Microsoft Sentinel in Action
By: Richard Diver, Gary Bushey
Overview of this book

Microsoft Sentinel is a security information and event management (SIEM) tool developed by Microsoft that helps you integrate cloud security and artificial intelligence (AI). This book will teach you how to implement Microsoft Sentinel and understand how it can help detect security incidents in your environment with integrated AI, threat analysis, and built-in and community-driven logic. The first part of this book will introduce you to Microsoft Sentinel and Log Analytics, then move on to understanding data collection and management, as well as how to create effective Microsoft Sentinel queries to detect anomalous behaviors and activity patterns. The next part will focus on useful features, such as entity behavior analytics and Microsoft Sentinel playbooks, along with exploring the new bi-directional connector for ServiceNow. In the next part, you’ll be learning how to develop solutions that automate responses needed to handle security incidents and find out more about the latest developments in security, techniques to enhance your cloud security architecture, and explore how you can contribute to the security community. By the end of this book, you’ll have learned how to implement Microsoft Sentinel to fit your needs and protect your environment from cyber threats and other security issues.

Cloud platform integrations

One of the key reasons you might be planning to deploy Microsoft Sentinel is to manage the security of your cloud platform deployments. Instead of sending logs from the cloud provider to an on-premises SIEM solution, you will likely want to keep that data off your local network, to save on bandwidth usage and storage costs.

Let's now look at how some of these platforms can be integrated with Microsoft Sentinel.

Integrating with Amazon Web Services (AWS)

AWS provides API access to most features across the platform, which enables Microsoft Sentinel to integrate with it richly. The following list describes some of the common resources that should be integrated with Microsoft Sentinel if they are enabled in your AWS accounts:

  • AWS CloudTrail logs provide insights into AWS user activities, including failed sign-in attempts, IP addresses, regions, user agents, and identity types, as well as potentially malicious user activities with assumed roles.
  • AWS CloudTrail logs also provide network-related resource activities, including the creation, update, and deletion of security groups, network access control lists (ACLs) and routes, gateways, elastic load balancers, Virtual Private Cloud (VPC), subnets, and network interfaces.

Some resources deployed within an AWS account can be configured to send logs directly to Microsoft Sentinel (such as Windows event logs from EC2 instances running the monitoring agent). You may also deploy a log collector (Syslog, CEF, or Logstash) within an AWS account to centralize log collection, the same as you would for a private data center.
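As an added example (not code from the book), the following Microsoft Sentinel KQL query shows how the CloudTrail activities listed above can be surfaced once the AWS connector is populating the AWSCloudTrail table. It assumes the standard AWSCloudTrail column names (EventName, EventSource, ResponseElements, UserIdentityType, SessionIssuerArn, and so on) and combines failed console sign-ins with security group and network ACL changes, keeping the source IP, region, user agent, identity type, and assumed role for each row.

```kql
// Added example for Microsoft Sentinel, not from the book.
// Assumes the AWSCloudTrail table created by the AWS data connector.
let lookback = 1d;
// 1) Failed console sign-ins: CloudTrail records the outcome inside the
//    ResponseElements JSON as {"ConsoleLogin": "Success" | "Failure"}.
let failedLogins =
    AWSCloudTrail
    | where TimeGenerated > ago(lookback)
    | where EventName =~ "ConsoleLogin"
    | extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)
    | where LoginResult !~ "Success"
    | extend Activity = "Failed console sign-in",
             Detail = tostring(ErrorMessage);
// 2) Network control-plane changes: security group and network ACL
//    create / update / delete calls issued through the EC2 API.
let networkChanges =
    AWSCloudTrail
    | where TimeGenerated > ago(lookback)
    | where EventSource =~ "ec2.amazonaws.com"
    | where EventName in~ (
        "CreateSecurityGroup", "DeleteSecurityGroup",
        "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
        "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
        "CreateNetworkAcl", "DeleteNetworkAcl",
        "CreateNetworkAclEntry", "DeleteNetworkAclEntry",
        "ReplaceNetworkAclEntry")
    | extend Activity = "Network resource change",
             Detail = tostring(RequestParameters);
// Union both sets and keep the identity context the text calls out:
// an assumed role shows up as UserIdentityType == "AssumedRole" with the
// issuing role in SessionIssuerArn.
union failedLogins, networkChanges
| extend AssumedRole = iff(UserIdentityType =~ "AssumedRole", SessionIssuerArn, "")
| project TimeGenerated, Activity, EventName, Detail,
          UserIdentityType, UserIdentityArn, AssumedRole,
          SourceIpAddress, AWSRegion, UserAgent, RecipientAccountId
| order by TimeGenerated desc
```

Narrow the lookback or add a `summarize count() by SourceIpAddress` stage when turning this into a scheduled analytics rule, so that a burst of failures from one address stands out from routine activity.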

Integrating with Google Cloud Platform (GCP)

Google provides API access to most features of both GCP and the G Suite solution. G Suite Connector is currently in development. If you are managing either a G Suite or a GCP instance and want to use Microsoft Sentinel to secure them, you should consider the following options (until a fully supported connector is available):

  • REST API—this feature is still in development; when released, it will allow you to create your own investigation queries.
  • Deploy a CASB solution that can interact with GCP logs, control session access, and forward relevant information to Microsoft Sentinel.
  • Deploy a log collector such as Syslog, CEF, or Logstash. Ensure that all deployed resources can forward their logs via the log collector to Microsoft Sentinel.

Integrating with Microsoft Azure

The Microsoft Azure platform provides direct integration with many Microsoft security solutions, and more are being added every month:

  • Azure Active Directory, for collecting audit and sign-in logs to gather insights about app usage, Conditional Access policies, legacy authentication, self-service password reset usage, and the management of users, groups, roles, and apps.
  • Azure Active Directory Identity Protection, which provides user and sign-in risk events and vulnerabilities, with the ability to remediate these risks immediately.
  • Azure Activity, for insights into subscription-level events such as Azure Resource Manager, service health, write operations on resources, and the status of activities performed in Azure.
  • Azure DDoS Protection, for the protection of web services that could be susceptible to attack through DDoS.
  • Microsoft Defender, the integrated CWPP for security management across Azure, AWS, GCP, and hybrid deployments.
  • Microsoft Defender for IoT, for insights into the IoT and OT networks with recommendations based on the severity of the risk.
  • Azure Firewall, the managed, cloud-based network security service to protect Azure Virtual Networks.
  • Microsoft Information Protection, to classify and optionally protect sensitive information.
  • Azure Key Vault, for securely storing and accessing secrets including API keys, passwords, certificates, or cryptographic keys.
  • Azure Kubernetes Service (AKS), an open source, fully managed container orchestration service to manage and deploy Docker containers.
  • Azure SQL Database, a fully managed PaaS database engine. This connector lets you stream the audit and diagnostic logs into Microsoft Sentinel.
  • An Azure storage account, a cloud solution for modern data storage scenarios.
  • DNS, to improve investigations for clients that try to resolve malicious domain names, talkative DNS clients, and other DNS health-related events.
  • Dynamics 365, for insights into admin, user, and support activities on this platform.
  • Microsoft 365 Defender, a consolidation of multiple connectors (Endpoint, Identity, Office 365, and Microsoft Cloud App Security (MCAS)).
  • Microsoft Defender for Cloud Apps, to gain visibility into connected cloud apps (SaaS), cloud services (IaaS and PaaS), and an analysis of firewall and proxy logs.
  • Microsoft Defender for Endpoint, a security platform designed to prevent, detect, investigate, and respond to advanced threats across all client devices.
  • Microsoft Defender for Identity, to gain visibility of the events and user analytics on Active Directory domain controllers.
  • Microsoft Defender for Office 365, to provide insights into ongoing user activities, such as file downloads, access requests, changes to group events, and mailbox activity. This solution also protects against advanced attacks delivered through email (such as phishing and whaling), Teams, SharePoint Online, and OneDrive for Business.
  • Threat intelligence – TAXII, a service to ingest TAXII v2.0- and v2.1-compatible data sources to enable monitoring, alerting, and hunting using threat intelligence.
  • Microsoft threat intelligence platforms, for integration with the Microsoft Graph Security API data sources. This connector is used to send threat indicators from Microsoft and third-party threat intelligence platforms.
  • Windows Firewall, if enabled on your servers and clients (recommended).
  • Azure WAF, to protect applications from common web vulnerabilities such as SQL injection and cross-site scripting.

Microsoft makes many of these log sources available to Microsoft Sentinel for no additional log storage charges, which could provide a significant cost saving when considering other SIEM tool options.

Other cloud platforms will provide similar capabilities, so review the options as part of your ongoing due diligence across your infrastructure and security landscape.

Whichever cloud platforms you choose to deploy, we encourage you to consider deploying suitable CWPP and CSPM solutions to provide additional protections against misconfiguration and compliance violations. These solutions can then forward events to Microsoft Sentinel for central reporting, alerting, and remediation.

In the next section, we will look at how you can integrate with private or on-premises infrastructure to ensure full coverage of your IT estate.
