Discover Microsoft Sentinel, a cloud native Security Information and Event Management (SIEM) solution for your whole IT infrastructure. Highly scalable, it can eliminate additional security infrastructure setup and reduce management complexity, thereby saving costs.

Introduction

The digital footprint of every organization is expanding rapidly, but along with this exponential digital growth come increasingly sophisticated cyberattacks. It is now a major challenge for IT administration and security operations teams to protect their IT infrastructure, continuously monitor and analyse external cyber threats and come up with an appropriate response. Traditional SIEM (Security Information and Event Management) solutions are not flexible, scalable or cost effective enough for this modern security landscape.

What is Microsoft Sentinel?

Microsoft Sentinel is a cloud native SIEM for the entire enterprise IT infrastructure. It is highly scalable, can eliminate additional security infrastructure setup, reduce complexity and save a great deal of time and cost.

  • Collect – security data across your organization

Microsoft Sentinel collects and analyses data from varied sources (users, devices, applications, on-premises systems or multiple cloud platforms).

  • Detect – with vast threat intelligence

It improves threat detection and facilitates proactive threat hunting, response and incident management.

  • Investigate – critical incidents guided by AI

Microsoft Sentinel provides insights using threat intelligence, with built-in AI and machine learning (ML).

  • Respond – rapidly, and automate protection

It allows the administrator to automate and orchestrate response tasks, thereby simplifying security operations and accelerating threat response.

Microsoft Sentinel diagram

If you’d like to find out more about Microsoft Sentinel for your organisation, then please contact us for a free discussion with one of our Certified Azure technical consultants.

Key Features

Microsoft Sentinel (formerly Azure Sentinel) is a cloud native SIEM solution which brings together data, analytics, and workflows to unify and accelerate threat detection and response across your organisation. It provides a bird’s-eye view across your organisation for cyberthreat detection, investigation, response, and proactive hunting.

You can collect data not just from on-premises servers, but also from any cloud platform, users, devices and applications. Using its inbuilt data connectors you can collect data at scale, detect previously undetected threats, and minimise false positives using Microsoft’s analytics and unparalleled threat intelligence, and respond to threats rapidly using automation.

Pre-requisites to deploy Microsoft Sentinel

There are some prerequisites that you will require to deploy Microsoft Sentinel, namely:

  • A Microsoft Entra ID licence and tenant, and an Azure subscription, are required to access Azure and deploy resources.
  • Relevant RBAC roles at subscription or resource group level.
  • A Log Analytics workspace is required to house the data that Microsoft Sentinel ingests and analyses for detections, analytics, and other features.

Getting started

There are numerous data connectors that allow you to start ingesting data into Microsoft Sentinel, using one of the options below:

  1. In-built Data Connectors
  2. Partner & Community supported Data Connectors
  3. REST API integration
  4. Data Integration using Azure Functions
  5. Syslog and Common Event Format (CEF)

Migrating to Microsoft Sentinel

As we have already mentioned, legacy SIEM solutions are faced with several challenges:

  • Slow response to threats
  • Scaling challenges
  • Complex and inefficient management
  • Manual analysis and response

Microsoft Sentinel addresses all the above challenges and provides a unified, low cost, highly scalable cloud native SIEM solution with efficient, proactive threat detection and AI enabled response.

A typical migration to Microsoft Sentinel would include the following steps: discovery, design, implementation and operationalisation. At each stage there is a detailed set of actions to complete, including replicating detection rules from common cybersecurity tools such as ArcSight, Splunk and QRadar, and ingesting historical data.

Key elements of Microsoft Sentinel

Microsoft Sentinel is based on four core processes:

  1. Integrated Threat Intelligence
  2. Proactive hunting for threats
  3. Detect threats and analyze data
  4. Automation and response management

1.   Threat Intelligence integrations

Microsoft Sentinel gives you several ways to use threat intelligence feeds to enhance your security analysts’ ability to detect and prioritise known threats:

  • Use one of many available integrated threat intelligence platform (TIP) products.
  • Connect to TAXII servers to take advantage of any STIX-compatible threat intelligence source.
  • Connect directly to the Microsoft Defender Threat Intelligence feed.
  • Make use of any custom solutions that can communicate directly with the Threat Intelligence Upload Indicators API.
  • Connect to threat intelligence sources from playbooks to enrich incidents with threat intelligence information that can help direct investigation and response actions.

2.   Proactive hunting for threats

Microsoft Sentinel has powerful hunting search and query tools to hunt for security threats across your organisation’s data sources. Hunting queries, notebooks, and security tools guide you into asking the right questions to find issues in the data you already have on your network.

3.   Detect threats and analyze data

After you have set up Microsoft Sentinel to collect data from across your organisation, you need to constantly dig through all that data to detect security threats to your environment. To accomplish this, Microsoft Sentinel provides threat detection rules that run regularly, querying the collected data and analysing it to discover threats. These rules come in a few different flavours and are collectively known as analytics rules. They generate alerts when they find what they are looking for.
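As an added example (not code from the original post), this is the kind of KQL query body a scheduled analytics rule runs: it assumes Microsoft Entra ID sign-in data is already ingested into the SigninLogs table, and flags any source IP that fails sign-ins against many distinct accounts inside the lookback window. The one-hour schedule and the threshold of five accounts are constructed tuning values, not Microsoft defaults.

```kql
// Added example, not the post's own code: query body for a scheduled analytics rule.
// Assumes the Microsoft Entra ID connector is populating the SigninLogs table.
// The rule would be scheduled to run every hour with a matching one-hour lookback;
// accountThreshold is a constructed tuning value to be adjusted per environment.
let lookback = 1h;
let accountThreshold = 5;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"                        // ResultType "0" means the sign-in succeeded
| summarize
    FailedAttempts   = count(),
    DistinctAccounts = dcount(UserPrincipalName),
    SampleAccounts   = make_set(UserPrincipalName, 10),   // cap the set so alerts stay readable
    FirstFailure     = min(TimeGenerated),
    LastFailure      = max(TimeGenerated)
    by IPAddress
| where DistinctAccounts >= accountThreshold     // one IP, many accounts: spray-like pattern
| project FirstFailure, LastFailure, IPAddress, FailedAttempts, DistinctAccounts, SampleAccounts
```

Each returned row becomes an alert; in the rule configuration you would map IPAddress to the IP entity so that automation rules and playbooks can act on the resulting incident.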

4.   Automation & Response management

Microsoft Sentinel, in addition to being a SIEM system, is also a platform for security orchestration, automation, and response (SOAR). The two key components are:

  1. Automation rules
  2. Playbooks

Automation Rules

Automation rules are a way to centrally manage automation in Microsoft Sentinel. Each automation rule consists of triggers, conditions and actions. There is a wide array of preconfigured rules and templates available in the Microsoft Sentinel configuration menu.

Playbooks

The sheer volume of security alerts can be overwhelming. That’s where Microsoft Sentinel playbooks come in. They can be used to run pre-configured sets of remediation actions to help automate and orchestrate your threat response. Playbooks can run automatically, in response to specific alerts and incidents that trigger a configured automation rule, or manually and on demand for a particular entity or alert. Bi-directional sync is available between Microsoft Sentinel incidents and other ticketing systems.

Pricing

Microsoft Sentinel is billed on the volume of data ingested into a Log Analytics workspace and analysed by Microsoft Sentinel. Data is ingested as one of three log types: Analytics, Basic and Auxiliary.

Example per month costs, correct at the time of writing, are given below; for up to date costs see: Microsoft Sentinel Pricing | Microsoft Azure.

Analytics Logs include high value security data that reflects the status, usage, security posture and performance of your environment.

This is billed per gigabyte (GB), and the cost is £4.08 per GB.

(Note: reduced pricing is available for commitment tiers; check the pricing page for more details.)

Basic Logs are usually verbose and contain a mix of high volume and low security value data, without the full capabilities of Analytics Logs. The cost is £0.86 per GB of data.

Auxiliary Logs are high volume, low fidelity logs (e.g. network logs, firewall logs) that are useful for security investigations, hunting, or additional attack context. These are charged at £0.15 per GB.

There are also some Microsoft Sentinel free data sources, such as Azure activity logs, Office 365 audit logs and alerts from Microsoft Defender applications.

If you’d like to find out more about Microsoft Sentinel, what tools and features are included, how pricing works, or to ask for our support to implement it, then please contact us for a free discussion with one of our Certified Azure technical consultants.

If you’ve enjoyed reading this blog post, then sign up to receive our monthly newsletter, where we share new blogs, technical updates, product news, case studies, company updates, and Microsoft and Cloud news (scroll down to the sign up block on this page).

We promise that we won’t share your email address with other businesses or parties, and will keep your details safe. You can choose to unsubscribe at any time.

Further Reading

Microsoft Sentinel overview

https://learn.microsoft.com/en-us/azure/sentinel/overview?tabs=azure-portal

Prerequisites

https://learn.microsoft.com/en-us/azure/sentinel/quickstart-onboard#prerequisites

Architecture

https://learn.microsoft.com/en-us/azure/sentinel/sample-workspace-designs

Onboarding

https://learn.microsoft.com/en-us/azure/sentinel/quickstart-onboard

Best Practices

https://learn.microsoft.com/en-us/azure/sentinel/best-practices

Plan your migration

https://learn.microsoft.com/en-us/azure/sentinel/migration

Data connectors

https://learn.microsoft.com/en-us/azure/sentinel/connect-data-sources?tabs=azure-portal

Threat intelligence

https://learn.microsoft.com/en-us/azure/sentinel/understand-threat-intelligence

Microsoft Sentinel Blog

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/bg-p/MicrosoftSentinelBlog

Pricing

https://azure.microsoft.com/en-us/pricing/details/microsoft-sentinel/

Training

https://learn.microsoft.com/en-us/credentials/applied-skills/configure-siem-security-operations-using-microsoft-sentinel/

https://learn.microsoft.com/en-us/azure/sentinel/skill-up-resources

Video Tutorials

Overview: https://learn.microsoft.com/en-us/shows/azure-videos/azure-sentinel-video-overview?source=recommendations

Azure Sentinel Part 1: https://learn.microsoft.com/en-us/shows/azure-videos/get-started-with-a-cloud-native-siem–azure-sentinel-part-1

Azure Sentinel Part 2: https://learn.microsoft.com/en-us/shows/azure-videos/built-in-ai-to-detect-threats-faster–azure-sentinel-part-2

Azure Sentinel Part 3: https://learn.microsoft.com/en-us/shows/azure-videos/investigate-and-automate-threat-responses–azure-sentinel-part-3

Published On: October 15th, 2024 / Categories: Azure

Jon Milward
Director
