

How to Use Azure Sentinel for Security Analytics and Threat Intelligence



Data is the key asset, and security is the top concern for every organization. It is nearly impossible to properly analyze and resolve the high volume of security alerts generated by an organization's systems in order to combat and respond smartly to increasingly sophisticated attacks. This is where Azure Sentinel comes into the picture.

There are many Security Information and Event Management (SIEM) products on the market today, but many lack the modern capability to integrate with a multitude of data sources at the same time and to help investigate, analyze, and act on the insights that the analysis produces.

In this article, we will cover the following:

  • What is Azure Sentinel?
  • Azure Sentinel and Varonis
  • Azure Sentinel Core Features
  • Create and Configure Azure Sentinel
  • Sentinel Summary

What is Azure Sentinel?


Azure Sentinel is a cloud-native solution that helps build next-generation security operations with the cloud and leverages artificial intelligence (AI). Azure Sentinel is a robust security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution that provides intelligent security analytics and threat intelligence across the enterprise. It helps foresee and stop threats before they occur and cause severe damage.

Azure Sentinel can be connected to different data sources across the entire organization. The data sources range from users to devices, to different databases, to apps, and even to data from different tenants and clouds.

Being cloud-native, it frees the security operations team from the overhead of monitoring, maintaining, and scaling infrastructure, and provides the performance and speed to match your security needs. Most importantly, it is not as expensive to own and operate as other SIEM tools: you pay for what you use, billed on the volume of data ingested for analysis. This data is stored in an Azure Monitor Log Analytics workspace.

Azure Sentinel is built on the full range of Azure services and, as already mentioned, enriches investigation and threat detection with artificial intelligence (AI). It also lets you bring your own threat intelligence, providing a rich user experience.

A question that often comes up is the difference between Azure Sentinel and Azure Security Center. Azure Security Center is a cloud workload protection platform that targets the unique requirements of server workload protection in modern hybrid scenarios.

Azure Sentinel, on the other hand, is a cloud-native SIEM and SOAR solution that analyzes event data in real time for early detection and prevention of targeted attacks and data breaches. Azure Sentinel takes a proactive approach to identifying threats, whereas Azure Security Center takes a reactive approach.

Azure Sentinel and Varonis

The Varonis Data Security Platform monitors on-premises and cloud technologies for abnormal behaviors that could signal cybersecurity incidents. Our unique approach to threat detection provides high-fidelity alerts into Sentinel with a fully enriched, cross-platform, human-readable event log that IR teams use to quickly diagnose alerts.

Varonis customers see fewer false positives and achieve faster incident response than they did when they used traditional SIEMs.

Not only can you add Varonis’s unique approach to threat detection to your M365 security stack, but you also get access to our complementary Incident Response Team to help you investigate and remediate cybersecurity attacks. The Varonis IR team has decades of cybersecurity experience available to augment and enhance your in-house resources.

Azure Sentinel Core Features

Microsoft’s objective in re-engineering the SIEM tool was to let organizations focus and invest in security alone, not in infrastructure setup and maintenance. Sentinel comes with the following distinct and prominent features.


  1. Collect data at cloud scale: Azure Sentinel is purely cloud-based. Built on Log Analytics, it scales to connect a wide variety of data sources: Office 365, different applications, all users, different subscriptions, and other clouds. Connectors are available for these different data sources.
  2. Detect previously undetected threats: Azure Sentinel detects previously undetected threats and minimizes false positives using Microsoft’s analytics and threat intelligence. It thereby greatly reduces the effort security teams spend investigating alerts that turn out not to be real incidents.
  3. Investigate threats with artificial intelligence: Azure Sentinel uses AI for threat investigation and looks for suspicious activity at scale, drawing on Microsoft’s own cybersecurity experience.
  4. Respond to incidents and events rapidly: Artificial intelligence (AI) helps Azure Sentinel respond to threat incidents and events rapidly. There are many ways to hunt for threats and orchestrate the responses accordingly; open-source tools such as Jupyter notebooks can also be used.

Additional Key Features of Azure Sentinel

Apart from the core features above, there are other features that are equally important and worth mentioning.

  1. Intelligent built-in queries: Azure Sentinel has numerous built-in queries that non-technical users can leverage to easily review common attacks.
  2. Built-in artificial intelligence: As mentioned above, Sentinel has built-in artificial intelligence to proactively detect real threats, then investigate, analyze, and respond in order to mitigate the issues quickly.
  3. Threat hunting using bookmarks: Threat hunting lets you proactively look for security threats before an alert is triggered and an incident is created. You can create custom detection rules to surface the insights and notify the security teams. Sentinel also lets you bookmark suspicious events so that you can easily refer back to them and investigate them later. These bookmarks (stored in the HuntingBookmark table) can be used to visualize data directly from the Bookmarks tab and promoted to incidents when needed.
  4. Easy installation: Azure Sentinel is a very easy Security Information and Event Management (SIEM) tool to install. Infrastructure setup is simple and no complex installation is required.
  5. Monitor data using Azure Monitor Workbooks: Azure Sentinel integrates with Azure Monitor Workbooks, which can be used to monitor data. Sentinel also allows the creation of custom workbooks across your data alongside the available default templates, so you can quickly gain insight as soon as the data sources are connected.

Now that you understand the features of Azure Sentinel, there are a few more points to cover: analytics, security automation & orchestration, and community.

Analytics

As already mentioned, Azure Sentinel has built-in artificial intelligence that provides machine-learning rules to detect and report anomalies across all configured data sources. You can also create your own rules, starting from the built-in rule templates. Analytics helps connect the dots: it can combine many small alerts into a single potentially high-severity incident and proactively report it to the security responders.

Security Automation & Orchestration

Azure Sentinel has the concept of playbooks. Playbooks are built on Azure Logic Apps and simplify security orchestration by automating recurring common tasks. As with the machine-learning analytics rules, there are prebuilt playbooks, and 200+ connectors let you apply custom logic.

One common example found across Microsoft’s documentation is ServiceNow: you can use a Logic App to open a ticket in ServiceNow every time a new threat is detected in the organization’s services and other workloads.

Community

The Azure Sentinel community is an ever-growing resource, where security analysts constantly add new workbooks, playbooks, hunting queries, and more that you can use in your own environment. It is an open-source community, hosted on GitHub, that facilitates collaboration among customers and partners.

These can therefore be downloaded from the GitHub repository, and you can also use them as the starting point for your own custom versions that suit your requirements.

Create and Configure Azure Sentinel

To create and configure Azure Sentinel, we first need to create an Azure Log Analytics workspace, as Sentinel is built on top of Azure Log Analytics. After Azure Sentinel is created and configured, we will use Azure Active Directory as the data source for this tutorial.

To view the log and event data, we will use the built-in workbooks for sign-in and audit logs and events. To create and configure, we will follow the steps below:

  1. Create Resource Group
  2. Create and Configure Azure Sentinel
    1. Create Log Analytics Workspace for Azure Sentinel
    2. Create Azure Sentinel
    3. Connect to Data Sources
  3. Connect to Workbooks for Monitoring Data
    1. View Logs and Events using Workbooks
    2. View Reported Incidents

Create a Resource Group

The first step in creating any resource in Azure is to create a resource group. Resource groups are created within a subscription and mapped to a location.

  1. Log in to the Azure Portal, go to “Resource groups” and click the “Add” button.
  2. On the “Create a resource group” page, choose your subscription, enter the resource group name and select a region based on your location.
  3. Click on Review + Create and, after validation completes, click on the Create button.

Configure Log Analytics Workspace for Azure Sentinel

We have to create a dedicated Log Analytics workspace for Azure Sentinel, as the default workspaces created by Azure Security Center do not appear in the list and Sentinel cannot be installed on them.

  • On the search bar, type “Azure Sentinel”.
  • From the search results, click on the “Azure Sentinel” option and hit Enter.
  • From the Azure Sentinel page, click on ‘Create’ in the top menu or click on the ‘Create Azure Sentinel’ button. If no workspace exists for Sentinel yet, it redirects you to the Log Analytics workspace page.
  • From the ‘Add Azure Sentinel to a workspace’ page, click on the ‘Create a new workspace’ button.
  • On the ‘Create Log Analytics Workspace’ page, select the subscription and the resource group.
  • Provide the name ‘loganalyticsvaronis’.
  • Choose the region ‘East US2’.
  • Leave the other options as-is, click on Review + Create and, after validation, click on Create.

Create Azure Sentinel

  1. Once the Azure Log Analytics workspace has been created, you are redirected back to the Azure Sentinel page, where you can click on the ‘Create’ button in the top menu or the ‘Create Azure Sentinel’ button at the bottom.
  2. After clicking on the Create button, you are redirected to the ‘Add Azure Sentinel to a workspace’ page.
  3. Select the workspace name, ‘loganalyticsvaronis’ in this case, and then click on the Add button. This adds Azure Sentinel to the Log Analytics workspace, and you are redirected to Sentinel’s ‘News and Guides’ page.

There are certain key points to note with Azure Sentinel:

  1. Once deployed on a workspace, Azure Sentinel currently does not support switching or moving that workspace to another subscription.
  2. If you have already moved the workspace, disable all active rules under Analytics and re-enable them after five minutes. This works in most cases, though, to reiterate, it is unsupported and undertaken at your own risk.

Connect to Data Sources

Azure Sentinel can connect to a wide variety of data sources. At present, there are around 98 connectors for these different data sources.

  • Data ingestion from services and apps is done by connecting to the service and forwarding its events and logs to Azure Sentinel.
  • For physical and virtual machines, the Log Analytics agent is installed on the machine; it collects the logs and forwards them to Azure Sentinel.
  • For firewalls and proxies, the Log Analytics agent is installed on a Linux Syslog server, from which the agent collects the log files and forwards them to Azure Sentinel.

In the example below, we connect to Azure Active Directory. This streams logs and events from Azure Active Directory into Azure Sentinel. During configuration, we can select which types of logs are captured from Azure AD and forwarded to Azure Sentinel.

  1. On the Data connectors page, type Azure Active Directory in the search bar; you will see the options for Azure AD.
  2. Select Azure Active Directory and then click on the ‘Open connector page’ button in the bottom right corner.
  3. On the Azure Active Directory connector page, you will see the prerequisites needed to connect to Azure Active Directory.
  4. Below the prerequisites, there is a configuration section used to select the Azure AD log types. From the available checkboxes, select Sign-in logs and Audit logs, and then click on the ‘Apply Changes’ button. After the changes have been applied, your Azure Sentinel is ready to collect the Sign-in and Audit logs from Azure Active Directory.

Connect to Workbooks for Monitoring Data

  1. Click on the ‘Next steps’ tab on the connector page.
  2. On the page that appears, there is a list of recommended built-in workbooks that can be used to check the logs. We can also click on ‘Go to workbooks gallery’, where around 90 templates are available to choose from, but for now we are going to choose the default Azure AD Sign-in logs workbook. Here you will also see the query samples. They are Kusto Query Language (KQL) queries that can be used to extract information from the SigninLogs and AuditLogs tables in the Log Analytics workspace.
  3. After you choose the workbook, you are redirected to the Workbooks page. Here, select the ‘Azure AD Sign-in logs’ template and then click on the ‘Save’ button in the bottom right corner.
  4. Once you click on the ‘Save’ button, a small popup asks for the location where the workbook is to be saved. Choose the location ‘East US2’ and then click on ‘OK’.
  5. You can repeat steps 1 through 4 to save the ‘Azure AD Audit logs’ workbook as well.
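The workbook’s own query samples are not reproduced here. The following hunting query is an added example for this article, not one of Sentinel’s gallery queries, showing how the same KQL approach applies to the AuditLogs table: it lists successful additions of users to privileged Azure AD directory roles over the last seven days, together with the actor who made the change. The AuditLogs columns used (OperationName, Result, InitiatedBy, TargetResources, CorrelationId) are the standard Azure AD connector schema; the list of roles treated as privileged is an assumption and should be adjusted to the roles your organization considers sensitive.

```kql
// Added example: hunting query over AuditLogs for additions to privileged
// Azure AD directory roles. The role list below is an assumption for this example.
let privilegedRoles = dynamic(["Global Administrator", "Privileged Role Administrator",
                               "Security Administrator", "Exchange Administrator"]);
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Add member to role"
| where Result == "success"
// InitiatedBy is a dynamic column: the actor is either a user or an app (service principal)
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
| extend ActorIP = tostring(InitiatedBy.user.ipAddress)
// TargetResources is an array; expand it to reach the user that was added to the role
| mv-expand TargetResources
| extend TargetUser = tostring(TargetResources.userPrincipalName)
// modifiedProperties carries Role.DisplayName with a JSON-encoded new value, e.g. "\"Global Administrator\""
| mv-expand ModifiedProp = TargetResources.modifiedProperties
| where tostring(ModifiedProp.displayName) == "Role.DisplayName"
| extend RoleName = trim('"', tostring(ModifiedProp.newValue))
| where RoleName in (privilegedRoles)
| project TimeGenerated, Actor, ActorIP, TargetUser, RoleName, CorrelationId
| order by TimeGenerated desc
```

Run it from Logs or from the Hunting blade; each row that needs follow-up can be saved as a bookmark (the HuntingBookmark table described earlier) and later promoted to an incident, and the CorrelationId column lets you pull every audit record belonging to the same operation.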

View Logs and Events using Workbooks

After the workbooks have been saved, you can monitor the events and logs for any suspicious activity that has been reported.

  1. To view the reported events and logs, click on ‘Workbooks’ under ‘Threat management’. Here you can see the two workbooks that were configured earlier, already in the saved state.
  2. Click on the Azure AD Sign-in logs workbook to see the logs and events from Azure Active Directory, including any suspicious sign-in events that were encountered and logged.

View Reported Incidents

Incidents reported by Azure Sentinel can be viewed in the same way as workbooks, directly from within Sentinel.

  1. Go to the Azure Sentinel page, then click on ‘Incidents’ under ‘Threat management’. Here you can see whether any incident has been reported.

Sentinel Summary

Azure Sentinel is a powerful cloud-native tool with the features of both a security information and event management (SIEM) and a security orchestration, automation and response (SOAR) solution. It provides intelligent security analytics and threat intelligence across the enterprise. With Azure Sentinel, it is possible to proactively and smartly detect threats and respond faster using built-in artificial intelligence. In fact, it is considered a bird’s-eye view across the enterprise, and it brings decades of Microsoft’s security experience to bear.

Azure Sentinel also eliminates the overhead of infrastructure setup, maintenance, and scaling, enabling security responders to focus on threat management instead of infrastructure requirements, which is often the case with other SIEM tools on the market today.


Neeraj Kumar


Neeraj is an Azure Enthusiast, Enterprise Architect, and Technical Program Manager. With an IT experience spanning 21 years, Neeraj is leading high-end programs focused on Digital and Cloud services by architecting and designing solutions on Azure Cognitive Services, Data Science, IoT, Cloud Migrations, etc. to benefit business by maximizing RoI. Neeraj is a certified Azure Architect and Administrator and is passionate about authoring real-world problem-solving courses on Azure to help organizations and learners in their cloud endeavors.

