Book Image

Microsoft Sentinel in Action - Second Edition

By : Richard Diver, Gary Bushey, John Perkins
Book Image

Microsoft Sentinel in Action - Second Edition

By: Richard Diver, Gary Bushey, John Perkins

Overview of this book

Microsoft Sentinel is a security information and event management (SIEM) tool developed by Microsoft that helps you integrate cloud security and artificial intelligence (AI). This book will teach you how to implement Microsoft Sentinel and understand how it can help detect security incidents in your environment with integrated AI, threat analysis, and built-in and community-driven logic. The first part of this book will introduce you to Microsoft Sentinel and Log Analytics, then move on to understanding data collection and management, as well as how to create effective Microsoft Sentinel queries to detect anomalous behaviors and activity patterns. The next part will focus on useful features, such as entity behavior analytics and Microsoft Sentinel playbooks, along with exploring the new bi-directional connector for ServiceNow. In the next part, you’ll be learning how to develop solutions that automate responses needed to handle security incidents and find out more about the latest developments in security, techniques to enhance your cloud security architecture, and explore how you can contribute to the security community. By the end of this book, you’ll have learned how to implement Microsoft Sentinel to fit your needs and protect your environment from cyber threats and other security issues.

Related Content you might be interested in

Current Title:

Small book image
Microsoft Sentinel in Action - Second Edition
Richard Diver | Gary Bushey | John Perkins
Feb, 2022 | 478 pages
Small book image
Security Orchestration, Automation, and Response for Security Analysts
Benjamin Kovacevic
Jul, 2023 | 338 pages
Small book image
Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide
Joe Anich | Trevor Stuart
Mar, 2022 | 288 pages
Small book image
Mastering Azure Security,
Mustafa Toroman | Tom Janetscheck
Apr, 2022 | 320 pages
Table of Contents (23 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Share Your Thoughts
1
Section 1: Design and Implementation
Section 1: Design and Implementation
Free Chapter
2
Chapter 1: Getting Started with Microsoft Sentinel
Chapter 1: Getting Started with Microsoft Sentinel
The current cloud security landscape
The cloud security reference framework
SOC platform components
Mapping the SOC architecture
Security solution integrations
Cloud platform integrations
Private infrastructure integrations
Service pricing for Microsoft Sentinel
Scenario mapping
Summary
Questions
Further reading
3
Chapter 2: Azure Monitor – Introduction to Log Analytics
Chapter 2: Azure Monitor – Introduction to Log Analytics
Technical requirements
Introduction to Azure Monitor Log Analytics
Creating a workspace using the portal
Creating a workspace using PowerShell or the CLI
Managing permissions for the workspace
Enabling Microsoft Sentinel
Exploring the Microsoft Sentinel Overview page
Connecting your first data source
Advanced settings for Log Analytics
Summary
Questions
Further reading
4
Section 2: Data Connectors, Management, and Queries
Section 2: Data Connectors, Management, and Queries
5
Chapter 3: Managing and Collecting Data
Chapter 3: Managing and Collecting Data
Choosing data that matters
Understanding connectors
Configuring Microsoft Sentinel connectors
Configuring Log Analytics storage options
Reviewing alternative storage options
Summary
Questions
Further reading
6
Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel
Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel
Introduction to TI
Understanding STIX and TAXII
Choosing the right intel feeds for your needs
Implementing TI connectors
Summary
Questions
Further reading
7
Chapter 5: Using the Kusto Query Language (KQL)
Chapter 5: Using the Kusto Query Language (KQL)
Running KQL queries
Introduction to KQL commands
Query statements
Scalar functions
String operators
Summary
Questions
Further reading
8
Chapter 6: Microsoft Sentinel Logs and Writing Queries
Chapter 6: Microsoft Sentinel Logs and Writing Queries
An introduction to the Microsoft Sentinel Logs page
Navigating through the Logs page
Writing a query
Summary
Questions
Further reading
9
Section 3: Security Threat Hunting
Section 3: Security Threat Hunting
10
Chapter 7: Creating Analytic Rules
Chapter 7: Creating Analytic Rules
An introduction to Microsoft Sentinel Analytics
Creating an analytic rule
Managing analytic rules
Summary
Questions
Further reading
11
Chapter 8: Creating and Using Workbooks
Chapter 8: Creating and Using Workbooks
An overview of the Workbooks page
Walking through an existing workbook
Creating workbooks
Editing a workbook
Managing workbooks
Workbook step types
Summary
Questions
Further reading
12
Chapter 9: Incident Management
Chapter 9: Incident Management
Using the Microsoft Sentinel Incidents page
Exploring the full details page
Investigating an incident
Summary
Questions
Further reading
13
Chapter 10: Configuring and Using Entity Behavior
Chapter 10: Configuring and Using Entity Behavior
Introduction to Microsoft Sentinel Entity behavior
Enabling Entity behavior
Overview of the Entity behavior page
Overview of the Entity behavior details page
Creating Entity behavior queries
Summary
Questions
Further reading
14
Chapter 11: Threat Hunting in Microsoft Sentinel
Chapter 11: Threat Hunting in Microsoft Sentinel
Introducing the Microsoft Sentinel Hunting page
Working with Microsoft Sentinel hunting queries
Working with livestream
Working with bookmarks
Using Microsoft Sentinel notebooks
Creating a workspace
Performing a hunt
Summary
Questions
Further reading
15
Section 4: Integration and Automation
Section 4: Integration and Automation
16
Chapter 12: Creating Playbooks and Automation
Chapter 12: Creating Playbooks and Automation
Introduction to Microsoft Sentinel playbooks
Introduction to Microsoft Sentinel Automation
Adding a new automation rule
Playbook pricing
Types of playbooks
Overview of the Microsoft Sentinel connector
Exploring the Playbooks tab
Logic app settings page
Creating a new playbook
Using the Logic Apps Designer page
Creating a simple Microsoft Sentinel playbook
Summary
Questions
Further reading
17
Chapter 13: ServiceNow Integration for Alert and Case Management
Chapter 13: ServiceNow Integration for Alert and Case Management
A brief history of Microsoft Sentinel and ServiceNow integration
Steps to integrate Microsoft Sentinel with ServiceNow
Summary
18
Section 5: Operational Guidance
Section 5: Operational Guidance
19
Chapter 14: Operational Tasks for Microsoft Sentinel
Chapter 14: Operational Tasks for Microsoft Sentinel
Dividing SOC duties
Operational tasks for SOC engineers
Operational tasks for SOC analysts
Summary
Questions
20
Chapter 15: Constant Learning and Community Contribution
Chapter 15: Constant Learning and Community Contribution
Official resources from Microsoft
Resources for SOC operations
Using GitHub
Specific components and supporting technologies
Summary
21
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 14
Why subscribe?
22
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Security solution integrations

Microsoft Sentinel is designed to work with multiple security solutions, not just those that are developed by Microsoft.

At the most basic level, log collection and analysis are possible from any system that can transmit its logs via the Syslog collectors. More detailed logs are available from those that support CEF-encoded Syslog endpoints that share Windows event logs. The preferred method, however, is to have direct integration via APIs to enable two-way communication and help to manage the integrated solutions. More details relating to these options are included in Chapter 3, Managing and Collecting Data.

Common Event Format (CEF)

CEF is an industry-standard format applied to Syslog messages, used by most security vendors to ensure commonality between platforms. Microsoft Sentinel provides integrations to easily run analytics and queries across CEF data. For a full list of Microsoft Sentinel CEF source configurations, review the article at https://aka.ms/SentinelGrandlist.

Microsoft is continually developing integration options. At the time of writing, the list of integrated third-party solution providers includes the following:

Table 1.1 – Data connector list of companies

Table 1.1 – Data connector list of companies

As you can see from this list, many of the top security vendors are available directly in the portal. Microsoft Sentinel provides the ability to connect to a range of security data sources with built-in connectors, ingest the log data, and display dashboards using pre-defined workbooks.

Previous Section
End of Section 6
Next Section