Overview of Azure Sentinal
On 26th Sept, Microsoft announced 'Azure Sentinal' cloud-born SIEM in GA. Here below are some of the key facts, you must be aware of, related to security.
Azure Sentinal is a cloud-based SIEM build with AI & ML which analyzes the TBs of data in minutes and prompts you about any security-related inconsistency followed by defining actions. No matter your applications, users, servers, and devices are on the hybrid, on-prem or any cloud other than Azure, all can be integrated using built-in connectors. It enables you to bring your own insights, tailored detection, machine learning models, and threat intelligence.
You can configure alerts, playbooks, and logic app flows as your actions on detected threats.
Use cases
- In case, you have clients who have more interaction with government officials through their applications may have a threat of stealing data from malicious users.
- Accounts may be brute-forced for such tenants to gain privileged access.
Using SIEM as a service is more optimal than running on an on-prem infrastructure, including the high cost of software tools. Microsoft provides this as a 'pay as you go' service along with a requirement specific plan as 'capacity reservation tiers' (automatically scale resources and pay for what you chose, nearly 60% off and capacity can be updated month wise).
Key Aspects
- Can lower up event alerts by fusion technique like Yellow + Yellow as Red severity.
- Can work with O365, Active directory using Azure activity connectors at no extra cost.
Preview Results
Accenture was a part of the Microsoft preview client base and shared some of the use cases with Azure Sentinel. One of the clients integrated with AWS connector and they received an alert as 'MFA disabled for root account', they reacted pro-actively and determined the malicious user and activity.
Accenture's client SAP has its own data centre, Accenture integrated log analytics on Hana, and got an insight as someone changed the Windows SAP file, they drill down the defaulter in minutes.
Many others like 'RapidDeploy', and 'Insight' were also part of this preview access. I hope you find this helpful, refer to Azure Sentinal for more details.
