A large retailer is currently using Azure Sentinel SIEM as its core cybersecurity analytics monitoring tool. There are several log sources running in Azure Cloud, including Azure PaaS and IaaS resources, on-premises infrastructure, and numerous SaaS applications used by the finance department. The current volume of ingested logs is 125 GB/day, and the retailer is using a capacity reservation of 100 GB/day for both Log Analytics and Azure Sentinel.
The retailer is subject to Payment Card Industry Data Security Standard (PCI DSS) regulatory compliance and therefore has a log retention requirement of 90 days online and 1 year offline. While investigating other options for extended retention, the company decided to extend the online retention period in Log Analytics to 365 days, paying an additional $3,500/month. Based on the East US Azure region, the company currently pays a combined fee of $15,515/month.
Less costly storage options such as Azure Blob Storage or Cosmos DB are worth considering to meet compliance retention requirements. Our experience from performing cost analysis exercises shows that most organizations ingesting below 100 GB/day choose to retain data in Log Analytics, primarily to keep the advanced security capabilities of Log Analytics and Azure Sentinel. Capacity reservations are of great benefit once your organization is beyond 100 GB/day, but for larger ingestion and retention requirements, alternative storage options should be considered.
Traditional security software uses predefined rules to detect threats. While this can be an effective method when applied to known threats, it is not as effective when new types of risks emerge. Azure Sentinel uses machine learning to profile users, entities, and the environment, detecting attacks that might not be caught using predefined methodologies. This means you can empower Tier 1 analysts to spend less effort sifting through mountains of data and more on highlighting relevant incidents. To make this simple, Azure Sentinel provides built-in templates out of the box. These templates are designed by Microsoft security experts and analysts based on known threats, common attack vectors, and signature patterns of suspicious activity. They allow you to apply advanced analytics without the need to build your own machine learning models or become a data science expert. By enabling these templates, you will automatically be alerted to anomalies that could indicate an attack. You can also customize them to search for, or filter out, types of activity that are specific to your enterprise.
To view all the out-of-the-box detection templates available in Azure Sentinel, go to Analytics and then Rule templates. This tab contains all the Azure Sentinel built-in rules.
Azure Sentinel comes with four types of rules built in.
● Microsoft security: Automatically create Azure Sentinel incidents from the alerts generated in other Microsoft security solutions in real time.
● Fusion: Correlate many low-fidelity alerts and events across multiple products into high-fidelity and actionable incidents.
● Machine learning behavioral analytics: Detect threats based on anomalies in user behavior.
● Scheduled: Deploy scheduled queries written by Microsoft security experts.
To use a built-in template, click on Create rule. (Note that your rule options will be determined by your data sources.)
This opens the rule creation wizard, based on the selected template. All the details are automatically filled in. For Scheduled rules or Microsoft security rules, you can customize the logic to better suit your organization, or create additional rules based on the built-in template. The new rule appears in the Active rules tab.
In the following example, Azure Sentinel has applied machine learning behavioral analytics to identify a pattern of anomalous sign-in activity.
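To show what a scheduled rule evaluates on each run, here is an added Python example (not code from this guide, and not Azure Sentinel's own rule logic) that applies a failed-then-successful sign-in check over a constructed set of sign-in records. The record fields, account names and IP addresses are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like a simplified sign-in log:
# (timestamp, user, source_ip, result). Not data from any real tenant.
SIGNIN_EVENTS = [
    ("2024-03-01T09:00:05Z", "alice@contoso.example", "203.0.113.10", "Failure"),
    ("2024-03-01T09:00:17Z", "alice@contoso.example", "203.0.113.10", "Failure"),
    ("2024-03-01T09:00:31Z", "alice@contoso.example", "203.0.113.10", "Failure"),
    ("2024-03-01T09:00:44Z", "alice@contoso.example", "203.0.113.10", "Failure"),
    ("2024-03-01T09:00:58Z", "alice@contoso.example", "203.0.113.10", "Failure"),
    ("2024-03-01T09:01:20Z", "alice@contoso.example", "203.0.113.10", "Success"),
    ("2024-03-01T09:05:00Z", "bob@contoso.example", "198.51.100.7", "Failure"),
    ("2024-03-01T09:05:30Z", "bob@contoso.example", "198.51.100.7", "Success"),
    ("2024-03-01T10:30:00Z", "carol@contoso.example", "192.0.2.44", "Failure"),
    ("2024-03-01T10:30:10Z", "carol@contoso.example", "192.0.2.44", "Failure"),
    ("2024-03-01T10:30:20Z", "carol@contoso.example", "192.0.2.44", "Failure"),
    ("2024-03-01T10:30:30Z", "carol@contoso.example", "192.0.2.44", "Failure"),
    ("2024-03-01T10:30:50Z", "carol@contoso.example", "192.0.2.44", "Failure"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def brute_force_success(events, lookback_hours=1.0, threshold=5, now=None):
    """Return (user, ip, failure_count) for every account that saw at least
    `threshold` failed sign-ins from one IP followed by a successful sign-in
    from that same IP inside the lookback window. This mirrors how a
    scheduled analytics rule only sees the slice of log its window covers."""
    if now is None:
        now = max(parse_ts(e[0]) for e in events)
    window_start = now - timedelta(hours=lookback_hours)
    failures = defaultdict(int)   # (user, ip) -> failures seen so far
    matched = set()               # (user, ip) with a success after the threshold
    for ts, user, ip, result in sorted(events, key=lambda e: e[0]):
        t = parse_ts(ts)
        if t < window_start or t > now:
            continue              # outside the rule's query window
        key = (user, ip)
        if result == "Failure":
            failures[key] += 1
        elif result == "Success" and failures[key] >= threshold:
            matched.add(key)
    return sorted((u, ip, failures[(u, ip)]) for (u, ip) in matched)
```

With the default one-hour window the earlier burst against alice falls outside the slice the rule sees, which is why the lookback period of a scheduled rule must be chosen with the attack pattern in mind.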
You can use Azure Sentinel in a number of ways to investigate and respond. For example, you can explore your security data and detected issues using built-in workbooks, which are collections of visualizations that make it easy to get a bird's eye view of your enterprise security posture. You can also create playbooks to automatically respond to threats. Finally, you can use investigation tools to explore incidents and better understand the most effective response. We will look at some of these tools in section three of this guide.