What is Microsoft Sentinel? Everything you need to know to get started with Microsoft’s cloud SIEM

Security is a key focus for today’s organisations and ensuring visibility across the entire cloud and on-premises infrastructure is critical.

Organisations tell us that creating a single view of their cyber security and telemetry data – coupled with providing meaningful insights and alerts – is often a hugely complex task that involves deploying large, resource-intensive solutions.

Managing these solutions to ensure they are quick to surface insights at scale is also difficult, and having the operational processes in place to respond to and investigate incidents is often a vital step that security staff struggle to stay on top of.

Microsoft Sentinel has been designed to help you address these challenges.

In this blog, we’ll demonstrate the power of Microsoft Sentinel and how it can defend and respond against even the most sophisticated of attacks.

Microsoft Sentinel – What is it and what does it do?

Microsoft Sentinel is Microsoft’s cloud-native security information and event management (SIEM) AND security orchestration automated response (SOAR) solution all in one!

It brings together the latest in security innovation and advanced AI to provide near real-time intelligent security analytics for a bird’s-eye view over your entire enterprise’s IT estate.

With Sentinel you can consume security related data from almost any source – not just sources inside your Microsoft tenant! This removes the need to manage multiple pieces of complex and costly infrastructure components – whilst providing a cloud platform solution that can easily scale to your needs.

Sentinel uses machine learning and AI models to surface important insights based on data consumed through a wide catalogue of data connectors. This includes native connections to all key Microsoft sources, together with a range of native 3rd party connectors which includes technologies from AWS, Symantec, Barracuda, Cisco, and many others.

The solution analyses in excess of 6.5 trillion signals daily to provide unparalleled threat intelligence. This, coupled with the ability to filter millions of signals into meaningful dashboard alerts, provides comprehensive hunting and investigative capabilities – enabling you to expedite your response to potential attacks.

Sentinel also integrates with a wide range of systems – providing the option to automate your incident response activities, thereby allowing you to orchestrate your activities in an efficient and effective manner.

4 key security pillars

Put simply, Microsoft Sentinel enables you to:

How to enable Sentinel in your environment

Enabling Sentinel in your environment is simple, all you need is the following:

• An active Azure subscription.
• A Log Analytics workspace.

Once you have that, you can browse to Sentinel within the Azure portal to deploy – then you are ready to begin adding your data connectors.

You can enable Sentinel on new Azure Monitor Log Analytics workspaces and both data ingestion and Sentinel charges are waived for the first 31 days (up to 10GB of log data per day). It’s worth noting you are limited to a 20-workspace limit per Azure tenant, but it should be more than sufficient to get a feel for the platform.

For existing workspaces, only the Sentinel charges are waived during this 31-day trial. Also, any charges related to additional automation or bring-your-own machine learning still apply.

Currently, there are several Microsoft data connectors that are available out-of-the-box and these provide near real-time integration, including, Office 365, Azure AD, Microsoft 365 Defender and Defender for Cloud Apps.

Sentinel also provides over 100 out-of-the-box data connectors for non-Microsoft solutions, including AWS, Barracuda, Cisco, and Symantec. Sentinel additionally provides support for generic connectors allowing you to send data via Windows Firewall, Syslog, REST API, or common event format (CEF), enabling you to send information from any data source. So, it’s very flexible to your infrastructure.

Once your data connectors are enabled, Sentinel will begin analysing and reporting on potential threats within your environment using the built-in alert rules.

However, the real power of Microsoft Sentinel is the ability to write custom alert rules and automated playbooks to help detect and remediate threats in real-time. These custom alert rules and playbooks allow you to tailor Sentinel to protect your organisation against any specific threats it faces.

Microsoft Sentinel in action – A typical scenario…

In this example, an organisation’s Azure AD Connect instance has been compromised and their credentials have been exfiltrated. We will investigate this attack and highlight how Microsoft Sentinel could have been used to alert and mitigate this attack at different points of the cyber kill chain.

The cyber kill chain is a series of 8 steps that trace an attack from reconnaissance to data exploitation – enhancing our understanding of the timeline of a cyber-attack.

We will be focusing on the alerting and remediation response against reconnaissance, intrusion and exfiltration.

Why target Azure AD Connect?

For those unaware of Azure AD Connect (AAD Connect), it is a tool that allows organisations to connect their on-premises Active Directory with their Azure Active Directory environment. The most common authentication configurations for AAD Connect are via Password Hash Sync (PHS) or Pass Through Authentication (PTA).

Password Hash Sync operates by synchronising the hashed passwords that sits on Active Directory with Azure Active Directory, allowing users to sign into cloud services using their on-premises credentials. Whereas Pass Through Authentication allows users to sign into cloud services using their on-premises credentials by forwarding authentication requests to an on-premises Active Directory server.

Both these configurations deal with the management of an organisation’s credentials, as such it is often a valuable target for attackers. Hence it is vital that the AAD Connect service, and the server it sits on is protected to prevent the compromise of credentials.

Reconnaissance

The first step of the cyber kill chain is reconnaissance. Research shows that up to 60% of an attacker’s time is spent investigating an organisation and their infrastructure before they begin their attack. So, while reconnaissance is not a threat nor is it an exploit. It is important to remember that reconnaissance is the first step on the path to a cyber-attack. As such it is vital to respond to such threats when they occur.

The most common form of reconnaissance is the use of port scanning to fingerprint servers and identify what OS is in use and potentially what services are running. With this information, attackers will exploit known vulnerabilities or use a password spray attack to attempt to gain a foothold in the system.

Using Microsoft Sentinel, we can create a custom alert rule that will react when it detects potential port scanning and trigger a playbook to remediate the threat.

To respond to this alert, we can create an automated playbook which is built using the Logic Apps framework available in Azure. Logic Apps uses a simple drag and drop interface to build a series of tasks to execute.

The advantage of Logic Apps is they can be used to build complex workflows that would normally take up valuable time of an organisation’s IT personnel – thus reducing the amount of time spent on trivial, repetitive tasks.

Intrusion

An ever-growing form of intrusion that many organisations face, is the password spray attack. This is a type of attack where an attacker will attempt to gain access into a system using default or commonly used credentials.

Attackers are also increasingly using lists of the most common passwords to gain access to systems. According to the NCSC, over 75% of organisations had passwords that feature in the top 1,000 most commonly used passwords. So, it’s no surprise that password spray attacks are becoming commonplace!

Attackers are unlikely to attempt to sign into an account manually from their own IP address, instead they’ll attempt to automate the task using botnets. Hence when an alert is raised for an unusual sign-in, we can look up the IP address of the sign-in alert and check whether it came from a known botnet, block the user from signing in and raise a ticket in Service Now to notify IT personnel of a potential account breach.

While most workflows can be created using the basic building blocks providing in Logic Apps, a more complex workflow is sometimes required. In this case we can’t easily create a Logic App to compare the IP address of the alert against a list of known botnets. However, Logic Apps allows us to integrate with Functions Apps, which are small blocks of custom code that can be run. As a result, we can create Logic App that can perform more complex tasks.

Exfiltration

Once an attacker has gained initial access in a network, they will be looking for ways to extract data from a system. In our fictitious example, the attacker has gained access to a local administrator account and is now looking to export all the user credentials stored in the Active Directory.

As the attacker has breached the server which hosts the AAD Connect service, they can compromise the built-in service account which AAD Connect uses to perform its synchronisation, an attack method commonly referred to as DCSync. It impersonates a Domain Controller and can request password data from the target Domain Controller.

Within the Microsoft security stack, Azure Advanced Threat Protection has out-of-the-box detection for DCSync attacks. However, many security teams face the problem of having to navigate the different dashboards for each Microsoft security solution they have deployed, such as Microsoft Defender ATP, Azure ATP, and CAS.

In the past, this has meant that time was wasted navigating between different dashboards and consoles with slower response times and potentially missed threats and correlations.

With the introduction of Microsoft Sentinel, an organisation can now view threats and alerts across their entire IT estate. They can also take advantage of incidents within Sentinel to correlate alerts and entities across all data sources to add contextual information that is meaningful to the investigation process.

Conclusion

In conclusion, Microsoft Sentinel is a powerful SIEM fit for the modern technological landscape. It provides a bird’s-eye view of your entire IT estate along with smart analytics supported by advanced artificial intelligence to help detect and respond to threats in near real-time.

As seen in the examples in this blog, Sentinel can integrate seamlessly with your pre-existing Microsoft and non-Microsoft infrastructure, while still providing you the control to customise Sentinel to match your security requirements.

This all contributes toward defending your organisation against the ever-growing cyber security threats of this modern world. Microsoft Sentinel’s use of automated playbooks can also increase the productivity of IT and support personnel by reducing the amount of trivial and time-consuming remediation tasks required, all while increasing response times to incidents.

Key takeaways

Next steps