Book Image

Microsoft Sentinel in Action - Second Edition

By : Richard Diver, Gary Bushey, John Perkins

Book Image

Microsoft Sentinel in Action - Second Edition

By: Richard Diver, Gary Bushey, John Perkins

Overview of this book

Microsoft Sentinel is a security information and event management (SIEM) tool developed by Microsoft that helps you integrate cloud security and artificial intelligence (AI). This book will teach you how to implement Microsoft Sentinel and understand how it can help detect security incidents in your environment with integrated AI, threat analysis, and built-in and community-driven logic. The first part of this book will introduce you to Microsoft Sentinel and Log Analytics, then move on to understanding data collection and management, as well as how to create effective Microsoft Sentinel queries to detect anomalous behaviors and activity patterns. The next part will focus on useful features, such as entity behavior analytics and Microsoft Sentinel playbooks, along with exploring the new bi-directional connector for ServiceNow. In the next part, you’ll be learning how to develop solutions that automate responses needed to handle security incidents and find out more about the latest developments in security, techniques to enhance your cloud security architecture, and explore how you can contribute to the security community. By the end of this book, you’ll have learned how to implement Microsoft Sentinel to fit your needs and protect your environment from cyber threats and other security issues.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Share Your Thoughts

Section 1: Design and Implementation

Section 1: Design and Implementation

Free Chapter

Chapter 1: Getting Started with Microsoft Sentinel

Chapter 1: Getting Started with Microsoft Sentinel

The current cloud security landscape

The cloud security reference framework

SOC platform components

Mapping the SOC architecture

Security solution integrations

Cloud platform integrations

Private infrastructure integrations

Service pricing for Microsoft Sentinel

Scenario mapping

Further reading

Chapter 2: Azure Monitor – Introduction to Log Analytics

Chapter 2: Azure Monitor – Introduction to Log Analytics

Technical requirements

Introduction to Azure Monitor Log Analytics

Creating a workspace using the portal

Creating a workspace using PowerShell or the CLI

Managing permissions for the workspace

Enabling Microsoft Sentinel

Exploring the Microsoft Sentinel Overview page

Connecting your first data source

Advanced settings for Log Analytics

Further reading

Section 2: Data Connectors, Management, and Queries

Section 2: Data Connectors, Management, and Queries

Chapter 3: Managing and Collecting Data

Chapter 3: Managing and Collecting Data

Choosing data that matters

Understanding connectors

Configuring Microsoft Sentinel connectors

Configuring Log Analytics storage options

Reviewing alternative storage options

Further reading

Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel

Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel

Introduction to TI

Understanding STIX and TAXII

Choosing the right intel feeds for your needs

Implementing TI connectors

Further reading

Chapter 5: Using the Kusto Query Language (KQL)

Chapter 5: Using the Kusto Query Language (KQL)

Running KQL queries

Introduction to KQL commands

Query statements

Scalar functions

String operators

Further reading

Chapter 6: Microsoft Sentinel Logs and Writing Queries

Chapter 6: Microsoft Sentinel Logs and Writing Queries

An introduction to the Microsoft Sentinel Logs page

Navigating through the Logs page

Writing a query

Further reading

Section 3: Security Threat Hunting

Section 3: Security Threat Hunting

Chapter 7: Creating Analytic Rules

Chapter 7: Creating Analytic Rules

An introduction to Microsoft Sentinel Analytics

Creating an analytic rule

Managing analytic rules

Further reading

Chapter 8: Creating and Using Workbooks

Chapter 8: Creating and Using Workbooks

An overview of the Workbooks page

Walking through an existing workbook

Creating workbooks

Editing a workbook

Managing workbooks

Workbook step types

Further reading

Chapter 9: Incident Management

Chapter 9: Incident Management

Using the Microsoft Sentinel Incidents page

Exploring the full details page

Investigating an incident

Further reading

Chapter 10: Configuring and Using Entity Behavior

Chapter 10: Configuring and Using Entity Behavior

Introduction to Microsoft Sentinel Entity behavior

Enabling Entity behavior

Overview of the Entity behavior page

Overview of the Entity behavior details page

Creating Entity behavior queries

Further reading

Chapter 11: Threat Hunting in Microsoft Sentinel

Chapter 11: Threat Hunting in Microsoft Sentinel

Introducing the Microsoft Sentinel Hunting page

Working with Microsoft Sentinel hunting queries

Working with livestream

Working with bookmarks

Using Microsoft Sentinel notebooks

Creating a workspace

Performing a hunt

Further reading

Section 4: Integration and Automation

Section 4: Integration and Automation

Chapter 12: Creating Playbooks and Automation

Chapter 12: Creating Playbooks and Automation

Introduction to Microsoft Sentinel playbooks

Introduction to Microsoft Sentinel Automation

Adding a new automation rule

Playbook pricing

Types of playbooks

Overview of the Microsoft Sentinel connector

Exploring the Playbooks tab

Logic app settings page

Creating a new playbook

Using the Logic Apps Designer page

Creating a simple Microsoft Sentinel playbook

Further reading

Chapter 13: ServiceNow Integration for Alert and Case Management

Chapter 13: ServiceNow Integration for Alert and Case Management

A brief history of Microsoft Sentinel and ServiceNow integration

Steps to integrate Microsoft Sentinel with ServiceNow

Section 5: Operational Guidance

Section 5: Operational Guidance

Chapter 14: Operational Tasks for Microsoft Sentinel

Chapter 14: Operational Tasks for Microsoft Sentinel

Dividing SOC duties

Operational tasks for SOC engineers

Operational tasks for SOC analysts

Chapter 15: Constant Learning and Community Contribution

Chapter 15: Constant Learning and Community Contribution

Official resources from Microsoft

Resources for SOC operations

Specific components and supporting technologies

Assessments

Other Books You May Enjoy

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

SOC platform components

As described earlier, the SOC platform includes a range of technologies to assist with the proactive and reactive procedures carried out by various teams. Each of these solutions should help the SOC analysts to perform their duties at the most efficient level to ensure a high degree of protection, detection, and remediation.

The core components of the SOC include log management and SIEM, SOAR, vulnerability management, threat intelligence, and incident response. All these components are addressed by the deployment of Microsoft Sentinel. Additional solutions will be required, and integrated, for other SOC platform capabilities such as intrusion prevention/detection, file integrity monitoring, and disaster recovery.

An SOC deployment using Microsoft Sentinel comprises the following components:

Azure Monitor Log Analytics workspaces are created for data collection and analysis. These were originally created to ensure a cloud-scale log management solution for both cloud-based and physical data center-based workloads. Once the data is collected, a range of solutions can then be applied to analyze the data for health, performance, and security considerations. Some solutions were created by Microsoft, and others were created by partners.
Microsoft Sentinel was developed to address the need for a cloud-native solution as an alternative to existing server-based SIEM solutions that have become a mainstay of security and compliance over the last decade. Microsoft Sentinel is built upon the existing services of Azure Monitor and Log Analytics. It is also integrated with other services such as Logic Apps and Azure Data Explorer.
The popularity of cloud services provides some key advantages, including reduced storage costs, rapid scale compute, automated service maintenance, and continuous improvement as Microsoft creates new capabilities based on customer and partner feedback.
One of the immediate benefits of deploying Microsoft Sentinel is rapid enablement without the need for costly investment in the supporting infrastructure, such as servers, storage, and complex licensing. The Microsoft Sentinel service is charged based on data consumption, per gigabyte per month. This allows the initial deployment to start small and grow as needed until full-scale deployment and maturity can be achieved.
Ongoing maintenance is also simplified as there are no servers to maintain or licenses to renew. You will want to ensure regular optimization of the solution by reviewing the data ingestion and retention for relevance and suitability. This will keep costs reasonable and improve the quality of data used for threat hunting.
Logic Apps provides integration with a vast array of enterprise solutions, ensuring workflows are connected across the multiple cloud platforms and to existing on-premises solutions. This is a core part of the integration and automation (SOAR) capabilities of the platform.

Logic Apps is a standards-based solution that provides a robust set of capabilities. You can also use third-party SOAR solutions if you have already invested in one of those platforms.

The SOC platform components are a starting point, but there may be several other services you will want to deploy in your SOC implementation. In the next section, we will look at an approach to mapping the SOC architecture's current state and requirements.