Microsoft Azure – Introduction to Azure Sentinel
In this article, we will get an overview of Microsoft Azure Sentinel and its functionalities. Azure Sentinel is a cloud-native SIEM: it collects security data, detects and alerts on threats, and helps you investigate and resolve security incidents quickly, for your Azure infrastructure and for other sources you connect to it.
Let’s take a look at what it is and how to use it. In the Azure portal, we can get to Azure Sentinel by searching for it in the search bar.
But before we can use it, we need to enable it on an Azure Log Analytics workspace, which is where Sentinel stores the data it collects. Currently, we don’t have one yet as shown below:
To create a workspace, we give it a name, select an existing resource group, and pick the location (the region where the workspace and its data will live).
This will create a workspace for us and now we need to Add Azure Sentinel.
The below image shows the Azure Sentinel dashboard. It can collect data from many sources and analyze that for security incidents and threats. It provides tools to investigate the data, create alerts, and mitigate security threats.
Let’s start by connecting a data source. There are many data sources to connect to out of the box: Microsoft data sources, and third-party ones like Amazon Web Services. Let’s connect our Azure Active Directory.
Connecting it is really simple: we just need to click both Connect buttons, one for the sign-in logs and one for the audit logs, and it is done. Note that ingesting Azure AD sign-in logs requires an Azure AD Premium (P1 or P2) license.
Azure Sentinel now has access to data from Azure Active Directory. After a while, you’ll see more events here and maybe some incidents, although there aren’t any yet for our current subscription.
We can visualize the data in dashboards (called workbooks in current versions of Sentinel). Here, we can choose from many pre-built dashboards, like this Azure Active Directory Audit Logs dashboard. Let’s install that and take a look at it.
This shows all sorts of interesting graphs about our Azure Active Directory activity.
You can use tools like dashboards to gain more insight into your security data. Azure Sentinel provides more tools to analyze data and identify security incidents. You can hunt for them with queries written in Kusto Query Language (KQL) against the workspace tables, as shown below:
You can also use Azure Notebooks (Jupyter notebooks) to pull the same data out of the workspace and explore it with code, for example to correlate events or build detections that are awkward to express in a single query.
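The two kinds of hunt mentioned above, a query against the sign-in logs and the same logic written out in a notebook, as an added example that is not part of the original article or of Microsoft's own content. The records are constructed sample data shaped like the SigninLogs table (TimeGenerated, UserPrincipalName, IPAddress, ResultType, where ResultType "0" is a successful sign-in and "50126" is an invalid username or password); the thresholds and the KQL in the docstrings are assumptions chosen for illustration. The code looks for two patterns you would hunt for in freshly connected Azure AD data: a burst of failed sign-ins from one IP against one user followed by a success, and a password spray, one IP failing against many different users.

```python
"""Hunting over Azure AD sign-in events, as you would in a Sentinel KQL query or a notebook.

Constructed sample records only (not real log data). Dict keys mirror the SigninLogs
columns TimeGenerated, UserPrincipalName, IPAddress and ResultType.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Anchor time for the constructed sample; every record is BASE + some minutes.
BASE = datetime(2020, 5, 4, 9, 0, 0)


def _event(minutes, user, ip, result):
    """Build one SigninLogs-shaped record at BASE + minutes."""
    return {
        "TimeGenerated": BASE + timedelta(minutes=minutes),
        "UserPrincipalName": user,
        "IPAddress": ip,
        "ResultType": result,
    }


# Constructed sample data: a brute force, a password spray, and some normal activity.
SAMPLE_SIGNINS = (
    # Brute force: 12 bad passwords for one user from one IP, then a success.
    [_event(m, "alice@contoso.example", "198.51.100.23", "50126") for m in range(12)]
    + [_event(13, "alice@contoso.example", "198.51.100.23", "0")]
    # Password spray: one IP, one failure each against eight different users.
    + [_event(30 + i, f"user{i}@contoso.example", "203.0.113.7", "50126") for i in range(8)]
    # Normal activity: one typo, then a successful sign-in.
    + [
        _event(45, "bob@contoso.example", "192.0.2.10", "0"),
        _event(50, "bob@contoso.example", "192.0.2.10", "50126"),
        _event(51, "bob@contoso.example", "192.0.2.10", "0"),
    ]
)


def brute_force_then_success(records, window=timedelta(hours=1), min_failures=10):
    """Flag (IP, user) pairs where a success follows >= min_failures failures within window.

    Roughly equivalent KQL over the SigninLogs table (assumed thresholds):
      SigninLogs
      | where TimeGenerated > ago(1d)
      | summarize Failures = countif(ResultType != "0"),
                  Successes = countif(ResultType == "0"),
                  FirstFailure = minif(TimeGenerated, ResultType != "0"),
                  LastSuccess = maxif(TimeGenerated, ResultType == "0")
          by IPAddress, UserPrincipalName
      | where Failures >= 10 and Successes > 0 and LastSuccess > FirstFailure
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["IPAddress"], r["UserPrincipalName"])].append(r)
    hits = []
    for (ip, user), events in by_pair.items():
        events.sort(key=lambda r: r["TimeGenerated"])
        for i, ev in enumerate(events):
            if ev["ResultType"] != "0":
                continue
            # Count the failures that precede this success within the window.
            failures = sum(
                1
                for prev in events[:i]
                if prev["ResultType"] != "0"
                and ev["TimeGenerated"] - prev["TimeGenerated"] <= window
            )
            if failures >= min_failures:
                hits.append({"IPAddress": ip, "UserPrincipalName": user,
                             "Failures": failures, "SuccessAt": ev["TimeGenerated"]})
                break  # one hit per pair is enough for triage
    return hits


def password_spray(records, min_users=5):
    """Flag source IPs whose failed sign-ins target >= min_users distinct accounts.

    Equivalent KQL (assumed threshold):
      SigninLogs
      | where TimeGenerated > ago(1d) and ResultType == "50126"
      | summarize DistinctUsers = dcount(UserPrincipalName), Failures = count() by IPAddress
      | where DistinctUsers >= 5
    """
    users_by_ip = defaultdict(set)
    failures_by_ip = defaultdict(int)
    for r in records:
        if r["ResultType"] == "50126":
            users_by_ip[r["IPAddress"]].add(r["UserPrincipalName"])
            failures_by_ip[r["IPAddress"]] += 1
    return [
        {"IPAddress": ip, "DistinctUsers": len(users), "Failures": failures_by_ip[ip]}
        for ip, users in users_by_ip.items()
        if len(users) >= min_users
    ]


if __name__ == "__main__":
    for hit in brute_force_then_success(SAMPLE_SIGNINS):
        print("brute force then success:", hit)
    for hit in password_spray(SAMPLE_SIGNINS):
        print("password spray:", hit)
```

Running the block flags 198.51.100.23 against alice (12 failures, then a success) and 203.0.113.7 as a spray source (8 distinct users); bob's single typo stays below both thresholds. The Python version checks that the failures actually precede the success, which the summarize-based KQL only approximates; in a real hunt you would tune the thresholds against your own baseline before turning either query into an analytics rule.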
You can also set up alerts for certain events and incidents, so that you can act quickly when something happens.
You can also automate your response with playbooks. Playbooks are Azure Logic Apps workflows that run in response to security information, such as a new alert or incident. Playbooks have options like sending an e-mail when there is a new recommendation in Azure Security Center.
Application and infrastructure security is extremely important to get right. Azure Sentinel provides a threat detection and mitigation service: it helps you detect incidents and threats when they happen and helps you resolve them as effectively as possible.