Book Image

Microsoft Sentinel in Action - Second Edition

By : Richard Diver, Gary Bushey, John Perkins

Book Image

Microsoft Sentinel in Action - Second Edition

By: Richard Diver, Gary Bushey, John Perkins

Overview of this book

Microsoft Sentinel is a security information and event management (SIEM) tool developed by Microsoft that helps you integrate cloud security and artificial intelligence (AI). This book will teach you how to implement Microsoft Sentinel and understand how it can help detect security incidents in your environment with integrated AI, threat analysis, and built-in and community-driven logic. The first part of this book will introduce you to Microsoft Sentinel and Log Analytics, then move on to understanding data collection and management, as well as how to create effective Microsoft Sentinel queries to detect anomalous behaviors and activity patterns. The next part will focus on useful features, such as entity behavior analytics and Microsoft Sentinel playbooks, along with exploring the new bi-directional connector for ServiceNow. In the next part, you’ll be learning how to develop solutions that automate responses needed to handle security incidents and find out more about the latest developments in security, techniques to enhance your cloud security architecture, and explore how you can contribute to the security community. By the end of this book, you’ll have learned how to implement Microsoft Sentinel to fit your needs and protect your environment from cyber threats and other security issues.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Share Your Thoughts

Section 1: Design and Implementation

Section 1: Design and Implementation

Free Chapter

Chapter 1: Getting Started with Microsoft Sentinel

Chapter 1: Getting Started with Microsoft Sentinel

The current cloud security landscape

The cloud security reference framework

SOC platform components

Mapping the SOC architecture

Security solution integrations

Cloud platform integrations

Private infrastructure integrations

Service pricing for Microsoft Sentinel

Scenario mapping

Further reading

Chapter 2: Azure Monitor – Introduction to Log Analytics

Chapter 2: Azure Monitor – Introduction to Log Analytics

Technical requirements

Introduction to Azure Monitor Log Analytics

Creating a workspace using the portal

Creating a workspace using PowerShell or the CLI

Managing permissions for the workspace

Enabling Microsoft Sentinel

Exploring the Microsoft Sentinel Overview page

Connecting your first data source

Advanced settings for Log Analytics

Further reading

Section 2: Data Connectors, Management, and Queries

Section 2: Data Connectors, Management, and Queries

Chapter 3: Managing and Collecting Data

Chapter 3: Managing and Collecting Data

Choosing data that matters

Understanding connectors

Configuring Microsoft Sentinel connectors

Configuring Log Analytics storage options

Reviewing alternative storage options

Further reading

Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel

Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel

Introduction to TI

Understanding STIX and TAXII

Choosing the right intel feeds for your needs

Implementing TI connectors

Further reading

Chapter 5: Using the Kusto Query Language (KQL)

Chapter 5: Using the Kusto Query Language (KQL)

Running KQL queries

Introduction to KQL commands

Query statements

Scalar functions

String operators

Further reading

Chapter 6: Microsoft Sentinel Logs and Writing Queries

Chapter 6: Microsoft Sentinel Logs and Writing Queries

An introduction to the Microsoft Sentinel Logs page

Navigating through the Logs page

Writing a query

Further reading

Section 3: Security Threat Hunting

Section 3: Security Threat Hunting

Chapter 7: Creating Analytic Rules

Chapter 7: Creating Analytic Rules

An introduction to Microsoft Sentinel Analytics

Creating an analytic rule

Managing analytic rules

Further reading

Chapter 8: Creating and Using Workbooks

Chapter 8: Creating and Using Workbooks

An overview of the Workbooks page

Walking through an existing workbook

Creating workbooks

Editing a workbook

Managing workbooks

Workbook step types

Further reading

Chapter 9: Incident Management

Chapter 9: Incident Management

Using the Microsoft Sentinel Incidents page

Exploring the full details page

Investigating an incident

Further reading

Chapter 10: Configuring and Using Entity Behavior

Chapter 10: Configuring and Using Entity Behavior

Introduction to Microsoft Sentinel Entity behavior

Enabling Entity behavior

Overview of the Entity behavior page

Overview of the Entity behavior details page

Creating Entity behavior queries

Further reading

Chapter 11: Threat Hunting in Microsoft Sentinel

Chapter 11: Threat Hunting in Microsoft Sentinel

Introducing the Microsoft Sentinel Hunting page

Working with Microsoft Sentinel hunting queries

Working with livestream

Working with bookmarks

Using Microsoft Sentinel notebooks

Creating a workspace

Performing a hunt

Further reading

Section 4: Integration and Automation

Section 4: Integration and Automation

Chapter 12: Creating Playbooks and Automation

Chapter 12: Creating Playbooks and Automation

Introduction to Microsoft Sentinel playbooks

Introduction to Microsoft Sentinel Automation

Adding a new automation rule

Playbook pricing

Types of playbooks

Overview of the Microsoft Sentinel connector

Exploring the Playbooks tab

Logic app settings page

Creating a new playbook

Using the Logic Apps Designer page

Creating a simple Microsoft Sentinel playbook

Further reading

Chapter 13: ServiceNow Integration for Alert and Case Management

Chapter 13: ServiceNow Integration for Alert and Case Management

A brief history of Microsoft Sentinel and ServiceNow integration

Steps to integrate Microsoft Sentinel with ServiceNow

Section 5: Operational Guidance

Section 5: Operational Guidance

Chapter 14: Operational Tasks for Microsoft Sentinel

Chapter 14: Operational Tasks for Microsoft Sentinel

Dividing SOC duties

Operational tasks for SOC engineers

Operational tasks for SOC analysts

Chapter 15: Constant Learning and Community Contribution

Chapter 15: Constant Learning and Community Contribution

Official resources from Microsoft

Resources for SOC operations

Specific components and supporting technologies

Assessments

Other Books You May Enjoy

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Chapter 3: Managing and Collecting Data

One of the primary purposes of a Security Information and Event Management (SIEM) solution is to centralize the storage and analysis of security events across a diverse range of products that provide protection across your organization's IT infrastructure. To do this, the solution needs to connect to those data sources, pull the data into a central store, and manage the life cycle of that data to ensure it is available for analysis and ongoing investigations.

In this chapter, we will review the types of data that are most interesting and useful for security operations, and then explore the functionality available to connect to multiple data sources and ingest that data into Microsoft Sentinel by storing it in the Log Analytics workspace. Once the data is ingested, we need to ensure the appropriate configuration for data retention to maximize the ability to hunt for events and other security information, while also ensuring the cost of...