
Q&A about Microsoft Sentinel

9th October 2024

Hi Jack, as you’re aware it is Cyber Security Awareness Month! Please could you help provide some insight about Microsoft’s Sentinel product, as we typically use this as the core platform for our SOC Services?

Firstly, could you explain what Sentinel is, and what is the elevator pitch for its use?

Microsoft Sentinel is what is known as a SIEM, a Security Information and Event Management platform. Think of Sentinel as your 24/7 smart security assistant. It’s like having a security guard who never sleeps, continuously watches your systems, spots threats before they escalate, and depending on how it has been configured, can even act automatically to stop them. Because it’s in the cloud, it’s scalable and easy to integrate with the stuff you already use, especially the Microsoft suite of services such as Azure, Intune, and Defender. Due to that, it’s quicker to implement and configure compared to most other SIEMs.

Will Sentinel alert the analyst to suspicious activity?

Sentinel’s bread and butter is alerting analysts to concerning activity; it is its primary purpose. To get more technical, Sentinel generates ‘incidents’ through routine KQL queries, which is Microsoft’s version of SQL. KQL is used for querying databases. In the case of Sentinel, these databases contain operational or security-related information that is updated every second, with each entry being an event.

The KQL queries run on a schedule set by the SOC, and hunt for specific events within these databases, sometimes even cross-referencing to find activities that are suspicious. These generate a corresponding alert and incident for the active analyst to investigate. Information about affected entities is compiled within the incident, providing quick, useful information to the analyst.

Depending on how it’s set up, certain incidents can be configured to trigger automation actions, such as disabling accounts, resetting passwords, or messaging users.
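The answer above describes scheduled KQL queries that hunt for specific events and cross-reference them to raise an incident. The query below is an added illustration of that pattern and is not from the original interview or from BlueSOC. It assumes the SigninLogs table populated by the Microsoft Entra ID data connector; the one-hour window and the failure threshold are assumed values that a SOC would tune to its own environment.

```kql
// Added example (not from the original post): a scheduled analytics-rule query
// that looks for a burst of failed sign-ins from one IP address followed by a
// successful sign-in from the same address, the kind of cross-referencing the
// answer describes. Assumes the SigninLogs table from the Microsoft Entra ID
// data connector. The lookback window and threshold are assumed, tunable values.
let lookback = 1h;
let failThreshold = 10;
// Step 1: group failed sign-ins by source IP within the window.
// In SigninLogs, ResultType "0" is success; any other value is a failure.
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated),
                TargetAccounts = make_set(UserPrincipalName, 20)
      by IPAddress
    | where FailedCount >= failThreshold;
// Step 2: successful sign-ins in the same window, keyed by the same IP column.
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress, SucceededAccount = UserPrincipalName;
// Step 3: cross-reference the two sets and keep only successes that happened
// after the last failure from that IP. Each resulting row becomes an alert.
failures
| join kind=inner successes on IPAddress
| where SuccessTime > LastFail
| project IPAddress, FailedCount, FirstFail, LastFail, SuccessTime, SucceededAccount, TargetAccounts
```

When this query is saved as a scheduled analytics rule, the rule’s schedule and lookup period would match the lookback used in the query, and the rule’s entity mapping would tie SucceededAccount to the Account entity and IPAddress to the IP entity. That mapping is what puts the affected entities into the incident for the analyst, as described above. The query deliberately raises only on a failure burst followed by a success, rather than on any burst of failures, which keeps routine password-typo noise out of the incident queue.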

How can Sentinel help Security Analysts?

Sentinel helps security analysts like us by cutting through the noise, allowing us to automate threat detection and fine-tune detection rules so that we don’t have to investigate millions of benign alerts. It shows all these alerts on one pane, so we know which incidents need to be tackled first. The concentrated amount of information also extends to the reporting side, where graphs, statistics and reports can be generated at will over any given time period to inform of any emerging trends and to keep senior management in the loop.

Can Sentinel be configured to meet the specific needs of the organisation or am I constrained by what is in the box?

It’s completely up to the SOC in how Sentinel is set up. It works brilliantly out of the box, and Microsoft have done a great job compiling an array of analytic rules, data connectors, workbooks and playbooks within its Content Hub so that detailed security information can be pulled from Sentinel right from the start.

Despite it being SaaS, the amount of configuration options available to those that want a more tailored experience can be overwhelming. Microsoft even puts out exams focused on Sentinel and Defender, given how intricate it can be. This is to say that custom logs can be ingested into the solution, analytics rule details can be tuned, and thanks to the native integration with Power/Logic Apps, automation can be performed across the entire Azure estate.

Does Sentinel learn about the patterns of threats against your organisation?

Sentinel itself is not a machine learning solution, but does come with some behaviour analysis capabilities. Notably though, User Entity and Behaviour Analytics (UEBA) is a snap-on service for Sentinel. UEBA builds a baseline of behavioural profiles for users, hosts, IP addresses, etc., and then uses information from this profile to identify anomalous activity to provide additional insight into whether an asset might have been compromised. This information can be used in tandem with standard KQL queries, allowing more granular tuning opportunities.

Can you offer some advice on becoming proficient in Sentinel, based on your journey?

A lot of self-learning actually! It’s the classic quandary where, to use Sentinel, you need to be proficient in it, but to be proficient in it you must use it. During a previous role, I got permission to have read access to Sentinel and did a lot of passive research, as well as doing the relevant Microsoft certifications to reinforce that knowledge, including the Microsoft Security Operations Analyst (SC-200) certification.

After working with another SIEM at another company for a few years, I joined up with BlueSOC, and was let loose on the engineering side of Sentinel, finally being able to put years of theory to the test. Since then, I’ve developed a plethora of custom KQL queries and associated automation, implemented solutions to ingest a variety of data sources such as syslog, as well as actually analysing all incidents coming in daily.

If you had one Microsoft wish what would you like Sentinel to do that isn’t on the product roadmap?

I doubt it’s technically possible, but if Microsoft was somehow able to conjure up a way for outdated KQL queries with custom tuning to keep that tuning between Content Hub updates, it would save me hours of time trying to read the necessary code!

Who knows, maybe Copilot for Security will be able to help with that eventually.


If you would like to use Microsoft Sentinel to detect malicious activity in your environment then BlueSOC would love to help. Please get in touch!

Tom Z, Non-Executive Director at BlueSOC
