Azure DevOps Shorts: Azure Sentinel and AKS

Microsoft · December 9, 2020

Having insight into what security threats exist for your applications is paramount for reliability. Microsoft Azure continues to make a commitment to protecting your solutions in the cloud with security services and products for users. Just a few of the tools you may use to protect your resources on Azure are Security Center, Azure DDoS Protection, and Azure Sentinel.

What is Azure Sentinel?

Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

See and stop threats before they cause harm, with Security Information and Event Software (SIEM) reinvented for a modern world. Azure Sentinel is your birds-eye view across the enterprise. Put the cloud and large-scale intelligence from decades of Microsoft security experience to work. Make your threat detection and response smarter and faster with artificial intelligence (AI). Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs—while reducing IT costs.

Azure Kubernetes Services provides users with a unified control plane to work with their Kubernetes clusters. By utilizing the power of the AKS platform and the security scans of Azure Sentinel, you can ensure a more secure environment for your applications. In this short from the DevOps Lab, Damian Brady and Sarah Young show how you can scan for vulnerabilities on your Kubernetes clusters using Azure Sentinel.

More on Azure Sentinel

You can create custom analytics rules to help you search for the types of threats and anomalies that are suspicious in your environment. The rule makes sure you are notified right away, so that you can triage, investigate, and remediate the threats.

To on-board Azure Sentinel, you first need to enable Azure Sentinel, and then connect your data sources. Azure Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, Microsoft 365 sources (including Office 365), Azure AD, Microsoft Defender for Identity (formerly Azure ATP), Microsoft Cloud App Security, Azure Defender alerts from Azure Security Center, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog or REST-API to connect your data sources with Azure Sentinel.

After you connect your data sources, choose from a gallery of expertly created workbooks that surface insights based on your data. These workbooks can be easily customized to your needs.

Once you have connected your data sources to Azure Sentinel, you’ll want to be notified when something suspicious occurs. That’s why Azure Sentinel provides out-of-the-box, built-in templates to help you create threat detection rules. These templates were designed by Microsoft’s team of security experts and analysts based on known threats, common attack vectors, and suspicious activity escalation chains. Rules created from these templates will automatically search across your environment for any activity that looks suspicious. Many of the templates can be customized to search for activities, or filter them out, according to your needs. The alerts generated by these rules will create incidents that you can assign and investigate in your environment.

Learn More: