Microsoft Azure Sentinel provides intelligent security analytics at the enterprise level to keep pace with exponential growth in security data, improve outcomes and reduce costs. Microsoft has designed this SIEM to deliver immediate value across end-to-end security operations, with agility through automatic data scalability and efficiency through automation. With its thirty-two out-of-the-box data connectors, Azure Sentinel collects data at cloud scale and supports integration with virtually any source; Microsoft adds new connectors almost daily.

Analytic rules drive threat detection, and more than one hundred customizable rule templates are built into the platform. Subscribers can write KQL (Kusto Query Language) queries to create or customize rules. By fusing data sources so that threats can be detected along the entire kill chain, built-in machine learning supports the analytics engine and increases catch rates without increasing alert noise.

When an analytic rule fires, Azure Sentinel raises an alert, groups related alerts into incidents and surfaces them in highly interactive workbooks (dashboards). Analysts can either create workbooks from scratch or select from a gallery of customizable templates. We find that these dashboards lack some of the graphic design elements and visuals we have seen with other products. However, we still believe that the dashboards give sufficient insight into, and an overview of, data sources.

Flexible query options make investigation and threat hunting quick and easy. As with rule creation, security teams can create or customize queries in KQL; less experienced analysts may feel more comfortable starting from the platform's built-in hunting queries. The investigation view visualizes the full course of an attack, giving a timeline, supporting descriptions and a relationship graph of correlated data points. This information helps analysts determine the scope and impact of an identified threat. To expedite response, the platform offers automation and orchestration (playbooks built on Azure Logic Apps) in addition to manual remediation. The Azure Sentinel community drives many of these automated responses, providing a library of detections, queries, workbooks and playbooks.

Jupyter notebooks help generate reports. We could not launch notebooks, however, and determined that their use is neither intuitive nor well documented.

We believe that Microsoft Azure Sentinel remains an underdeveloped SIEM, lacking the polish and refinement we see with some other solutions. However, Microsoft's unmatched global reputation reminds us that we can always expect quality security software and solutions from them. This SIEM simply needs time to develop and mature; with some work on the clarity and simplicity of the interface, it will become a powerhouse in the future.

Pricing starts at $2 per GB ingested into Azure Sentinel, plus Log Analytics charges starting at $2.30 per GB. These prices include 24/7 access to billing and subscription support, online self-help, documentation, a knowledgebase, an FAQ list and support forums for the duration of the Microsoft Azure account. We had some issues with overall function, and our experience with support initially frustrated us and led to some misunderstandings about the nature of our issue. Eventually, Microsoft did guide us to a resolution. Azure Community does link to GitHub for community-created scripts, but this section will also need some time to develop, and non-security professionals may stumble with its navigation. Additional support options are available for a fee.

Tested by: Tom Weil
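To illustrate the KQL-based analytic rules and hunting queries the review describes, here is an added example that is not part of the review or of Microsoft's shipped rule templates: a scheduled analytic rule that flags password-spray style activity (many failed sign-ins from one source IP spread across many distinct accounts). It assumes the Azure AD sign-in data connector is enabled so that the SigninLogs table exists, that ResultType "0" marks a successful sign-in and any other value a failure, and it uses constructed thresholds (20 failures across 10 or more accounts in an hour) that you would tune to your own tenant's baseline.

```kql
// Added example, not from the review or from Microsoft's rule gallery.
// Assumes the SigninLogs table (Azure AD sign-in connector) is populated.
// ResultType "0" is a successful sign-in; anything else is a failure.
let lookback  = 1h;      // match the rule's "lookup data from the last" setting
let threshold = 20;      // constructed value; tune to your tenant's baseline
let minUsers  = 10;      // spray = one source, many accounts
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"                        // keep failed attempts only
| summarize
    FailedAttempts = count(),
    DistinctUsers  = dcount(UserPrincipalName),
    Users          = make_set(UserPrincipalName, 25),   // cap the list for the alert
    StartTime      = min(TimeGenerated),
    EndTime        = max(TimeGenerated)
    by IPAddress
| where FailedAttempts >= threshold and DistinctUsers >= minUsers
| extend AttemptsPerUser = FailedAttempts / DistinctUsers  // low ratio = classic spray
| project StartTime, EndTime, IPAddress, FailedAttempts, DistinctUsers, AttemptsPerUser, Users
| order by FailedAttempts desc
```

Paste the query into a new scheduled rule in the Analytics blade, run it every hour with a one-hour lookback so windows do not overlap, and map IPAddress to the IP entity and the Users column to the Account entity so the resulting incident carries the entities the investigation view needs. The same query runs unchanged from the Hunting blade for ad hoc checks before it is promoted to a rule.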
Product title: Microsoft Azure Sentinel
Product info
Vendor: Microsoft
Contact: https://aka.ms/AzureSentinel
Price: $2 per GB ingested (Azure Sentinel), plus Log Analytics from $2.30 per GB
Strength
There are 32 out-of-the-box data connectors to support virtually any data source integration.
Weakness
We had some issues with the overall functionality and support took a while to understand and resolve the issues. This is lacking some of the polish and refinement we see with other solutions.
Verdict
This SIEM simply needs time to develop and mature; with some work on the clarity and simplicity of the interface, it will become a powerhouse in the future.