Book Image

Learn Azure Sentinel

By : Richard Diver, Gary Bushey
Book Image

Learn Azure Sentinel

By: Richard Diver, Gary Bushey

Overview of this book

Azure Sentinel is a Security Information and Event Management (SIEM) tool developed by Microsoft to integrate cloud security and artificial intelligence (AI). Azure Sentinel not only helps clients identify security issues in their environment, but also uses automation to help resolve these issues. With this book, you’ll implement Azure Sentinel and understand how it can help find security incidents in your environment with integrated artificial intelligence, threat analysis, and built-in and community-driven logic. This book starts with an introduction to Azure Sentinel and Log Analytics. You’ll get to grips with data collection and management, before learning how to create effective Azure Sentinel queries to detect anomalous behaviors and patterns of activity. As you make progress, you’ll understand how to develop solutions that automate the responses required to handle security incidents. Finally, you’ll grasp the latest developments in security, discover techniques to enhance your cloud security architecture, and explore how you can contribute to the security community. By the end of this book, you’ll have learned how to implement Azure Sentinel to fit your needs and be able to protect your environment from cyber threats and other security issues.

Related Content you might be interested in

Current Title:

Small book image
Learn Azure Sentinel
Richard Diver | Gary Bushey
Apr, 2020 | 422 pages
Small book image
Security Orchestration, Automation, and Response for Security Analysts
Benjamin Kovacevic
Jul, 2023 | 338 pages
Small book image
Mastering Azure Security,
Mustafa Toroman | Tom Janetscheck
Apr, 2022 | 320 pages
Small book image
Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide
Joe Anich | Trevor Stuart
Mar, 2022 | 288 pages
Table of Contents (22 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
1
Section 1: Design and Implementation
Section 1: Design and Implementation
Free Chapter
2
Chapter 1: Getting Started with Azure Sentinel
Chapter 1: Getting Started with Azure Sentinel
The current cloud security landscape
The cloud security reference framework
SOC platform components
Mapping the SOC architecture
Security solution integrations
Cloud platform integrations
Private infrastructure integrations
Service pricing for Azure Sentinel
Scenario mapping
Summary
Questions
Further reading
3
Chapter 2: Azure Monitor – Log Analytics
Chapter 2: Azure Monitor – Log Analytics
Technical requirements
Introduction to Azure Monitor Log Analytics
Managing the permissions of the workspace
Enabling Azure Sentinel
Exploring the Azure Sentinel Overview page
Advanced settings for Log Analytics
Summary
Questions
Further reading
4
Section 2: Data Connectors, Management, and Queries
Section 2: Data Connectors, Management, and Queries
5
Chapter 3: Managing and Collecting Data
Chapter 3: Managing and Collecting Data
Choosing data that matters
Understanding connectors
Configuring Azure Sentinel connectors
Configuring Log Analytics storage options
Summary
Questions
Further reading
6
Chapter 4: Integrating Threat Intelligence
Chapter 4: Integrating Threat Intelligence
Introduction to TI
Understanding STIX and TAXII
Choosing the right intel feeds for your needs
Implementing TI connectors
Summary
Questions
Further reading
7
Chapter 5: Using the Kusto Query Language (KQL)
Chapter 5: Using the Kusto Query Language (KQL)
Running KQL queries
Introduction to KQL commands
Summary
Questions
Further reading
8
Chapter 6: Azure Sentinel Logs and Writing Queries
Chapter 6: Azure Sentinel Logs and Writing Queries
An introduction to the Azure Sentinel Logs page
Navigating through the Logs page
Writing a query
Summary
Questions
Further reading
9
Section 3: Security Threat Hunting
Section 3: Security Threat Hunting
10
Chapter 7: Creating Analytic Rules
Chapter 7: Creating Analytic Rules
An introduction to Azure Sentinel Analytics
Creating an analytic rule
Managing analytic rules
Summary
Questions
Further reading
11
Chapter 8:Introducing Workbooks
Chapter 8:Introducing Workbooks
An overview of the Workbooks page
Walking through an existing workbook
Creating workbooks
Editing a workbook
Managing workbooks
Workbook step types
Summary
Questions
Further reading
12
Chapter 9:Incident Management
Chapter 9:Incident Management
Using the Azure Sentinel Incidents page
Exploring the full details page
Investigating an incident
Summary
Questions
Further reading
13
Chapter 10: Threat Hunting in Azure Sentinel
Chapter 10: Threat Hunting in Azure Sentinel
Introducing the Azure Sentinel Hunting page
Working with Azure Sentinel Hunting queries
Working with Livestream
Working with bookmarks
Using Azure Sentinel Notebooks
Performing a hunt
Summary
Questions
Further reading
14
Section 4: Integration and Automation
Section 4: Integration and Automation
15
Chapter 11: Creating Playbooks and Logic Apps
Chapter 11: Creating Playbooks and Logic Apps
Introduction to Azure Sentinel playbooks
Playbook pricing
Overview of the Azure Sentinel connector
Exploring the Playbooks page
Logic Apps settings page
Creating a new playbook
Using the Logic Apps Designer page
Creating a simple Azure Sentinel playbook
Summary
Questions
Further reading
16
Chapter 12: ServiceNow Integration
Chapter 12: ServiceNow Integration
Overview of Azure Sentinel alerts
Overview of IT Service Management (ITSM)
Logging in to ServiceNow
Creating a playbook to trigger a ticket in ServiceNow
Summary
Questions
Further reading
17
Section 5: Operational Guidance
Section 5: Operational Guidance
18
Chapter 13: Operational Tasks for Azure Sentinel
Chapter 13: Operational Tasks for Azure Sentinel
Dividing SOC duties
Operational tasks for SOC engineers
Operational tasks for SOC analysts
Summary
Questions
19
Chapter 14: Constant Learning and Community Contribution
Chapter 14: Constant Learning and Community Contribution
Official resources from Microsoft
Resources for SOC operations
Using GitHub
Specific components and supporting technologies
Summary
20
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
21
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

What this book covers

Chapter 1, Getting Started with Azure Sentinel, will give an overview of Azure Sentinel, including coverage of the current cloud landscape, the cloud security reference framework, Security Operations Center (SOC) platform components, and how to map the architecture. You will also learn about integrating on-premises infrastructure into Azure Sentinel as well as how Azure Sentinel is priced.

Chapter 2, Azure Monitor Log Analytics, will cover Azure Monitor Log Analytics, including planning your Log Analytics instance, how to create a new instance, and how to attach an instance to Azure Sentinel. You will also learn about the advanced settings for Log Analytics and about the Azure Sentinel overview page.

Chapter 3, Data Collection and Management, will explain how to determine what data you need to ingest into Azure Sentinel and how to connect to various data sources to get that information. You will also learn how to adjust data retention plans and how data retention is priced.

Chapter 4, Integrating Threat Intelligence, will introduce you to threat intelligence and how to ingest different threat intelligence feeds into Azure Sentinel.

Chapter 5, Using the Kusto Query Language (KQL), will discuss Kusto Query Language (KQL) and will explain out how to write your own queries.

Chapter 6, Azure Sentinel Logs and Writing Queries, will introduce you to Azure Sentinel’s Logs page and will teach you how to use it to start writing your KQL queries against the data you have ingested.

Chapter 7, Creating Analytic Rules, will teach you how to create analytic rules that will search for anomalies in your environment. It will discuss analytic rule templates and how you can use them to create your own rules as well as how to create them from scratch.

Chapter 8, Introducing Workbooks, will cover Azure Sentinel’s workbook page, workbook templates, and how you can create a workbook from a template or from scratch.

Chapter 9, Incident Management, will explain how to manage incidents that your analytic rules create. You will learn about the incident page, how to view an incident’s full details, and how to start investigating an incident using Azure Sentinel’s Investigate GUI interface.

Chapter 10, Threat Hunting in Azure Sentinel, will introduce you to Azure Sentinel’s Hunting page, which will allow you to start your threat hunting activities. It will also briefly discuss Azure Notebook, which is Azure’s hosted Jupyter resource. There will also be a discussion of the steps needed to perform your investigation.

Chapter 11, Creating Playbooks and Logic Apps, will introduce you to Azure Sentinel’s playbooks and explain how they relate to Logic Apps. You will learn about the logic app Azure Sentinel connector and go through a walk-through about creating your own playbook.

Chapter 12, ServiceNow Integration, will provide an introduction to Information Technology Service Management (ITSM), the ServiceNow application, and how to create a simple Azure Sentinel playbook to create a new ticket in ServiceNow using information from your Azure Sentinel incident.

Chapter 13, Operational Tasks for Azure Sentinel, will cover the steps needed to keep your Azure Sentinel instance running smoothly. The steps will be broken up between your SOC analytics and your SOC engineers, as each have different aspects of Azure Sentinel that they will be responsible for.

Chapter 14, Constant Learning and Community Contribution, contains a list of various places you can go to continuing learning about Azure Sentinel and its supporting resources, including Logic Apps, Jupyter Notebook, KQL, and Fusion.

Previous Section
Next Section