Azure Sentinel
9 min to read
April 23, 2021

Azure Sentinel #

  • Solution for
    • security information event management (SIEM)
    • security orchestration automated response (SOAR)
  • Delivers
    • intelligent security analytics
    • threat intelligence
  • Key benefits
    • Speed
    • Scalability
    • AI/automation to improve effectiveness
    • Ability to consume data from different sources
  • Provides solutions for security operations such as
    • Collecting
      • Collect data, analyze and parse it to some common format and place it in Log Analytics workspace
      • Sources include on-premises and multiple cloud
      • Can be across users, devices, applications
      • 👀 See also: data sources
    • Detecting - alert detection
      • Minimize false positives by using an unparalleled threat intelligence
      • Detects previously undetected threats using machine learning
      • 👀 See also: hunting
    • Investigating - threat visibility and proactive hunting
      • Enhances with artificial intelligence
      • Allows hunting for suspicious activities
      • 👀 See also: incidents
    • Responding - threat response
      • Built-in orchestration and automation of common tasks.
      • 👀 See also: playbooks
  • Integrates with
  • It’s resource is called “Azure sentinel workspace”
  • You can see incidents from multiple Azure Sentinel workspace or tenants
    • Azure Lighthouse allows you to manage multiple tenants
    • You can hunt in different workspaces in same query

Workbooks #

  • Interactive dashboards
  • There are gallery of workbooks
    • E.g. nice graphs for insecure protocols (LDAP, SMB, Kerberos…)
  • You can also create your own workbooks using queries
  • Can be exported/imported as JSON file, called Gallery Template
  • 👀 See Workbooks | Azure/Azure-Sentinel (GitHub)  for workbook examples

Analytics rules #

  • Also known as detection rules
  • Can be
    • built-in: there are already many
    • or custom: with custom triggers, periodicity etc.
  • Each rule triggers an alert based on a condition
    • When an alert is generated it can run playbook
    • or automation rules that can tag, assign, or run a playbook
  • Can enable User and Entity Behavior Analytics (UEBA)
    • Can map query results to entities e.g. a malware or a security group
  • Optionally creates incidents
  • Each rule can have tactics
    • Used to help with filtering rules and classification
    • MITRE ATT&CK  framework
  • Built-in rules has different alert types
  • Uses Kusto Query Language (KQL) as query language
  • 👀 See Azure/Azure-Sentinel | GitHub  for query examples

Rules alert types #

  • Microsoft security (can be custom)
    • Creates incidents every time an alert is triggered in a connected Microsoft security solution
    • E.g. Microsoft Cloud App Security, Microsoft Defender for Identity
  • Fusion (built-in only)
    • Uses machine learning to correlate low-fidelity events
    • E.g. “mass file download following suspicious Azure AD sign-in”, see more 
  • Machine learning behavioral analytics (built-in only)
    • Based on proprietary Microsoft machine learning algorithms
  • Scheduled (can be custom)
    • Based on built-in queries written by Microsoft security experts
    • E.g. “Malware in the recycle bin”
  • 👀 Read more: Detect threats out-of-the-box | Microsoft Docs 

Automatic URL detonation #

  • Enrich alerts with screenshots (e.g. for phishing sites), verdicts, final URLs
  • Query results can map to a new URL entity type
  • Can configure URL entities in analytics rules

User and Entity Behavior Analytics (UEBA) #

  • Detect any anomalous behavior of users and entities by profiling them
  • Entities include non-user accounts e.g. computers, services etc.
  • Can detect e.g. • abuse of privileged identities • compromised user and entities • insider threats • data exfiltration
  • E.g. if user downloads 10 MB per day and downloads many GBs it would trigger an alert
  • Data sources include: • Audit logs • Azure activity • Security events • Signing logs
  • Used by both Azure Sentinel and Defender for Identity"¨
  • Enabled and data is stored inside Sentinel workspace

Hunting #

Queries #

  • Run built-in queries or own queries with KQL
  • You can save queries to run later
  • You can add tags
  • Azure Sentinel bookmarks
    • You can tag and bookmark query results
    • Allows you to investigate using investigation map
  • Azure Sentinel livestreams
    • Allows you to
      • test queries without conflicting with existing rules
      • get notified when it hits without creating a rule rules
      • add queries to livestreams to run them later or in a scheduled manner.
      • investigate them
    • 💡 Good to start with creating livestreams and if queries work promote them to creating rules.

Azure Sentinel Notebooks #

  • Integrates Jupyter notebooks for hunting using an indeterminate component
    • Charged for notebook compute + storage
  • Can also save data as HTML/JSON
  • ❗️ Requires Azure Machine Learning workspace
  • 👀 See GitHub page (Azure/Azure-Sentinel-Notebooks)  for open-source library of samples

Investigation graph #

  • Also known as investigation map
  • Allows you to investigate entity relationships in incidents
  • Displays entity relationships extracted automatically from the raw data
  • Requires using “entity mapping fields” in analytics rules
  • Azure Sentinel Investigation Graph / Investigation map

Playbooks #

  • Helps to automate and integrate across tools
  • Can be triggered from an alert or incident investigation
  • Can be used for e.g.
    • incident management: to open a ticket in JIRA/service now
    • enrich investigation: • GeoIP lookups
    • remediation: • block IP address/user access • isolate machine • trigger conditional access
  • 👀 See GitHub page  for open-source library of samples
  • Done using Logic apps + APIs

Incidents #

  • Container for related alerts
  • You can
    • assign incident to someone
    • change its severity
    • track and change its status (new, done etc.)
    • add bookmarks, tags and comments
    • investigate in “Defender for Endpoint”
    • can execute playbooks for automating stuff like
      • integrating with a ticketing system using logic app
      • automatically assigning an incident to someone when it’s created
    • can be investigated using investigation graphs

Machine learning #

  • Can use built-in models or bring your own models
  • E.g. anomalous RDP detection  for unusual IP/geolocation or new user
  • Calculates possible kill chain
  • Options
    1. Azure Machine Learning
      • Run models hosted in the Azure Sentinel Notebooks
      • 💡 Easier, good for small data sets
    2. Azure Databricks/Apache Spark
      • You can
        • bring your own data via EventHub or Azure Blobs
        • or export the data from Azure Sentinel Log Analytics tables
      • 💡 Good for deploying and operating models for larger data

Bring Your Own Machine Learning (BYO-ML) platform #

  • Used for using own machine learning models
  • Works with both Azure Databricks/Apache Spark and Jupyter Notebooks options
  • Includes, samples, sample data, templates and libraries to communicate with Log Analytics (LA)
  • Read more: Bring your own ML | Microsoft Docs 

Azure Sentinel Fusion #

Data sources #

  • Azure services
    • Azure AD, Activity Logs, AIP, ASC, AzWAF…
    • Microsoft 365 Defender, Azure Defender, Microsoft 365 sources
  • 3rd parties
    • Cloud platforms such as AWS.
    • Others e.g. Symantec, Cisco, Citrix…
    • Threat intelligence
      • Lets you import the threat indicators from 3rd parties
      • Imports log events that can be used in queries, notebooks, workbooks and rules.
      • Providers include MISP, Palo Alto, Check Point…
      • Via Microsoft Graph Security API
    • Microsoft Host Integration Server (HIS) can be used to integrate IBM solutions.
  • Custom
    • Azure Sentinel receives custom data over HTTPs (443)
    • Supports • REST-API • Common Event Format (CEF) • Syslog over port 443
    • Other protocols (e.g. syslog 514) should use middleware (e.g. a linux agent) to transform data to log analytics REST HTTPs
    • Log Analytics agent
      • Can be installed on physical and Windows/Linux virtual machines
      • E.g. can be installed on a Log Analytics server
    • 💡 Connector proxy can be deployed if all machines should not be open to Internet

Watchlists #

  • Custom CSV data you can upload to Azure

  • Its data can be used for correlation with the events in Sentinel

  • Can be used in search queries, detection rules, threat hunting, and response playbooks

  • E.g. using KQL:

      let watchlist = (_GetWatchlist('CustomWatchListName') | project CustomColumnName);
      | where ComputerIP in (watchlist)

Pricing #

  • Pay for per gigabyte (GB) for the volume of data ingested for analysis
  • Can purchase Capacity Reservations to for CapEx commitment, will be up to 60% cheaper.
  • Main costs
    • Sentinel ingestion
    • Log Analytics ingestion
    • Storage (retention)
  • No charges for queries
  • Other (optional) costs for other integrated systems e.g.
  • 👀 See its pricing page  and Azure Pricing calculator 

Onboarding Azure Sentinel #

Log Analytics Workspace for Azure Sentinel #

Retention #

  • Saved for 90 days by default
  • ❗️ Max available is 2 years (charged more)
  • 💡 For long term storage, export data to storage account
  • You can use Table Level retention for different retention settings based on data

One vs multiple log analytics workspaces #

  • 💡 Use 1 workspace if you can; both for Azure Security Center and Azure Sentinel
    • But can use multiple workspaces for e.g. granular access control, regulatory compliance.
  • ❗️ You can only connect 1 log analytics workspace at a time

Audit logs #

  • Can log who runs queries and query text
  • Diagnostic settings -> Audit -> Select workspace / Event Hub / Storage to store logs
  • If workspace is chosen, information is saved in a table called LAQueryLogs in workspace

Built-in RBAC roles #

Role  Create and run playbooks  Create and edit dashboards, analytic rules, and other Azure Sentinel resources Manage incidents (dismiss, assign, etc.)  View data, incidents, dashboards and other Azure Sentinel resources
Azure Sentinel Reader - - - ✔️
Azure Sentinel Responder - - ✔️ ✔️
Azure Sentinel Contributor - ✔️ ✔️ ✔️
Azure Sentinel Contributor + Logic App Contributor ✔️ ✔️ ✔️ ✔️