This video talks about ways to improve the security with Azure Sentinel.
Azure Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security orchestration automated response) solution.
The video describes how Azure Sentinel offers intelligent analytics and also threat intelligence to offer a single solution. At 0:12, Scott Hanselman states that with Azure Sentinel, one can automate security operations to reduce incident response times.
Identifying Incidence Responses
At 1:15, Ms. Sarah Young states that Microsoft takes care of the entire infrastructure of Azure Sentinel. She further begins to explain how Sentinel reacts to all incidents. When questioned by Mr. Scott Hanselman, she states that Azure Sentinel takes care of all the different security incidents in the environment and looks for anomalies.
At 2:21, she explains that Azure Sentinel has a Github with recommended detections to identify incidents, that can be configured to meet the needs of customers. At 3:21, she states that SIEM solutions are tricky and require upfront work. This has been made easy with Azure Sentinel.
At 3:42, she points out where she had already set up the Log Analytics workspace. She begins to demonstrate how the sentinel gets created on top of the analytics workspace at 4:10. With the help of the interactive user environment, it becomes very easy in creating the sentinel for the chosen workspaces.
At 4:55 she emphasizes that parsers can be written which would help in connecting services to Azure Sentinel. Sarah then displays the various connectors that are already created at 5:10. She demonstrates how to connect Azure AD, by just clicking the connection button and signing with the azure logs.
Security alerts from Azure Sentinel
At 6:09, Sarah explains that anyone who knows log analytics, as well as Kusto, will find working with the Azure Sentinel extremely easy.
From 7:30 she further adds that with Azure Sentinel, data doesn’t get duplicated, Sentinel can be directed to read the stores of products, like Security Centre, without importing the data. She further continues that there might be many logs from different scenarios like multiple sign-ins within a particular time frame.
At 8:22, she adds that all this information comes out as an alert. At 9:20 she briefs that Sentinel takes the list from all different sources and correlated them to look for security incidents.
At 10:11, Sarah demonstrates the creation of a playbook, ways to create the trigger and how the Azure Sentinel Alert happens. These are created with Logic Apps, so you don’t need to be a programmer to build them, and she further adds that this comes with 250-300 different connectors. At 11:51, she points out the screen where the alerts of all categories get displayed.
Further, she shows ways to create different types of security alert through the different connectors at 12:55. Sarah concludes that the playbook gets attached to a detection trigger. On successful running of the Sentinel, the logs with threats, the severity, and other information are provided in the form of alerts.