Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Microsoft Sentinel in Action
  • Toc
  • feedback
Microsoft Sentinel in Action

Microsoft Sentinel in Action

By : Richard Diver, Gary Bushey
4.7 (3)
close
Microsoft Sentinel in Action

Microsoft Sentinel in Action

4.7 (3)
By: Richard Diver, Gary Bushey

Overview of this book

Microsoft Sentinel is a security information and event management (SIEM) tool developed by Microsoft that helps you integrate cloud security and artificial intelligence (AI). This book will teach you how to implement Microsoft Sentinel and understand how it can help detect security incidents in your environment with integrated AI, threat analysis, and built-in and community-driven logic. The first part of this book will introduce you to Microsoft Sentinel and Log Analytics, then move on to understanding data collection and management, as well as how to create effective Microsoft Sentinel queries to detect anomalous behaviors and activity patterns. The next part will focus on useful features, such as entity behavior analytics and Microsoft Sentinel playbooks, along with exploring the new bi-directional connector for ServiceNow. In the next part, you’ll be learning how to develop solutions that automate responses needed to handle security incidents and find out more about the latest developments in security, techniques to enhance your cloud security architecture, and explore how you can contribute to the security community. By the end of this book, you’ll have learned how to implement Microsoft Sentinel to fit your needs and protect your environment from cyber threats and other security issues.
Table of Contents (23 chapters)
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Share Your Thoughts
1
Section 1: Design and Implementation
Section 1: Design and Implementation
Free Chapter
2
Chapter 1: Getting Started with Microsoft Sentinel
chevron up
Chapter 1: Getting Started with Microsoft Sentinel
The current cloud security landscape
The cloud security reference framework
SOC platform components
Mapping the SOC architecture
Security solution integrations
Cloud platform integrations
Private infrastructure integrations
Service pricing for Microsoft Sentinel
Scenario mapping
Summary
Questions
Further reading
3
Chapter 2: Azure Monitor – Introduction to Log Analytics
Chapter 2: Azure Monitor – Introduction to Log Analytics
Technical requirements
Introduction to Azure Monitor Log Analytics
Creating a workspace using the portal
Creating a workspace using PowerShell or the CLI
Managing permissions for the workspace
Enabling Microsoft Sentinel
Exploring the Microsoft Sentinel Overview page
Connecting your first data source
Advanced settings for Log Analytics
Summary
Questions
Further reading
4
Section 2: Data Connectors, Management, and Queries
Section 2: Data Connectors, Management, and Queries
5
Chapter 3: Managing and Collecting Data
Chapter 3: Managing and Collecting Data
Choosing data that matters
Understanding connectors
Configuring Microsoft Sentinel connectors
Configuring Log Analytics storage options
Reviewing alternative storage options
Summary
Questions
Further reading
6
Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel
Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel
Introduction to TI
Understanding STIX and TAXII
Choosing the right intel feeds for your needs
Implementing TI connectors
Summary
Questions
Further reading
7
Chapter 5: Using the Kusto Query Language (KQL)
Chapter 5: Using the Kusto Query Language (KQL)
Running KQL queries
Introduction to KQL commands
Query statements
Scalar functions
String operators
Summary
Questions
Further reading
8
Chapter 6: Microsoft Sentinel Logs and Writing Queries
Chapter 6: Microsoft Sentinel Logs and Writing Queries
An introduction to the Microsoft Sentinel Logs page
Navigating through the Logs page
Writing a query
Summary
Questions
Further reading
9
Section 3: Security Threat Hunting
Section 3: Security Threat Hunting
10
Chapter 7: Creating Analytic Rules
Chapter 7: Creating Analytic Rules
An introduction to Microsoft Sentinel Analytics
Creating an analytic rule
Managing analytic rules
Summary
Questions
Further reading
11
Chapter 8: Creating and Using Workbooks
Chapter 8: Creating and Using Workbooks
An overview of the Workbooks page
Walking through an existing workbook
Creating workbooks
Editing a workbook
Managing workbooks
Workbook step types
Summary
Questions
Further reading
12
Chapter 9: Incident Management
Chapter 9: Incident Management
Using the Microsoft Sentinel Incidents page
Exploring the full details page
Investigating an incident
Summary
Questions
Further reading
13
Chapter 10: Configuring and Using Entity Behavior
Chapter 10: Configuring and Using Entity Behavior
Introduction to Microsoft Sentinel Entity behavior
Enabling Entity behavior
Overview of the Entity behavior page
Overview of the Entity behavior details page
Creating Entity behavior queries
Summary
Questions
Further reading
14
Chapter 11: Threat Hunting in Microsoft Sentinel
Chapter 11: Threat Hunting in Microsoft Sentinel
Introducing the Microsoft Sentinel Hunting page
Working with Microsoft Sentinel hunting queries
Working with livestream
Working with bookmarks
Using Microsoft Sentinel notebooks
Creating a workspace
Performing a hunt
Summary
Questions
Further reading
15
Section 4: Integration and Automation
Section 4: Integration and Automation
16
Chapter 12: Creating Playbooks and Automation
Chapter 12: Creating Playbooks and Automation
Introduction to Microsoft Sentinel playbooks
Introduction to Microsoft Sentinel Automation
Adding a new automation rule
Playbook pricing
Types of playbooks
Overview of the Microsoft Sentinel connector
Exploring the Playbooks tab
Logic app settings page
Creating a new playbook
Using the Logic Apps Designer page
Creating a simple Microsoft Sentinel playbook
Summary
Questions
Further reading
17
Chapter 13: ServiceNow Integration for Alert and Case Management
Chapter 13: ServiceNow Integration for Alert and Case Management
A brief history of Microsoft Sentinel and ServiceNow integration
Steps to integrate Microsoft Sentinel with ServiceNow
Summary
18
Section 5: Operational Guidance
Section 5: Operational Guidance
19
Chapter 14: Operational Tasks for Microsoft Sentinel
Chapter 14: Operational Tasks for Microsoft Sentinel
Dividing SOC duties
Operational tasks for SOC engineers
Operational tasks for SOC analysts
Summary
Questions
20
Chapter 15: Constant Learning and Community Contribution
Chapter 15: Constant Learning and Community Contribution
Official resources from Microsoft
Resources for SOC operations
Using GitHub
Specific components and supporting technologies
Summary
21
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 14
Why subscribe?
22
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

The current cloud security landscape

To understand your security architecture requirements, you must first ensure that you have a solid understanding of the IT environment that you are trying to protect. Before deploying any new security solution, there is a need to map out the solutions that are currently deployed and how they protect each area of the IT environment. The following list provides the major components of any modern IT environment:

  • End user habits that are counter-productive to security endeavors
  • Identity for the authentication and authorization of access to systems
  • Networks to gain access to internal resources and the internet
  • Storage and compute in the data center for internal applications and sensitive information
  • End user devices and the applications they use to interact with data
  • And in some environments, you can include Industrial Control Systems (ICS) and the Internet of Things (IoT)

When we start to look at the threats and vulnerabilities for these components, we quickly find ourselves deep in the alphabet soup of problems and solutions.

Figure 1.1 – The alphabet soup of cybersecurity

Figure 1.1 – The alphabet soup of cybersecurity

This is by no means an exhaustive list of the potential acronyms available. Understanding these acronyms is the first hurdle; matching them to the appropriate solutions and ensuring they are well deployed is another challenge altogether (a table of these acronyms can be found in the appendix of this book).

End of Section 2
Next Section
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete