High-level Walk-Through: How Azure Sentinel achieves SIEM workflow
1. Connect data providers to Azure Sentinel (Data connectors menus):
- Common identity and access providers like Azure Active Directory and Office 365, syslog, DNS, Security Events, and Azure Activity
- Additional (premium or optional) Microsoft security components like Azure ATP, Azure Security Center, Azure Information Protection
- Other cloud providers like AWS CloudTrail
- Enterprise security vendors: Palo Alto Networks, Cisco ASA, Check Point, Fortinet, F5, Symantec ICDX, and Barracuda
Many of these data providers will already exist in your Azure or on-premises estates. It’s just a matter of also connecting them to Azure Sentinel. Examples: Connect Azure Security Center (ASC) = ASC keeps working as before and now events are included in Azure Sentinel. Another example: Connect Log Analytics workspace = all workspace solutions work as before, plus the workspace is co-purposed for Azure Sentinel. Until the Azure Sentinel preview period is over, there are little or no additional charges to connect existing data sources to Sentinel.
2. Use the Hunting feature of Azure Sentinel Threat management to identify queries that produce results of interest, like “Summary of failed user logins by reason”. (See Figure 3.) The pre-populated queries get you starting on creating your own valuable Kusto-based queries customized for your environment.
Figure 3 – The Hunting feature helps you craft very specific queries that only return data when you want a case created