“For new users, the biggest challenge will be learning how best to use the technology and data connections to produce the security protection they need.”
Microsoft Azure Sentinel is a security information and event management (SIEM) solution hosted in the Azure public cloud. It integrates with Microsoft’s portfolio of security products, which enables you to send security data into a common Azure Sentinel workspace, essentially a big bucket of information. There, you can tell Azure Sentinel how to query the data, apply analytic rules to it, and trigger alerts and other actions.
With Azure Sentinel, you can correlate data, set thresholds, create alarms, and integrate the tool with a ticketing system. That way, if Azure Sentinel identifies an incident, it can immediately turn it into a ticket that goes to the first-line security operations center (SOC) so that analysts can investigate and respond. You can also orchestrate and automate responses to alerts using playbooks.
Azure Sentinel is native to the Microsoft security ecosystem, but it also integrates with Amazon Web Services (AWS). For example, application programming interfaces enable you to configure Azure Sentinel to consume AWS CloudTrail and Amazon GuardDuty logs. Microsoft is adding integrations with other cloud providers as well.
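As an added illustration of the workflow the excerpt describes (data landing in the workspace, a query with a threshold, and an alert that becomes an incident for the SOC), here is a scheduled analytics rule query over the AWS CloudTrail data mentioned above. This is example code written for this page, not from the eBook or from Microsoft; it assumes the AWS CloudTrail data connector is enabled and populating the AWSCloudTrail table, and the threshold and lookback values are placeholders to be tuned against your own baseline.

```kql
// Added example (not from the eBook): scheduled analytics rule query for Azure Sentinel.
// Assumes the AWS CloudTrail connector is enabled and writing to the AWSCloudTrail table.
// Goal: raise an alert when one source IP accumulates many failed AWS console logins.
let lookback = 1h;        // assumed query period; set the rule's "lookup data from" to match
let threshold = 10;       // assumed tuning value; adjust to your environment's normal failure rate
AWSCloudTrail
| where TimeGenerated > ago(lookback)
| where EventName == "ConsoleLogin"
// CloudTrail records a failed console login with ConsoleLogin = "Failure" in responseElements
| where ResponseElements has "Failure" or ErrorMessage has "Failed authentication"
| summarize
    FailedLogins = count(),
    TargetUsers  = make_set(UserIdentityArn),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated)
    by SourceIpAddress, AwsRegion
| where FailedLogins >= threshold
| project-reorder SourceIpAddress, FailedLogins, TargetUsers, FirstSeen, LastSeen, AwsRegion
```

When saved as a scheduled rule with "Run query every 1 hour" and the trigger set to "Generate alert when results > 0", each row becomes an alert; map SourceIpAddress to the IP entity and UserIdentityArn to the Account entity in the rule's entity mapping so the resulting incident carries the indicators the SOC needs, and attach an automation rule or playbook (for example, one that opens the ticket mentioned above) to the incident creation.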
This is an excerpt from 7 Experts on Implementing Azure Sentinel. This eBook was generously sponsored by BlueVoyant.