Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Microsoft Sentinel in Action
  • Table Of Contents Toc
Microsoft Sentinel in Action

Microsoft Sentinel in Action - Second Edition

By : Richard Diver, Gary Bushey
4.7 (3)
Buy this Book
close
close
Microsoft Sentinel in Action

Microsoft Sentinel in Action

4.7 (3)
By: Richard Diver, Gary Bushey
Buy this Book

Overview of this book

Microsoft Sentinel is a security information and event management (SIEM) tool developed by Microsoft that helps you integrate cloud security and artificial intelligence (AI). This book will teach you how to implement Microsoft Sentinel and understand how it can help detect security incidents in your environment with integrated AI, threat analysis, and built-in and community-driven logic. The first part of this book will introduce you to Microsoft Sentinel and Log Analytics, then move on to understanding data collection and management, as well as how to create effective Microsoft Sentinel queries to detect anomalous behaviors and activity patterns. The next part will focus on useful features, such as entity behavior analytics and Microsoft Sentinel playbooks, along with exploring the new bi-directional connector for ServiceNow. In the next part, you’ll be learning how to develop solutions that automate responses needed to handle security incidents and find out more about the latest developments in security, techniques to enhance your cloud security architecture, and explore how you can contribute to the security community. By the end of this book, you’ll have learned how to implement Microsoft Sentinel to fit your needs and protect your environment from cyber threats and other security issues.
Table of Contents (23 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Download the color images
Icon
Conventions used
Icon
Get in touch
Icon
Share Your Thoughts
1
Section 1: Design and Implementation
Icon
Section 1: Design and Implementation
Lock Free Chapter
2
Chapter 1: Getting Started with Microsoft Sentinel
Icon
Chapter 1: Getting Started with Microsoft Sentinel
Icon
The current cloud security landscape
Icon
The cloud security reference framework
Icon
SOC platform components
Icon
Mapping the SOC architecture
Icon
Security solution integrations
Icon
Cloud platform integrations
Icon
Private infrastructure integrations
Icon
Service pricing for Microsoft Sentinel
Icon
Scenario mapping
Icon
Summary
Icon
Questions
Icon
Further reading
3
Chapter 2: Azure Monitor – Introduction to Log Analytics
Icon
Chapter 2: Azure Monitor – Introduction to Log Analytics
Icon
Technical requirements
Icon
Introduction to Azure Monitor Log Analytics
Icon
Creating a workspace using the portal
Icon
Creating a workspace using PowerShell or the CLI
Icon
Managing permissions for the workspace
Icon
Enabling Microsoft Sentinel
Icon
Exploring the Microsoft Sentinel Overview page
Icon
Connecting your first data source
Icon
Advanced settings for Log Analytics
Icon
Summary
Icon
Questions
Icon
Further reading
4
Section 2: Data Connectors, Management, and Queries
Icon
Section 2: Data Connectors, Management, and Queries
5
Chapter 3: Managing and Collecting Data
Icon
Chapter 3: Managing and Collecting Data
Icon
Choosing data that matters
Icon
Understanding connectors
Icon
Configuring Microsoft Sentinel connectors
Icon
Configuring Log Analytics storage options
Icon
Reviewing alternative storage options
Icon
Summary
Icon
Questions
Icon
Further reading
6
Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel
Icon
Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel
Icon
Introduction to TI
Icon
Understanding STIX and TAXII
Icon
Choosing the right intel feeds for your needs
Icon
Implementing TI connectors
Icon
Summary
Icon
Questions
Icon
Further reading
7
Chapter 5: Using the Kusto Query Language (KQL)
chevron up
Icon
Chapter 5: Using the Kusto Query Language (KQL)
Icon
Running KQL queries
Icon
Introduction to KQL commands
Icon
Query statements
Icon
Scalar functions
Icon
String operators
Icon
Summary
Icon
Questions
Icon
Further reading
8
Chapter 6: Microsoft Sentinel Logs and Writing Queries
Icon
Chapter 6: Microsoft Sentinel Logs and Writing Queries
Icon
An introduction to the Microsoft Sentinel Logs page
Icon
Navigating through the Logs page
Icon
Writing a query
Icon
Summary
Icon
Questions
Icon
Further reading
9
Section 3: Security Threat Hunting
Icon
Section 3: Security Threat Hunting
10
Chapter 7: Creating Analytic Rules
Icon
Chapter 7: Creating Analytic Rules
Icon
An introduction to Microsoft Sentinel Analytics
Icon
Creating an analytic rule
Icon
Managing analytic rules
Icon
Summary
Icon
Questions
Icon
Further reading
11
Chapter 8: Creating and Using Workbooks
Icon
Chapter 8: Creating and Using Workbooks
Icon
An overview of the Workbooks page
Icon
Walking through an existing workbook
Icon
Creating workbooks
Icon
Editing a workbook
Icon
Managing workbooks
Icon
Workbook step types
Icon
Summary
Icon
Questions
Icon
Further reading
12
Chapter 9: Incident Management
Icon
Chapter 9: Incident Management
Icon
Using the Microsoft Sentinel Incidents page
Icon
Exploring the full details page
Icon
Investigating an incident
Icon
Summary
Icon
Questions
Icon
Further reading
13
Chapter 10: Configuring and Using Entity Behavior
Icon
Chapter 10: Configuring and Using Entity Behavior
Icon
Introduction to Microsoft Sentinel Entity behavior
Icon
Enabling Entity behavior
Icon
Overview of the Entity behavior page
Icon
Overview of the Entity behavior details page
Icon
Creating Entity behavior queries
Icon
Summary
Icon
Questions
Icon
Further reading
14
Chapter 11: Threat Hunting in Microsoft Sentinel
Icon
Chapter 11: Threat Hunting in Microsoft Sentinel
Icon
Introducing the Microsoft Sentinel Hunting page
Icon
Working with Microsoft Sentinel hunting queries
Icon
Working with livestream
Icon
Working with bookmarks
Icon
Using Microsoft Sentinel notebooks
Icon
Creating a workspace
Icon
Performing a hunt
Icon
Summary
Icon
Questions
Icon
Further reading
15
Section 4: Integration and Automation
Icon
Section 4: Integration and Automation
16
Chapter 12: Creating Playbooks and Automation
Icon
Chapter 12: Creating Playbooks and Automation
Icon
Introduction to Microsoft Sentinel playbooks
Icon
Introduction to Microsoft Sentinel Automation
Icon
Adding a new automation rule
Icon
Playbook pricing
Icon
Types of playbooks
Icon
Overview of the Microsoft Sentinel connector
Icon
Exploring the Playbooks tab
Icon
Logic app settings page
Icon
Creating a new playbook
Icon
Using the Logic Apps Designer page
Icon
Creating a simple Microsoft Sentinel playbook
Icon
Summary
Icon
Questions
Icon
Further reading
17
Chapter 13: ServiceNow Integration for Alert and Case Management
Icon
Chapter 13: ServiceNow Integration for Alert and Case Management
Icon
A brief history of Microsoft Sentinel and ServiceNow integration
Icon
Steps to integrate Microsoft Sentinel with ServiceNow
Icon
Summary
18
Section 5: Operational Guidance
Icon
Section 5: Operational Guidance
19
Chapter 14: Operational Tasks for Microsoft Sentinel
Icon
Chapter 14: Operational Tasks for Microsoft Sentinel
Icon
Dividing SOC duties
Icon
Operational tasks for SOC engineers
Icon
Operational tasks for SOC analysts
Icon
Summary
Icon
Questions
20
Chapter 15: Constant Learning and Community Contribution
Icon
Chapter 15: Constant Learning and Community Contribution
Icon
Official resources from Microsoft
Icon
Resources for SOC operations
Icon
Using GitHub
Icon
Specific components and supporting technologies
Icon
Summary
21
Assessments
Icon
Chapter 1
Icon
Chapter 2
Icon
Chapter 3
Icon
Chapter 4
Icon
Chapter 5
Icon
Chapter 6
Icon
Chapter 7
Icon
Chapter 8
Icon
Chapter 9
Icon
Chapter 10
Icon
Chapter 11
Icon
Chapter 12
Icon
Chapter 14
Icon
Why subscribe?
22
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Packt is searching for authors like you
Icon
Share Your Thoughts

Query statements

Query statements in KQL produce tables that can be used in other parts of the query and must end with a semicolon (;). These commands, of which we will only discuss the let command here, will return entire tables that are all returned by the query. Keep in mind that a table can consist of a single row and a single column, in which case it acts as a constant in other languages.

The let statement

The let statement allows you to create a new variable that can be used in later computations. It is different than extend or project in that it can create more than just a column – it can create another table if desired.

So, if I want to create a table that contains all the StormEvents for only NORTH CAROLINA, I can use the following commands. Note the ; at the end of the let statement since it is indeed a separate statement:

let NCEvents = StormEvents
| where State == "NORTH CAROLINA";
NCEvents

The let statement can also be used to define constants...

CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Microsoft Sentinel in Action
End of Section 7
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon