Microsoft Sentinel

Microsoft Sentinel is a cloud-native Security Information & Event Management (SIEM) platform hosted on the Azure cloud that provides centralized alerting, orchestration, automation, and detection capabilities to support incident response, threat hunting, and investigations. Microsoft Sentinel has connectors to integrate with over 100 Microsoft and third-party sources to collect their data in Azure Log Analytics, define Alerting Rules with canned Kusto Query Language (KQL) queries, and allow Microsoft Sentinel to group related alerts together and create comprehensive incidents.

With integrations in Microsoft Defender XDR, customers can converge their Microsoft Defender incident management with Sentinel’s. This provides a single pane to gather high-fidelity alerting data, manage incidents, and assign users to work the incidents as they escalate.

Query’s integration with Microsoft Sentinel retrieves these incidents and their related alerts with simple Entity-based searches:

  • Email Address: Look up assignees by their email address. This field is normalized to `assignee.email_addr` within the Query Data Model (QDM) normalization, and maps to the `owner.email` field in the Sentinel incident.
  • User Name: Look up assignees by their User Principal Name (UPN), if different from the email. This field is normalized to `assignee.name` within the QDM normalization, and maps to the `owner.userPrincipalName` field in the Sentinel incident.

This allows SOC managers or assigned analysts themselves to check who is assigned what work, and the status of the various Incidents. Additionally, using the Summary Insights view, you can view every single Incident from Sentinel and pivot-to-search from the identified Entities within them.

Microsoft Sentinel incidents are normalized to the Incident Finding Class within the Query Data Model, which carries over metadata such as title, description, assignment information, severity, status, and the correlation IDs that point back to the incident in Sentinel. Additionally, every related Alert’s metadata is annotated in the Related Finding Info array. Using other Query Connectors, an analyst, engineer, or SOC manager can pivot to the lower-level alerts, view the implicated artifacts or devices, and obtain high-fidelity, normalized data.

For example, the analyst could obtain the following context:

  • Search for Incidents assigned to themselves or others
  • View related Alerting data for Incidents, regardless of what produced them, be it Sentinel custom analytics rules, Sentinel connector packs, or Defender XDR Incidents created from Defender for Endpoint or Defender for Cloud Apps alerting rules.
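The two assignee mappings listed above (`owner.email` → `assignee.email_addr`, `owner.userPrincipalName` → `assignee.name`) and the Incident Finding normalization with its Related Finding Info array can be seen end to end in the following added example. It is illustration code written for this page, not Query’s connector or Microsoft’s SDK. The `owner.email` and `owner.userPrincipalName` paths are the ones the page names; the other Sentinel property names (`incidentNumber`, `title`, `severity`, `status`, `alertDisplayName`, `productName`), the OCSF-style `severity_id`/`status_id` values, and all sample data are assumptions constructed for the demo. Real alerts are fetched with a separate API call; here they are attached under a constructed `alerts` key.

```python
"""Added example (not Query's or Microsoft's code): normalize Microsoft
Sentinel incidents into the Incident Finding shape the page describes and
run the two entity searches, by assignee email address and by UPN."""
from __future__ import annotations
from typing import Any, Optional

# Constructed sample input. owner.email / owner.userPrincipalName are the
# paths named on the page; other property names are assumptions and every
# value is invented. "alerts" is a constructed key holding that incident's
# related alerts (fetched separately against the real API).
SENTINEL_INCIDENTS: list[dict[str, Any]] = [
    {"name": "00000000-0000-0000-0000-000000000101",
     "properties": {"incidentNumber": 101, "severity": "High", "status": "Active",
                    "title": "Suspicious sign-in followed by inbox rule creation",
                    "description": "Identity and mailbox alerts correlated by Sentinel.",
                    "owner": {"email": "analyst1@example.com",
                              "userPrincipalName": "analyst1@corp.example.com"}},
     "alerts": [{"alertDisplayName": "Atypical travel", "severity": "Medium",
                 "productName": "Azure AD Identity Protection"},
                {"alertDisplayName": "Suspicious inbox manipulation rule",
                 "severity": "High", "productName": "Defender for Office 365"}]},
    {"name": "00000000-0000-0000-0000-000000000102",
     "properties": {"incidentNumber": 102, "severity": "Medium", "status": "New",
                    "title": "Malware detected on workstation",
                    "description": "Single Defender for Endpoint alert.",
                    "owner": {"email": "analyst2@example.com",
                              "userPrincipalName": "analyst2@example.com"}},
     "alerts": [{"alertDisplayName": "Malware was detected", "severity": "Medium",
                 "productName": "Defender for Endpoint"}]},
    {"name": "00000000-0000-0000-0000-000000000103",
     "properties": {"incidentNumber": 103, "severity": "Low", "status": "New",
                    "title": "Unassigned incident", "description": "No owner yet.",
                    "owner": {"email": None, "userPrincipalName": None}},
     "alerts": []},
]

# OCSF-style enumerations (assumed values). 0 means "unknown", so an
# unexpected Sentinel value stays visible instead of being silently dropped.
SEVERITY_ID = {"Informational": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}
STATUS_ID = {"New": 1, "Active": 2, "Closed": 5}


def normalize_incident(incident: dict[str, Any]) -> dict[str, Any]:
    """Map one Sentinel incident onto the Incident Finding shape.

    assignee.email_addr <- owner.email
    assignee.name       <- owner.userPrincipalName (the UPN, which may
                           differ from the email address)
    """
    props = incident["properties"]
    owner = props.get("owner") or {}
    email, upn = owner.get("email"), owner.get("userPrincipalName")
    assignee: Optional[dict[str, Optional[str]]] = None
    if email or upn:  # unassigned incidents carry an owner with null fields
        assignee = {"email_addr": email, "name": upn}
    return {
        "class_name": "Incident Finding",
        "title": props.get("title"),
        "desc": props.get("description"),
        "severity": props.get("severity"),
        "severity_id": SEVERITY_ID.get(props.get("severity"), 0),
        "status": props.get("status"),
        "status_id": STATUS_ID.get(props.get("status"), 0),
        "assignee": assignee,
        # Related Finding Info: one entry per contributing alert.
        "finding_info_list": [
            {"title": a.get("alertDisplayName"),
             "severity_id": SEVERITY_ID.get(a.get("severity"), 0),
             "product": a.get("productName")}
            for a in incident.get("alerts", [])],
        # Correlation IDs that allow a pivot back to the incident in Sentinel.
        "unmapped": {"sentinel_incident_id": incident["name"],
                     "sentinel_incident_number": props.get("incidentNumber")},
    }


def search_incidents(findings: list[dict[str, Any]], email_addr: Optional[str] = None,
                     name: Optional[str] = None) -> list[dict[str, Any]]:
    """Entity search over normalized findings. Email addresses and UPNs are
    compared case-insensitively; unassigned incidents never match."""
    def matches(f: dict[str, Any]) -> bool:
        a = f.get("assignee")
        if a is None:
            return False
        if email_addr is not None and (a.get("email_addr") or "").lower() != email_addr.lower():
            return False
        if name is not None and (a.get("name") or "").lower() != name.lower():
            return False
        return True
    return [f for f in findings if matches(f)]


FINDINGS = [normalize_incident(i) for i in SENTINEL_INCIDENTS]

if __name__ == "__main__":
    for f in search_incidents(FINDINGS, email_addr="analyst1@example.com"):
        print(f["unmapped"]["sentinel_incident_number"], f["title"],
              [r["title"] for r in f["finding_info_list"]])
```

Two details worth noting: a search on the `assignee.name` entity with the email address finds nothing for incident 101, because its UPN differs from its email, which is exactly why the page exposes both entities; and an incident whose owner fields are all null normalizes to `assignee: None` rather than an empty assignee, so it is excluded from assignee searches instead of matching an empty string.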

To integrate Microsoft Sentinel Incidents, see the integration documentation here. The integration normalizes data pulled from Microsoft Sentinel into Query’s OCSF-based QDM (Query Data Model).