Cloud based SIEM for the people
24th September 2019: Microsoft announced the general availability of Azure Sentinel. In this post, I aim to answer the following questions you might have about Azure Sentinel and where to start with your Azure Sentinel setup.
- What is Azure Sentinel?
- Who is Azure Sentinel for?
- Why do we need Azure Sentinel?
- How does one get Azure Sentinel?
- When is Azure Sentinel available?
- How much will Azure Sentinel cost?
- What connectors work with Azure Sentinel?
- Are there any custom Azure Sentinel dashboards?
What is Azure Sentinel?
"Azure Sentinel—the cloud-native SIEM that empowers defenders" – Ann Johnson, Corporate Vice President, Cybersecurity Solutions Group
Ok? Security Information and Event Management (SIEM) is a combination of security information management and security event management, where information management is the storage, analysis and reporting of logs, and event management is the real-time monitoring, notification and dashboard views of security events.
Most SIEM products are deployed centrally in one’s own datacenter. Logs are received from hardware and software systems via various protocols such as Syslog, SNMP etc. Traditional SIEM tools are unable to keep pace with the volume of data or the agility of today’s adversaries (baddies).
Azure Sentinel is a native SIEM within Microsoft’s Azure cloud platform. Because it’s built on Azure, organisations can take advantage of nearly limitless cloud speed and scale, investing time in security and not servers or appliances. Azure Sentinel also utilizes cloud AI to reduce noise and empower SecOps teams to keep their organizations safe.
It is also a SOAR (Security Orchestration, Automation and Response) tool, which means you can respond to incidents rapidly with built-in orchestration and automation of common tasks. This is built on the foundation of Azure Logic Apps. The connectors allow you to apply custom logic in code or integrate with ServiceNow, Jira, Zendesk, HTTP requests, Microsoft Teams, Slack, Windows Defender ATP and Cloud App Security.
For example, if you use the ServiceNow ticketing system, you can use Azure Logic Apps to automate your workflows and open a ticket in ServiceNow each time a particular event is detected.
Who is Azure Sentinel for?
Traditionally, SIEM systems are purchased and deployed by medium to large sized organisations with dedicated SecOps (Security Operations) teams working from a SOC (security operations center), where the SIEM forms part of their daily tool-set in combating cyber-crime. Azure Sentinel, however, is so simple to deploy and so fast to produce information in impactful dashboards that even small organisations with no dedicated information security personnel can benefit from using it.
If you have an Office 365 tenant, some Azure resources or on-premises servers, you will want to see the threats your company may be exposed to.
Why do we need Azure Sentinel?
Azure Sentinel is simple to set up (I’ll get into that later in this post). Because of that, it will create value for your organisation almost immediately. If you already have a SIEM deployed, feed its logs into Azure Sentinel and build dashboards on them; you will most likely derive more value from your existing SIEM than before, because visually you are able to separate pertinent data from irrelevant data, making your threat hunting more efficient.
How does one get Azure Sentinel?
- Create or use an existing Azure subscription.
- Create a Log Analytics workspace – https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-create-workspace
- Enable Azure Sentinel (this is a paid service) and add the workspace you just created.
- Connect data connectors, for example Azure AD for sign-in logs.
- View the built-in dashboards.
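Once the Azure AD connector is populating the SigninLogs table in your workspace, the next step is to query it. The following KQL hunting query is an added example written for this post, not code from Microsoft or from the original article. It looks for one source IP failing sign-ins against many distinct accounts inside a short window (the classic password-spray shape) and joins back to successful sign-ins from the same IP so an analyst can see whether any of the sprayed accounts were eventually accessed. The thresholds (20 failures, 5 distinct accounts, 10-minute bins, 1-day lookback) are assumptions to tune for your own tenant; the column names are the standard SigninLogs schema.

```kusto
// Added example (not from the original post): password-spray style activity
// in the SigninLogs table populated by the Azure AD data connector.
// Thresholds below are assumptions; tune them to your tenant's baseline.
let lookback = 1d;
let window = 10m;
let minFailures = 20;
let minAccounts = 5;
// Failed sign-ins grouped by source IP and time bucket.
// ResultType "0" is a successful sign-in; any other value is an Azure AD error code.
let failures = SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"
| summarize FailedAttempts = count(),
            DistinctAccounts = dcount(UserPrincipalName),
            SampleAccounts = make_set(UserPrincipalName, 5),
            FailureCodes = make_set(ResultType, 5)
  by IPAddress, WindowStart = bin(TimeGenerated, window)
| where FailedAttempts >= minFailures and DistinctAccounts >= minAccounts;
// Successful sign-ins from the same IP in the same bucket, so the analyst can
// tell a noisy-but-failed spray from one that got in.
let successes = SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| summarize Successes = count(),
            SuccessfulAccounts = make_set(UserPrincipalName, 5)
  by IPAddress, WindowStart = bin(TimeGenerated, window);
failures
| join kind=leftouter successes on IPAddress, WindowStart
| project WindowStart, IPAddress, FailedAttempts, DistinctAccounts,
          SampleAccounts, FailureCodes, Successes, SuccessfulAccounts
| order by Successes desc, FailedAttempts desc
```

Run it from the Logs blade of the workspace or from Azure Sentinel’s Hunting page; rows where Successes is greater than zero deserve attention first, which is why the final sort puts them at the top. The same query body can be saved as a scheduled analytics rule so that matches become incidents rather than something you remember to look for.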
When is Azure Sentinel available?
Azure Sentinel has been available in public preview for anyone to try since February 2019; however, on 24th September 2019, Azure Sentinel was made GA (generally available). GA means it is now a supported product with defined service levels etc.
How much will Azure Sentinel cost?
Azure Sentinel is priced on the data that you ingest into the workspace(s). There is no upfront cost, and the price includes the analytics provided by Azure Sentinel. It depends on the region as well as how long you wish to retain the logs for (the first 3 months of retention are free).
Capacity Reservation gives you a discount (up to 60%) compared to Pay-As-You-Go pricing, based on the capacity reservation you select.
What connectors work with Azure Sentinel?
There are currently 49 connectors available and more coming soon:
Are there any custom Azure Sentinel dashboards?
Yes, absolutely, there is a GitHub repository of Dashboards available: