Microsoft Azure Sentinel provides intelligent security analytics at the enterprise level to keep pace with an exponential growth in security data, improve outcomes and reduce costs. Microsoft has designed this SIEM to deliver instant value on end-to-end security operations with high agility through automatic data scalability and efficiency through automation. With its thirty-two out-of-the-box data connectors, Azure Sentinel collects data at cloud-scale and supports integration for virtually any source. Microsoft adds new connectors almost daily.
Analytic rules guide threat detection, and there are more than one hundred customizable options built into the platform. Subscribers may use KQL queries to create or customize rules. Built-in machine learning supports the analytics engine by fusing data sources to detect threats along the entire kill chain, increasing catch rates without increasing alert noise.
Azure Sentinel detects all rule violations, classifies them as incidents and then populates them into highly interactive workbooks (dashboards). Analysts can either create workbooks from scratch or select from a gallery of customizable options. We find that these dashboards lack some of the graphic design elements and visuals we have seen with other products. However, we still believe that the dashboards give sufficient insight into, and an overview of, data sources.
Flexible query options make investigation and threat hunting quick and easy. As with rule creation, security teams can create or customize queries by leveraging KQL. However, less experienced analysts may feel more comfortable leveraging the platform’s built-in threat hunting queries. The dashboard visualizes the entire course of an attack, giving a timeline, supporting descriptions and a relationship view of correlated data points. This array of information helps experts determine the scope and impact of an identified threat. To expedite attack responses, the platform offers automation and orchestration in addition to manual remediation. The Azure Sentinel community drives these automated responses, providing a library of resources on detections, queries and workbooks.
Jupyter notebooks help generate reports. We could not launch notebooks, however, and determined that their use is neither intuitive nor well documented.
We believe that Microsoft Azure Sentinel remains an underdeveloped SIEM, lacking the polish and refinement we see with some other solutions. However, Microsoft’s unmatched global reputation reminds us that we can always expect quality security software and solutions from them. This SIEM simply needs time to develop and mature, and with some work on the clarity and simplicity of the interface, it will become a powerhouse in the future.
Pricing starts at $2 per GB ingested, and Log Analytics starts at $2.30 per GB. These prices include 24/7 access to billing and subscription support, online self-help, documentation, knowledgebase, FAQ list and support forums for the duration of the Microsoft Azure account. We had some issues with overall function, and our experience with support initially frustrated us and led to some misunderstandings about the nature of our issue. Eventually, Microsoft did guide us to a resolution. Azure Community does link to GitHub for community-created scripts, but this section will also need some time to develop. Non-security professionals may stumble with its navigation. Additional support options are available for a fee.
Tested by: Tom Weil