
First look on the new Azure Sentinel cloud-native with Azure Notebooks free service #Jupyter #SIEM #SIEMaaS #Azure #Sentinel

Azure Sentinel is Microsoft’s cloud-native SIEM that provides intelligent security analytics for your entire enterprise at cloud scale.
This SIEM as a Service (SIEMaaS) solution is designed as a cloud-based security-monitoring platform that leverages the power of the cloud for analytics and detections.

https://azure.microsoft.com/en-us/services/azure-sentinel/

There is a good video: https://www.youtube.com/watch?v=XXZp6LQZSJU&feature=youtu.be

Limitless cloud speed and scale
Azure Sentinel is the first SIEM built into a public cloud platform to help your security analysts focus on what really matters.

Easily connect your data sources
Azure Sentinel provides simple and easy integration with signals and intelligence from security solutions whether they are on premises, in Azure, or in other clouds.
Azure Sentinel provides seamless integration with Microsoft 365, Azure, and other Microsoft products, including Microsoft’s security products.

Detect suspicious activities in your organization
Azure Sentinel fuses together unique machine learning algorithms, world-class security research, and the breadth and depth of the critical security data available to Microsoft as a major enterprise vendor. Azure Sentinel helps you detect both known and unknown attack vectors, detecting threats across all stages of the kill chain.

Investigate and remediate breaches
Azure Sentinel gives you visibility into all the entities involved in an alert and provides a simple and instinctive UI to investigate the detection, helping you easily understand the scope of the breach.
To cut down on the volume of alerts you get, Azure Sentinel automatically investigates alerts to help you determine what action to take, enabling you to move from alert to remediation in minutes, at scale.
Leveraging the power of Logic Apps, Azure Sentinel helps you respond to incidents instantly, using built-in orchestration and automation playbooks.

Joining the Preview program gives you the enable option, and you will need some configuration in the Azure portal. Overall a great overview in the new dashboarding; one thing is that I need more screens to show all this.


You will need a workspace. If you already have one you can use it, or just create a new one.


I’ll pick my current one, as all my VMs are reporting into this.


Now we can install the add-ons for data collection; there is already a big list.


As I already had a workspace, there is already some content to use. At this point I don’t have any incidents, so no cases and alerts.


I think this is a great feature: the predefined “hunting” queries, ready to run and adjustable to your needs.


Reuse the custom query for better adjustment to your site.


You can find more samples on GitHub: https://github.com/Azure/Azure-Sentinel


Also, the Azure Notebooks for Azure Sentinel are a new option: create your project in Jupyter.


Azure Notebooks for Azure Sentinel

What is Azure Notebooks?

Azure Notebooks is a free hosted service to develop and run Jupyter notebooks in the cloud with no installation. Jupyter is an open source project that lets you easily combine markdown text, executable code (Python, R, and F#), persistent data, graphics, and visualizations onto a single, sharable canvas called a notebook.

How do Azure Notebooks work?

Interactive Azure Notebooks provide security insights and actions to investigate anomalies and hunt for malicious behaviors. Each Azure Notebook is purpose-built with a self-contained workflow for a specific use case. Visualizations are included in each Azure Notebook for faster data exploration and threat hunting. You can clone the prebuilt investigation and hunting Azure Notebooks into projects that belong to you, then modify and tailor them to your environment. Either run the Azure Notebooks for free or, for better performance, run them on a dedicated virtual host.

Using the Notebooks locally or in other environments

Azure Sentinel will provision notebooks and supporting modules for you in Azure Notebooks. You can also download the notebooks and modules and use them locally in a supported Python environment (Anaconda is recommended) or another notebook hosting environment such as Azure Databricks or a JupyterHub environment that supports Python 3.6 or later.
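To show what a hunting cell in such a notebook does once the data is pulled out of the workspace, here is an added example (not from the post and not one of the Sentinel notebooks on GitHub): plain Python over constructed rows in the shape of the Log Analytics SecurityEvent table, so it runs offline without a workspace connection. The window and thresholds are assumptions to tune to your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of the SecurityEvent table that VMs
# reporting into the Sentinel workspace produce. EventID 4625 is a failed
# logon, 4624 a successful one. Values are made up for this example.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2019-02-28T08:00:05Z", "Account": "CORP\\alice", "IpAddress": "10.0.0.5", "EventID": 4625},
    {"TimeGenerated": "2019-02-28T08:00:09Z", "Account": "CORP\\alice", "IpAddress": "10.0.0.5", "EventID": 4625},
    {"TimeGenerated": "2019-02-28T08:00:14Z", "Account": "CORP\\alice", "IpAddress": "10.0.0.5", "EventID": 4625},
    {"TimeGenerated": "2019-02-28T08:00:20Z", "Account": "CORP\\alice", "IpAddress": "10.0.0.5", "EventID": 4625},
    {"TimeGenerated": "2019-02-28T08:00:27Z", "Account": "CORP\\alice", "IpAddress": "10.0.0.5", "EventID": 4625},
    {"TimeGenerated": "2019-02-28T09:10:00Z", "Account": "CORP\\bob",   "IpAddress": "10.0.0.9", "EventID": 4625},
    {"TimeGenerated": "2019-02-28T09:10:30Z", "Account": "CORP\\carol", "IpAddress": "10.0.0.9", "EventID": 4625},
    {"TimeGenerated": "2019-02-28T09:11:00Z", "Account": "CORP\\dave",  "IpAddress": "10.0.0.9", "EventID": 4625},
    {"TimeGenerated": "2019-02-28T09:11:30Z", "Account": "CORP\\erin",  "IpAddress": "10.0.0.9", "EventID": 4624},
    {"TimeGenerated": "2019-02-28T11:00:00Z", "Account": "CORP\\frank", "IpAddress": "10.0.0.7", "EventID": 4625},
    {"TimeGenerated": "2019-02-28T11:45:00Z", "Account": "CORP\\frank", "IpAddress": "10.0.0.7", "EventID": 4625},
]

def _ts(row):
    return datetime.strptime(row["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")

def _record(findings, key, detail):
    # Keep the densest window seen for this key rather than the last one.
    if key not in findings or findings[key]["failures"] < detail["failures"]:
        findings[key] = detail

def hunt_failed_logons(events, window=timedelta(minutes=10), brute_threshold=5, spray_threshold=3):
    """Slide a time window over failed logons (4625) per source IP and return
    findings: 'brute_force' when one IP fails against a single account at least
    brute_threshold times, 'password_spray' when one IP fails against at least
    spray_threshold distinct accounts, both inside `window` (assumed thresholds)."""
    by_ip = defaultdict(list)
    for row in events:
        if row["EventID"] == 4625:
            by_ip[row["IpAddress"]].append(row)
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort(key=_ts)
        for i, first in enumerate(rows):
            inside = [r for r in rows[i:] if _ts(r) - _ts(first) <= window]
            accounts = {r["Account"] for r in inside}
            if len(accounts) >= spray_threshold:
                _record(findings, ("password_spray", ip), {"accounts": sorted(accounts), "failures": len(inside)})
            if len(accounts) == 1 and len(inside) >= brute_threshold:
                _record(findings, ("brute_force", ip, inside[0]["Account"]), {"failures": len(inside)})
    return findings
```

In a real notebook the rows would come from a KQL query against the workspace instead of the constructed list, and the two isolated failures from 10.0.0.7 correctly produce no finding.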


With the import, a copy is made from GitHub into your own repository to get you started.


This takes some time; after that, the project page opens for you.


You can check the samples and adjust them for your needs.


Checking the Logs in Azure Sentinel gives you a nice dashboard with all the content. I have a limited amount of data in this, so no big lines or exceptions.


A sample dashboard with the infrastructure query in Azure Sentinel

A sample dashboard with the general overview query in Azure Sentinel

Some are spread over multiple pages, so big screens or smaller fonts are needed, but overall this is a nice addition to the Azure family.


Azure Sentinel will take some time to get running and configured, but once there is data you will see a very nice new tool that can help you solve your problems in Azure better and more quickly.

See and stop threats before they cause harm, with SIEM reinvented for a modern world. Azure Sentinel is your birds-eye view across the enterprise. Put the cloud and large-scale intelligence from decades of Microsoft security experience to work. Make your threat detection and response smarter and faster with artificial intelligence (AI). Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs—while reducing IT costs.


Posted February 28, 2019 by Robert Smit [MVP] in Azure
