Azure Sentinel is a cloud-based security information and event management (SIEM) and security orchestration automated response (SOAR) solution, providing you with security analytics and threat intelligence from a single point.

During the preview, Azure Sentinel is free of charge. Final pricing will be announced at a later stage; data import from Office 365 is free.

To start using and evaluating it, go to https://aka.ms/microsoftazuresentinel, sign in with your Azure administrator account, and start creating an Azure Sentinel workspace.


You can also search for Azure Sentinel from your Azure portal.


You can then either connect to an existing Azure Log Analytics workspace or create a new one.

NOTE: The default workspaces created by Azure Security Center are not available and cannot be used with Sentinel.


Once Azure Sentinel is connected to the Log Analytics workspace, you can connect your data sources, both from cloud services and on-premises systems.


Select the data source from the available connectors – from Microsoft to Amazon Web Services, Fortinet or Cisco.


The configuration of each connector depends, of course, on the product/solution you are connecting to.

If you are using an existing Log Analytics workspace, you may already have some data imported. In this case the connector shows Configure instead of Not Connected.


If you select a connector that is already connected, you can open its configuration to see if additional recommendations are available – for example, my Azure Active Directory connector told me to install 2 additional dashboards: Azure AD Audit logs and Azure AD Sign-in logs.

After you have connected your data sources, you can start using the Overview, Dashboards or Queries (Hunting) to get security insights.
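
As an added example (not from the original post), here is a hunting query you could run once the Azure Active Directory connector is delivering sign-in data. It assumes the events land in the `SigninLogs` table of the connected workspace; the lookback window and thresholds are constructed values to tune for your tenant.

```kusto
// Added example: source IPs failing sign-ins against many different accounts
// (a password-spray style pattern) in Azure AD sign-in data.
let lookback = 1d;            // constructed value
let minFailedAttempts = 10;   // constructed value
let minDistinctUsers = 5;     // constructed value
SigninLogs
| where TimeGenerated > ago(lookback)
// ResultType "0" is a successful sign-in; every other value is a failure
// or an interrupt (for example an MFA prompt), so review the codes returned.
| where ResultType != "0"
| summarize FailedAttempts = count(),
            DistinctUsers  = dcount(UserPrincipalName),
            Users          = make_set(UserPrincipalName, 20),
            ResultCodes    = make_set(ResultType, 10),
            FirstSeen      = min(TimeGenerated),
            LastSeen       = max(TimeGenerated)
    by IPAddress, Location
| where FailedAttempts >= minFailedAttempts and DistinctUsers >= minDistinctUsers
| order by DistinctUsers desc, FailedAttempts desc
```

An empty result on a workspace that was just connected can simply mean no sign-in data has arrived yet, so check that `SigninLogs | take 10` returns rows first.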


You can then set up automated response using Notebooks or Playbooks.
