Modernize your security operations with Azure Sentinel
Eng Soon Cheah, Microsoft MVP
©Microsoft Corporation

Security Operations Challenges
Expanding digital estate

Security operations challenges
• Too many disconnected products
• 76% report increasing security data*
• 3.5M unfilled security jobs in 2021
• Lack of automation
• 44% of alerts are never investigated
• IT deployment & maintenance
• Sophistication of threats

Cloud + Artificial Intelligence
Security Operations Team

Introducing Azure Sentinel
Cloud-native SIEM for intelligent security analytics for your entire enterprise
• Uses AI and automation to improve effectiveness
• Scales to support your growing digital estate
• Delivers instant value to your defenders

End-to-end solution for security operations
• Collect, Detect, Investigate, Respond
• Visibility, Analytics, Hunting, Incidents, Automation
• Powered by community + backed by Microsoft’s security experts

Visibility
Collect security data at cloud scale from any source

Get interactive dashboards for powerful insights
• Choose from a gallery of workbooks
• Customize or create your own workbooks using queries
• Take advantage of rich visualization options
• Gain insight into one or more data sources

Analytics
Leverage analytics to detect threats
• Choose from more than 100 built-in analytics rules
• Customize and create your own rules using KQL queries
• Correlate events with your threat intelligence and now with Microsoft URL intelligence + network data
• Trigger automated playbooks

Tap into the power of ML, increase your catch rate without increasing noise
• Use built-in models – no ML experience required
• Detects anomalies using transferred learning
• Fuses data sources to detect threats that span the kill chain
• Simply connect your data and learning begins
• Bring your own ML models (coming soon)

Hunting
Start hunting over security data with fast, flexible queries
• Run built-in threat hunting queries - no prior query experience required
• Customize and create your own hunting queries using KQL
• Integrate hunting and investigations

Use bookmarks and live stream to manage your hunts
• Bookmark notable data
• Start an investigation from a bookmark or add to an existing incident
• Monitor a live stream of new threat related activity

Use Jupyter notebooks for advanced hunting
• Run in the Azure cloud
• Save as sharable HTML/JSON
• Query Azure Sentinel data
• Bring external data sources
• Use your language of choice - Python, SQL, KQL, R, …

Incidents
Start and track investigations from prioritized, actionable security incidents
• Use incidents to collect related alerts, events, and bookmarks
• Manage assignments and track status
• Add tags and comments
• Trigger automated playbooks

Visualize the entire attack to determine scope and impact
• Navigate the relationships between related alerts, bookmarks, and entities
• Expand the scope using exploration queries
• View a timeline of related alerts, events, and bookmarks
• Gain deep insights into related entities – users, domains, and more

Gain deeper insight with built-in automated detonation
• Configure URL entities in analytics rules
• Automatically trigger URL detonation
• Enrich alerts with verdicts, final URLs and screenshots (e.g. for phishing sites)

Automation
Automate and orchestrate security operations using integrated Azure Logic Apps
• Build automated and scalable playbooks that integrate across tools
• Choose from a library of samples
• Create your own playbooks using 200+ built-in connectors
• Trigger a playbook from an alert or incident investigation

Take actions today - Get started with Azure Sentinel
• Create an Azure Sentinel instance
• Connect data sources
• Start a Microsoft Azure trial
To learn more, visit https://aka.ms/AzureSentinel

Demo
How can Tailwind Traders detect suspicious activity in the Tailwind Traders Azure AD instance?

Resources
• To learn more, visit: https://aka.ms/AzureSentinel
• Azure Sentinel documentation: https://docs.microsoft.com/en-us/azure/sentinel/
• Tech Community Blog: https://techcommunity.microsoft.com/t5/Azure-Sentinel/bg-p/AzureSentinelBlog
• Join our community: https://techcommunity.microsoft.com/t5/Azure-Sentinel/bd-p/AzureSentinel

References
• Blogs: https://dev.to/cheahengsoon
• YouTube: https://www.youtube.com/c/engsooncheah


Editor's Notes

  • #3 Today, organizations are faced with the incredibly difficult task of trying to protect their expanded digital estate from increasing cyber threats. The move to the cloud and a mobile workforce have pushed the border of your estate beyond the boundary of your physical network. Your data, users and systems are everywhere. Meanwhile the frequency and sophistication of attacks are ever growing. Regardless of the size of your organization or the industry, you are a target. This is the challenge that we all struggle with in IT security, and it's a challenge we at Microsoft think we can uniquely help with.
  • #4 This creates significant challenges for your security operations teams, who are tasked with defending your extended estate.
    Security data explosion: as your digital estate grows, so does the volume of security data. In fact, 76% of organizations report an increase, and much of it is coming from the cloud. So pumping it into legacy, on-premises systems (with all the deployment and maintenance overhead that comes with that) just doesn’t make a ton of sense. And that volume is just going to keep growing. Data is the fuel for the ML models that have become so critical to threat detection; the models need both more signals and more diverse signals.
    To shore up their defenses, enterprises have deployed dozens of security products, each producing a large volume of alerts. In isolation, these products may have high false positive rates and poor response prioritization, resulting in deafening alert noise. As a result, organizations report that nearly half of alerts (44%) are never investigated.
    Part of the reason these alerts fall through the cracks is a massive shortage of security professionals. A recent report by CSO magazine showed that this global talent shortage will increase to 3.5 million unfilled security jobs by 2021.
  • #5 The cloud can help manage the complexity of the expanding digital estate. It simplifies security and makes it easy to manage. Harnessing the power of the cloud will set your SecOps teams free of IT work and help them focus on security work with no limits. The next generation of AI and automation in the cloud helps to super-charge your work: it leverages the large-scale intelligence available in the cloud and makes it work for you.
  • #6 Introducing Azure Sentinel – our new intelligent, cloud-native SIEM.
    Meets your defenders where they are and delivers instant value: choose from hundreds of built-in dashboards, hunting queries, analytics, playbooks and more. Guided hunting and investigation experiences help security analysts of all skill levels get their work done. Of course, Azure Sentinel offers all the extensibility you need to customize and create your own dashboards, analytics and workbooks, and even offers integration with professional-grade tools like Jupyter notebooks.
    Enables you to collect, store and analyze all of your security data with cloud scale and economics: scale automatically as data volume and compute needs grow, whether incremental growth or a burst during an incident. No infrastructure costs or upfront commitment - only pay for what you use. No infrastructure setup or maintenance. Agility to add data as you need it.
    Leverages AI and automation as force multipliers for your SOC: detect threats you may have otherwise missed; fuse alerts into actionable, prioritized incidents to reduce alert fatigue; apply automation to reduce manual processes and speed response.
  • #9 One-click integration with Microsoft solutions. Data connectors for a growing list of other technologies, on-premises and cross-cloud. Support for standard log formats (CEF/Syslog and WEF). Specialized TAXII and Graph connectors for threat intelligence data. REST API for connecting to cloud solutions. Proven log analytics platform with more than 10Pb of daily data ingestion.
  • #10 Interactive dashboards that combine multiple kinds of visualizations, including graphs and maps. They provide deep insights into a single data source or combine multiple sources. Powered by KQL queries, making workbooks easy to build and customize.
  • #11 Barracuda: the Barracuda CloudGen Web Application Firewall (WAF) connector is already available; its workbook provides insights into top connections by destination IP and application usage data. TAXII 2.0 data sources enable monitoring, alerting, and hunting using your threat intelligence: use this connector to send threat indicators from TAXII 2.0 servers to Azure Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes.
  • #13 More than 100 built-in alert rules were developed by Microsoft and community security experts. A wizard enables you to create your own analytics rules using KQL queries; thresholds can be set to alert when activity levels exceed normal patterns. Correlate events with your threat intelligence and now with Microsoft intel about malicious URLs: Microsoft has an unparalleled view of the evolving threat landscape, and customers can now match Microsoft URL TI with network logs. Matched Microsoft indicators are added to the TI table for use like any other indicator. Retrospective lookbacks that match TI against historical event data, and more TI types, will be coming soon. Alerts can be used to trigger automated playbooks.
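The demo question in the deck asks how Tailwind Traders could detect suspicious activity in its Azure AD instance. As an added example (not from the deck, and not one of Microsoft's built-in rules), here is the kind of threshold-based scheduled analytics rule query the wizard accepts, written in KQL: it flags a source IP that fails sign-ins against many distinct accounts within the window and shows whether any sign-in from that IP later succeeded. It assumes the Azure AD connector is populating the SigninLogs table; the thresholds are assumptions to tune per environment.

```kql
// Added example, not from the deck: a scheduled analytics rule query for
// Azure AD password-spray style activity. Assumes the Azure AD connector is
// populating SigninLogs; the thresholds below are assumptions to tune.
let lookback = 1h;                 // match the rule's query period
let minDistinctAccounts = 10;      // accounts failing from one IP before we alert
// Failed sign-ins, grouped by source IP. ResultType "0" is a successful sign-in;
// everything else is a failure code (wrong password, locked out, MFA denied, ...).
let failedByIp = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize
        FailedAttempts   = count(),
        DistinctAccounts = dcount(UserPrincipalName),
        TargetedAccounts = make_set(UserPrincipalName, 20),
        FirstFailure     = min(TimeGenerated),
        LastFailure      = max(TimeGenerated)
      by IPAddress
    | where DistinctAccounts >= minDistinctAccounts;
// Successful sign-ins in the same window, so a spray that landed is surfaced
// together with the account it landed on.
let successByIp = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project IPAddress, SuccessTime = TimeGenerated,
              CompromisedAccount = UserPrincipalName, AppDisplayName;
failedByIp
| join kind=leftouter successByIp on IPAddress
// Keep IPs with no success at all, and IPs whose success came after the failures began.
| where isnull(SuccessTime) or SuccessTime > FirstFailure
| extend Severity = iff(isnotempty(CompromisedAccount), "High", "Medium")
| project FirstFailure, LastFailure, IPAddress, FailedAttempts, DistinctAccounts,
          TargetedAccounts, CompromisedAccount, SuccessTime, AppDisplayName, Severity
// Entity mapping columns used by the analytics rule wizard of this era, so the
// IP and the account appear on the investigation graph.
| extend IPCustomEntity = IPAddress, AccountCustomEntity = CompromisedAccount
```

Set the rule's query period and run frequency to the same value as lookback so consecutive runs neither overlap nor leave gaps.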
  • #14 Built-in models offer the benefits of ML without the complexity. We apply proven off-the-shelf Machine Learning models for identifying suspicious logins across Microsoft identity services to discover malicious SSH accesses. By using transferred learning from existing Machine Learning models, Azure Sentinel can detect anomalies from a single dataset with accuracy. In addition, we use a Machine Learning technique called fusion to connect data from multiple sources, like Azure AD anomalous logins and suspicious Office 365 activities, to detect 35 different threats that span different points on the kill chain. The chart on the right-hand side is based on a real-life example that shows how Azure Sentinel ML models are able to analyze billions of signals to highlight a small number of high severity threats. Simply connect your data and learning begins.
  • #16 Built-in threat hunting queries developed by Microsoft and community experts. Run threat hunting queries and see the results without prior query experience. Create your own threat hunting queries unique to your environment using KQL. Start investigations directly from hunting queries.
  • #17 Bookmarks enable you to flag notable data for further investigation. Annotate and visualize bookmarked data in an investigation graph. Add bookmarks to enrich existing incidents or create new ones. Receive notifications of new threat related activity using live stream.
  • #18 You can now launch Azure Notebooks directly from Azure Sentinel, making it easy to create and execute Jupyter notebooks to analyze your data. Notebooks combine live code, graphics, visualizations, and text, making them a valuable tool for threat hunters. Choose from a built-in gallery of notebooks developed by Microsoft security analysts or import others from GitHub to get started. These notebooks are the same professional-strength hunting solutions Microsoft’s own threat hunters use every day. Hosted in the Azure cloud, so accessible anytime from anywhere. Investigation workflow and data can be saved as a sharable HTML/JSON document. Query Azure Sentinel data directly in the notebook. Bring external data sources such as threat intelligence into your investigations. Supports Python, SQL, KQL, R, and other languages.
  • #20 An incident is a container for alerts, events, and bookmarks related to a particular security threat. Incidents are automatically created from alerts or initiated by a security analyst when threat hunting. They can be assigned to analysts for further investigation, and their status can be tracked. Analysts can easily tag incidents and add comments, and can trigger automated playbooks from incidents.
  • #21 Automatically correlate entities across different data sources and alerts. Expand the scope of your investigation using built-in exploration queries. View a timeline of related alerts, events, and bookmarks. Click on any node to see detailed information. Gain deep insights into related entities – users, domains, and more.
  • #22 Automatically detonate URLs to speed investigation. Azure Sentinel customers can now use the power of URL detonation to enrich alerts and quickly discover threats related to malicious URLs. When creating scheduled alerts, any URL data in the query results can be mapped to a new URL entity type. Whenever an alert containing a URL entity is generated, the mapped URL will be automatically detonated, and the investigation graph will be immediately enriched with the detonation results. A verdict, final URL and screenshot (especially useful for identifying phishing) can be used to quickly assess a potential threat. To use this feature, make sure you’ve enabled URL logging (e.g. threat logging) for your secure web gateways, web proxies, firewalls or legacy IDS/IPS. You can try this feature during the preview at no cost. In short: Azure Sentinel is introducing URL entities; use alert rules to automatically trigger URL detonation; enrich alerts with verdicts, final URLs and screenshots (e.g. for phishing sites).
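The note above describes mapping URL data in query results to a URL entity, and note #13 describes matching URL threat intelligence against network logs. As an added example (not from the deck and not one of Microsoft's built-in TI rules), here is a KQL query that does both: it joins the URLs that web proxies and firewalls report through the CEF connector (CommonSecurityLog) against active URL indicators in ThreatIntelligenceIndicator and exposes the match as a URL entity so the rule can trigger detonation. It assumes both tables are populated, by a CEF connector whose source fills RequestURL and by a TAXII or other TI connector.

```kql
// Added example, not from the deck: match URLs seen by web proxies/firewalls
// (CEF connector -> CommonSecurityLog) against URL threat indicators
// (TAXII/Graph connectors -> ThreatIntelligenceIndicator) and expose the hit as
// a URL entity so the analytics rule can trigger detonation. Assumes both
// connectors are in place and that the CEF source populates RequestURL.
let lookback = 1h;
let activeUrlIndicators = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(14d)            // indicators are re-sent periodically
    | where isnotempty(Url)
    | where Active == true and ExpirationDateTime > now()
    // Indicators are updated in place; keep only the newest copy of each one.
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project IndicatorUrl = Url, IndicatorTime = TimeGenerated,
              ThreatType, Description, ConfidenceScore;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(RequestURL)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL,
          DeviceVendor, DeviceProduct, Activity
// Exact, case-sensitive match: normalize scheme and trailing slash upstream if
// your proxy logs and your indicators disagree on form.
| join kind=inner activeUrlIndicators on $left.RequestURL == $right.IndicatorUrl
| project TimeGenerated, SourceIP, DestinationIP, RequestURL,
          DeviceVendor, DeviceProduct, Activity,
          ThreatType, Description, ConfidenceScore, IndicatorTime
// Entity mapping columns of this era: the URL entity is what detonation acts on.
| extend URLCustomEntity = RequestURL, IPCustomEntity = SourceIP
```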
  • #24 Powered by Azure Logic Apps and fully integrated with Azure Sentinel. Build automated and scalable playbooks that integrate across tools. Choose from a library of samples or create your own using more than 200 built-in connectors plus generic connectors like HTTPS. Trigger a playbook from an alert or incident investigation.
  • #32 Log in to the Azure Portal. Search at the top for Azure Sentinel. Click Add to set up the Azure Sentinel workspace.
  • #33 Click Create a new workspace. (You could also add to an existing one if desired.)
  • #34 Name your new workspace and place it in the proper Resource Group. NOTE: The Azure Sentinel Preview is currently free. Microsoft states they will release pricing information at a later date. Be aware that you can still accrue charges for storage, throughput, and Machine Learning automation responses.
  • #35 On the next page click the new workspace you created and click Add Azure Sentinel.
  • #36 Click on the new workspace. Click the Getting Started tab and you will see the overview of the setup.
  • #38 Click Connect for step 1; we will need to set up Sentinel to collect data from on-prem and cloud locations. Out of the box it looks like Sentinel can integrate with many data collectors, including: Azure Active Directory, Azure AD Identity Protection, Office 365, Microsoft Cloud Application Security, Azure Advanced Threat Protection, Security Events, Azure Security Center, Azure Activity, Azure Information Protection, WAF, Windows Firewall, AWS, Common Event Format, Palo Alto Networks, Cisco ASA, Check Point, Fortinet, FS, Barracuda, Syslog, DNS.
  • #39 Click through any you wish to set up… each Data Collection plugin has step-by-step instructions. For example, the Azure Active Directory connector was just 2 easy clicks to connect the logs. Some will be more involved and need you to point your current Syslog files to it or do a client install.
  • #41 Once you have Data Collection set up, go to Dashboards, select the pre-made dashboards for your Collectors and click Install on the bottom right.
  • #43 Select Analytics and then Add.
  • #44 This is where I notice things get tricky… Microsoft does not appear to have a nice selection of pre-made rules. Admins will have to create their own alert rules using the query system. The example from Microsoft is shown here. I really hope they create some built-in best practice rules that can be easily enabled, but it appears they plan to rely on the Community Section.
  • #45 Click Create.
  • #47 Next Select the Community tab under configuration and select Go to Azure Sentinel community.
  • #48 From this community GitHub you can find many useful alerts to set up in your Azure Sentinel Preview.
    Conclusion: from here we have Sentinel set up to collect data, view the dashboards, and trigger alerts.
  • #49 Fusion is the AI/Machine Learning portion of Sentinel designed to help analysts with alert fatigue. More info here. Open the Cloud Shell and select PowerShell. Create storage and authenticate.