Protecting the modern enterprise from increasing cyberthreats requires a modern approach to SecOps: an approach powered by intelligence and automation. Security operations teams simply cannot scale to meet today's security challenges, resulting in overworked security analysts, unaddressed security alerts, and undetected threats. By empowering SecOps teams to work smarter, not harder, Microsoft Sentinel can enable them to stay ahead of emerging threats and respond more quickly to attacks.
Unified SIEM + SOAR with Microsoft Sentinel
Microsoft Sentinel brings together data, analytics, and workflows to unify and accelerate threat detection and response across your entire digital estate. With built-in security orchestration, automation, and response (SOAR) capabilities, along with built-in user and entity behavior analytics (UEBA) and threat intelligence (TI), customers get a complete solution for SecOps that is both easy and powerful, at a fraction of the cost and hassle of standalone SIEM and SOAR solutions. Microsoft Sentinel offers:
- AI-Powered Incident Response: Automatically correlate alerts and anomalies using ML-based fusion to find hidden threats and create prioritized incidents. Enrich incidents with user and entity behavioral insights and intelligence. Search across all your data, including archived logs, and add related events to an incident. Use the investigation graph to discover relationships between alerts, events and entities, and leverage the incident timeline to quickly understand the full attack story.
- Integrated Threat Intelligence: Bring your own TI or leverage Microsoft and RiskIQ TI to detect threats, prioritize investigations, and speed response. Create, view, search, filter, sort, and tag all your threat indicators to easily track top threats targeting your organization.
- Smart Automation Workflows: Centrally manage automated incident response across your security operations center (SOC) by creating ordered workflows containing a mix of built-in actions (prioritize, assign, close and tag incident) and playbooks. Leverage hundreds of out-of-the-box playbook templates to integrate with your IT and security systems or create your own using a visual playbook designer. Trigger playbooks automatically when an incident is created or on demand during an investigation.
- Incident Case Management: Unify incident management across multiple workspaces and orgs. Manage incident assignments, track status and comments, and maintain full audit and RBAC on any action taken. Collaborate easily with bi-directional Microsoft Teams integration, and integrate with ServiceNow, Jira and other tools.
- SOC performance tracking and measurement: Track important metrics and KPIs (MTTR and MTTA) with the out-of-the-box SOC efficiency workbook. New workbooks can be created and customized with many visual options, exported to facilitate reporting, and used for tracking across multiple workspaces and orgs.
New SOAR Capabilities
Continuing our journey, we are happy to announce new SOAR capabilities now available in Microsoft Sentinel.
- Similar Incidents (Public Preview). Gain visibility into incidents that are similar to the one you are investigating to help map the true scope of an attack, find incidents to be used as reference, or find other analysts investigating similar incidents, all helping reduce the time it takes to respond and resolve. Incidents are ranked by similarity using a proprietary algorithm that leverages entity and rule context.
- Additional options for triggering automation (Public Preview). Trigger an automation workflow and playbooks when an incident is updated. This new capability allows you to continue the orchestration even as the incident evolves: for example, changing the severity if a high-value asset becomes involved, notifying relevant analysts by email or Teams when incidents are assigned or updated, or blocking new IP addresses in a firewall as new IPs are added to the attack. In addition, a new manual incident trigger allows analysts to run incident playbooks on demand, simplifies testing of new flows, and allows analysts to view the run history of automation on an incident.
- Logic Apps Standard support (Public Preview). Use the new and more powerful version of the Logic Apps platform, which offers benefits such as fixed pricing, single apps with multiple workflows, easier API connection management, native network capabilities such as VNet and private endpoint support, built-in CI/CD features, better Visual Studio integration, a new version of the Logic Apps designer, and more.
- Relate alert to incident (Public preview). Add or remove an alert from an incident as part of the investigation process. This feature can be used from the investigation graph or incorporated into playbooks to create smart correlations between alerts as information about large, complex attacks is revealed.
- 100 workspaces/tenant support for incidents management (GA). View incidents across up to 100 (previously 30) Microsoft Sentinel workspaces, thus extending incident management for distributed organizations, partners, and MSPs.
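The incident-updated trigger described above is easiest to reason about as a small rule that compares the incident before and after the update. The following is an added example, not Microsoft's code and not the Sentinel automation-rule API: it simulates such a rule over constructed incident snapshots, escalating severity when a newly added host is a high-value asset, notifying the new owner on reassignment, and handing a downstream "block" step only the IPs that are new in this update. The asset list, host names and IP addresses are constructed, and the `updated_by` guard is an assumption about how one would stop a rule from re-triggering on its own severity change.

```python
"""Constructed simulation of an incident-updated automation rule.

Not Microsoft's code and not the Sentinel API: the Incident/UpdateEvent
shapes, the high-value asset list and the actor guard are all assumptions
made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional, Set

# Severity ladder used for "only ever escalate, never downgrade" comparisons.
SEVERITY_ORDER = ["Informational", "Low", "Medium", "High"]

# Constructed list of assets whose involvement should escalate an incident.
HIGH_VALUE_ASSETS = {"dc01.corp.example", "payroll-db.corp.example"}

# Name under which this rule writes back to the incident. Updates made by
# this actor are ignored so the rule cannot re-trigger itself in a loop.
AUTOMATION_ACTOR = "automation-rule"


@dataclass
class Incident:
    id: str
    severity: str
    owner: Optional[str]
    hosts: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)


@dataclass
class UpdateEvent:
    """Snapshot of the incident before and after an update, plus who made it."""
    incident: Incident
    previous: Incident
    updated_by: str


@dataclass
class Outcome:
    new_severity: Optional[str] = None
    notify: List[str] = field(default_factory=list)
    block_ips: List[str] = field(default_factory=list)
    skipped: bool = False


def on_incident_updated(ev: UpdateEvent) -> Outcome:
    """Evaluate the rule once and return the actions it would take."""
    out = Outcome()
    # Guard: an update written by this rule must not trigger it again.
    if ev.updated_by == AUTOMATION_ACTOR:
        out.skipped = True
        return out

    inc, prev = ev.incident, ev.previous

    # Escalate only when a high-value asset is newly involved and the
    # incident is not already at the top of the ladder.
    new_hosts = inc.hosts - prev.hosts
    if new_hosts & HIGH_VALUE_ASSETS and (
        SEVERITY_ORDER.index(inc.severity) < SEVERITY_ORDER.index("High")
    ):
        out.new_severity = "High"

    # Notify the new owner when the assignment changed.
    if inc.owner and inc.owner != prev.owner:
        out.notify.append(inc.owner)

    # Only the IPs added by this update are passed to a block step, so a
    # firewall playbook is not re-run for addresses already handled.
    out.block_ips = sorted(inc.ips - prev.ips)
    return out


def apply_rule(ev: UpdateEvent) -> Outcome:
    """Evaluate the rule and write the severity change back to the incident."""
    out = on_incident_updated(ev)
    if out.new_severity:
        ev.incident.severity = out.new_severity
    return out


if __name__ == "__main__":
    before = Incident("inc-1", "Medium", "alice", {"ws-17"}, {"203.0.113.5"})
    after = Incident("inc-1", "Medium", "bob",
                     {"ws-17", "dc01.corp.example"},
                     {"203.0.113.5", "198.51.100.9"})
    print(apply_rule(UpdateEvent(after, before, updated_by="bob")))
```

The two snapshots are what make the rule cheap to evaluate and safe to chain: every action is computed from the difference between `previous` and `incident`, so a playbook that runs on each update does incremental work instead of re-processing the whole incident, and the actor guard plus the "escalate only" check mean the rule's own write-back cannot bounce the severity up and down.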
An empowered SecOps Team
Microsoft Sentinel customers are realizing material gains in SOC efficiency by leveraging the SOAR capabilities above, freeing up SOC personnel for more in-depth investigation and hunting for advanced threats. Microsoft Sentinel is helping customers:
- Focus on real threats with AI that reduces false positives by 79% [1]
- Automatically resolve 30% of incidents
- Reduce mean time to respond (MTTR) from hours to minutes
Source: [1] The Total Economic Impact™ Of Microsoft Sentinel
Learn More
Microsoft is committed to empowering our customers with security tools and platforms that enable critical protection for your organization and users. To learn more about Microsoft Sentinel and SOAR, please refer to:
- Microsoft Sentinel: https://aka.ms/microsoftsentinel
- SOAR in Microsoft Sentinel: Introduction to automation in Microsoft Sentinel | Microsoft Docs
- Learn More: Microsoft Sentinel documentation | Microsoft Docs
- SIEM + SOAR infographic: Optimizing SecOps with Microsoft Sentinel
- Customer Success Stories: https://customers.microsoft.com/
Together we can make the world a safer place.