The Journey to Azure Sentinel (Deploy Azure Sentinel)

This post is a step-by-step guide to deploying Azure Sentinel, with a quick overview of, and perspective on, Microsoft's SIEM strategy and Azure Sentinel.

Microsoft's new cloud-hosted security information and event management (SIEM) service has rolled out in public preview: Azure Sentinel is Microsoft's thoroughly modern SIEM.

Azure Sentinel is by far the most exciting announcement out of Redmond so far this year. So what is Azure Sentinel? It is a 100% cloud-based Security Information and Event Management (SIEM) solution.

I've been referring to Log Analytics with Azure Security Center as Microsoft's cloud SIEM solution, but Azure Sentinel allows you to collect logs from anywhere.

Once you deploy Azure Sentinel, anything that ships Common Event Format (CEF) logs can be integrated with it; in practice the CEF source sends to a Linux syslog forwarder running the Log Analytics agent, which relays the events into the workspace.

Azure Sentinel Overview & Perspective

Azure Sentinel provides the advanced SIEM capabilities and dashboarding that many companies need, but I want you to understand the broader picture: Azure Sentinel, as a cloud security solution, is set to disrupt the SOC.

And with Microsoft owning and operating a big part of the technology you use every day in your workplace, and making security a strategic investment and bet, I argue that they are becoming the biggest security company in the world.

Azure Sentinel and Security efforts

This is a central place to analyze your security data across all parts of your environment. Cloud security solutions like Azure Sentinel are set to disrupt the SOC; Forrester concludes that they cover:

  • Data security from multi-cloud environments
  • Data security from on-premises environments
  • Log management and storage
  • Analyzing large data volumes
  • Threat hunting
  • Alert triage

Connecting Everything

One could be led to think that this is an all-Microsoft-centered approach, but nothing could be further from the truth. While Microsoft has not confirmed this publicly, they are indeed working with other cloud vendors to get their security data programmatically.

If you look at the Data Connectors section of the Azure Sentinel preview, you already see placeholder entries for AWS CloudTrail, Palo Alto Networks and more, with the connectors coming soon.

Intelligent Security Graph

The Intelligent Security Graph is a huge, central platform from Microsoft and a game changer.

The Intelligent Security Graph is a core piece of the Azure Sentinel backend, used to pull relevant information from other Microsoft services such as Azure ATP, Microsoft Defender ATP and Azure Security Center.

But the most important part is the Microsoft ecosystem: a long list of vendors, including Palo Alto Networks, F5, Symantec, Fortinet, Check Point, Anomali, SailPoint and Ziften, have recently joined to integrate their solutions with the Intelligent Security Graph.

This integration lets Azure Sentinel leverage that telemetry to get events from the network. Great, no?

Democratizing AI with Azure Sentinel

Automated machine learning (ML) was driven by Microsoft's commitment to improve the productivity of data scientists and democratize AI. By simplifying machine learning, automated ML enables domain experts in the business to rapidly build and deploy machine learning solutions.

Azure Sentinel includes a feature called Fusion. As Microsoft is looking to democratize artificial intelligence, they are making it easy to use machine learning as part of your triage.

Instead of sifting through a sea of alerts and correlating alerts from different products manually, ML will help you quickly get value from the large amounts of security data you are ingesting and connect the dots for you.

Machine learning in Azure Sentinel is built in from the beginning. Microsoft designed the system with ML innovations aimed at making security analysts, security data scientists and engineers productive. One such innovation is Azure Sentinel Fusion, built specifically to reduce alert fatigue.

Fusion uses graph-powered machine learning algorithms to correlate millions of lower-fidelity anomalous activities from different products, such as Azure AD Identity Protection and Microsoft Cloud App Security, and combine them into a manageable number of interesting security cases.

For example, you can quickly detect a compromised account that was then used on other platforms, and respond within minutes with Azure Sentinel and Azure AD.

Deploy Azure Sentinel

Before we jump into Azure Sentinel configuration, data connectors and dashboards, let's quickly go through the prerequisites and the deployment phases.

Strictly speaking, you don't configure or deploy Azure Sentinel; you activate and onboard it. The real work is the integration with other platforms. So let's prepare the requirements and onboard Azure Sentinel.

Prerequisites

  • An active Azure subscription; if you don't have one, create a free account before you begin
  • A Log Analytics workspace (the next section shows how to create one)
  • To enable Azure Sentinel, you need Contributor permissions on the subscription in which the Azure Sentinel workspace resides
  • To use Azure Sentinel, you need either Contributor or Reader permissions on the resource group that the workspace belongs to
  • Additional permissions may be needed to connect specific data sources

Prepare for Azure Sentinel

To deploy Azure Sentinel you need to prepare a few requirements, configure additional security options and onboard the workspace to Azure Sentinel. The process is simple and results in a modern SIEM.

Configure Log Analytics

  • Go to Log Analytics workspaces in the Azure Portal
  • Create a new Log Analytics workspace and configure the following settings:
    • Log Analytics workspace name
    • Subscription
    • Resource group
    • Pricing tier

Note: if you already have a workspace or resource group you can reuse them, but my recommendation is to use a dedicated resource group and workspace for Azure Sentinel. Azure Sentinel is enabled per workspace, and the workspace's region is where your log data is stored, so choose the region deliberately.

Configure Azure Security Center

This step is optional but recommended, as it provides useful data, and if you already use Azure Security Center it is even more relevant and should be configured.

To configure Azure Security Center for Azure Sentinel, follow these steps:

  • Go to the Azure Security Center blade in the portal
  • Note: if Azure Security Center isn't enabled, enable it first; just click Enable
  • If it is already enabled, configure the following settings:
    • Make sure Auto Provisioning is on
    • In Security Policy, choose Edit settings for the specific subscription
    • In Data Collection, change the workspace configuration to the Log Analytics workspace you created above
    • Next, in Threat Detection, enable both options

That's it; the basic requirements for Azure Sentinel are configured.

Deploy Azure Sentinel (Onboarding)

To onboard Azure Sentinel follow these steps:

  • In the search bar or All services, find and choose Azure Sentinel
  • In Azure Sentinel, choose the workspace you prepared above

That's it; Azure Sentinel is configured with basic settings, and from this point we can connect everything and integrate with other platforms.

Post Configuration (Basic)

Once Azure Sentinel is configured with basic settings we can move on to post-configuration, such as Fusion, connectors and others.

Enable Fusion

Fusion for Azure Sentinel uses ML to help reduce alert fatigue and false positives. To enable it, follow these steps:

  • Copy the subscription ID, the resource group name and the workspace name from the overview of your Log Analytics workspace
  • Open Cloud Shell in the Azure Portal and enter the following command on a single line, replacing the placeholders in curly braces with your own values (the subscription GUID appears twice, in the resource ID and in --subscription, and both must be the same):

az resource update --ids /subscriptions/{Subscription Guid}/resourceGroups/{Log analytics resource Group Name}/providers/Microsoft.OperationalInsights/workspaces/{Log analytics workspace Name}/providers/Microsoft.SecurityInsights/settings/Fusion --api-version 2019-01-01-preview --set properties.IsEnabled=true --subscription "{Subscription Guid}"
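The following script is an added example and not code from the original post. It scripts the portal steps under "Configure Log Analytics" and "Configure Azure Security Center" above (dedicated resource group and workspace, Security Center auto-provisioning, data collection pointed at that workspace) and the "Enable Fusion" command, for the bash Cloud Shell the post uses. It assumes `az` is already logged in, that the caller holds Contributor on the subscription, and that the resource group, workspace and region names are placeholders you supply; it also assumes the Fusion setting reports its state as `properties.isEnabled` when read back. The Threat Detection toggles and the Sentinel onboarding click itself stay in the portal as described above. Unlike the one-liner in the post, it validates the subscription GUID, skips the update when Fusion is already on, and reads the setting back afterwards to confirm the change took.

```shell
#!/bin/sh
# Added example, not code from the original post: scripted version of the
# "Configure Log Analytics", "Configure Azure Security Center" and "Enable
# Fusion" steps for the bash Cloud Shell. Assumptions: `az` is logged in, the
# caller has Contributor on the subscription, and the resource group,
# workspace and region names are placeholders passed in by the caller.
set -eu

FUSION_API="2019-01-01-preview"   # preview API version used in the post

# is_guid STRING -> succeeds if STRING has the 8-4-4-4-12 subscription GUID shape
is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# fusion_setting_id SUB RG WORKSPACE -> ARM resource ID of the Fusion setting.
# Same path the post's `az resource update --ids ...` command targets.
fusion_setting_id() {
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s/providers/Microsoft.SecurityInsights/settings/Fusion' "$1" "$2" "$3"
}

# prepare_workspace SUB RG WORKSPACE REGION -> prints the workspace resource ID.
# Creates the dedicated resource group and workspace the post recommends, turns
# on Security Center auto-provisioning and points its data collection at the
# new workspace. The Threat Detection toggles stay in the portal.
prepare_workspace() {
    local sub="$1" rg="$2" ws="$3" region="$4" ws_id
    is_guid "$sub" || { echo "prepare_workspace: '$sub' is not a subscription GUID" >&2; return 2; }
    az account set --subscription "$sub" -o none
    az group create --name "$rg" --location "$region" -o none
    az monitor log-analytics workspace create --resource-group "$rg" \
        --workspace-name "$ws" --location "$region" -o none
    ws_id=$(az monitor log-analytics workspace show --resource-group "$rg" \
        --workspace-name "$ws" --query id -o tsv)
    az security auto-provisioning-setting update --name default --auto-provision On -o none
    az security workspace-setting create --name default --target-workspace "$ws_id" -o none
    printf '%s\n' "$ws_id"
}

# fusion_state ID -> prints "true" or "false".
# Assumption: the API returns the flag as `isEnabled` (camel case); the post's
# one-liner sets it as `IsEnabled`, which ARM accepts as the same property.
fusion_state() {
    az resource show --ids "$1" --api-version "$FUSION_API" \
        --query properties.isEnabled -o tsv
}

# enable_fusion SUB RG WORKSPACE -> prints "enabled" or "already-enabled".
# Run this only after the workspace has been onboarded to Azure Sentinel.
enable_fusion() {
    local sub="$1" rg="$2" ws="$3" id before after
    is_guid "$sub" || { echo "enable_fusion: '$sub' is not a subscription GUID" >&2; return 2; }
    id=$(fusion_setting_id "$sub" "$rg" "$ws")
    before=$(fusion_state "$id")
    if [ "$before" = "true" ]; then
        echo "already-enabled"
        return 0
    fi
    # Same call as the post, minus the redundant --subscription flag:
    # the subscription GUID is already part of the resource ID.
    az resource update --ids "$id" --api-version "$FUSION_API" \
        --set properties.isEnabled=true -o none
    after=$(fusion_state "$id")
    if [ "$after" != "true" ]; then
        echo "enable_fusion: update returned but Fusion still reports '$after'" >&2
        return 1
    fi
    echo "enabled"
}

main() {
    if [ "$#" -ne 3 ]; then
        echo "usage: $0 <subscription-guid> <resource-group> <workspace>" >&2
        return 0
    fi
    enable_fusion "$1" "$2" "$3"
}

main "$@"
```

Save it as, for example, sentinel-prep.sh. First source it and call `prepare_workspace <subscription-guid> <resource-group> <workspace> <region>`, then onboard that workspace to Azure Sentinel in the portal as shown above, and finally run `sh sentinel-prep.sh <subscription-guid> <resource-group> <workspace>` to enable Fusion. The read-back after the update matters: `az resource update` exits 0 when the PUT is accepted, which by itself does not prove the preview setting was honoured.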

Summary

With the large array of tooling in Office 365 and EMS for monitoring activity, plus useful reporting services from third-party vendors, you might question the need for a separate service to collate security log information.

However, a common ask from many organizations is to collate this data in a SIEM rather than examine it within Office 365. Azure Sentinel allows a multitude of log types from a variety of systems to be collected and analyzed in a way that gives you the bigger picture.

The next post will focus on how to configure Cases, Dashboards, Notebooks and Queries.
