
Microsoft Sentinel

Microsoft Sentinel is a scalable, cloud-native solution that provides:

  • Security information and event management (SIEM)
  • Security orchestration, automation, and response (SOAR)

Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise. With Microsoft Sentinel, you get a single solution for attack detection, threat visibility, proactive hunting, and threat response.

Integrations

Microsoft Azure Sentinel

With the Microsoft Azure Sentinel Playbook app and Service app, you can better manage and ingest Incidents and Alerts in Azure Sentinel. ThreatConnect provides context on indicators and enables you to easily spot abnormal trends and patterns and act on them efficiently. Additionally, analysts working in Azure Sentinel can view real-time indicator enrichment, add indicators back into ThreatConnect, and record false positives. You can then tie your data to Playbooks to automate nearly any cybersecurity task and respond to threats faster directly from Azure Sentinel, as well as send data to other tools, such as your EDR or network security tools, for alerting or blocking purposes. The following actions are available:

  • Create Incident Comment
  • Get Alert
  • Get Incident
  • List Alerts
  • List Incidents
  • Update Incident

These apps can be found in the ThreatConnect App Catalog under the names "Microsoft Azure Sentinel (Playbook)" and "Microsoft Azure Sentinel (Custom Trigger)".


Built By ThreatConnect

Microsoft Sentinel with Polarity

The Polarity - Microsoft Sentinel integration enables analysts to quickly query indicators within Sentinel so they can make decisions faster. The integration queries the threat intelligence and geolocation information held in Sentinel, and it also lets analysts add a Kusto Query to search Sentinel logs.

Examples

Microsoft Sentinel Data Overview - Threat Intelligence

  • Summary Tags: When an analyst runs a search on an indicator with Microsoft Sentinel, they can immediately see the number of associated logs, any geographic associations, and whether there is any threat intelligence about the indicator, which lets them triage indicators quickly.
  • Threat Intel Details: When drilling into the details of the integration, analysts can quickly triage the threat intelligence information: when the threat intel was created, where it came from, the confidence of the threat, and any associated tags.

Microsoft Sentinel Data Overview - Kusto Query Logs

  • Kusto Query Details: When drilling into the details of the integration, analysts can see the associated logs in the Kusto Query Logs section of the integration details, showing exactly where the logs came from and any associated context returned by the query.

Note that this data will vary depending on the query that has been set up for the integration.

Microsoft Sentinel Data Overview - Geo Location

  • Geo Location: When drilling into the details of the integration, analysts can see any geolocation information associated with the indicator, so they can tell at a glance where the indicator originated.

Built By Polarity