
Microsoft recently introduced two monitoring tools for analytics in its cloud-based security service Microsoft Sentinel. The SentinelHealth and SentinelAudit functionality is now in public preview.

The tech giant wants to help security specialists respond to potential threats in a timely manner. To this end, Microsoft is introducing a number of monitoring tools for the analytics rules in its cloud-based security tool Microsoft Sentinel. These tools should provide insight into the health and status of these rules and into the background of changes made to them.

Functioning analytics rules

This way, security specialists, especially those specialists working in SOCs, can be sure that the analytics rules in Sentinel are functioning correctly and provide relevant information on which they can take action, a Microsoft specialist indicated to The Register.

In addition, with the tools now introduced, these employees can stay aware of planned and unplanned changes to these rules, both for compliance reasons and for more effective protection against potential attacks.

SentinelHealth and SentinelAudit functionality

For this purpose, the SentinelHealth functionality monitors the health of analytics rules to ensure that they are functioning as expected. It collects data on whether these rules run, whether they fail and why, and it collects events through search queries. All data from these logs is aggregated in Log Analytics in the SentinelHealth table.

The SentinelAudit functionality now added to Microsoft Sentinel is mainly intended to detect unauthorized changes to the rules, to prevent such changes from affecting security and to monitor who makes them.

Furthermore, the functionality records which rule was changed, what its settings were before and after the change, the IP address of the source and when the change was made. All this data is aggregated in the SentinelAudit table of Log Analytics.
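As an added example (not from the article or from Microsoft's own documentation), the following KQL query shows how a SOC could use the two tables described above together: it surfaces analytics rule changes made from outside an approved address range, or that disabled a rule, and pairs each with the rule's most recent health failure. The table names come from the article; the column names (SentinelResourceType, SentinelResourceName, OperationName, Status, Reason, and the ExtendedProperties fields CallerName, CallerIpAddress, OriginalResourceState, UpdatedResourceState), the resource type string and the `enabled` property are assumptions to be verified against your workspace, and the IP range is a placeholder.

```kql
// Added example; column names, the "Analytic Rule" type string and the
// "enabled" property are assumptions. Check them against your own workspace schema.
let lookback = 7d;
// Placeholder: replace with the egress ranges your change-management process uses.
let approved_ranges = dynamic(["203.0.113.0/24"]);
// Most recent non-successful health event per rule from the SentinelHealth table.
let recent_failures =
    SentinelHealth
    | where TimeGenerated > ago(lookback)
    | where SentinelResourceType == "Analytic Rule" and Status != "Success"
    | summarize LastFailure = max(TimeGenerated), FailureReason = take_any(Reason)
        by SentinelResourceName;
SentinelAudit
| where TimeGenerated > ago(lookback)
| where SentinelResourceType == "Analytic Rule"
| extend Caller   = tostring(ExtendedProperties.CallerName),
         CallerIp = tostring(ExtendedProperties.CallerIpAddress),
         Before   = ExtendedProperties.OriginalResourceState,
         After    = ExtendedProperties.UpdatedResourceState
// A rule that was enabled before the change and disabled after it.
| extend DisabledRule = tostring(Before.enabled) == "true" and tostring(After.enabled) == "false"
// A change whose source address is not in the approved ranges.
| extend FromApprovedIp = ipv4_is_in_any_range(CallerIp, approved_ranges)
| where DisabledRule or not(FromApprovedIp)
| join kind=leftouter recent_failures on SentinelResourceName
| project TimeGenerated, SentinelResourceName, OperationName, Status,
          Caller, CallerIp, DisabledRule, FromApprovedIp,
          LastFailure, FailureReason, Before, After
| order by TimeGenerated desc
```

Wire the result into an analytics rule of its own so that tampering with detection content raises an incident rather than sitting in a table waiting to be queried.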

Both functionalities are now in public preview.
