Microsoft Solutions

SIEM, SOAR and XDR are three Microsoft solutions: Security Information Event Manager, Security Orchestration and Automation Response, and Extended Detection and Response. The SIEM is the main system for log aggregation and alert generation. SOAR looks through events and analyzes them to produce automated responses to alerts or suspicious events. XDR is a system that integrates threat detection and response across the security sources in the enterprise, such as cloud and networking devices.

SIEM

A SIEM is a Security Information Event Manager and is responsible for log aggregation along with generating some alerts. The SIEM replaced two earlier systems, the SIM and the SEM. The SIM was Security Information Management, which collected log files to identify suspicious security events. The SEM was Security Event Management, which provided log aggregation for events related to security software and hardware such as firewalls, IDS and IPS systems.

The main SIEM application for Microsoft is Azure Sentinel, which is more of a Security Operations Center (SOC) type of application. Azure Sentinel provides this log aggregation along with analysis, log correlation, data analysis for visualization, and log retention.

SOAR and XDR

SOAR is Security Orchestration and Automation Response, and it works with a SIEM system like Azure Sentinel. It provides security orchestration by collating the logs from the SIEM and producing an automated response using AI and machine learning. This augments the SOC team by handling the more mundane and trivial detections automatically; freeing up the SOC team results in better detection and response times.

XDR is Extended Detection and Response, which allows a response to more elaborate threat detections by using both the SIEM and the SOAR system. This gives the SOC team a better mean time to respond. The XDR also correlates threat intelligence and security system logs for better SOC operations, giving the team a better chance of detecting threats while reducing false positives.
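As an added illustration (not code from the original post), the following Python sketch shows the SIEM and SOAR steps described above on constructed firewall and IDS log lines: aggregation, a correlation rule that raises alerts, and a SOAR routing step that automates the routine alert and escalates the rest to the SOC queue. The log format, rule names, severities and thresholds are assumptions made for this example.

```python
# Added example: a toy SIEM -> SOAR pipeline over constructed log lines.
from collections import defaultdict

# Constructed sample logs (assumed format): "source|timestamp|src_ip|event"
SAMPLE_LOGS = """\
firewall|2024-01-01T10:00:01|203.0.113.5|DENY tcp/22
firewall|2024-01-01T10:00:02|203.0.113.5|DENY tcp/23
firewall|2024-01-01T10:00:03|203.0.113.5|DENY tcp/445
ids|2024-01-01T10:00:04|203.0.113.5|ET SCAN Port Scan
firewall|2024-01-01T10:01:00|198.51.100.7|DENY tcp/80
ids|2024-01-01T10:02:00|192.0.2.9|ET MALWARE Beacon
""".splitlines()

def aggregate(lines):
    """SIEM step: normalize raw lines from different sources, grouped by source IP."""
    by_ip = defaultdict(list)
    for line in lines:
        source, ts, ip, event = line.split("|", 3)
        by_ip[ip].append({"source": source, "ts": ts, "event": event})
    return by_ip

def correlate(by_ip, deny_threshold=3):
    """SIEM step: correlation rules (assumed) that turn grouped events into alerts."""
    alerts = []
    for ip, events in by_ip.items():
        denies = sum(e["source"] == "firewall" and e["event"].startswith("DENY") for e in events)
        ids_hits = [e["event"] for e in events if e["source"] == "ids"]
        # Firewall denies plus an IDS scan signature from the same IP -> low-severity alert
        if denies >= deny_threshold and any("SCAN" in h for h in ids_hits):
            alerts.append({"ip": ip, "rule": "port_scan", "severity": "low"})
        # Any malware signature is escalated as high severity
        for hit in ids_hits:
            if "MALWARE" in hit:
                alerts.append({"ip": ip, "rule": "malware_beacon", "severity": "high"})
    return alerts

def soar_route(alerts):
    """SOAR step: automate routine (low) alerts, escalate the rest to the SOC analyst queue."""
    actions, soc_queue = [], []
    for a in alerts:
        if a["severity"] == "low":
            actions.append(f"block {a['ip']} at edge firewall for 1h")  # automated playbook
        else:
            soc_queue.append(a)  # needs an analyst
    return actions, soc_queue

def run_pipeline(lines=SAMPLE_LOGS):
    """Run aggregation, correlation and SOAR routing; returns (alerts, (actions, soc_queue))."""
    alerts = correlate(aggregate(lines))
    return alerts, soar_route(alerts)

if __name__ == "__main__":
    print(run_pipeline())
```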

Conclusion

I am using this as a blog post instead of an article. I need to work more on my expertise in the Microsoft Security applications to do a better job for my blog. I am still going to be doing the Aaron W. DeJong IT Articles and might work more on the articles for Microsoft Security concepts. This blog is going to be more on the computer networking or Cisco side of the IT House.

I will be working on more content and will update the blog on Friday for this one and aaronwdejong.net. This will allow me to complete two blog posts on a day that I normally do the aaronwdejong.net blog.