What this book covers
Chapter 1, Getting Started with Microsoft Sentinel, includes an overview of the cloud security architecture as we see it today. This information lays a foundation for understanding what a modern Security Operations Center (SOC) is and why Microsoft Sentinel plays a key role. We will focus on the specific components needed to create a SOC platform and how Microsoft Sentinel brings all the data together to provide a central analysis and action capability.
Chapter 2, Azure Monitor – Introduction to Log Analytics , focuses on the creation of the Azure Log Analytics workspace, which is where we store all the log data for Microsoft Sentinel to analyze. This is an important first step in configuring Microsoft Sentinel.
Chapter 3, Managing and Collecting Data, teaches you how to collect data, manage the data to prevent overspend, and query the data for useful information as part of your threat hunting and other security activities.
Chapter 4, Integrating Threat Intelligence with Microsoft Sentinel, explains the options available for adding threat intelligence feeds to Microsoft Sentinel to enable the security team to have a greater understanding of the potential threats against their environment. Threat intelligence feeds add contextual information to the data gathered from logs across the organization.
Chapter 5, Using the Kusto Query Language, provides an introduction to the Kusto Query Language (KQL) and has some sample queries for you to work out for yourself.
Chapter 6, Microsoft Sentinel Logs and Writing Queries, expands on the skills learned in Chapter 5, Using the Kusto Query Language, to create useful Microsoft Sentinel queries to discover anomalous behaviors and patterns of activity.
Chapter 7, Creating Analytic Rules, teaches you how to take KQL queries and use them to create Microsoft Sentinel analytic rules to create incidents.
Chapter 8, Creating and Using Workbooks, explains the concept of workbooks, how to use workbook templates, how to edit an existing workbook, and how to create your own workbook.
Chapter 9, Incident Management, discusses Microsoft Sentinel incidents, what they are, how to manage them, and how to investigate them.
Chapter 10, Configuring and Using Entity Behavior, teaches you another way of obtaining more information about your incident by using Entity behavior.
Chapter 11, Threat Hunting in Microsoft Sentinel, discusses Microsoft Sentinel hunting queries and how to use them and touches upon Jupyter notebooks.
Chapter 12, Creating Playbooks and Automation, provides an overview of Microsoft Sentinel playbooks and will discuss using the Microsoft Sentinel trigger and actions to perform automations.
Chapter 13, ServiceNow Integration for Alerts and Case Management, expands upon what was learned in Chapter 12, Creating Playbooks and Automation, to provide a step-by-step guide on how to create a workflow that creates a ServiceNow ticket from an Microsoft Sentinel alert. These same steps could be modified to work with any ticketing agent.
Chapter 14, Operational Tasks for Microsoft Sentinel, will provide some operational guidance on various tasks that should be performed daily, weekly, monthly, and as needed.
Chapter 15, Constant Learning and Community Contribution, will finish the book by offering guidance on where to get the latest information and how to contribute to the community that is growing to support the development and sharing of security-related information and techniques.