
Microsoft Sentinel – increased levels of functionality for an already mature technology


Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution from Microsoft.

Microsoft Sentinel is not a new technology, but the development of the platform and the growth in functionality make it worth mentioning.
The feature set is designed to simplify security operations and speed up threat response with built-in automation and orchestration of common tasks and workflows. The focus is mainly on:

1. Resource efficiency

Microsoft Sentinel makes it possible for organisations to automate many of the administrative tasks traditionally performed by SOC analysts. This frees up time for those analysts to do investigation and threat hunting, or to work on enhancements.

2. Incident Response efficiency

Playbooks for automated response provide a predefined way of dealing with an incident, so the response is consistent regardless of which security analyst handles it. For scenarios a playbook covers, this typically cuts the mean time to respond (MTTR) from hours, as with legacy security monitoring solutions, to minutes.

3. Cost Efficiency

Microsoft Sentinel’s flexible, consumption-based pricing avoids the need for long-term contracts and removes the capacity limits of on-premises resources, such as storage.

How has Microsoft invested in Sentinel?

Over the past year, Microsoft has invested heavily in the unified integration capabilities. Here are some examples:

Microsoft 365 Defender Integration

The advantage of the integration with Microsoft 365 Defender and the rest of the Microsoft Defender stack is that it provides a unified way to manage risk across the digital estate under a single umbrella. Incidents, alerts and the underlying schema are synchronised between Microsoft Sentinel and Microsoft 365 Defender, providing a holistic view with seamless drill-down for context, which improves analysis and speeds up the response to possible incidents.

In addition, automation rules have received new capabilities that allow playbook runs to be managed centrally and with more flexibility.

Azure Logic Apps-powered playbooks

Playbooks, powered by Azure Logic Apps, are sequences of procedures that run in response to a security alert or incident. They help speed up response actions that would otherwise be carried out by security analysts, and they can be triggered manually or run automatically when specific alerts or incidents are created or updated. Automation rules make building Security Orchestration, Automation and Response (SOAR) activities more intuitive: a single rule can combine playbook runs with incident updates (severity, ownership, status and so on) to produce the required outcome. One practical prerequisite: before an automation rule can run a playbook, Microsoft Sentinel's service identity needs the Microsoft Sentinel Automation Contributor role on the resource group that holds the playbook, otherwise the rule is saved but the playbook run fails.

Microsoft Purview Integration

Another useful feature is the integration of Microsoft Purview Data Loss Prevention alerts and incidents into Sentinel. Alerts about possible data loss appear in the same view as the Microsoft 365 Defender incident queue, so you can refine the incident scope without switching screens.

Is Microsoft Sentinel limited to Azure Cloud resources?

We often encounter a common misconception among security executives and practitioners that Microsoft Sentinel can only be used for Azure Cloud resources.

Although this might have been the case at the start, Microsoft Sentinel lets you ingest and correlate data from a wide range of log sources: multiple cloud platforms (Azure, AWS and Google Cloud), on-premises networks and compute infrastructure, third-party security tools (including firewalls), and software as a service (SaaS) applications.

Microsoft also keeps making significant improvements to log collection. Through the Logs Ingestion API and data collection rules it is now possible to send custom-format logs from any data source to the Log Analytics workspace and store them either in a limited set of standard tables (such as Syslog, CommonSecurityLog, SecurityEvent and WindowsEvent) or in custom tables that you create, with a KQL transformation in the rule reshaping records on the way in. This extends Sentinel's visibility well beyond the Azure environment.
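The following script is an added example (not code from the article, from Devoteam or from Microsoft) of the custom-log path described above: it parses lines in a made-up application audit format into records and posts them to a Log Analytics custom table through the Azure Monitor Logs Ingestion API. It assumes a data collection endpoint and a data collection rule already exist, that the rule declares a stream named Custom-AppAudit_CL with columns matching the records built here, that the caller holds the Monitoring Metrics Publisher role on the rule, and that a token is obtained from a logged-in Azure CLI. The endpoint and rule ID in the main block are placeholders.

```python
"""Send custom-format log lines to a Log Analytics custom table via the
Azure Monitor Logs Ingestion API (data collection rule based).

Assumptions (replace with your own values):
  - a data collection endpoint (DCE) and data collection rule (DCR) exist;
  - the DCR declares stream Custom-AppAudit_CL with columns
    TimeGenerated, Host, User, Action, Result and routes it to AppAudit_CL;
  - the caller has Monitoring Metrics Publisher on the DCR;
  - `az login` has been run so the Azure CLI can hand out a bearer token.
"""
import gzip
import json
import subprocess
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2023-01-01"
MAX_BODY_BYTES = 1_000_000  # the Logs Ingestion API rejects requests over 1 MB

# Constructed sample lines in a made-up format: "<epoch> <host> <user> <action> <result>"
SAMPLE_LINES = [
    "1700000000 web01 alice login success",
    "1700000005 web01 mallory login failure",
    "1700000009 web02 alice download success",
]


def parse_line(line: str) -> dict:
    """Turn one raw line into a record matching the DCR stream schema.
    TimeGenerated is mandatory and must be an ISO 8601 UTC timestamp."""
    epoch, host, user, action, result = line.split()
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return {
        "TimeGenerated": ts.isoformat().replace("+00:00", "Z"),
        "Host": host,
        "User": user,
        "Action": action,
        "Result": result,
    }


def build_ingest_url(dce_endpoint: str, dcr_immutable_id: str, stream: str) -> str:
    """URL shape of the Logs Ingestion API: DCE + DCR immutable ID + stream name."""
    return (f"{dce_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{stream}?api-version={API_VERSION}")


def chunk_records(records: list, max_bytes: int = MAX_BODY_BYTES) -> list:
    """Split records into JSON-array bodies that each stay within the size limit.
    A single record larger than the limit can never be sent, so that is an error."""
    batches, current = [], []
    for rec in records:
        candidate = current + [rec]
        if len(json.dumps(candidate).encode()) > max_bytes:
            if not current:
                raise ValueError("single record exceeds the request size limit")
            batches.append(json.dumps(current))
            current = [rec]
        else:
            current = candidate
    if current:
        batches.append(json.dumps(current))
    return batches


def cli_token() -> str:
    """Ask the Azure CLI for a token scoped to Azure Monitor."""
    out = subprocess.run(
        ["az", "account", "get-access-token", "--resource",
         "https://monitor.azure.com", "--query", "accessToken", "-o", "tsv"],
        check=True, capture_output=True, text=True)
    return out.stdout.strip()


def send_batch(url: str, body: str, token: str) -> int:
    """POST one gzip-compressed JSON array; the API answers 204 No Content on success."""
    req = urllib.request.Request(
        url, data=gzip.compress(body.encode()), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "Content-Encoding": "gzip"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    DCE = "https://my-dce-abcd.westeurope-1.ingest.monitor.azure.com"  # placeholder
    DCR_ID = "dcr-00000000000000000000000000000000"                  # placeholder
    url = build_ingest_url(DCE, DCR_ID, "Custom-AppAudit_CL")
    token = cli_token()
    for body in chunk_records([parse_line(line) for line in SAMPLE_LINES]):
        print(send_batch(url, body, token))
```

The stream name must match a declaration in the rule, and the rule's data flow decides the destination table; the same rule can carry a KQL transformation that reshapes these records before they land, which is also how you would route suitably shaped data into one of the supported standard tables rather than a custom one.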

Nowadays, security incidents are commonly mapped to the MITRE ATT&CK framework, a knowledge base of adversary tactics and techniques. Microsoft Sentinel now provides a MITRE ATT&CK page that shows which tactics and techniques your active analytics rules already cover, and which you could additionally cover by enabling the rule templates available to your organisation.

Microsoft Sentinel is firmly integrated into the Microsoft Azure ecosystem, making it a strong choice for organisations already using Azure, including alongside other cloud service providers such as AWS and Google Cloud Platform.

How can I learn more?

If you’d like to know more about the Microsoft services offered by Devoteam, please visit https://mcloud.devoteam.com/.

This article is a part of a greater series centred around the technologies and themes found within the first edition of the Devoteam TechRadar. To read further into these topics, please download the TechRadar.