Cloud Security | Sentinel And Defender

Cloud Security | Sentinel And Defender

An overview of both Sentinel and Defender as part of my stream logs to EventHub project.

Yahya Abulhaj's photo
Yahya Abulhaj
ยทAug 2, 2022ยท

3 min read

Subscribe to my newsletter and never miss my upcoming articles

Play this article

Table of contents

  • Microsoft Sentinel
  • Scenarios
  • Defender

Microsoft Sentinel

Overview

Azure Sentinel is a cloud-native SIEM & SOAR solution that collects data from multiple sources to provide a comprehensive picture of what is going on in your organization.

  • Sentinel is a SIEM (Security Information and Event Management)
    ๐Ÿ‘‰ Investigate, Find threats, Incidents, alerts..
  • Sentinel is a SOAR (Security Orchestration automation response tool)
    ๐Ÿ‘‰Reacting to SIEM.

SIEM๐Ÿ‘‰ Find Things
SOAR๐Ÿ‘‰ Do Something About it

Architecture

3.png

Sentinel is built on top of an analytics workspace, with a machine learning layer added (Intelligence Threat) to investigate and find things clearly and meaningfully in these massive amounts of data.

Core components

1- Data Connectors

Data connectors are responsible for managing the libraries and configurations required for hosts to connect to various data sources. A data connector includes the type, URI, authentication method, and all libraries required to access the data source.

Enable a Data Connector

2- Analytics (Rules)

Analytics rules scan your environment for certain events or groups of events, notify you when particular event thresholds or criteria are met, create incidents for your SOC to analyze and triage, and respond to threats with automated monitoring and remediation procedures.

You can select from a variety of assault categories in the Tactics and tactics field to categorize the rule. These are based on the MITRE ATT&CK framework's strategies and tactics.

3- Playbooks ( for automation)

Takes you to create a custom LogicApp. Or you can relay on the sentinel repo to find a template and do the a logicapp for you.

4- WorkBooks

Workbooks have a wide range of applications, from simple data presentation to complex graphing and resource investigation maps.

5- Hunting (look for something)

Query and get insights using KQL Run the desired KQL and get results to improve your insights on the data.

6- Notebooks

Query and get insights using ML Built on top of Jupiter Notebooks, a pattern to look for things, security informations. Write machine learning in various programming languages such as Python.

Sentinel Pricing


Scenarios

  • Use Azure Event Hub to Continuous export of high severity alerts and retrieval from 3rd party SIEM solution
  • Use Diagnostics settings in azure AD and stream to an event hub to Generate alerts from Azure Active Directory

Defender

4.png

Azure Defender (CSPM) can be thought of as an upgrade to Azure Security Center (ASC), a dashboard available in the Azure portal that provides an overview of all of your assets in Azure and non-Azure environments, as well as a set of scores and recommendations to properly secure them.

Azure Sentinel includes a wide range of data connectors. Among them is Azure Defender.

Connect Microsoft Defender for Cloud alerts to Microsoft Sentinel

Defender comes in a variety of flavors depending on the application; some of them are listed below.

  • Microsoft Defender for Cloud (Azure Security Center)
  • Microsoft Defender for Office 365
  • Microsoft Defender for Identity
  • Microsoft Defender for Endpoint

Microsoft Defender for Cloud pricing

Your first step should be with connecting to the data sources that you require. Give it atleast 60 minutes in order to start hunting and looking for insights on the workbooks created.

Honestly, Sentinel is a really powerfull tool for anyone wishing to get more aware and improve his/her work ethics along the way.


I'd been debating a color for this one for a while and couldn't come up with anything creative, haha, I'm including it anyway. Renew & Stay Certified (17).gif

ย 
Share this