Azure Sentinel Tips by Mario Worwell (SC-200)

Little About Azure Sentinel

Azure Sentinel is a cloud-native SIEM used to collect, store, and analyze security-related data. This is done by connecting your data sources to Azure Sentinel, which makes finding threats and anomalies both faster and easier.

What it does:
● It analyzes log data.
● It automates threat response.
● It leverages AI and ML: built-in machine learning and behavioral analytics help you detect, investigate, and remediate cybersecurity threats.
● It’s customizable.

How it works:
● Azure Sentinel uses Analytics Rules to generate alerts via Log Analytics.
● Automation runbooks can be used to respond to threats automatically and to send alerts to administrators when threats are detected.
● You can create, edit, and customize your own Analytics Rules to detect threats specific to your environment.
Azure Sentinel Data Sources

Connect your data to Azure Sentinel. The slide shows a sample of the sources that can feed the workspace:
● AWS/GCP via CloudTrail
● Azure Active Directory: audit logs and sign-in logs
● Web App Firewall: firewall and connection logs
● SQL Database: database and audit logs
● Kubernetes Service
● Office 365: audit logs and sign-in logs
You can see the full list of data sources HERE.
Azure Sentinel Workbooks

Azure Sentinel provides several ready-to-use templates that you can use to create your own workbooks and then modify them as needed.
Visit the Azure Sentinel GitHub repository for out-of-the-box detections, exploration queries, hunting queries, workbooks, playbooks and more to improve the security of your environment.
● Most of the data connectors in Azure Sentinel come with their own pre-built workbooks.
● You can get better insight into the data being ingested by using tables and visualizations such as bar and pie charts.
● You can also create your own workbooks from scratch instead of using the predefined templates.
From the Workbooks page in Sentinel, you can:
● Add a new workbook
● Review your saved workbooks
● Download workbook templates
Azure Sentinel / M365 Defender

(Slide diagram: Azure Sentinel in the centre, connected to Defender for Endpoint, Defender for Identity, Defender for Office 365, and Microsoft Cloud App Security.)

Microsoft 365 Defender connects easily to Azure Sentinel and provides a purpose-driven user interface to mitigate threats detected by Microsoft 365 Defender.
The Microsoft 365 Defender family of products includes:
● Microsoft Defender for Endpoint
● Microsoft Defender for Identity
● Microsoft Defender for Office 365
● Microsoft Cloud App Security
Once each of these services is connected to Sentinel, any alerts are sent to the SecurityAlert table in Sentinel. From there, you can generate an incident.
Another connector, Microsoft 365 Defender, allows the raw normalized data to be ingested by Azure Sentinel. Currently, only Microsoft Defender for Endpoint data is configurable in the Microsoft 365 Defender connector. You must decide whether you want Microsoft 365 Defender product alerts in Azure Sentinel.
Examples of alerts include:
● A potentially malicious URL click was detected
● Email messages containing malware removed after delivery
● Email messages containing phish URLs removed after delivery
● Email reported by the user as malware or phish
● Suspicious email sending patterns detected
● User restricted from sending email
The Microsoft 365 Defender connector lets you stream advanced hunting logs from Microsoft 365 Defender into Azure Sentinel.
● With the integration of Microsoft Defender for Endpoint into the Microsoft 365 Defender security umbrella, you can use the Microsoft 365 Defender connector to stream your Microsoft Defender for Endpoint advanced hunting events straight into purpose-built tables in Azure Sentinel. The tables are built on the same schema that is used in the Microsoft 365 Defender portal, giving you complete access to the full set of advanced hunting logs and allowing you to do the following:
● Easily copy your Microsoft Defender ATP advanced hunting queries into Azure Sentinel.
● Use the raw event logs to provide more insights for your alerts, hunting, and investigation, and correlate events with data from other data sources in Azure Sentinel.
Azure Sentinel Threat Hunting

The slide groups hunting into four parts: KQL, Built-In Queries, Custom Queries, and Live Streams.

KQL
You can use KQL (Kusto Query Language) in Sentinel to hunt for security threats in your environment. You can filter through large amounts of data and security sources to identify potential threats or track down known and/or expected threats. You can find the Built-In Queries on the Sentinel “Hunting” page.

Azure Sentinel uses the MITRE ATT&CK framework to categorize and order queries by tactics. ATT&CK is a knowledge base of tactics and techniques that are used and observed in the global threat landscape. You can use MITRE ATT&CK to develop your threat-hunting models.

Custom Queries
Refine your threat hunting by using custom queries. You can modify an existing query, display the results in real time, and then save it for further use.

Live Streams
Live streams are based on queries but are presented in real time. You can adjust the streaming options to display only the log info that you care about.

Bookmarks
Bookmarks help you to hunt for threats by saving the queries that you’ve run or identified as relevant. This saves administrative time and improves threat hunting efforts. You can also record your findings and observations by adding notes and tags. Bookmarked data is visible and readily available for you and/or your team.
Azure Sentinel Notebooks

Notebooks come packaged with Azure Sentinel. Some of these notebooks are built for a specific scenario and can be used as-is. Others are samples that are meant to illustrate the techniques and features of Sentinel notebooks.
You can also import/deploy notebooks from the Azure Sentinel Community GitHub.
Notebooks have two components:
1. The browser-based interface where you enter and run queries and code and where the execution results are displayed.
2. The kernel, which is responsible for parsing and executing the code itself.
The Azure Sentinel notebooks make use of many security-focused Python libraries, covering:
● Visualization/graphics
● Data processing/analysis
● Stats & numerical computing
● Machine/deep learning
Azure Sentinel Playbooks

● You can create security playbooks in Sentinel to automatically respond to alerts.
● You create them by using Logic Apps, which run in response to a pre-configured alert.
● You can run these security playbooks manually in response to your investigation of an incident, or you can configure an alert to run them automatically (automation playbook).

A trigger is an event that occurs when a specific set of conditions is satisfied. Triggers activate automatically when conditions are met. For example, a security incident occurs in Azure Sentinel, which is a trigger for an automated action.
An action is an operation that performs a task in the Logic Apps workflow. Actions run when a trigger activates, another action completes, or a condition is met.
Playbooks need to be attached to an analytics rule to automate incident responses. You can use the Automated Response section in the analytics rule to select a playbook to run automatically when the alert is generated.
For more information on how to create analytics rules, see the "Threat detection with Azure Sentinel analytics" module.
Check out a list of sample Azure Sentinel Playbooks HERE.
Azure Sentinel Incident Management: Find and Remediate Security Threats

For example: you recently noticed that a significant number of VMs were deleted from your Azure subscription. Due to a recent alert, you decide to implement an analytics rule to create an incident when someone deletes an existing VM. You can then investigate the incident to determine the details, and close the incident when you're finished.
- Incident management is the process of incident investigation.
- This includes creation, in-depth investigation, and then resolution.
- You can use Sentinel to review detailed incident information, assign an incident owner, set and maintain incident severity, and manage incident status.
Most incidents are generated because of an analytics rule ALERT. Examples of alerts include:
● Detection of suspicious files.
● Detection of suspicious user activities.
● Attempted elevation of privilege.
Analytics rules generate alerts based on either KQL queries or a direct connection to Microsoft security solutions such as Azure Security Center or Microsoft 365 Defender. If you enable alert grouping, Azure Sentinel includes any related alert evidence in the incident.
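The VM-deletion scenario above, worked through as an added example that is not part of the slide deck: the rule's filter step and Sentinel's alert grouping are re-implemented in plain Python so they can be run offline against constructed rows. The rows imitate the AzureActivity table a scheduled rule would query (field names TimeGenerated, Caller, OperationNameValue, ActivityStatusValue, ResourceId); the callers, subscription, resource names and the one-hour grouping window are all assumptions made for the example.

```python
"""Added example, not from the slide deck: the deck's analytics-rule scenario
(raise an incident when someone deletes an existing VM) re-implemented in plain
Python so the rule logic can be run offline against sample rows.

Rows are constructed to look like the AzureActivity table a scheduled rule would
query. A real rule would start from a KQL query along the lines of
    AzureActivity | where OperationNameValue =~ "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE"
and the grouping below stands in for Sentinel's alert grouping. Every value in
SAMPLE_ACTIVITY is made up.
"""
from datetime import datetime, timedelta

# Operation name recorded in Azure Activity logs for a VM delete.
VM_DELETE_OP = "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE"
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"  # placeholder
VM = RG + "/providers/Microsoft.Compute/virtualMachines/"


def _row(ts, caller, op, status, resource):
    return {"TimeGenerated": ts, "Caller": caller, "OperationNameValue": op,
            "ActivityStatusValue": status, "ResourceId": resource}


# Constructed sample rows: two deletions by alice inside one hour, one by bob,
# a failed delete and an unrelated start operation that must be ignored, and a
# later deletion by alice that falls outside the first grouping window.
SAMPLE_ACTIVITY = [
    _row("2024-03-01T09:00:00", "alice@contoso.example", VM_DELETE_OP, "Success", VM + "web01"),
    _row("2024-03-01T09:20:00", "alice@contoso.example", VM_DELETE_OP, "Success", VM + "web02"),
    _row("2024-03-01T09:30:00", "bob@contoso.example", VM_DELETE_OP, "Success", VM + "db01"),
    _row("2024-03-01T09:40:00", "alice@contoso.example", VM_DELETE_OP, "Failure", VM + "web03"),
    _row("2024-03-01T11:00:00", "alice@contoso.example",
         "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION", "Success", VM + "web01"),
    _row("2024-03-01T12:30:00", "alice@contoso.example", VM_DELETE_OP, "Success", VM + "web04"),
]


def vm_deletions(rows):
    """Filter step of the rule: only VM delete operations that succeeded.
    Azure usually logs a start row and a completion row for the same operation,
    so matching on the success status avoids counting one delete twice."""
    return [r for r in rows
            if r["OperationNameValue"].upper() == VM_DELETE_OP
            and r["ActivityStatusValue"].lower() == "success"]


def build_incidents(rows, window=timedelta(hours=1)):
    """Alert grouping: one incident per caller per time window, carrying every
    matching row's resource as evidence. Severity is raised once a single
    identity has deleted more than one VM in the window, the mass-deletion
    case that motivates the deck's scenario."""
    incidents = []
    open_by_caller = {}
    for r in sorted(vm_deletions(rows), key=lambda r: r["TimeGenerated"]):
        ts = datetime.fromisoformat(r["TimeGenerated"])
        inc = open_by_caller.get(r["Caller"])
        if inc is None or ts - inc["first_seen"] > window:
            inc = {"title": f"VM deleted by {r['Caller']}", "caller": r["Caller"],
                   "first_seen": ts, "severity": "Medium", "status": "New",
                   "evidence": []}
            incidents.append(inc)
            open_by_caller[r["Caller"]] = inc
        inc["evidence"].append(r["ResourceId"])
        if len(inc["evidence"]) >= 2:
            inc["severity"] = "High"
    return incidents


if __name__ == "__main__":
    for inc in build_incidents(SAMPLE_ACTIVITY):
        names = [e.rsplit("/", 1)[1] for e in inc["evidence"]]
        print(f"{inc['title']}: severity={inc['severity']} evidence={names}")
```

Running it yields three incidents: a High one for alice (web01 and web02 within the hour), a Medium one for bob, and a second Medium one for alice at 12:30 because it is outside the first window. The failed delete and the start operation never reach an incident, which is the behaviour an analyst wants from the rule's filter.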
Azure Sentinel Logs: Collect the Right Data for Analysis

Use Azure Sentinel connectors to connect your data sources and collect log data. The Data Connectors page displays a growing list of connectors provided by Azure Sentinel.
Examples include:
● Microsoft/Azure services. The connectors for Microsoft and Azure-related services include (but are not limited to):
  - Azure Active Directory: audit logs and sign-in logs. See who is signing in, when, from where, and how by analyzing your sign-in data.
  - Azure AD Identity Protection: further auditing and investigation of privileged accounts and what they’re being used for.
  - Azure Security Center: alerts from Azure Defender solutions.
  - Cloud App Security: see what risks and vulnerabilities are present in your cloud/web apps.
  - Office 365
You can use the Log Analytics Data Collector API to send log data to the Azure Sentinel Log Analytics workspace.
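The Data Collector API call mentioned above, as an added example that is not part of the slide deck: the code builds a signed request (but does not send it, so it runs offline) using the API's SharedKey scheme, in which the Authorization header is an HMAC-SHA256 over the method, body length, content type, x-ms-date and path. The workspace ID, shared key, Log-Type name and the appliance records are constructed placeholders; any HTTP client can POST the returned URL, headers and body. Microsoft has since marked this API as legacy in favour of the Logs ingestion API, but the signing scheme shown is the one it uses.

```python
"""Added example, not from the slide deck: building (but not sending) a request
to the Log Analytics Data Collector API, the HTTP endpoint the deck mentions for
pushing custom log data into the Azure Sentinel workspace.

SAMPLE_WORKSPACE_ID and SAMPLE_SHARED_KEY are constructed placeholders; the real
values come from the workspace's Agents management page, and the shared key must
be handled as a secret (it authorises writes to the workspace).
"""
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"               # path component that is signed
CONTENT_TYPE = "application/json"

SAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"   # placeholder
SAMPLE_SHARED_KEY = base64.b64encode(b"constructed sample key, not a real one").decode()

# Constructed records from a fictional appliance; each becomes one row of the
# custom table (Log-Type plus a _CL suffix) in the workspace.
SAMPLE_RECORDS = [
    {"EventTime": "2024-03-01T09:00:00Z", "Device": "fw-edge-01",
     "Action": "deny", "SrcIp": "203.0.113.7", "DstPort": 3389},
    {"EventTime": "2024-03-01T09:00:05Z", "Device": "fw-edge-01",
     "Action": "allow", "SrcIp": "198.51.100.22", "DstPort": 443},
]


def rfc1123_now(now=None):
    """Value for the x-ms-date header. The service rejects requests whose date
    is too far from its own clock, so generate it at send time, not earlier."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%a, %d %b %Y %H:%M:%S GMT")


def build_signature(workspace_id, shared_key_b64, date, content_length,
                    method="POST", content_type=CONTENT_TYPE, resource=RESOURCE):
    """Authorization header: 'SharedKey <workspace>:<base64(HMAC-SHA256)>'.
    The string-to-sign binds method, body length, content type, date and path,
    so a captured header cannot be reused for a different body or a later day."""
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{date}\n{resource}")
    key = base64.b64decode(shared_key_b64, validate=True)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key_b64, log_type, records,
                  date=None, time_generated_field=None):
    """Return (url, headers, body) ready for an HTTPS POST with any HTTP client.
    log_type names the custom table and may only contain letters, digits and
    underscores (up to 100 characters); the API rejects anything else."""
    if not re.fullmatch(r"[A-Za-z0-9_]{1,100}", log_type):
        raise ValueError(f"invalid Log-Type {log_type!r}")
    body = json.dumps(records).encode("utf-8")
    date = date or rfc1123_now()
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Authorization": build_signature(workspace_id, shared_key_b64, date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": date,
    }
    if time_generated_field:      # otherwise ingestion time becomes TimeGenerated
        headers["time-generated-field"] = time_generated_field
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{RESOURCE}?api-version={API_VERSION}")
    return url, headers, body


if __name__ == "__main__":
    url, headers, body = build_request(SAMPLE_WORKSPACE_ID, SAMPLE_SHARED_KEY,
                                       "ApplianceAudit", SAMPLE_RECORDS,
                                       time_generated_field="EventTime")
    print(url)
    for k, v in headers.items():
        print(f"{k}: {v}")
    print(body.decode())
```

Two points matter operationally: the signature covers the exact byte length of the body, so the body must be serialised once and the same bytes sent, and the x-ms-date must be fresh, which is why the example generates it at request-build time rather than storing it.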

 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 

Azure Sentinel Tips

  • 1. Little About Azure Sentinel
    Azure Sentinel is a cloud-native SIEM used to collect, store, and analyze security-related data. This is done by connecting your data sources to Azure Sentinel, which makes finding threats and anomalies both faster and easier.
    It Analyzes Log Data
    ● Azure Sentinel uses Analytics Rules to generate alerts via Log Analytics.
    It Automates Threat Response
    ● Automation Runbooks can be used to automatically respond to threats and send alerts to administrators when threats are detected.
    It Leverages AI and ML
    ● Built-in machine learning and behavioral analytics help you detect, investigate, and remediate cybersecurity threats.
    It's Customizable
    ● You can create, edit, and customize your own Analytics Rules to detect threats specific to your environment.
  • 2. Azure Sentinel Data Sources (SC-200)
    Connect your data to Azure Sentinel.
    ● AWS/GCP via CloudTrail
    ● Azure Active Directory: audit logs and sign-in logs.
    ● Web App Firewall: firewall and connection logs.
    ● SQL Database Logs: database and audit logs.
    ● Kubernetes Service
    ● Office 365: audit logs and sign-in logs.
    You can see the full list of data sources HERE.
  • 3. Azure Sentinel Workbooks
    Azure Sentinel provides several ready-to-use templates that you can use to create your own Workbooks and then modify them as needed.
    Visit the Azure Sentinel GitHub repository for out-of-the-box detections, exploration queries, hunting queries, workbooks, playbooks and more to improve the security of your environment.
    ● Most of the data connectors in Azure Sentinel come with their own pre-built workbooks.
    ● You can get better insight into the data being ingested by using tables and visualizations such as bar and pie charts.
    ● You can also create your own workbooks from scratch instead of using the predefined templates.
    From the Workbooks page in Sentinel, you can:
    ● Add a new workbook
    ● Review your saved workbooks
    ● Download workbook templates
  • 4. Azure Sentinel / M365 Defender
    Microsoft 365 Defender connects easily to Azure Sentinel and provides a purpose-driven user interface to mitigate threats detected by Microsoft 365 Defender. The Microsoft 365 Defender family of products includes:
    ● Microsoft Defender for Endpoint
    ● Microsoft Defender for Identity
    ● Microsoft Defender for Office 365
    ● Microsoft Cloud App Security
    Once each of these services is connected to Sentinel, any alerts will be sent to the SecurityAlerts table in Sentinel. From there, you can generate an Incident.
    Another connector, Microsoft 365 Defender, allows the raw normalized data to be ingested by Azure Sentinel. Currently, only Microsoft Defender for Endpoint data is configurable in the Microsoft 365 Defender connector.
    You must decide if you want Microsoft 365 Defender product alerts in Azure Sentinel. Examples of alerts include:
    ● A potentially malicious URL click was detected
    ● Email messages containing malware removed after delivery
    ● Email messages containing phish URLs removed after delivery
    ● Email reported by the user as malware or phish
    ● Suspicious email sending patterns detected
    ● User restricted from sending email
    The Microsoft 365 Defender connector lets you stream advanced hunting logs from Microsoft 365 Defender into Azure Sentinel.
    ● With the integration of Microsoft Defender for Endpoint into the Microsoft 365 Defender security umbrella, you can use the Microsoft 365 Defender connector to stream your Microsoft Defender for Endpoint advanced hunting events straight into purpose-built tables in Azure Sentinel.
    The tables are built on the same schema that is used in the Microsoft 365 Defender portal, giving you complete access to the full set of advanced hunting logs and allowing you to do the following:
    ● Easily copy your Microsoft Defender ATP advanced hunting queries into Azure Sentinel.
    ● Use the raw event logs to provide more insights for your alerts, hunting, and investigation, and correlate events with data from other data sources in Azure Sentinel.
  • 5. Azure Sentinel Threat Hunting
    KQL
    You can use KQL (Kusto Query Language) in Sentinel to hunt for security threats in your environment. You can filter through large amounts of data and security sources to identify potential threats or track down known and/or expected threats.
    Built-In Queries
    You can find the built-in queries on the Sentinel "Hunting" page. Azure Sentinel uses the MITRE ATT&CK framework to categorize and order queries by tactics. ATT&CK is a knowledge base of tactics and techniques that are used and observed in the global threat landscape. You can use MITRE ATT&CK to develop your threat-hunting models.
    Custom Queries
    Refine your threat hunting by using custom queries. You can modify an existing query and display the results in real time. You can then save them for further use.
    Live Streams
    Live streams are based on queries but are presented in real time. You can adjust the streaming options to display only the log info that you care about.
    Bookmarks
    Bookmarks help you to hunt for threats by saving the queries that you've run or identified as relevant. This saves administrative time and improves threat-hunting efforts. You can also record your findings and observations by adding notes and tags. Bookmarked data is visible and readily available for you and/or your team.
  • 6. Azure Sentinel Notebooks
    Notebooks come packaged with Azure Sentinel. Some of these notebooks are built for a specific scenario and can be used as-is. Others are samples that are meant to illustrate the techniques and features of Sentinel Notebooks. You can also import/deploy notebooks from the Azure Sentinel Community GitHub.
    Notebooks have two components:
    1. The browser-based interface where you enter and run queries and code and where the execution results are displayed.
    2. The kernel, which is responsible for parsing and executing the code itself.
    The Azure Sentinel notebooks make use of many security-focused Python libraries, including libraries for:
    ● Visualization/Graphics
    ● Data Processing/Analysis
    ● Stats & Numerical Computing
    ● Machine/Deep Learning
  • 7. Azure Sentinel Playbooks
    ● You can create security playbooks in Sentinel to automatically respond to alerts.
    ● You create them by using Logic Apps, which run in response to a pre-configured alert.
    ● You can run these security playbooks manually in response to your investigation of an incident, or you can configure an alert to run them automatically (automation playbook).
    A trigger is an event that occurs when a specific set of conditions is satisfied. Triggers activate automatically when conditions are met. For example, a security incident occurs in Azure Sentinel, which is a trigger for an automated action.
    An action is an operation that performs a task in the Logic Apps workflow. Actions run when a trigger activates, another action completes, or a condition is met.
    Playbooks need to be attached to an analytics rule to automate incident responses. You can use the Automated Response section in the analytics rule to select a playbook to run automatically when the alert is generated. For more information on how to create an analytics rule, see the "Threat detection with Azure Sentinel analytics" module.
    Check out a list of sample Azure Sentinel Playbooks HERE.
  • 8. Azure Sentinel Incident Management
    Find and Remediate Security Threats
    For example: you recently noticed that a significant number of VMs were deleted from your Azure subscription. Due to a recent alert, you decide to implement an analytics rule to create an incident when someone deletes an existing VM. You can then investigate the incident to determine the details, and close the incident when you're finished.
    - Incident management is the process of incident investigation.
    - This includes creation, in-depth investigation, and then resolution.
    - You can use Sentinel to review detailed incident information, assign an incident owner, set and maintain incident severity, and manage incident status.
    Most incidents are generated because of an analytics rule ALERT. Examples of alerts include:
    ● Detection of suspicious files.
    ● Detection of suspicious user activities.
    ● Attempted elevation of privilege.
    Analytics rules generate alerts based on either KQL queries or a direct connection to Microsoft security solutions such as Azure Security Center or Microsoft Defender 365. If you enable alert grouping, Azure Sentinel includes any related alert evidence for the incident.
  • 9. Azure Sentinel Logs
    Collect the right data for analysis. Use Azure Sentinel connectors to connect your data sources and collect log data. The Data Connectors page displays a growing list of connectors provided by Azure Sentinel. Examples include:
    ● Microsoft/Azure Services - the connectors for Microsoft and Azure-related services include (but are not limited to):
      ● Azure Active Directory - audit logs and sign-in logs - see who is signing in, when, from where, and how by analyzing your sign-in data.
      ● Azure AD Identity Protection - further auditing and investigation of privileged accounts and what they're being used for.
      ● Azure Security Center - alerts from Azure Defender solutions.
      ● Cloud App Security - see what risks and vulnerabilities are present in your cloud/web apps.
      ● Office 365
    You can use the Log Analytics Data Collector API to send log data to the Azure Sentinel Log Analytics workspace.
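To show what sending custom log data through the Data Collector API mentioned above actually involves, here is an added Python example (not code from the slide deck or from Microsoft) that builds the request and its SharedKey HMAC-SHA256 authorization header, and checks such a header the way the receiving side would. The workspace ID, shared key and log records are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholders: a real workspace ID and primary key come from the workspace's Agents page.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"placeholder-shared-key-bytes").decode()  # keys are handed out base64-encoded
LOG_TYPE = "SentinelTipsDemo"  # lands in the custom table SentinelTipsDemo_CL

# Constructed sample records; each becomes one row in the custom table.
SAMPLE_RECORDS = [
    {"Computer": "web01", "EventSource": "custom-app", "Severity": "High", "Message": "5 failed admin logins"},
    {"Computer": "web02", "EventSource": "custom-app", "Severity": "Low", "Message": "config reloaded"},
]


def string_to_sign(content_length, rfc1123_date):
    """Canonical string the API signs: method, body length, content type, date header, resource path."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"


def build_signature(shared_key_b64, content_length, rfc1123_date):
    """HMAC-SHA256 over the canonical string, keyed with the decoded workspace key, base64-encoded."""
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign(content_length, rfc1123_date).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_request(workspace_id, shared_key_b64, log_type, records, rfc1123_date=None):
    """Return (url, headers, body) ready for an HTTPS POST; the date is fixed so the caller can reproduce it."""
    body = json.dumps(records).encode("utf-8")
    if rfc1123_date is None:
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    signature = build_signature(shared_key_b64, len(body), rfc1123_date)
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"SharedKey {workspace_id}:{signature}",
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body


def verify_request(shared_key_b64, headers, body):
    """Receiver-side check: recompute the signature over the body and date actually received."""
    expected = build_signature(shared_key_b64, len(body), headers["x-ms-date"])
    presented = headers["Authorization"].split(":", 1)[1]
    return hmac.compare_digest(expected, presented)  # constant-time compare; any body or date change fails
```

Because the body length and the date are part of the signed string, a replayed or modified request fails verification; Microsoft has since superseded this API with the Azure Monitor Logs Ingestion API, but this is the signing scheme the Data Collector API expects.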