Coffee Break: Integrating the Security Monitoring MP into Microsoft Sentinel

Bruce Cullen / Cameron Fuller / Nathan Gau / Rod Trent

In this Coffee Break webinar, a panel of four experts showcases the new Security Monitoring Management Pack for Microsoft Sentinel. They discuss where it came from, what it can be used for, and most importantly, why Microsoft Sentinel and SCOM make a good pair.

How did it all come about?

Fun fact: the Security MP for Microsoft Sentinel was born at none other than our very own SCOMathon!

“Nathan was presenting on his Security Monitoring MP at SCOMathon, and I immediately saw that we needed it in Sentinel,” said Cameron Fuller.

“I reached out to him to see how we could get it into Sentinel, then realised I needed somebody who had a stronger degree of chops in Azure Sentinel than I possessed. So, I contacted Rod.”

What is the Security Monitoring MP?

The idea first surfaced in 2015 when Nathan attended the security courses at an internal Microsoft tech conference. “Attending these courses as a SCOM guy, I quickly discovered that Event Logs were an untapped source of security intel. SCOM is really good at parsing logs, as that’s what it was made to do,” said Nathan.

And thus, the first sealed version was released in 2017.

The management pack’s goal was to find the breadcrumbs consistent with attacks. It eventually evolved to cover security best practices as well: detecting legacy protocols and GPO changes, giving the security team visibility over what the operations team was doing, and flagging cleared event logs.

Here are some other things it detects:

“SCOM wasn’t the best analytics tool for everything. With Sentinel, we could start correlating some things that SCOM couldn’t do.”

What is Azure Sentinel?

Azure Sentinel is a modern Security Information and Event Management (SIEM) system combined with Security Orchestration, Automation and Response (SOAR).

It offers visibility across the entire digital estate and automation of routine tasks. It is built on top of Azure Monitor, Log Analytics, Logic Apps, Jupyter notebooks etc., and focuses on security events.

At its base, it is a log aggregator. Just like SCOM, it is a central store for log data from every source – the cloud, on-prem and multi-cloud – and ingests it into Azure so it can be analysed specifically for security occurrences.

The difference between this tool and tools like Splunk is that Sentinel has true cloud capability – because it has its own cloud. And this translates into a difference in cost, speed and ease of use.

Why does it make sense to send this data from SCOM to Azure Sentinel?

SCOM gives Sentinel an additional means to get on-prem data. Here, it works as both a filter and a forwarder.

Using SCOM as a filter to gather on-prem data gives you the following benefits:

This solution also allows you to forward useful data directly into Sentinel instead of putting it into SCOM. You can then do correlation that is difficult to do within SCOM. The MP effectively activates SCOM’s syslog capabilities, which is hugely beneficial given that Windows Event Forwarding (WEF) & syslog capabilities are currently difficult to implement.
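The kind of correlation the panel has in mind, once SCOM has forwarded the on-prem events, looks like the following KQL analytics query. This is an added example written for this summary, not code from the webinar or from the Management Pack, and it assumes the forwarded Windows events land in the Log Analytics `Event` table (with its `TimeGenerated`, `Computer`, `EventID` and `RenderedDescription` columns); the one-day lookback and one-hour window are constructed values.

```kql
// Added example (not from the webinar or the MP). Assumes SCOM forwards Windows
// Security/System events into the Log Analytics 'Event' table.
// Goal: a cleared event log on a host, close in time to a sensitive account or
// group change on the same host, which is the sort of cross-event correlation
// that is awkward to express as a SCOM rule but natural in Sentinel.
let lookback = 1d;   // constructed search range
let window   = 1h;   // constructed correlation window either side of the clear
// Step 1: audit-log clearing.
//   1102 = the Security audit log was cleared
//   104  = the System log was cleared
let cleared = Event
    | where TimeGenerated > ago(lookback)
    | where EventID in (1102, 104)
    | project ClearTime = TimeGenerated, Computer, ClearEventID = EventID;
// Step 2: sensitive directory/local changes.
//   4720 = user account created
//   4728 = member added to a security-enabled global group
//   4732 = member added to a security-enabled local group
//   4756 = member added to a security-enabled universal group
let changes = Event
    | where TimeGenerated > ago(lookback)
    | where EventID in (4720, 4728, 4732, 4756)
    | project ChangeTime = TimeGenerated, Computer,
              ChangeEventID = EventID, RenderedDescription;
// Step 3: join on host and keep only changes within the window around the clear.
cleared
| join kind=inner changes on Computer
| where ChangeTime between ((ClearTime - window) .. (ClearTime + window))
| project Computer, ClearEventID, ClearTime,
          ChangeEventID, ChangeTime, RenderedDescription
| order by ClearTime desc
```

Saved as a scheduled analytics rule in Sentinel, each row becomes an incident that already carries both halves of the story, which is exactly the enrichment SCOM alone would not give you.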

Why send it to Sentinel in particular?

SCOM is a powerhouse of an event collection source, but for security events it isn’t so ideal, because of the overhead it puts on the data warehouse. Moreover, SCOM doesn’t have data aggregation capabilities.

With the help of this MP, Sentinel addresses these issues, which makes SCOM and Sentinel the perfect match from a Security perspective.

Why should a SCOM admin care about this news?

The Security MP is great for existing SCOM environments as it supplies new capabilities that are truly needed, plus makes SCOM more “sticky” with security teams. This includes:

Download the Management Pack here: https://aka.ms/SentinelHybrid