Azure Sentinel AKA The Eye of Sauron
"The Eye was rimmed with fire, but was itself glazed, yellow as a cat’s, watchful and intent, and the black slit of its pupil opened on a pit, a window into nothing".
Imagine sticking the Eye of Sauron, the all-seeing eye, in your enterprise estate?
You could see all the sneaky little hobbitses trying to steal your precious!
Well now you can thanks to the almighty Azure Sentinel.
Azure Sentinel is a cloud-native (so scalable) SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) solution.
SIEM - Real-time analysis of security alerts/logs
SOAR - Automate responses to security threats
In short, Azure Sentinel is a jacked-up Eye of Sauron looking over everything that happens, flagging hobbits that look like Frodo (security alerts) and automatically responding with orcs (quarantine, block, escalation etc.).
It works by doing 4 main things:
Connect to Collect
First things first, you need to start connecting your security resources to Azure Sentinel. It being a Microsoft product, the Microsoft integrations are readily available, but non-Microsoft sources can be connected via common log formats such as Syslog and CEF (Common Event Format).
More info on Microsoft and external service connections here as I'm not writing a tutorial.
Detect the sneaky hobbitses
As Azure Sentinel uses machine learning and user behaviour analytics, it detects threats fast.
- Based on your security analytics rules, when a match is detected, Azure Sentinel sends the alerts to Azure ATP.
- Azure ATP checks which user entities are related to the alerts, and calculates the investigation priority for those users.
- Azure ATP then recalculates the score of the users after it is enriched with data from your analytics rules for Azure Sentinel.
All of this information then gets populated into a pretty dashboard, giving you the likes of events and alerts over time, potentially malicious events, recent cases and data source anomalies.
"The Dark Lord was suddenly aware of him, and his Eye piercing all shadows looked across the plain to the door that he had made; and the magnitude of his own folly was revealed to him in a blinding flash, and all the devices of his enemies were at last laid bare. Then his wrath blazed in consuming flame, but his fear rose like a vast black smoke to choke him. For he knew his deadly peril and the thread upon which his doom now hung."
Investigate using the Nazgul
When Sauron found out where Frodo was he would send out the airborne Nazgul to investigate and hunt him down; in this case Azure Sentinel has deep investigation tools to turn over rocks, understand the scope and find potential root causes.
The above initially started from an alert of a failed login attempt from a user on a specific host. Next, Azure Sentinel analysed the data associated with the user to find additional insights and related alerts, bringing up notifications of suspicious PowerShell scripts, odd sign-ins and mass downloads from said user, giving the full scope of what occurred to help paint a bigger picture.
Begin the hunt
Investigating alerts is reactive, but organisations should be proactive about security also.
Azure Sentinel has a 'Hunting' feature (yes, the option is actually called Hunting) where you can run powerful queries, both built-in and bespoke, to scour the mountains of data you have for anomalies, suspicious activity and more.
There is a lot more information with respect to queries but it all goes over my head so click here for more info.
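Both the detection rules in the Detect section and the hunting queries here are written in KQL (Kusto Query Language). As an added example, not from the original article or from Microsoft, here is a query for the scenario described under Investigate: a burst of failed sign-ins followed by a success from the same user and IP. It assumes the Azure AD sign-in connector is enabled so that the SigninLogs table exists; the lookback window and failure threshold are made-up values to tune for your estate.

```kusto
// Added example (not from the original article): a Sentinel hunting /
// analytics query in KQL. Assumes the Azure AD sign-in connector is on, so
// SigninLogs is populated. In SigninLogs, ResultType "0" is a successful
// sign-in and any other value is a failure.
let lookback = 1d;          // assumed window; adjust to taste
let failThreshold = 5;      // assumed number of failures worth a look
// Step 1: users and source IPs with a burst of failed sign-ins
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where FailedCount >= failThreshold;
// Step 2: successful sign-ins from the same user and IP
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress,
              SuccessTime = TimeGenerated, AppDisplayName;
// Step 3: keep only successes that came after the last failure
failures
| join kind=inner (successes) on UserPrincipalName, IPAddress
| where SuccessTime > LastFail
| project UserPrincipalName, IPAddress, FailedCount,
          FirstFail, LastFail, SuccessTime, AppDisplayName
| order by FailedCount desc
```

Run it from the Hunting blade to triage by hand, or paste the same query into a scheduled analytics rule so each hit becomes an alert that a playbook can act on.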
Automation so you can lay back
Built on the foundation of Azure Logic Apps, you are able to orchestrate automated responses based on rules you have set.
Alert in Azure Sentinel?
- Create record in ServiceNow
- Post message in Security Teams Channel
- Send Approval Email
- Block user in Azure AD
- Block IP on Firewall
- Etc.
These procedures are known as security playbooks, which are run in response to an alert; they are highly customisable to most scenarios. More info here :)
Power in numbers - Community
Aragorn: "If by my life or death I can protect you, I will. You have my sword…
Legolas: …and you have my bow…
Gimli: …and my axe."
GitHub of course: Repository
Remember...