09 March Azure Sentinel

Uploaded by Sitaram Joshi

Good morning and welcome to Microsoft's Drumbeat Session on Modernizing Security Operations

With: Jatinder Kumar


20 years & over 300+ Ent project exp. | MBA (University Topper - UK) | AWS Architect | Azure Specialist | MCSE x 3 | MCT | RHCE | CCNA | CCNP | Palo Alto … and I guess few more………

LinkedIn: https://www.linkedin.com/in/kjatin/
Agenda

A. Current challenges of Security Operations
B. What Microsoft is doing to solve it
   • Introduction to SIEM
   • Data collection, detection, investigation and response

Time: 10am-5pm
Quiz winners: branded Microsoft water bottle (5 people, 5 questions)
Lab winner: Microsoft jacket
Current Challenges Faced by SecOps Teams

• Skills shortage / limited staff
• Budget availability
• Lack of documented processes
• Uncertainty about the mission
• Pinning hope on technology
• New technology (source: The Projected Total Economic Impact™ Of The Microsoft Teams Platform, a Forrester Consulting study commissioned by Microsoft, June 2020)
Technical Overview: SIEM / SEM / SIM

Overview
• In this module you will learn what Azure Sentinel is, its key advantages and core features.

Pre-requisites
None. Start here.
A cloud SIEM: for the cloud and for on-premises

• Delivers instant value to your defenders
• Scales to support your growing digital estate
• Uses AI and automation to improve effectiveness

A SIEM native to the cloud

No-brainer advantages:
• Auto-scales
• Easy collection from cloud sources
• Key log sources are free

But there is more!
• DevOps deployment and enforcement
• Distributed
• Cloud-native schema

Microsoft Security Advantage
▪ $1B
▪ 3500+
▪ Trillions of

Lifecycle: Collect, Detect, Investigate, Respond
Capabilities: Visibility, Analytics, Hunting, Incidents, Automation


Collection

Collect security data at cloud scale from any source.

Diagram: Azure Sentinel (data store, automation, user interface, rules, machine learning, search & investigation) ingests from AWS and other clouds, the customer's tenant and SaaS apps, and on-premises sources. On-premises paths shown: a CEF/Syslog connector with an optional collector proxy, custom connectors over HTTPS, a branch-office CEF or Syslog connector, a Logstash connector, and Windows Event Forwarding (WEF/WEC) agents. Syslog is accepted over TLS, TCP or UDP; the agent collects OS events, DNS, Windows Firewall and DHCP logs.

Topics:
• The Syslog and CEF grand list
• Collecting logs from Microsoft services & apps
• The agent: collecting from on-prem and IaaS servers
• Custom connectors
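The CEF/Syslog path in the diagram delivers lines of the form "<pri>timestamp host CEF:0|vendor|product|version|signatureID|name|severity|key=value ...", which the connector lands in the CommonSecurityLog table. The parser below is an added example written for this page, not Microsoft's connector code: it splits the pipe-delimited header while honouring the "\|" and "\\" escapes, tokenizes the key=value extension (values may contain spaces and escaped "="), and projects the result onto CommonSecurityLog-style column names. The two input lines are constructed, the vendor, product and rule names in them are invented, and the word-to-number severity mapping is my own assumption.

```python
import re
from dataclasses import dataclass, field

# CommonSecurityLog column names for the CEF extension keys mapped here (a subset).
CEF_TO_COMMON = {
    "src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort", "dpt": "DestinationPort",
    "act": "DeviceAction", "msg": "Message", "rt": "ReceiptTime",
    "suser": "SourceUserName", "duser": "DestinationUserName",
}
# Assumption: word severities are mapped to one representative value of the CEF 0-10 range.
_SEVERITY_WORDS = {"low": 1, "medium": 5, "high": 8, "very-high": 10}
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")   # an unescaped "key=" token
_ESC = re.compile(r"\\(.)", re.S)                  # backslash escapes inside values


@dataclass
class CefEvent:
    syslog_header: str      # "<pri>timestamp host" in front of "CEF:"
    cef_version: str
    device_vendor: str
    device_product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extensions: dict = field(default_factory=dict)

    def common_fields(self) -> dict:
        """Project onto CommonSecurityLog-style columns; unmapped keys keep their CEF name."""
        out = {"DeviceVendor": self.device_vendor, "DeviceProduct": self.device_product,
               "DeviceVersion": self.device_version, "DeviceEventClassID": self.signature_id,
               "Activity": self.name, "LogSeverity": self.severity}
        for key, value in self.extensions.items():
            out[CEF_TO_COMMON.get(key, key)] = value
        return out


def _split_header(text: str):
    """Split the seven '|'-delimited header fields, honouring '\\|' and '\\\\' escapes.
    Returns (fields, extension_text)."""
    fields, buf, i = [], [], 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            buf.append(text[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
            if len(fields) == 7:            # everything after the 7th '|' is the extension
                return fields, text[i + 1:]
        else:
            buf.append(c)
        i += 1
    if len(fields) == 6:                    # severity was the last field, no extension
        return fields + ["".join(buf)], ""
    raise ValueError("CEF header has fewer than 7 fields")


def _unescape(value: str) -> str:
    return _ESC.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> dict:
    """key=value pairs; values may contain spaces, and '=' or '\\' inside them are escaped."""
    keys = list(_KEY.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end]).strip()
    return out


def _severity(raw: str) -> int:
    raw = raw.strip()
    if raw.isdigit():
        return int(raw)
    if raw.lower() in _SEVERITY_WORDS:
        return _SEVERITY_WORDS[raw.lower()]
    raise ValueError(f"unknown CEF severity {raw!r}")


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog-wrapped CEF line as the connector would receive it."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    fields, ext = _split_header(line[idx:].rstrip("\r\n"))
    return CefEvent(line[:idx].strip(), fields[0][len("CEF:"):], fields[1], fields[2],
                    fields[3], fields[4], fields[5], _severity(fields[6]), _parse_extension(ext))


# Constructed sample lines (not real device output): a PAN-OS-style deny with an escaped '='
# in msg, and a generic IDS alert with an escaped '|' in the name and a word severity.
SAMPLE_LINES = [
    "<14>Mar 09 10:15:42 pa-fw-01 CEF:0|Palo Alto Networks|PAN-OS|9.1.0|TRAFFIC|deny|3|"
    "rt=Mar 09 2021 10:15:41 src=10.1.2.3 dst=203.0.113.7 spt=51234 dpt=443 act=deny "
    "msg=Blocked outbound TLS, rule\\=block-c2 cs1Label=Rule cs1=block-c2",
    "<13>Mar 09 10:16:05 ids-01 CEF:0|ExampleVendor|ExampleIDS|2.0|1001|Port scan \\| sweep|High|"
    "src=198.51.100.23 dst=10.1.2.0 cnt=250 msg=Horizontal scan\\nmultiple hosts",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_cef(line).common_fields())
```

Two practical caveats go with this path: validate lines on the collector so a device that emits malformed CEF fails loudly instead of landing rows with empty columns, and of the three transports listed in the diagram prefer TLS, since plain UDP syslog is unauthenticated and silently drops under load.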
Visualization

• Choose from a gallery of workbooks
• Customize or create your own workbooks using queries
• Take advantage of rich visualization options
• Gain insight into one or more data sources
Analytics

• Choose from more than 100 built-in analytics rules
• Customize and create your own rules using KQL queries
• Correlate events with your threat intelligence, and now with Microsoft URL intelligence
• Trigger automated playbooks

Machine learning
• Use built-in models: no ML experience required
• Detects anomalies using transfer learning
• Fuses data sources to detect threats that span the kill chain
• Simply connect your data and learning begins
• Bring your own ML models (coming soon)
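To make "customize and create your own rules using KQL" and "detect threats that span the kill chain" concrete, here is an added example written for this page (not Microsoft's rule logic) that implements two detections over SigninLogs-shaped rows: a fixed-window failed-logon burst, which mirrors the KQL quoted in its docstring, and a correlation that fires only when a sign-in from the same IP later succeeds. The account names, IP addresses and the rows carrying the 50126 error code are constructed sample data; the Rule/IPAddress/Account keys of the returned dictionaries are my own output shape, not Sentinel's alert schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rows shaped like Azure AD SigninLogs (not real telemetry).
# ResultType "0" is success; "50126" is "invalid username or password".
T0 = datetime(2021, 3, 9, 9, 0, 0)


def _row(minute, user, ip, result):
    return {"TimeGenerated": T0 + timedelta(minutes=minute), "UserPrincipalName": user,
            "IPAddress": ip, "ResultType": result}


ATTACKER, INTERNAL = "198.51.100.23", "10.0.0.5"
SIGNIN_LOGS = [
    _row(1, "alice@contoso.com", ATTACKER, "50126"), _row(1, "bob@contoso.com", ATTACKER, "50126"),
    _row(2, "carol@contoso.com", ATTACKER, "50126"), _row(3, "alice@contoso.com", ATTACKER, "50126"),
    _row(4, "bob@contoso.com", ATTACKER, "50126"), _row(5, "alice@contoso.com", ATTACKER, "50126"),
    _row(6, "dave@contoso.com", ATTACKER, "50126"),
    _row(8, "alice@contoso.com", ATTACKER, "0"),          # the spray lands on alice
    _row(2, "erin@contoso.com", INTERNAL, "50126"),       # benign typos, far apart
    _row(30, "erin@contoso.com", INTERNAL, "50126"),
    _row(31, "erin@contoso.com", INTERNAL, "0"),
]


def bin_time(ts: datetime, size: timedelta) -> datetime:
    """KQL bin(): floor ts to a multiple of size."""
    return datetime.min + ((ts - datetime.min) // size) * size


def failed_logon_bursts(rows, window=timedelta(minutes=10), threshold=5):
    """Scheduled analytics rule logic, equivalent to this KQL:
        SigninLogs
        | where ResultType != "0"
        | summarize FailedCount = count(), Accounts = make_set(UserPrincipalName)
            by IPAddress, Window = bin(TimeGenerated, 10m)
        | where FailedCount >= 5
    Each result row becomes an alert with IP and Account entities."""
    buckets = defaultdict(list)
    for r in rows:
        if r["ResultType"] != "0":
            key = (r["IPAddress"], bin_time(r["TimeGenerated"], window))
            buckets[key].append(r["UserPrincipalName"])
    return [{"Rule": "FailedLogonBurst", "IPAddress": ip, "Window": start,
             "FailedCount": len(users), "Accounts": sorted(set(users))}
            for (ip, start), users in sorted(buckets.items()) if len(users) >= threshold]


def success_after_burst(rows, lookback=timedelta(minutes=30), threshold=5):
    """Correlation across the kill chain: a successful sign-in from an IP that produced at
    least `threshold` failures in the preceding `lookback` (a spray that landed).
    This is the higher-fidelity alert; the burst alone is mostly noise."""
    ordered = sorted(rows, key=lambda r: r["TimeGenerated"])
    alerts = []
    for i, r in enumerate(ordered):
        if r["ResultType"] != "0":
            continue
        since = r["TimeGenerated"] - lookback
        prior = [p for p in ordered[:i] if p["IPAddress"] == r["IPAddress"]
                 and p["ResultType"] != "0" and p["TimeGenerated"] >= since]
        if len(prior) >= threshold:
            alerts.append({"Rule": "SuccessAfterFailedBurst", "IPAddress": r["IPAddress"],
                           "Account": r["UserPrincipalName"], "FailedCount": len(prior),
                           "TargetedAccounts": sorted({p["UserPrincipalName"] for p in prior})})
    return alerts


if __name__ == "__main__":
    for alert in failed_logon_bursts(SIGNIN_LOGS) + success_after_burst(SIGNIN_LOGS):
        print(alert)
```

A rule that buckets with bin() splits a burst that straddles a bucket boundary, so schedule it with a lookback longer than the window, or use the sliding lookback that success_after_burst uses; and map IPAddress and Account to the rule's entity mappings so the incident graph links the two alerts.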


Incidents

• Use incidents to collect related alerts, events, and bookmarks
• Manage assignments and track status
• Add tags and comments
• Integrate with your ticketing system

Investigation
• Navigate the relationships between related alerts, bookmarks, and entities
• Expand the scope using exploration queries
• View a timeline of related alerts, events, and bookmarks
• Gain deep insights into related entities: users, domains, and more

URL detonation
• Configure URL entities in analytics rules
• Automatically trigger URL detonation
• Enrich alerts with verdicts, final URLs and screenshots (e.g. for phishing sites)
Hunting

• Run built-in threat hunting queries: no prior query experience required
• Customize and create your own hunting queries using KQL
• Integrate hunting and investigations
• Search using free text or fields
• Tabulate your data
• Visualize query results
• Automatically detect and plot anomalies in data
• Bookmark notable data
• Start an investigation from a bookmark or add to an existing incident
• Monitor a live stream of new threat-related activity

Notebooks
• Run in the Azure cloud
• Save as sharable HTML/JSON
• Query Azure Sentinel data
• Bring external data sources
• Use your language of choice: Python, SQL, KQL, R, …
Automation

• Build automated and scalable playbooks that integrate across tools
• Choose from a library of samples
• Create your own playbooks using 200+ built-in connectors
• Trigger a playbook from an alert or incident investigation

Playbook examples

Incident management:
• Assign an incident to an analyst
• Open a ticket (ServiceNow/Jira)
• Keep incident status in sync
• Post in a Teams or Slack channel

Enrichment + investigation:
• Look up geo for an IP
• Trigger Defender ATP investigation
• Send validation email to user

Remediation:
• Block an IP address
• Block user access
• Trigger Conditional Access
• Isolate machine
Get started
1. Start Microsoft Azure trial
2. Create Azure Sentinel instance
3. Connect data sources

To learn more, visit https://aka.ms/AzureSentinel

Resources: Tech Community, Webinars, User Voice, GitHub, Tech Blogs, AzureSentinel@microsoft.com

• https://techcommunity.microsoft.com/t5/azure-sentinel/help-for-security-operations-centers-facing-new-challenges/ba-p/1278903
• https://www.microsoft.com/security/blog/security-operations/
• https://blog.johnjoyner.net/using-azure-sentinel-how-much-does-it-cost/
• https://docs.microsoft.com/en-us/azure/sentinel/overview
• https://github.com/Azure/Azure-Sentinel
• Videos:
  • https://www.youtube.com/watch?v=2RuMhCmva4E (Part 1)
  • https://www.youtube.com/watch?v=DqUeQFgue-M (Part 2)
  • https://www.youtube.com/watch?v=rBPfDUOqkQo&t (Part 3)
  • https://youtu.be/EA-6YbU5qss (Demo)
