Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AzureBootcamp2022: Understanding Azure Sentinel by Matthias Gessenay

AzureBootcamp2022: Understanding Azure Sentinel by Matthias Gessenay

This session is one of the sessions of Azure Bootcamp Switzerland 2022.
www.azurebootcamp.ch

Microsoft Sentinel is your birds-eye view across the enterprise. Put the cloud and large-scale intelligence from decades of Microsoft security experience to work. Make your threat detection and response smarter and faster with artificial intelligence (AI). See Sentinel in Action with Sentinel2Go and see, how easy you can get started with you cloud based security information event management system.
🙂 MATTHIAS GESSENAY ⚡️ Azure Architect & Co-CEO @ Corporate Software | Azure MVP

Check out Matthias at: https://www.linkedin.com/in/matthias-gessenay/

Azure Zurich User Group
PRO

May 10, 2022
Tweet

More Decks by Azure Zurich User Group

Other Decks in Technology

Transcript

  1. Understanding Azure Sentinel

    View Slide

  2. View Slide

  3. Matthias Gessenay
    3
    Corporate Software
    Cloud Architect
    Azure MVP
    Microsoft Certified Trainer
    • [email protected]
    • https://www.linkedin.com/in/matthias-gessenay
    • https://www.cloudspeed.io

    View Slide

  4. • This slidedeck is inspired from the great
    TechCommunity Post about how to become a
    Sentinel Ninja:
    https://techcommunity.microsoft.com/t5/azure-
    sentinel/become-an-azure-sentinel-ninja-the-
    complete-level-400-training/ba-p/1246310
    • and was originally partly created by Ofer Shezaf,
    Principal Program Manager at Microsoft.

    View Slide

  5. Security Operations Challenges
    Expanding digital estate

    View Slide

  6. Too many
    disconnected
    products
    76%
    report increasing
    security data*
    3.5M
    unfilled security
    jobs in 2021
    Lack of
    automation
    44%
    of alerts are
    never investigated
    IT deployment &
    maintenance
    Sophistication
    of threats
    Security operations challenges

    View Slide

  7. A cloud native SIEM For the Cloud And for on premises
    security information
    event management
    security orchestration
    automated response

    View Slide

  8. Getting started with Sentinel2Go

    View Slide

  9. • Auto-scales
    • Easy collection from cloud sources
    • Avoid sending cloud telemetry
    downstream
    • Key log sources are free
    No brainer Advantages
    But there is more!
    • DevOps deployment and
    enforcement
    • Distributed
    • Cloud native-schema
    A SIEM native
    to the cloud

    View Slide

  10. Cloud + Artificial Intelligence
    Security
    Operations Team

    View Slide

  11. Uses AI and automation to
    improve effectiveness
    Scales to support your
    growing digital estate
    Delivers instant value to
    your defenders

    View Slide

  12. Analytics
    Detect
    Collect
    Incidents Automation
    Visibility Hunting
    Investigate Respond

    View Slide

  13. View Slide

  14. Collection

    View Slide

  15. Collect security data at cloud scale from any source

    View Slide

  16. Visualization

    View Slide

  17. Choose from a gallery of workbooks
    Customize or create your own
    workbooks using queries
    Take advantage of rich visualization
    options
    Gain insight into one or more data
    sources

    View Slide

  18. View Slide

  19. View Slide

  20. View Slide

  21. Analytics

    View Slide

  22. Choose from more than 100 built-in
    analytics rules
    Customize and create your own rules
    using KQL queries
    Correlate events with your threat
    intelligence and now with Microsoft
    URL intelligence
    Trigger automated playbooks

    View Slide

  23. • Detects anomalies using
    transferred learning
    • Fuses data sources to detect
    threats that span the kill chain
    • Simply connect your data and
    learning begins
    • Bring your own ML models

    View Slide

  24. Incidents

    View Slide

  25. Use incident to collect related alerts,
    events, and bookmarks
    Manage assignments and track status
    Add tags and comments
    Integrate with your ticketing system

    View Slide

  26. Navigate the relationships between
    related alerts, bookmarks, and entities
    Expand the scope using exploration
    queries
    View a timeline of related alerts, events,
    and bookmarks
    Gain deep insights into related entities –
    users, domains, and more

    View Slide

  27. Configure URL Entities in analytics rules
    Automatically trigger URL detonation
    Enrich alerts with Verdicts, Final URLs and
    Screen Shots (e.g. for phishing sites)

    View Slide

  28. Hunting

    View Slide

  29. Run built-in threat hunting queries -
    no prior query experience required
    Customize and create your own
    hunting queries using KQL
    Integrate hunting and investigations

    View Slide

  30. View Slide

  31. Search using free text or fields
    Tabulate your data
    Visualize query results
    Automatically detect and plot
    anomalies in data

    View Slide

  32. View Slide

  33. View Slide

  34. Bookmark notable data
    Start an investigation from a
    bookmark or add to an existing
    incident
    Monitor a live stream of new threat
    related activity

    View Slide

  35. Run in the Azure cloud
    Save as sharable HTML/JSON
    Query Azure Sentinel data
    Bring external data sources
    Use your language of choice - Python,
    SQL, KQL, R, …

    View Slide

  36. Automation

    View Slide

  37. Build automated and scalable
    playbooks that integrate across tools
    Choose from a library of samples
    Create your own playbooks using 200+
    built-in connectors
    Trigger a playbook from an alert or
    incident investigation

    View Slide

  38. View Slide

  39. Assign an Incident to an Analyst
    Open a Ticket (ServiceNow/Jira)
    Keep Incident Status in Sync
    Post in a Teams or Slack Channel
    Incident Management Enrichment + Investigation
    Lookup Geo for an IP
    Trigger Defender ATP Investigation
    Send Validation Email to User
    Block an IP Address
    Block User Access
    Trigger Conditional Access
    Isolate Machine
    Remediation

    View Slide

  40. Strong Community Support

    View Slide

  41. Getting started with Sentinel2Go

    View Slide

  42. Questions?

    View Slide