
Azure Sentinel Level 400

Module 1: Technical Overview

In this module you will learn:
• Overview: what Azure Sentinel is, its key advantages and core features.

Pre-requisites:
• None. Start here.
A cloud SIEM: for the cloud, and for on-premises Security Operations Teams
Cloud + Artificial Intelligence

• Delivers instant value to your defenders
• Scales to support your growing digital estate
• Uses AI and automation to improve effectiveness
No-brainer Advantages

A SIEM native to the cloud:
• Auto-scales
• Easy collection from cloud sources
• Avoid sending cloud telemetry downstream
• Key log sources are free

But there is more!
• DevOps deployment and enforcement
• Distributed
• Cloud-native schema
Microsoft Security Advantage
▪ $1B
▪ 3500+
▪ Trillions of
Collect · Detect · Investigate · Respond
Visibility · Analytics · Hunting · Incidents · Automation

Collection
Collect security data at cloud scale from any source

Sources feeding Azure Sentinel:
• AWS, other clouds
• Customer’s tenant & SaaS apps
• On premises: CEF/Syslog connector, (optional) collector proxy, custom connectors
• Branch office: CEF or Syslog connector, WEF/WEC agents, Logstash connector

Transport: HTTPS; Syslog (TLS, TCP, UDP); agents collect OS events, DNS, Windows FW, DHCP

Azure Sentinel components: data store, automation, user interface, rules, machine learning, search & investigation

Collection topics:
• The Syslog and CEF grand list
• Collecting logs from Microsoft Services & Apps
• The Agent: collecting from on-prem and IaaS servers
• Custom Connectors
Visualization
• Choose from a gallery of workbooks
• Customize or create your own workbooks using queries
• Take advantage of rich visualization options
• Gain insight into one or more data sources
Analytics
• Choose from more than 100 built-in analytics rules
• Customize and create your own rules using KQL queries
• Correlate events with your threat intelligence, and now with Microsoft URL intelligence
• Trigger automated playbooks

• Use built-in models – no ML experience required
• Detects anomalies using transferred learning
• Fuses data sources to detect threats that span the kill chain
• Simply connect your data and learning begins
• Bring your own ML models (coming soon)
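As an added example (not part of the deck), the kind of custom KQL analytics rule the bullets above describe: CEF firewall events in the standard CommonSecurityLog table are correlated with active IP indicators in the standard ThreatIntelligenceIndicator table, and the matches are mapped to IP and URL entities so the resulting incident can be investigated. The 1-hour lookback is an assumption chosen to match a scheduled rule's run frequency.

```kql
// Added example: scheduled analytics rule matching CEF destination IPs against
// active IP threat-intelligence indicators. Assumes the CEF/Syslog connector and
// a threat-intelligence connector are populating the standard Sentinel tables.
let lookback = 1h;      // assumed to equal the rule's scheduled run frequency
let ti_window = 14d;    // how far back to look for indicator records
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ti_window)
| summarize arg_max(TimeGenerated, *) by IndicatorId   // newest version of each indicator
| where Active == true and ExpirationDateTime > now()  // drop retired or expired indicators
| where isnotempty(NetworkIP)
| join kind=innerunique (
    CommonSecurityLog
    | where TimeGenerated >= ago(lookback)
    | where isnotempty(DestinationIP)
    | project EventTime = TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction,
              SourceIP, DestinationIP, DestinationPort, RequestURL
  ) on $left.NetworkIP == $right.DestinationIP
| project EventTime, DeviceVendor, DeviceProduct, DeviceAction,
          SourceIP, DestinationIP, DestinationPort, RequestURL,
          ThreatType, ConfidenceScore, Description, IndicatorId
// Entity mapping: the incident created by the rule carries IP and URL entities
| extend IPCustomEntity = DestinationIP, URLCustomEntity = RequestURL
```

Low-confidence indicators can be filtered by adding a ConfidenceScore threshold before the join; the threshold is a tuning decision for the environment, not a fixed value.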


Incidents
• Use incidents to collect related alerts, events, and bookmarks
• Manage assignments and track status
• Add tags and comments
• Integrate with your ticketing system

Investigation:
• Navigate the relationships between related alerts, bookmarks, and entities
• Expand the scope using exploration queries
• View a timeline of related alerts, events, and bookmarks
• Gain deep insights into related entities – users, domains, and more

URL entities:
• Configure URL entities in analytics rules
• Automatically trigger URL detonation
• Enrich alerts with verdicts, final URLs and screenshots (e.g. for phishing sites)
Hunting
• Run built-in threat hunting queries - no prior query experience required
• Customize and create your own hunting queries using KQL
• Integrate hunting and investigations
• Search using free text or fields
• Tabulate your data
• Visualize query results
• Automatically detect and plot anomalies in data
• Bookmark notable data
• Start an investigation from a bookmark or add to an existing incident
• Monitor a live stream of new threat-related activity

• Run in the Azure cloud
• Save as sharable HTML/JSON
• Query Azure Sentinel data
• Bring external data sources
• Use your language of choice - Python, SQL, KQL, R, …
Automation
• Build automated and scalable playbooks that integrate across tools
• Choose from a library of samples
• Create your own playbooks using 200+ built-in connectors
• Trigger a playbook from an alert or incident investigation

Playbook examples by category:

Incident Management
• Assign an Incident to an Analyst
• Open a Ticket (ServiceNow/Jira)
• Keep Incident Status in Sync
• Post in a Teams or Slack Channel

Enrichment + Investigation
• Lookup Geo for an IP
• Trigger Defender ATP Investigation
• Send Validation Email to User

Remediation
• Block an IP Address
• Block User Access
• Trigger Conditional Access
• Isolate Machine

Getting started: Start Microsoft Azure trial → Create Azure Sentinel instance → Connect data sources

To learn more, visit https://aka.ms/AzureSentinel

Tech Community · User Voice · Webinars · Github · Tech Blogs

AzureSentinel@microsoft.com
