Introducing Azure Sentinel

Updated: Feb 17

In March 2020 Microsoft launched Azure Sentinel, a 100% cloud-native SIEM with direct support for a whole slew of 3rd-party devices and cloud solutions, and syslog support for stuff that might otherwise prove tougher to integrate.

Microsoft really didn’t have a product offering in the SIEM space until late 2019, but we were starting to see tooling in place to support SIEM integration in products like Cloud App Security, Defender for Endpoint, and even Azure Security Center.

But I've heard a few questions around SIEM integrations as far back as 2015. Back then, the answer was Advanced Threat Analytics, an on-premises component of the Enterprise Mobility & Security cloud product. It was an odd fit in the EM+S space, but ATA was designed to be undetectable to attackers by running off port-mirroring on domain controllers. The idea was low-key brilliant: everything you do on a domain-joined system asks permission from a DC, so just quietly copy traffic from a DC to a device on a parallel network and analyze it. ATA had behavior analytics and would quietly profile your users, reporting when they did odd stuff. Well that was great - but configuration was complicated, VM support was iffy, and it evolved slowly to just being another system on the same production network. Still a good idea, but muted. And it was never truly a proper SIEM, anyway. Oh and it went off support last month.

I’ve done a bunch of SIEM deployments, and never ever did I expect to be able to do one end-to-end in half a day, from setting up the Azure subscription, to connecting the various data sources, to configuring workbooks and behavioral analytics, advanced rules and alerts. Granted, my demo environment was probably simpler than yours, but if the goal is to begin ingesting data and see immediate value, it’s hard to argue in favor of setting up a whole bunch of infrastructure on-premise when you can literally just... turn it on.

Sentinel has changed the game for me, and apparently it’s changing the game for customers with regulatory concerns, and in a way that I hadn’t foreseen. Azure Active Directory does a great job securing access to identities and apps, but it doesn’t do a great job tracking its efforts. Audit logs are purged after 30 days, and that’s not acceptable for government contractors and CMMC, health providers and HIPAA, or financial services organizations and FISMA, SOX, and PCI DSS. But Sentinel provides a simple audit log retention mechanism for the entire Microsoft 365 experience that solves all of these issues with the flip of a switch, and free for the first 90 days, with only negligible cost thereafter.

And while it can run like any SIEM and consume SYSLOG data from anything, Microsoft has spent a lot of time and effort building customized connectors for some of the most popular devices and cloud services. In fact, when I first had the idea to present on Azure Sentinel, there were only about 50 connectors available. When I presented the Azure Sentinel webinar last month, that number had grown to the low 80’s, and as of the time of writing this entry, it’s in the mid 90’s, with 53 named vendors’ solutions.

What’s really nice about these pre-baked connectors is they take most of the configuration challenges out of deploying the product. So whereas you may have previously set your SIEM to be a syslog destination, captured some traffic, applied some filters, built some rules, tested, and then built some dashboards, Azure Sentinel does most of this work for you. Want to monitor some AWS? Cool, then you probably also want to light up a couple of relevant workbooks and monitor for some specific attack vectors. All of that is baked into the connector, so you can get to work…letting Azure Sentinel do the work of analyzing logs.

Recent Forrester studies back up my claims of speed to deployment, and augment with tremendous cost savings and significant improvement of the signal-to-noise ratio, with a 201% ROI and a 79% decrease in false positives over 3 years. Did I mention I got it up and running in half a day? Seriously: crazy fast.

And the incidents that Azure Sentinel detects, just like the incidents detected in the Microsoft 365 Defender space, are linked back to the dashboards and control surfaces where administrators can make relevant and meaningful changes, so there’s no gap between the SecOps and operations teams.

Incidents can be assessed in investigations (or sent to orchestration for automatic remediation if that’s your jam) that provide rich interactive maps with insights and timelines and all sorts of cool visuals. Honestly, it’s more fun to do the investigations manually because it feels like you’re living in a sci-fi movie!

Getting fancier, we can then set up security notebooks that leverage Machine Learning, feed in Threat Intelligence signals and entity behavior analytics, and compare our results against custom watchlists to tailor our SecOps to really specifically meet the needs of our organization.

So let’s recap: 0 infrastructure, 90+ native connectors (with free ingestion of Office 365 data), crazy fast deployment, cheap storage options, significant reduction in false positives and 3-month payoff overall? There’s almost no reason NOT to try it.

By: Adrian Amos