For the majority of organizations and businesses in today’s digital landscape, data security is paramount for cloud infrastructures. Also known as cybersecurity among IT professionals and system administrators, safeguarding critical systems and sensitive information from digital threats can be complicated and complex since it often involves large-scale and resource-intensive solution deployment. This does not mean that data security is out of reach, but corporations and organizations alike need to do their due diligence when deciding on a cloud-native security solution. This company can help.
If you are a business or large corporation that is finding cloud and data management to be a complex and arduous task, Microsoft Azure Sentinel is here to help. When you need to deal with operational processes, surfacing insights at scale, or investigating incidents, Microsoft Azure Sentinel is one of the top solutions for security at all levels for the modern enterprise and for mid-size businesses that are rapidly growing.
To better understand what data sources can be used by Microsoft Azure Sentinel, it’s fundamental to understand what Azure Sentinel is and how it operates.
The software consists of the following:
- Security Information and Event Management (SIEM)
- Security Orchestration, Automation, and Response (SOAR)
Microsoft Azure Sentinel is a cloud-native and scalable solution that delivers threat intelligence and security analytics across an organization. It offers a single control center dedicated to proactive hunting, threat response, alert detection, and threat visibility. With advanced SIEM/SOAR features and capabilities, Azure Sentinel keeps organizations protected and secured against a variety of cyber threats and attacks.
It also collects data at a large scale from different infrastructures, users, applications, and devices—both on-premises and in the cloud. Azure Sentinel ensures that security in Azure is more accessible and more scalable to manage. With modern AI and security innovations at its disposal, an organization’s IT infrastructure can benefit from real-time intelligent security analytics.
This allows IT professionals and system administrators to:
- Collect valuable data (whether on-premise or via cloud sources)
- Detect security risks using threats intelligence and analytical tools
- Respond more efficiently with automation and built-in processes
- Investigate suspicious activity with artificial intelligence (AI)
Being able to analyze large volumes of data across enterprise operations is a strategic advantage that Azure Sentinel is known for. With its aggregator capability, it can collect and compile data from every accessible source, such as system users, applications, servers, and devices that run on-premise or in the cloud. Furthermore, it includes built-in connectors for easy onboarding of popular security solutions.
To initiate the onboarding process, you first need to connect your data sources. Azure Sentinel has many connectors for Microsoft solutions that are available out-of-the-box and provide real-time integration.
Some of these connectors include the following:
- Microsoft 365 Defender, Microsoft Defender for Cloud, Office 365, and Microsoft Defender for IoT
- Azure Active Directory, Azure Activity, Azure Storage, Azure Key Vault, and Azure Kubernetes service
Once the onboarding process is complete and integrated with your company’s workspace, you can utilize data connectors to start inputting your data into Azure Sentinel.
For example, if you want a service-to-service connector that integrates data from Office 365, you can use Microsoft 365 Defender, Azure Active Directory (Azure AD), Microsoft Defender for Identity, and Microsoft Defender for Cloud Applications.
This data table lists supported Azure and third-party data source schemas.
|Type||Data Source||Log Analytics Tablename|
|Azure||Azure Active Directory||SigninEvents|
|Azure||Azure Active Directory||AuditLogs|
|Azure||Azure Active Directory||AzureActivity|
|Azure||Azure Key Vault||AzureDiagnostics|
|Network||Wire Data Solution||WireData|
|Network||NSG Flow Logs||AzureNetworkAnalytics|
The following table lists supported third-party vendors and their Syslog or Common Event Format (CEF)-mapping documentation for various supported log types, which contain CEF field mappings and sample logs for each category type.
|Type||Vendor||Product||Log Analytics Tablename|
|Network||Palo Alto||PAN OS||CommonSecurityLog|
|Network||Barracuda||Web Application Firewall||CommonSecurityLog|
|Network||Zscaler||Nano Streaming Service (NSS)||CommonSecurityLog|
|Network||Citrix||Web App Firewall||CommonSecurityLog|
|Host||Symantec||Symantec Endpoint Protection Manager (SEPM)||CommonSecurityLog|
- If you are unsure which data connectors will best serve your digital security framework, start by enabling all free data connectors
- Regarding your partner and custom data connectors, begin first by configuring Syslog and CEF connectors (with the highest priority first), including other Linux-based devices
- If at some point your data ingestion becomes too expensive, stop or filter the logs forward utilizing Azure Monitor Agent