Azure Sentinel – the Smart SIEM SOAR Solution
Updated: Mar 31, 2021
Today we hear new buzzwords every day, especially in the IT world. Cybersecurity isn't immune to this, considering how fast things are changing.
If you haven't heard about SOAR yet, let me introduce you to the latest in automated cybersecurity. SOAR stands for Security Orchestration, Automation and Response. This, thankfully, isn't just a buzzword. It's the next step towards proactive, responsive, intelligent and automated cybersecurity: the SIEM collects and correlates the data, and the SOAR layer turns a detection into an automated, repeatable response.
More details on SOAR can be found in this InfoSec Institute blog post.
That’s a lot of adjectives you might say, but they all apply provided you pick the right tool.
The days of attackers manually trying every known trick in their book are gone. Vulnerabilities are bought and sold on the dark web, along with stolen credentials and the tooling to exploit them. The bad guys, I am afraid, always try to stay one step ahead. They use automated tooling to run hundreds of thousands of scans, attacks and reconnaissance sweeps using the power of the cloud. And it's not just lone hackers you need to worry about: state actors are increasingly targeting both public and private organizations to gain an edge over each other.
Add AI (Artificial Intelligence) and ML (Machine Learning) to the mix, and you really have to ask yourself whether you can still rely on cybersecurity tools that are not proactive, responsive, intelligent and automated.
This is where Microsoft's Azure Sentinel comes in. It is a cloud-native SIEM (Security Information and Event Management) solution that combines the scale of the cloud, Microsoft's ever-growing knowledge of security threats (the Microsoft Intelligent Security Graph) and Logic Apps (low/no-code drag-and-drop workflows) to provide a SOAR solution that uses analytics, AI and ML to automate your security operations.
Here’s a list of things you get with Azure Sentinel:
Workbooks – Generate interactive reports and dashboards over live data, with the ability to export to CSV or even Power BI if you wish
Playbooks – Low/no-code drag-and-drop Logic Apps that run automatically in response to security alerts or incidents. You have hundreds of connectors to work with other tools such as email providers, ITSM services, or plain old webhooks.
Analytics – Sentinel is built on Azure Monitor Log Analytics, so you can run increasingly powerful queries in KQL (Kusto Query Language) to correlate data from across your organization, and schedule those queries as analytics rules that raise alerts and incidents
Threat hunting – Built-in hunting queries mapped to the MITRE ATT&CK framework
Investigate – Guided investigation of security incidents, backed by Azure AI and the Intelligent Security Graph
In my opinion, the last one is the biggest benefit, because Microsoft provides the ability to ingest security data from many security providers and, considering its reach, you have a better chance of being protected from those pesky zero-day vulnerabilities. Microsoft's threat intelligence is informed by signals seen across its customer base, so an attack pattern recognized against one tenant can be used to alert you, and potentially stop it in its tracks, when it shows up in yours.
You have access to hundreds of templates and ready-built solutions in every area of the product, available directly from the Azure portal. And if those don't meet your needs, the Azure Sentinel community on GitHub has even more.
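To make the Analytics point concrete, here is a KQL query of the kind you would schedule as an analytics rule. This is an added example written for this article, not code from the original post or from Microsoft's rule templates. It assumes the Azure Active Directory data connector is enabled so that the SigninLogs table is populated, and the thresholds (20 failures, 10 distinct accounts, one-hour window) are illustrative values you would tune to your own environment. It looks for a password-spray pattern: one source IP generating many failed sign-ins across many different accounts, and flags it as High severity if that same IP also managed at least one successful sign-in in the window.

```kql
// Added example for this article (not from the original post or Microsoft templates).
// Assumes the Azure AD data connector is enabled so SigninLogs is populated.
// Thresholds below are illustrative; tune them to your tenant's baseline.
let lookback = 1h;
let failThreshold = 20;      // failed sign-ins per source IP
let userThreshold = 10;      // distinct accounts targeted per source IP
SigninLogs
| where TimeGenerated > ago(lookback)
// ResultType "0" = success, "50126" = invalid username or password
| where ResultType in ("0", "50126")
| summarize
    FailedAttempts = countif(ResultType == "50126"),
    Successes      = countif(ResultType == "0"),
    DistinctUsers  = dcount(UserPrincipalName),
    TargetedUsers  = make_set(UserPrincipalName, 50),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
    by IPAddress
// Many failures spread across many accounts from one IP is the spray signature
| where FailedAttempts >= failThreshold and DistinctUsers >= userThreshold
// A success from the same IP means the spray likely landed: escalate
| extend Severity = iff(Successes > 0, "High", "Medium")
| project-reorder IPAddress, Severity, FailedAttempts, Successes, DistinctUsers,
                  TargetedUsers, FirstSeen, LastSeen
| order by Successes desc, FailedAttempts desc
```

When saved as a scheduled analytics rule, you would map IPAddress to the IP entity and the entries in TargetedUsers to Account entities so the Investigate graph can pivot on them, and attach a playbook (for example, a Logic App that opens an ITSM ticket and adds the IP to a Conditional Access named location or firewall block list) so the SOAR side of the product does the first response for you.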
We like what we do here at Zephon, and we are staunch believers in cybersecurity education, so if you have questions on how Microsoft Azure Sentinel can help you, add a comment below or reach out to us here.