Cloud Security | Sentinel And Defender

An overview of both Sentinel and Defender as part of my stream logs to EventHub project.

Yahya Abulhaj
Aug 2, 2022

Microsoft Sentinel

Overview

Azure Sentinel is a cloud-native SIEM & SOAR solution that collects data from multiple sources to provide a comprehensive picture of what is going on in your organization.

  • Sentinel is a SIEM (Security Information and Event Management)
    👉 Investigate: find threats, incidents, alerts.
  • Sentinel is a SOAR (Security Orchestration, Automation and Response)
    👉 React to what the SIEM finds.

SIEM 👉 Find things
SOAR 👉 Do something about it

Architecture


Sentinel is built on top of a Log Analytics workspace, with a machine learning and threat intelligence layer added on top so that you can investigate these massive amounts of data and surface findings clearly and meaningfully.

Core components

1- Data Connectors

Data connectors are responsible for managing the libraries and configurations required for hosts to connect to various data sources. A data connector includes the type, URI, authentication method, and all libraries required to access the data source.

Enable a Data Connector

2- Analytics (Rules)

Analytics rules scan your environment for certain events or groups of events, notify you when particular event thresholds or criteria are met, create incidents for your SOC to analyze and triage, and respond to threats with automated monitoring and remediation procedures.

You can select from a variety of attack categories in the Tactics and techniques field to categorize the rule. These are based on the tactics and techniques of the MITRE ATT&CK framework.

3- Playbooks (for automation)

Creating a playbook takes you to build a custom Logic App, or you can rely on the Sentinel repository to find a template that builds the Logic App for you.

4- WorkBooks

Workbooks have a wide range of applications, from simple data presentation to complex graphing and resource investigation maps.

5- Hunting (look for something)

Query and get insights using KQL: run the desired KQL query and use the results to improve your understanding of the data.
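A sample KQL query added here as an illustration (not from the original post) of both the analytics-rule and hunting points above: it flags a source IP that fails sign-ins against many distinct accounts within the last hour, and tags the output with the MITRE ATT&CK tactic and technique the rule would be categorized under. It assumes Azure AD sign-in logs are already flowing into the workspace's SigninLogs table; the lookback and threshold values are assumptions to tune for your environment.

```kql
// Added example: scheduled analytics rule / hunting query over SigninLogs.
// Detects one source IP failing sign-in for many distinct accounts
// (password-spray pattern) and reports the accounts it touched.
let lookback = 1h;              // assumed window; match the rule's run frequency
let account_threshold = 10;     // assumed number of distinct accounts before alerting
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"       // "0" is a successful sign-in; anything else is a failure
| summarize
    FailedAttempts = count(),
    TargetAccounts = dcount(UserPrincipalName),
    Accounts       = make_set(UserPrincipalName, 20),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
    by IPAddress
| where TargetAccounts >= account_threshold
// MITRE ATT&CK mapping the analytics rule would carry: Credential Access,
// Brute Force: Password Spraying (T1110.003).
| extend Tactic = "CredentialAccess", Technique = "T1110.003"
| project FirstSeen, LastSeen, IPAddress, FailedAttempts, TargetAccounts, Accounts, Tactic, Technique
| order by TargetAccounts desc
```

Run it from the Hunting blade first to check the noise level, then save it as a scheduled rule with the same Tactics and techniques selection so each hit becomes an incident for the SOC.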

6- Notebooks

Query and get insights using ML. Built on top of Jupyter Notebooks, notebooks are a way to look for patterns and security information in the data, and let you write machine learning code in languages such as Python.

Sentinel Pricing


Scenarios

  • Use Azure Event Hub for continuous export of high-severity alerts and their retrieval by a third-party SIEM solution
  • Use diagnostic settings in Azure AD to stream logs to an event hub and generate alerts from Azure Active Directory

Defender


Azure Defender (CSPM) can be thought of as an upgrade to Azure Security Center (ASC), a dashboard available in the Azure portal that provides an overview of all of your assets in Azure and non-Azure environments, as well as a set of scores and recommendations to properly secure them.

Azure Sentinel includes a wide range of data connectors. Among them is Azure Defender.

Connect Microsoft Defender for Cloud alerts to Microsoft Sentinel

Defender comes in a variety of flavors depending on the application; some of them are listed below.

  • Microsoft Defender for Cloud (Azure Security Center)
  • Microsoft Defender for Office 365
  • Microsoft Defender for Identity
  • Microsoft Defender for Endpoint

Microsoft Defender for Cloud pricing


Project: EventHub

Sending logs and establishing monitoring use cases with Sentinel/Defender.

About

As part of getting started on this project, I've also considered studying for the Microsoft Operations Analyst Associate exam. It was good, and I passed it. If you feel the same way, check the materials I used to prepare.

Let's go

Decision tree: Determine how many workspaces are required for this project

The Objective

A: Send logs to Sentinel

Sentinel Migration:

Tasks:

Task 1:

  • Configuring log ingestion from SharePoint
  • Putting the ingestion into production and validating the correlation of the logs.

  • Configuring log ingestion from Teams
  • Putting the ingestion into production and validating the correlation of the logs.

Monitor Logs from Azure Sentinel (SharePoint, Teams)

Task 2:

  • Configuring log ingestion from Dynamics 365 Sales
  • Putting the ingestion into production and validating the correlation of the logs.

  • Configuring log ingestion from Power Apps
  • Putting the ingestion into production and validating the correlation of the log.

Office 365 Management API data into Azure Sentinel


Task 3:

  • Configuring log ingestion from AAD
  • Putting the ingestion into production and validating the correlation of the logs.

  • Configuring log ingestion from Azure SQL Managed Instance
  • Putting the ingestion into production and validating the correlation of the logs.

B: Develop surveillance use cases

SIEM – USE CASE WRITING GUIDE

Check the MITRE ATT&CK® framework from here.

I'd been debating a color for this one for a while and couldn't come up with anything creative, haha, I'm including it anyway.
