Microsoft Sentinel in Action, Second Edition
Architect, design, implement, and operate Microsoft Sentinel as the core of your security solutions

Authors: Richard Diver, Gary Bushey
Published: Feb 2022, Packt
ISBN-13: 9781801815536
Format: Paperback, 478 pages

Cloud platform integrations

One of the key reasons you might be planning to deploy Microsoft Sentinel is to manage the security of your cloud platform deployments. Instead of sending logs from the cloud provider to an on-premises SIEM solution, you will likely want to keep that data off your local network, to save on bandwidth usage and storage costs.

Let's now look at how some of these platforms can be integrated with Microsoft Sentinel.

Integrating with Amazon Web Services (AWS)

AWS provides API access to most features across the platform, which enables Microsoft Sentinel to be a rich integration solution. The following list provides some of the common resources that should be integrated with Microsoft Sentinel if they are enabled in your AWS accounts:

  • AWS CloudTrail logs provide insights into AWS user activities, including failed sign-in attempts, IP addresses, regions, user agents, and identity types, as well as potentially malicious user activities with assumed roles.
  • AWS CloudTrail logs also provide network-related resource activities, including the creation, update, and deletion of security groups, network access control lists (ACLs) and routes, gateways, elastic load balancers, Virtual Private Cloud (VPC), subnets, and network interfaces.
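The two kinds of CloudTrail insight listed above can be checked directly once the AWS connector is ingesting into the AWSCloudTrail table. The following KQL is an added example and not code from the book; it assumes the standard AWSCloudTrail schema (EventName, ResponseElements, UserIdentityArn, SourceIpAddress, and so on) and the 5-failure and 1-day thresholds are illustrative choices, not values from the text. The two queries are independent and are run one at a time.

```kql
// Added example (not from the book). Query 1: failed console sign-ins from
// AWSCloudTrail, grouped to surface repeated failures against one identity
// from one source address. ConsoleLogin records report the outcome inside
// ResponseElements, so it is parsed out rather than read from ErrorCode.
AWSCloudTrail
| where TimeGenerated > ago(1d)              // window is an illustrative choice
| where EventName == "ConsoleLogin"
| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)
| where LoginResult == "Failure"
| summarize FailedAttempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            UserAgents = make_set(UserAgent, 10)
    by UserIdentityArn, UserIdentityType, SourceIpAddress, AwsRegion
| where FailedAttempts >= 5                  // threshold is an illustrative choice
| order by FailedAttempts desc

// Query 2: network-related control-plane changes (security groups, network
// ACLs, routes, gateways, VPCs, subnets), attributed to the IAM user or the
// assumed role that made them. Event names are the EC2 API action names that
// CloudTrail records; the list is a starting point, not an exhaustive one.
let NetworkChangeEvents = dynamic([
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
    "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry",
    "CreateRoute", "DeleteRoute", "ReplaceRoute",
    "CreateRouteTable", "DeleteRouteTable",
    "CreateInternetGateway", "AttachInternetGateway", "DeleteInternetGateway",
    "CreateVpc", "DeleteVpc", "CreateSubnet", "DeleteSubnet"
]);
AWSCloudTrail
| where TimeGenerated > ago(1d)
| where EventSource == "ec2.amazonaws.com"
| where EventName in (NetworkChangeEvents)
| project TimeGenerated, EventName, UserIdentityType, UserIdentityArn,
          SessionIssuerUserName,      // populated when the caller used an assumed role
          SourceIpAddress, UserAgent, AwsRegion,
          RequestParameters,          // the exact rule, route or ACL entry requested
          ErrorCode                   // non-empty when the change was denied
| order by TimeGenerated desc
```

Either query can be pasted into Logs for hunting or wrapped in a scheduled analytics rule; when used as a rule, the summarized columns (UserIdentityArn, SourceIpAddress) are the natural fields to map to account and IP entities.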

Some resources deployed within your AWS accounts can be configured to send logs (such as Windows event logs) directly to Microsoft Sentinel. You may also deploy a log collector (Syslog, CEF, or Logstash) within your AWS accounts to centralize log collection, just as you would for a private data center.

Integrating with Google Cloud Platform (GCP)

Google provides API access to most features of both GCP and the G Suite solution. G Suite Connector is currently in development. If you are managing either a G Suite or a GCP instance and want to use Microsoft Sentinel to secure them, you should consider the following options (until a fully supported connector is available):

  • REST API—this feature is still in development; when released, it will allow you to create your own investigation queries.
  • Deploy a CASB solution that can interact with GCP logs, control session access, and forward relevant information to Microsoft Sentinel.
  • Deploy a log collector such as Syslog, CEF, or Logstash. Ensure that all deployed resources can forward their logs via the log collector to Microsoft Sentinel.

Integrating with Microsoft Azure

The Microsoft Azure platform provides direct integration with many Microsoft security solutions, and more are being added every month:

  • Azure Active Directory, for collecting audit and sign-in logs to gather insights about app usage, Conditional Access policies, legacy authentication, self-service password reset usage, and the management of users, groups, roles, and apps.
  • Azure Active Directory Identity Protection, which provides user and sign-in risk events and vulnerabilities, with the ability to remediate these risks immediately.
  • Azure Activity, for insights into subscription-level events such as Azure Resource Manager, service health, write operations on resources, and the status of activities performed in Azure.
  • Azure DDoS Protection, for the protection of web services that could be susceptible to attack through DDoS.
  • Microsoft Defender, the integrated CWPP for security management across Azure, AWS, GCP, and hybrid deployments.
  • Microsoft Defender for IoT, for insights into the IoT and OT networks with recommendations based on the severity of the risk.
  • Azure Firewall, the managed, cloud-based network security service to protect Azure Virtual Networks.
  • Microsoft Information Protection, to classify and optionally protect sensitive information.
  • Azure Key Vault, for securely storing and accessing secrets including API keys, passwords, certificates, or cryptographic keys.
  • Azure Kubernetes Service (AKS), an open source, fully managed container orchestration service to manage and deploy Docker containers.
  • Azure SQL Database, a fully managed PaaS database engine. This connector lets you stream the audit and diagnostic logs into Microsoft Sentinel.
  • An Azure storage account, a cloud solution for modern data storage scenarios.
  • DNS, to improve investigations for clients that try to resolve malicious domain names, talkative DNS clients, and other DNS health-related events.
  • Dynamics 365, for insights into admin, user, and support activities on this platform.
  • Microsoft 365 Defender, a consolidation of multiple connectors (Endpoint, Identity, Office 365, and Microsoft Cloud App Security (MCAS)).
  • Microsoft Defender for Cloud Apps, to gain visibility into connected cloud apps (SaaS), cloud services (IaaS and PaaS), and an analysis of firewall and proxy logs.
  • Microsoft Defender for Endpoint, a security platform designed to prevent, detect, investigate, and respond to advanced threats across all client devices.
  • Microsoft Defender for Identity, to gain visibility of the events and user analytics on Active Directory domain controllers.
  • Microsoft Defender for Office 365, to provide insights into ongoing user activities, such as file downloads, access requests, changes to group events, and mailbox activity. This solution also protects against advanced attacks in email (such as phishing and whaling), Teams, SharePoint Online, and OneDrive for Business.
  • Threat intelligence – TAXII, a service to ingest TAXII v2.0- and v2.1-compatible data sources to enable monitoring, alerting, and hunting using threat intelligence.
  • Microsoft threat intelligence platforms, for integration with Microsoft Graph Security API data sources; this connector sends threat indicators from Microsoft and third-party threat intelligence platforms.
  • Windows Firewall, if enabled on your servers and clients (recommended).
  • Azure WAF, to protect applications from common web vulnerabilities such as SQL injection and cross-site scripting.
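Of the connectors above, the Azure Active Directory one is the most immediately useful for the kind of review the first bullet describes. The KQL below is an added example and not code from the book; it assumes the SigninLogs table that the Azure Active Directory connector populates (ClientAppUsed, ResultType, ConditionalAccessStatus, LocationDetails), and the legacy-protocol list and 7-day window are the author's illustrative choices, not values from the text.

```kql
// Added example (not from the book): sign-ins over legacy authentication
// protocols from the SigninLogs table. Legacy protocols cannot satisfy MFA,
// so successful sign-ins over them are worth reviewing, and the Conditional
// Access status columns show whether any policy was evaluated for them.
let LegacyClients = dynamic([
    "Authenticated SMTP", "AutoDiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3",
    "Reporting Web Services"
]);
SigninLogs
| where TimeGenerated > ago(7d)              // window is an illustrative choice
| where ClientAppUsed in (LegacyClients)
| extend Country = tostring(LocationDetails.countryOrRegion)
| summarize SignIns   = count(),
            Successes = countif(ResultType == "0"),   // "0" is a successful sign-in
            Failures  = countif(ResultType != "0"),
            SourceIPs = make_set(IPAddress, 10),
            Countries = make_set(Country, 5),
            CAStatus  = make_set(ConditionalAccessStatus, 5)  // success, failure, notApplied
    by UserPrincipalName, AppDisplayName, ClientAppUsed
| where Successes > 0
| order by Successes desc
```

Accounts that appear here with a CAStatus of notApplied are the ones a blocking Conditional Access policy for legacy authentication would cover; rerunning the query after such a policy is enabled is a direct way to confirm the policy is taking effect.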

Microsoft makes many of these log sources available to Microsoft Sentinel for no additional log storage charges, which could provide a significant cost saving when considering other SIEM tool options.

Other cloud platforms will provide similar capabilities, so review the options as part of your ongoing due diligence across your infrastructure and security landscape.

Whichever cloud platforms you choose to deploy, we encourage you to consider deploying suitable CWPP and CSPM solutions to provide additional protections against misconfiguration and compliance violations. These solutions can then forward events to Microsoft Sentinel for central reporting, alerting, and remediation.

In the next section, we will look at how you can integrate with private or on-premises infrastructure to ensure full coverage of your IT estate.
