How can Azure Sentinel be used for the implementation of ISO Controls A.12.4 (Logging and monitoring) and A.16 (Information security incident management)?

Note: Relevant to controls A.12.4 and A.16  

Keeping track of your security incidentsdocumenting them, scaling them, and deciding remediation for those incidents is a big hassle. There are many solutions that would counter each of these problems specifically but Microsoft’s SIEM solution, Azure Sentinel is one that counters them all. 

How does Azure Sentinel collect and log security incidents? 

If you are one who has shifted all cloud applications and services to Azure, getting started is pretty easy. However, if you haven’t, it’s still far from difficult. The first step in order to use Azure Sentinel would be to create a log analytics workspace. Azure has a specific way of connecting to your resources which in the Microsoft language we would call “connectors”. There is a variety of connectors available ranging from database connectors to server connectors and all sorts of multipurpose connectors. After finding a connector you would use that connector and connect to your resource(Azure has a set of instructions within each connector and how to use it). Great! Your workspace now collects incident logs! 

How do we monitor incidents within Azure Sentinel? 

When we open a workspace using Azure Sentinel. The backend AI automatically sorts the logs that are collected. These logs can be extracted as documents in preferred formats or can be viewed graphically through charts. Alongside, you can also define a certain log as an alert so that you can be alerted whenever a certain security incident occurs. The query tools provided by Azure Sentinel(they work on KQL) also help in extracting certain incidents and viewing them specifically.  

How can we use Azure Sentinel to learn from incidents? 

Azure Sentinel has machine learning and analysis features that give you the exact description of what type of attack you might be facing. Along with this, there is also an incident investigation feature that helps you get directly into the incident and the events and other incidents surrounding it. The AI involved in the process is extremely sufficient and gives you an idea of how to remediate based on the incident situation. 

What happens after all this? 

A great feature of Azure Sentinel is the autonomous ability that it gives. You can enable your alerts such that if an incident occurs the response is taken care of and is already predefined. You can control how and what you want to do after a specific alert comes in. This greatly decreases the human effort involved in taking care of the incident. 

Azure Sentinel is a great tool for incident management and event logging which are significantly important controls in information security frameworks. It’s considered an all in one tool that takes care of logging, reporting, documenting, monitoring, investigating, and remediating incidents within your environment. With proper implementation, it can prove to be very helpful in securing your virtual workspace. 

Leave a Comment