5 Test Use Cases of Microsoft Sentinel to Implement SIEM and SOAR

SIEM and SOAR Converged: Their Mutual Benefits for Businesses

When SOAR appeared on the horizon in 2015, ten years after SIEM’s ascend, many mistakenly considered SOAR as the next evolution step to replace the tool. However, functioning in synergy, these solutions become a vital part of incident resolution management. While SIEM is a threat data collector and analyzer, SOAR operates on the SIEM’s analyzed intel, prioritizing and handling threats, taking a load of ever-growing routine tasks off a SOC team. Operating together, these tools can help not only to resolve but also prevent incidents from happening.

How SIEM and SOAR Work Together

Source

It is the automation of repetitive manual tasks that SOAR adds to SIEM capabilities, allowing it to connect data from various systems and achieve higher visibility of security alerts. Abbreviation of SOAR covers three technologies – SIRP, SOA, and TIP. 

Read more about their capabilities in a related blog article by Infopulse “SIEM & SOAR Tools: A Gentle Guide to Selecting the Right Solution”.

Both SIEM and SOAR systems can function autonomously. However, it is their convergence – where SIEM’s job finishes, SOAR picks up – that empowers SOC teams with:

• Streamlined alert management processes – 54% of cybersecurity pros say that SIEM triage is now among the key SOAR use cases
• Accelerated threat discovery and enhanced threat intelligence (57% choose SOAR to enable effective threat intelligence program)
• Reduced mean time to resolution – 70% consider this as the main reason to invest in modern SOAR/SIEM solutions
• Less overhead due to automated repetitive manual tasks performed by SOC.

Microsoft Sentinel as a Response to Traditional SIEM Limitations

In one of the latest SIEM surveys, 96% of decision-makers say that their threat detection has strengthened, however, only 15% are completely satisfied with their security posture after the SIEM adoption. The need for SOAR companionship came mostly from the limitations of a traditional SIEM:

• Excessive alerts made 24% of security specialists leave high-priority alerts unnoticed while spending too much time and resources on false-positive alerts.
• Almost 50% observe slow querying that most often stems from a reliance on their legacy tech stack and traditional SIEM’s on-premises infrastructure.
• Inability to scale operations in a legacy SIEM with the growth of data ingestion volumes.
• Operational overhead (33%) and allocation of high-value labor to routine administrative and maintenance tasks, both sprouting from insufficient automation.

To overcome those limitations, many security teams lean towards the implementation of SaaS solutions, like Microsoft Sentinel, that already combines both SIEM and SOAR functionalities, enriched with AI and numerous Microsoft and non-Microsoft connectors. In 2020, Forrester studied the economic impact of Microsoft Sentinel on those companies that switched from their traditional on-premises SIEM solution to an all-in-one cloud-native SIEM and SOAR solution. For the surveyed companies, having a modern Microsoft Sentinel was 48% more cost-effective than their legacy SIEM.

A case in point: when Infopulse helped a client, one of the largest supermarket chains, to decide on a suitable SIEM/SOAR solution that had to meet their security management requirements, our experts made a detailed assessment and comparison of Microsoft Sentinel’s cloud-native capabilities with the available hybrid solutions. Microsoft Sentinel demonstrated more advantages due to its tight integration with other cloud services and its cloud-based security powered by machine learning analytics. When using Microsoft Sentinel as a SIEM/SOAR system, the client can minimize the total cost of ownership of SOAR that does not require a license as a dedicated solution or payments until automation activities are completed.

Comparing Microsoft Sentinel with a Traditional Hybrid/On-Prem Solution

If you are already considering Microsoft Sentinel implementation, then you should check some best practices for the flawless adoption in our other blog article “Microsoft Sentinel: How to Ensure Seamless Integration and Optimize Your SOC Licensing Costs”.

Five Test Use Cases of Microsoft Sentinel

Another best practice we recommend following is performing test use cases to assess and validate the capabilities of Microsoft Sentinel for your business and define the most winning scenario of the solution implementation into the existing cybersecurity system. For example, Infopulse developed four test cases for a major agricultural company to validate the effectiveness of the solution in regard to their business demands and demonstrate Microsoft Sentinel’s advantages as a single SIEM/SOAR solution. Among them are many automation options for repetitive tasks, decreased license costs, and a roadmap for further integration with the client’s cybersecurity system. 

In this blog post, we have gathered the most common test use cases that allow showing Microsoft Sentinel’s SIEM and SOAR capabilities as a cloud-native solution and ways to implement them.

1. Multiple Password Resets by User

This test scenario suggests steps needed to automate password resets or MFA requests when a user account is suspected to be compromised. With Microsoft Sentinel’s SOAR capabilities, it is easier to fully automate common activities needed to rapidly react to unauthorized access.

2. Detection of Events Based on Indicators of Compromise

Indicators of compromise (IoCs) are forensic intel, the evidence security specialists gather to detect malicious activities that can lead to possible security attacks, data breaches, or other threats compromising the security of existing IT infrastructure. Testing IoCs inclusion into a Microsoft SIEM/SOAR system will most likely demonstrate its potential to act rapidly upon threats and enable remediation scenarios.

3. Identifying Non-Typical Activities of Privileged Accounts

Timely detecting potential threats or abnormal behavior patterns of privileged users whose essential role is to administer the company’s IT infrastructure, software, and critical business systems can help avert critical sensitive data loss and system breaches.

4. Identify Potentially Malicious Scenarios of Using Microsoft Teams

While digital collaboration and communication have become the most requested trends these years, 75% of organizations have deployed Microsoft Teams without integrating security practices. Even more, only 25% actually removed guest users, while the rest faced the risk of being exposed to potential threats not doing so. Obviously, organizations must automate some routine activities like the external users automatic removal not to deal with security incidents in the future.

This use case focuses on testing how Microsoft Sentinel manages the security of digital collaboration in Microsoft Teams, specifically the ability to connect safely with external users.

5. Identifying Dangerous Activities with Files on SharePoint / OneDrive Coming from New IP Addresses

This test scenario allows assessing Microsoft Sentinel’s SIEM/SOAR ability to check and ensure the security of SharePoint / OneDrive data received from new IP addresses.

Conclusion

While SIEM and SOAR are quite different in their purposes, they perfectly complement each other and can be implemented as part of a single solution such as Microsoft Sentinel that allows using the best of both worlds. When comparing this solution with the traditional SIEM system, you can see how many gaps the latter may have in regard to costs and operational capabilities. Before implementing Microsoft Sentinel, you can check its validity by applying the specific test use cases that we describe in this article. And if you are ready for getting started with a consolidated SIEM and SOAR solution, please check a dedicated Microsoft Sentinel service we offer together with our profound expertise in this solution implementation.