Azure Sentinel - jasper-zanjani/azure GitHub Wiki
Azure Sentinel is a cloud-native SIEM and SOAR solution that collects data from many sources and presents it to security analysts, who can run Kusto (KQL) queries against the dataset.
Ingestion
Azure Sentinel can ingest data from on-premises devices and other sources using one of several types of connector, categorized by how the data is ingested:
- Native connectors integrate directly with other Microsoft security products, like Azure AD, M365, and Azure Security Center
- Direct connectors are configured from their source location, such as AWS CloudTrail, Azure Firewall, and Azure Front Door
- API connectors are implemented by security providers, like Azure Information Protection (AIP), Barracuda Web Application Firewall (WAF), and Microsoft WAF
- Agent-based connectors, using the Log Analytics agent, make it possible to ingest data from any source that can stream logs in Common Event Format (CEF), such as Windows and Linux machines.
Analytic rules
Analytic rules are created by users to help detect threats and anomalies in an environment:
- Scheduled rules run on a predetermined schedule
- Microsoft Security rules create incidents automatically from alerts raised by connected Microsoft security products
- Machine learning behavior analytic rules can (currently) only be created from Microsoft-provided templates that use proprietary ML algorithms
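As an added example (not from this wiki), the kind of KQL query a scheduled rule would run against data from the Azure AD native connector; it assumes the SigninLogs table is populated, and the threshold and lookback values are illustrative choices.

```kusto
// Added example: KQL for a scheduled analytic rule (not from the wiki).
// Assumes the Azure AD native connector is populating SigninLogs.
// Flags a source IP that produces many failed sign-ins and is then followed
// by a successful sign-in from the same IP within the lookback window.
let lookback = 1h;            // match the rule's "lookup data from the last" setting
let failure_threshold = 10;   // illustrative value; tune to the environment
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                  // ResultType "0" is a successful sign-in
    | summarize
        FailedAttempts   = count(),
        TargetedAccounts = make_set(UserPrincipalName, 50),
        FirstFailure     = min(TimeGenerated),
        LastFailure      = max(TimeGenerated)
        by IPAddress
    | where FailedAttempts >= failure_threshold;
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress,
              SucceededAccount = UserPrincipalName, AppDisplayName;
failures
| join kind=inner successes on IPAddress
| where SuccessTime > LastFailure               // the success came after the burst of failures
| project FirstFailure, LastFailure, SuccessTime, IPAddress, FailedAttempts,
          TargetedAccounts, SucceededAccount, AppDisplayName
// In the rule definition, map entities Account -> SucceededAccount and IP -> IPAddress
// so the resulting incident carries the affected account and source address.
```

Run the query in the Logs blade first to check volume, then save it as a scheduled rule with a run frequency no shorter than the lookback so no window is skipped.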