What is Microsoft Sentinel?

Take SIEM and SOAR Further than Ever Before, with Scalable, Cloud-Native Intelligent Security and Analytics from Microsoft Azure Sentinel

Once upon a time, keeping data safe meant keeping it close. But with the advent and subsequent proliferation of cloud computing, that mindset has changed. Today, as much as 60% of all corporate data is stored in the cloud, and more potentially sensitive information makes the journey from on- to off-premises every day. Unfortunately, increased cloud use doesn’t necessarily mean increased cloud trust – approximately 60% of IT and security leaders are not fully confident in their organization’s ability to secure vital cloud access.

The sad truth is that whether it’s on-site or in the cloud, business data is under constant attack from increasingly sophisticated cyber threats. At the same time, there’s so much at stake: Loss of revenue, exposure of customer information, reduction in business capabilities, reputational damage, and legal penalties for failing to meet regulatory standards are all very real consequences for even minor breaches. As such, organizations in all industries need effective solutions for instantly detecting and managing threat anomalies in all of their forms and across their entire attack surface.

Microsoft Azure Sentinel is designed to meet these needs.

What is Azure Sentinel?

Microsoft Azure Sentinel (recently renamed Microsoft Sentinel) is a security information and event management (SIEM) system that is also a platform for security orchestration, automation, and response (SOAR). The Azure SIEM/SOAR solution is an enterprise-wide approach to data security, offering a bird's-eye view of every part of your business and delivering intelligent security analytics for optimal attack detection, threat visibility, proactive hunting, and threat response.

Fully cloud-native and capable of scaling to match any organization’s changing needs, Azure Sentinel is the culmination of decades’ worth of data-security experience, applying advanced AI capabilities to empower modern organizations with faster, smarter large-scale intelligence – without the need for in-house infrastructure development or maintenance costs.

What Does Azure Sentinel Do?

Microsoft Sentinel is a comprehensive approach to protecting your company’s data. This single solution aggregates data from all sources across the entire enterprise, including applications, users, servers, and on-premises and cloud-based devices.

In other words, Azure Sentinel is a fully integrated security solution, capable of the following functions:

Collecting Data
Every part of your business produces data, and fully understanding that data is central to building a strong security posture. Azure Sentinel collects data from every data source, using the Log Analytics tool to store relevant events and other information for detailed analysis.

Detecting Threats
Placing your data under a microscope, Azure Sentinel applies Microsoft Analytics backed by constantly evolving threat intelligence to identify any undetected threats or suspicious activity within the system while minimizing the chance of encountering false positives. When potential risks are detected, security teams are immediately notified and threats are categorized and listed for assignment and investigation.

Investigating Threats
Microsoft Sentinel allows you to go on the offensive, hunting for suspicious activities and investigating threats through detailed data analysis correlated across multiple sources. AI-enhanced capabilities make it possible to scale threat investigation to a business of any size.

Responding to Threats
When your data is under attack, every second counts. Azure Sentinel includes automation options and built-in orchestration, for immediate threat response capabilities.

What are the Elements of Azure Sentinel?

Although Microsoft Sentinel is a single, comprehensive security-intelligence solution, it is composed of several different components. These nine primary elements include:

Analytics
Advanced analytics in Azure Sentinel uses the Kusto Query Language (KQL) to allow users to create their own customized alert conditions. Alerts are grouped into ‘incidents’ representing possible threats for investigation and resolution, reducing the overall number of alerts that need to be reviewed by IT security teams.

Cases
Based on user-defined analytics, Microsoft Sentinel collects all relevant investigation evidence into specific cases, containing one or more alerts.

Community
Microsoft Sentinel has a dedicated and thriving community, centered on the GitHub Azure Sentinel community page. This community includes vital resources for detections based on a variety of data sources, along with security playbooks, hunting queries, and more.

Dashboards
Data visualization is a major element of Azure Sentinel; built-in dashboards allow users to easily review aggregate data insights at a glance.

Data Connectors
As a part of the greater Microsoft ecosystem, Sentinel integrates seamlessly with other Microsoft and Microsoft-partner solutions and products. This allows data to be shared and ingested throughout multiple systems.

Hunting
Azure Sentinel uses proactive threat analysis enhanced with AI and the machine-learning capabilities of KQL to detect anomalous behavior and improve its effectiveness over time.

Notebooks
Built-in integrations with Jupyter Notebook provide direct access to valuable libraries and modules for embedded analytics, data analysis, machine learning, and visualization. This expands usability and increases the potential applications of collected and stored data.

Playbooks
When alerts occur, knowing what steps to take can make all the difference. Microsoft Sentinel includes playbooks detailing exactly what actions need to be taken in response to specific security alerts. Azure Logic Apps further improve flexibility and customization by allowing users to automate and orchestrate relevant response tasks and workflows.

Workspace
Microsoft Azure Sentinel groups data and configuration information from different sources into containers called Log Analytics Workspaces. These Workspaces include data-storage location information, data isolation based on user access rights, and more.

What Threats are Countered by Azure Sentinel?

As a comprehensive, one-stop SIEM/SOAR solution, Microsoft Sentinel is effective in detecting, investigating, and responding to the full spectrum of threat actors and cyber attacks. But while Sentinel provides reliable protection from phishing attacks, botnets, malware, and more, it may be even more vital in countering some of the newest and most innovative threats.

Microsoft Sentinel is a viable solution for:

Credential Stuffing
Security experts continue to admonish users to vary their passwords. That said, many continue to use the same passwords to access various devices and accounts, and are at particular risk of bot-driven credential attacks aimed at stealing login credentials. Sentinel identifies the tell-tale signs of credential stuffing and other identity attacks, locking out threat actors and alerting response teams.

Remote Work Attacks
With new remote-work and hybrid-office employee expectations following the COVID-19 pandemic, vital business data is no longer exclusive to business networks and devices. Azure Sentinel extends vital security capabilities to remote work locations, protecting data where it’s most vulnerable.

Double Extortion Ransomware
One of the greatest risks to data security is the double extortion ransomware attack where cybercriminals take control of an organization’s systems and demand payment in exchange for returning access to the rightful owners. Microsoft Sentinel uses a correlation engine based on scalable machine learning algorithms to determine whether security alerts are related to possible ransomware activity.
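For the credential stuffing case listed above, and the custom KQL alert conditions described under Analytics, here is an added example query (not taken from Microsoft or Ontinue) that surfaces one source address failing sign-ins against many different accounts in a short window and notes any account it then logged in to. It runs against constructed sample rows shaped like the SigninLogs table; the 10-minute window and five-account threshold are assumptions to tune per environment.

```kql
// Constructed sample rows shaped like SigninLogs (documentation IP ranges,
// made-up users). In a workspace, query SigninLogs instead of SampleSignins.
let SampleSignins = datatable(TimeGenerated:datetime, IPAddress:string,
                              UserPrincipalName:string, ResultType:string)
[
    datetime(2024-01-15 09:00:05), "203.0.113.50", "alice@contoso.example", "50126",
    datetime(2024-01-15 09:00:09), "203.0.113.50", "bob@contoso.example",   "50126",
    datetime(2024-01-15 09:00:14), "203.0.113.50", "carol@contoso.example", "50126",
    datetime(2024-01-15 09:00:20), "203.0.113.50", "dave@contoso.example",  "50126",
    datetime(2024-01-15 09:00:27), "203.0.113.50", "erin@contoso.example",  "50126",
    datetime(2024-01-15 09:00:33), "203.0.113.50", "frank@contoso.example", "0",
    datetime(2024-01-15 09:02:10), "198.51.100.7", "grace@contoso.example", "50126",
    datetime(2024-01-15 09:02:40), "198.51.100.7", "grace@contoso.example", "0"
];
let window = 10m;            // assumed time bucket
let minDistinctUsers = 5;    // assumed threshold: accounts targeted per IP per bucket
// ResultType "50126" = invalid username or password; "0" = successful sign-in.
let ManyAccountFailures =
    SampleSignins
    | where ResultType == "50126"
    | summarize FailedAttempts = count(),
                TargetedUsers  = dcount(UserPrincipalName),
                FirstFailure   = min(TimeGenerated),
                LastFailure    = max(TimeGenerated)
            by IPAddress, Bucket = bin(TimeGenerated, window)
    // One user mistyping a password stays below the threshold;
    // one address cycling through many accounts does not.
    | where TargetedUsers >= minDistinctUsers;
ManyAccountFailures
| join kind=leftouter (
    // Accounts the same address signed in to successfully in the same bucket:
    // these are the ones to review and reset first.
    SampleSignins
    | where ResultType == "0"
    | summarize SuccessfulUsers = make_set(UserPrincipalName, 50)
            by IPAddress, Bucket = bin(TimeGenerated, window)
  ) on IPAddress, Bucket
| project IPAddress, Bucket, FailedAttempts, TargetedUsers,
          FirstFailure, LastFailure, SuccessfulUsers
```

Because `bin()` uses fixed buckets, a burst that straddles a bucket boundary is split in two; a scheduled rule with an overlapping lookback period covers that case.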

Microsoft with Ontinue

As a premier Microsoft security partner, Ontinue’s ION MXDR incorporates Microsoft Azure Sentinel to take detection and response beyond detection and response. Backed by extensive experience and ongoing excellence, we can give you the resources, tools, and support you need to protect your data – no matter where you keep it.

Mitigate threats and resolve attacks before they happen, and get the most out of your Microsoft Security Stack, data science and DevOps, and cloud automation and AI. Contact us to learn more about how Ontinue, in conjunction with Microsoft Sentinel, can help your business combat cyber attacks.