Sentinel Review

Microsoft Sentinel is our SIEM that we use across three different environments. Our corporate environment, our commercial cloud environment, and our FedRAMP authorized government environment within the Azure gov portal. It is our primary source for all of the security related logs that we are collecting in order to actually do our jobs. And then we are also starting to expand using it for our SOAR capabilities as well. We were previously only using it as mostly a log source and searching, and then now we are also using the features for orchestration and response as well.

There's a couple of different Microsoft services that we can use the Azure to Azure connectors where it's very easy to set up, including we actually have custom alerting that we do in Defender for endpoint because storing the data in Sentinel is a little bit too cost prohibitive to us. We also ingest information from, for instance, defender for alts, defender for cloud apps. There's a whole bunch of different things within the Microsoft Suite that are automatically ingested. We also ingest from Palo Alto firewalls. That has been less, I wish I didn't have to maintain a SIS log server for that, but that's not Microsoft's fault. That's partially on how Palo Alto integrates with that. And then the third one is we've got a couple of custom data sources that we needed to create ingestion functions for because the vendor did not support a way to get the data into Sentinel, one of which is Fastly Signal Sciences. And actually that is one of the reasons why I'm moving away from that product is because the integration has not been great.

Yes. So there's the custom alerts that are generated as part of the tool. I would love to actually pilot security copilot, it demoed well. I just have not gotten a chance to actually give it the focus that it needs, but this is an area of improvement that I want. I would like to take advantage of that. It's mostly the learning that goes into, there's new preview rules that are AI generated or AI augmented in some way, especially for things like Defender for Endpoint. We're just starting to explore a lot of those and it is basically a key part of my 2025 and beyond strategy on, I have to use this as a force multiplier because there's just no way we can keep up any other way.

Most of it ends up being on Endpoint, so using the tools within Defender for Endpoint, but those also integrate very well with Sentinel. We get some information for Defender for Identity. I'm expecting to get more from that now due to some changes we made with our Microsoft licensing. Previously we were limited by, we were using an E3 license now and we didn't have a bunch of the extra built-in products or the extra products that E5 gets you. Now we do. So I'm expecting to see more there in that space.