Which Data Sources Can Be Used by Microsoft Azure Sentinel?

For most organizations and businesses in today's digital landscape, data security is paramount for cloud infrastructures. Safeguarding critical systems and sensitive information from digital threats (cybersecurity, as IT professionals and system administrators call it) can be complicated, since it often involves large-scale, resource-intensive deployments. That does not put data security out of reach, but corporations and organizations alike need to do their due diligence when choosing a cloud-native security solution. The solution described here can help.

If your business or corporation finds cloud and data management a complex and arduous task, Microsoft Azure Sentinel is here to help. Whether you need to handle operational processes, surface insights at scale, or investigate incidents, Azure Sentinel is one of the top security solutions for the modern enterprise and for rapidly growing mid-size businesses.

What Is Microsoft Azure Sentinel?

To better understand what data sources can be used by Microsoft Azure Sentinel, it’s fundamental to understand what Azure Sentinel is and how it operates.

The software combines two functions:

  • Security Information and Event Management (SIEM)
  • Security Orchestration, Automation, and Response (SOAR)

Microsoft Azure Sentinel is a cloud-native and scalable solution that delivers threat intelligence and security analytics across an organization. It offers a single control center dedicated to proactive hunting, threat response, alert detection, and threat visibility. With advanced SIEM/SOAR features and capabilities, Azure Sentinel keeps organizations protected and secured against a variety of cyber threats and attacks.

It also collects data at a large scale from different infrastructures, users, applications, and devices—both on-premises and in the cloud. Azure Sentinel ensures that security in Azure is more accessible and more scalable to manage. With modern AI and security innovations at its disposal, an organization’s IT infrastructure can benefit from real-time intelligent security analytics.

This allows IT professionals and system administrators to:

  • Collect valuable data (whether from on-premises or cloud sources)
  • Detect security risks using threat intelligence and analytical tools
  • Respond more efficiently with automation and built-in processes
  • Investigate suspicious activity with artificial intelligence (AI)

Safeguarding Enterprise Data

Being able to analyze large volumes of data across enterprise operations is a strategic advantage that Azure Sentinel is known for. With its aggregator capability, it can collect and compile data from every accessible source, such as system users, applications, servers, and devices that run on-premises or in the cloud. Furthermore, it includes built-in connectors for easy onboarding of popular security solutions.

Onboarding Microsoft Sentinel for Your Enterprise or Business

To initiate the onboarding process, you first need to connect your data sources. Azure Sentinel has many connectors for Microsoft solutions that are available out-of-the-box and provide real-time integration.

Some of these connectors include the following:

  • Microsoft 365 Defender, Microsoft Defender for Cloud, Office 365, and Microsoft Defender for IoT
  • Azure Active Directory, Azure Activity, Azure Storage, Azure Key Vault, and Azure Kubernetes Service

After the Onboarding Process

Once the onboarding process is complete and integrated with your company's workspace, you can use data connectors to start ingesting your data into Azure Sentinel.

For example, service-to-service connectors that integrate data from Office 365 are available for Microsoft 365 Defender, Azure Active Directory (Azure AD), Microsoft Defender for Identity, and Microsoft Defender for Cloud Applications.

Azure Data Sources

This table lists supported Azure data sources and the Log Analytics table each one writes to; third-party sources follow in the next table.

Type      Data Source               Log Analytics Table Name
Azure     Azure Active Directory    SigninEvents
Azure     Azure Active Directory    AuditLogs
Azure     Azure Active Directory    AzureActivity
Azure     Office                    OfficeActivity
Azure     Azure Key Vault           AzureDiagnostics
Host      Linux                     Syslog
Network   IIS Logs                  W3CIISLog
Network   VMinsights                VMConnection
Network   Wire Data Solution        WireData
Network   NSG Flow Logs             AzureNetworkAnalytics

Vendor Data Sources from Third Parties

The following table lists supported third-party vendors and products whose logs arrive over Syslog or Common Event Format (CEF). Each vendor's CEF-mapping documentation describes, for every supported log type, the CEF field mappings and provides sample logs for each category.

Type      Vendor        Product                                        Log Analytics Table Name
Network   Palo Alto     PAN OS                                         CommonSecurityLog
Network   Check Point   ALL                                            CommonSecurityLog
Network   Fortigate     ALL                                            CommonSecurityLog
Network   Barracuda     Web Application Firewall                       CommonSecurityLog
Network   Cisco         ASA                                            CommonSecurityLog
Network   Cisco         Firepower                                      CommonSecurityLog
Network   Cisco         Umbrella                                       CommonSecurityLog
Network   Cisco         Meraki                                         CommonSecurityLog
Network   Zscaler       Nano Streaming Service (NSS)                   CommonSecurityLog
Network   F5            BigIP LTM                                      CommonSecurityLog
Network   Citrix        Web App Firewall                               CommonSecurityLog
Host      Symantec      Symantec Endpoint Protection Manager (SEPM)    CommonSecurityLog
Host      TrendMicro    All                                            CommonSecurityLog
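Every product in the table above lands in the same CommonSecurityLog table because the CEF connector maps the fixed CEF header and the key=value extension onto a common column set. The parser below is an added illustration, not code from the article or from Microsoft; the sample line and the column mapping are constructed for this example and cover only a handful of common keys, while unmapped keys are collected under AdditionalExtensions.

```python
import re
from typing import Dict

# CEF header positions in order, and the CommonSecurityLog column Sentinel stores each in.
HEADER_COLUMNS = ["CefVersion", "DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity"]
# Common extension keys and their CommonSecurityLog columns; others go to AdditionalExtensions.
EXTENSION_COLUMNS = {"src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort",
                     "dpt": "DestinationPort", "proto": "Protocol",
                     "act": "DeviceAction", "msg": "Message", "suser": "SourceUserName"}
# One header field: anything up to an unescaped '|' ('\|' and '\\' are escapes).
_HDR_RE = re.compile(r"((?:[^|\\]|\\.)*)\|")
# One extension pair: the value runs until the next " key=" and may hold \= and \\.
_EXT_RE = re.compile(r"(\w+)=((?:[^=\\]|\\.)*?)(?=\s+\w+=|$)")
_ESCAPES = {"n": "\n", "r": "\r"}  # any other escaped char stands for itself

def _unescape(text: str) -> str:
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), text)

def parse_cef(line: str) -> Dict[str, object]:
    """Return header and extension fields keyed by CommonSecurityLog column name."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    body = line[start + len("CEF:"):]
    fields, end = [], 0
    for m in _HDR_RE.finditer(body):
        fields.append(_unescape(m.group(1)))
        end = m.end()
        if len(fields) == len(HEADER_COLUMNS):
            break
    if len(fields) < len(HEADER_COLUMNS):
        raise ValueError("truncated CEF header")
    record: Dict[str, object] = dict(zip(HEADER_COLUMNS, fields))
    record["SyslogPrefix"] = line[:start].strip()  # transport timestamp/host, if any
    extras: Dict[str, str] = {}
    for key, raw in _EXT_RE.findall(body[end:]):  # everything after the 7th '|'
        if key in EXTENSION_COLUMNS:
            record[EXTENSION_COLUMNS[key]] = _unescape(raw)
        else:
            extras[key] = _unescape(raw)
    record["AdditionalExtensions"] = extras
    return record

# Constructed sample: a firewall deny event as a CEF Syslog forwarder would relay it.
SAMPLE_LINE = ("Oct 12 10:15:03 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.1|TRAFFIC|deny|5|"
               "src=10.1.2.3 dst=203.0.113.7 spt=51234 dpt=445 proto=TCP act=deny "
               "msg=Denied by rule\\=block-smb rule=block-smb")
```

Running parse_cef(SAMPLE_LINE) yields the vendor, product and severity from the header and the source and destination columns from the extension, with the escaped "\=" inside the message restored to a plain "=".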

Data Collection Best Practices & Recommendations

  • If you are unsure which data connectors will best serve your security framework, start by enabling all free data connectors
  • For partner and custom data connectors, begin by configuring the Syslog and CEF connectors (highest-priority sources first), including other Linux-based devices
  • If data ingestion becomes too expensive, stop forwarding or filter the logs using the Azure Monitor Agent

Copyright © 2020 - 2021 TechZimo.com, All rights reserved.