Microsoft Sentinel is a cloud-native security information and event management (SIEM) system that provides real-time threat detection and response as well as security orchestration, automation, and response (SOAR). It is a powerful tool that allows security teams to collect, analyze, and act on security data from multiple sources. In this blog post, we will provide a gentle introduction to Microsoft Sentinel, its features, and how it can help organizations stay secure.
Welcome to Part 1 of this new Microsoft Sentinel blog series. This series will cover the humble basics of the Sentinel platform and, over the course of three parts, showcase how those basics can be configured, with integration as the eventual goal.
Below you’ll find all parts of this blog series.
- The Sentinel Awakens: Microsoft Sentinel Introduction
- Feeding the Beast: Data Ingestion with Microsoft Sentinel
- Sentinel Teams Up: Integrations with Microsoft Teams
What is Microsoft Sentinel?
Microsoft Sentinel provides a unified view of security data from multiple sources, including Azure, Office 365, and third-party products. Sentinel uses advanced analytics and machine learning to identify threats and automate incident response, enabling security teams to focus on high-priority tasks.
Features of Microsoft Sentinel
- Threat detection: Microsoft Sentinel uses machine learning and advanced analytics to identify threats across an organization’s infrastructure. It provides real-time visibility into security events, enabling security teams to respond quickly to incidents.
- Incident response: Sentinel provides automated incident response capabilities that help security teams respond to incidents quickly and efficiently. It can automate tasks such as isolating infected systems, blocking malicious traffic, and notifying stakeholders.
- Data integration: Sentinel integrates with a wide range of data sources, including Azure, Office 365, and third-party products such as Amazon Web Services (AWS) and on-premises Active Directory (AD). It can collect data from logs, network traffic, and endpoints, providing a comprehensive view of an organization’s security posture.
- Customization: Sentinel allows security teams to customize their security policies and alert rules to meet their specific needs. It also provides a range of pre-built dashboards and reports that help teams track their security performance.
Advanced Features of Microsoft Sentinel
Microsoft Sentinel also offers other powerful features, including playbooks, Kusto Query Language (KQL), and workbooks. Playbooks allow security teams to automate and orchestrate incident response activities, while KQL provides a flexible query language for analyzing security data. Workbooks provide a customizable interface for visualizing and analyzing security data. By using playbooks, KQL, and workbooks in conjunction with Microsoft Sentinel’s data integration and threat detection capabilities, security teams can gain deep insights into their security posture and respond to threats more effectively. These features make Microsoft Sentinel a comprehensive and versatile security solution that can meet the needs of organizations of all sizes and complexities.
How can Microsoft Sentinel help organizations stay secure?
- Real-time threat detection: Microsoft Sentinel provides real-time visibility into security events, enabling security teams to identify and respond to threats quickly.
- Automation: Sentinel automates many security tasks, such as incident response, enabling security teams to focus on high-priority tasks.
- Comprehensive data collection: Sentinel collects data from multiple sources, providing a comprehensive view of an organization’s security posture.
- Customization: Sentinel allows organizations to customize their security policies and alert rules to meet their specific needs.
- Integration with other Microsoft products: Sentinel integrates with other Microsoft products, such as Azure and Office 365, providing a seamless experience for security teams. This can include Teams integrations utilizing Azure Logic Apps for powerful functionality (more details can be found in an upcoming blog post).
Want to get started? Let’s set up a Sentinel workspace
1. Microsoft Sentinel is built on top of an Azure Log Analytics workspace. You can think of Sentinel as an additional set of features layered on top of Log Analytics. With this in mind, let’s get started by logging in to an Azure tenant with appropriate administrative credentials and finding the Microsoft Sentinel service by searching for it. Once it is open, create a new workspace by clicking ‘Create’:
2. Next, create a new Log Analytics workspace to add Sentinel to:
3. Fill out the required subscription and instance information, select Review + Create for the Log Analytics workspace, and wait for the deployment to finish:
4. Once the deployment has finished, the new workspace should appear in the list of workspaces available for deploying Sentinel. Select it, proceed to add Sentinel to it, and wait for the deployment to finish:
5. You’re done! Sentinel has been deployed. Next up is ingesting data into it so it can start analyzing, but that will be covered in a future blog post.
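The same deployment as steps 1 to 4, expressed as infrastructure as code so it is repeatable across tenants. This is an added example, not from the original post: a Bicep template that creates the Log Analytics workspace and then onboards Microsoft Sentinel onto it. It assumes the target resource group already exists; the parameter names, SKU, retention value and API versions are my assumptions.

```bicep
// Added example (not from the original post): mirrors steps 1-4 above.
// Deploy with:
//   az deployment group create --resource-group <rg> \
//     --template-file sentinel.bicep --parameters workspaceName=<name>
// Assumed: parameter names, SKU, retention default and API versions.

@description('Name of the Log Analytics workspace that Sentinel is built on.')
param workspaceName string

@description('Azure region; defaults to the location of the resource group.')
param location string = resourceGroup().location

@minValue(30)
@maxValue(730)
@description('Interactive retention in days for ingested logs (assumed default).')
param retentionInDays int = 90

// Steps 2-3: the Log Analytics workspace. Sentinel is a feature set layered
// on top of this workspace, so it has to exist first.
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: {
      name: 'PerGB2018'
    }
    retentionInDays: retentionInDays
  }
}

// Step 4: "adding Sentinel" to the workspace is an extension resource
// scoped to the workspace; the onboarding state must be named 'default'.
// The dependency on the workspace is implied by the scope reference.
resource sentinel 'Microsoft.SecurityInsights/onboardingStates@2023-02-01' = {
  scope: workspace
  name: 'default'
  properties: {
    customerManagedKey: false
  }
}

// The workspace ID is what agents and data connectors point at in Part 2.
output workspaceId string = workspace.properties.customerId
```

Because the onboarding state is declared separately, re-running the deployment is idempotent: an existing workspace is left as-is and Sentinel is only enabled if it is not already.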
Want to know more? We’re doing a thesis on Sentinel!
This Master’s thesis aims to address the need for a simplified approach to setting up detection and automated response for common security threats on cloud and hybrid systems using Microsoft Sentinel. We are still looking for a few companies that are eager to contribute to this research; spots are limited.
Pre-requisites:
– Pre-existing SOC team with dedicated technical members
– Pre-existing SIEM/SOAR solution
– Does not have to be a Danish company
Reach out to us if you’re interested in collaborating with us. The presentation slide can be found below, and contact information can be found in the side profiles.
Conclusion
Microsoft Sentinel is a powerful SIEM solution that helps organizations detect, investigate, and respond to threats across their infrastructure. It provides real-time threat detection, automated incident response, and comprehensive data collection, enabling security teams to stay on top of their security posture. With its customization options and integration with other Microsoft products, Sentinel provides a seamless experience for security teams. Organizations looking to stay secure in today’s threat landscape should consider implementing Microsoft Sentinel as part of their security strategy.
Security consultant with focus on cloud and Azure.