FOREWORD
New approaches to cybersecurity are needed more than ever!
The pandemic has led to exponential growth in remote employees, expanding the attack surface for companies
big and small. Security teams struggle to cobble together solutions consisting of technologies from multiple
vendors, many of which were only designed to operate in legacy environments. Integration complexities, a lack
of security resources, and unrelenting attacks from cyber criminals have made securing the organization a
seemingly unattainable goal.
So what is the solution to eliminating this pain while also providing the security your company needs in a
cloud-first world? We believe a cloud-native, fully integrated security solution is what makes the most sense. To
bring our vision to life, we partnered with Microsoft to build consulting, implementation, and managed security
services around their SIEM and XDR tools that deliver the outcomes needed by companies operating in today’s
dangerous, highly interconnected world.
This Mighty Guide, one of three in a series, was written to help you better understand how specific Microsoft
security tools are being used by companies today and help you benefit from the lessons they have learned.
Enjoy the book!
Milan Patel
Global Head of Managed Security Services
BlueVoyant
BlueVoyant is an expert-driven cybersecurity services company whose mission is to proactively defend organizations of all sizes against today’s constant, sophisticated attackers and advanced threats. Led by CEO Jim Rosenthal, BlueVoyant’s highly skilled team includes former government cyber officials with extensive frontline experience in responding to advanced cyber threats on behalf of the National Security Agency, Federal Bureau of Investigation, Unit 8200, and GCHQ, together with private sector experts. BlueVoyant services utilize large real-time datasets with industry-leading analytics and technologies.
Founded in 2017 by Fortune 500 executives and former Government cyber officials and headquartered in New York City, BlueVoyant has offices in Maryland, Tel Aviv, San Francisco, London, and Latin America.
MEET OUR EXPERTS
SHARJEEL QAYYUM KHAN, edotco Group, IT Security Operation Lead, pg. 24
RAJESH KUMAWAT, Mastercard, Information Security Analyst, pg. 21
MAARTEN LEYMAN, delaware BeLux, Senior Security Consultant, pg. 12
LAWK SALIH, Independent Community Bankers of America, Vice President, Technology Systems and Services, pg. 9
REBECCA WYNN, Global CISO & Chief Privacy Officer, pg. 15
MICHAEL KAVKA, R.J. O’Brien, Sr. Security Engineer, pg. 18
OSCAR MONGE, Rabobank, Security Solutions Architect, pg. 6
“For new users, the biggest challenge will be learning
how best to use the technology and data connections
to produce the security protection they need.”
Microsoft Azure Sentinel Provides Total Integration of
Detection and Response
Microsoft Azure Sentinel is a security information event management
solution hosted in the Azure public cloud. It integrates with Microsoft’s
portfolio of security products, which enables you to send security data into a
common Azure Sentinel workspace, essentially a big bucket of information.
There, you can tell Azure Sentinel how to query the data, apply analytical
rules to it, and trigger alerts and other actions.
With Azure Sentinel, you can correlate data, create thresholds, create alarms,
and integrate the tool with a ticketing system. In that way, if Azure Sentinel
identifies an incident, it can immediately turn it into a ticket that goes to
the first-line security operations center (SOC) so that the analysts can
investigate and respond. You can also orchestrate and automate responses
to alerts and automate playbooks.
Azure Sentinel is native to the Microsoft security ecosystem, but it also
integrates with Amazon Web Services (AWS). For example, application
programming interfaces enable you to configure Azure Sentinel to consume
AWS CloudTrail and Amazon GuardDuty logs. Microsoft is adding integrations
with other cloud providers as well.

Oscar Monge is a seasoned information security professional with more than seventeen years of experience. He is a Security Solutions Architect at Rabobank, where he helps shape security monitoring direction and technology integration. Oscar is passionate about technology and its alignment to IT business needs.
Oscar Monge, Rabobank, Security Solutions Architect

For new users, the biggest challenge will be learning how best to use the
technology and data connections to produce the security protection they need.
Azure Sentinel is artificial intelligence driven, so it is always in learning mode and
monitoring activity to identify trends and look for deviations from those trends.
It’s important to collect the data you need to provide the level of monitoring,
alerting, and orchestration your organization requires. Azure Sentinel is easy to
enable, but choosing the right data requires careful thought because the tool’s
costs are tied to the amount of data it consumes. Choosing the right data is a
continuous process.
In addition to selecting the right data sources and types, you must learn how to
apply analytics rules to the data. Azure Sentinel has many built-in rules that are
easy to use, but you may need to adjust them so that they work more effectively
in your environment. You will also likely want to create custom queries that
are more specific to your monitoring environment. In addition to querying and
analyzing data, Azure Sentinel can automate many detection and response
functions. To get the most out of this capability, you need an understanding
of Azure Logic Apps, which helps with application and data integrations, and
workflow scheduling. Azure Logic Apps is useful for scaling Azure Sentinel in
your environment and creating the more complex automations that make up
playbooks.
Azure Sentinel is only as good as the data it consumes, but you have to pay for
that data. To get the most value from the product, avoid sending it unimportant
activity data while providing the data that is important for detecting potentially
threatening activity so that Azure Sentinel can detect and act on those data
patterns. Choosing the right data is a continuous effort because organizations
and IT groups are always changing. When refining the data Azure Sentinel
collects, always be looking at recognized information sources within the network
environment as well as potentially new sources of valuable security data.
Key Points
1. Azure Sentinel enables you to correlate data, create thresholds, create alarms, orchestrate and automate responses to alerts, and automate playbooks. You can also integrate the tool with a ticketing system.
2. Choosing the right data is important because Azure Sentinel costs are based on the data it consumes. A knowledgeable security consultant can help you optimize data sources and types for peak security performance while managing data-ingestion costs.
Oscar Monge, Rabobank,
Security Solutions Architect
“Azure Sentinel correlates data from all those logs and
presents events in real time in a single pane of glass.”
Many Eyes Reviewing Security Logs Generates a Big
Advantage
A couple of years ago, we made the decision to move to the Microsoft Azure
cloud. It was a strategic initiative to move all of our premise servers to the cloud.
This was a strategic initiative to adopt the cloud for hosting of applications, data
warehouse, and key infrastructure components.
This move has made it easier to standardize on Microsoft’s security tools to
monitor, protect, and alert on cyberthreats. One of the key services we use
within the Microsoft Azure stack is Azure Sentinel. Sentinel has enabled us to
consolidate most of our security logs in one single Security Information and
Event Management (SIEM) to ingest logs from multiple security controls such
as firewall, endpoint protection, collaboration suites, active directories, DNS
traffic, DDoS protection, and others.
We began feeding Azure Sentinel log data from virtual machines; Microsoft 365
Defender (formerly Microsoft Threat Protection); Microsoft Cloud App Security;
and Microsoft 365, including OneDrive, Exchange Online, Microsoft SharePoint,
and Microsoft Teams. We are monitoring all those tools in Azure Sentinel
through data connections available from the Sentinel dashboard. In addition
to an extensive list of connections to Microsoft technologies, Azure Sentinel has
connections to many non-Microsoft vendors, such as Cisco, Check Point, Barracuda,
Citrix, and Amazon Web Services. These connections would be beneficial to anyone
with a more complex or multi-cloud infrastructure.

Lawk Salih is Vice President of Technology Systems and Services for Independent Community Bankers of America (ICBA). In his role, Lawk leads cloud migration efforts, the cybersecurity program, infrastructure, and customer service support in alignment with the ICBA’s strategic goals. He has more than twenty years of experience in IT, including fifteen years with nonprofit organizations and trade associations.
Lawk Salih, Independent Community Bankers of America, Vice President, Technology Systems and Services

To keep cost at a minimum while protecting the environment, it’s important to
recognize that ingesting logs can become costly. At the moment, we are on pay-as-
you-go as we assess the needs of our security operations. As we mature, we will
consider purchasing resources on a retention basis to save costs in the long run.
Azure Sentinel provides great visibility. It consolidates and correlates everything
into one display, which is a huge advantage. Having one dashboard, and the eyes of
your whole team on the same display at different times, is the key to a successful
cybersecurity program. Azure Sentinel correlates data from all those logs and
presents events in real time in a single pane of glass. When an alert comes in, Azure
Sentinel provides a full description of the alert, events involved in the event such as
entities, and a detailed timeline of the incident. Having such key information available
without much digging is key to saving time during an investigation process.
One challenge in setting up Azure Sentinel is managing remediations, particularly
when you want to automate playbooks. The question becomes, what are the best
actions to take under certain circumstances? For instance, if Azure Sentinel detects
suspicious activity on a computer, do you immediately isolate that machine, or will
you take granulated steps such as TCP disruption? How do you disrupt rogue IP
connections without bringing down a whole system? In the case of a user, certain
alerts and playbooks can completely isolate the endpoint from the world wide web
until an investigation is complete. As such, false positives can be a headache until a
full resolution is determined.
Key Points
1. Having one dashboard, and the eyes of your whole team on the same display at different times, is the key to a successful cybersecurity program.
2. To take full advantage of Azure Sentinel’s automation capabilities, you need to understand how best to create auto-remediations that can run without disrupting production servers or bringing down systems.
For us, Azure Sentinel has been a wonderful experience. We are learning as we go
while Microsoft continues to enhance the product with many partnerships in the
pipeline. We will consider engaging a Managed Security Service Provider (MSSP)
to help monitor our Azure Sentinel 24/7, similar to a virtual security operations
center.
Lawk Salih, Independent Community
Bankers of America, Vice President,
Technology Systems and Services
“The machine learning and automation capabilities
in Azure Sentinel are much further developed than in
traditional SIEM solutions.”
Azure Sentinel Provides One View of Your Entire
Environment
Microsoft Azure Sentinel is a security information and event management
(SIEM) system for security orchestration automated response. Azure Sentinel
is most useful when you have data coming in from many tools or when your
environment includes more than just Microsoft technologies. It provides a
central security view of computer systems, applications, cloud instances,
firewalls, and other networking components.
The machine learning and automation capabilities in Azure Sentinel are much
further developed than in traditional SIEM solutions. It also has advantages
over the Microsoft Defender Security Center dashboard, including the ability to
incorporate data from many non-Microsoft technologies; develop more involved
playbook automations; and run more advanced, in-depth log investigations and
perform threat hunting. When an incident occurs, Azure Sentinel provides all the
details you need to remediate it. You can see all the logs and alerts and follow
every action related to that incident.
You can also create your own process automations. For example, say that Azure
Sentinel detects something and creates an incident alert. You get the IP address
from that incident, log the IP address in Office 365 and block it, and then send an
email to the IT department detailing the changes that were made. You can automate
this whole process in Azure Sentinel.

Maarten Leyman is a Senior Security Consultant with experience in the full Microsoft 365 security suite and Azure security. In 2013, he started his career at delaware BeLux, where he performs security assessments and conducts workshops at customer sites to identify security risks. He also helps fine-tune IT architecture and implementations to increase overall security at customer locations and mitigate possible threats.
Maarten Leyman, delaware BeLux, Senior Security Consultant

The first step is getting data into Azure Sentinel, which requires making data
connections. With one click, Azure Sentinel is up and running; with a few more clicks,
you can make connections to begin receiving data. Azure Sentinel has built-in data
connections to Microsoft security tools and to many third-party tools. For example,
Microsoft has worked with many of its partners, including Cisco, Barracuda, and
Citrix, to build data connections for their products.
As you configure data connections, it’s important to keep in mind that pricing is
based on data consumption. As such, you can pay as you go or pay in advance for
a specific amount of data. For instance, you can pay for a full 100 gigabytes of data;
per gigabyte, that package costs less than paying as you go for the same amount of
data. Of course, when you pay in advance, you must calculate how much data you
will actually feed into Azure Sentinel so that you don’t buy more than you need.
To control costs, send only necessary security data to Azure Sentinel. For example,
firewalls have rules that typically include a deny rule. This deny rule catches a lot
because active internet scanning produces a hit each time someone is prevented
from connecting. Logging all that deny rule activity in Azure Sentinel doesn't add
value, so you don’t want to pay for that.
You need expertise with the tools you want to connect to Azure Sentinel. Also,
tuning and maintaining Azure Sentinel automations require continuous monitoring
and refinement. When done properly, though, Azure Sentinel is a powerful tool for
managing detections and response. If you don’t have the necessary IT personnel to
set up and tune Azure Sentinel, a managed security service provider (MSSP) can help.
Many MSSPs have automated templates that speed the process of coding everything
for your environment. They can also help with detection and response activities.
Azure Sentinel makes it easy to transfer all this work to a service provider if you need
that support.
Key Points
1. The first step in implementation is getting data into Azure Sentinel. Azure Sentinel has built-in data connections to Microsoft’s security tools and connects to many third-party vendors, such as Cisco, Barracuda, and Citrix.
2. Tuning and maintaining Azure Sentinel automations requires continuous monitoring and refinement, but when done properly, Azure Sentinel is a powerful tool for managing detections and response.
Maarten Leyman, delaware BeLux,
Senior Security Consultant
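As an added illustration, not part of this guide and not Microsoft's or delaware BeLux's material: two Kusto queries a practitioner could run in the Azure Sentinel Logs blade before deciding which data to stop sending, the first showing which tables drive billable ingestion and the second showing how much of a CEF firewall feed is the routine deny traffic the chapter describes. The Usage and CommonSecurityLog tables and their columns are the standard Log Analytics schemas; the "deny"/"drop" action strings are an assumption, since the value a firewall writes into DeviceAction varies by vendor.

```kql
// Query 1: which data types drove billable ingestion over the last 30 days.
// Usage is the standard Log Analytics metering table; Quantity is reported in MB.
// IsBillable == false covers the Microsoft-sourced data that the guide says is free to ingest.
let window = 30d;
let totalMB = toscalar(
    Usage
    | where TimeGenerated > ago(window)
    | where IsBillable == true
    | summarize sum(Quantity));
Usage
| where TimeGenerated > ago(window)
| where IsBillable == true
| summarize IngestedMB = sum(Quantity) by DataType
| extend ShareOfTotalPct = round(100.0 * IngestedMB / totalMB, 1)
| order by IngestedMB desc

// Query 2 (run separately): how much of the CEF firewall feed is routine
// deny/drop traffic that adds volume but little detection value.
// The "deny" and "drop" action strings are an assumption; vendors differ.
CommonSecurityLog
| where TimeGenerated > ago(7d)
| extend Outcome = iff(DeviceAction =~ "deny" or DeviceAction =~ "drop", "deny/drop", "other")
| summarize Events = count() by DeviceVendor, DeviceProduct, Outcome
| order by DeviceVendor asc, Events desc
```

A large deny/drop share for one product is the signal to filter that traffic at the source or collector rather than pay to store it, while keeping the allow and anomalous events the analytics rules actually need.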
“Think about the quickest way to get from where you
are now to where you want to be using Azure Sentinel.”
Before You Deploy Microsoft Azure Sentinel, Know
What You Want to Accomplish
When implementing Microsoft Azure Sentinel, you must
• understand what you want to accomplish through Microsoft Azure
Sentinel, which both monitors and orchestrates automated responses to
events;
• understand the IT assets in your environment, endpoints, servers,
network devices, clouds, and applications. Think about how much data
from your environment Azure Sentinel must consume to achieve your
objectives; and
• think about the quickest way to get from where you are now to where you
want to be using Azure Sentinel.
Azure Sentinel pulls in data from many sources, which makes it uniquely
effective for managing security from a single portal—especially important as
companies move more of their assets into the cloud. Azure Sentinel works
with more than Microsoft products, as well. It can monitor Amazon Web
Services (AWS), Google Cloud Platform (GCP), and other clouds with application
programming interface hooks. Being able to see Azure, AWS, and GCP in one
place is valuable because most corporate models today use multiple clouds.
Some security information event management solutions have this capability on
their technology roadmap, but Microsoft is already there.

Dr. Rebecca Wynn received the 2017 Cybersecurity Professional of the Year–Cybersecurity Excellence Award, was Chief Privacy Officer of SC Magazine, is a Global Privacy and Security by Design International Council member, and was 2018 Women in Technology Business Role Model of the Year. She is lauded as a “gifted polymath and game-changer who is ten steps ahead in developing and enforcing cybersecurity and privacy best practices and policies.”
Rebecca Wynn, Global CISO & Chief Privacy Officer

Microsoft makes it easy to deploy Azure Sentinel, too. Good documentation
and many videos show you how to make data connections to devices and
virtual machines and help you determine which data to ingest. Microsoft also
provides Azure Blueprints, which are templated configurations for different
types of environments. These blueprints simplify configuration, especially for
environments that must comply with regulatory regimes such as the Health
Insurance Portability and Accountability Act and Payment Card Industry.
When you begin configuring Azure Sentinel, you will start seeing events and
notifications quickly.
The biggest challenges in deploying Azure Sentinel are making sure that Azure
Sentinel ingests only the data you need to meet your security objectives and
using automations effectively to make detection and response faster. Processing
more data through Azure Sentinel than you actually need costs money and is
counterproductive to your security strategy because oversubscribing prevents
your company from using that money for more effective threat mitigation.
Configuring and optimizing Azure Sentinel for your environment require analytical
expertise. Whether you are working with a consultant or hiring people for your
team, they must be critical thinkers and root cause analysts. Azure Sentinel
enables you to look at the details of an event, drill into log data for that event,
and be more mindful about how you analyze and respond to the events you are
seeing. The tool augments your team, and it is the mindful use of that tool that
enables you to work more intelligently with other teams in your organization.
Key Points
1. You must understand the IT assets in your environment, endpoints, servers, network devices, clouds, and applications. Think about how much data from your environment Azure Sentinel must consume to achieve your objectives.
2. The biggest challenges in deploying Azure Sentinel are making sure that Azure Sentinel ingests the data you need to meet your security objectives and using automations effectively to make detection and response faster.
Rebecca Wynn,
Global CISO & Chief Privacy Officer
“Implementing Azure Sentinel is straightforward,
coming down to implementing your data connections
and deciding how much space to allocate for data
storage.”
Microsoft Azure Sentinel Delivers Visibility and Insight
Microsoft Azure Sentinel combines security information event management
and security orchestration automated response functionality in one
tool, making it much easier to have all security data and controls in one
place. That consolidated platform simplifies monitoring, correlating, and
automating security functions such as detections, alerting, and playbooks.
Implementing Azure Sentinel is straightforward, coming down to
implementing your data connections and deciding how much space to
allocate for data storage. Both are important because they can have a big
impact on the tool’s operational cost. Regarding data storage, Azure Sentinel
defaults to holding log data for 30 days, which will be plenty for most
companies. Some high-risk businesses that represent attractive targets,
such as financial services firms, may want to hold data longer. The longer
you store data, however, the more space it consumes, which increases
costs.
The amount of data Azure Sentinel consumes also comes with costs, but
you can monitor and analyze a lot of data for free. For example, it costs
nothing to ingest data from other Microsoft security products, such as the
Microsoft 365 Defender suite (Microsoft Defender for Endpoint [formerly
Microsoft Advanced Threat Protection], Microsoft Cloud App Security, and
others). Monitoring these tools is easy: In the Azure portal, select Azure Sentinel,
select Data connections, and then turn on the data connections for those tools.
If you have a largely Microsoft environment and are using these tools, turning
all that data on enables Azure Sentinel to provide you with a lot of visibility into
what’s happening in your environment. It takes only a few minutes to start seeing
results.

Michael Kavka has been an IT professional for more than 20 years. He contributes to the community, helping run the Burbsec set of infosec meetups in the Chicago area, and volunteers for Hak4Kidz, a kids-orientated STEM conference. He is currently a Security Engineer; his areas of focus include security information and event management, Microsoft security technologies, and vulnerability assessment. Michael is a CISSP and a GCIH.
Michael Kavka, R.J. O’Brien, Sr. Security Engineer

One of the most challenging aspects of Azure Sentinel is balancing costs against
benefits. It’s easy to activate built-in connectors to other technology in your
environment, such as Cisco, Citrix, and Amazon Web Services, but importing that
data can incur costs depending on the amount. You can gain amazing insights
from cloud data imported into Azure Sentinel, but the amounts of data can
vary and be difficult to predict, especially if you are transitioning to the cloud or
ramping up cloud computational activity. One month you may have two cloud
servers, and then suddenly you could have five, ten, twenty, or thirty. Each is an
individual cost, in addition to log transaction costs and the costs of Microsoft
SQL Server instances. There are intricacies to the cost structure that can be
confusing, and it can get out of hand quickly if you’re not careful.
Many of these questions are ongoing as you use Azure Sentinel and modify it
to keep it operating optimally for your environment. Most of your maintenance
and optimization work will focus on reporting; automations for queries, alerts,
and responses; and reviewing incidents. Set reporting schedules that make
sense in relation to automated querying so that you don’t waste resources with
unnecessary reporting. In addition, you must continually adjust these features to
adapt to your changing environment and usage patterns.
For some companies, it makes a lot of sense to work with a managed security
service provider (MSSP) or consultant to hammer out these details. The choice
depends on your staffing, budget, and environment size. If you have a solid
team but don’t have a security operations center (SOC), or you have a SOC that
would be overwhelmed with a one- or two-person team, then using an MSSP to
augment your staff can be fantastic. If you're a small business without a security
department, a service provider can be invaluable. Like everything else, you must
balance the costs against the services and benefits you receive.
Key Points
1. Azure Sentinel can monitor and analyze a lot of data for free. For example, it costs nothing to ingest data from Microsoft security products such as those in the Microsoft 365 Defender suite.
2. You can gain amazing insights from cloud data imported into Azure Sentinel, but the amounts of data can vary and be difficult to predict, especially if you are transitioning to the cloud or ramping up cloud computational activity.
Michael Kavka, R.J. O’Brien,
Sr. Security Engineer
“Azure Sentinel automatically performs the analytical
work on alerts and provides a clear, straightforward
presentation of the incident history and event
relationships.”
Microsoft Azure Sentinel Is a Different Kind of SIEM
System
The most important part of implementing Microsoft Azure Sentinel is knowing
your objectives because Azure Sentinel differs from traditional security
information event management (SIEM) tools in two key ways:
• Sentinel is smart. Many companies that use SIEM tools know their
traditional role as security data aggregators. The SIEM system collects
raw logs and provides the data to analysts in the security operations
center, who look at that data and use other analytical tools to determine
its meaning. Azure Sentinel automatically performs the analytical work on
alerts and provides a clear, straightforward presentation of the incident
history and event relationships. It does a lot of the analytical work for
analysts. An analyst can choose an incident off the Azure Sentinel incident
list and within seconds have a complete view of what happened.
• Azure Sentinel also provides security orchestration and automated
response. These features enable you to build automated playbooks into
your Azure Sentinel implementation. Azure Sentinel has no preconfigured
playbooks. Instead, you use the tool’s analytical rules, triggers, and logic
apps to create your own playbooks based on your requirements. You can then
run these playbooks manually or automatically. Playbooks make Azure Sentinel
a powerful security automation tool.

Rajesh Kumawat has four years of experience working as an Information Security Analyst. He completed his Engineering in E&TC studies from Pune. Rajesh is passionate about infosec and its domains like cyber forensics, cloud security, incident management, and IT compliance. He likes to engage in freelancing projects and do bug bounty hunting in his spare time, which mostly focuses on web application security.
Rajesh Kumawat, Mastercard, Information Security Analyst

These capabilities make Azure Sentinel a different kind of SIEM system, and to
get the most out of it, you need to know what you want it to do for you. One other
aspect of Azure Sentinel that can affect how you implement it is continuous
synchronization with Microsoft Defender for Endpoint (formerly Microsoft
Advanced Threat Protection). Continuous synchronization means that you can
set up Microsoft Defender for Endpoint so that if it assigns an incident, the same
incident is assigned in Azure Sentinel. Then, after you resolve the incident and close
the incident in Microsoft Defender for Endpoint, it also closes in Azure Sentinel—
something not possible with any other SIEM system.
When implementing Azure Sentinel, pay attention to the data connections you
create to make sure that you are collecting the right data and not too much data. In
some cases, such as for on-premises servers, you will need to install an agent that
connects to Azure Sentinel, which is cloud based.
In addition, spend time working on the analytics rules. Microsoft includes default
rules, but you should edit and test them to make sure that they meet your
requirements. Azure Sentinel also has allow list capabilities that permit actions that
may otherwise trigger an alert. To make your Azure Sentinel implementation more
capable and more powerful, you must engineer every alert; then, with time, the rules
you use will become more effective.
The best way to keep Azure Sentinel in optimum condition to defend your network
is continuous monitoring of incidents. If the tool’s ability to catch incidents provides
value, then it’s a good tool. But if it’s producing a lot of false positives, you have to
work on editing the rules. Maintaining Azure Sentinel involves continuously tuning
the rules, saving them, watching how they perform, and learning how to make them
deliver better results.
Key Points
1. Use Azure Sentinel analytical rules, triggers, and logic apps to create your own playbooks based on your requirements. You can then run these playbooks manually or automatically.
2. To keep Azure Sentinel in optimum condition to defend your network, continuously monitor for incidents. If the tool’s ability to catch incidents provides value, then it’s a good tool. But if it's producing a lot of false positives, you have to work on editing the rules.
Rajesh Kumawat, Mastercard, Information Security Analyst
“The most challenging aspect of Azure Sentinel
deployment is deciding what you need the system to tell
you, and then configuring data collection and analytics
so that you can extract that information.”
You Must Understand What You Want to Extract from Azure
Sentinel
Effective security monitoring and analysis require a security information event
management solution such as Microsoft Azure Sentinel, but that tool must be
configured properly. You can configure data collection and analysis for Azure
Sentinel in many ways. Which way you choose depends on your security needs and
what is in your environment. A configuration management tool such as Microsoft
Endpoint Configuration Manager (formerly System Center Configuration Manager)
is essential for deploying Azure Sentinel.
Before you can deploy Azure Sentinel, you must install the correct monitoring
agents on the servers in your environment, whether on-premises servers or virtual
servers deployed in the cloud. Microsoft provides monitoring agents for Windows
and Linux operating systems, and agents are available that work in Azure, Amazon
Web Services, and other providers’ clouds. Microsoft monitoring agents are
mandatory for getting log data into the Azure Sentinel analytics workspace.
The most challenging aspect of Azure Sentinel deployment is deciding what you
need the system to tell you, and then configuring data collection and analytics
so that you can extract that information. Azure Sentinel enables you to integrate all
your data monitoring into one tool in the Azure portal. That can speed up mean time to
detection and mean time to response, but you need to know what you are looking for.
This determines which data you will collect, which analytical rules you will use, and which
automations you will configure.

Sharjeel Qayyum Khan has ten years of experience in IT. His focus is on enhancing business alignment and growth by deploying stable cloud environments and adopting best practices for security. Sharjeel regulates security operations and technologies, including end security, security information event management, incident response, and NIST compliance reporting. His areas of expertise include cybersecurity, system architecture design, vulnerability evaluation, risk management, and configuration management.
Sharjeel Qayyum Khan, edotco Group, IT Security Operation Lead

When deciding on data collection, eliminate noise that does not contribute to the
information you are trying to extract from the system. Use data connectors to pull in
the important data, and enable rules for analysis and behavior tracking. Collecting too
much data increases the operational cost of using Azure Sentinel. Microsoft makes it
easy to implement data connectors for its own products and for many third-party tools.
For example, data collectors are available for Cisco networking solutions that can also
monitor virtual routing and forwarding. Azure Sentinel has a list of preconfigured data
collectors; you just select the ones you want to use.
Properly configuring Azure Sentinel for your environment enables broad visualization.
If an attacker is trying to access your environment, you can see who the attacker is,
which virtual machines they have run, and the data the attacker is trying to exfiltrate.
Azure Sentinel shows you who has been compromised and what the impact of that
compromise might be.
It’s important to recognize that Azure Sentinel requires ongoing monitoring and
adjustment to changes in your environment. It is not a tool that you can configure once
and then leave alone. You must check analytical rules, detections, and your automations
because technology in your environment changes every day, and the tool itself is
evolving. Microsoft has built 200 preconfigured detections for Azure Sentinel, but it
regularly updates them. Continuously check the detections you use to see if new ones
can improve your security operations.
Key Points
1. Azure Sentinel enables you to integrate all your data monitoring into one tool in the Azure portal. That can speed up mean time to detection and mean time to response, but you need to know what you are looking for.
2. With Azure Sentinel, you can collect and analyze data in ways that meet your security needs and fit your environment. A configuration management tool such as Microsoft Endpoint Configuration Manager is essential for deploying Azure Sentinel.
Sharjeel Qayyum Khan, edotco Group,
IT Security Operation Lead