
Microsoft Azure Sentinel Architecture in IT Security: A Complete Overview

July 20, 2023


An introduction to the Azure Sentinel architecture, its initial configuration, and components. 

There is a high demand in the market for a tool that can collect data from various sources, do the correlation, and report the information in a single dashboard.

Azure Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration and Automated Response) solution from Microsoft. It uses built-in AI for alert detection, threat visibility, threat response, and proactive hunting.

Azure Sentinel analyzes large volumes of data across an organization with the help of Logic Apps and Log Analytics. Its machine learning capabilities identify security threats and suspicious activities and make responding to them easier.

Microsoft Azure Sentinel performs the following tasks:

  • Collect data at cloud scale across all devices, applications, users, and infrastructure, both on-premises and in multiple clouds.
  • Identify previously undetected security threats and lower false positives using artificial intelligence.
  • Investigate threats and detect suspicious activities at scale.
  • Respond quickly to incidents with built-in security automation and orchestration of tasks.


Azure Sentinel Architecture

Because Azure Sentinel is a SIEM and SOAR solution that is part of Microsoft Azure, the first thing to do is to obtain an Azure subscription for the deployment. Azure Sentinel collects data from the different sources you configure and stores these events in the Log Analytics workspace of your choice. You can use an existing workspace or create a new one. However, it is recommended that you use a dedicated workspace for Azure Sentinel data, because its investigations and alerts do not work across different workspaces. You need at least Contributor permission on the subscription that holds that workspace.

 

[Figure: Azure Sentinel architecture]

Now let us look at Azure Sentinel’s architecture.

1. Collect Data:

Azure Sentinel can collect data on-premises and in multiple cloud environments from all users, applications, devices, and infrastructure. It has a simple graphical interface for connecting to security sources. Besides the various connectors that offer real-time integrations, Azure Sentinel also has built-in interfaces for third-party (non-Microsoft) products and services. Moreover, Azure Sentinel can connect to the relevant data sources via REST API, Common Event Format (CEF), or Syslog.

The following services can be integrated directly with out-of-the-box connectors:

  • Azure Activity
  • Microsoft Defender for Identity
  • Azure DDoS Protection
  • Azure Active Directory
  • Azure Web Application Firewall
  • Office 365
  • Azure AD Identity Protection
  • Azure Firewall
  • Azure Security Center
  • Amazon Web Services – CloudTrail
  • Cloud App Security
  • other Microsoft solutions

Other data sources not in this list can also be connected to Azure Sentinel using an agent. The Syslog protocol is used for real-time log streaming. In the Azure Sentinel architecture, the Log Analytics Agent component converts CEF-formatted logs into a format that Log Analytics can ingest.

Some examples of external solutions supported by Azure Sentinel via agents are:

  • Linux servers
  • DNS servers
  • Azure Stack VMs
  • DLP systems

 

2. Detect Threats:

Azure Sentinel detects threats and lowers false positives using analytics and threat intelligence from Microsoft. Its analytics play an important role in correlating alerts with identified security issues.

Azure Sentinel comes with built-in templates for threat detection and automated responses. Moreover, Azure Sentinel also allows you to create custom rules. The four built-in template types are listed below:

  • Microsoft Security Templates: These generate a real-time flow of alerts from other Microsoft security products.
  • Fusion Template: It employs scalable machine learning techniques to turn a large number of events and alerts from different products into actionable incidents.
  • Machine Learning Behavioural Analytics Templates: These are built on Microsoft’s proprietary machine learning algorithms, each consisting of a single rule. Users have no access to the run timing or the underlying logic of the template.
  • Scheduled Templates: These are analytics rules based on built-in queries. Users can see the query logic and adjust it to their needs, or use it as the basis for new custom rules.
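As an added example that is not part of the original post and not Microsoft's or the Log Analytics agent's code, the following ties the CEF collection path from section 1 to the scheduled-rule detection described here: a parser that turns CEF-over-syslog lines into CommonSecurityLog-style fields (handling the `\|` and `\=` escapes the format requires), followed by a failed-login threshold check of the kind a scheduled rule expresses. The vendor and product names, the signature ID 100, and the log lines are constructed for the example.

```python
# Added example, not Microsoft's or the Log Analytics agent's code; all sample values are constructed.
import re
from collections import defaultdict
# CEF header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension;
# header fields escape "|" and "\" with a backslash, while the extension may contain a raw "|".
_FIELD = r"((?:\\.|[^|\\])*)"
_CEF_RE = re.compile(r"CEF:(\d+)\|" + r"\|".join([_FIELD] * 6) + r"\|(.*)$")
_HEADER_KEYS = ("DeviceVendor", "DeviceProduct", "DeviceVersion", "DeviceEventClassID", "Activity", "LogSeverity")

def _unescape(value: str) -> str:
    # Undo CEF escaping: \| \= \\ become literal characters; \n and \r become line breaks
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)

def parse_cef(line: str):
    """Return header + extension fields as one dict, or None if the line carries no CEF."""
    m = _CEF_RE.search(line)            # search() skips the syslog prefix (timestamp, host)
    if not m:
        return None
    record = {"CefVersion": int(m[1]), **{k: _unescape(v) for k, v in zip(_HEADER_KEYS, m.groups()[1:7])}}
    # Extension is key=value pairs; values may hold spaces, but a literal "=" is escaped as \=, so split at " key="
    for pair in re.split(r" (?=[A-Za-z0-9_.]+=)", m[8]):
        key, _, value = pair.partition("=")
        record[key] = _unescape(value)
    return record

def failed_login_bursts(records, threshold=3, window_ms=5 * 60 * 1000):
    """Source IPs with >= threshold failed logins (signature 100) in a sliding window: a scheduled-rule check."""
    by_src = defaultdict(list)
    for r in records:
        if r and r.get("DeviceEventClassID") == "100" and "src" in r and "rt" in r:
            by_src[r["src"]].append(int(r["rt"]))   # rt = receipt time, epoch milliseconds
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_ms:     # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = max(hits.get(src, 0), end - start + 1)
    return hits
SAMPLE_SYSLOG = r"""
Jul 20 10:00:01 fw01 CEF:0|Contoso|Gateway\|Edge|1.0|100|Failed Login|5|src=203.0.113.5 suser=alice rt=1689847201000 msg=bad password
Jul 20 10:00:40 fw01 CEF:0|Contoso|Gateway\|Edge|1.0|100|Failed Login|5|src=203.0.113.5 suser=alice rt=1689847240000 msg=bad password
Jul 20 10:01:10 fw01 CEF:0|Contoso|Gateway\|Edge|1.0|100|Failed Login|5|src=203.0.113.5 suser=bob rt=1689847270000 msg=bad password
Jul 20 10:02:30 fw01 CEF:0|Contoso|Gateway\|Edge|1.0|100|Failed Login|5|src=198.51.100.9 suser=carol rt=1689847350000 msg=key a\=b pipe \|
"""
def run_sample():
    records = [parse_cef(line) for line in SAMPLE_SYSLOG.strip().splitlines()]
    return records, failed_login_bursts(records)
```

Running `run_sample()` parses the four constructed lines and flags 203.0.113.5, which has three failed logins inside five minutes, while 198.51.100.9 stays below the threshold.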

 

3. Suspicious Activity Investigation:

The Microsoft Azure Sentinel architecture can detect and track suspicious behaviour across the enterprise. Using the MITRE framework, it helps lower noise and identify security threats. To detect suspicious activity, Azure Sentinel uses its built-in AI to detect threats before an alert is triggered.

  • Create Bookmarks

You can bookmark data or events that you come across while searching so that you can review them later, and then create an incident for investigation.

  • Automate investigations with notebooks

Notebooks are similar to playbooks in that both offer step-by-step guides used to keep track of your searches and response operations. A notebook compiles all the steps of a hunting process into a reusable playbook, which can then be shared with other team members.

  • Built-in Queries

These are an important feature that helps you get started with the tables and Microsoft’s query language. You can also develop new queries or modify existing ones to improve your detection methods.

  • Intelligent Query Language

Hunting is built on top of a query language well suited to hunting threats.

 

4. Respond

Azure Sentinel handles incident orchestration seamlessly and swiftly with built-in automation, and routine, repetitive activities can be readily automated. It uses playbooks to simplify security orchestration. When an incident occurs, it can also create tickets in ServiceNow, Jira, and other systems.

 


 

Components of Azure Sentinel Architecture

 

[Figure: Azure Sentinel architecture components]

 

The components are presented below:

  • Dashboards: Built-in dashboards in Azure Sentinel provide data visualization for the connected data sources. This enables you to investigate the events generated by those services in depth.
  • Cases: A case is a collection of all the relevant incidents for a specific investigation. It can contain one or multiple alerts, which are based on the analytics that you define.
  • Hunting: This is a powerful tool in Azure Sentinel’s architecture for security analysts who need to investigate security threats. The search capabilities of the hunting tools are powered by Kusto Query Language (KQL).
  • Notebooks: By integrating with notebooks, the tool increases what can be done with the collected data. The notebooks feature programmatically combines a collection of libraries for visualization, machine learning, and data analysis.
  • Data Connectors: Built-in connectors in Azure Sentinel facilitate data ingestion from Microsoft services.
  • Playbooks: A playbook is a collection of procedures that is executed automatically when an alert is triggered by Microsoft Sentinel. Playbooks are built on Azure Logic Apps, which help you automate and orchestrate tasks and workflows.
  • Analytics: Analytics allows you to create custom alerts using KQL (Kusto Query Language).
  • Community: The Community page is on GitHub. It contains detections based on various types of data sources, used to create alerts and respond to threats in your environment. The Azure Sentinel Community page also contains playbooks, hunting query samples, and other artefacts.
  • Workspace: An Azure Sentinel Log Analytics workspace is a container that holds all data and configuration information. The tool uses such workspaces to store the information aggregated from the various data sources.


Conclusion:

In this blog, we have discussed the Microsoft Azure Sentinel architecture, its core capabilities, and its components. For more details about Azure Sentinel training, kindly visit the Virtual Azure Course with lab access.

 
