Security capabilities of Microsoft Sentinel

https://docs.microsoft.com/en-us/learn/modules/describe-security-capabilities-of-azure-sentinel/

  • Scalable

  • Cloud native

  • Security Information and Event Management (SIEM)

  • Security Orchestration, Automation and Response (SOAR)

  • Single solution

    • Alert detection
    • Threat visibility
    • Proactive hunting
    • Threat response

  • Collect security data from all users, devices, applications and infrastructure, on-premises and in the cloud
  • Detect threats
  • Investigate critical incidents with AI support
  • Respond rapidly and automate protection

Connect Sentinel to your data

  • Provides real-time integration
  • Microsoft 365 Defender
  • Microsoft 365 sources such as Office 365, Azure AD, Microsoft Defender for Identity (formerly Azure ATP) and Microsoft Cloud App Security
  • Data is ingested into Sentinel using data connectors
    • Syslog
    • Windows Event Logs
    • Common Event Format (CEF)
    • Trusted Automated eXchange of Indicator Information (TAXII)
    • Azure
    • AWS services

Workbooks

  • Monitor the data provided from the data sources
  • Data analysis
  • Visual reports
  • Create custom workbooks
  • Built-in templates

Analytics

  • Built-in analytics alerts

Manage incidents in Microsoft Sentinel

  • Incident is created when an alert is triggered
  • Standard incident management tasks such as changing status or assignment to resources
  • Mapping feature to see incidents across the organization

Security automation and orchestration

  • Automate security operations
  • Integrates with Azure Logic Apps to create automated workflows or playbooks in response to events

Playbooks

  • Collection of procedures that can help automate and orchestrate a response to an incident
  • Run manually or when triggered by an event
  • Based on Azure Logic Apps

Investigation

  • Understand the scope of a potential security threat and find a root cause
  • Choose an entity on the interactive graph

Hunting

  • Search and query tool
  • Based on the MITRE ATT&CK framework
  • Proactively hunt for security threats before an alert is triggered
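The analytics and hunting sections above both come down to running a KQL query against the Log Analytics workspace: the same query can be run ad hoc from the Hunting blade or saved as a scheduled analytics rule that creates an alert (and hence an incident). The query below is an added example, not part of the Microsoft Learn module; it assumes the Azure AD sign-in connector has populated the built-in SigninLogs table, and the lookback window and failure threshold are constructed values to be tuned per environment. It looks for an account that sees a burst of failed sign-ins from one IP address followed by a successful sign-in from the same address, which is the pattern a brute-force or password-spray hunt (MITRE ATT&CK tactic Credential Access) typically starts from.

```kusto
// Added example hunting / analytics query (not from the module).
// Assumes: SigninLogs table from the Azure AD sign-in connector.
// ResultType "0" is a successful sign-in; anything else is a failure code.
let lookback = 1d;      // constructed: how far back to search
let threshold = 10;     // constructed: failures per user+IP before it is interesting
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize FailureCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure  = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where FailureCount >= threshold;
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated;
// Only keep pairs where the success came after the run of failures.
failures
| join kind=inner successes on UserPrincipalName, IPAddress
| where SuccessTime > LastFailure
| project UserPrincipalName, IPAddress, FailureCount,
          FirstFailure, LastFailure, SuccessTime
| sort by FailureCount desc
```

When this is saved as a scheduled analytics rule, UserPrincipalName and IPAddress are the columns to map to the Account and IP entities so that the resulting incident shows them on the investigation graph and a playbook can act on them.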

Integrated threat protection

  • Extended Detection and Response (XDR)
  • Uses Microsoft 365 Defender and Microsoft Defender for Cloud

Sentinel costs

https://docs.microsoft.com/en-us/learn/modules/describe-security-capabilities-of-azure-sentinel/4-understand-sentinel-costs

  • Data is stored in an Azure Monitor Log Analytics workspace
  • Billing is based on the volume of data ingested and stored
  • Two ways to pay
    • Capacity reservations bill you a fixed fee based on a selected tier
    • Pay-as-you-go (PAYG) is billed per GiB of data ingested into the workspace
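Because billing follows ingested volume, the first step in controlling Sentinel cost is finding out which tables are producing it. The query below is an added example, not part of the module; it reads the built-in Usage table that every Log Analytics workspace maintains (Quantity is recorded in MB, and IsBillable marks data that counts toward the bill) and reports billable ingestion per table for the last 30 days.

```kusto
// Added example: billable ingestion per table over the last 30 days (not from the module).
// Assumes: the workspace's built-in Usage table (Quantity is in MB).
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType
| sort by IngestedGB desc
```

Tables at the top of this list (typically Syslog, CommonSecurityLog or SecurityEvent) are where a data-collection rule or connector filter has the most effect on the bill.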

Last modified July 21, 2024: update (e2ae86c)