Microsoft Sentinel 101: The Ultimate Guide for Better Security Posture
Having a complete view of your business’ digital landscape is vital in 2024.
Unconnected systems, legacy IT, growing incident volumes, and cyber talent shortages are just some of the things getting in the way. Your security team probably feels like it's trying to protect your company with one arm tied behind its back.
To address these challenges, Microsoft Sentinel was designed to provide visibility into your estate, as well as automate security processes. Now you can defend and respond against cyber-attacks like never before.
What is Microsoft Sentinel?
At its core, Microsoft Sentinel is a cloud-based SIEM and SOAR solution. SIEM (Security Incident and Event Management) functionalities allow for the collection and analysis of security-related data, while SOAR (Security Orchestration, Automation and Response) capabilities focus on automation and coordinated response to security incidents. This combination of SIEM and SOAR gives users unprecedented customisation options, allowing for automated incident triage, swift investigation, and proactive threat hunting across vast digital estates.
- SIEM Capabilities: Sentinel excels in log ingestion and analysis, providing you with unparalleled visibility into security events across your infrastructure, devices, people, apps and more.
- SOAR Capabilities: Responding to incidents manually is now a thing of the past. Automation lies at the heart of Sentinel, enabling security teams to streamline incident response workflows and mitigate the overwhelming influx of alerts generated by disparate security solutions.
- Customisation and Flexibility: Sentinel gives you a high degree of customisation, allowing you to tailor the platform to your unique security requirements. From automating incident triage to conducting proactive threat hunting, Sentinel offers a versatile toolkit for any security professional.
- Cloud-Native Architecture: Built on Microsoft’s Azure cloud platform, Sentinel uses the scalability, reliability, and agility of cloud computing to deliver real-time threat intelligence and actionable insights.
- Incident Response Workflow: Sentinel adopts a structured approach to incident response, including detection, investigation, and remediation stages. By using machine learning and analytics, Sentinel accelerates threat detection and facilitates rapid response to security incidents.
4 key features of Microsoft Sentinel
Businesses face the daunting task of monitoring and protecting vast amounts of data, spanning user and device activities, network traffic, and security events. Microsoft Sentinel answers this in 4 key ways: data collection, threat detection, threat investigation, and incident response. This enables businesses to gain comprehensive insights into threats, prioritise responses accordingly, and ensure compliance with regulatory standards.
- Data Collection: It collects data from various sources, including cloud environments, on-premises systems, and multiple clouds, ensuring comprehensive coverage across users, devices, applications, and infrastructure.
- Threat Detection: Using advanced analytics and Microsoft’s extensive threat intelligence, Sentinel can detect previously undetected threats and minimise false positives, enhancing the accuracy of threat detection.
- Threat Investigation: Using the latest AI tech, Sentinel enables efficient investigation of threats, tapping into years of cybersecurity expertise at Microsoft. This allows for the identification and analysis of suspicious activities at scale.
- Incident Response: Sentinel provides rapid incident response through built-in orchestration and automation of common tasks, enabling security teams to respond swiftly to security incidents and mitigate potential risks.
Understanding the components of Microsoft Sentinel
Let’s explore the key components of Microsoft Sentinel, including rules, logic apps, playbooks, workbooks, hunting queries, and incident management. By understanding how each component contributes to the overall security posture, you can fully realise the full capabilities of Microsoft Sentinel to strengthen your defences and mitigate cyber threats effectively.
- Rules: Rules in Microsoft Sentinel are used to detect specific security events or patterns in ingested data. These rules trigger alerts or initiate automated responses when predefined conditions are met. They play a crucial role in identifying potential security threats and enabling proactive threat detection.
- Logic Apps: Logic Apps are a part of Microsoft’s Azure integration services and are used in Sentinel for orchestrating automated responses to security incidents. They provide a visual designer for creating workflows that can connect various services and applications, allowing for seamless integration and automation of incident response processes.
- Playbooks: Playbooks in Microsoft Sentinel are collections of automated actions and procedures designed to respond to specific security incidents. They can include a sequence of steps such as gathering additional context, isolating affected systems, or notifying relevant stakeholders. Playbooks streamline incident response workflows and enable you to respond rapidly to security threats.
- Workbooks: Workbooks are customisable dashboards in Microsoft Sentinel that provide visualisations and insights into your security data. They allow your security analysts to create tailored views of your security posture, perform ad-hoc data analysis, and track key performance indicators (KPIs) related to security operations. Workbooks enhance situational awareness and facilitate data-driven decision-making.
- Hunting Queries: Hunting queries in Microsoft Sentinel are used to proactively search for potential security threats or anomalies within ingested data. They enable your security analysts to conduct targeted investigations and identify suspicious behaviour that may evade traditional detection mechanisms. Hunting queries help you to stay ahead of emerging threats and enhance threat hunting capabilities.
- Incident Management: Incident management capabilities in Microsoft Sentinel provide a structured approach to managing security incidents from detection to resolution. They include features for triaging alerts, assigning ownership, tracking investigation progress, and documenting remediation efforts. Incident management streamlines the incident response process and ensures accountability and visibility throughout the lifecycle of security incidents.
Overall, these components work together seamlessly in Microsoft Sentinel to help you to detect, investigate, and respond to security threats effectively, improving your overall security posture and resilience against cyber attacks.
Benefits of Microsoft Sentinel
The benefits of Microsoft Sentinel extend far beyond its feature set, offering tangible advantages to organisations of all sizes.
- Enhanced Threat Detection: Through the utilisation of analytics and access to Microsoft’s threat intelligence, Sentinel helps organisations to uncover threats that may have previously escaped detection. This heightened threat awareness not only improves overall security readiness but also minimises the risk of false positives, continuously refining threat identification processes.
- Streamlined Incident Response: Sentinel’s automation capabilities change incident response protocols by automating repetitive tasks and coordinating response actions. This automation not only accelerates response times but also helps security teams to proactively fight emerging risks, preventing potential security breaches before they escalate into significant incidents.
- Improved Visibility and Compliance: Thanks to its comprehensive logging capabilities and real-time monitoring features, Sentinel offers businesses greater visibility into their security operations. This heightened visibility ensures compliance with regulatory requirements and industry standards, ensuring that organisations maintain the necessary levels of security and data protection.
- Scalability and Flexibility: As a cloud-native solution, Sentinel is built for scalability. Organisations can seamlessly adapt and expand their security operations in response to evolving business needs and dynamic threat landscapes. This scalability ensures that businesses can effectively manage security requirements across diverse environments and estates.
- Intuitive User Experience: With its intuitive user interface and seamless integration with Microsoft services, Sentinel delivers an exceptional user experience tailored to the needs of security analysts and end-users alike. This user-centric design allows for efficient collaboration, enables informed decision-making, and improves overall operational efficiency within the security operations centre (SOC) environment.
Data integration
Microsoft Sentinel has a growing content library that enables customers to ingest data, monitor, alert, hunt, investigate, respond, and connect with different products, platforms, and services.
After you onboard Microsoft Sentinel into your workspace, use data connectors to start integrating your sources of information into Sentinel. There are a few options when it comes to integration:
- Service-to-Service – the Microsoft ecosystem is the foundation of which products Microsoft Sentinel can monitor and support in integrations. These out-of-the-box (OOTB), service-to-service connectors, such as SharePoint, Exchange and Microsoft Teams, provide usage telemetry, access requests, mass resource activity and many more components useful to a business for monitoring purposes.
- REST API Integrations – Most products in use today come with a built-in set of APIs designed to retrieve log files and events of interest. These sources can then be retrieved via resources within the Microsoft Azure ecosystem, or by the product owner using log forwarding capabilities.
- Agent-based Integrations – There will be products within the expansive security and IT ecosystem that will require monitoring within Microsoft Sentinel. They typically would not include API and service-to-service integrations but may utilise logging protocols such as Common Event Format (CEF) and Syslog. Microsoft Sentinel can use these protocols to connect an agent to any data source that supports the protocol. Products such as Palo Alto and Fortinet also use this method of ingestion.
The following diagram displays how non-normalised data is translated into user friendly telemetry.
Data Aggregation
As Microsoft Sentinel ingests data from many sources, there comes the need to normalise and aggregate the data for faster and more effective analysis. Without normalisation, you must understand each source individually and write separate analytics rules, workbooks and hunting queries for each type or schema.
Correlating between different types of data during an investigation and hunting can be difficult. This can make analysis less effective, especially during the time pressures of a security incident.
The Advanced Security Information Model (ASIM) aims to tackle these challenges and is implemented as a layer between the source and the user. As stated by Microsoft, "be strict in what you send, be flexible in what you accept." This principle guides the model, transforming inconsistent source telemetry into user-friendly data. The end output improves every artifact that relies on this data.
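To make the normalisation layer concrete, the following is an added example (not code from the page or from Microsoft) that takes two very different authentication sources, a CEF line from a VPN appliance and a Windows Security logon event, and maps both onto one small common schema so that a single query answers "which accounts are failing to log on" across both. The column names and the sample telemetry are constructed for this illustration; they follow the spirit of ASIM's Authentication schema rather than its exact column list.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Target schema: the handful of columns every authentication source is mapped onto.
# These names are an assumption of this example, not the exact ASIM column list.
@dataclass(frozen=True)
class NormalizedAuthEvent:
    event_product: str
    event_result: str          # "Success" or "Failure"
    target_username: str
    src_ip: Optional[str]
    event_time: datetime

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")

def parse_cef(line: str) -> Dict[str, str]:
    """Split one CEF line into its seven header fields plus extension key=value pairs.
    Pipes escaped as '\\|' in the header and '=' escaped as '\\=' in values are honoured."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    record = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER_FIELDS, parts[:7])}
    # A value runs until the next ' key=' boundary, so spaces inside values survive.
    for m in re.finditer(r"(\w+)=((?:\\=|[^=])*?)(?=\s+\w+=|$)", parts[7]):
        record[m.group(1)] = m.group(2).replace("\\=", "=").strip()
    return record

def normalize_cef_auth(line: str) -> NormalizedAuthEvent:
    rec = parse_cef(line)
    # CEF 'rt' is epoch milliseconds, 'suser' the subject user, 'outcome' the result
    return NormalizedAuthEvent(
        event_product=f"{rec['vendor']} {rec['product']}",
        event_result="Success" if rec.get("outcome", "").lower() == "success" else "Failure",
        target_username=rec["suser"],
        src_ip=rec.get("src"),
        event_time=datetime.fromtimestamp(int(rec["rt"]) / 1000, tz=timezone.utc),
    )

def normalize_windows_auth(event: Dict[str, str]) -> NormalizedAuthEvent:
    # Windows Security log: EventID 4624 = successful logon, 4625 = failed logon;
    # IpAddress is '-' when no network address applies.
    event_id = int(event["EventID"])
    if event_id not in (4624, 4625):
        raise ValueError(f"EventID {event_id} is not a logon event")
    ip = event.get("IpAddress")
    return NormalizedAuthEvent(
        event_product="Windows Security",
        event_result="Success" if event_id == 4624 else "Failure",
        target_username=event["TargetUserName"],
        src_ip=None if ip in (None, "", "-") else ip,
        event_time=datetime.fromisoformat(event["TimeGenerated"]),
    )

# Constructed sample telemetry from two different sources (not real data).
SAMPLE_CEF_LINES = [
    "CEF:0|Contoso|VPN Gateway|2.1|100|User login|5|src=203.0.113.7 suser=alice outcome=failure rt=1712059200000 msg=Wrong password",
    "CEF:0|Contoso|VPN Gateway|2.1|100|User login|3|src=198.51.100.4 suser=bob outcome=success rt=1712059260000",
]
SAMPLE_WINDOWS_EVENTS = [
    {"EventID": "4625", "TargetUserName": "alice", "IpAddress": "203.0.113.7", "TimeGenerated": "2024-04-02T12:01:30+00:00"},
    {"EventID": "4624", "TargetUserName": "bob", "IpAddress": "-", "TimeGenerated": "2024-04-02T12:02:00+00:00"},
]

def normalize_all(cef_lines: Iterable[str], windows_events: Iterable[Dict[str, str]]) -> List[NormalizedAuthEvent]:
    """'Be flexible in what you accept': each source gets its own parser, every result has one shape."""
    return [normalize_cef_auth(l) for l in cef_lines] + [normalize_windows_auth(e) for e in windows_events]

def failed_logons_by_user(events: Iterable[NormalizedAuthEvent]) -> Dict[str, int]:
    """One query, written once against the normalized schema, covers every source."""
    return dict(Counter(e.target_username for e in events if e.event_result == "Failure"))

if __name__ == "__main__":
    normalized = normalize_all(SAMPLE_CEF_LINES, SAMPLE_WINDOWS_EVENTS)
    print(failed_logons_by_user(normalized))   # {'alice': 2}
```

The point of `failed_logons_by_user` is that it never mentions `suser`, `TargetUserName`, `outcome` or `EventID`; all of that source-specific knowledge lives in the two normalisers, which is exactly the separation ASIM parsers give you inside Sentinel.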
Detection Engineering
Now that we have data ingesting into your environment, it is time to put your Detection Engineering hat on. Microsoft Sentinel comes with a range of built-in rule types that cover the products within its own ecosystem. Additionally, there are analytics created by the community of product owners, like Salesforce. These are all available via the Microsoft Sentinel Content Hub.
These detections give us the ability to hunt for and detect attacks mapped to frameworks like MITRE ATT&CK, ranging from the more obvious, such as brute force attacks and password spraying attempts, to more obscure Indicators of Compromise (IoCs) like credential harvesting and malicious C2 addresses. The following summarises the rule types available within Microsoft Sentinel.
- Scheduled analytics are the most common rule type within Microsoft Sentinel and are most often used to surface events of interest such as Defense Evasion and Privilege Escalation tactics, among many other tactics throughout the ATT&CK framework. There may be times where a larger amount of data is required to generate a true-positive alert. You would typically use a scheduled query rule for this with a larger look-back period to encapsulate the data required; when configured correctly, this increases the probability of a true-positive alert.
- Next on the list are NRT (near-real-time) detections. These analytics are configured to monitor events and surface incidents in a matter of seconds rather than minutes, shortening the time to detection and potential resolution considerably. Surfacing threats as they happen makes analysing and responding to contain them a reality. They provide up-to-the-minute threat detection OOTB by executing the rule at one-minute intervals.
- Fusion is Microsoft's correlation engine, which is based on machine learning algorithms that can detect multistage attacks by combining detections, anomalous behaviours and suspicious activities observable throughout the various stages of the kill chain. Microsoft Sentinel comes with a Fusion rule enabled by default. This rule is an all-encompassing analytic that covers the Microsoft ecosystem, and at the push of a button can also include third-party sources.
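The difference between a scheduled rule's look-back period and an NRT rule's one-minute interval is easiest to see on concrete data. The following is an added example (not from the page or from Microsoft, and written in Python rather than the KQL a real Sentinel rule would use) that runs the same "failed sign-ins per account" logic over constructed sign-in telemetry with different windows: a low-and-slow attempt against one account is only visible with a one-hour look-back, while a burst against another account is caught by the one-minute NRT pass. Account names, addresses and thresholds are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple

class SigninEvent(NamedTuple):
    time: datetime
    user: str
    src_ip: str
    success: bool

def t(minute: int) -> datetime:
    """Helper: a fixed (constructed) start time plus the given number of minutes."""
    return datetime(2024, 4, 2, 12, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)

# Constructed sign-in telemetry:
#  - 'alice': 12 failures, one every 5 minutes over 55 minutes (low and slow)
#  - 'carol': 10 failures from 10 different addresses inside a single minute (a burst)
#  - 'bob'  : ordinary successful sign-ins, which must never alert
SAMPLE_SIGNINS: List[SigninEvent] = (
    [SigninEvent(t(5 * i), "alice", "203.0.113.7", False) for i in range(12)]
    + [SigninEvent(t(59), "carol", f"203.0.113.{10 + i}", False) for i in range(10)]
    + [SigninEvent(t(3), "bob", "198.51.100.4", True),
       SigninEvent(t(33), "bob", "198.51.100.4", True)]
)

def scheduled_rule(events: List[SigninEvent], now: datetime,
                   lookback: timedelta, threshold: int) -> Dict[str, Dict[str, int]]:
    """Mimic a scheduled analytics rule: keep only events inside [now - lookback, now],
    count failures per account, and alert on accounts at or above the threshold."""
    window_start = now - lookback
    failures: Dict[str, int] = defaultdict(int)
    sources: Dict[str, set] = defaultdict(set)
    for e in events:
        if window_start <= e.time <= now and not e.success:
            failures[e.user] += 1
            sources[e.user].add(e.src_ip)
    return {user: {"failed": n, "distinct_ips": len(sources[user])}
            for user, n in failures.items() if n >= threshold}

def nrt_rule(events: List[SigninEvent], now: datetime, threshold: int) -> Dict[str, Dict[str, int]]:
    """An NRT rule is the same query executed every minute over roughly the last minute of data."""
    return scheduled_rule(events, now, timedelta(minutes=1), threshold)

if __name__ == "__main__":
    now = t(60)
    print("10 min look-back:", scheduled_rule(SAMPLE_SIGNINS, now, timedelta(minutes=10), 10))
    print("1 h look-back:   ", scheduled_rule(SAMPLE_SIGNINS, now, timedelta(hours=1), 10))
    print("NRT (1 min):     ", nrt_rule(SAMPLE_SIGNINS, now, 10))
```

With a ten-minute window only `carol` crosses the threshold; `alice` only appears once the look-back covers the whole hour, which is the trade-off the bullet above describes: a longer look-back costs more data per run but turns a series of individually innocuous failures into one true-positive alert. The `distinct_ips` column is there because a burst from many addresses and a burst from one address usually warrant different responses.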
Machine Learning Engine
Microsoft Sentinel also comes with its own Machine Learning Engine, which combined with its built-in anomaly detections, creates a powerhouse of tools that brings immediate value OOTB when configured correctly. These detections were built with robustness in mind, correlating thousands of data sources, and millions of events to build a complete behavioural analysis of all users in an environment. The following summarises the two main anomaly focus areas.
- UEBA Anomalies: These detections target the grey area between what is considered an obvious attack and what is considered innocent user activity. Using behavioural baselining, all events are enriched with contextual and behavioural information, and an event is then considered suspicious if it falls outside of the 'known' and 'accepted' behaviour for the components involved. You may ask how it does this. It breaks each event down into its components, such as the user's geo-location, the user performing the action, the action itself, and the device it was performed on. Each component is compared to the baseline, and ML models determine whether the event is suspicious or not.
- Machine learning-based anomalies: Microsoft Sentinel comes OOTB with a library of analytics rule templates designed to detect anomalous behaviour within your environment. They may not correlate directly with a security incident, but they provide contextual information for deeper analysis of activity within your environment. Events such as excessive data transfer may indicate a trend of C2 data exfiltration that would typically go overlooked unless you had specifically crafted your own rule for it. The major benefit of these anomaly detections is that they are customisable, from testing and production toggles to defining the device vendor for network-based anomalies, so you have the freedom to configure them to your environment's specifications.
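The component-by-component comparison the UEBA bullet describes can be sketched without any ML at all: learn each user's baseline from history, then flag every component of a new event that falls outside it. The following is an added example (not the page's or Microsoft's code; Sentinel's real UEBA uses statistical models rather than plain set membership) over a constructed 30-day history for two users. User names, countries, device names, actions and the 5% hour-of-day threshold are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class UserBaseline:
    countries: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    actions: Set[str] = field(default_factory=set)
    hours: Counter = field(default_factory=Counter)   # hour of day -> observed count

def build_baselines(history: List[Dict[str, object]]) -> Dict[str, UserBaseline]:
    """Learn, per user, the components seen during the baseline period."""
    baselines: Dict[str, UserBaseline] = {}
    for ev in history:
        b = baselines.setdefault(ev["user"], UserBaseline())
        b.countries.add(ev["country"])
        b.devices.add(ev["device"])
        b.actions.add(ev["action"])
        b.hours[ev["hour"]] += 1
    return baselines

def score_event(ev: Dict[str, object], baselines: Dict[str, UserBaseline],
                min_hour_share: float = 0.05) -> Dict[str, object]:
    """Break the event into components and flag each one outside the user's baseline.
    The score is simply the number of anomalous components."""
    b = baselines.get(ev["user"])
    if b is None:
        return {"user": ev["user"], "anomalies": ["unknown_user"], "score": 1}
    anomalies: List[str] = []
    if ev["country"] not in b.countries:
        anomalies.append("country")
    if ev["device"] not in b.devices:
        anomalies.append("device")
    if ev["action"] not in b.actions:
        anomalies.append("action")
    # an hour is 'unusual' if fewer than min_hour_share of the user's activity fell in it
    if b.hours[ev["hour"]] / sum(b.hours.values()) < min_hour_share:
        anomalies.append("hour")
    return {"user": ev["user"], "anomalies": anomalies, "score": len(anomalies)}

# Constructed history: alice signs in from GB on her laptop during office hours and reads
# mail; bob works from the same office on a desktop and accesses files.
SAMPLE_HISTORY: List[Dict[str, object]] = (
    [{"user": "alice", "country": "GB", "device": "LAPTOP-ALICE",
      "action": "MailRead", "hour": 8 + (i % 10)} for i in range(40)]
    + [{"user": "bob", "country": "GB", "device": "DESKTOP-BOB",
        "action": "FileAccess", "hour": 9 + (i % 8)} for i in range(24)]
)

if __name__ == "__main__":
    baselines = build_baselines(SAMPLE_HISTORY)
    suspicious = {"user": "alice", "country": "FR", "device": "UNKNOWN-PC",
                  "action": "MailboxRuleCreated", "hour": 3}
    print(score_event(suspicious, baselines))   # four anomalous components
```

A single unusual component (a new device after a laptop refresh, say) is the grey area the bullet talks about; several at once, a new country on a new device performing an action the user has never performed at 03:00, is what pushes an event from "enrichment" to "incident". Keeping the anomalies as a list rather than a bare score is what lets the incident view explain *why* an event was flagged.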
Incident Investigation and Response
Now that we have established the ingestion and detection baseline, we need to look at how Microsoft Sentinel handles the investigation of incidents.
Microsoft Sentinel's interface has a dedicated section for each use case, such as Analytics, Automation, Logs, Incidents, etc. Within the Incidents section, we can immediately gain insights into an environment's noise: how active the environment is, how often analytics fire, and how prone to ticket fatigue a Security Operations Center (SOC) managing this environment may become.
When an incident occurs and the respective analytic fires, Microsoft Sentinel flags a new record within the Incidents UI. The contextual information provided typically includes the severity and description of the analytic that fired, a collection of evidence such as the events and alerts, and the entities that were involved, which can be anything from usernames, email addresses and IP addresses to IoCs.
Typically, you would have an analyst that would hunt for peculiar and interesting artifacts that aid the conclusion of an investigation along with gathering more insights into the user behaviour and any additional metrics that are valuable.
Microsoft Sentinel has taken this one step further and presented this contextual information in one centralised investigation blade. The following aims to summarise the key components of the dashboard.
- Alert information (with ATT&CK references): Basic information about the alert itself, including description and severity.
- Entities Involved: Basic information regarding the entities involved in the incident. This is directly related to the entity types that are configured within the analytic rule itself.
- Evidence: Basic information regarding the volume of events and alerts that have fired. This will be directly impacted by any groupings you may have enabled within the analytic configuration phase.
- Similar Incidents: Microsoft Sentinel performs alert correlation and entity correlation in case this or similar events and entities have been observed previously. This can be a powerful tool in analysing the root-cause of an event.
- Incident Timeline: Once correlation has been completed, this incident dashboard will display a series of incidents if they are linked. This gives immediate insights into the timeline of events leading up to compromise.
- UEBA Insights: Once UEBA has been configured correctly within your Microsoft Sentinel environment, all incidents are provided with contextual enrichment. UEBA gives the context of the user's behaviour up until the first event that occurred: behaviour such as login events, devices used, geo-location, etc. We can then build a better picture when analysing the incident timeline.
By combining the power of each of these components, we can build a bigger picture of the events that have occurred surrounding the incident, and of the potential root causes as well.
Security Orchestration and Automation
Once incidents have come into Microsoft Sentinel, you may wonder what you can do to alleviate the manual work required by analysts to free up their time to be more proactive.
Automation! Without a doubt, the most powerful tool available in Microsoft Sentinel is its SOAR capability: from automating responses for all or specific incidents, to integrating external ticket management platforms such as Jira and ServiceNow, to integrating threat intelligence feeds to enhance and enrich your monitoring.
One of the key usages of automation within Sentinel is the power to automate your SOC's daily work, giving every user it impacts the freedom to refocus their workload and allowing for more effective and streamlined SOC operations. It does this through automation rules and playbooks.
Automation rules are the first line of defence in maximising your SOC's efficiency. They are triggered by one of three events: when an incident is created, when an incident is updated, and when an alert is created.
From here we can talk about the crème de la crème of Sentinel SOAR: Playbooks. These replace time-intensive actions that a person performs in their daily role. This time investment is often overlooked by organisations running traditional SIEMs, which quickly fall victim to their own inefficiencies.
Playbooks can help with these inefficiencies by reducing the time to completion or, in some cases, entirely removing the human input needed to complete the task. Developing a playbook can be as simple or as complicated as it needs to be, as there is no single design for a playbook.
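To show how automation rules and playbooks fit together, the following is an added example (not code from the page or from Microsoft) that models a small rule engine: each rule has a trigger (incident created, incident updated, or alert created), an order, a condition and a list of actions, one of which is "run playbook". In Sentinel a playbook is a Logic App; here a plain Python function stands in for it. Rules run in order, and each rule's condition is evaluated against the incident as earlier rules left it, which is why the escalation rule is ordered before the assignment rule. The rule names, owner address, playbook and sample incidents are all constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Incident:
    title: str
    severity: str                      # Informational / Low / Medium / High
    status: str = "New"
    owner: Optional[str] = None
    tags: List[str] = field(default_factory=list)
    enrichment: Dict[str, str] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)   # what ran against this incident, in order

Action = Callable[[Incident], None]

@dataclass
class AutomationRule:
    name: str
    trigger: str                       # "IncidentCreated" | "IncidentUpdated" | "AlertCreated"
    order: int                         # lower runs first
    condition: Callable[[Incident], bool]
    actions: List[Action]

# ---- actions an automation rule can take ------------------------------------------
def set_severity(level: str) -> Action:
    def act(inc: Incident) -> None:
        inc.severity = level
        inc.audit.append(f"severity={level}")
    return act

def assign_owner(owner: str) -> Action:
    def act(inc: Incident) -> None:
        inc.owner = owner
        inc.audit.append(f"owner={owner}")
    return act

def add_tag(tag: str) -> Action:
    def act(inc: Incident) -> None:
        inc.tags.append(tag)
        inc.audit.append(f"tag={tag}")
    return act

def run_playbook(name: str, playbook: Callable[[Incident], None]) -> Action:
    """Stand-in for the 'Run playbook' action; the playbook itself is just a function here."""
    def act(inc: Incident) -> None:
        playbook(inc)
        inc.audit.append(f"playbook={name}")
    return act

# Hypothetical playbook: checks the incident against a (fake, inline) threat-intel list
# and records the verdict as enrichment for the analyst.
KNOWN_BAD_IPS = {"203.0.113.7"}   # constructed, not a real indicator

def enrich_from_threat_intel(inc: Incident) -> None:
    hit = any(ip in inc.title for ip in KNOWN_BAD_IPS)
    inc.enrichment["ti_verdict"] = "known-bad-ip" if hit else "no-match"

def evaluate_automation(inc: Incident, trigger: str, rules: List[AutomationRule]) -> Incident:
    """Run every rule whose trigger and condition match, lowest order first."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.trigger == trigger and rule.condition(inc):
            inc.audit.append(f"rule={rule.name}")
            for action in rule.actions:
                action(inc)
    return inc

# Constructed rule set.
RULES: List[AutomationRule] = [
    AutomationRule("escalate-brute-force", "IncidentCreated", 1,
                   lambda i: "brute force" in i.title.lower(),
                   [set_severity("High"), run_playbook("Enrich-TI", enrich_from_threat_intel)]),
    AutomationRule("assign-high-to-tier2", "IncidentCreated", 2,
                   lambda i: i.severity == "High",
                   [assign_owner("tier2@example.com")]),
    AutomationRule("tag-closed", "IncidentUpdated", 3,
                   lambda i: i.status == "Closed",
                   [add_tag("reviewed")]),
]

if __name__ == "__main__":
    inc = Incident("Brute force against alice from 203.0.113.7", "Medium")
    evaluate_automation(inc, "IncidentCreated", RULES)
    print(inc.severity, inc.owner, inc.enrichment, inc.audit, sep="\n")
```

The `audit` list is worth keeping in any real design: when an incident arrives at an analyst already re-prioritised, assigned and enriched, they need to see which rule did what, and in which order, to trust the result.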