How Sentinel Works

Posted May 29, 2024

By Sakharam Shinde 3 min read

Introduction

Microsoft Sentinel’s Core Capabilities can be broadly divided into 4 categories:
- Collect
- Monitor and Detect
- Investigate
- Respond

The first step is to collect the data using data connectors.
There are countless native data connectors and custom data connectors which can be deployed via logic apps.
Once your data sources are connected, you can visualize and monitor your data using workbooks.

Workbooks are best thought of as interactive dashboards with graphs, maps and other visualizations and they’re powered by kusto query language(KQL).
Watchlists collect data from external sources for correlation with events in your Sentinel environment.
Example:
- Importing user lists with privileged access or terminated employees using watchlists for detecting or preventing these users from logging into the network.
- Create watch lists to suppress alerts from a group of users such as those from authorized IPS that perform routine tasks that trigger alerts.

Sentinel’s own threat intelligence allows you to add your indicators of compromise (IOC’s) to a sentinel table.
Individual indicators can be added or removed and expired indicators are removed automatically.
Microsoft’s threat intelligence adds their own research and you can subscribe to threat intelligence feeds provided by open source communities or other security providers.
These feeds are usually set up using the API based connector

Sentinel provides out of the box built-in templates to help you create threat detection rules. Analytics rules created from these templates will search your environment and the alerts generated by these rules will automatically create incidents.
There are more than 200 built-in alert rules and a wizard lets you create your own analytics rules using kql.
Thresholds can even be set with alerts and alerts can also trigger playbooks.

You can hunt with Sentinels built in hunting queries that are used to proactively identify unusual activity.
You can launch Azure notebooks directly from Sentinel. Notebooks combine live code, graphics, visualizations and text.
You can choose from a gallery of built-in notebooks developed by our security analysts or import others from GitHub.

The incidents provides a complete list of incidents in your environment.
Incidents can be assigned to an analyst and the status can be tracked live and they can also trigger automated playbooks.
Automation rules help you triage these incidents and automation rules can suppress noisy incidents, triage or escalate new incidents in your environment.

They can call Playbook or more playbooks which are based on our Azure logic apps automate your responses to incidents.

Defender for Cloud is for protection and governance of azure including protecting hybrid workloads.
Sentinel is for monitoring all environments from any source to oversimplify.
Use Defender for cloud for monitoring your hybrid workloads, while Sentinel for monitoring incidents, alerts, telemetry and more.

Microsoft Sentinel uses role-based access controls (RBAC) to assign roles to users or groups.
- Sentinel Reader: Read and view data incidents, workbooks
- Sentinel Responder: Respond and manage incidents
- Sentinel Contributor: Create and edit workbooks analytics rules
- Sentinel Playbook Operator: List View and manually run your playbooks

Sentinel is an enrichment layer built on log analytics workspace.
You can collect data from the native data connectors and the defender suite.
You can configure diagnostic settings for Azure resources like SQL servers, Firewalls, Virtual Networks, NSG’s, Application Gateways, etc. to send those logs directly to the Sentinel workspace.
For virtual machines, you can also use extensions to deploy agents on Azure or non-Azure resources.
Partner connectors can also ingest data into Sentinel using Rest API.
Sentinel provides two main agents:
- Log Analytics Agent(MMA): Legacy Agent
- Azure Monitor Agent(AMA): Modern Agent

This post is licensed under CC BY 4.0 by the author.