Deciding which Security Information and Event Management (SIEM) solution to use requires closely examining the benefits of each. If you’re considering Managed Microsoft Sentinel, two advantages it offers are machine learning and threat intelligence integration. Let’s briefly examine both.
Machine Learning
Machine learning (ML) is a major component of Microsoft Sentinel. Its algorithms can recognize potential danger by progressively but quickly learning what sort of data you process and from where it originates.
Ready-to-Run ML
Sentinel installs with pre-packaged ML detection models suitable for various needs. And you can be sure the models will train themselves to adapt to the demands of your digital environment.
Customized ML
However, if your IT team has experience with ML, you may want to build custom detection models specific to your company. If so, you can begin from scratch or modify existing models. Microsoft supplies a Bring Your Machine Learning (BYO-ML) platform for do-it-yourselfers. Included are sample notebooks you can use to train your ML models safely. Using sample data eliminates the fear of corrupting production data during testing. The beauty of the flexibility of Sentinel is the option to teach an algorithm to avoid false positives. For example, you may have a situation unique to your work environment that is safe but would represent a danger for most other companies. Training your model not to flag specific data can save your IT investigative team hours of unnecessary work.
Threat Intelligence Integration
Your network may have a large number of threat indicators. And you’ve seen fit to collect them using a threat intelligence platform. You can then funnel those threat indicators into an SIEM solution like Microsoft Sentinel. Sentinel logs the threats and allows you to manage them at your convenience. The Sentinel dashboard also includes additional information from entries on GeoLocation and WhoIs.GeoLocation can give you a country of origin or organization behind the threat. WhoIs will tell you who registered the domain.
Threat Indicator Templates
Sentinel uses templates to analyze threat intelligence and automatically issue security alerts. You can specify how often the system should compare your data against the templates. These templates are sensitive to selected characteristics found in URLs, email, domains, IP addresses, and file hashes. The programming compares your incoming data against recognized suspicious behavior. If the data fits the profile, Sentinel issues an alert. You can augment the pre-existing templates with any additional analytics rules you desire. The built-in templates will suffice most of the time, but Sentinel’s flexibility is valuable when you have niche security concerns.
Data Presentation and Reports
Any alert generates a new entry under Incidents. The incident log then presents the security concerns your team should investigate. The Sentinel Threat Intelligence workbook offers aggregated threat intelligence in an easy-to-read visual format. But if you prefer to see the data presented differently, Sentinel allows you to modify the format. Your team can produce its security reports with Sentinel’s ready-to-use report templates. But you can also design new ones or customize ones shared on GitHub.On Git-Hub, look for Azure Monitor report templates. Sentinel workbooks are an adaptation of the popular Azure Monitor workbooks.
