I am sure by now you have heard about the Microsoft Azure Sentinel product. To understand Azure Sentinel, you first need to know what a Security Information and Event Management (SIEM) application is and does.

A Security Information and Event Management (SIEM) application aggregates, analyzes, and acts on security events from other systems, such as networked computers or Microsoft 365 services. All SIEM applications support collecting and querying log data, performing correlation or anomaly detection, and creating alerts and incidents based on an investigation. Most tools also provide visualization such as graphs and dashboards, incident management, and a powerful, rich query language.

Azure Sentinel is Microsoft's cloud-native Security Information and Event Management (SIEM) system, designed to manage security operations across Azure, Microsoft 365, and other connected platforms and services. One advantage of Azure Sentinel is that no software needs to be installed on on-premises servers. As with all Microsoft services, integration is a vital part of the platform: it automatically harnesses Microsoft threat intelligence, security playbooks, and other cloud services. Because Azure Sentinel integrates tightly with other cloud services, organizations can quickly ingest logs from Microsoft's own cloud and from other cloud providers. Azure Sentinel helps organizations run end-to-end security operations, including collection, detection, investigation, and response.

  • Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
  • Detect previously undetected threats, and minimize false positives using Microsoft’s analytics and unparalleled threat intelligence.
  • Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cyber security work at Microsoft.
  • Respond to incidents rapidly with built-in orchestration and automation of everyday tasks.

Collect

To onboard Azure Sentinel, you connect it to organizational security sources such as Microsoft 365. Azure Sentinel ships with several connectors for Microsoft solutions. These out-of-the-box connectors provide real-time integration with Microsoft 365 Defender solutions, Microsoft 365 sources such as Office 365, Azure AD, Microsoft Defender for Identity, Microsoft Cloud App Security, and many others. In addition, there are built-in connectors for non-Microsoft solutions across the broader security ecosystem, and standard event formats such as Syslog, as well as REST APIs, also work with Azure Sentinel.

Detect

After connecting data sources to Azure Sentinel, organizations can monitor the data through Azure Sentinel's integration with Azure Monitor Workbooks, which provides the versatility to build custom workbooks across the data. Workbooks are intended for Security Operations Center (SOC) engineers and analysts to visualize data.

Investigate

Azure Sentinel uses analytics to correlate alerts into incidents, minimizing what needs to be reviewed and investigated. Incidents are groups of related alerts that need investigating and resolving. Azure Sentinel provides machine learning rules that map the organization's network behavior and then identify anomalies. These analytics connect the dots by combining low-fidelity alerts about different entities into potential high-fidelity security incidents.
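The correlation idea described above, as an added illustration that is not part of the original post and not Azure Sentinel's own analytics: constructed sample alerts are grouped per entity within a time window and promoted to an incident once their combined score (a hypothetical fidelity weight) crosses a threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry). Each is one low-fidelity
# signal about a single entity; "score" is a hypothetical fidelity weight.
ALERTS = [
    {"id": "a1", "time": "2023-05-01T09:00:00", "entity": "user:alice", "rule": "impossible-travel", "score": 30},
    {"id": "a2", "time": "2023-05-01T09:20:00", "entity": "user:alice", "rule": "mfa-fatigue", "score": 35},
    {"id": "a3", "time": "2023-05-01T09:35:00", "entity": "user:alice", "rule": "mailbox-forwarding-rule", "score": 40},
    {"id": "a4", "time": "2023-05-01T13:00:00", "entity": "host:web01", "rule": "new-local-admin", "score": 45},
    {"id": "a5", "time": "2023-05-02T08:00:00", "entity": "user:alice", "rule": "impossible-travel", "score": 30},
]

WINDOW = timedelta(hours=1)      # alerts this close together (per entity) are related
INCIDENT_THRESHOLD = 70          # summed score needed before a cluster becomes an incident


def _close(entity, cluster, threshold):
    """Turn a finished cluster into an incident record if it is strong enough."""
    score = sum(a["score"] for a in cluster)
    if score < threshold:
        return []                # low-fidelity noise on its own: no incident
    return [{"entity": entity, "score": score,
             "alerts": [a["id"] for a in cluster],
             "rules": sorted({a["rule"] for a in cluster})}]


def correlate(alerts, window=WINDOW, threshold=INCIDENT_THRESHOLD):
    """Group alerts per entity into time-bounded clusters (window measured from
    the cluster's first alert) and return the clusters that reach the threshold."""
    by_entity = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["time"]):   # ISO-8601 strings sort chronologically
        by_entity[a["entity"]].append(a)

    incidents = []
    for entity, items in by_entity.items():
        cluster = []
        for a in items:
            t = datetime.fromisoformat(a["time"])
            if cluster and t - datetime.fromisoformat(cluster[0]["time"]) > window:
                incidents.extend(_close(entity, cluster, threshold))
                cluster = []     # start a new cluster for this entity
            cluster.append(a)
        incidents.extend(_close(entity, cluster, threshold))
    return incidents


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc)
```

With the sample data, three separate 30-40 point alerts about user:alice within an hour combine into one incident, while the isolated alerts (a4, a5) never surface on their own.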

Respond

Azure Sentinel's automation and orchestration capabilities provide an extensible architecture that enables scalable automation for new technologies and threats. Organizations can build security playbooks based on Azure Logic Apps, which currently offers more than 200 connectors for services such as Azure Functions. The connectors let you apply custom logic in code or in supported applications such as ServiceNow, Jira, Zendesk, HTTP requests, Microsoft Teams, Slack, Windows Defender ATP, and Cloud App Security. Playbooks are intended for Security Operations Center (SOC) engineers and analysts to automate and simplify tasks, including data ingestion, enrichment, investigation, and remediation. They work best for single, repeatable tasks and require no coding knowledge.

Use Azure Sentinel if the organization needs to collect event data from various sources and then perform security operations on the data to identify suspicious activity.