With SIEM tools becoming more advanced and user-friendly, Microsoft Sentinel is one of the newest to join the scene, but it has taken the world by storm with its advanced and out-of-the-box features. But what is Microsoft Sentinel, and how does it work? In today’s blog post, we take a look at everything Sentinel to give you the best unbiased overview.
What is Microsoft Sentinel?
Microsoft Sentinel (previously known as Azure Sentinel) is a scalable cloud-based SIEM and SOAR tool developed by Microsoft in 2019. Microsoft Sentinel allows subscription owners to deploy the tool via a Log Analytics workspace, and it can collect, collate, and report on specific activities like any typical SIEM. The SOAR element of Microsoft Sentinel leverages Azure Power Apps to integrate with other tools and perform automated actions based on set criteria.
As of June 2022, Gartner rates Microsoft as a Leader in SIEM tools, ranking it above all other SIEM tools on ability to execute.
Why is Microsoft Sentinel important?
With Microsoft holding just under 30% (as of August 2022) of the operating system market, and an estimated 83% (according to TechRepublic) of all businesses using some kind of Microsoft tool (such as Office 365, Azure etc.), there is a clear reason why Microsoft needed a security tool to wrap it all up.
Microsoft Sentinel has over 120 out-of-the-box (OOTB) connectors that allow security admins and analysts to set up essentially one-click connections for security event logs. Not all of these connections are needed, but for businesses that use the Microsoft stack, Sentinel can integrate within minutes to give you a clearer picture of your estate from a security perspective.
SIEMs are often really expensive and in most cases need quite a lot of admin work to get set up and working as expected, but as far as simplicity is concerned, Sentinel is still a leader. Microsoft Sentinel can be set up using Microsoft's very extensive guides or via a third party, and it is one of the fastest SIEM tools to set up. Not only this, but the connectors (or integrations) are easy to implement, which makes setup easier still.
Not only this, but Microsoft Sentinel also allows you to implement easy-to-create detection rules and SOAR (Security Orchestration, Automation and Response) straight out of the box. It’s worth noting that Sentinel is one of the newest SIEM platforms and has an extensive roadmap of features requested by the community.
Getting Started with Microsoft Sentinel: A Beginner's Guide
Sentinel can be quite daunting at first glance: although it’s very user-friendly, there are a lot of tabs, a lot of “things”, and not much context around them. Microsoft does provide some pretty nice guides for this, but here is our beginner-friendly breakdown of each tab, what it does, and how you can use it.
Overview (Homepage Default View)
The overview page is the default home view you will see when you load up Microsoft Sentinel. It changes very frequently, both as the data you receive changes and as Microsoft updates it to make it better. It will give you a very basic overview of what’s occurring in your environment.
Logs (in Microsoft Sentinel)
Logs is one of the biggest (and personally most used) tabs within Microsoft Sentinel, where you are able to search, investigate, and parse all event logs that are coming into your Sentinel instance. This is the activity repository that you can use to aid investigations or to find information. Some searches are pre-built, but all are written in KQL (Kusto Query Language).
News & Guides
It pretty much does what it says on the tin: any news that Microsoft publishes around security or Sentinel. It is mostly good for Sentinel/Microsoft-based guides, such as how-tos and best practices.
Incidents
The most commonly used tab within Sentinel is where all alerts/incidents are raised. In short, any events that are processed and match the “Detection Rules” (analytics rules) will be raised as an incident, which is quite simply an alert. These alerts are stored here, can be modified and worked here, and this will likely be where you spend most of your time.
Workbooks (in Microsoft Sentinel)
Workbooks are types of queries that display in a report format. They come both pre-built and custom-made, and are quite easy to build, as they leverage JSON and KQL (Kusto) to make some very advanced reports, aka Workbooks.
Hunting
Threat Hunting is another element of Sentinel that allows you to create threat hunts (or use the defaults provided) that can be run repeatedly or automatically. This is a fairly new section of Sentinel, and it does help speed up some typical SOC activities.
Data Connectors (Integrations)
Data connectors are the out-of-the-box integrations that Microsoft has provided. In this list are all your typical and well-known connectors; however, you will also see some that are not so easy to configure, such as syslog forwarding and old-school event forwarding. This list is around 120+ long at the time of writing, but more “marketplace” content is available.
Analytics (Detection Rules)
The “Analytics” tab within Sentinel is what Microsoft calls its detection rules. These analytics rules are simply scripted KQL with entity mapping, scheduling (timings), and conditions, which are essentially very specific filters. When these filters (or rules) are matched by the events coming into Sentinel, they act as an escalation point, which in most cases raises an incident within the “Incidents” tab.
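To show what the KQL behind both a Logs search and a scheduled analytics rule looks like, here is an added example that is not from the original post or from Microsoft. It assumes the Azure AD sign-in connector is enabled (populating the SigninLogs table); the lookback, threshold and column choices are illustrative.

```kql
// Scheduled analytics rule: many failed sign-ins for one account from one IP,
// followed by a successful sign-in from the same IP inside the lookback window.
// Run every 1h with a 1h lookback; map Account -> UserPrincipalName and IP -> IPAddress
// in the rule's entity mapping so the raised incident carries the entities.
let lookback = 1h;              // assumed value: align with the rule's query period
let failure_threshold = 10;     // assumed value: tune to your environment's noise level
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"       // non-zero ResultType means the sign-in failed
| summarize FailedAttempts = count(),
            FirstFailure = min(TimeGenerated),
            LastFailure = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| where FailedAttempts >= failure_threshold
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"   // "0" is a successful sign-in
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated
  ) on UserPrincipalName, IPAddress
| where SuccessTime > LastFailure   // success only counts if it came after the failures
| project UserPrincipalName, IPAddress, FailedAttempts, FirstFailure, LastFailure, SuccessTime
```

Pasted into the Logs tab, the same query works as an ad hoc search; saved as a scheduled rule with the alert threshold set to "greater than 0 results", each returned row becomes an alert grouped into an incident.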
Automation
Azure Automation directly taps into Microsoft Sentinel and allows you to create one-press automation rules that will make an analyst's life easier. Not only this, but we can create pretty advanced automation rules using Power Apps, which in the long term will help you react to real-life security threats.
Settings
Should you need to access or review any Sentinel or workspace settings in relation to Sentinel, the Settings page is there for that. There is a wide range of tabs here, too many to cover in this blog.
Key Features of Microsoft Sentinel
Sentinel is packed with features and is continuing to grow, but here is a list of the main features that Sentinel offers:
- Collect data from multiple sources before storing it in the cloud (or elsewhere).
- Detect both known and unknown threats.
- Investigate alerts using AI and machine learning.
- Use SOAR for almost immediate incident
How to set up Microsoft Sentinel
The setup of Microsoft Sentinel is actually one of the simplest, covering both the start-to-finish deployment of Microsoft Sentinel and the enabling of connectors and integrations. Whilst it is quite simple, it is a lengthy process too.
We have written a specific guide on how to set up Microsoft Sentinel, so please feel free to take a look through and see what you think!
Microsoft Sentinel vs other SIEM tools: Which is best?
I have used several SIEM tools over the years, mostly IBM's QRadar and Splunk; however, I have really high hopes for Sentinel. With Microsoft Sentinel being one of the newest, they are already an industry leader in their own right.
My only concern around Microsoft Sentinel at the moment is reliability. Over the last 2 months (at the time of writing), our Azure Sentinel instance has had 3 outages which have prevented us from monitoring the service, therefore leaving a big hole in our security posture.
Although these were temporary, this was way too frequent, and the time to resolve was dire (nearly a full day). I should stress that the 9-10 months prior to this have been fine for the most part, but more recently we’ve had these unacceptable issues.
We have written up a guide around the best SIEM tools to use; however, if you’re looking for a cloud-based, scalable and easy-to-use/set-up SIEM, Sentinel does take the cake on that one.
Common Use Cases for Sentinel
Sentinel is a vast SIEM tool that will have hundreds, if not thousands, of use cases for you and your business, depending on what you want to use Sentinel for. Some of the most common use cases for Sentinel are specifically around the Microsoft stack, so this list will be a little biased.
1. Microsoft Defender Alerting
The chances are, if you have Microsoft O365 deployed within your business, then you may also have Microsoft Defender. Defender is a Windows-native antivirus developed by Microsoft, which has made strides towards being one of the better AVs available.
These alerts are only ever raised within Defender, and the detection rules from Defender cannot be edited very much, so having Defender forward alerts from the Defender portal into Sentinel allows for much easier triage, investigation, and closure. Not to mention that Microsoft provides 8 out-of-the-box detection rules just for Defender. This also covers the other Defender products, such as MCAS, Defender for Endpoint, Defender for O365, etc.
2. Enhanced Security Reporting from Microsoft Sentinel
Although it might take a little bit of time for you to make a report using KQL (the native language used for reporting and detection rule building), you can make some pretty advanced security reports straight out of Sentinel. These are called “Workbooks”, and they are extremely easy to use once set up.
I personally use Workbooks for all my stat reporting, and it has worked a dream since it was set up.
3. User and Entity Behaviour Analytics
If you’ve got your user base on Microsoft (either via Microsoft Office, or through Azure AD/Active Directory), then Microsoft's baked-in UEBA is an incredible asset for you. Microsoft Sentinel is able to collate events from multiple tools, help you detect anomalous activity across them, and give you one very detailed verdict or alert on a user account.
4. Azure/Microsoft Services Single-Pane
For me, I was using around 9 security tools, which meant 9 different dashboards and admin portals, which quite frankly was both annoying and time-consuming. Sentinel alleviated that for me: we were able to implement all of our technologies, including Microsoft’s own tools – but also some 3rd party ones too, such as DarkTrace and Sophos – giving us a single pane for all of our security tools. Plus, we were able to create detection rules and automated actions to get the most out of Azure and Microsoft Sentinel.
Our Thoughts: Is Microsoft Sentinel the right choice for your Organization?
Back in 2020 when we first implemented Microsoft Sentinel, my expectations were not great but over time I’ve realized that Sentinel is a much better SIEM tool than it used to be. If you are using the Microsoft stack already (both Microsoft tools/products or Azure), then Microsoft Sentinel will likely offer you a much fuller picture of your security landscape.
In short, other SIEMs will do the same job, but if you already have the infrastructure set up, there are not many reasons to avoid Microsoft Sentinel – the main one being the cost of log ingestion and the ongoing service costs for the workspace.