COVID-19 is forcing many organizations to adapt almost overnight to the new reality of social distancing and orders to stay home. As organizations act quickly to enable remote workers, students, customers, and other constituents, many are turning to cloud services and platforms for solutions. For many organizations, this includes enabling new cloud technologies or significantly increasing use of existing solutions almost overnight.
For Security Operations Centers tasked with protecting organizations, this can create significant challenges. First, logs and security data from newly deployed cloud services need to be collected and analyzed to identify and investigate potential threats. For some, connecting and scaling on-premises Security Information and Event Management (SIEM) systems to support new cloud data sources can be very difficult, especially if new hardware is required. Second, SOC teams will need to quickly adapt their detection and response efforts to support cloud solutions that are either new or that have become increasingly critical. Our team is here to help.
To that end, Azure Sentinel will provide the following:
- Guidance on how to quickly start collecting cloud security data
- Ability to ingest many cloud data sources for free in Azure Sentinel
- 30-day free trial for new customers, which includes free ingestion of all security data
- Built-in workbooks, hunting queries, analytics rules, and more to help gain insights from this data right away
- Proactive monitoring of new COVID-19 related threats by Microsoft security experts and development of new Azure Sentinel detections
Rapid, low cost cloud data collection
If you aren’t already using Azure Sentinel, it only takes a few minutes to set up in the Azure portal. There is no cost for creating an Azure Sentinel workspace; you only pay for the data you ingest. A free 30-day trial combined with a number of free cloud data sources will help keep your costs down – more on that later. With Azure Sentinel, there is no hardware to procure, configure, or manage and the service will scale automatically as you add new data sources.
In Azure Sentinel, you will find a gallery of data connectors which simplify the process of collecting data from a variety of sources. There are connectors for Microsoft 365 and Azure, as well as other clouds services, along with networks, endpoints, and more. With the correct permissions, you can enable the Microsoft 365 and Azure data sources in a single click. Other cloud data sources, like AWS, require minimal additional configuration. For data sources that do not have a connector in Azure Sentinel yet, data ingestion may be supported via Azure Logic Apps and Azure Functions.
Connect cloud data sources
We recommend you start by connecting activity and audit logs from your cloud services. If you have security solutions deployed for these services, enable those as well. You can augment this with network or other data sources at a later date. For a complete list of built-in data connectors see the documentation. For information about connecting other data sources, see this blog post.
The chart below provides information about the most common cloud data sources.
| How to Connect | Cost |
Microsoft 365 and Azure Logs |
|
|
Azure Activity Logs | Data Connector | Free |
Office 365 SharePoint Activity and Exchange Admin Activity Logs | Data Connector | Free |
Azure Active Directory Sign-in and Audit Logs | Data Connector | See pricing |
Azure Application Gateway WAF | Data Connector | See pricing |
Azure Information Protection Logs | Data Connector | See pricing |
Microsoft Cloud App Security ShadowIT Logs | Data Connector | See pricing |
Office 365 Teams activity Logs | Data Connector in Progress, Use an Azure Function for Now | See pricing |
Microsoft Security Solutions |
|
|
Azure Advanced Threat Protection Alerts | Data Connector | Free |
Azure AD Identity Protection Alerts | Data Connector | Free |
Azure Information Protection Alerts | Data Connector | Free |
Azure Security Center Alerts | Data Connector | Free |
Azure Security Center for IoT Alerts | Data Connector | Free |
Microsoft Cloud App Security Alerts | Data Connector | Free |
Microsoft Defender Advanced Threat Protection Alerts | Data Connector | Free |
Other Cloud Services |
|
|
Amazon Web Services (CloudTrail logs) | Data Connector | Free through June, 2020 |
Google Cloud Platform | Data Connector in Progress, Use Custom Connectors for Now | See pricing |
Note: For new Azure Sentinel customers, any data source can be ingested for the first 30 days at no charge. Azure Monitor Log Analytics charges may apply. See the pricing page to learn more.
Additional deployment assistance and guidance
We have compiled a comprehensive list of docs, blogs, and other resources to help you get started with Azure Sentinel. And, we are here to help you! You can get additional guidance and assistance through the Microsoft FastTrack program. If you encounter technical issues, you can reach out to customer support: Microsoft Support or Microsoft Premier Support.
Adapting to new data sources and emerging threats
Gain insights into threats using your cloud data
Once your data is flowing into Azure Sentinel, you can begin using it to identify and investigate potential threats. A combination of workbooks (interactive dashboards), hunting queries, analytics rules templates, and even Jupyter notebook samples are available out of the box to help you quickly visualize and analyze your data in Azure Sentinel. For sources with built-in data connectors, you can easily access these related assets from the ‘next steps’ tab for each connector, or from within the Workbooks, Hunting, Notebooks, and Analytics blades.
A couple of recent blog posts highlight scenarios that may be particularly relevant today. With many organizations taking an increased dependence on Microsoft Teams for communications and document sharing, this blog details how to use Azure Sentinel to protect Microsoft Teams. The other blog I recommend provides an example of hunting over AWS log using Azure Sentinel.
New COVID-19 Threats
Security analysts from the Microsoft Threat Intelligence Center (MSTIC) are continuously monitoring the threat landscape to identify new threats. When new threats are identified, MSTIC builds analytics rules and Jupyter notebooks samples for Azure Sentinel customers can use to hunt for these threats in their environments. They recently released a guided hunting notebook for COVID-19 themed threats, and will continue to leverage their unique insights and intelligence to help you protect against emerging threats in Azure Sentinel.
In addition, MSTIC is working closely with specialized groups like the Microsoft Threat Protection Intelligence Team. Earlier this week, the two teams partnered on guidance to help essential services protect against popular ransomware attacks, which are known to target the healthcare industry.
Call to action for the Azure Sentinel community
Our team is committed to helping customers enable critical protections for their organizations and users during these challenging times, but we cannot do it alone. We have an amazing community of Threat Hunters that share their expertise by contributing workbooks, queries, analytics, notebooks, automation playbooks and so much more on our GitHub. Thank you for those who have already contributed. We hope other community members will do the same. Here are some examples of areas where you can help include:
- Parsers and functions for cloud data sources not already supported by built-in data connectors
- Hunting queries, analytics, and Jupyter notebooks to detect emerging threats designed to capitalize on COVID-19 fears or target remote workers and cloud applications
- Playbooks to automatically remediate the above threats
Together, we hope to minimize risks to organizations and users. Please stay in touch on our TechCommunity forum and blog. Personally, I will try to keep you posted on twitter (@sarahfender) as well.
Sarah Fender, on behalf of the entire Azure Sentinel product team