Visualise Attacks with Azure Sentinel
Azure Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution that uses pre-built data connectors to ingest data from a range of security solutions. It then lets you query and process that data for investigation and response. Being cloud native, there is no infrastructure to manage, and integration with other cloud services (especially Microsoft 365 and Azure) is extremely easy. In this blog, I'll be walking through some simple steps to get started with the best feature of Azure Sentinel: visualising incidents and attacks.
Scenario
Our fictitious organisation has just set up Azure Sentinel and is looking to get a better grip on security by providing a single view to investigate data from multiple security solutions. As identity is now considered the primary security perimeter, connecting Azure AD seems a good place to start. The organisation has an Azure AD Premium P2 licence, so I set up a data connector to Azure Active Directory (AAD) Identity Protection to leverage its automated risk detection.
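Once the Identity Protection connector is ingesting, the quickest way to confirm that risk detections are actually arriving is a Log Analytics query against the SecurityAlert table. The query below is an added example for this post, not something from the original article or from Microsoft's connector documentation; it assumes the connector writes to the standard SecurityAlert table with the product name "Azure Active Directory Identity Protection" (the value used in Microsoft's own docs at the time of writing), and the 7-day window is an arbitrary choice for the demo.

```kql
// Added example: sanity-check that Azure AD Identity Protection alerts
// are landing in the Sentinel workspace, and summarise them per user.
// Assumption: the connector populates SecurityAlert with this ProductName.
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProductName == "Azure Active Directory Identity Protection"
// Entities is a JSON array; pull out the account entity's UPN if present
| extend Entities = parse_json(Entities)
| mv-expand Entity = Entities
| where tostring(Entity.Type) == "account"
| extend UserPrincipalName = tostring(Entity.Name)
| summarize
    Alerts = count(),
    Detections = make_set(AlertName),
    HighestSeverity = max(AlertSeverity),
    LastSeen = max(TimeGenerated)
  by UserPrincipalName
| order by Alerts desc
```

If this returns nothing while Identity Protection shows risky users in the portal, check the connector status page and the workspace's data retention before assuming the detections themselves are missing; an empty SecurityAlert table is far more often a connector problem than a lack of risk events.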