A Monthly Insight Into What’s New in the World of Microsoft Sentinel

It is no secret that I am a big fan of Microsoft Sentinel. I work with it daily and spend part of my free time writing blogs about it. I truly believe that Microsoft Sentinel is a solution that can benefit many organizations because of its low setup complexity and pricing structure (if you use it correctly).

This new Practical 365 series is called ‘Practical Sentinel’ and it joins the two existing ‘Practical’ series: Practical PowerShell and Practical Protection. The goal of this series is to discuss new features, provide notes from the field, and give tips on how to optimize your Sentinel usage.

In this article, I take a step back and review how Microsoft positions Sentinel, what capabilities the product includes and what it does well. Sentinel is Microsoft’s ‘Cloud-native SIEM and SOAR’ tool – but what does that mean?

Cloud Native

Microsoft markets Sentinel as a cloud-native product. But what does that mean and what are the advantages to you?

The ‘Cloud-native’ message means two things.

  • It is built on Azure platform-as-a-service components. It doesn’t require you to spin up any computing resources: all of the computing and storage is handled by Azure, and billing happens through your Azure subscriptions.
  • It uses Azure-native components in the background. Sentinel isn’t anything new; it adds capabilities on top of existing Azure resources such as Log Analytics and Azure Logic Apps.

Additionally, Sentinel integrates well with other services within the Azure ecosystem and supports automation using the existing Azure Management API. Every action that you can take in the portal is also available through the API.

SIEM & SOAR

While Microsoft positions Sentinel primarily as a SIEM system, it also contains some SOAR capabilities.

SIEM stands for Security Information and Event Management: a system that centralizes logs from many sources into a single place to create a single pane of glass. In practice, this means a SIEM lets you ingest (add) data, provides a way to query it, and generates alerts from that data using a query language.

SOAR means Security Orchestration, Automation, and Response. In the Sentinel context, this means Sentinel can respond to and manage alerts, both manually and in an automated way. SOAR capabilities mean that automation acts on input originating from the SIEM. Within Sentinel, playbooks are the basis for automation; they are built on the existing ‘Azure Logic Apps’ resources within the Azure platform. If you are interested in an introduction to the automation part, this article is a great read.

What Does Sentinel Do Well?

There are a couple of things that Sentinel does well that make it a great SIEM and SOAR product.

  • Quick Deployment
    • There is no dependency on computing to be set up before it can be deployed. Sentinel can be up and running in a matter of minutes.
  • Microsoft Integrations
    • Because Sentinel is part of the Microsoft ecosystem, it has native integrations for many products that Microsoft 365 customers use: easy-to-set-up data connectors and unified RBAC that reuses your existing Azure investments.
  • Interesting Pricing Structure
    • Microsoft likes it when you use other Microsoft products and therefore offers discounts if you ingest Microsoft logs such as Entra ID, Microsoft 365, and Microsoft Defender XDR. If you use a basic set of logs, the price will be less than $100 per month for an environment of around 2000 users.
  • Active Community
    • There is a whole community around Sentinel. At every Microsoft event there are talks, people contribute to GitHub, and every week a ton of blog posts are released.

What is Sentinel Lacking?

Sentinel isn’t perfect and there are a couple of things that other products do better:

  • Large Volumes of Data
    • Sentinel can get expensive if you don’t keep a close eye on data usage when ingesting high-volume logs such as networking data. While improvements have been made in terms of basic and archive logs, Sentinel doesn’t scale as well as other SIEMs.
  • Advanced Correlation of Alerts
    • There is no easy way to generate a ‘risk profile’ for a user that increases based on the incidents they generate. We have ‘User and Entity Behavior Analytics’ (UEBA), but it’s not where it should be, as it lacks an intelligent risk profile that uses both raw data and alerts generated by different systems.
  • Incident Management
    • While Sentinel provides the option for you to handle incidents, the capabilities are not as developed compared to other SOAR tools. There is a lack of flexibility and customization. Most of the organizations I have worked with use a third-party SOAR tool to overcome these limitations.
  • AI/ML Capabilities
    • Sentinel boasts AI capabilities, called Fusion, to detect anomalies across all data. In reality, I have never seen a useful incident during my three years running Sentinel deployments across many customers worldwide. The AI capabilities seem to be an empty box.
  • Dependency on the Azure Tenant
    • One downside, inherent to the Azure ecosystem, is that your entire SecOps process is linked to your Entra ID tenant. If you are locked out of your tenant completely, there is no way to investigate security threats. While there are mitigating factors, it is something to be aware of.
  • Log Management Inconsistencies
    • Sentinel has several capabilities that allow you to control your data, such as data transformation rules. This feature allows you to rename or remove certain columns before the data is added into Sentinel; however, it is not available for every table within Sentinel. This means you are not fully in control of what is ingested.
    • The same can be said for the ingestion of Azure-specific logs: some resources, such as Azure Firewall, allow you to scope ingestion by category, while other products do not offer this capability.

Let’s Get Started

I am excited to take you along on this journey to understand Sentinel better and get the most out of it. My goal is to focus on Sentinel to provide insights on where its strengths lie and how you can benefit. If you have any requests for topics you want to see discussed, feel free to drop a comment or reach out to me directly via LinkedIn.

In the next installment, we will begin with checking out the newly released Unified SecOps Platform and see what added value it brings (if any).

About the Author

Thijs Lecomte

Thijs is a security consultant from Belgium, working at The Collective, an MSSP with a Microsoft-focused Security Operations Center. His work consists of leading the SOC team and implementing Microsoft Security solutions (such as Microsoft Sentinel and Defender) as a consultant. He is an MVP in the Security category and is a regular speaker at events and user groups. His best-known publication is as co-author of the 'Microsoft 365 Security for the IT Pro' ebook.