Azure Sentinel: Bringing Together SIEM and SOAR
Tuesday 2nd March 2021 | 3 minute read
Intelligent Security Information and Event Management (SIEM) is genuinely useful. The ability to ingest and analyse every event and alert from your IT estate is essential. And the ability to filter out white noise automatically using Microsoft Azure Sentinel is invaluable.
But as the IT estate becomes increasingly complex, the number of alerts being generated from your SIEM will continue to grow. By uniting Security Orchestration, Automation and Response (SOAR) and SIEM capabilities, Azure Sentinel takes security provisions to the next level.
Playbooks, automation and orchestration
In order to accelerate and improve responses to security incidents, the security team needs to build out a framework that defines the investigation and resolution process. They will need to define a series of steps that serve as a template for how each class of issue is remediated.
By standardising processes, it becomes much easier to track progress of an issue under investigation. And with the assistance of Azure Sentinel playbooks, you can automate some of the early stages of resolution. One example of this could be:
- The Azure Sentinel SIEM engine detects a suspicious or anomalous login (for example, an impossible-travel sign-in) that could indicate compromised user credentials or a breach.
- The alert is raised to your security team and the integrated SOAR functionality can perform a number of automated tasks, including:
- Create a new ticket in the IT service management (ITSM) platform and automatically assign it to an engineer for further investigation. An instant message is also sent to the relevant channel in Microsoft Teams to ensure the analyst and their manager are aware.
- Following analysis, the compromised user account playbook is triggered. The suspicious user account is disabled at the directory level, immediately restricting access to resources in the Azure cloud; on-premises access is restricted once the change reaches the on-premises Active Directory (directly, or via a hybrid runbook), so the playbook should cover both directories where they are not synchronised.
- The playbook adds the user's ID and sign-in IP address to a Sentinel Watchlist.
- Any future activity from that account or address is matched against the Watchlist by an analytics rule and raises a high-severity alert requesting immediate investigation.
- The malicious IP address can be blocked on the firewalls to prevent further traffic.
Once triggered, the playbook contains the potential security breach within seconds. The seamless transition from SIEM to SOAR and the application of custom playbooks dramatically simplify and speed up the process of responding to an incident.
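The detect, respond and watch loop described in the steps above, modelled end to end as an added example. This is not code from the original article or from Azure Sentinel: the sign-in events are constructed, the "impossible travel" heuristic stands in for Sentinel's built-in analytics, the playbook records its actions in a list rather than calling the Logic Apps connectors (Azure AD, ITSM, Teams, firewall) a real playbook would use, and the watchlist check models what an analytics rule does in KQL with `_GetWatchlist()`. What it shows that the prose does not is the ordering that matters: the watchlist match must run before the anomaly detection so that a disabled account's failed retry, or a new user coming from the blocked address, is escalated rather than re-evaluated from scratch.

```python
"""Simulated Sentinel-style loop: anomalous sign-in -> playbook -> watchlist.

Added example only; events, heuristic, action names and thresholds are
constructed for illustration and are not Sentinel's own implementation.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class SignIn:
    time: datetime
    user: str
    ip: str
    country: str
    result: str  # "Success" or "Failure"


@dataclass
class Incident:
    title: str
    severity: str
    user: str
    ip: str


@dataclass
class Watchlist:
    """Stands in for a Sentinel Watchlist of compromised users and IPs."""
    users: set = field(default_factory=set)
    ips: set = field(default_factory=set)


# Two successful sign-ins from different countries closer together than this
# are treated as "impossible travel" (constructed threshold).
TRAVEL_WINDOW = timedelta(minutes=60)

# Constructed sample sign-in log (RFC 5737 test addresses, not real telemetry).
SAMPLE_SIGNINS = [
    SignIn(datetime(2021, 3, 2, 9, 0), "alice", "203.0.113.10", "GB", "Success"),
    SignIn(datetime(2021, 3, 2, 9, 20), "alice", "198.51.100.7", "BR", "Success"),
    SignIn(datetime(2021, 3, 2, 9, 45), "bob", "203.0.113.11", "GB", "Success"),
    # alice's account is disabled by now: a later attempt fails but must still alert.
    SignIn(datetime(2021, 3, 2, 10, 5), "alice", "203.0.113.10", "GB", "Failure"),
    # A different user from the attacker's address must also alert.
    SignIn(datetime(2021, 3, 2, 10, 30), "carol", "198.51.100.7", "US", "Success"),
]


def detect_impossible_travel(event, last_success):
    """Return a Medium incident if this success follows a success from another
    country within TRAVEL_WINDOW. Failures do not move the baseline."""
    if event.result != "Success":
        return None
    prev = last_success.get(event.user)
    last_success[event.user] = event
    if prev and prev.country != event.country and event.time - prev.time < TRAVEL_WINDOW:
        title = f"Impossible travel for {event.user}: {prev.country} -> {event.country}"
        return Incident(title, "Medium", event.user, event.ip)
    return None


def check_watchlist(event, watchlist):
    """Return a High incident for any activity (success or failure) from a
    watchlisted user or IP; models an analytics rule joined to the watchlist."""
    hits = []
    if event.user in watchlist.users:
        hits.append(f"user {event.user}")
    if event.ip in watchlist.ips:
        hits.append(f"ip {event.ip}")
    if hits:
        return Incident("Activity from watchlisted " + ", ".join(hits), "High", event.user, event.ip)
    return None


def compromised_account_playbook(incident, watchlist):
    """The response steps from the article, as ordered action records.
    A real playbook would call connectors here instead of recording tuples."""
    actions = [
        ("create_ticket", incident.title),
        ("notify_teams", "SecOps", incident.title),
        ("disable_user", incident.user),
        ("watchlist_add", incident.user, incident.ip),
        ("block_ip", incident.ip),
    ]
    watchlist.users.add(incident.user)
    watchlist.ips.add(incident.ip)
    return actions


def run_pipeline(events):
    """Process events in time order; watchlist match takes precedence over
    fresh detection so escalations are not downgraded to a new Medium."""
    watchlist = Watchlist()
    last_success = {}
    incidents, actions = [], []
    for ev in sorted(events, key=lambda e: e.time):
        inc = check_watchlist(ev, watchlist)
        if inc is None:
            inc = detect_impossible_travel(ev, last_success)
            if inc is not None:
                actions.extend(compromised_account_playbook(inc, watchlist))
        if inc is not None:
            incidents.append(inc)
    return incidents, actions, watchlist


if __name__ == "__main__":
    found, taken, wl = run_pipeline(SAMPLE_SIGNINS)
    for i in found:
        print(f"[{i.severity}] {i.title} ({i.user} from {i.ip})")
    for a in taken:
        print("action:", a)
```

Running the module prints one Medium incident for alice's GB to BR sign-in, the five playbook actions, and two High incidents: alice's failed retry (watchlisted user) and carol's sign-in from the blocked address (watchlisted IP).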
Through the Azure Logic Apps platform on which playbooks run, Azure Sentinel has access to more than 200 connectors for acting on third-party systems, including ServiceNow, SAP, PostgreSQL, Teradata, IBM DB2 and SQL Server. The native SFTP-SSH connector can also be used to move files to and from remote hosts, but it performs file operations only and does not run arbitrary shell commands.
Logic Apps also supports custom connectors for other line-of-business systems. If the application exposes a REST API described by an OpenAPI definition, or a SOAP interface described by WSDL, a custom connector can be built from that definition; any other HTTP endpoint can be called with the built-in HTTP action, so commands can be issued directly from Sentinel as part of your SOAR response.
Significant time and resource savings
By uniting SIEM and SOAR in a single platform, Azure Sentinel can help strengthen the overall security posture for the entire IT estate. It also offers several benefits:
- Faster security responses – Azure Sentinel uses machine learning to triage hundreds of thousands of events every day, and playbooks act on the resulting alerts without waiting for an analyst, reducing the window during which systems are at risk.
- Standardised responses – Using playbooks to automate responses will ensure that issues are dealt with in an ordered, predictable way.
- Reduced resource overheads – Allowing Azure Sentinel playbooks to automate initial low-level activities frees the security team to focus on more complex issues.
- Total estate coverage – With support for custom connectors, Azure Sentinel can not only detect issues from all the assets across your IT estate but can also be used as a basis for developing playbook solutions to automate responses for them.