As the volume of security data continues to grow exponentially across increasingly distributed digital estates, Microsoft is reinventing the economics of SIEM and delivering new ways to access and work with security data. We are making it easier than ever for your security analysts to access any data, over any timeframe, to provide the most comprehensive and innovative threat hunting solution in the market.
Search + Analytics Over Any Data
As the first step on that journey, we are introducing new Basic Logs, which enable lower-cost collection of voluminous data sets, such as verbose network flow logs, in Microsoft Sentinel. This data, historically stored outside of the SIEM, is now easily available to your security analysts for ad hoc threat hunting and investigation – saving valuable time and removing blind spots. Basic Logs complement existing Analytics Logs, which require continuous monitoring, correlation, and advanced analysis to detect threats proactively.
In addition, we are adding an Archived Log option that enables you to store Basic and Analytics Logs at very low cost for up to 7 years. Retain more data for longer to enable threat hunting over greater timeframes and address increasing regulatory requirements for security log archiving.
To enable rapid threat hunting over your expanding security data set, we are also announcing a new experience that empowers analysts to easily search petabytes of security data (Basic, Analytics, Archived, and more coming soon) across long time horizons and delivers results within minutes. When relevant archived data is discovered, it can be easily restored to high performance cache to enable further analysis and investigation. Having this data at your fingertips is vital to combatting long running threats like Nobelium, which are becoming increasingly common. Our vision is to unify search across all security data stores, bringing together existing query support for Azure Data Explorer and searching across Azure Data Lake, as well as a broad set of data stores, including multi-cloud.
Beyond search, we are announcing general availability of Log Analytics workspace data export. Log Analytics data export enables continuous export of Microsoft Sentinel data to Azure Data Lake, making it possible for analysts to quickly and easily leverage massive security data sets to pinpoint security hot spots, breaches, and attacks. With data export, Microsoft Sentinel customers can leverage native integration with Azure Synapse, a high-scale data warehouse run on the Azure cloud, and combine Microsoft Sentinel data with multi-cloud datasets for an endless number of data-science-driven SecOps scenarios. To get started, you can use the out-of-the-box notebook templates created by Microsoft security and data scientists. As an example, you can leverage Azure Synapse to hunt for anomalous behaviors such as network beaconing patterns, build custom classifiers using your asset inventory to inform incident prioritization, develop custom baselines for threat detection, and much more. Learn more.
Data Collection + Transformation
We continue to add new capabilities to streamline the collection of data in Microsoft Sentinel, and today we are announcing important new capabilities for data collection and transformation as well as additional connectors and solutions in our Content Hub.
Expanded data collection rules allow you to transform data as it is ingested into Microsoft Sentinel using a subset of the familiar KQL query language. This enables you to extract fields and parse complex logs to align with your custom schema or our Advanced Security Information Model (ASIM), which is now built into Microsoft Sentinel. You can also obfuscate sensitive data for privacy and compliance, filter out unneeded fields or entire events to reduce costs, and add enrichments. Learn more about ASIM and ingestion-time transformations.
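The following data collection rule is an added example (not from this post or from Microsoft's documentation) showing where an ingestion-time transformation sits: a custom stream of raw text lines is parsed into fields, the username is obfuscated with a hash, health-check noise is dropped, and the result lands in a custom Sentinel table. The resource names, the `Custom-MyAppRaw` stream, the `MyApp_CL` table and its columns, and the sample line format `user=alice ip=10.0.0.5 action=login` are all assumptions; the placeholder resource IDs must be replaced with your own, and the output table must already exist with the projected columns.

```json
{
  "type": "Microsoft.Insights/dataCollectionRules",
  "apiVersion": "2021-09-01-preview",
  "name": "dcr-myapp-ingest-transform",
  "location": "eastus",
  "properties": {
    "dataCollectionEndpointId": "<DATA_COLLECTION_ENDPOINT_RESOURCE_ID placeholder>",
    "streamDeclarations": {
      "Custom-MyAppRaw": {
        "columns": [
          { "name": "TimeGenerated", "type": "datetime" },
          { "name": "RawData", "type": "string" }
        ]
      }
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "sentinelWorkspace",
          "workspaceResourceId": "<LOG_ANALYTICS_WORKSPACE_RESOURCE_ID placeholder>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Custom-MyAppRaw" ],
        "destinations": [ "sentinelWorkspace" ],
        "outputStream": "Custom-MyApp_CL",
        "transformKql": "source | where RawData !contains 'action=healthcheck' | parse RawData with * 'user=' User ' ip=' SrcIp ' action=' Action | extend User = hash_sha256(User) | project TimeGenerated, User, SrcIp, Action"
      }
    ]
  }
}
```

The `where` clause removes events before they are billed, `parse` extracts the fields, `hash_sha256` keeps the user value joinable across records without storing the clear-text name, and `project` drops `RawData` so only the structured columns are retained.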
A new Codeless Connector Platform was recently released to enable partners, advanced users, and developers to create custom connectors, connect their data sources, and ingest data to Microsoft Sentinel by polling REST APIs. The Codeless Connector Platform provides support for new data connectors via ARM templates, API, or via a solution in the Microsoft Sentinel content hub.
Together these innovations are game changing for security operations teams. Security data is the backbone of intelligence for security operations and at Microsoft we are focused on tilting the scales towards the defenders.
Ongoing Innovation
In addition to announcing our new, expanded approach to data, we continue to innovate on core threat hunting, detection, and incident response capabilities. New capabilities in these areas include:
Getting Started
As always, we are thrilled to help secure more businesses around the world with Microsoft Sentinel. I would like to invite you to try Microsoft Sentinel with our free trial and benefit from our offers available for you today. To learn more please visit our web page, read our documentation or reach us on Microsoft Sentinel Tech Community.
To enable Basic Logs and data transformation, sign up for public preview here.