Azure Sentinel is a cloud native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution. A SIEM solution aggregates data and provides real-time analysis of security alerts generated by applications and network appliances. A SOAR solution automates the investigation of and response to security alerts. It is common for IT professionals to mix up the capabilities of SIEM and SOAR since they tend to work together toward the goal of protection. However, these were traditionally two separate products or components. Microsoft designed Azure Sentinel to handle both SIEM and SOAR.
What matters most about Sentinel is that it can:
- Be set up in a relatively short time
- Gather data from cloud and on-premises security sources
- Provide automated analysis and remediation of anomalies with little human intervention.
How does it work?
First, devices and services need to start streaming their data into Sentinel, via Data Connectors. Technically, the data flows into Azure Log Analytics. Workbooks are used to visualize the data, potential issues and trends, and help create specific queries. These queries can help create rules called analytics. After creating analytic rules, you start to see Incidents, as well as process automated actions via Playbooks. When analyzing Incidents, you can leave a trail of Bookmarks to flag interesting or anomalous data for follow up and discover other areas that may be affected. Finally, and after gaining experience, you can go Hunting for threats. Each concept is outlined in more detail below:
Data Connectors – These are connection methods to the variety of sources Azure Sentinel can integrate with. There are multiple different connector types:
- Service to Service: Out of the box, native connections (e.g. Office 365) are integrated with a few clicks
- External solution via API: 3rd party solutions that have integration provided by a set of APIs
- External solution via agent: Agent based deployment via a Linux server to collect Syslog or Common Event Format (CEF) logs. The agent can also be deployed directly on servers that are not connected to Azure.
Log Analytics – All data ingested into Azure Sentinel must come from a Log Analytics workspace. A workspace is basically a limitless storage container to hold all your data from a variety of sources. It is recommended to have a single, dedicated workspace created for Azure Sentinel.
Workbooks – Provide a means of monitoring the data that has been ingested into Azure Sentinel. Built-in workbooks allow you to evaluate data immediately. Custom workbooks can also be created to allow you to view your data the way you need to.
Analytics – Custom rule sets that can be created to search across all ingested data to discover potential threats. There are many pre-built rules provided as well as connections to Microsoft sources such as Microsoft Defender ATP and Cloud App Security. Additional custom rules can be created based on queries. These can run on a scheduled interval. All hits from each rule can generate an incident and/or run a playbook.
Incidents – Alerts that are generated based on Analytic rule sets. An incident can contain multiple alerts. They allow for further investigation to determine if there were additional areas of exposure using the investigation graph. Incidents can be assigned to an individual to delegate the investigative tasks.
Playbooks – Playbooks are essentially Azure Logic Apps with specific designation to Azure Sentinel alerts. They allow for an orchestrated and automated response to alerts that are triggered via Analytics. Anything that you can do within a new or existing Logic App can also be extended to run based on an Azure Sentinel alert.
Notebooks – Azure Sentinel has integrated Jupyter notebooks directly into the Azure Portal. A notebook is a web application that runs in your browser and lets you have live visualizations and code/queries executing directly within the page. A few notebooks are provided by Microsoft to illustrate their capabilities.
Hunting – Hunting allows for manual, proactive investigations into possible security threats based on the ingested data. Microsoft provides several built-in queries, and custom queries can also be created. Once a query is created you can convert it into an analytic rule to run on a schedule. Hunting capabilities include:
- Queries (using Kusto Query Language)
- Live Stream
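As an added illustration of the hunting queries and scheduled analytic rules described above (this is example code, not from the article or from Microsoft's built-in content), the following KQL query runs over the Azure AD SigninLogs table and surfaces source IPs that generated many failed sign-ins and then a successful one within an hour, which is the pattern a password-spray or brute-force attempt leaves behind. The threshold and lookback window are assumptions you would tune for your tenant; the trailing entity columns are what an analytic rule uses to map the result to an Incident.

```kusto
// Added example: hunt for a burst of failed sign-ins followed by a success from the same IP.
// Assumes the Azure AD sign-in connector is enabled (SigninLogs is populated); the
// threshold and lookback values are illustrative, not recommendations from the article.
let lookback = 1d;          // how far back to search
let threshold = 10;         // failed sign-ins from one IP before we care
let window = 1h;            // a success within this time of the last failure is suspicious
// Step 1: IPs with many failures (ResultType "0" is success; anything else is a failure)
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize FailedCount = count(),
                FailedUsers = make_set(UserPrincipalName, 50),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
      by IPAddress
    | where FailedCount >= threshold;
// Step 2: successful sign-ins from those IPs shortly after the failures
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| join kind=inner failures on IPAddress
| where TimeGenerated between (FirstFailure .. (LastFailure + window))
| project TimeGenerated, IPAddress, SucceededUser = UserPrincipalName,
          AppDisplayName, FailedCount, FailedUsers, FirstFailure, LastFailure
// Entity mapping columns so the same query can be saved as a scheduled analytic rule
| extend AccountCustomEntity = SucceededUser, IPCustomEntity = IPAddress
```

Run it first from the Hunting blade to check the noise level, then save it as a scheduled analytic rule so each hit creates an Incident and, if desired, triggers a Playbook.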
How much does it cost?
Because you’re storing data in the cloud, and not in databases on premises, Sentinel’s cost is generally attractive. To calculate the anticipated costs, you will need to estimate how much data will be ingested per day as well as how long the data will be retained.
There are multiple areas where charges are incurred:
- data ingested from network appliances, AWS, etc.
- data ingested from Log analytics, Logic app runs, and machine learning models
- data storage for longer than 90 days
Here is the breakdown of anticipated costs for data ingestion (this does not include Logic app or Machine Learning costs):
If you choose a capacity reservation, you are charged a fixed fee up to the capacity limits. If you exceed the chosen capacity, you are charged the per GB rate over the capacity.
The Pay-as-you-go rate is ideal for initial deployments, smaller organizations, or if you do not know how much data you will need to ingest. It takes between 65-70GB of data per day within the Pay-as-you-go model to match the cost of the 100GB/day capacity reservation. You can increase or decrease your capacity at any time.
There are several free elements as well including:
- First 31 days of Azure Sentinel
- 90 Day retention ($0.12/GB/Month after 90 days)
- Microsoft Data source ingestion*:
  - Azure Activity Logs
  - Office 365 Audit Logs (all SharePoint activity and Exchange admin activity)
  - Microsoft Threat Protection products:
    - Azure Security Center
    - Office 365 ATP
    - Azure ATP
    - Microsoft Defender ATP
    - Microsoft Cloud App Security
    - Azure Information Protection
*Azure Active Directory (AAD) data is not free.
Azure Sentinel may be the newcomer to the SIEM world; however, it is quickly becoming a top tier solution due to its cloud native design. Microsoft has made a significant investment in this service and fully intends to drive its capabilities above and beyond what competitors offer. With the ease of deployment, minimal to no cost initial integrations with Microsoft services, and the familiar Azure interface, Azure Sentinel provides the means for any organization to have a SIEM solution.
In the next article on Azure Sentinel, we will take you through the process of initial setup and onboarding data sources to Azure Sentinel. If you’d like assistance, Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft best practices and utilizing a secure and productive environment. You can check out more in the Security section of our website. In addition, you can learn more from last month's recorded Azure Sentinel webinar.