Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AzureBootcamp2022: Understanding Azure Sentinel by Matthias Gessenay

AzureBootcamp2022: Understanding Azure Sentinel by Matthias Gessenay

This session is one of the sessions of Azure Bootcamp Switzerland 2022.

Microsoft Sentinel is your birds-eye view across the enterprise. Put the cloud and large-scale intelligence from decades of Microsoft security experience to work. Make your threat detection and response smarter and faster with artificial intelligence (AI). See Sentinel in Action with Sentinel2Go and see, how easy you can get started with you cloud based security information event management system.
🙂 MATTHIAS GESSENAY ⚡️ Azure Architect & Co-CEO @ Corporate Software | Azure MVP

Check out Matthias at: https://www.linkedin.com/in/matthias-gessenay/

More Decks by Azure Zurich User Group

Other Decks in Technology


  1. Matthias Gessenay 3 Corporate Software Cloud Architect Azure MVP Microsoft

    Certified Trainer • [email protected] • https://www.linkedin.com/in/matthias-gessenay • https://www.cloudspeed.io
  2. • This slidedeck is inspired from the great TechCommunity Post

    about how to become a Sentinel Ninja: https://techcommunity.microsoft.com/t5/azure- sentinel/become-an-azure-sentinel-ninja-the- complete-level-400-training/ba-p/1246310 • and was originally partly created by Ofer Shezaf, Principal Program Manager at Microsoft.
  3. Too many disconnected products 76% report increasing security data* 3.5M

    unfilled security jobs in 2021 Lack of automation 44% of alerts are never investigated IT deployment & maintenance Sophistication of threats Security operations challenges
  4. A cloud native SIEM For the Cloud And for on

    premises security information event management security orchestration automated response
  5. • Auto-scales • Easy collection from cloud sources • Avoid

    sending cloud telemetry downstream • Key log sources are free No brainer Advantages But there is more! • DevOps deployment and enforcement • Distributed • Cloud native-schema A SIEM native to the cloud
  6. Uses AI and automation to improve effectiveness Scales to support

    your growing digital estate Delivers instant value to your defenders
  7. Choose from a gallery of workbooks Customize or create your

    own workbooks using queries Take advantage of rich visualization options Gain insight into one or more data sources
  8. Choose from more than 100 built-in analytics rules Customize and

    create your own rules using KQL queries Correlate events with your threat intelligence and now with Microsoft URL intelligence Trigger automated playbooks
  9. • Detects anomalies using transferred learning • Fuses data sources

    to detect threats that span the kill chain • Simply connect your data and learning begins • Bring your own ML models
  10. Use incident to collect related alerts, events, and bookmarks Manage

    assignments and track status Add tags and comments Integrate with your ticketing system
  11. Navigate the relationships between related alerts, bookmarks, and entities Expand

    the scope using exploration queries View a timeline of related alerts, events, and bookmarks Gain deep insights into related entities – users, domains, and more
  12. Configure URL Entities in analytics rules Automatically trigger URL detonation

    Enrich alerts with Verdicts, Final URLs and Screen Shots (e.g. for phishing sites)
  13. Run built-in threat hunting queries - no prior query experience

    required Customize and create your own hunting queries using KQL Integrate hunting and investigations
  14. Search using free text or fields Tabulate your data Visualize

    query results Automatically detect and plot anomalies in data
  15. Bookmark notable data Start an investigation from a bookmark or

    add to an existing incident Monitor a live stream of new threat related activity
  16. Run in the Azure cloud Save as sharable HTML/JSON Query

    Azure Sentinel data Bring external data sources Use your language of choice - Python, SQL, KQL, R, …
  17. Build automated and scalable playbooks that integrate across tools Choose

    from a library of samples Create your own playbooks using 200+ built-in connectors Trigger a playbook from an alert or incident investigation
  18. Assign an Incident to an Analyst Open a Ticket (ServiceNow/Jira)

    Keep Incident Status in Sync Post in a Teams or Slack Channel Incident Management Enrichment + Investigation Lookup Geo for an IP Trigger Defender ATP Investigation Send Validation Email to User Block an IP Address Block User Access Trigger Conditional Access Isolate Machine Remediation