Leveraging Microsoft Sentinel with Custom Test Cases

Back Download case

Location:

Ukraine

Industry:

Agriculture

Employees:

14,000+ employees

About the Customer:

Our client is one of the leaders in the European agricultural sector. They have a diverse network of fields, processing, and storage premises that enable the continuous supply of high-quality produce to 80 countries worldwide.

Business Challenge

As part of the global digitization strategy, our client aimed to enhance the already existing cybersecurity landscape. The company was looking for a service provider to assist with the deployment of a SIEM/SOAR system based on Microsoft Sentinel (formerly Azure Sentinel) and to leverage the business value of the solution.

To demonstrate the performance potential of Microsoft Sentinel to our client, it was necessary to:

Assess the capabilities of Microsoft Sentinel as a holistic SIEM/SOAR system
Reconfigure the current Microsoft Sentinel setup with maximum efficiency
Automate routine processes, such as incident reporting and investigation, utilizing the model powered by machine learning
Centralize signals from multiple enterprise systems under a single console
Ensure Microsoft Sentinel integration with an ITSM system, business applications, etc.

Assessing Microsoft Sentinel Capabilities for a Major Agricultural Company - case study image

Solution

After assessing the existing IT perimeter, our experts developed the high-level architecture and implementation strategy of the solution. To validate the Microsoft Sentinel capabilities, Infopulse created and executed four SIEM/SOAR test cases:

Detecting potential threats while using Microsoft Teams:
- Infopulse experts configured a set of analytical rules to monitor suspicious activity within the app, such as adding external users from anomalous organizations to a team or deleting multiple teams by a single user.
- Set up extensive data parsing and log collection via Logic Apps and Office 365 Management Activity API.
- Utilized interactive charts to visualize Microsoft Teams users’ interaction with external users.
Identifying corporate data leakage via emails:
- Set up an automated rule for Microsoft Sentinel to detect users forwarding multiple emails to the same external SMTP address.
- Developed an algorithm for scenario testing.
Rejecting potentially harmful files when they are uploaded to the corporate cloud storage:
- Configured an analytical rule to detect the uploading of potentially harmful executable files to common folders in SharePoint and OneDrive.
- Developed an algorithm for scenario testing.
- Confirmed successful rule execution with a simulated cyber threat.
Identifying potentially compromised accounts:
- Set up an analytical rule to identify cases of successful logins from IP addresses that tried to exploit blocked or disabled user accounts.
- Verified incident alerts according to the configured rule with a test scenario.

Assessing Microsoft Sentinel Capabilities for a Major Agricultural Company - case study scheme

Business Value

Test scenarios demonstrated the advantages and capabilities of Microsoft Sentinel as a cloud-native (SaaS) security system with a process automation functionality. Upon their successful execution, Infopulse provided our client with extensive recommendations on the further development of the cybersecurity system based on Microsoft Sentinel according to the current and future business demands.

Validating Microsoft Sentinel capabilities provided our client with the following tangible benefits:

Automated cybersecurity rules for the selected test cases that allow minimizing the human factor.
Successful integration of Microsoft Sentinel with Exchange, SharePoint, Teams, and other solutions such as Microsoft Threat Protection and firewalls.
Automated report generation via Microsoft Sentinel and Power BI.
The roadmap for the further implementation of Microsoft Sentinel with extended integration into the company’s IT infrastructure.
Estimated the reduced license costs for Microsoft Sentinel as a single SIEM & SOAR system.
A series of Q&A and learning sessions for the company’s security experts.

Satisfied with the results of the test cases, the Infopulse client now plans on the further implementation of Microsoft Sentinel.