AzureBootcamp2022: Understanding Azure Sentinel by Matthias Gessenay

This session is one of the sessions of Azure Bootcamp Switzerland 2022.

Microsoft Sentinel is your bird's-eye view across the enterprise. Put the cloud and large-scale intelligence from decades of Microsoft security experience to work. Make your threat detection and response smarter and faster with artificial intelligence (AI). See Sentinel in action with Sentinel2Go and see how easily you can get started with your cloud-based security information and event management system.
🙂 MATTHIAS GESSENAY ⚡️ Azure Architect & Co-CEO @ Corporate Software | Azure MVP

Check out Matthias at: https://www.linkedin.com/in/matthias-gessenay/

Azure Zurich User Group

May 10, 2022


  1. Understanding Azure Sentinel

  2. None
  3. Matthias Gessenay, Corporate Software, Cloud Architect, Azure MVP, Microsoft Certified Trainer
    • Matthias.gessenay@corporatesoftware.ch
    • https://www.linkedin.com/in/matthias-gessenay
    • https://www.cloudspeed.io
  4. About this deck
    • This slide deck is inspired by the great TechCommunity post about how to become a Sentinel Ninja: https://techcommunity.microsoft.com/t5/azure-sentinel/become-an-azure-sentinel-ninja-the-complete-level-400-training/ba-p/1246310
    • Parts of it were originally created by Ofer Shezaf, Principal Program Manager at Microsoft.
  5. Security Operations Challenges
    • Expanding digital estate
  6. Security operations challenges
    • Too many disconnected products
    • 76% report increasing security data*
    • 3.5M unfilled security jobs in 2021
    • Lack of automation
    • 44% of alerts are never investigated
    • IT deployment & maintenance
    • Sophistication of threats
  7. A cloud-native SIEM, for the cloud and for on-premises
    • Security information and event management (SIEM)
    • Security orchestration and automated response (SOAR)
  8. Getting started with Sentinel2Go

  9. A SIEM native to the cloud
    No-brainer advantages:
    • Auto-scales
    • Easy collection from cloud sources
    • Avoid sending cloud telemetry downstream
    • Key log sources are free
    But there is more!
    • DevOps deployment and enforcement
    • Distributed
    • Cloud-native schema
  10. Cloud + Artificial Intelligence Security Operations Team

  11. Cloud + AI for the security operations team
    • Uses AI and automation to improve effectiveness
    • Scales to support your growing digital estate
    • Delivers instant value to your defenders
  12. The Sentinel lifecycle: Collect (visibility) → Detect (analytics) → Investigate (incidents, hunting) → Respond (automation)

  13. None
  14. Collection

  15. Collect security data at cloud scale from any source

  16. Visualization

  17. Workbooks
    • Choose from a gallery of workbooks
    • Customize or create your own workbooks using queries
    • Take advantage of rich visualization options
    • Gain insight into one or more data sources
  18. None
  19. None
  20. None
  21. Analytics

  22. Analytics rules
    • Choose from more than 100 built-in analytics rules
    • Customize and create your own rules using KQL queries
    • Correlate events with your threat intelligence, and now with Microsoft URL intelligence
    • Trigger automated playbooks
  23. Fusion and machine learning
    • Detects anomalies using transfer learning
    • Fuses data sources to detect threats that span the kill chain
    • Simply connect your data and learning begins
    • Bring your own ML models
  24. Incidents

  25. Incident management
    • Use incidents to collect related alerts, events, and bookmarks
    • Manage assignments and track status
    • Add tags and comments
    • Integrate with your ticketing system
  26. Investigation graph
    • Navigate the relationships between related alerts, bookmarks, and entities
    • Expand the scope using exploration queries
    • View a timeline of related alerts, events, and bookmarks
    • Gain deep insights into related entities: users, domains, and more
  27. URL detonation
    • Configure URL entities in analytics rules
    • Automatically trigger URL detonation
    • Enrich alerts with verdicts, final URLs and screenshots (e.g. for phishing sites)
  28. Hunting

  29. Hunting queries
    • Run built-in threat hunting queries, no prior query experience required
    • Customize and create your own hunting queries using KQL
    • Integrate hunting and investigations
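A worked KQL query for the analytics-rule and hunting slides above, added here as an example and not part of the deck: it correlates the last day of Azure AD sign-ins with active IP indicators from the ThreatIntelligenceIndicator table. The table and column names are the standard Sentinel schema; the lookback windows are assumed values.

```kql
// Added example, not from the deck: correlate sign-ins with threat intelligence.
// Works both as a scheduled analytics rule and as a hunting query.
let lookback = 1d;       // assumption: how far back to scan sign-ins
let ti_window = 14d;     // assumption: how far back to pull indicators
let ti_ips =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ti_window)
    | where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)
    | extend TI_IP = coalesce(NetworkIP, NetworkSourceIP)
    // keep only the latest record per indicator, then drop inactive or expired ones
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project TI_IP, ConfidenceScore, Description, IndicatorId;
SigninLogs
| where TimeGenerated >= ago(lookback)
| where isnotempty(IPAddress)
| join kind=inner ti_ips on $left.IPAddress == $right.TI_IP
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SignInAttempts = count(),
    Successful = countif(ResultType == "0"),   // ResultType "0" is a successful sign-in
    Apps = make_set(AppDisplayName, 10)
  by UserPrincipalName, IPAddress, ConfidenceScore, Description, IndicatorId
| order by Successful desc, SignInAttempts desc
```

When saving this as a scheduled analytics rule, map UserPrincipalName to the Account entity and IPAddress to the IP entity so the resulting incidents carry the entities the investigation graph navigates.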
  30. None
  31. Log exploration
    • Search using free text or fields
    • Tabulate your data
    • Visualize query results
    • Automatically detect and plot anomalies in data
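An added hunting example for the anomaly-detection bullet above (not part of the deck): it builds an hourly time series of failed sign-ins per user and flags spikes with the built-in series_decompose_anomalies() function. The bin size, lookback, threshold and minimum spike size are assumed values.

```kql
// Added example, not from the deck: plot and flag anomalous failed-sign-in spikes.
let lookback = 14d;       // assumption: window used to learn the per-user baseline
let bin_size = 1h;        // assumption: granularity of the time series
let min_failures = 10;    // assumption: ignore statistically anomalous but tiny spikes
SigninLogs
| where TimeGenerated >= ago(lookback)
| where ResultType != "0"    // any non-zero ResultType is a failed sign-in
| make-series Failures = count() default = 0
    on TimeGenerated from ago(lookback) to now() step bin_size
    by UserPrincipalName
// threshold 2.5, auto-detected seasonality (-1), linear trend fit
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Failures, 2.5, -1, 'linefit')
| mv-expand TimeGenerated to typeof(datetime), Failures to typeof(long),
            Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(double)
| where Anomalies > 0 and Failures >= min_failures   // positive anomalies only
| project TimeGenerated, UserPrincipalName, Failures, Baseline, Score
| order by Score desc
```

Drop the final mv-expand, where and project lines and append `| render anomalychart` to get the plotted series with anomalies highlighted instead of a table.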
  32. None
  33. None
  34. Bookmarks and livestream
    • Bookmark notable data
    • Start an investigation from a bookmark or add to an existing incident
    • Monitor a live stream of new threat-related activity
  35. Run in the Azure cloud
    • Save as shareable HTML/JSON
    • Query Azure Sentinel data
    • Bring external data sources
    • Use your language of choice: Python, SQL, KQL, R, …
  36. Automation

  37. Playbooks
    • Build automated and scalable playbooks that integrate across tools
    • Choose from a library of samples
    • Create your own playbooks using 200+ built-in connectors
    • Trigger a playbook from an alert or incident investigation
  38. None
  39. Playbook use cases
    Incident management:
    • Assign an incident to an analyst
    • Open a ticket (ServiceNow/Jira)
    • Keep incident status in sync
    • Post in a Teams or Slack channel
    Enrichment + investigation:
    • Look up geo for an IP
    • Trigger Defender ATP investigation
    • Send validation email to user
    Remediation:
    • Block an IP address
    • Block user access
    • Trigger Conditional Access
    • Isolate machine
  40. Strong Community Support

  41. Getting started with Sentinel2Go

  42. Questions?