Try Azure Sentinel Alongside Your Existing SIEM

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

If you’re using an on-prem SIEM today, you know that as your organization grows, so will the need for supporting infrastructure in your SIEM. Azure Sentinel, the first truly cloud native SIEM, helps eliminate security infrastructure set-up & maintenance, and elastically scales to meet your organization’s needs. Making the switch to a new SIEM is a big change – instead, try out Azure Sentinel by connecting your organization’s data, and you will immediately be able to gain insights into your environment: see detections in action, utilize industry-leading machine learning models to cut down on noise, and respond with detailed investigations & automated responses.

Get started with a free Proof of Concept (PoC) of Azure Sentinel today in four easy steps:

  1. Set up Azure Sentinel
  2. Connect Microsoft cloud data sources for free
  3. Utilize expert-written rules
  4. Investigate alerts & incidents


1) Set-Up Azure Sentinel

No need for complex deployments or integrations. Azure Sentinel is already available in the Azure portal and takes just a few clicks to set-up. Azure Sentinel is powered by Azure Monitor, the common log aggregator & querying tool for all applications within Azure.

  • Already have an active Azure subscription? Start here to onboard Sentinel to your instance.
  • Not using Azure, yet? No problem - sign up here for a free account Once you’ve created an account, follow the same steps above.


2) Connect your data sources

Azure Sentinel can connect to a variety of Microsoft and external sources, enabling you to monitor what matters most to your organization. Azure Sentinel’s connectors allow you to ingest data easily, without complex custom integrations or professional services.

Get your PoC started with five key connectors, providing you with correlated insights across sources. Connecting these data sources to Azure Sentinel is free, takes just a few clicks and will provide instant visibility into your environment:

Not using Microsoft cloud products, or want to connect more data to your Azure Sentinel PoC? Azure Sentinel supports both CEF and SYSLOG, enabling you to integrate virtually any log source. Additionally, Azure Sentinel provides insights beyond the Microsoft ecosystem with out-of-the-box connectors for key partners, including network appliances and other cloud services (AWS, Cisco, Palo Alto, and more).


3) Utilize Microsoft’s expert-written rules

Azure Sentinel’s detection platform correlates across log sources, to identify indicators of compromise early and cut down your team’s time to insights. Azure Sentinel’s rule-based detections are powered by the Microsoft Threat Intelligence Center (MSTIC), an industry leader in identifying & understanding emerging trends in the threat landscape. Now, your organization can benefit from their expertise, through detections & rules natively included in Sentinel.

MSTIC has written rules for the most popular data sources, including those recommended for a PoC – utilize Microsoft’s security expertise today to ensure your team is looking at relevant alerts from Day 1. The Azure Sentinel Github repository is constantly updated by the MSTIC team and the greater Sentinel community, providing critical detections for newly emerging threats.

Many of these rules are available already within the Analytics tab of Azure Sentinel. We recommend adding these rule-based detections to your PoC:

You can use these rules out of the box, or customize them for your PoC (see here for detailed instructions on how to customize alerts). Additionally, Azure Sentinel’s flexible detection platform also allows you to save time by using expert-written rules, or bringing over detections previously written for your existing SIEM. You can also convert Sigma rules for use in Azure Sentinel, or write your own custom queries. All Azure Sentinel queries are based on KQL, the query language powering Azure Monitor (Get Started With KQL).


4) Investigate within Azure Sentinel, or send alerts back to your current SIEM

Once you have configured log sources and rules, Azure Sentinel will begin to generate Incidents. You can view Incidents and investigate them directly within Azure Sentinel, where the data-rich Incident page will walk you through what events raised the initial alert, as well as related insights.

Enrich the insights you get with Azure Sentinel by bringing in alerts from your current SIEM. Azure Sentinel’s built-in machine learning models can help reduce the false positives you’re seeing in your current SIEM, and enable your security team focus on only the alerts that matter. You can connect your existing SIEM to Azure Sentinel in two ways:

  • If your current SIEM uses CEF for alerts or events, Azure Sentinel has a native CEF connector (instructions here)
  • If you are using a log forwarder, utilize the Logstash connector for Log Analytics to forward logs to Azure Sentinel (instructions and connector)

If your team is more comfortable working within your existing SIEM, Microsoft Security Graph API can serve to connect Azure Sentinel to your current toolset. Security Graph API allows you to integrate Microsoft alerts into numerous 3rd party tools, including other SIEMs. From a cost-perspective, we recommend you forward only Sentinel alerts to your existing SIEM. See here for the full list of security solutions Security Graph API supports.


Ready to see what else Azure Sentinel can do for your Security team?

Within this PoC, Azure Sentinel can automate incident responses and cut down on false positives with industry-leading machine learning models – ultimately saving your SecOps team valuable time. Go beyond rule-based detections and manual investigations with these advanced features, all available with your PoC:

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.