Security capabilities of Microsoft Sentinel
https://docs.microsoft.com/en-us/learn/modules/describe-security-capabilities-of-azure-sentinel/
Scalable
Cloud native
Security Information and Event Management (SIEM)
Security Orchestration, Automation and Response (SOAR)
Single solution
- Alert detection
- Threat visibility
- Proactive hunting
- Threat response
Collect security data from all users, devices, applications and infrastructure, both on-premises and in the cloud
Detect threats
Investigate critical incidents with AI support
Respond rapidly and automate protection
Connect Sentinel to your data
- Provides real-time integration with
  - Microsoft 365 Defender
  - Microsoft 365 sources such as Office 365, Azure AD, Microsoft Defender for Identity (formerly ATP) and Microsoft Cloud App Security
- Data is ingested into Sentinel using data connectors, including
  - Syslog
  - Windows Event Logs
  - Common Event Format (CEF)
  - Trusted Automated eXchange of Indicator Information (TAXII)
  - Azure
  - AWS services
Workbooks
- Monitor the data provided from the data sources
- Data analysis
- Visual reports
- Create custom workbooks
- Built-in templates
Analytics
- Built-in analytics alerts
Manage incidents in Microsoft Sentinel
- An incident is created when an alert is triggered
- Standard incident management tasks such as changing status or assigning the incident to resources
- Mapping feature to see incidents across the organization
Security automation and orchestration
- Automate security operations
- Integrates with Azure Logic Apps to create automated workflows or playbooks in response to events
Playbooks
- Collection of procedures that can help automate and orchestrate a response to an incident
- Run manually or when triggered by an event
- Based on Azure Logic Apps
Investigation
- Understand the scope of a potential security threat and find the root cause
- Choose an entity on the interactive graph
Hunting
- Search and query tool
- Based on the MITRE ATT&CK framework
- Proactively hunt for security threats before an alert is triggered
Integrated threat protection
- Extended Detection and Response (XDR)
- Uses Microsoft 365 Defender and Microsoft Defender for Cloud
Sentinel costs
- Data is stored in an Azure Monitor Log Analytics workspace
- Billing is based on the volume of data ingested and stored
- Two ways to pay
  - Capacity reservations bill you a fixed fee based on a selected tier
  - Pay-as-you-go (PAYG) bills you per GiB of data in the workspace
Last modified July 21, 2024: update (e2ae86c)