The most important part of implementing Microsoft Azure Sentinel is knowing your objectives, because Azure Sentinel differs from traditional security information and event management (SIEM) tools in two key ways:
• Sentinel is smart. Many companies that use SIEM tools know them in their traditional role as security data aggregators: the SIEM system collects raw logs and provides the data to analysts in the security operations center, who look at that data and use other analytical tools to determine its meaning. Azure Sentinel automatically performs the analytical work on alerts and provides a clear, straightforward presentation of the incident history and event relationships. It does a lot of the analytical work for analysts: an analyst can choose an incident from the Azure Sentinel incident list and within seconds have a complete view of what happened.
• Azure Sentinel also provides security orchestration and automated response. These features enable you to build automated playbooks into your Azure Sentinel implementation. Azure Sentinel has no preconfigured playbooks. Instead, you use the tool’s analytics rules, triggers, and Logic Apps to create your own playbooks based on your requirements. You can then run these playbooks manually or automatically. Playbooks make Azure Sentinel a powerful security automation tool.
This is an excerpt from 7 Experts on Implementing Azure Sentinel. This eBook was generously sponsored by BlueVoyant.