As always happens at this time of year, with Microsoft Ignite just around the corner, there has been a flurry of Azure announcements: services leaving their ‘preview’ status and many new services being announced. As part of this, Microsoft have announced this week that their SIEM service, ‘Azure Sentinel’, has gone ‘GA’, which means it is now Generally Available and Microsoft supports its use in production, live environments.
So, the first question is ‘what is SIEM and do I need one?’ SIEM stands for Security Information and Event Management which, as the name suggests, is about security logging and management that can provide real-time analysis of security alerts generated by applications and network hardware. SIEM is not a new concept; SIEM tools have been around for a long time, with many well-known toolsets such as ManageEngine and Splunk leading the pack. What sets Azure Sentinel apart is, of course, Azure. Being part of Azure offers the usual scalability but, in addition, allows you to utilise Microsoft’s machine learning abilities, which we’ll see later.
Data and connectors
With Azure Sentinel, you really will get out of it what you put in. Connecting Azure Sentinel to an existing workspace that already collects Azure logs will almost instantly start to highlight security data to you but, if you invest the time and create connectors into other services and tools, you will really start to get a more rounded picture of your security position. And those connectors don’t stop with Microsoft services: Microsoft is working with several well-known security hardware and service vendors to pull their logs into Azure Sentinel quickly and effortlessly.
Analysis and Machine Learning
It’s great having all of this data in one place but, as is always the case with large pools of data, understanding and analysing what you have is where the real difficulty arises. Azure Sentinel’s Machine Learning capabilities help to quickly highlight suspicious activity without any Machine Learning knowledge on your part – it works out of the box (providing you have the data, obviously!).
Microsoft uses two different Machine Learning approaches. The first is a simpler approach to identifying suspicious logins across Microsoft identity services. The second uses a Machine Learning technique called ‘Fusion’. Fusion allows Microsoft to correlate data from multiple sources, like Azure AD anomalous logins and Office 365 activities, to detect 35 different types of threat!
Hunting and Investigation
If you already work in the security space or with other SIEM toolsets you will be familiar with the concepts of hunting, investigation and response. Azure Sentinel provides an extensive list of hunting queries (hunting is the process of proactively searching through datasets to detect and respond to threats). While on the subject of the available queries, it is worth noting that the Azure Sentinel GitHub repo now contains 400 hunting and detection queries, all for your use. The repo also contains sample Azure Notebooks, playbooks and parsers.
Microsoft has integrated Jupyter Notebooks into the Azure Sentinel environment. Jupyter Notebooks are an open-source tool that allows you to create and share documents that contain live code, equations, visualizations and narrative text. Notebooks allow you to pull together all your investigation results into one place.
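To make the idea of a hunting query concrete, here is the kind of logic two of the classic sign-in hunts encode, written as plain Python of the sort you would run inside a notebook. This is an added example, not code from the Azure Sentinel GitHub repo: the pipe-delimited log format, the users and the IP addresses are all constructed for illustration, and the function names are my own.

```python
"""Two hunting-style detections over sign-in events shaped like an Azure AD sign-in log.

Added example: this is not code from the Azure Sentinel GitHub repo. The pipe-delimited
input format, the users and the IP addresses are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SignIn:
    time: datetime
    user: str
    ip: str
    result: str  # "Success" or "Failure"


# Constructed sample log (fictitious users, documentation-range IPs): time|user|ip|result
SAMPLE_LOG = """\
2019-09-24T08:00:00Z|alice@contoso.example|203.0.113.7|Failure
2019-09-24T08:00:20Z|alice@contoso.example|203.0.113.7|Failure
2019-09-24T08:00:40Z|alice@contoso.example|203.0.113.7|Failure
2019-09-24T08:01:00Z|alice@contoso.example|203.0.113.7|Failure
2019-09-24T08:01:20Z|alice@contoso.example|203.0.113.7|Failure
2019-09-24T08:02:00Z|alice@contoso.example|203.0.113.7|Success
2019-09-24T08:05:00Z|bob@contoso.example|198.51.100.4|Failure
2019-09-24T08:30:00Z|bob@contoso.example|198.51.100.4|Success
2019-09-24T09:00:00Z|carol@contoso.example|192.0.2.9|Failure
2019-09-24T09:00:05Z|dave@contoso.example|192.0.2.9|Failure
2019-09-24T09:00:10Z|erin@contoso.example|192.0.2.9|Failure
2019-09-24T09:00:15Z|frank@contoso.example|192.0.2.9|Failure
2019-09-24T09:00:20Z|grace@contoso.example|192.0.2.9|Failure
"""


def parse_log(text):
    """Parse the constructed format into SignIn records sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.strip().split("|")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(SignIn(when, user, ip, result))
    return sorted(events, key=lambda e: e.time)


def failed_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a success preceded by >= threshold failures from the same IP within `window`.

    This is the brute-force pattern: many wrong guesses, then one that works. In KQL the
    equivalent hunt joins SigninLogs failures against successes on IPAddress."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    findings = []
    for ip, evs in by_ip.items():
        for e in evs:
            if e.result != "Success":
                continue
            prior = [f for f in evs
                     if f.result == "Failure" and e.time - window <= f.time < e.time]
            if len(prior) >= threshold:
                findings.append({"ip": ip, "user": e.user, "failures": len(prior),
                                 "first_failure": prior[0].time, "success": e.time})
    return findings


def spray_candidates(events, min_users=5, window=timedelta(minutes=30)):
    """Flag an IP whose failures touch >= min_users distinct accounts inside `window`.

    This is the password-spray pattern: one or two guesses per account across many
    accounts, so a per-account lockout threshold never trips. A sliding window over
    the time-sorted failures keeps the scan linear."""
    by_ip = defaultdict(list)
    for e in events:
        if e.result == "Failure":
            by_ip[e.ip].append(e)
    findings = []
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end].time - fails[start].time > window:
                start += 1
            users = {f.user for f in fails[start:end + 1]}
            if len(users) >= min_users:
                findings.append({"ip": ip, "distinct_users": len(users),
                                 "window_start": fails[start].time,
                                 "window_end": fails[end].time})
                break  # one finding per IP is enough to open an investigation
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in failed_then_success(evs) + spray_candidates(evs):
        print(finding)
```

On the sample data the first hunt flags 203.0.113.7 (five failures then a success for one account) and the second flags 192.0.2.9 (five different accounts failing within twenty seconds), while the single failure from 198.51.100.4 trips neither. The thresholds and windows are the knobs you tune against your own baseline; the value of keeping the hunts as code in a notebook is that you can re-run them against fresh data and keep the results next to your notes.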
One of my favourite features is the investigation graph. The graph allows you to easily visualise and traverse the connections between entities like users, assets, applications, or URLs by clicking into an entity and ‘drilling down’ to understand the relationships and what is happening in the environment.
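The investigation graph is, underneath, a graph of entities joined by observed relationships, and ‘drilling down’ is a bounded traversal from one node. The following is an added example that imitates that idea in a few lines of Python; it is not Sentinel’s implementation, and the relationship records, entity names and method names are constructed for illustration.

```python
"""A minimal investigation graph: entities as nodes, observed relationships as edges,
and a bounded 'drill down' from one entity.

Added example that imitates the idea of Azure Sentinel's investigation graph, not its
implementation. All records below are constructed; entities are typed by prefix."""
from collections import defaultdict, deque

# Constructed relationship records: (subject, relation, object).
RECORDS = [
    ("user:alice@contoso.example", "signed_in_from", "ip:203.0.113.7"),
    ("user:alice@contoso.example", "logged_on", "host:WS-0142"),
    ("ip:203.0.113.7", "connected_to", "host:WS-0142"),
    ("host:WS-0142", "ran", "app:powershell.exe"),
    ("app:powershell.exe", "requested", "url:http://203.0.113.50/"),
    ("user:bob@contoso.example", "signed_in_from", "ip:203.0.113.7"),
    ("user:carol@contoso.example", "logged_on", "host:WS-0200"),
]


class InvestigationGraph:
    def __init__(self, records):
        # node -> [(relation, neighbour, direction)]; traversal is undirected,
        # the direction is kept only so a path can be printed as recorded.
        self.edges = defaultdict(list)
        for subject, relation, obj in records:
            self.edges[subject].append((relation, obj, "->"))
            self.edges[obj].append((relation, subject, "<-"))

    @staticmethod
    def entity_type(node):
        return node.split(":", 1)[0]

    def drill_down(self, start, max_hops=2):
        """Breadth-first expansion from `start`; returns {entity: hops_from_start}.

        Bounding the hop count matters: a busy IP or a shared host links to almost
        everything, so an unbounded expansion becomes the whole estate."""
        seen = {start: 0}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            if seen[node] >= max_hops:
                continue
            for _, neighbour, _ in self.edges[node]:
                if neighbour not in seen:
                    seen[neighbour] = seen[node] + 1
                    queue.append(neighbour)
        return seen

    def shared_entities(self, a, b):
        """Entities directly connected to both a and b (e.g. two users on one IP)."""
        near_a = {n for _, n, _ in self.edges[a]}
        near_b = {n for _, n, _ in self.edges[b]}
        return near_a & near_b

    def path(self, start, goal):
        """Shortest chain of (subject, relation, object) hops linking two entities."""
        prev = {start: None}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            if node == goal:
                break
            for relation, neighbour, direction in self.edges[node]:
                if neighbour not in prev:
                    prev[neighbour] = (node, relation, direction)
                    queue.append(neighbour)
        if goal not in prev:
            return []
        hops, cur = [], goal
        while prev[cur] is not None:
            node, relation, direction = prev[cur]
            hops.append((node, relation, cur) if direction == "->" else (cur, relation, node))
            cur = node
        return list(reversed(hops))


if __name__ == "__main__":
    g = InvestigationGraph(RECORDS)
    alice = "user:alice@contoso.example"
    for entity, hops in sorted(g.drill_down(alice).items(), key=lambda kv: kv[1]):
        print(hops, g.entity_type(entity), entity)
    for hop in g.path(alice, "url:http://203.0.113.50/"):
        print(" ".join(hop))
```

Two hops from alice reach the IP, the workstation, the second user who shares that IP and the process on the workstation; the URL is three hops away and only appears when you expand further, which is exactly the ‘click into an entity’ step the graph UI offers. `path` answers the question an analyst asks most often in that view: how are these two things connected at all?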
Azure Sentinel isn’t just a SIEM tool; it is also a SOAR (Security Orchestration, Automation and Response) tool, in other words, it allows you to automate and orchestrate the response to a potential threat. As already mentioned, Azure Sentinel brings together many pre-existing Azure services and this is a great example: Azure Logic Apps are used to provide the automation. As a very basic example, if suspicious activity is detected for a user you could use a Logic App to lock the user’s account.
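The ‘lock the account’ playbook sounds trivial, but the parts that make it safe to run unattended are the conditions around the action: which severities are auto-actioned, which accounts are never touched, and what happens when the same alert fires twice. The following is an added example in Python that models that decision logic; it does not call Azure, Azure AD or Logic Apps. The alert fields, the in-memory directory and the protected-account list are constructed assumptions standing in for the real connectors a Logic App would use.

```python
"""A toy playbook: the decision logic a Logic App would apply when Azure Sentinel
raises an alert about a user account.

Added example; it does not call Azure, Azure AD or Logic Apps. The alert shape, the
in-memory directory and the protected-account list are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class Alert:
    """Subset of the fields an alert handed to a playbook would carry (constructed)."""
    id: str
    severity: str   # "Low" | "Medium" | "High"
    title: str
    entities: list  # e.g. [{"kind": "account", "name": "alice@contoso.example"}]


class FakeDirectory:
    """In-memory stand-in for the identity provider a real playbook would call."""

    def __init__(self, users):
        self.users = {u: {"enabled": True, "sessions": 2} for u in users}

    def is_enabled(self, upn):
        return self.users[upn]["enabled"]

    def disable_user(self, upn):
        self.users[upn]["enabled"] = False

    def revoke_sessions(self, upn):
        """Invalidate existing tokens too; disabling sign-in alone leaves live sessions."""
        count = self.users[upn]["sessions"]
        self.users[upn]["sessions"] = 0
        return count


# Accounts that automation must never lock out (assumed: break-glass admins).
PROTECTED_ACCOUNTS = {"breakglass@contoso.example"}


def run_playbook(alert, directory, notify, auto_block_severities=("High",)):
    """Trigger: an alert. Condition: severity and entity type. Actions: disable,
    revoke, notify. Returns an audit trail of (account, action, detail) tuples."""
    audit = []
    if alert.severity not in auto_block_severities:
        audit.append(("*", "skip", f"severity {alert.severity} is not auto-actioned"))
        return audit
    for entity in alert.entities:
        if entity.get("kind") != "account":
            continue  # IPs, hosts etc. are left for the analyst
        upn = entity["name"]
        if upn in PROTECTED_ACCOUNTS:
            audit.append((upn, "skip", "protected account, manual review required"))
            notify(f"[{alert.id}] {alert.title}: protected account {upn} flagged, no action taken")
            continue
        if upn not in directory.users:
            audit.append((upn, "skip", "unknown account"))
            continue
        if not directory.is_enabled(upn):
            audit.append((upn, "skip", "already disabled"))  # re-runs are idempotent
            continue
        directory.disable_user(upn)
        audit.append((upn, "disable", "sign-in blocked"))
        revoked = directory.revoke_sessions(upn)
        audit.append((upn, "revoke", f"{revoked} sessions revoked"))
        notify(f"[{alert.id}] {alert.title}: {upn} disabled, {revoked} sessions revoked")
    return audit


if __name__ == "__main__":
    directory = FakeDirectory(["alice@contoso.example", "breakglass@contoso.example"])
    alert = Alert("inc-1", "High", "Suspicious sign-in",
                  [{"kind": "account", "name": "alice@contoso.example"},
                   {"kind": "ip", "name": "203.0.113.7"}])
    for step in run_playbook(alert, directory, print):
        print(step)
```

The protected-account check is the one I would insist on before switching any lock-out playbook to run automatically: an alert that fires against your break-glass administrators, whether a true positive or a false one, must raise a human rather than lock the door behind you. The idempotency check keeps a re-triggered alert from producing a second round of notifications.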
I would highly recommend getting stuck in and exploring further what Azure Sentinel has to offer.