This SIEM stole my heart.

Some of the objectives of a Security Operations Center (SOC) team include monitoring, detecting, analyzing, preventing and responding to security incidents. Detecting security incidents is only achieved by analyzing events generated by the environment in question. The tool used for incident management is called a SIEM (Security Incident and Event Management).

There are several SIEM vendors offering a wide array of functionality; a few of them are Splunk, IBM QRadar, LogPoint, ArcSight, LogRhythm NextGen SIEM and Azure Sentinel.

Over my Cybersecurity learning journey, I have had the opportunity to operate Splunk, IBM QRadar and Azure Sentinel, and I must say Sentinel has stolen my heart!! In this article I will talk about what I believe gives Sentinel an edge and why it is the future of SIEMs.

Sentinel is Microsoft's cloud-based SIEM that is deployed in an Azure tenant and accessed via the Azure portal. For organizations that have Azure as their primary cloud platform, it goes without saying that Sentinel is easy to activate and integrate, being a service natively built for the cloud. Sentinel also enjoys the advantage of elastic storage and compute, as these are built into Azure.

Now let us take a look at some of the reasons why I think Sentinel stands out:

Keep track of Logs

Threat hunting and identifying incidents are paramount in keeping an organization secure. These can only be achieved by being able to tell the story of all processes and operations that go on in the organization's network. Logs tell that story. However, these logs often get cumbersome and complex very quickly. A Log Analytics Workspace (LAW) is a prerequisite to deploying Sentinel, and it is where Sentinel's data lives. LAW makes it easy to sort and keep track of logs with its simple, user-friendly UI and its query language, KQL.
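To give a feel for what "keeping track of logs" looks like in practice, here is an added example of a KQL query run against the workspace (it is not from the original post or from Microsoft's templates). It assumes the Azure AD SigninLogs table has been connected to the workspace; the table and column names used are the standard ones, and the threshold of 10 is a constructed value to tune for your environment.

```kql
// Added example: count failed sign-ins per user and source IP over the last 24 hours,
// most frequent first. Assumes the standard SigninLogs table and column names.
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"           // "0" is a successful sign-in; anything else is a failure
| summarize FailedAttempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Apps      = make_set(AppDisplayName)
    by UserPrincipalName, IPAddress
| where FailedAttempts >= 10        // constructed threshold; tune to the environment
| sort by FailedAttempts desc
```

The same query, saved as a scheduled analytics rule, becomes a simple brute-force or password-spray detection; the point here is only that the workspace lets you summarize and sort millions of events in a few lines.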

SOAR

That's right, Sentinel is a SOAR too. For my readers who don't know, SOAR means Security Orchestration, Automation and Response. Sentinel has a functionality called "Playbooks", which are powered by Azure Logic Apps. Playbooks are a sequence of procedures that can be run in response to a security alert. These are procedures that would typically be carried out by Security Analysts. Playbooks can be configured to run automatically or manually, depending on the kind of alert in need of a response.

Threat Intelligence

In Security Operations, identifying threats within your environment as early as possible is one of the primary objectives. When artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware are observed within your environment, an alert is sent to the users. These artifacts are known as Indicators of Compromise (IoCs). Microsoft Sentinel comes with inbuilt functionality to ingest threat intelligence and power analytics rules that trigger threat detection and alerting. Currently there are about 140 OOTB alert rules that come with Azure Sentinel.

Enhanced Machine Learning

As a Security Analyst you may know that false positives pose a major hindrance to effective threat detection and response. False positives are misrepresented security alerts, indicating there is a threat when in reality there isn't. These non-malicious alerts increase noise for security teams and may cause them to miss actual malicious threats. In 2021 Microsoft introduced enhanced Machine Learning algorithms to help mitigate this challenge.

Conclusion

I would like to conclude by saying Microsoft Sentinel is still a relatively new tool compared to its counterparts and so is constantly evolving. Microsoft has made a ton of resources available in the Sentinel Community and its GitHub repository. I can only say I am excited for the limitless possibilities that this brings to the field of Cybersecurity.

Next I will be writing about some labs I have participated in, as well as getting started with KQL. Thank you for reading, bye for now and see you in the next one.