Azure Sentinel - Frequently Asked Questions

Common questions about Azure Sentinel.

1. What is Azure Sentinel?
It is a cloud-native SIEM tool that provides insight into the overall infrastructure. Multiple data sources can be connected to it. By default, it is connected to a Log Analytics workspace.

2. Does it have its own set of data?
No. All of its analytics are Kusto (KQL) queries, many of them pre-written (available on GitHub), that run against data already collected by Log Analytics. Furthermore, it can ingest Microsoft-native data sources such as Active Directory logs, or third-party products such as Palo Alto and F5.

3. How does it differ from Azure Security Center?
Azure Security Center is focused much more on the health/hygiene of the infrastructure. It computes a score from points and presents it; once the recommendations are met, the score rises to an acceptable level.

Azure Sentinel, on the other hand, is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) tool. Its primary job is to collect data from various sources, such as Log Analytics and third-party data sources, and to perform analytics on that data using its machine-learning-powered intelligence.

4. What are the prerequisites?
At least one Log Analytics workspace, which serves as the primary source of the information Sentinel needs in order to operate. We can run custom queries against those data sources to get the analytics and responses that meet our needs.

5. What are the 4 pillars of Azure Sentinel?
The four pillars are Collect, Detect, Investigate and Respond.

6. What are the different data sources available?
I prefer to categorize them into two groups: native data sources such as Azure Activity, System Center and Active Directory, and third-party sources such as Palo Alto, Check Point, F5 and others.

7. What is the easiest data connector for testing functionality?
Azure Activity logs are the best way to start. Make sure they are connected to the workspace.

8. What about connecting Azure Security Center?
Yes, we can do it, but it requires an upgrade: Azure Security Center Standard is required. By default we have the free tier, which provides continuous assessment and security recommendations along with Azure Secure Score, but the free tier cannot be connected as a data source.

9. What is the easiest way to test?
We can start with the Azure Activity log and Syslog.
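Once the Azure Activity connector is feeding the workspace, the data lands in the AzureActivity table and the pre-written KQL analytics described in question 2 run against it. The query below is an added starter example, not from the original post or from Microsoft's rule set: it surfaces callers who made repeated, or multi-IP, successful changes to role assignments or network security group rules. The column names follow the current AzureActivity schema, and the lookback, threshold and operation list are assumptions to tune for your environment.

```kql
// Added example: starter analytics query over the AzureActivity table.
// Assumed tuning values: adjust to the environment's baseline.
let lookback = 1h;
let threshold = 5;
let sensitiveOps = dynamic([
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/write"
]);
AzureActivity
| where TimeGenerated > ago(lookback)
// Only completed changes; "Start"/"Accept" records would double count.
| where ActivityStatusValue == "Success"
| where OperationNameValue in~ (sensitiveOps)
| summarize
    OperationCount = count(),
    DistinctIPs    = dcount(CallerIpAddress),
    SourceIPs      = make_set(CallerIpAddress, 10),
    Operations     = make_set(OperationNameValue, 10),
    Resources      = make_set(ResourceGroup, 10),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
    by Caller, SubscriptionId
// Flag bursts of privileged changes, or one identity acting from several IPs.
| where OperationCount >= threshold or DistinctIPs > 1
| order by OperationCount desc
```

Run it in the Logs blade of the workspace first; once the results look sane, it can be saved as a scheduled analytics rule with the same lookback as its run frequency.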

10. How to remove Sentinel?

  1. Navigate to the Log Analytics workspace.
  2. Select Solutions in the blade.
  3. Click "SecurityInsights(yourloganalyticsworkspacename)".
  4. Click Delete.
