Azure Sentinel

Overview

Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) solution that provides intelligent security analytics and threat intelligence across the enterprise. It helps detect, investigate, and respond to threats, providing a comprehensive view of your security posture.

Core Functionality

  1. Onboard Data Sources: Connect your data sources to Azure Sentinel using built-in connectors, including Azure services such as Microsoft Entra ID, Azure Activity, and Azure Storage, as well as non-Microsoft solutions via Common Event Format (CEF), Syslog, or a REST API.
  2. Create Analytics Rules: Set up analytics rules to detect threats and generate alerts. Use built-in rules or create custom rules using Kusto Query Language (KQL) to tailor threat detection to your specific needs.
  3. Investigate Incidents: Use Azure Sentinel’s investigation tools to analyze and visualize the full scope of an attack, including entity behavior analytics, incident timelines, and interactive investigation graphs.
  4. Automate Response: Implement playbooks using Azure Logic Apps to automate response actions, reducing the time to respond to incidents and ensuring consistent handling of threats.
  5. Proactive Threat Hunting: Utilize Azure Sentinel’s hunting capabilities to proactively search for threats across your environment. Leverage built-in hunting queries and create custom queries to identify suspicious activities.
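As an added example that is not part of this page, the query below is the kind of custom KQL a scheduled analytics rule (step 2) could run over data arriving through the Microsoft Entra ID connector (step 1). It assumes the connector's standard SigninLogs table and its UserPrincipalName, IPAddress and ResultType columns, and flags a source IP that produced a burst of failed sign-ins followed by a successful one within the lookback window.

```kql
// Added example (not from the page): scheduled analytics rule query.
// Assumes SigninLogs as populated by the Microsoft Entra ID connector;
// ResultType is a string, and "0" denotes a successful sign-in.
let lookback = 1h;
let failure_threshold = 10;
// Burst of failed sign-ins per source IP inside the lookback window.
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize FailedAttempts = count(),
                DistinctUsers = dcount(UserPrincipalName),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
              by IPAddress
    | where FailedAttempts >= failure_threshold;
// Successful sign-ins from any IP inside the same window.
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress,
              SucceededUser = UserPrincipalName;
// Correlate: only keep successes that came after the failure burst
// from the same IP, which is the pattern worth raising an alert on.
failures
| join kind=inner successes on IPAddress
| where SuccessTime > LastFailure
| project IPAddress, FailedAttempts, DistinctUsers,
          FirstFailure, LastFailure, SucceededUser, SuccessTime
| order by FailedAttempts desc
```

Tune failure_threshold and lookback to the tenant's baseline before enabling the rule, and map IPAddress and SucceededUser to the IP and Account entities so the incident graph (step 3) and any playbook (step 4) receive them.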

Pricing

Azure Sentinel offers a pay-as-you-go pricing model, allowing you to optimize costs by only paying for the data you ingest and analyze. Certain Microsoft sources offer free data ingestion, contributing to cost-efficiency.

Last modified February 19, 2025: Update azure-point-to-site-vpn.md (a9c807a)