Microsoft teases how it'll make Sentinel a bit easier to monitor and audit
For those relying on this cloud-based security thing
It's difficult for security teams to quickly respond to potential threats if the data coming in and the detection rules around it are off.
Given that, Microsoft is rolling out monitoring tools for analytics rules in its Sentinel cloud-based security service offering that can deliver information about the health and status of the rules and about the nature of changes made to a rule.
"It is important for SOC engineers to ensure their detection rules are functioning correctly and producing relevant and actionable information," says Jeremy Tan, senior product manager for Sentinel. "Besides that, SOC engineers need to be aware of any planned or unplanned changes made to the rules to ensure compliance and integrity of effective defense."
There are two parts to the Microsoft rejig. The first involves monitoring the health of the analytics rules, which confirms the rules are functioning as expected. For example, is Sentinel running queries every five minutes, as programmed? Did the automation and analytics rules run as planned?
The health log records how the analytics rules are running, whether they failed and why, and the events captured by their queries, with all of these logs pulled together into the SentinelHealth table in Log Analytics.
The audit monitoring capability is aimed at detecting unauthorized changes that could compromise security, capturing who made changes to an analytics rule, which rule was changed, the settings before and after the change, the source IP, and when the change was made.
Those logs are collected in the SentinelAudit table in Log Analytics.
Both the SentinelHealth and SentinelAudit tables are in public preview.
"If you're expecting to see particular incidents in your queue but you don't, you want to know whether the rule ran but didn't find anything (or enough things), or didn't run at all," Microsoft wrote about the health log.
Regarding auditing, if a SOC team didn't get the expected results from the analytics rule and there weren't any health issues, "you want to see if any unplanned changes were made to the rule, and if so, what changes were made, by whom, from where, and when," the vendor wrote.
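As an added example (not code from the article or from Microsoft), the triage logic Microsoft describes above, run over a few constructed SentinelHealth and SentinelAudit rows: did the rule fail, stop running on its five-minute schedule, or run cleanly but get changed, and if changed, by whom, from where, when and what. The column names are assumed from the public table schemas and every value is invented.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows modelled on the SentinelHealth and SentinelAudit
# tables the article describes. Column names are assumed from the public
# table schemas (TimeGenerated, SentinelResourceName, OperationName, Status,
# ExtendedProperties); every value below is invented for this example.
HEALTH = [
    {"TimeGenerated": "2022-11-01T09:50:00Z", "SentinelResourceName": "Suspicious RDP logons",
     "OperationName": "Scheduled analytics rule run", "Status": "Success"},
    {"TimeGenerated": "2022-11-01T09:55:00Z", "SentinelResourceName": "Suspicious RDP logons",
     "OperationName": "Scheduled analytics rule run", "Status": "Success"},
    {"TimeGenerated": "2022-11-01T10:15:00Z", "SentinelResourceName": "Rare process creation",
     "OperationName": "Scheduled analytics rule run", "Status": "Failure",
     "Description": "Query timed out"},
]
AUDIT = [
    {"TimeGenerated": "2022-11-01T09:58:00Z", "SentinelResourceName": "Suspicious RDP logons",
     "OperationName": "Update analytics rule",
     "ExtendedProperties": {"CallerName": "alice@example.com", "CallerIpAddress": "203.0.113.7",
                            "OriginalResourceState": {"enabled": True, "queryFrequency": "PT5M"},
                            "UpdatedResourceState": {"enabled": False, "queryFrequency": "PT5M"}}},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage_rule(rule, now, health=HEALTH, audit=AUDIT, interval=timedelta(minutes=5)):
    """Health first (failed / missed schedule / never ran), then the audit trail
    for the same rule: who changed it, from where, when, and which settings flipped."""
    runs = sorted((r for r in health if r["SentinelResourceName"] == rule), key=lambda r: r["TimeGenerated"])
    verdict = {"rule": rule, "health": "ok", "last_run": None, "changes": []}
    if not runs:
        verdict["health"] = "never ran"
    else:
        last = runs[-1]
        verdict["last_run"] = last["TimeGenerated"]
        if last["Status"] != "Success":
            verdict["health"] = "failed: " + last.get("Description", "no reason recorded")
        elif now - parse_ts(last["TimeGenerated"]) > 2 * interval:  # two missed 5-minute slots
            verdict["health"] = "missed schedule"
    # Whatever the health verdict, list audit-trail changes: diffing the before/after
    # states shows exactly which settings changed (here the rule was disabled).
    for a in (a for a in audit if a["SentinelResourceName"] == rule):
        ext = a["ExtendedProperties"]
        before, after = ext["OriginalResourceState"], ext["UpdatedResourceState"]
        diff = {k: (before.get(k), after.get(k)) for k in sorted(set(before) | set(after))
                if before.get(k) != after.get(k)}
        verdict["changes"].append({"when": a["TimeGenerated"], "who": ext["CallerName"],
                                   "from": ext["CallerIpAddress"], "diff": diff})
    return verdict
```

In a real workspace the same two questions are asked with KQL against the SentinelHealth and SentinelAudit tables; the point here is the order of the checks, not the sample data.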
The cloud-native Sentinel service is all about enterprise security analytics and threat intelligence, delivering security information and event management (SIEM) and security orchestration, automation, and response (SOAR) services.
Sentinel is designed to help organizations with everything from attack detection to threat hunting and response. ®