the Notebooks blade, which opens Jupyter notebooks from Microsoft's Azure-Sentinel-Notebooks GitHub repository containing predefined hunting procedures you can run against your workspace.
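Hunting queries are written in the same KQL used by the Logs blade. The query below is an added example, not one of the built-in queries that ship with Sentinel and not code from the page's author: it looks for brute-force or password-spray activity in Windows Security events, that is, many failed logons (event 4625) from one source IP followed by a successful logon (event 4624) for the same account from that IP. It assumes the Security Events connector is feeding the SecurityEvent table; the threshold and lookback are assumptions to tune per environment.

```kusto
// Added example hunting query: repeated failed network/RDP logons followed by a success from the same source.
let lookback  = 1d;
let threshold = 10;   // assumed: number of failures from one IP that makes a later success interesting
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID in (4624, 4625)          // 4624 = successful logon, 4625 = failed logon
| where LogonType in (3, 10)             // 3 = network, 10 = RemoteInteractive (RDP)
| where isnotempty(IpAddress) and IpAddress !in ("-", "::1", "127.0.0.1")
| summarize
    Failures     = countif(EventID == 4625),
    Successes    = countif(EventID == 4624),
    FirstFailure = minif(TimeGenerated, EventID == 4625),
    FirstSuccess = minif(TimeGenerated, EventID == 4624),
    Computers    = make_set(Computer, 10)
    by Account, IpAddress
// Only keep sources where the success came after the failures started
| where Failures >= threshold and Successes > 0 and FirstSuccess > FirstFailure
| project-reorder Account, IpAddress, Failures, Successes, FirstFailure, FirstSuccess, Computers
// Entity columns let results be bookmarked and promoted to an incident with the account and IP attached
| extend timestamp = FirstSuccess, AccountCustomEntity = Account, IPCustomEntity = IpAddress
```

Saved from the Hunting blade as a custom query it sits next to the built-in ones and can be run on demand or in bulk; if it proves reliable with few false positives, the same KQL can be turned into a scheduled analytics rule so matches raise incidents without waiting for a hunter to run the query. Note that LogonType 3 also covers service-to-service traffic, so exclude known scanners and monitoring hosts before promoting it.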

Taking It to the Next Level

Azure Sentinel is not just another SIEM solution. Its Fusion engine applies machine learning to the alerts already in your workspace; Fusion is enabled by default as the "Advanced Multistage Attack Detection" analytics rule, and you can confirm it is active on the Analytics blade. Remember the Microsoft threat intelligence mentioned earlier? Fusion is trained on that telemetry. In practice it correlates low-fidelity alerts from different data sources (for example an anomalous sign-in followed by unusual activity by the same account) to see whether they form a pattern pointing at the same attacker, and promotes the chain into a single high-severity incident. Low- and medium-severity alerts that would otherwise be ignored therefore get a second look, and the analyst spends time on correlated incidents rather than on triaging every alert by hand.