To keep our effort down and your risk low we will start by keeping things small, we’ll setup your SIEM install to ingest data from:

• Office 365
• Azure AD sign in logs

These two sources work well together and should start to provide some interesting information.

We’ll ensure you’re able to understand and use the Sentinel SIEM user portal to:

• Hunt for security events
• Detect and perform incident investigations
• Monitor Sentinel health
• Use visualisations to review security data
• See how scheduled analytics rules function, how then can detect a wide range of events
• Recognise the different systems that can connect and have data ingested
• Understand how automations can be driven
• See how active threat feeds can be ingested to give you the benefit of external botnets to proactively detect threats

Sentinel is Microsoft’s Security Event and Incident Management (SIEM) offering, it takes security telemetry from almost any source and using scheduled analytics rules to inspect the security telemetry for suspicious events.

SIEM solution feature normally include:

• Collect data at scale from a wide array of security platforms
• Detect security events using ingested data
• Facilitate the investigation processes
• Often include a method of responding to threats automatically, this is known as Security Orchestration, Automation, And Response (SOAR) 

Many vendors of SIEM solutions and they’re becoming an increasingly popular approach to coordinating large amounts of data and also security solutions such as 

Sentinel includes several ways of detecting 

An example of security telemetry would be your Azure or on-premise Active Directory sign-in logs which show details such as failures, successes, IP addresses, locations and services accessed and authentication methods.

There are many examples of a suspicious events, some good examples are:
1) multiple failed sign in’s followed by a success which may indicate a successful brute force attack
2) a user account being used to successfully sign in at significantly different locations within a shit time frame possible indicating what’s known as ‘impossible travel’.

Look at Sentinel as the hub of your security architecture, it will ingest and orchestrate solutions such as:

• Azure and on-premise Active Directory
• Azure and on-premise firewalls
• Anti-Virus and Anti-Malware Solutions
• File storage platforms
• Server and client operating systems
• Email
• File storage, SharePoint Online
• Teams
• Web filters
• Vulnerability assessment tools
• Loads more…..

Anything you want really, but let’s start with some examples:

• Visualise your security telemetry to interested stakeholders…. a governance team will be interested in sign-in failures, a network or server team will be interest in statistics showing firewall attack detections.
• Create alerts to warn of risky situations such as mass password harvesting attempts.
• Use alerts as a guide showing you what areas security need strengthening, a spike failed logins from malicious actors may indicate you need to review and strengthen your identity controls.
• Automatically respond to threats by adding in firewall blocks from detected attacks or suspending user accounts that appear to be at risk.

This will be a short project which will explain the many Sentinel benefits, we will also provide upskilling to ensure you understand the service, we’ll then perform the install and you can suddenly benefit from a more comprehensive and centralised view of your security events. 

In summary:

• We describe the PoC, whats involved, benefits, outcomes
• We sign an NDA for data privacy reasons
• You provide us with the access we need
• We install the service
• The service is handed over to the client team
• We drop in once a week for a short review of what’s being detected
• After 30 days we can remove the solution or leave it running (your choice)

A Sentinel MITRE ATT&CK rule may detect events and identify them as connected (read this great article) we can now use Sentinel to trigger automations such as:

• Disabling server local administration access or elevated access events
• Apply more restrictive firewall settings to prevent spread
• Enforce a more intrusive anti-virus/anti-malware response
• Restrict inbound and outbound traffic to avoid further infection or spread

A Sentinel MITRE ATT&CK rule may detect events and identify them as connected (read this great article) we can now use Sentinel to trigger automations such as:

• Disabling server local administration access or elevated access events
• Apply more restrictive firewall settings to prevent spread
• Enforce a more intrusive anti-virus/anti-malware response
• Restrict inbound and outbound traffic to avoid further infection or spread

No, the solution is hosted within your own Azure subscription

We’re more than happy to answer any concerns during during the pilot phase as long as time is kept to a reasonable amount.

If it’s agreed something of serious concern is occurring then we can help, charges would be at our normal professional service rate.