Book Image

Microsoft Sentinel in Action - Second Edition

By : Richard Diver, Gary Bushey, John Perkins
Book Image

Microsoft Sentinel in Action - Second Edition

By: Richard Diver, Gary Bushey, John Perkins

Overview of this book

Microsoft Sentinel is a security information and event management (SIEM) tool developed by Microsoft that helps you integrate cloud security and artificial intelligence (AI). This book will teach you how to implement Microsoft Sentinel and understand how it can help detect security incidents in your environment with integrated AI, threat analysis, and built-in and community-driven logic. The first part of this book will introduce you to Microsoft Sentinel and Log Analytics, then move on to understanding data collection and management, as well as how to create effective Microsoft Sentinel queries to detect anomalous behaviors and activity patterns. The next part will focus on useful features, such as entity behavior analytics and Microsoft Sentinel playbooks, along with exploring the new bi-directional connector for ServiceNow. In the next part, you’ll be learning how to develop solutions that automate responses needed to handle security incidents and find out more about the latest developments in security, techniques to enhance your cloud security architecture, and explore how you can contribute to the security community. By the end of this book, you’ll have learned how to implement Microsoft Sentinel to fit your needs and protect your environment from cyber threats and other security issues.
Table of Contents (23 chapters)
1
Section 1: Design and Implementation
4
Section 2: Data Connectors, Management, and Queries
9
Section 3: Security Threat Hunting
15
Section 4: Integration and Automation
18
Section 5: Operational Guidance

Chapter 13: ServiceNow Integration for Alert and Case Management

Microsoft Sentinel is a powerful solution for gathering logs, enriching those logs with threat intelligence, and discovering threats across your environment. However, this is only part of the technology stack required to run a Security Operations Center (SOC). When a security alert is raised in Microsoft Sentinel, the SOC may need assistance from several other teams to investigate the issue, mitigate the threat, and remediate any impact caused. There also may be other security alert sources that do not flow through Sentinel and the SOC needs to correlate those alerts with Sentinel alerts before processing all the alerts in one location. Organizations require a solution to bridge these people and technologies together.

There are multiple solutions available for this bridging of SOC technologies and processes, with JIRA, ZenDesk, and ServiceNow being among the more commonly utilized solutions.

This chapter will...