Episode 2: Microsoft Sentinel: Modules - Beginner

Microsoft Sentinel is a cloud-based SIEM/SOAR system used by security operations teams.

Sentinel provides the following capabilities, which serve the purpose of a SIEM/SOAR:

  • Get security insights across the enterprise by collecting data from virtually any source.
  • Detect and investigate threats quickly by using built-in machine learning and Microsoft threat intelligence.
  • Automate threat responses by using playbooks and by integrating Azure Logic Apps.

Data Connectors:

  • The primary job of data connectors is to ingest data from a data source into Sentinel for further processing and monitoring.

[Image: Data Connectors page]

Log Retention:

  • The data ingested from data sources needs to be stored in a specific store for all reporting and customization.
  • It is stored in a Log Analytics Workspace (LAW). Using a LAW enables KQL (Kusto Query Language) to query the data into the outputs we want.

Workbook:

  • Workbooks are used to visualize your data inside Microsoft Sentinel (dashboards). The backend of a workbook is entirely KQL queries.
  • Customizing the built-in KQL queries or writing your own gets you results beyond the built-in functionality.

Analytics Reports:

  • To get notified when something suspicious happens in the environment, analytics reports are required. There are certain built-in analytics reports which can be used as-is or customized by editing them.

[Image: Analytics page]

Threat Hunting:

  • Threat hunting serves the purpose of hunting for suspicious activity or malware within the enterprise.
  • A SOC analyst can use the built-in hunting queries, customize them, or write queries in the query language from scratch to hunt across their own data.
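As an added example of the custom KQL described under Workbook and Threat Hunting (this query is not from the original article), here is a hunting query that surfaces accounts with many failed sign-ins in the last hour. It assumes the Azure AD (Entra ID) sign-in connector is populating the SigninLogs table in the LAW; the threshold value is a constructed example.

```kql
// Added example, not from the original article. Assumes the SigninLogs table
// is populated by the Azure AD (Entra ID) data connector.
let lookback = 1h;              // hunting window
let failure_threshold = 10;     // constructed example threshold, tune per tenant
SigninLogs
| where TimeGenerated > ago(lookback)
// ResultType "0" is a successful sign-in; any other value is a failure code
| where ResultType != "0"
| summarize
    FailedAttempts = count(),
    DistinctIPs    = dcount(IPAddress),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated),
    FailureCodes   = make_set(ResultType)
    by UserPrincipalName
| where FailedAttempts >= failure_threshold
| order by FailedAttempts desc
```

The same query can be saved as a hunting query, placed in a workbook for visualization, or turned into a scheduled analytics rule with UserPrincipalName mapped as the account entity so that matches create incidents.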

Incidents and Investigations:

  • Whenever an alert is generated in a data source (MDE/MDO/etc.), the alert is synced to Sentinel, which creates an incident.
  • The SOC works the incidents created by assigning them, changing their status and viewing the timeline of events. Incidents can also be investigated visually by mapping entities across the log data in the shared timeline of events.

Automation Playbooks:

  • Manual actions are usually time consuming, resource intensive and need human intervention to take effect. In a fast-moving world, it is more important to act quickly on security incidents to protect our network and data.
  • With that in mind, SecOps teams have automated certain abilities in Sentinel so that it can respond on its own and be more productive.
  • These capabilities are often referred to as security orchestration, automation, and response (SOAR).
  • Azure Logic Apps serve the purpose of automation here.

Overall Review: https://www.microsoft.com/en-in/videoplayer/embed/RE4LHLR?postJsllMsg=true&autoCaptions=en-in

Plans and Pricings: Azure Sentinel Pricing | Microsoft Azure
