Select Page

Azure Sentinel Training- Sentinel SIEM- A Complete Guide

Table of Contents

  1. Introduction
  2. What is SIEM and SOAR? 
  3. What is Azure Sentinel?
  4. Azure Sentinel Pricing
  5. Log Analytics and Azure Sentinel Overview
  6. Deep Dive and Deployment
    1. Workspace
    2. Data Connectors
    3. Analytics Rules
    4. Hunting Rules
    5. Workbooks
    6. Automation
    7. Threat Intelligence
    8. Entity Behavior
  7. Extra sources of Information

1. Introduction

Everything resides on the Internet now a days, whether it is some private photos or intellectual company information. With all of the benefits in the world that Internet has brought us, it came with lots of threats and dangers as well. Cyberthreats and Cybersecurity has become one of the most hot topics where large organizations spend millions and billions of Dollars just to stay protected out there. Hackers attack every 39 seconds i.e  2,244 times a day. 300,000+ new malware is created every day. Cybercrime is more profitable than the global illegal drug trade. The averge data breach now costs up to $3.92 million. 80% of hackers say “Humans are the most responsible for security breaches”. 43% of cyberatttacks target small businesses. On average, companies take about 197 days to identity and 69 days to contain a breach. Hackers steal 75 identities every second.

Microsoft Alone Spends around 1 Billion Dollars on just Security. Global Cybersecurity spending has been predicted to exceed 1 Trillion $ as per this Magazine Aritcle.  All this spending is just done to secure ourselves from the threat out there. There is atleast 1,200 Petabytes ( 1.2 Million Terabytes ) sum total of data stored in just between Google, Amazon, Microsoft and Facebook. It is impossible to manually look at all that data all the time and keep it secure. This is where a SIEM and a SOAR solution comes in and helps us stay secure.

cyberthreat trends

2. What is SIEM and SOAR?

It is impossible for a company or an individual to manually keep a check on all the logs that are getting generated daily. Security Information and Event Management (SIEM) solutions play an imporatant role in capturing all the data and offering a comprehensive view of an enterprise’s information security.

SIEM combines two technologies:- Security Information Management (SIM) and Security Event Management (SEM). SIM collects all the data and logs to conduct analysis and reports on cybersecurity threats and events. SEM is real-time monitoring and conducts co-relation between all the logs and events.

what is siem siem process

SOAR is an acronym for Security Orchestration, Automation and Response. SIEM generates endless number of alerts and incidents. It is really tough for the security analysts to manually look into them and manage all the cases. SOAR helps the organizations to design workflows and introduce playbooks to respond to security threats. They provide the automation capability that is much needed in today’s world to be efficient.

Some of the SIEM and SOAR solutions out there are:-

  1. Azure Sentinel
  2. LogRhthm
  3. Splunk
  4. LogPoint
  5. FireEye
  6. Exabeam

In this post we will be deep diving into Microsoft Azure Sentinel.

 

3. What is Azure Sentinel?

Azure Sentinel is Microsoft’s Security Infromation Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution. It is scalable and cloud-native. Azure Sentinel provide smart security analytics and threat intelligence across the organization. It provides a single hub for threat visibility, alert detection, threat response and proactive hunting. Azure Sentinel provides advance SIEM and SOAR capabilities that every organization need to be secure out there. It is able to collect data at cloud scale across all devices, applications, users and infrastructure, both in multiple clouds and on-premise. 

What is azure sentinel

4. Azure Sentinel Pricing

Let’s just answer one of the most important questions before we proceed on how to deploy and work with it- How much does Azure Sentinel Costs?

There is no upfront cost, no terminations fees and you only pay for what you use. To simplify, Azure Sentinel the tool itself does not cost anything. The cost that is associated with it is based on Data ingestion. That means you only pay for what you want to ingest.

The Pay-As-You-Go pricing is $2.40 per GB-ingested.

There is Free Trial that you can take advantage of. It can be enabled at no additional cost for the first 31 days. Beyond that you will be charges on Pay-As-You-Go pricing model.

There are lots of promotions and discounts available as well:

CapacityPriceDiscount
100 GB per Day$120 per day50%
200 GB per Day$216 per day55%
300 GB per day$312 per day57%
400 GB per Day$400 per day58%
500 GB per Day$480 per day60%
More than 500 GB per Day$480 per day + $96 per day for each 100GB increment after 500 GB.60%

One of the most important initiative that Microsoft took for Azure Sentinel, is that there is no cost for data ingested from the following sources: Azure Activity Logs, Office 365 audit Logs (includes Sharepoint, Exchange and One Drive) and alerts from Microsoft Defender products (Azure Defender, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint), Azure Security Center, Microsoft Cloud App Security and Azure Information Protection can be ingested at no additional cost into both Azure Sentinel and Azure Monitor Log Analytics.

For More information please refer: https://azure.microsoft.com/en-ca/pricing/details/azure-sentinel/

5. Log Analytics and Azure Sentinel Overview

Azure Log Analytics is Microsoft’s OMS (Operations Management Suit) solution which ingests data from your cloud and on-prem resources. It is the primary tool for interactively analysing and editing log queries. Azure Sentinel is a tool that is build on top of Log Analytics. Log Analytics is the base of azure sentinel. Log Analytics gathers all the data and with Azure Sentinel we are able to analyse and secure our environment by constantly investigating that data.

6. Deployment and Deep Dive

Now its time to deep dive into Azure Sentinel, how it works and how to deploy it. We will be starting with how to create a workspace and a brief overview of the dashboard.

1. Workspace

We will be using a Microsoft’s test demo environment for our walkthrough. The first and foremost step is to create a Log analytics workspace if you don’t have one. 

Login to portal.azure.com

Search for Azure Sentinel > Click on Create > Create new workspace ( If you already have a log analytics workspace you will see it here ) > Select your subscription and Resource Group.

Azure Sentinel deep dive
Azure Sentinel deep dive

Once a workspace is created you will see the following Azure Sentinel Dashboard ( In your case it won’t have any data at the moment ) 

At first if you are completely new to Azure Sentinel it can look overwhelming but don’t worry, let’s go over each element that you see over in the dashboard.

Azure Sentinel deep dive

On the top most part of the window we see “Last 24 hours”. This is the timeframe that this dashboard is showing events and incidents of, in this case 24 hours. We can change this timeframe to 7 days or 30 days and also put custom time as well. Below that we see total number of events that occured. Have in mind that these are not total number of incidents that occured but just events and logs. On its right we see total number of incidents and their status. 

Here on the top left side we have Total number of events over time and date. With total number of alerts, total Performance metrics logs that are ingested, security events (ingested from servers, have a look at this blog for an idea Security Events) and others. Below that we have Potential malicious events found in the environment with location. On right top cornor we have the recent incidents that occured in the workspace. Below that we have data source anomalies and findings which we can deep dive into as well.

2. Data Connectors

Once we have a workspace in place, the first and foremost things to setup are the data connectors. We need data to start flowing into sentinel before we can start analysing them. Microsoft has done a great job of making this process really easy, even for most of the 3rd party data connectors. Let’s start with the free data ingestion connectors i.e Azure Active Directory and Office 365.

azure sentinel data connectors

From the Azure Sentinel Dashboard select > Data Connectors from the left panel > Look for Azure Active Directory and select > From bottom right cornor click on Open Connectors Page.  

aZure sentinel data connectors

Once there you will have the full details and the data that is gonna be ingested. On the left panel you will see the description about the connector. Below that it shows the Data Types which are greyed out at the moment. Once they are connected they turn green ( which is a good indicator to check health ). On the right panel it shows us the Prerequisites in terms of permissions we need to make any changes. Below we see the configurations. Its as simple as it looks, just click the ticket mark and apply changes and that data will start flowing to your sentinel Workspace. And like this you can connect all the data connectors that you want to see getting ingested from. To see how to ingest security events from the on-prem servers and enable auditing of Account and group membership changes review this article: Security Events

To review the list of all 3rd party connectors please view the following page:

Azure sentinel Connectors

3. Analytic Rules

Analytic rules are set of KQL ( Kusto Query Language ) queries which are scheduled to run and have a set lookback period. Whenever the analytic rule finds any output it creates a corresponding incident of the severity as specified by the rule. This is where the analysis comes in. With all the data that we have, analytic rules constantly run and look towards all that data and finds information that is really useful. To put this to context let’s go over how to add analytic rules and what to look for.

azure sentinel analytic rules

Lets start from the left side. First Select Analytics from the Left pane. You will be at “Active Rules” Tab and for start there will be nothing as we havn’t added any analytic rule yet. From the middle window at top select “Rule Templates”. These are all the rules that come from Microsoft and also Github community. When we select an analytic rule in our case “User account enabled and disabled within 10 minutes” > On right panel we see all the description and details associated with that particular rule. On top we see Severity i.e “Medium” and rule type as “Scheduled”.

There are 2 types of rules that can be created.

1. Scheduled Rules:

These are the rules which have a set rule frequency i.e Run query every 1 day ( Can be set to anything ) and also Rule Period ( Last 1 Day of data etc ). There is a threshold that we can set ( Trigger alert if query returns more than 0 results ). We can also group the incidents being generated together. There is capability of setting up automation response ( playbooks ) as well.

2. Microsoft incident Creation Rules:

These are the rules which generate incident based on incident generation from other microsoft security sources such as Identity Protection, Microsoft Cloud App Security, Microsoft Defender ATP etc. Note: These type of rules do not have the ability to set automated response. So, you will not be able to get alerted on these incidents. Although, there is an Automation module in preview which can be used to run playbooks whenever these incidents are generated.

To create a new analytic rule we go into the “Templates” blade under analytic rule tab> Then we select the rule that we want to add. Once selected we just hit Create Rule from botthom right cornor of the screen as shown in above image. This will open another window with all the information associated with the rule. We would have the following tabs:

General: This tab shows the Name, Description, Tactics, Sevverity and Status of the rule. We can modify all the things over here. Make sure the status is enabled and we set the severity according to our requirements.

Set Rule Logic: This tab review the query results ( Whenever the query runs what results are shown ), Alert Enrichment ( We have the ability to map entities generated by the rules to appropriate fields available. This enables Azure Sentinel to recognize and classify the data in these fields for further analysis), Query scheduling ( here we specify when do we want the query to run and what should be the lookup data be), Alert Threshold ( A threshold to set on alert to only create an incident when number of query results are greater than this number ), Event Grouping ( We can groups all events according to our needs ) This is indeed one of the most useful tab when it comes to optimization of the rules.

Incident Settings: This is the other most important tab to configure under analytic rules. It has the following options: Incident Settings ( Azure Sentinel alerts can be grouped together into an Incident that should be looked into. ) and Alert Grouping ( Set how the alerts that are triggered by this analytics rule, are grouped into incidents.
Grouping alerts into incidents provides the context you need to respond and reduces the noise from single alerts. )

Automated Response: This is the tab where we can select the playbook that we need it to run whenever an incident is generated. Remember: To enable playbooks to trigger automatically it is important to select the playbook under this tab for each analytic rule that we want it to run.

azure sentinel analytic rules

4. Hunting Rules

Time to go over Hunting Rules. In simple terms, hunting rules are same as analytic rules i.e set of pre-defined KQL queries. The only difference is that hunting rules unlike analytic rules do not create incidents and are not scheduled to run over time. Although the benefit here is we can run all queries at once and view the results which makes a great technique for hunting and looking behind the scenes of the environment.  

azure sentinel hunting queries

We have the ability to click on the “star” icon beside every rule to book mark it. With this ability we can keep the important rules on top. We can also change them into analytic rules if we want them to run over a scheduled period. We can view the data sources, the total results and tactics associated with each rule. Sentinel whenever onboarded comes with a number of hunting rules by default. If we need to add more we can import from Github.

5. Workbooks

Workbooks is one of the most important feature of Azure Sentinel. In normal terms, they are logs presented in a form of graphs and tables. This makes it easier to proactively check the environment quickly rather than manually typing in big log queries. Azure Sentinel has around 90-100 templates in place for almost all kinds of table data schemes including 3rd party sources. 

azure sentinel ninja guide

To add new workbooks go to Azure Sentinel Dashboard> Workbooks from left menu > Search for the workbook you are looking for > click on save from bottom right corner.
It will save the workbook in the “My Workbooks” tab where you can view them easily and also edit and customize them.
Some of the workbooks I personally make sure to check are:

  1. Azure AD Audit Logs
  2. Azure AD Audit, Activity  and Sign-in Logs
  3. Azure AD Sign-in Logs
  4. Azure Key Vault Security
  5. Cybersecurity Maturity Model Certification ( CMMC )
  6. Insecure Protocols
  7. Workspace Audit

These workbooks are much more beneficial than we imagine. Doing a weekly or monthly proactive check on the data can make our investigations much more thorough and deep. 

6. Automation

Any time we are working with a SIEM product, it is really crucial to filter out the noise and reduce the manual intervention as much as we can so we can focus on the critical and important alerts. Microsoft has done a good job in providing this with the “Automation” capability in Azure Sentinel.

azure_sentinel_Automation

To setup Automation > Go to Azure Sentinel Dashboard> Select Automation > Configure permissions. 

You need to explicitly give permissions for automation rules to run playbooks. Automation rules allow you to centrally manage all the automation of incident handling. Automation rules streamline automation use in Azure Sentinel and enable you to simplify complex workflows for your incident orchestration processes. Automation rules are triggered by the creation of incidents. You can set conditions to govern when actions will run, based on the incident and entity details and on analytics rules. You can also set the order of actions and the rule’s expiration time.

azure_sentinel_automation_setup

7. Threat Intelligence

There are huge number of cyber attacks and campaigns that happen on a daily basis. Lots of large organizations, communities and Microsoft monitors them and saves the ip addresses, domains, hashes through which the attacks come from. This helps us monitor them in our environment for footprints. With Threat Intelligence ability in Azure Sentinel we are able to add these known malicious IP Addresses, Malwares, Botnets, Hashes and domains. Analytic Rules are configured through which they are investigated in the environment every 4-6 hours depending upon the schedule we set them to. Anytime these are found it creates a medium severity incident for us to look into.

Microsoft also provides a connector through which we are able to ingest all the known botnets and ip’s saved by Microsoft which makes our environment more secure. The connector is called Microsoft Threat Intelligence. Some other platforms where we can ingest data from into Azure Sentinel are: Palo Alto Networks MindMeld, MISP.

Azure Sentinel integrates with Microsoft Graph Security API data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send threat indicators to Azure Sentinel from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MindMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, and file hashes.

7. Extra Sources of Information

Some other websites which can be useful to learn more about Azure Sentinel:

  1.  Azure Sentinel Pricing
  2. 3rd Party Connectors Grand List
  3. Microsoft Sentinel Documentation

Adding more as when released.

About me

Samant is an Microsoft Security Consultant currently working at Softlanding in Vancouver, Ca. Microsoft Certified DevOPS Engineer and Microsoft Certified O365 Enterprise Administrator Expert. Carry extensive experience working with Microsoft Security Stack with clients ranging from small to large scale. Proficient in deploying, managing, tuning and analysing Microsoft Azure Sentinel as a SIEM and a SOAR, Microsoft Defender ATP, Azure ATP and Microsoft Cloud App Security.
Built and created automations around deploying and managing of infrastructure, security, cloud with powershell, python, java script and REST API.

Following are the Certifications: 

How to Deploy Anti-Ransomware Kill Switch on File Server

Login To the file server as admin. Open Server Manager and install the File server Resource Manager role if not installed. After installing Reboot the server. Once up, open powershell as admin and run the following script. # DeployCryptoBlocker.ps1 # Version: 1.1...

How to Track Active Directory Account and Group Membership Changes?

Audit Active Directory Account and Group Membership Changes To Azure Sentinel Currently Microsoft Azure Sentinel does not ingest Active Directory User Account and Group Membership changes and audit.  The recent connector “Security Events” is built in to ingest...

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Related Posts

How to Deploy Anti-Ransomware Kill Switch on File Server

How to Deploy Anti-Ransomware Kill Switch on File Server

Login To the file server as admin. Open Server Manager and install the File server Resource Manager role if not installed. After installing Reboot the server. Once up, open powershell as admin and run the following script. # DeployCryptoBlocker.ps1 # Version: 1.1...

Let’s Learn Together

If you are facing any issues or roadblocks and need assistance in troubleshooting  the issue, feel free to leave a message.