Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Microsoft Sentinel in Action
  • Toc
  • feedback
Microsoft Sentinel in Action

Microsoft Sentinel in Action

By : Richard Diver, Gary Bushey
4.7 (3)
close
Microsoft Sentinel in Action

Microsoft Sentinel in Action

4.7 (3)
By: Richard Diver, Gary Bushey

Overview of this book

Microsoft Sentinel is a security information and event management (SIEM) tool developed by Microsoft that helps you integrate cloud security and artificial intelligence (AI). This book will teach you how to implement Microsoft Sentinel and understand how it can help detect security incidents in your environment with integrated AI, threat analysis, and built-in and community-driven logic. The first part of this book will introduce you to Microsoft Sentinel and Log Analytics, then move on to understanding data collection and management, as well as how to create effective Microsoft Sentinel queries to detect anomalous behaviors and activity patterns. The next part will focus on useful features, such as entity behavior analytics and Microsoft Sentinel playbooks, along with exploring the new bi-directional connector for ServiceNow. In the next part, you’ll be learning how to develop solutions that automate responses needed to handle security incidents and find out more about the latest developments in security, techniques to enhance your cloud security architecture, and explore how you can contribute to the security community. By the end of this book, you’ll have learned how to implement Microsoft Sentinel to fit your needs and protect your environment from cyber threats and other security issues.
Table of Contents (23 chapters)
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Share Your Thoughts
1
Section 1: Design and Implementation
Section 1: Design and Implementation
Free Chapter
2
Chapter 1: Getting Started with Microsoft Sentinel
chevron up
Chapter 1: Getting Started with Microsoft Sentinel
The current cloud security landscape
The cloud security reference framework
SOC platform components
Mapping the SOC architecture
Security solution integrations
Cloud platform integrations
Private infrastructure integrations
Service pricing for Microsoft Sentinel
Scenario mapping
Summary
Questions
Further reading
3
Chapter 2: Azure Monitor – Introduction to Log Analytics
Chapter 2: Azure Monitor – Introduction to Log Analytics
Technical requirements
Introduction to Azure Monitor Log Analytics
Creating a workspace using the portal
Creating a workspace using PowerShell or the CLI
Managing permissions for the workspace
Enabling Microsoft Sentinel
Exploring the Microsoft Sentinel Overview page
Connecting your first data source
Advanced settings for Log Analytics
Summary
Questions
Further reading
4
Section 2: Data Connectors, Management, and Queries
Section 2: Data Connectors, Management, and Queries
5
Chapter 3: Managing and Collecting Data
Chapter 3: Managing and Collecting Data
Choosing data that matters
Understanding connectors
Configuring Microsoft Sentinel connectors
Configuring Log Analytics storage options
Reviewing alternative storage options
Summary
Questions
Further reading
6
Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel
Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel
Introduction to TI
Understanding STIX and TAXII
Choosing the right intel feeds for your needs
Implementing TI connectors
Summary
Questions
Further reading
7
Chapter 5: Using the Kusto Query Language (KQL)
Chapter 5: Using the Kusto Query Language (KQL)
Running KQL queries
Introduction to KQL commands
Query statements
Scalar functions
String operators
Summary
Questions
Further reading
8
Chapter 6: Microsoft Sentinel Logs and Writing Queries
Chapter 6: Microsoft Sentinel Logs and Writing Queries
An introduction to the Microsoft Sentinel Logs page
Navigating through the Logs page
Writing a query
Summary
Questions
Further reading
9
Section 3: Security Threat Hunting
Section 3: Security Threat Hunting
10
Chapter 7: Creating Analytic Rules
Chapter 7: Creating Analytic Rules
An introduction to Microsoft Sentinel Analytics
Creating an analytic rule
Managing analytic rules
Summary
Questions
Further reading
11
Chapter 8: Creating and Using Workbooks
Chapter 8: Creating and Using Workbooks
An overview of the Workbooks page
Walking through an existing workbook
Creating workbooks
Editing a workbook
Managing workbooks
Workbook step types
Summary
Questions
Further reading
12
Chapter 9: Incident Management
Chapter 9: Incident Management
Using the Microsoft Sentinel Incidents page
Exploring the full details page
Investigating an incident
Summary
Questions
Further reading
13
Chapter 10: Configuring and Using Entity Behavior
Chapter 10: Configuring and Using Entity Behavior
Introduction to Microsoft Sentinel Entity behavior
Enabling Entity behavior
Overview of the Entity behavior page
Overview of the Entity behavior details page
Creating Entity behavior queries
Summary
Questions
Further reading
14
Chapter 11: Threat Hunting in Microsoft Sentinel
Chapter 11: Threat Hunting in Microsoft Sentinel
Introducing the Microsoft Sentinel Hunting page
Working with Microsoft Sentinel hunting queries
Working with livestream
Working with bookmarks
Using Microsoft Sentinel notebooks
Creating a workspace
Performing a hunt
Summary
Questions
Further reading
15
Section 4: Integration and Automation
Section 4: Integration and Automation
16
Chapter 12: Creating Playbooks and Automation
Chapter 12: Creating Playbooks and Automation
Introduction to Microsoft Sentinel playbooks
Introduction to Microsoft Sentinel Automation
Adding a new automation rule
Playbook pricing
Types of playbooks
Overview of the Microsoft Sentinel connector
Exploring the Playbooks tab
Logic app settings page
Creating a new playbook
Using the Logic Apps Designer page
Creating a simple Microsoft Sentinel playbook
Summary
Questions
Further reading
17
Chapter 13: ServiceNow Integration for Alert and Case Management
Chapter 13: ServiceNow Integration for Alert and Case Management
A brief history of Microsoft Sentinel and ServiceNow integration
Steps to integrate Microsoft Sentinel with ServiceNow
Summary
18
Section 5: Operational Guidance
Section 5: Operational Guidance
19
Chapter 14: Operational Tasks for Microsoft Sentinel
Chapter 14: Operational Tasks for Microsoft Sentinel
Dividing SOC duties
Operational tasks for SOC engineers
Operational tasks for SOC analysts
Summary
Questions
20
Chapter 15: Constant Learning and Community Contribution
Chapter 15: Constant Learning and Community Contribution
Official resources from Microsoft
Resources for SOC operations
Using GitHub
Specific components and supporting technologies
Summary
21
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 14
Why subscribe?
22
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Mapping the SOC architecture

To implement a cohesive technical solution for your SOC platform, you will need to ensure that the following components are reviewed and thoroughly implemented. This is best done on a routine basis and incorporates regularly testing for the strength of each capability using penetration testing experts that will provide feedback and guidance to help improve any weaknesses.

Log management and data sources

The first component of an SOC platform is the gathering and storing of log data from a diverse range of systems and services across your IT environment. This is where you need careful planning to ensure that you are collecting and retaining the most appropriate data. Some key considerations we can borrow from other well-documented big data guidance are listed here:

  • Variety: You need to ensure you have data feeds from multiple sources to gain visibility across the spectrum of hardware and software solutions across your organization.
  • Volume: Too large a volume and you could face some hefty ingestion and storage fees; too small and you could miss some important events that may lead to preventing you from fully analyzing a breach.
  • Velocity: Collecting real-time data is critical to reducing response times, but it is also important that the data is processed and analyzed in real time too.
  • Value/veracity: The quality of data is important to understand the meaning; too much noise will hamper investigations.
  • Validity: The accuracy and integrity must be verified to ensure that the right decisions can be made.
  • Volatility: How long is the data useful for? Not all data needs to be retained long term; once analyzed, some data can be dropped quickly.
  • Vulnerability: Some data is more sensitive than other data, and when collected and correlated together in one place, can become an extremely valuable data source to a would-be attacker.
  • Visualization: Human interpretation of data requires some level of visualization. Understanding how you will show this information to the relevant audience is a key requirement for reporting.

Microsoft Sentinel provides a range of data connectors to ensure that all types of data can be ingested and analyzed. Securing Azure Monitor will be covered in Chapter 2, Azure Monitor – Introduction to Log Analytics, and connector details will be available in Chapter 3, Managing and Collecting Data.

Operations platforms

Traditionally, a SIEM was used to look at all log data and reason over it, looking for any potential threats across a diverse range of technologies. Today, there are multiple platforms available that carry out self-monitoring and alerting functionality, like the way a SIEM would work, except they are designed with a specific focus on a particular area of expertise. Each platform may carry out its own log collection and analysis, provide specific threat intelligence and vulnerability scanning, and make use of machine learning algorithms to detect changes in user and system behavior patterns. If they are advanced systems, they will also provide a level of automated response in reaction to the threats detected.

The following solutions each have a range of capabilities built in to collect and analyze logs, carry out immediate remediations, and report their findings to the SIEM solution for further investigation and cross-analysis:

  • Identity and Access Management (IAM): The IAM solution may be made up of multiple solutions, combined to ensure the full life cycle management of identities from creation to destruction. The IAM system should include governance actions, such as approvals, attestation, and the automated cleanup of group membership and permissions management. IAM also covers the capability of implementing multi-factor authentication: a method of challenging the sign-in process to provide more than a simple combination of user ID and password. All actions carried out by administrators and user-driven activities should be recorded and reported to the SIEM for context and end user behavior analytics.

    Modern IAM solutions will also include built-in user behavior analytics to detect changes in baseline patterns, suspicious activities, and the potential of insider-threat risks. These systems should also be integrated with a CASB solution to provide session-based authentication controls, which is the ability to apply further restrictions if the intent changes or access to higher-sensitivity actions is required. Finally, every organization should implement privileged access management solutions to control access to sensitive systems and services.

  • Endpoint Detection and Response (EDR): Going beyond anti-virus and anti-malware, a modern endpoint protection solution will include the ability to detect and respond to advanced threats as they occur. Detection will be based not only on signature-based known threats but also on patterns of behavior and integrated threat intelligence. Detection expands from a single machine to complete visibility across all endpoints in the organization, both on the network and roaming across the internet.

    Response capabilities will include the ability to isolate the machine from the network, to prevent the further spread of malicious activities, while retaining evidence for forensic analysis and providing remote access for investigators. The response may also trigger other actions across integrated systems, such as mailbox actions to remove threats that are executed via email or removing access to specific files on the network to prevent further execution of malicious code.

    Many companies have already invested in an EDR solution due to their effectiveness in reducing the risk of intrusion via advanced attacks. The trend now is to mature this implementation and focus on Extended Detection and Response (XDR) platforms: an XDR solution will include EDR, IAM, CASB, and several other solutions integrated to ensure complete attack chain detection and response capabilities.

  • CASB: A CASB is now a critical component in any cloud-based security architecture. With the ability to ingest logs from network firewalls and proxy servers, as well as connecting to multiple cloud services via their APIs, the CASB has become the first point of collation for many user activities across the network, both on-premises and when directly connected to the internet. This also prevents the need to ingest these logs directly into the SIEM (saving on costs) unless there is a need to directly query these logs rather than pivoting from the SIEM to the CASB portal to carry out an investigation.

    A CASB will come with many connectors for deep integration into cloud services, as well as connection to the IAM system to help govern access to other cloud services (via Single Sign-On (SSO)), acting as a reverse proxy and enforcing session-based controls. The CASB will also provide many detection rule templates to deploy immediately, as well as offering the ability to define custom rules for an almost infinite set of use cases unique to your organization. The response capabilities of the CASB are dependent on your specific integrations with the relevant cloud services; these can include the ability to restrict or revoke access to cloud services, prevent the upload or download of documents, or hide specific documents from the view of others.

  • Cloud Workload Protection Platform (CWPP): The CWPP may also be known as a Cloud Security Posture Management (CSPM) solution. Either of these will provide the unique capability of scanning and continuously monitoring systems to ensure that they meet compliance and governance requirements. This solution provides a centralized method for vulnerability scanning and for carrying out continuous audits across multiple cloud services (such as Amazon Web Services (AWS) and Microsoft Azure), while also centralizing policies and remediation actions. Resources within these services can be protected by implementing policies and technologies including Just In Time (JIT) access and Attack Surface Reduction (ASR).

    When these solutions are deployed, it is one less capability that we need the SIEM to provide; instead, it can take a feed from the service to understand the potential risk and provide an integration point for remediation actions.

  • Next-Generation Firewall (NGFW): Firewalls have been the backbone of network security since the 1980s and remain a core component of the segmentation and isolation of internal networks, as well as acting as the front door for many internet-facing services. With NGFW, not only do you get all the benefits of previous firewall technologies, but now you can carry out deep packet inspection for the application layer security and integrated intrusion detection/prevention systems. The deployment of NGFW solutions will also assist with the detection and remediation of malware and advanced threats on the network, preventing the spread to more hosts and network-based systems.

As you can see from these examples, the need to deploy a SIEM to do all the work of centrally collecting and analyzing logs is in the past. With each of these advanced solutions deployed to manage their specific area of expertise, the focus of SIEM changes to look for common patterns across the solutions as well as monitoring those systems that are not covered by these individual solutions. With Microsoft Sentinel as the SIEM, it will also act as the SOAR, enabling a coordinated response to threats across each of these individual solutions, preventing the need to re-engineer them all each time there is a change in requirements for alerting, reporting, and responding.

Threat intelligence and threat hunting

Threat intelligence adds additional context to the log data collected. Knowing what to look for in the logs and how to identify serious events requires a combination of threat hunting skills and the ongoing intelligence feed from a range of experts that are deep in the field of cybercrime research. Much of this work is augmented by Artificial Intelligence (AI) platforms; however, a human touch is always required to add that gut-feeling element that many detectives and police officers will tell you they get from working their own investigations in law enforcement.

SOC mapping summary

The following diagram provides a summary of the multiple components that come together to help to make up the SOC architecture, with some additional thoughts when implementing each one:

Figure 1.3 – The SOC mapping summary

Figure 1.3 – The SOC mapping summary

This solution works best when there is a rich source of log data streaming into the log management solution, tied in with data feeds coming from threat intel and vulnerability scans and databases. This information is used for discovery and threat hunting and may indicate any issues with configuration drift. The core solutions of the SOC operations include the SIEM, CASB, and EDR, among others, each with its own End User Behavior Analytics (EUBA) and SOAR capabilities. Integrating these solutions is a critical step in minimizing the noise and working toward improving the speed of response. The outcome should be the ability to report accurately on the current risk profile, compliance status, and clearly communicate in situations that require an immediate response and accurate data.

End of Section 5
Next Section
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete