Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AzureBootcamp2022: Understanding Azure Sentinel by Matthias Gessenay

Azure Zurich User Group
PRO
May 10, 2022
Technology
0
17

AzureBootcamp2022: Understanding Azure Sentinel by Matthias Gessenay

This session is one of the sessions of Azure Bootcamp Switzerland 2022.
www.azurebootcamp.ch

Microsoft Sentinel is your birds-eye view across the enterprise. Put the cloud and large-scale intelligence from decades of Microsoft security experience to work. Make your threat detection and response smarter and faster with artificial intelligence (AI). See Sentinel in Action with Sentinel2Go and see, how easy you can get started with you cloud based security information event management system.
🙂 MATTHIAS GESSENAY ⚡️ Azure Architect & Co-CEO @ Corporate Software | Azure MVP

Check out Matthias at: https://www.linkedin.com/in/matthias-gessenay/

Azure Zurich User Group
PRO

May 10, 2022
Tweet

More Decks by Azure Zurich User Group

See All by Azure Zurich User Group
Aug23 [Slides]: HPC on Azure in the Financial Services Industry by Darko Mocelj
azurezurich
PRO
0
11
Container App Service Deep Dive by Mohammad Nofal
azurezurich
PRO
0
52
KEDA - Mastering Scale to Zero by Daniel Hasselwander
azurezurich
PRO
0
15
AzureBootcamp2023: Data Clean Rooms & Confidential Computing by David Sturzenegger & Primo Amrein
azurezurich
PRO
0
21
AzureBootcamp2023: Virtual Network Manager by Marcel Zehner
azurezurich
PRO
0
9
AzureBootcamp2023: Azure PaaS, but as private as possible by Stephan Graber
azurezurich
PRO
0
7
AzureBootcamp2023: Azure API Management by Michael Rüefli
azurezurich
PRO
0
6
AzureBootcamp2023: Eventdriven Systems on Azure done right by Robin Konrad
azurezurich
PRO
0
6
AzureBootcamp2023: Azure Networking vNext by Eric Berg
azurezurich
PRO
0
14

Other Decks in Technology

See All in Technology
アジャイルな組織を作るために開発チーム作成ガイドを書いた話 / Scrum Fest Mikawa 2023
ama_ch
3
1.6k
KARTEのAPIサーバ化
line_developers
PRO
1
240
S3から始めるAWS 〜S3の簡単なユースケースの紹介〜
kentosuzuki
1
100
フロントエンドの開発生産性とは
yosuke_furukawa
PRO
14
6.2k
バクラクのAI-OCR機能を支えるアノテーションの仕組み
tomoaki25
2
360
Androidアプリの良いユニットテストを考える / Thinking about good unit tests for Android apps
tkmnzm
3
1.8k
レイヤードアーキテクチャにおける 例外との向き合い方
yukihiromori
0
1.4k
Jetpack Glanceではじめる Material 3のColor
mochico
1
630
「挑戦しなければ障害は生まれない」 社内ポストモーテム共有会について
sheep_san_white
0
390
サーバーレスアーキテクチャを使って、小さく作って大きくする取り組み
daikimori
0
560
2023-09-05_OCIJP_まれによくあるマルチクラウドでDB-AP分離構成のこと
hk_shino
2
160
仲間から嫌われがちだった私が、アジャイルに出会い、仲間から慕われるようになるまでの道のり / I was often disliked by my peers, but then I met Agile, How I came to be admired by my peers
pauli
0
540

Featured

See All Featured
Being A Developer After 40
akosma
52
580k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
1.9k
Infographics Made Easy
chrislema
236
17k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
15
1.6k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
41
11k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
184
15k
Embracing the Ebb and Flow
colly
77
3.8k
From Idea to $5000 a Month in 5 Months
shpigford
376
45k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
49
15k
Rails Girls Zürich Keynote
gr2m
90
12k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k

Transcript

  1. Understanding Azure Sentinel

    View Slide

  2. View Slide

  3. Matthias Gessenay
    3
    Corporate Software
    Cloud Architect
    Azure MVP
    Microsoft Certified Trainer
    [email protected]
    • https://www.linkedin.com/in/matthias-gessenay
    • https://www.cloudspeed.io

    View Slide

  4. • This slidedeck is inspired from the great
    TechCommunity Post about how to become a
    Sentinel Ninja:
    https://techcommunity.microsoft.com/t5/azure-
    sentinel/become-an-azure-sentinel-ninja-the-
    complete-level-400-training/ba-p/1246310
    • and was originally partly created by Ofer Shezaf,
    Principal Program Manager at Microsoft.

    View Slide

  5. Security Operations Challenges
    Expanding digital estate

    View Slide

  6. Too many
    disconnected
    products
    76%
    report increasing
    security data*
    3.5M
    unfilled security
    jobs in 2021
    Lack of
    automation
    44%
    of alerts are
    never investigated
    IT deployment &
    maintenance
    Sophistication
    of threats
    Security operations challenges

    View Slide

  7. A cloud native SIEM For the Cloud And for on premises
    security information
    event management
    security orchestration
    automated response

    View Slide

  8. Getting started with Sentinel2Go

    View Slide

  9. • Auto-scales
    • Easy collection from cloud sources
    • Avoid sending cloud telemetry
    downstream
    • Key log sources are free
    No brainer Advantages
    But there is more!
    • DevOps deployment and
    enforcement
    • Distributed
    • Cloud native-schema
    A SIEM native
    to the cloud

    View Slide

  10. Cloud + Artificial Intelligence
    Security
    Operations Team

    View Slide

  11. Uses AI and automation to
    improve effectiveness
    Scales to support your
    growing digital estate
    Delivers instant value to
    your defenders

    View Slide

  12. Analytics
    Detect
    Collect
    Incidents Automation
    Visibility Hunting
    Investigate Respond

    View Slide

  13. View Slide

  14. Collection

    View Slide

  15. Collect security data at cloud scale from any source

    View Slide

  16. Visualization

    View Slide

  17. Choose from a gallery of workbooks
    Customize or create your own
    workbooks using queries
    Take advantage of rich visualization
    options
    Gain insight into one or more data
    sources

    View Slide

  18. View Slide

  19. View Slide

  20. View Slide

  21. Analytics

    View Slide

  22. Choose from more than 100 built-in
    analytics rules
    Customize and create your own rules
    using KQL queries
    Correlate events with your threat
    intelligence and now with Microsoft
    URL intelligence
    Trigger automated playbooks

    View Slide

  23. • Detects anomalies using
    transferred learning
    • Fuses data sources to detect
    threats that span the kill chain
    • Simply connect your data and
    learning begins
    • Bring your own ML models

    View Slide

  24. Incidents

    View Slide

  25. Use incident to collect related alerts,
    events, and bookmarks
    Manage assignments and track status
    Add tags and comments
    Integrate with your ticketing system

    View Slide

  26. Navigate the relationships between
    related alerts, bookmarks, and entities
    Expand the scope using exploration
    queries
    View a timeline of related alerts, events,
    and bookmarks
    Gain deep insights into related entities –
    users, domains, and more

    View Slide

  27. Configure URL Entities in analytics rules
    Automatically trigger URL detonation
    Enrich alerts with Verdicts, Final URLs and
    Screen Shots (e.g. for phishing sites)

    View Slide

  28. Hunting

    View Slide

  29. Run built-in threat hunting queries -
    no prior query experience required
    Customize and create your own
    hunting queries using KQL
    Integrate hunting and investigations

    View Slide

  30. View Slide

  31. Search using free text or fields
    Tabulate your data
    Visualize query results
    Automatically detect and plot
    anomalies in data

    View Slide

  32. View Slide

  33. View Slide

  34. Bookmark notable data
    Start an investigation from a
    bookmark or add to an existing
    incident
    Monitor a live stream of new threat
    related activity

    View Slide

  35. Run in the Azure cloud
    Save as sharable HTML/JSON
    Query Azure Sentinel data
    Bring external data sources
    Use your language of choice - Python,
    SQL, KQL, R, …

    View Slide

  36. Automation

    View Slide

  37. Build automated and scalable
    playbooks that integrate across tools
    Choose from a library of samples
    Create your own playbooks using 200+
    built-in connectors
    Trigger a playbook from an alert or
    incident investigation

    View Slide

  38. View Slide

  39. Assign an Incident to an Analyst
    Open a Ticket (ServiceNow/Jira)
    Keep Incident Status in Sync
    Post in a Teams or Slack Channel
    Incident Management Enrichment + Investigation
    Lookup Geo for an IP
    Trigger Defender ATP Investigation
    Send Validation Email to User
    Block an IP Address
    Block User Access
    Trigger Conditional Access
    Isolate Machine
    Remediation

    View Slide

  40. Strong Community Support

    View Slide

  41. Getting started with Sentinel2Go

    View Slide

  42. Questions?

    View Slide