Microsoft Azure Sentinel is a cloud-native SIEM solution built by Microsoft in the Azure cloud. It allows Security professionals to detect, hunt, investigate and respond to threats.
Security information and event management (SIEM) technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards and reporting).https://www.gartner.com/en/information-technology/glossary/security-information-and-event-management-siem
Azure Sentinel works on top of Azure log analytics which is the storage resource that ingests and stores all the logs that you would like to query. Sentinel doesn’t do the logging side of the equation but rather is an effective ‘skin’ so you can easily create new rules and hunts that detect potential malicious activity on your, or your customers network.
Once alerts are raised they are raised under a single incident which can contain multiple alerts and at this point require investigation by a SOC, security operations team or anybody that does the monitoring for the business. Sentinel also includes hunting capabilities where potentially malicious activity can be hunted for in the logs that went under the radar. This is to detect threats and to improve alerting capabilities and all queries can be triggered at once within the Azure portal.
Log analytics overview
As previously mentioned Azure Log Analytics is the logging platform and is the place where all logs and ingested to are stored for a specific amount of time which is configurable, as standard with Azure Sentinel on top of the log analytics workspace there is a free 90 day retention although there is a separate cost for data ingest, see here for details about pricing.
Microsoft KQL Language
Within the log analytics workspace you will be able to traverse to the logs tabs which is where you can query all the logs ingested into the workspace by using the KQL language. Some fantastic resources to learn the KQL language can be found here and here, however if you have performed querying in other SIEM’s/logging solutions then the basics will be easy to pick-up.
While querying your logs you are also able to query logs across multiple workspaces. This can be done by going to the log analytics workspace and then the logs tabs where you will see select workspace in a blue box above where the tables have been populated. Note that if you traverse to the logs page via Azure Sentinel then this option will not be present. An alternative to this method is to include the log analytics workspaces in your query or by saving this query as a function that can be called in any queries and alerts.
Azure Function for looking across multiple workspaces for Security events (Windows OS events) - "union SecurityEvent, workspace("WorkspaceName").SecurityEvent, workspace("WorkspaceName").SecurityEvent"
For details around log ingestion I have created a separate blob page which goes into depth around this and can be found by clicking the following button.
Azure Sentinel contains a few different key areas within the portal
Incidents – Once an analytic rule that has been enabled and is triggered it will create a new incident in the queue or will add an alert to an existing incident. These incidents can then be investigated via the visual graph and a correlating log will be added to the ‘SecurityIncident’ & ‘SecurityAlert’ tables in the log analytics workspace. Note that only the details of the alert such as asset involved and corresponding log will be include in the log file under the ‘SecurityAlert’ table.
Hunting – Hunting is Microsoft’s solution for threat hunting in an environment and allows cyber Security experts to hunt for threats that were missed by analytic rules.
Analytic Rules – These rules are the SIEM alerting rules and the ‘bread and butter’ of Sentinel. The analytic rules are built using the KQL language and will trigger alerts and incidents if the rule is matched within the logs.
Workbooks – Workbooks are the dashboards within Azure where you are able to visualise your data however you would like. Visualisations like traditional pie charts, bar charts are all included but there are some more unique and interesting visualisations that can be utilised to improve the visibility on your data.
Data Connectors – Wanting to get started with Sentinel an onboard some logs? If so then data connectors are your go to. These prebuilt connectors by Microsoft allow you to connect your logs in easy to follow steps. Some of these connectors include, Windows OS Security logs, Palo Alto firewalls, Infoblox DHCP, Qualys, AWS Cloudtrail and 58 others (as of December 2020). Note that although some logs like Palo Alto and Cisco ASA’s are supported, you will still need to spin up your own CEF Forwarders where the logs are syslogged to and then sent over HTTPS to the log analytics API endpoint.
Playbooks – Playbooks are the SOAR capability Microsoft provide to enhance your response and alerting capabilities. It allows you to build up playbooks in a visual method through the Azure Portal to allow for repeatable and quick response.
For details around threat hunting and analytic rules I have created a separate blog pages which goes into depth around these and can be found by clicking the following buttons.
Community GitHub for Azure Sentinel which contains everything from alerting rules and queries to example workbooks that can be used.