SIEM Defined

Security information and event management, SIEM for short, is a solution that helps organizations detect, analyze, and respond to security threats before they harm business operations.

SIEM, pronounced “sim,” combines both security information management (SIM) and security event management (SEM) into one security management system. SIEM technology collects event log data from a range of sources, identifies activity that deviates from the norm with real-time analysis, and takes appropriate action.

In short, SIEM gives organizations visibility into activity within their network so they can respond swiftly to potential cyberattacks and meet compliance requirements.
How do SIEM tools work?

SIEM tools collect, aggregate, and analyze volumes of data from an organization’s applications, devices, servers, and users in real time so security teams can detect and block attacks. SIEM tools use predetermined rules to help security teams define threats and generate alerts.
SIEM capabilities and use cases

SIEM systems vary in their capabilities but generally offer these core functions:

• Log management: SIEM systems gather vast amounts of data in one place, organize it, and then determine if it shows signs of a threat, attack, or breach.
• Event correlation: The data is then sorted to identify relationships and patterns to quickly detect and respond to potential threats.
• Incident monitoring and response: SIEM technology monitors security incidents across an organization’s network and provides alerts and audits of all activity related to an incident.
Benefits of using a SIEM

SIEM tools offer many benefits that can help strengthen an organization’s overall security posture, including:

• A central view of potential threats
• Real-time threat identification and response
• Advanced threat intelligence
• Regulatory compliance auditing and reporting
• Greater transparency when monitoring users, applications, and devices
How it works

(Diagram: Collect from Microsoft services; apps, users, and infrastructure; public clouds; and security solutions. Visibility through dashboards. Analyze and detect with machine learning and UEBA. Investigate and hunt with pre-defined queries and Azure Notebook. Automate and orchestrate response with playbooks and enrichment. Integrate with ServiceNow, other tools, and the community. Underlying layers: data ingestion, data repository, and data search, built on Azure Monitor.)
Microsoft Sentinel

Optimize security operations with cloud-native SIEM powered by AI and automation:

• Collect data at cloud scale
• Stay ahead of threats
• Streamline investigation with incident insights
• Accelerate response and save time by automating common tasks
Microsoft Sentinel capabilities

Collect data at cloud scale

Easily connect your logs with Microsoft Sentinel using built-in data connectors—across all users, devices, apps, and infrastructure—on-premises and in multiple clouds.

After you onboard Microsoft Sentinel into your workspace, you can use data connectors to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many out-of-the-box connectors for Microsoft services, which you can integrate in real time. For example, the Microsoft 365 Defender connector is a service-to-service connector that integrates data from Office 365, Azure Active Directory (Azure AD), Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps.

You can also enable built-in connectors to the broader security ecosystem for non-Microsoft products. For example, you can
Stay ahead of threats

Gain more contextual and behavioral information for threat hunting, investigation, and response using built-in entity behavioral analytics and machine learning.

Identifying threats inside your organization and their potential impact - whether a compromised entity or a malicious insider - has always been a time-consuming and labor-intensive process. Sifting through alerts, connecting the dots, and active hunting all add up to massive amounts of time and effort expended with minimal returns, and the possibility of sophisticated threats simply evading discovery. Particularly elusive threats like zero-day, targeted, and advanced persistent threats can be the most dangerous to your organization, making their detection all the more critical.

The UEBA capability in Microsoft Sentinel eliminates the drudgery from your analysts’ workloads and the uncertainty from their efforts, and delivers high-fidelity, actionable intelligence, so they can focus on investigation and remediation.
Streamline investigation with incident insights

Visualize the full scope of an attack, investigate related alerts, and search historical data.

When you come across a user account, a hostname / IP address, or an Azure resource in an incident investigation, you may decide you want to know more about it. For example, you might want to know its activity history, whether it's appeared in other alerts or incidents, whether it's done anything unexpected or out of character, and so on. In short, you want information that can help you determine what sort of threat these entities represent and guide your investigation accordingly.

The Timeline

The timeline is a major contribution of behavior analytics in Microsoft Sentinel. It presents a story about entity-related events, helping you understand the entity's activity within a specific time frame.
Accelerate response and save time by automating common tasks

Triage incidents rapidly with automation rules and automate workflows with built-in playbooks, increasing security operations center (SOC) efficiency.

Microsoft Sentinel as a SOAR solution

The problem

SIEM/SOC teams are typically inundated with security alerts and incidents on a regular basis, at volumes so large that available personnel are overwhelmed. This results all too often in situations where many alerts are ignored and many incidents aren't investigated, leaving the organization vulnerable to attacks that go unnoticed.

The solution

Microsoft Sentinel, in addition to being a Security Information and Event Management (SIEM) system, is also a platform for Security Orchestration, Automation, and Response (SOAR). One of its primary purposes is to automate any recurring and predictable enrichment, response, and remediation tasks that are the responsibility of your Security Operations Center and personnel (SOC/SecOps), freeing up time and resources for more in-depth investigation of, and hunting for, advanced threats. Automation takes a few different forms in Microsoft Sentinel, from automation rules that centrally manage the automation of incident handling and response, to playbooks that run predetermined sequences of actions to provide powerful and flexible advanced automation to your threat response tasks.

A- Automation rules

Automation rules allow users to centrally manage the automation of incident handling. They let you assign playbooks to incidents and alerts, automate responses for multiple analytics rules at once, automatically tag, assign, or close incidents without the need for playbooks, create lists of tasks for your analysts to perform when triaging, investigating, and remediating incidents, and control the order in which actions are executed. This capability enables complex workflows for your incident orchestration processes.

B- Playbooks

A playbook is a collection of response and remediation actions and logic that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response.
“Microsoft roars into the security analytics market… The vendor’s entry into the security analytics space captivated security buyers. Microsoft’s bold move to allow the ingestion of Microsoft Azure and Microsoft Office 365 activity logs into Sentinel at no cost makes the solution attractive to enterprises invested in Azure and Microsoft 365.”
- The Forrester Wave™: Security Analytics Platforms, Q4 2022 report

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
Collect security data at cloud scale from any source

• Azure + Microsoft 365: security alerts, activity data
• Collectors: CEF, Syslog, Windows, Linux
• TAXII + Microsoft Graph: threat indicators
• APIs: custom logs

Proven log platform with more than 10 petabytes of daily ingestion.

Integrate out-of-the-box with your existing tools in Azure, on-premises, or in other clouds: 150+ out-of-the-box integrations, with more on the way.
Get interactive dashboards for powerful insights

• Choose from a gallery of workbooks
• Customize or create your own workbooks using queries
• Take advantage of rich visualization options
• Gain insight into one or more data sources

Leverage an extensive library of detections or build your own

• Choose from more than 100 built-in analytics rules
• Correlate events with your threat intelligence, and now with Microsoft URL intelligence + network data

Improve insider and unknown threat detection with User and Entity Behavior Analytics

• Use behavioral insights to detect anomalies, understand the relative sensitivity of entities, and evaluate potential impact
• Get baseline behavioral profiles of entities across time and peer group horizons
• Powered by the proven Microsoft User and Entity Behavior Analytics (UEBA) engine
Behavior Analytics
What is User and Entity Behavior Analytics (UEBA)?

As Microsoft Sentinel collects logs and alerts from all of its connected data sources, it analyzes them and builds baseline behavioral profiles of your organization’s entities (such as users, hosts, IP addresses, and applications) across time and peer group horizons. Using a variety of techniques and machine learning capabilities, Microsoft Sentinel can then identify anomalous activity and help you determine if an asset has been compromised. Not only that, but it can also figure out the relative sensitivity of particular assets, identify peer groups of assets, and evaluate the potential impact of any given compromised asset (its “blast radius”). Armed with this information, you can effectively prioritize your investigation and incident handling.
UEBA analytics architecture

Security-driven analytics

Inspired by Gartner’s paradigm for UEBA solutions, Microsoft Sentinel provides an "outside-in" approach, based on three frames of reference:

• Use cases: By prioritizing for relevant attack vectors and scenarios based on security research aligned with the MITRE ATT&CK framework of tactics, techniques, and sub-techniques that puts various entities as victims, perpetrators, or pivot points in the kill chain, Microsoft Sentinel focuses specifically on the most valuable logs each data source can provide.
• Data sources: While first and foremost supporting Azure data sources, Microsoft Sentinel thoughtfully selects third-party data sources to provide data that matches our threat scenarios.
• Analytics: Using various machine learning (ML) algorithms, Microsoft Sentinel identifies anomalous activities and presents evidence clearly and concisely in the form of contextual enrichments, some examples of which appear below.
Microsoft Sentinel presents artifacts that help your security analysts get a clear understanding of anomalous activities in context, and in comparison with the user's baseline profile. Actions performed by a user (or a host, or an address) are evaluated contextually, where a "true" outcome indicates an identified anomaly:

• across geographical locations, devices, and environments.
• across time and frequency horizons (compared to the user's own history).
• as compared to peers' behavior.
• as compared to the organization's behavior.

The user entity information that Microsoft Sentinel uses to build its user profiles comes from your Azure Active Directory. When you enable UEBA, it synchronizes your Azure Active Directory with Microsoft Sentinel, storing the information in an internal database visible through the IdentityInfo table in Log Analytics.
Scoring

Each activity is scored with an “Investigation Priority Score”, which determines the probability of a specific user performing a specific activity, based on behavioral learning of the user and their peers. Activities identified as the most abnormal receive the highest scores (on a scale of 0-10).
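As an added worked example (not from the original deck or Microsoft's own documentation), the KQL query below ties the scoring above to the contextual "true" anomaly flags and the IdentityInfo table described earlier: it lists the highest-scored UEBA activities of the last day and enriches each with the user's directory context. The BehaviorAnalytics table and its columns follow Sentinel's UEBA schema as I know it, while the two ActivityInsights key names and the threshold of 7 are assumptions to verify against your own workspace.

```kql
// Added example, not from the deck: surface the highest-scored UEBA activities
// and join the user's directory context from IdentityInfo.
// A threshold of 7 on the 0-10 Investigation Priority scale is an assumed tuning value.
let threshold = 7;
let identities =
    IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountObjectId   // keep the latest sync per account
    | project upn = tolower(AccountUPN), Department, JobTitle, AssignedRoles,
              IsAccountEnabled, BlastRadius;
BehaviorAnalytics
| where TimeGenerated > ago(1d)
| where InvestigationPriority >= threshold
// ActivityInsights holds the contextual tests (location, device, time, peers, organization);
// a "True" value marks an identified anomaly. The two key names below are assumed.
| extend NewCountryForUser  = tostring(ActivityInsights.FirstTimeUserConnectedFromCountry),
         UncommonAmongPeers = tostring(ActivityInsights.CountryUncommonlyConnectedFromAmongPeers)
| extend upn = tolower(UserPrincipalName)               // normalize case before joining
| join kind=leftouter identities on upn                 // keep activities even without a directory match
| project TimeGenerated, UserPrincipalName, Department, JobTitle, AssignedRoles, BlastRadius,
          IsAccountEnabled, ActivityType, ActionType, SourceIPAddress, SourceIPLocation,
          InvestigationPriority, NewCountryForUser, UncommonAmongPeers
| order by InvestigationPriority desc, TimeGenerated desc
```

Sorting by score first puts the activities the deck calls "most abnormal" at the top of the triage list, with blast radius and assigned roles visible for prioritization.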
Start hunting over security data with fast, flexible queries

• Run built-in threat hunting queries—no prior query experience required
• Integrate hunting and investigations

Monitor and manage threat intelligence

• Create, view, search, filter, sort, and tag all your threat indicators in a single pane
• Use alert metrics to help understand top threats targeting your organization
• Use automation playbooks for leading threat intelligence providers to enrich alerts

Use Watchlists to integrate business insights

• Create collections of data for threat hunting and detection (e.g. restricted IPs, trusted systems, critical assets, risky users, vulnerable hosts)
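An added example of the "restricted IPs" watchlist use case just listed (not from the deck): a detection query that reads a Sentinel watchlist through the built-in _GetWatchlist function and flags successful Azure AD sign-ins from addresses in it, carrying the watchlist's own context into the result. The watchlist name RestrictedIPs and its Reason and Owner columns are assumed; the query also assumes the watchlist was created with the IP address as its SearchKey.

```kql
// Added example, not from the deck. Watchlist 'RestrictedIPs' and its Reason/Owner
// columns are assumed; SearchKey is the watchlist's indexed lookup column.
let restricted =
    _GetWatchlist('RestrictedIPs')
    | project IPAddress = tostring(SearchKey),
              Reason    = tostring(Reason),
              Owner     = tostring(Owner);
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "0"                     // "0" = successful sign-in in Azure AD sign-in logs
| join kind=inner restricted on IPAddress    // only sign-ins from restricted addresses survive
| summarize SignIns   = count(),
            Apps      = make_set(AppDisplayName),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by UserPrincipalName, IPAddress, Reason, Owner
| order by SignIns desc
```

Scheduled as an analytics rule, each row becomes an alert whose Reason and Owner fields tell the analyst why the address was restricted and whom to contact.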
Visualize the entire attack to determine scope and impact

• Navigate the relationships between related alerts, bookmarks, and entities
• Expand the scope using exploration queries
• Gain deep insights into related entities—users, domains, and more

80% reduction in investigation effort compared to legacy SIEMs [1]
Respond rapidly with built-in orchestration and automation

(Diagram: automated and scalable playbooks that integrate across tools: security products, ticketing systems such as ServiceNow, and additional tools.)

Automate and orchestrate security operations using integrated Azure Logic Apps

• Build automated and scalable playbooks that integrate across tools
• Choose from a library of samples
• Create your own playbooks using 200+ built-in connectors
• Trigger a playbook from an alert or incident investigation