Mighty Guides, Inc., profile picture
Uploaded byMighty Guides, Inc.
PDF, PPTX396 views

7 Experts on Implementing Azure Sentinel

Azure Sentinel is a security information and event management solution hosted in the Azure public cloud. It integrates data from various security tools and enables consolidation, correlation, querying, and analysis of security data. Key advice from experts includes choosing the right data sources to optimize security performance while managing costs, learning to apply analytics rules and create custom queries, and taking advantage of Azure Sentinel's automation and orchestration capabilities. Managing automated responses and remediations requires careful consideration.

Embed presentation

Download as PDF, PPTX
2 INTRODUCTION © 2021 Mighty Guides, Inc. I 9920 Moorings Drive I Jacksonville, Florida 32257 I 516-840-0244 I www.mightyguides.com 2 One big challenge for many security teams is consolidating and analyzing the data generated in a networked environment. Organizations attempt to address this challenge by using a security information and event management (SIEM) system to collect that data for analysis. In addition to being a best-in-class SIEM system, Azure Sentinel is a platform for security orchestration, automation, and response capable of automating playbooks; monitoring both Windows and Linux environments; and monitoring Amazon, Google, and Azure clouds—and that’s just for starters. Azure is a powerful tool that is easy to set up, but optimizing it requires security analysis skills and knowledge. To learn more about setup and optimization, with the generous support of BlueVoyant, we asked seven experts the following question: Given your experience with Azure Sentinel, what advice can you offer for transitioning to and optimizing this solution? The experts tell us that one key to getting the most out of Azure Sentinel is choosing the right data. You don’t want to ingest too much, which increases costs, or too little. Also, taking full advantage of the automation features in Azure Sentinel is critical for rapid detection and response. This ebook provides good advice from seasoned Azure Sentinel users that will help point you in the right direction for your own Azure Sentinel implementation. David Rogelberg Editor Mighty Guides, Inc. Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective. Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty.
3 FOREWORD New approaches to cybersecurity are needed more than ever! The pandemic has led to exponential growth in remote employees, expanding the attack surface for companies big and small. Security teams struggle to cobble together solutions consisting of technologies from multiple vendors, many of which were only designed to operate in legacy environments. Integration complexities, a lack of security resources, and unrelenting attacks from cyber criminals have made securing the organization a seemingly unattainable goal. So what is the solution to eliminating this pain while also providing the security your company needs in a cloud-first world? We believe a cloud-native, fully integrated security solution is what makes the most sense. To bring our vision to life, we partnered with Microsoft to build consulting, implementation, and managed security services around their SIEM and XDR tools that deliver the outcomes needed by companies operating in today’s dangerous, highly interconnected world. This Mighty Guide, one of three in a series, was written to help you better understand how specific Microsoft security tools are being used by companies today and help you benefit from the lessons they have learned. Enjoy the book! Milan Patel Global Head of Managed Security Services BlueVoyant BlueVoyant is an expert-driven cybersecurity services company whose mission is to proactively defend organizations of all sizes against today’s constant, sophisticated attackers and advanced threats. Led by CEO - Jim Rosenthal, BlueVoyant’s highly skilled team includes former government cyber officials with extensive frontline experience in responding to advanced cyber threats on behalf of the National Security Agency, Federal Bureau of Investigation, Unit 8200, and GCHQ, together with private sector experts. BlueVoyant services utilize large real- time datasets with industry-leading analytics and technologies. Founded in 2017 by Fortune 500 executives and former Government cyber officials and headquartered in New York City, BlueVoyant has offices in Maryland, Tel Aviv, San Francisco, London, and Latin America.
MEET OUR EXPERTS SHARJEEL QAYYUM KHAN edotco Group, IT Security Operation Lead, pg. 24 RAJESH KUMAWAT Mastercard, Information Security Analyst, pg. 21 MAARTEN LEYMAN delaware BeLux, Senior Security Consultant, pg. 12 LAWK SALIH Independent Community Bankers of America, Vice President, Technology Systems and Services, pg. 9 REBECCA WYNN Global CISO & Chief Privacy Officer, pg. 15 MICHAEL KAVKA R.J. O’Brien, Sr. Security Engineer, pg. 18 OSCAR MONGE Rabobank, Security Solutions Architect, pg. 6
6 “For new users, the biggest challenge will be learning how best to use the technology and data connections to produce the security protection they need.” Microsoft Azure Sentinel Provides Total Integration of Detection and Response Microsoft Azure Sentinel is a security information event management solution hosted in the Azure public cloud. It integrates with Microsoft’s portfolio of security products, which enables you to send security data into a common Azure Sentinel workspace-essentially a big bucket of information. There, you can tell Azure Sentinel how to query the data, apply analytical rules to it, and trigger alerts and other actions. With Azure Sentinel, you can correlate data, create thresholds, create alarms, and integrate the tool with a ticketing system. In that way, if Azure Sentinel identifies an incident, it can immediately turn it into a ticket that goes to the first-line security operations center (SOC) so that the analysts can investigate and respond. You can also orchestrate and automate responses to alerts and automate playbooks. Azure Sentinel is native to the Microsoft security ecosystem, but it also integrates with Amazon Web Services (AWS). For example, application programming interfaces enable you to configure Azure Sentinel to consume Oscar Monge is a seasoned information security professional with more than seventeen years of experience. He is a Security Solutions Architect at Rabobank, where he helps shape security monitoring direction and technology integration. Oscar is passionate about technology and its alignment to IT business needs. Oscar Monge, Rabobank, Security Solutions Architect
AWS CloudTrail and Amazon GuardDuty logs. Microsoft is adding integrations with other cloud providers as well. For new users, the biggest challenge will be learning how best to use the technology and data connections to produce the security protection they need. Azure Sentinel is artificial intelligence driven, so it is always in learning mode and monitoring activity to identify trends and look for deviations from those trends. It’s important to collect the data you need to provide the level of monitoring, alerting, and orchestration your organization requires. Azure Sentinel is easy to enable, but choosing the right data requires careful thought because the tool’s costs are tied to the amount of data it consumes. Choosing the right data is a continuous process. In addition to selecting the right data sources and types, you must learn how to apply analytics rules to the data. Azure Sentinel has many built-in rules that are easy to use, but you may need to adjust them so that they work more effectively in your environment. You will also likely want to create custom queries that are more specific to your monitoring environment. In addition to querying and analyzing data, Azure Sentinel can automate many detection and response functions. To get the most out of this capability, you need an understanding of Azure Logic Apps, which helps with application and data integrations, and workflow scheduling. Azure Logic Apps is useful for scaling Azure Sentinel in your environment and creating the more complex automations that make up playbooks. 7 Azure Sentinel is only as good as the data it consumes, but you have to pay for that data.
8 Azure Sentinel is only as good as the data it consumes, but you have to pay for that data. To get the most value from the product, avoid sending it unimportant activity data while providing the data that is important for detecting potentially threatening activity so that Azure Sentinel can detect and act on those data patterns. Choosing the right data is a continuous effort because organizations and IT groups are always changing. When refining the data Azure Sentinel collects, always be looking at recognized information sources within the network environment as well as potentially new sources of valuable security data. Key Points 1 2 Azure Sentinel enables you to correlate data, create thresholds, create alarms, orchestrate and automate responses to alerts, and automate playbooks. You can also integrate the tool with a ticketing system. Choosing the right data is important because Azure Sentinel costs are based on the data it consumes. A knowledgeable security consultant can help you optimize data sources and types for peak security performance while managing data-ingestion costs. 8 Oscar Monge, Rabobank, Security Solutions Architect
9 “Azure Sentinel correlates data from all those logs and presents events in real time in a single pane of glass.” Many Eyes Reviewing Security Logs Generates a Big Advantage A couple of years ago, we made the decision to move to the Microsoft Azure cloud. It was a strategic initiative to move all of our premise servers to the cloud. This was a strategic initiative to adopt the cloud for hosting of applications, data warehouse, and key infrastructure components. This move has made it easier to standardize on Microsoft’s security tools to monitor, protect, and alert on cyberthreats. One of the key services we use within the Microsoft Azure stack is Azure Sentinel. Sentinel has enabled us to consolidate most of our security logs in one single Security Information and Event Management (SIEM) to ingest logs from multiple security controls such as firewall, endpoint protection, collaboration suites, active directories, DNS traffic, DDoS protection, and others. We began feeding Azure Sentinel log data from virtual machines; Microsoft 365 Defender (formerly Microsoft Threat Protection); Microsoft Cloud App Security; and Microsoft 365, including OneDrive, Exchange Online, Microsoft SharePoint, and Microsoft Teams. We are monitoring all those tools in Azure Sentinel through data connections available from the Sentinel dashboard. In addition Lawk Salih is Vice President of Technology Systems and Services for Independent Community Bankers of America (ICBA). In his role, Lawk leads cloud migration efforts, the cybersecurity program, infrastructure, and customer service support in alignment with the ICBA’s strategic goals. He has more than twenty years of experience in IT, including fifteen years with nonprofit organizations and trade associations. Lawk Salih, Independent Community Bankers of America, Vice President, Technology Systems and Services
10 to an extensive list of connections to Microsoft technologies, Azure Sentinel has connections to many non-Microsoft vendors, such as Cisco, Check Point, Barracuda, Citrix, and Amazon Web Services. These connections would be beneficial to anyone with a more complex or multi-cloud infrastructure. To keep cost at a minimum while protecting the environment, it’s important to recognize that ingesting logs can become costly. At the moment, we are on pay-as- you-go as we assess the needs of our security operations. As we mature, we will consider purchasing resources on a retention basis to save costs in the long run. Azure Sentinel provides great visibility. It consolidates and correlates everything into one display, which is a huge advantage. Having one dashboard, and the eyes of your whole team on the same display at different times, is the key to a successful cybersecurity program. Azure Sentinel correlates data from all those logs and presents events in real time in a single pane of glass. When an alert comes in, Azure Sentinel provides a full description of the alert, events involved in the event such as entities, and a detailed timeline of the incident. Having such key information available without much digging is key to saving time during an investigation process. One challenge in setting up Azure Sentinel is managing remediations, particularly when you want to automate playbooks. The question becomes, what are the best actions to take under certain circumstances? For instance, if Azure Sentinel detects suspicious activity on a computer, do you immediately isolate that machine, or will you take granulated steps such as TCP disruption? How do you disrupt rogue IP connections without bringing down a whole system? In the case of a user, certain alerts and playbooks can completely isolate the endpoint from the world wide web until an investigation is complete. As such, false positives can be a headache until a full resolution is determined. One challenge in setting up Azure Sentinel is managing remediations, particularly when you want to automate playbooks.
11 Key Points 1 2 Having one dashboard, and the eyes of your whole team on the same display at different times, is the key to a successful cyber screening program. To take full advantage of Azure Sentinel’s automation capabilities, you need to understand how best to create auto-remediations that can run without disrupting production servers or bringing down systems. For us, Azure Sentinel has been a wonderful experience. We are learning as we go while Microsoft continues to enhance the product with many partnerships in the pipeline. We will consider engaging an Managed Security Service Provider (MSSP) to help monitor our Azure Sentinel 24/7 similar to a virtual security operations center. Lawk Salih, Independent Community Bankers of America, Vice President, Technology Systems and Services
12 “The machine learning and automation capabilities in Azure Sentinel are much further developed than in traditional SIEM solutions.” Azure Sentinel Provides One View of Your Entire Environment Microsoft Azure Sentinel is a security information and event management (SIEM) system for security orchestration automated response. Azure Sentinel is most useful when you have data coming in from many tools or when your environment includes more than just Microsoft technologies. It provides a central security view of computer systems, applications, cloud instances, firewalls, and other networking components. The machine learning and automation capabilities in Azure Sentinel are much further developed than in traditional SIEM solutions. It also has advantages over the Microsoft Defender Security Center dashboard, including the ability to incorporate data from many non-Microsoft technologies; develop more involved playbook automations; and run more advanced, in-depth log investigations and perform threat hunting. When an incident occurs, Azure Sentinel provides all the details you need to remediate it. You can see all the logs and alerts and follow every action related to that incident. You can also create your own process automations. For example, say that Azure Sentinel detects something and creates an incident alert. You get the IP address Maarten Leyman is a Senior Security Consultant with experience in the full Microsoft 365 security suite and Azure security. In 2013, he started his career at delaware BeLux, where he performs security assessments and conducts workshops at customer sites to identify security risks. He also helps fine-tune IT architecture and implementations to increase overall security at customer locations and mitigate possible threats. Maarten Leyman, delaware BeLux, Senior Security Consultant
from that incident, log the IP address in Office 365 and block it, and then send an email to the IT department detailing the changes that were made. You can automate this whole process in Azure Sentinel. The first step is getting data into Azure Sentinel, which requires making data connections. With one click, Azure Sentinel is up and running; with a few more clicks, you can make connections to begin receiving data. Azure Sentinel has built-in data connections to Microsoft security tools and to many third-party tools. For example, Microsoft has worked with many of its partners, including Cisco, Barracuda, and Citrix, to build data connections for their products. As you configure data connections, it’s important to keep in mind that pricing is based on data consumption. As such, you can pay as you go or pay in advance for a specific amount of data. For instance, you can pay for a full 100 gigabytes of data; per gigabyte, that package costs less than paying as you go for the same amount of data. Of course, when you pay in advance, you must calculate how much data you will actually feed into Azure Sentinel so that you don’t buy more than you need. To control costs, send only necessary security data to Azure Sentinel. For example, firewalls have rules that typically include a deny rule. This deny rule catches a lot because active internet scanning produces a hit each time someone is prevented from connecting. Logging all that deny rule activity in Azure Sentinel doesn't add value, so you don’t want to pay for that. You need expertise with the tools you want to connect to Azure Sentinel. Also, tuning and maintaining Azure Sentinel automations require continuous monitoring and refinement. When done properly, though, Azure Sentinel is a powerful tool for managing detections and response. If you don’t have the necessary IT personnel to set up and tune Azure Sentinel, a managed security service provider (MSSP) can help. 13 You need expertise with the tools you want to connect to Azure Sentinel.
Many MSSPs have automated templates that speed the process of coding everything for your environment. They can also help with detection and response activities. Azure Sentinel makes it easy to transfer all this work to a service provider if you need that support. 14 Key Points 1 2 The first step in implementation is getting data into Azure Sentinel. Azure Sentinel has built-in data connections to Microsoft’s security tools and connects to many third- party vendors, such as Cisco, Barracuda, and Citrix. Tuning and maintaining Azure Sentinel automations requires continuous monitoring and refinement, but when done properly, Azure Sentinel is a powerful tool for managing detections and response. Maarten Leyman, delaware BeLux, Senior Security Consultant
15 “Think about the quickest way to get from where you are now to where you want to be using Azure Sentinel.” Before You Deploy Microsoft Azure Sentinel, Know What You Want to Accomplish When implementing Microsoft Azure Sentinel, you must • understand what you want to accomplish through Microsoft Azure Sentinel, which both monitors and orchestrates automated responses to events; • understand the IT assets in your environment, endpoints, servers, network devices, clouds, and applications. Think about how much data from your environment Azure Sentinel must consume to achieve your objectives; and • think about the quickest way to get from where you are now to where you want to be using Azure Sentinel. Azure Sentinel pulls in data from many sources, which makes it uniquely effective for managing security from a single portal—especially important as companies move more of their assets into the cloud. Azure Sentinel works with more than Microsoft products, as well. It can monitor Amazon Web Dr. Rebecca Wynn received the 2017 Cybersecurity Professional of the Year– Cybersecurity Excellence Award, was Chief Privacy Officer of SC Magazine, is a Global Privacy and Security by Design International Council member, and was 2018 Women in Technology Business Role Model of the Year. She is lauded as a “gifted polymath and game- changer who is ten steps ahead in developing and enforcing cybersecurity and privacy best practices and policies.” Rebecca Wynn, Global CISO & Chief Privacy Officer
Services (AWS), Google Cloud Platform (GCP), and other clouds with application programming interface hooks. Being able to see Azure, AWS, and GCP in one place is valuable because most corporate models today use multiple clouds. Some security information event management solutions have this capability on their technology roadmap, but Microsoft is already there. Microsoft makes it easy to deploy Azure Sentinel, too. Good documentation and many videos show you how to make data connections to devices and virtual machines and help you determine which data to ingest. Microsoft also provides Azure Blueprints, which are templated configurations for different types of environments. These blueprints simplify configuration, especially for environments that must comply with regulatory regimes such as the Health Insurance Portability and Accountability Act and Payment Card Industry. When you begin configuring Azure Sentinel, you will start seeing events and notifications quickly. The biggest challenges in deploying Azure Sentinel are making sure that Azure Sentinel ingests only the data you need to meet your security objectives and using automations effectively to make detection and response faster. Processing more data through Azure Sentinel than you actually need costs money and is counterproductive to your security strategy because oversubscribing prevents your company from using that money for more effective threat mitigation. Configuring and optimizing Azure Sentinel for your environment require analytical expertise. Whether you are working with a consultant or hiring people for your team, they must be critical thinkers and root cause analysts. Azure Sentinel 16 Processing more data through Azure Sentinel than you actually need costs money and is counterproductive to your security strategy.
17 enables you to look at the details of an event, drill into log data for that event, and be more mindful about how you analyze and respond to the events you are seeing. The tool augments your team, and it is the mindful use of that tool that enables you to work more intelligently with other teams in your organization. 17 Key Points 1 2 You must understand the IT assets in your environment, endpoints, servers, network devices, clouds, and applications. Think about how much data from your environment Azure Sentinel must consume to achieve your objectives. The biggest challenges in deploying Azure Sentinel are making sure that Azure Sentinel ingests the data you need to meet your security objectives and using automations effectively to make detection and response faster. Rebecca Wynn, Global CISO & Chief Privacy Officer
18 “Implementing Azure Sentinel is straightforward, coming down to implementing your data connections and deciding how much space to allocate for data storage.” Microsoft Azure Sentinel Delivers Visibility and Insight Microsoft Azure Sentinel combines security information event management and security orchestration automated response functionality in one tool, making it much easier to have all security data and controls in one place. That consolidated platform simplifies monitoring, correlating, and automating security functions such as detections, alerting, and playbooks. Implementing Azure Sentinel is straightforward, coming down to implementing your data connections and deciding how much space to allocate for data storage. Both are important because they can have a big impact on the tool’s operational cost. Regarding data storage, Azure Sentinel defaults to holding log data for 30 days, which will be plenty for most companies. Some high-risk businesses that represent attractive targets, such as financial services firms, may want to hold data longer. The longer you store data, however, the more space it consumes, which increases costs. The amount of data Azure Sentinel consumes also comes with costs, but you can monitor and analyze a lot of data for free. For example, it costs nothing to ingest data from other Microsoft security products, such as the Microsoft 365 Defender suite (Microsoft Defender for Endpoint [formerly Michael Kavka has been an IT professional for more than 20 years. He contributes to the community, helping run the Burbsec set of infosec meetups in the Chicago area, and volunteers for Hak4Kidz, a kids-orientated STEM conference. He is currently a Security Engineer; his areas of focus include security information and event management, Microsoft security technologies, and vulnerability assessment. Michael is a CISSP and a GCIH. Michael Kavka, R.J. O’Brien, Sr. Security Engineer
19 Microsoft Advanced Threat Protection], Microsoft Cloud App Security, and others). Monitoring these tools is easy: In the Azure portal, select Azure Sentinel, select Data connections, and then turn on the data connections for those tools. If you have a largely Microsoft environment and are using these tools, turning all that data on enables Azure Sentinel to provide you with a lot of visibility into what’s happening in your environment. It takes only a few minutes to start seeing results. One of the most challenging aspects of Azure Sentinel is balancing costs against benefits. It’s easy to activate built-in connectors to other technology in your environment, such as Cisco, Citrix, and Amazon Web Services, but importing that data can incur costs depending on the amount. You can gain amazing insights from cloud data imported into Azure Sentinel, but the amounts of data can vary and be difficult to predict, especially if you are transitioning to the cloud or ramping up cloud computational activity. One month you may have two cloud servers, and then suddenly you could have five, ten, twenty, or thirty. Each is an individual cost, in addition to log transaction costs and the costs of Microsoft SQL Server instances. There are intricacies to the cost structure that can be confusing, and it can get out of hand quickly if you’re not careful. Many of these questions are ongoing as you use Azure Sentinel and modify it to keep it operating optimally for your environment. Most of your maintenance and optimization work will focus on reporting; automations for queries, alerts, and responses; and reviewing incidents. Set reporting schedules that make sense in relation to automated querying so that you don’t waste resources with unnecessary reporting. In addition, you must continually adjust these features to adapt to your changing environment and usage patterns. 19 There are intricacies to the cost structure that can be confusing, and it can get out of hand quickly if you’re not careful.
20 For some companies, it makes a lot of sense to work with a managed security service provider (MSSP) or consultant to hammer out these details. The choice depends on your staffing, budget, and environment size. If you have a solid team but don’t have a security operations center (SOC), or you have a SOC that would be overwhelmed with a one- or two-person team, then using an MSSP to augment your staff can be fantastic. If you're a small business without a security department, a service provider can be invaluable. Like everything else, you must balance the costs against the services and benefits you receive. 20 Key Points 1 2 Azure Sentinel can monitor and analyze a lot of data for free. For example, it costs nothing to ingest data from Microsoft security products such as those in the Microsoft 365 Defender suite. You can gain amazing insights from cloud data imported into Azure Sentinel, but the amounts of data can vary and be difficult to predict, especially if you are transitioning to the cloud or ramping up cloud computational activity. Michael Kavka, R.J. O’Brien, Sr. Security Engineer
21 21 “Azure Sentinel automatically performs the analytical work on alerts and provides a clear, straightforward presentation of the incident history and event relationships.” Microsoft Azure Sentinel Is a Different Kind of SIEM System The most important part of implementing Microsoft Azure Sentinel is knowing your objectives because Azure Sentinel differs from traditional security information event management (SIEM) tools in two key ways: • Sentinel is smart. Many companies that use SIEM tools know their traditional role as security data aggregators. The SIEM system collects raw logs and provides the data to analysts in the security operations center, who look at that data and use other analytical tools to determine its meaning. Azure Sentinel automatically performs the analytical work on alerts and provides a clear, straightforward presentation of the incident history and event relationships. It does a lot of the analytical work for analysts. An analyst can choose an incident off the Azure Sentinel incident list and within seconds have a complete view of what happened. • Azure Sentinel also provides security orchestration and automated response. These features enable you to build automated playbooks into your Azure Sentinel implementation. Azure Sentinel has no preconfigured playbooks. Instead, you use the tool’s analytical rules, triggers, and logic Rajesh Kumawat has four years of experience working as an Information Security Analyst. He completed his Engineering in E&TC studies from Pune. Rajesh is passionate about infosec and its domains like cyber forensics, cloud security, incident management, and IT compliance. He likes to engage in freelancing projects and do bug bounty hunting in his spare time, which mostly focuses on web application security. Rajesh Kumawat, Mastercard, Information Security Analyst
22 apps to create your own playbooks based on your requirements. You can then run these playbooks manually or automatically. Playbooks make Azure Sentinel a powerful security automation tool. These capabilities make Azure Sentinel a different kind of SIEM system, and to get the most out of it, you need to know what you want it to do for you. One other aspect of Azure Sentinel that can affect how you implement it is continuous synchronization with Microsoft Defender for Endpoint (formerly Microsoft Advanced Threat Protection). Continuous synchronization means that you can set up Microsoft Defender for Endpoint so that if it assigns an incident, the same incident is assigned in Azure Sentinel. Then, after you resolve the incident and close the incident in Microsoft Defender for Endpoint, it also closes in Azure Sentinel— something not possible with any other SIEM system. When implementing Azure Sentinel, pay attention to the data connections you create to make sure that you are collecting the right data and not too much data. In some cases, such as for on-premises servers, you will need to install an agent that connects to Azure Sentinel, which is cloud based. In addition, spend time working on the analytics rules. Microsoft includes default rules, but you should edit and test them to make sure that they meet your requirements. Azure Sentinel also has allow list capabilities that permit actions that may otherwise trigger an alert. To make your Azure Sentinel implementation more capable and more powerful, you must engineer every alert; then, with time, the rules you use will become more effective. 22 Playbooks make Azure Sentinel a powerful security automation tool.
23 The best way to keep Azure Sentinel in optimum condition to defend your network is continuous monitoring of incidents. If the tool’s ability to catch incidents provides value, then it’s a good tool. But if it’s producing a lot of false positives, you have to work on editing the rules. Maintaining Azure Sentinel involves continuously tuning the rules, saving them, watching how they perform, and learning how to make them deliver better results. 23 Rajesh Kumawat, Mastercard, Information Security Analyst Key Points 1 2 Use Azure Sentinel analytical rules, triggers, and logic apps to create your own playbooks based on your requirements. You can then run these playbooks manually or automatically. To keep Azure Sentinel in optimum condition to defend your network, continuously monitor for incidents. If the tool’s ability to catch incidents provides value, then it’s a good tool. But if it's producing a lot of false positives, you have to work on editing the rules.
24 24 “The most challenging aspect of Azure Sentinel deployment is deciding what you need the system to tell you, and then configuring data collection and analytics so that you can extract that information.” You Must Understand What You Want to Extract from Azure Sentinel Effective security monitoring and analysis require a security information event management solution such as Microsoft Azure Sentinel, but that tool must be configured properly. You can configure data collection and analysis for Azure Sentinel in many ways. Which way you choose depends on your security needs and what is in your environment. A configuration management tool such as Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager) is essential for deploying Azure Sentinel. Before you can deploy Azure Sentinel, you must install the correct monitoring agents on the servers in your environment, whether on-premises servers or virtual servers deployed in the cloud. Microsoft provides monitoring agents for Windows and Linux operating systems, and agents are available that work in Azure, Amazon Web Services, and other providers’ clouds. Microsoft monitoring agents are mandatory for getting log data into the Azure Sentinel analytics workspace. The most challenging aspect of Azure Sentinel deployment is deciding what you need the system to tell you, and then configuring data collection and analytics Sharjeel Qayyum Khan has ten years of experience in IT. His focus is on enhancing business alignment and growth by deploying stable cloud environments and adopting best practices for security. Sharjeel regulates security operations and technologies, including end security, security information event management, incident response, and NIST compliance reporting. His areas of expertise include cybersecurity, system architecture design, vulnerability evaluation, risk management, and configuration management. Sharjeel Qayyum Khan, edotco Group, IT Security Operation Lead
25 so that you can extract that information. Azure Sentinel enables you to integrate all your data monitoring into one tool in the Azure portal. That can speed up mean time to detection and mean time to response, but you need to know what you are looking for. This determines which data you will collect, which analytical rules you will use, and which automations you will configure. When deciding on data collection, eliminate noise that does not contribute to the information you are trying to extract from the system. Use data connectors to pull in the important data, and enable rules for analysis and behavior tracking. Collecting too much data increases the operational cost of using Azure Sentinel. Microsoft makes it easy to implement data connectors for its own products and for many third-party tools. For example, data collectors are available for Cisco networking solutions that can also monitor virtual routing and forwarding. Azure Sentinel has a list of preconfigured data collectors; you just select the ones you want to use. Properly configuring Azure Sentinel for your environment enables broad visualization. If an attacker is trying to access your environment, you can see who the attacker is, which virtual machines they have run, and the data the attacker is trying to exfiltrate. Azure Sentinel shows you who has been compromised and what the impact of that compromise might be. 25 It’s important to recognize that Azure Sentinel requires ongoing monitoring and adjustment to changes in your environment.
26 It’s important to recognize that Azure Sentinel requires ongoing monitoring and adjustment to changes in your environment. It is not a tool that you can configure once and then leave alone. You must check analytical rules, detections, and your automations because technology in your environment changes every day, and the tool itself is evolving. Microsoft has built 200 preconfigured detections for Azure Sentinel, but it regularly updates them. Continuously check the detections you use to see if new ones can improve your security operations. 26 26 Key Points 1 2 Azure Sentinel enables you to integrate all your data monitoring into one tool in the Azure portal. That can speed up mean time to detection and mean time to response, but you need to know what you are looking for. With Azure Sentinel, you can collect and analyze data in ways that meet your security needs and fit your environment. A configuration management tool such as Microsoft Endpoint Configuration Manager is essential for deploying Azure Sentinel. Sharjeel Qayyum Khan, edotco Group, IT Security Operation Lead
7 Experts on Implementing Azure Sentinel

More Related Content

PDF
Introduction to Azure Sentinel
byarnaudlh
 
PPTX
Azure Sentinel
byCheah Eng Soon
 
PPTX
Azure Sentinel Jan 2021 overview deck
byMatt Soseman
 
PDF
Microsoft Azure Sentinel
byBGA Cyber Security
 
PPTX
Azure Sentinel.pptx
byMohit Chhabra
 
PPTX
Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
byVignesh Ganesan I Microsoft MVP
 
PDF
Microsoft Defender and Azure Sentinel
byDavid J Rosenthal
 
PDF
An introduction to Office 365 Advanced Threat Protection (ATP)
byRobert Crane
 
Introduction to Azure Sentinel
byarnaudlh
 
Azure Sentinel
byCheah Eng Soon
 
Azure Sentinel Jan 2021 overview deck
byMatt Soseman
 
Microsoft Azure Sentinel
byBGA Cyber Security
 
Azure Sentinel.pptx
byMohit Chhabra
 
Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
byVignesh Ganesan I Microsoft MVP
 
Microsoft Defender and Azure Sentinel
byDavid J Rosenthal
 
An introduction to Office 365 Advanced Threat Protection (ATP)
byRobert Crane
 

What's hot

PPTX
SEIM-Microsoft Sentinel.pptx
byAmrMousa51
 
PPTX
Microsoft Purview Overview Deck.pptx is for Microsoft Purview
byahsanf1
 
PDF
Microsoft 365 Security Overview
byRobert Crane
 
PPTX
Fundamentals of Microsoft 365 Security , Identity and Compliance
byVignesh Ganesan I Microsoft MVP
 
PDF
Microsoft 365 Enterprise Security with E5 Overview
byDavid J Rosenthal
 
PDF
Microsoft 365 Compliance and Security Overview
byDavid J Rosenthal
 
PPTX
Azure security and Compliance
byKarina Matos
 
PDF
Azure Sentinel
byKumton Suttiraksiri
 
PDF
introduction to Azure Sentinel
byRobert Crane
 
PDF
Cyber Security For Organization Proposal Powerpoint Presentation Slides
bySlideTeam
 
PDF
Microsoft Zero Trust
byDavid J Rosenthal
 
PPTX
Microsoft Defender for Endpoint
byCheah Eng Soon
 
PPTX
Microsoft Teams Governance and Security Best Practices - Joel Oleson
byJoel Oleson
 
PPTX
Azure sentinel
byMarius Sandbu
 
PPTX
Microsoft Defender for Endpoint Overview.pptx
byBenAissaTaher1
 
PDF
Azure governance v4.0
byMarcos Oikawa
 
PPTX
Office 365 Security Best Practices
byCommunity IT Innovators
 
PPTX
Azure Security Fundamentals
byLorenzo Barbieri
 
PPTX
Azure governance
bygirish goudar
 
PDF
Microsoft Office 365 Advanced Threat Protection
byDavid J Rosenthal
 
SEIM-Microsoft Sentinel.pptx
byAmrMousa51
 
Microsoft Purview Overview Deck.pptx is for Microsoft Purview
byahsanf1
 
Microsoft 365 Security Overview
byRobert Crane
 
Fundamentals of Microsoft 365 Security , Identity and Compliance
byVignesh Ganesan I Microsoft MVP
 
Microsoft 365 Enterprise Security with E5 Overview
byDavid J Rosenthal
 
Microsoft 365 Compliance and Security Overview
byDavid J Rosenthal
 
Azure security and Compliance
byKarina Matos
 
Azure Sentinel
byKumton Suttiraksiri
 
introduction to Azure Sentinel
byRobert Crane
 
Cyber Security For Organization Proposal Powerpoint Presentation Slides
bySlideTeam
 
Microsoft Zero Trust
byDavid J Rosenthal
 
Microsoft Defender for Endpoint
byCheah Eng Soon
 
Microsoft Teams Governance and Security Best Practices - Joel Oleson
byJoel Oleson
 
Azure sentinel
byMarius Sandbu
 
Microsoft Defender for Endpoint Overview.pptx
byBenAissaTaher1
 
Azure governance v4.0
byMarcos Oikawa
 
Office 365 Security Best Practices
byCommunity IT Innovators
 
Azure Security Fundamentals
byLorenzo Barbieri
 
Azure governance
bygirish goudar
 
Microsoft Office 365 Advanced Threat Protection
byDavid J Rosenthal
 

Similar to 7 Experts on Implementing Azure Sentinel

PPTX
07 - Defend Against Threats with SIEM Plus XDR Workshop - Microsoft Sentinel ...
bycarlitocabana
 
PDF
7 Experts on Implementing Microsoft 365 Defender
byMighty Guides, Inc.
 
PDF
Azure Security Overview
byDavid J Rosenthal
 
PPTX
SC-900 Capabilities of Microsoft Security Solutions
byFredBrandonAuthorMCP
 
PDF
Microsoft Sentinel- a cloud native SIEM & SOAR.pdf
byKranthi Aragonda
 
PPTX
Modernize your Security Operations with Azure Sentinel
byCheah Eng Soon
 
PPTX
Azure Sentinel with Office 365
byCheah Eng Soon
 
PDF
do you want to know about what is Microsoft Sentinel.pdf
byamilsaifi5
 
PDF
Microsoft Security adoptionguide for the enterprise
byssuserd58af7
 
PPTX
Microsoft Sentinel and Its Components.pptx
byInfosectrain3
 
PDF
Microsoft Azure Security Techniquesand How Azure security can enhance your or...
byEric Amarasinghe
 
PDF
Gill C. Configuring Windows Server Hybrid Advanced Services Exam Ref AZ-801 2...
byHafiz Rahmat Ullah
 
PPTX
Remediate and secure your organization with azure sentinel
bySamik Roy
 
PDF
Azure Security Center
byMicrosoft
 
PPTX
Adam ochs sentinel
byAdam Ochs
 
PPTX
NVS_Sentinel
byMike Mihm
 
PDF
Planning and implementing. Unveiling the advanced technology of Microsoft Azu...
byPrometix Pty Ltd
 
PPTX
TechTalksUtah-Sentinel-20191108.pptx
byJustineGarcia32
 
PDF
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
bySBA Research
 
PPTX
Power of the cloud - Introduction to azure security
byBruno Capuano
 
07 - Defend Against Threats with SIEM Plus XDR Workshop - Microsoft Sentinel ...
bycarlitocabana
 
7 Experts on Implementing Microsoft 365 Defender
byMighty Guides, Inc.
 
Azure Security Overview
byDavid J Rosenthal
 
SC-900 Capabilities of Microsoft Security Solutions
byFredBrandonAuthorMCP
 
Microsoft Sentinel- a cloud native SIEM & SOAR.pdf
byKranthi Aragonda
 
Modernize your Security Operations with Azure Sentinel
byCheah Eng Soon
 
Azure Sentinel with Office 365
byCheah Eng Soon
 
do you want to know about what is Microsoft Sentinel.pdf
byamilsaifi5
 
Microsoft Security adoptionguide for the enterprise
byssuserd58af7
 
Microsoft Sentinel and Its Components.pptx
byInfosectrain3
 
Microsoft Azure Security Techniquesand How Azure security can enhance your or...
byEric Amarasinghe
 
Gill C. Configuring Windows Server Hybrid Advanced Services Exam Ref AZ-801 2...
byHafiz Rahmat Ullah
 
Remediate and secure your organization with azure sentinel
bySamik Roy
 
Azure Security Center
byMicrosoft
 
Adam ochs sentinel
byAdam Ochs
 
NVS_Sentinel
byMike Mihm
 
Planning and implementing. Unveiling the advanced technology of Microsoft Azu...
byPrometix Pty Ltd
 
TechTalksUtah-Sentinel-20191108.pptx
byJustineGarcia32
 
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
bySBA Research
 
Power of the cloud - Introduction to azure security
byBruno Capuano
 

More from Mighty Guides, Inc.

PDF
7 Experts on Implementing Microsoft Defender for Endpoint
byMighty Guides, Inc.
 
PDF
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
byMighty Guides, Inc.
 
PDF
Building Security Into Your Cloud IT Practices
byMighty Guides, Inc.
 
PDF
8 Experts on Flawless App Delivery
byMighty Guides, Inc.
 
PDF
Sharktower: Will AI change the way you manage change?
byMighty Guides, Inc.
 
PDF
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
byMighty Guides, Inc.
 
PDF
Kyriba: 7 Experts on Activating Liquidity
byMighty Guides, Inc.
 
PDF
Iron Mountain: 8 Experts on Workplace Transformation
byMighty Guides, Inc.
 
PDF
15 Experts on Reimagining Field Marketing
byMighty Guides, Inc.
 
PDF
Avoiding Limitations of Traditional Approaches to Security
byMighty Guides, Inc.
 
PDF
Resetting Your Security Thinking for the Public Cloud
byMighty Guides, Inc.
 
PDF
Avoiding Container Vulnerabilities
byMighty Guides, Inc.
 
PDF
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
byMighty Guides, Inc.
 
PDF
Citrix: 7 Experts on Transforming Employee Experience
byMighty Guides, Inc.
 
PDF
7 Experts on Transforming Customer Experience with Data Insights (1)
byMighty Guides, Inc.
 
PDF
Workfront - 9 Experts on How to Align IT's Work to Company Strategy
byMighty Guides, Inc.
 
PDF
Defining Marketing Success- 28 Experts Tell You How
byMighty Guides, Inc.
 
PDF
Workfront: 7 Experts on Flawless Campaign Execution
byMighty Guides, Inc.
 
PDF
11 Experts on Using the Content Lifecycle to Maximize Content ROI
byMighty Guides, Inc.
 
PDF
7 Experts on Using the Content Lifecycle to Maximize Content ROI
byMighty Guides, Inc.
 
7 Experts on Implementing Microsoft Defender for Endpoint
byMighty Guides, Inc.
 
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
byMighty Guides, Inc.
 
Building Security Into Your Cloud IT Practices
byMighty Guides, Inc.
 
8 Experts on Flawless App Delivery
byMighty Guides, Inc.
 
Sharktower: Will AI change the way you manage change?
byMighty Guides, Inc.
 
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
byMighty Guides, Inc.
 
Kyriba: 7 Experts on Activating Liquidity
byMighty Guides, Inc.
 
Iron Mountain: 8 Experts on Workplace Transformation
byMighty Guides, Inc.
 
15 Experts on Reimagining Field Marketing
byMighty Guides, Inc.
 
Avoiding Limitations of Traditional Approaches to Security
byMighty Guides, Inc.
 
Resetting Your Security Thinking for the Public Cloud
byMighty Guides, Inc.
 
Avoiding Container Vulnerabilities
byMighty Guides, Inc.
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
byMighty Guides, Inc.
 
Citrix: 7 Experts on Transforming Employee Experience
byMighty Guides, Inc.
 
7 Experts on Transforming Customer Experience with Data Insights (1)
byMighty Guides, Inc.
 
Workfront - 9 Experts on How to Align IT's Work to Company Strategy
byMighty Guides, Inc.
 
Defining Marketing Success- 28 Experts Tell You How
byMighty Guides, Inc.
 
Workfront: 7 Experts on Flawless Campaign Execution
byMighty Guides, Inc.
 
11 Experts on Using the Content Lifecycle to Maximize Content ROI
byMighty Guides, Inc.
 
7 Experts on Using the Content Lifecycle to Maximize Content ROI
byMighty Guides, Inc.
 

Recently uploaded

PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
software-security-intro in information security.ppt
byismaeelsahib032
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
The Landscape of Computer Software Development Companies
byYash Singh
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 

7 Experts on Implementing Azure Sentinel

  • 2.
    2 INTRODUCTION © 2021 MightyGuides, Inc. I 9920 Moorings Drive I Jacksonville, Florida 32257 I 516-840-0244 I www.mightyguides.com 2 One big challenge for many security teams is consolidating and analyzing the data generated in a networked environment. Organizations attempt to address this challenge by using a security information and event management (SIEM) system to collect that data for analysis. In addition to being a best-in-class SIEM system, Azure Sentinel is a platform for security orchestration, automation, and response capable of automating playbooks; monitoring both Windows and Linux environments; and monitoring Amazon, Google, and Azure clouds—and that’s just for starters. Azure is a powerful tool that is easy to set up, but optimizing it requires security analysis skills and knowledge. To learn more about setup and optimization, with the generous support of BlueVoyant, we asked seven experts the following question: Given your experience with Azure Sentinel, what advice can you offer for transitioning to and optimizing this solution? The experts tell us that one key to getting the most out of Azure Sentinel is choosing the right data. You don’t want to ingest too much, which increases costs, or too little. Also, taking full advantage of the automation features in Azure Sentinel is critical for rapid detection and response. This ebook provides good advice from seasoned Azure Sentinel users that will help point you in the right direction for your own Azure Sentinel implementation. David Rogelberg Editor Mighty Guides, Inc. Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective. Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty.
  • 3.
    3 FOREWORD New approaches tocybersecurity are needed more than ever! The pandemic has led to exponential growth in remote employees, expanding the attack surface for companies big and small. Security teams struggle to cobble together solutions consisting of technologies from multiple vendors, many of which were only designed to operate in legacy environments. Integration complexities, a lack of security resources, and unrelenting attacks from cyber criminals have made securing the organization a seemingly unattainable goal. So what is the solution to eliminating this pain while also providing the security your company needs in a cloud-first world? We believe a cloud-native, fully integrated security solution is what makes the most sense. To bring our vision to life, we partnered with Microsoft to build consulting, implementation, and managed security services around their SIEM and XDR tools that deliver the outcomes needed by companies operating in today’s dangerous, highly interconnected world. This Mighty Guide, one of three in a series, was written to help you better understand how specific Microsoft security tools are being used by companies today and help you benefit from the lessons they have learned. Enjoy the book! Milan Patel Global Head of Managed Security Services BlueVoyant BlueVoyant is an expert-driven cybersecurity services company whose mission is to proactively defend organizations of all sizes against today’s constant, sophisticated attackers and advanced threats. Led by CEO - Jim Rosenthal, BlueVoyant’s highly skilled team includes former government cyber officials with extensive frontline experience in responding to advanced cyber threats on behalf of the National Security Agency, Federal Bureau of Investigation, Unit 8200, and GCHQ, together with private sector experts. BlueVoyant services utilize large real- time datasets with industry-leading analytics and technologies. Founded in 2017 by Fortune 500 executives and former Government cyber officials and headquartered in New York City, BlueVoyant has offices in Maryland, Tel Aviv, San Francisco, London, and Latin America.
  • 5.
    MEET OUR EXPERTS SHARJEELQAYYUM KHAN edotco Group, IT Security Operation Lead, pg. 24 RAJESH KUMAWAT Mastercard, Information Security Analyst, pg. 21 MAARTEN LEYMAN delaware BeLux, Senior Security Consultant, pg. 12 LAWK SALIH Independent Community Bankers of America, Vice President, Technology Systems and Services, pg. 9 REBECCA WYNN Global CISO & Chief Privacy Officer, pg. 15 MICHAEL KAVKA R.J. O’Brien, Sr. Security Engineer, pg. 18 OSCAR MONGE Rabobank, Security Solutions Architect, pg. 6
  • 6.
    6 “For new users,the biggest challenge will be learning how best to use the technology and data connections to produce the security protection they need.” Microsoft Azure Sentinel Provides Total Integration of Detection and Response Microsoft Azure Sentinel is a security information event management solution hosted in the Azure public cloud. It integrates with Microsoft’s portfolio of security products, which enables you to send security data into a common Azure Sentinel workspace-essentially a big bucket of information. There, you can tell Azure Sentinel how to query the data, apply analytical rules to it, and trigger alerts and other actions. With Azure Sentinel, you can correlate data, create thresholds, create alarms, and integrate the tool with a ticketing system. In that way, if Azure Sentinel identifies an incident, it can immediately turn it into a ticket that goes to the first-line security operations center (SOC) so that the analysts can investigate and respond. You can also orchestrate and automate responses to alerts and automate playbooks. Azure Sentinel is native to the Microsoft security ecosystem, but it also integrates with Amazon Web Services (AWS). For example, application programming interfaces enable you to configure Azure Sentinel to consume Oscar Monge is a seasoned information security professional with more than seventeen years of experience. He is a Security Solutions Architect at Rabobank, where he helps shape security monitoring direction and technology integration. Oscar is passionate about technology and its alignment to IT business needs. Oscar Monge, Rabobank, Security Solutions Architect
  • 7.
    AWS CloudTrail andAmazon GuardDuty logs. Microsoft is adding integrations with other cloud providers as well. For new users, the biggest challenge will be learning how best to use the technology and data connections to produce the security protection they need. Azure Sentinel is artificial intelligence driven, so it is always in learning mode and monitoring activity to identify trends and look for deviations from those trends. It’s important to collect the data you need to provide the level of monitoring, alerting, and orchestration your organization requires. Azure Sentinel is easy to enable, but choosing the right data requires careful thought because the tool’s costs are tied to the amount of data it consumes. Choosing the right data is a continuous process. In addition to selecting the right data sources and types, you must learn how to apply analytics rules to the data. Azure Sentinel has many built-in rules that are easy to use, but you may need to adjust them so that they work more effectively in your environment. You will also likely want to create custom queries that are more specific to your monitoring environment. In addition to querying and analyzing data, Azure Sentinel can automate many detection and response functions. To get the most out of this capability, you need an understanding of Azure Logic Apps, which helps with application and data integrations, and workflow scheduling. Azure Logic Apps is useful for scaling Azure Sentinel in your environment and creating the more complex automations that make up playbooks. 7 Azure Sentinel is only as good as the data it consumes, but you have to pay for that data.
  • 8.
    8 Azure Sentinel isonly as good as the data it consumes, but you have to pay for that data. To get the most value from the product, avoid sending it unimportant activity data while providing the data that is important for detecting potentially threatening activity so that Azure Sentinel can detect and act on those data patterns. Choosing the right data is a continuous effort because organizations and IT groups are always changing. When refining the data Azure Sentinel collects, always be looking at recognized information sources within the network environment as well as potentially new sources of valuable security data. Key Points 1 2 Azure Sentinel enables you to correlate data, create thresholds, create alarms, orchestrate and automate responses to alerts, and automate playbooks. You can also integrate the tool with a ticketing system. Choosing the right data is important because Azure Sentinel costs are based on the data it consumes. A knowledgeable security consultant can help you optimize data sources and types for peak security performance while managing data-ingestion costs. 8 Oscar Monge, Rabobank, Security Solutions Architect
  • 9.
    9 “Azure Sentinel correlatesdata from all those logs and presents events in real time in a single pane of glass.” Many Eyes Reviewing Security Logs Generates a Big Advantage A couple of years ago, we made the decision to move to the Microsoft Azure cloud. It was a strategic initiative to move all of our premise servers to the cloud. This was a strategic initiative to adopt the cloud for hosting of applications, data warehouse, and key infrastructure components. This move has made it easier to standardize on Microsoft’s security tools to monitor, protect, and alert on cyberthreats. One of the key services we use within the Microsoft Azure stack is Azure Sentinel. Sentinel has enabled us to consolidate most of our security logs in one single Security Information and Event Management (SIEM) to ingest logs from multiple security controls such as firewall, endpoint protection, collaboration suites, active directories, DNS traffic, DDoS protection, and others. We began feeding Azure Sentinel log data from virtual machines; Microsoft 365 Defender (formerly Microsoft Threat Protection); Microsoft Cloud App Security; and Microsoft 365, including OneDrive, Exchange Online, Microsoft SharePoint, and Microsoft Teams. We are monitoring all those tools in Azure Sentinel through data connections available from the Sentinel dashboard. In addition Lawk Salih is Vice President of Technology Systems and Services for Independent Community Bankers of America (ICBA). In his role, Lawk leads cloud migration efforts, the cybersecurity program, infrastructure, and customer service support in alignment with the ICBA’s strategic goals. He has more than twenty years of experience in IT, including fifteen years with nonprofit organizations and trade associations. Lawk Salih, Independent Community Bankers of America, Vice President, Technology Systems and Services
  • 10.
    10 to an extensivelist of connections to Microsoft technologies, Azure Sentinel has connections to many non-Microsoft vendors, such as Cisco, Check Point, Barracuda, Citrix, and Amazon Web Services. These connections would be beneficial to anyone with a more complex or multi-cloud infrastructure. To keep cost at a minimum while protecting the environment, it’s important to recognize that ingesting logs can become costly. At the moment, we are on pay-as- you-go as we assess the needs of our security operations. As we mature, we will consider purchasing resources on a retention basis to save costs in the long run. Azure Sentinel provides great visibility. It consolidates and correlates everything into one display, which is a huge advantage. Having one dashboard, and the eyes of your whole team on the same display at different times, is the key to a successful cybersecurity program. Azure Sentinel correlates data from all those logs and presents events in real time in a single pane of glass. When an alert comes in, Azure Sentinel provides a full description of the alert, events involved in the event such as entities, and a detailed timeline of the incident. Having such key information available without much digging is key to saving time during an investigation process. One challenge in setting up Azure Sentinel is managing remediations, particularly when you want to automate playbooks. The question becomes, what are the best actions to take under certain circumstances? For instance, if Azure Sentinel detects suspicious activity on a computer, do you immediately isolate that machine, or will you take granulated steps such as TCP disruption? How do you disrupt rogue IP connections without bringing down a whole system? In the case of a user, certain alerts and playbooks can completely isolate the endpoint from the world wide web until an investigation is complete. As such, false positives can be a headache until a full resolution is determined. One challenge in setting up Azure Sentinel is managing remediations, particularly when you want to automate playbooks.
  • 11.
    11 Key Points 1 2 Having onedashboard, and the eyes of your whole team on the same display at different times, is the key to a successful cyber screening program. To take full advantage of Azure Sentinel’s automation capabilities, you need to understand how best to create auto-remediations that can run without disrupting production servers or bringing down systems. For us, Azure Sentinel has been a wonderful experience. We are learning as we go while Microsoft continues to enhance the product with many partnerships in the pipeline. We will consider engaging an Managed Security Service Provider (MSSP) to help monitor our Azure Sentinel 24/7 similar to a virtual security operations center. Lawk Salih, Independent Community Bankers of America, Vice President, Technology Systems and Services
  • 12.
    12 “The machine learningand automation capabilities in Azure Sentinel are much further developed than in traditional SIEM solutions.” Azure Sentinel Provides One View of Your Entire Environment Microsoft Azure Sentinel is a security information and event management (SIEM) system for security orchestration automated response. Azure Sentinel is most useful when you have data coming in from many tools or when your environment includes more than just Microsoft technologies. It provides a central security view of computer systems, applications, cloud instances, firewalls, and other networking components. The machine learning and automation capabilities in Azure Sentinel are much further developed than in traditional SIEM solutions. It also has advantages over the Microsoft Defender Security Center dashboard, including the ability to incorporate data from many non-Microsoft technologies; develop more involved playbook automations; and run more advanced, in-depth log investigations and perform threat hunting. When an incident occurs, Azure Sentinel provides all the details you need to remediate it. You can see all the logs and alerts and follow every action related to that incident. You can also create your own process automations. For example, say that Azure Sentinel detects something and creates an incident alert. You get the IP address Maarten Leyman is a Senior Security Consultant with experience in the full Microsoft 365 security suite and Azure security. In 2013, he started his career at delaware BeLux, where he performs security assessments and conducts workshops at customer sites to identify security risks. He also helps fine-tune IT architecture and implementations to increase overall security at customer locations and mitigate possible threats. Maarten Leyman, delaware BeLux, Senior Security Consultant
  • 13.
    from that incident,log the IP address in Office 365 and block it, and then send an email to the IT department detailing the changes that were made. You can automate this whole process in Azure Sentinel. The first step is getting data into Azure Sentinel, which requires making data connections. With one click, Azure Sentinel is up and running; with a few more clicks, you can make connections to begin receiving data. Azure Sentinel has built-in data connections to Microsoft security tools and to many third-party tools. For example, Microsoft has worked with many of its partners, including Cisco, Barracuda, and Citrix, to build data connections for their products. As you configure data connections, it’s important to keep in mind that pricing is based on data consumption. As such, you can pay as you go or pay in advance for a specific amount of data. For instance, you can pay for a full 100 gigabytes of data; per gigabyte, that package costs less than paying as you go for the same amount of data. Of course, when you pay in advance, you must calculate how much data you will actually feed into Azure Sentinel so that you don’t buy more than you need. To control costs, send only necessary security data to Azure Sentinel. For example, firewalls have rules that typically include a deny rule. This deny rule catches a lot because active internet scanning produces a hit each time someone is prevented from connecting. Logging all that deny rule activity in Azure Sentinel doesn't add value, so you don’t want to pay for that. You need expertise with the tools you want to connect to Azure Sentinel. Also, tuning and maintaining Azure Sentinel automations require continuous monitoring and refinement. When done properly, though, Azure Sentinel is a powerful tool for managing detections and response. If you don’t have the necessary IT personnel to set up and tune Azure Sentinel, a managed security service provider (MSSP) can help. 13 You need expertise with the tools you want to connect to Azure Sentinel.
  • 14.
    Many MSSPs haveautomated templates that speed the process of coding everything for your environment. They can also help with detection and response activities. Azure Sentinel makes it easy to transfer all this work to a service provider if you need that support. 14 Key Points 1 2 The first step in implementation is getting data into Azure Sentinel. Azure Sentinel has built-in data connections to Microsoft’s security tools and connects to many third- party vendors, such as Cisco, Barracuda, and Citrix. Tuning and maintaining Azure Sentinel automations requires continuous monitoring and refinement, but when done properly, Azure Sentinel is a powerful tool for managing detections and response. Maarten Leyman, delaware BeLux, Senior Security Consultant
  • 15.
    15 “Think about thequickest way to get from where you are now to where you want to be using Azure Sentinel.” Before You Deploy Microsoft Azure Sentinel, Know What You Want to Accomplish When implementing Microsoft Azure Sentinel, you must • understand what you want to accomplish through Microsoft Azure Sentinel, which both monitors and orchestrates automated responses to events; • understand the IT assets in your environment, endpoints, servers, network devices, clouds, and applications. Think about how much data from your environment Azure Sentinel must consume to achieve your objectives; and • think about the quickest way to get from where you are now to where you want to be using Azure Sentinel. Azure Sentinel pulls in data from many sources, which makes it uniquely effective for managing security from a single portal—especially important as companies move more of their assets into the cloud. Azure Sentinel works with more than Microsoft products, as well. It can monitor Amazon Web Dr. Rebecca Wynn received the 2017 Cybersecurity Professional of the Year– Cybersecurity Excellence Award, was Chief Privacy Officer of SC Magazine, is a Global Privacy and Security by Design International Council member, and was 2018 Women in Technology Business Role Model of the Year. She is lauded as a “gifted polymath and game- changer who is ten steps ahead in developing and enforcing cybersecurity and privacy best practices and policies.” Rebecca Wynn, Global CISO & Chief Privacy Officer
  • 16.
    Services (AWS), GoogleCloud Platform (GCP), and other clouds with application programming interface hooks. Being able to see Azure, AWS, and GCP in one place is valuable because most corporate models today use multiple clouds. Some security information event management solutions have this capability on their technology roadmap, but Microsoft is already there. Microsoft makes it easy to deploy Azure Sentinel, too. Good documentation and many videos show you how to make data connections to devices and virtual machines and help you determine which data to ingest. Microsoft also provides Azure Blueprints, which are templated configurations for different types of environments. These blueprints simplify configuration, especially for environments that must comply with regulatory regimes such as the Health Insurance Portability and Accountability Act and Payment Card Industry. When you begin configuring Azure Sentinel, you will start seeing events and notifications quickly. The biggest challenges in deploying Azure Sentinel are making sure that Azure Sentinel ingests only the data you need to meet your security objectives and using automations effectively to make detection and response faster. Processing more data through Azure Sentinel than you actually need costs money and is counterproductive to your security strategy because oversubscribing prevents your company from using that money for more effective threat mitigation. Configuring and optimizing Azure Sentinel for your environment require analytical expertise. Whether you are working with a consultant or hiring people for your team, they must be critical thinkers and root cause analysts. Azure Sentinel 16 Processing more data through Azure Sentinel than you actually need costs money and is counterproductive to your security strategy.
  • 17.
    17 enables you tolook at the details of an event, drill into log data for that event, and be more mindful about how you analyze and respond to the events you are seeing. The tool augments your team, and it is the mindful use of that tool that enables you to work more intelligently with other teams in your organization. 17 Key Points 1 2 You must understand the IT assets in your environment, endpoints, servers, network devices, clouds, and applications. Think about how much data from your environment Azure Sentinel must consume to achieve your objectives. The biggest challenges in deploying Azure Sentinel are making sure that Azure Sentinel ingests the data you need to meet your security objectives and using automations effectively to make detection and response faster. Rebecca Wynn, Global CISO & Chief Privacy Officer
  • 18.
    18 “Implementing Azure Sentinelis straightforward, coming down to implementing your data connections and deciding how much space to allocate for data storage.” Microsoft Azure Sentinel Delivers Visibility and Insight Microsoft Azure Sentinel combines security information event management and security orchestration automated response functionality in one tool, making it much easier to have all security data and controls in one place. That consolidated platform simplifies monitoring, correlating, and automating security functions such as detections, alerting, and playbooks. Implementing Azure Sentinel is straightforward, coming down to implementing your data connections and deciding how much space to allocate for data storage. Both are important because they can have a big impact on the tool’s operational cost. Regarding data storage, Azure Sentinel defaults to holding log data for 30 days, which will be plenty for most companies. Some high-risk businesses that represent attractive targets, such as financial services firms, may want to hold data longer. The longer you store data, however, the more space it consumes, which increases costs. The amount of data Azure Sentinel consumes also comes with costs, but you can monitor and analyze a lot of data for free. For example, it costs nothing to ingest data from other Microsoft security products, such as the Microsoft 365 Defender suite (Microsoft Defender for Endpoint [formerly Michael Kavka has been an IT professional for more than 20 years. He contributes to the community, helping run the Burbsec set of infosec meetups in the Chicago area, and volunteers for Hak4Kidz, a kids-orientated STEM conference. He is currently a Security Engineer; his areas of focus include security information and event management, Microsoft security technologies, and vulnerability assessment. Michael is a CISSP and a GCIH. Michael Kavka, R.J. O’Brien, Sr. Security Engineer
  • 19.
    19 Microsoft Advanced ThreatProtection], Microsoft Cloud App Security, and others). Monitoring these tools is easy: In the Azure portal, select Azure Sentinel, select Data connections, and then turn on the data connections for those tools. If you have a largely Microsoft environment and are using these tools, turning all that data on enables Azure Sentinel to provide you with a lot of visibility into what’s happening in your environment. It takes only a few minutes to start seeing results. One of the most challenging aspects of Azure Sentinel is balancing costs against benefits. It’s easy to activate built-in connectors to other technology in your environment, such as Cisco, Citrix, and Amazon Web Services, but importing that data can incur costs depending on the amount. You can gain amazing insights from cloud data imported into Azure Sentinel, but the amounts of data can vary and be difficult to predict, especially if you are transitioning to the cloud or ramping up cloud computational activity. One month you may have two cloud servers, and then suddenly you could have five, ten, twenty, or thirty. Each is an individual cost, in addition to log transaction costs and the costs of Microsoft SQL Server instances. There are intricacies to the cost structure that can be confusing, and it can get out of hand quickly if you’re not careful. Many of these questions are ongoing as you use Azure Sentinel and modify it to keep it operating optimally for your environment. Most of your maintenance and optimization work will focus on reporting; automations for queries, alerts, and responses; and reviewing incidents. Set reporting schedules that make sense in relation to automated querying so that you don’t waste resources with unnecessary reporting. In addition, you must continually adjust these features to adapt to your changing environment and usage patterns. 19 There are intricacies to the cost structure that can be confusing, and it can get out of hand quickly if you’re not careful.
  • 20.
    20 For some companies,it makes a lot of sense to work with a managed security service provider (MSSP) or consultant to hammer out these details. The choice depends on your staffing, budget, and environment size. If you have a solid team but don’t have a security operations center (SOC), or you have a SOC that would be overwhelmed with a one- or two-person team, then using an MSSP to augment your staff can be fantastic. If you're a small business without a security department, a service provider can be invaluable. Like everything else, you must balance the costs against the services and benefits you receive. 20 Key Points 1 2 Azure Sentinel can monitor and analyze a lot of data for free. For example, it costs nothing to ingest data from Microsoft security products such as those in the Microsoft 365 Defender suite. You can gain amazing insights from cloud data imported into Azure Sentinel, but the amounts of data can vary and be difficult to predict, especially if you are transitioning to the cloud or ramping up cloud computational activity. Michael Kavka, R.J. O’Brien, Sr. Security Engineer
  • 21.
    21 21 “Azure Sentinel automaticallyperforms the analytical work on alerts and provides a clear, straightforward presentation of the incident history and event relationships.” Microsoft Azure Sentinel Is a Different Kind of SIEM System The most important part of implementing Microsoft Azure Sentinel is knowing your objectives because Azure Sentinel differs from traditional security information event management (SIEM) tools in two key ways: • Sentinel is smart. Many companies that use SIEM tools know their traditional role as security data aggregators. The SIEM system collects raw logs and provides the data to analysts in the security operations center, who look at that data and use other analytical tools to determine its meaning. Azure Sentinel automatically performs the analytical work on alerts and provides a clear, straightforward presentation of the incident history and event relationships. It does a lot of the analytical work for analysts. An analyst can choose an incident off the Azure Sentinel incident list and within seconds have a complete view of what happened. • Azure Sentinel also provides security orchestration and automated response. These features enable you to build automated playbooks into your Azure Sentinel implementation. Azure Sentinel has no preconfigured playbooks. Instead, you use the tool’s analytical rules, triggers, and logic Rajesh Kumawat has four years of experience working as an Information Security Analyst. He completed his Engineering in E&TC studies from Pune. Rajesh is passionate about infosec and its domains like cyber forensics, cloud security, incident management, and IT compliance. He likes to engage in freelancing projects and do bug bounty hunting in his spare time, which mostly focuses on web application security. Rajesh Kumawat, Mastercard, Information Security Analyst
  • 22.
    22 apps to createyour own playbooks based on your requirements. You can then run these playbooks manually or automatically. Playbooks make Azure Sentinel a powerful security automation tool. These capabilities make Azure Sentinel a different kind of SIEM system, and to get the most out of it, you need to know what you want it to do for you. One other aspect of Azure Sentinel that can affect how you implement it is continuous synchronization with Microsoft Defender for Endpoint (formerly Microsoft Advanced Threat Protection). Continuous synchronization means that you can set up Microsoft Defender for Endpoint so that if it assigns an incident, the same incident is assigned in Azure Sentinel. Then, after you resolve the incident and close the incident in Microsoft Defender for Endpoint, it also closes in Azure Sentinel— something not possible with any other SIEM system. When implementing Azure Sentinel, pay attention to the data connections you create to make sure that you are collecting the right data and not too much data. In some cases, such as for on-premises servers, you will need to install an agent that connects to Azure Sentinel, which is cloud based. In addition, spend time working on the analytics rules. Microsoft includes default rules, but you should edit and test them to make sure that they meet your requirements. Azure Sentinel also has allow list capabilities that permit actions that may otherwise trigger an alert. To make your Azure Sentinel implementation more capable and more powerful, you must engineer every alert; then, with time, the rules you use will become more effective. 22 Playbooks make Azure Sentinel a powerful security automation tool.
  • 23.
    23 The best wayto keep Azure Sentinel in optimum condition to defend your network is continuous monitoring of incidents. If the tool’s ability to catch incidents provides value, then it’s a good tool. But if it’s producing a lot of false positives, you have to work on editing the rules. Maintaining Azure Sentinel involves continuously tuning the rules, saving them, watching how they perform, and learning how to make them deliver better results. 23 Rajesh Kumawat, Mastercard, Information Security Analyst Key Points 1 2 Use Azure Sentinel analytical rules, triggers, and logic apps to create your own playbooks based on your requirements. You can then run these playbooks manually or automatically. To keep Azure Sentinel in optimum condition to defend your network, continuously monitor for incidents. If the tool’s ability to catch incidents provides value, then it’s a good tool. But if it's producing a lot of false positives, you have to work on editing the rules.
  • 24.
    24 24 “The most challengingaspect of Azure Sentinel deployment is deciding what you need the system to tell you, and then configuring data collection and analytics so that you can extract that information.” You Must Understand What You Want to Extract from Azure Sentinel Effective security monitoring and analysis require a security information event management solution such as Microsoft Azure Sentinel, but that tool must be configured properly. You can configure data collection and analysis for Azure Sentinel in many ways. Which way you choose depends on your security needs and what is in your environment. A configuration management tool such as Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager) is essential for deploying Azure Sentinel. Before you can deploy Azure Sentinel, you must install the correct monitoring agents on the servers in your environment, whether on-premises servers or virtual servers deployed in the cloud. Microsoft provides monitoring agents for Windows and Linux operating systems, and agents are available that work in Azure, Amazon Web Services, and other providers’ clouds. Microsoft monitoring agents are mandatory for getting log data into the Azure Sentinel analytics workspace. The most challenging aspect of Azure Sentinel deployment is deciding what you need the system to tell you, and then configuring data collection and analytics Sharjeel Qayyum Khan has ten years of experience in IT. His focus is on enhancing business alignment and growth by deploying stable cloud environments and adopting best practices for security. Sharjeel regulates security operations and technologies, including end security, security information event management, incident response, and NIST compliance reporting. His areas of expertise include cybersecurity, system architecture design, vulnerability evaluation, risk management, and configuration management. Sharjeel Qayyum Khan, edotco Group, IT Security Operation Lead
  • 25.
    25 so that youcan extract that information. Azure Sentinel enables you to integrate all your data monitoring into one tool in the Azure portal. That can speed up mean time to detection and mean time to response, but you need to know what you are looking for. This determines which data you will collect, which analytical rules you will use, and which automations you will configure. When deciding on data collection, eliminate noise that does not contribute to the information you are trying to extract from the system. Use data connectors to pull in the important data, and enable rules for analysis and behavior tracking. Collecting too much data increases the operational cost of using Azure Sentinel. Microsoft makes it easy to implement data connectors for its own products and for many third-party tools. For example, data collectors are available for Cisco networking solutions that can also monitor virtual routing and forwarding. Azure Sentinel has a list of preconfigured data collectors; you just select the ones you want to use. Properly configuring Azure Sentinel for your environment enables broad visualization. If an attacker is trying to access your environment, you can see who the attacker is, which virtual machines they have run, and the data the attacker is trying to exfiltrate. Azure Sentinel shows you who has been compromised and what the impact of that compromise might be. 25 It’s important to recognize that Azure Sentinel requires ongoing monitoring and adjustment to changes in your environment.
  • 26.
    26 It’s important torecognize that Azure Sentinel requires ongoing monitoring and adjustment to changes in your environment. It is not a tool that you can configure once and then leave alone. You must check analytical rules, detections, and your automations because technology in your environment changes every day, and the tool itself is evolving. Microsoft has built 200 preconfigured detections for Azure Sentinel, but it regularly updates them. Continuously check the detections you use to see if new ones can improve your security operations. 26 26 Key Points 1 2 Azure Sentinel enables you to integrate all your data monitoring into one tool in the Azure portal. That can speed up mean time to detection and mean time to response, but you need to know what you are looking for. With Azure Sentinel, you can collect and analyze data in ways that meet your security needs and fit your environment. A configuration management tool such as Microsoft Endpoint Configuration Manager is essential for deploying Azure Sentinel. Sharjeel Qayyum Khan, edotco Group, IT Security Operation Lead