Let’s start off by explaining the acronym. SIEM, or Security Information and Event Management, has become a crucial technology, deployed either as a cloud software service or as a virtual server in your infrastructure. Its main goal is to take logs from all your crucial systems and correlate them into meaningful, prioritized alerts that help your organization’s teams make well-informed decisions, ensuring the right action is always taken at the right time.
It is a SIEM, but it is also a SOAR (Security Orchestration, Automation and Response), a system that does exactly what the name says. Azure Sentinel lets you collect logs from literally anywhere: any technology that ships Common Event Format (CEF) logs over port 514 can integrate with Azure Sentinel, and it can also connect to many other sources via data connectors.
The capability to take action on triggered events is where this next-generation product excels. Setting up Sentinel on your tenant is quick and easy, literally done in 10 minutes. You can then integrate it with your environment and move on to the exciting part: Logic Apps, which are used to create playbooks that take action based on triggers.
These are just like Microsoft Flow and do not require deep skill in any one area, as they are set up exactly the way the name Logic Apps sounds: using logic. Compare it to services like IFTTT (If This Then That), which many of us use for the smart lighting and other smart products we love deploying around our homes.
It’s as easy as that, without hours or days of system administration that delivers little visibility or perceived value for the time spent. With a product like this you can get cracking and demonstrate the platform’s capability in the first week. Any smart, tuned-in exec these days is interested in value delivery from money spent, and this platform can protect your information assets with visual incident response capability.
Create an Automated Threat Response easily like this.
So what should you enable it for?
Think about everything that generates logs: infrastructure servers and components, applications, and sites, including software-as-a-service applications. You will not want everything, so plan your research to include only the important feeds. If you were deploying a monitoring solution 5 years ago, what would you think about first when monitoring a Windows server? CPU, RAM, disk and network performance, for example, with alerts based on various factors. Now think instead about security audit logs that relate to access, privilege escalation, changes or modifications, data transfers, and file deletions. This should give you an idea; the list is long, but it does not take much effort to draw up a list of crucial systems and, for each, what matters most to collect into the Log Analytics workspace for analysis.
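To make the CEF feed and the "correlate logs into prioritized alerts" idea concrete, here is an added example (not code from the post or from Microsoft): a small parser for CEF records as they arrive over syslog, plus one correlation rule that turns raw access and file-deletion events from the same source and user into a prioritized alert. The device names, signature IDs and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: syslog-wrapped CEF from made-up "Contoso" devices (the escaped '|' and '=' are deliberate).
SAMPLE_LOGS = """\
<13>Jan 10 10:00:01 gw CEF:0|Contoso|AuthGW|2.1|100|Logon failed|4|src=10.0.0.5 suser=alice msg=Bad password
<13>Jan 10 10:00:03 gw CEF:0|Contoso|AuthGW|2.1|100|Logon failed|4|src=10.0.0.5 suser=alice msg=Bad password
<13>Jan 10 10:00:05 gw CEF:0|Contoso|AuthGW|2.1|100|Logon failed|4|src=10.0.0.5 suser=alice msg=Bad password
<13>Jan 10 10:00:09 gw CEF:0|Contoso|AuthGW|2.1|101|Logon success|2|src=10.0.0.5 suser=alice
<13>Jan 10 10:01:00 fs CEF:0|Contoso|Files\\|Audit|1.0|300|File deleted|6|src=10.0.0.5 suser=alice fname=q4\\=final.xlsx
<13>Jan 10 10:02:00 gw CEF:0|Contoso|AuthGW|2.1|100|Logon failed|4|src=10.0.0.9 suser=bob msg=Bad password
"""
# Assumption: signature IDs are made up for the sample device; map them to the log categories the post prioritises.
CATEGORY = {"100": "access-failure", "101": "access-success", "300": "file-deletion"}
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^=\\])*?)(?= \w+=|$)")  # key=value pairs; values may contain spaces

def parse_cef(line):
    """Parse one CEF record. Header fields escape '|' and '\\'; extension values escape '=' and '\\'."""
    body = line[line.index("CEF:") + 4:]          # drop the syslog prefix
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:      # 7 header fields, then the extension
        if body[i] == "\\" and i + 1 < len(body):
            cur.append(body[i + 1]); i += 2       # escaped char inside a header field
        elif body[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(body[i]); i += 1
    if len(fields) != 7: raise ValueError("malformed CEF header: " + line)
    rec = dict(zip("version vendor product device_version sig_id name severity".split(), fields))
    rec["severity"] = int(rec["severity"])        # assumes numeric severity (CEF also allows Low/Medium/High)
    rec["category"] = CATEGORY.get(rec["sig_id"], "other")
    rec["ext"] = {k: re.sub(r"\\(.)", r"\1", v) for k, v in EXT_RE.findall(body[i:])}
    return rec

def correlate(lines, threshold=3):
    """Per (src, user): repeated logon failures then a success -> high; a later file deletion -> critical."""
    by_actor = defaultdict(list)
    for ev in (parse_cef(l) for l in lines if "CEF:" in l):
        by_actor[(ev["ext"].get("src"), ev["ext"].get("suser"))].append(ev)
    alerts = []
    for (src, user), evs in by_actor.items():
        cats = [e["category"] for e in evs]
        fails = cats.count("access-failure")
        last_fail = max((n for n, c in enumerate(cats) if c == "access-failure"), default=-1)
        after = cats[last_fail + 1:]                # only events that follow the last failure count
        if fails >= threshold and "access-success" in after:
            alerts.append({"priority": "critical" if "file-deletion" in after else "high", "src": src,
                           "user": user, "failures": fails, "max_severity": max(e["severity"] for e in evs)})
    return sorted(alerts, key=lambda a: a["priority"] != "critical")  # critical first
```

Running `correlate(SAMPLE_LOGS.splitlines())` yields one critical alert for alice from 10.0.0.5 and nothing for bob, who stays below the failure threshold.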
With Sentinel you can pay as you go and cap the spend with a setting, or purchase capacity reservations, starting at a minimum reservation of 100 GB of daily log consumption with 31-day retention, which will firmly straighten out any organization’s security posture.
I have tried the product myself now and can definitely say it’s one of Microsoft’s really good products of 2019. They are rocking into the security scene, but all their products add up and turn out quite expensive, so it’s important to choose the right ones, which as always must align with your organization’s strategic business goals.
Originally published at https://www.linkedin.com.