Describe security capabilities of Microsoft Sentinel Flashcards
SIEM and SOAR
- Protecting an organization’s digital estate and data from security breaches is a growing challenge, especially with the rise of remote work.
- SIEM (Security Information and Event Management) is a system that collects data from various sources within an organization’s infrastructure, software, and resources.
- SIEM analyses the collected data, identifies correlations or anomalies, and generates alerts and incidents to provide security insights.
- SOAR (Security Orchestration Automated Response) complements SIEM by taking alerts from multiple sources, including SIEM systems.
- SOAR automates security workflows and processes, triggering action-driven responses to mitigate security issues and threats.
- By combining SIEM and SOAR, organizations can take a comprehensive approach to security, enhancing threat visibility and enabling automated responses to security incidents.
- SIEM and SOAR provide security teams with the tools and insights necessary to effectively detect, investigate, and respond to security threats and attacks.
Microsoft Sentinel
- Microsoft Sentinel is a scalable, cloud-native SIEM/SOAR solution that provides intelligent security analytics and threat intelligence across the enterprise.
- It offers a comprehensive solution for alert detection, threat visibility, proactive hunting, and threat response.
- Collect data at cloud scale from various sources including users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
- Utilize advanced analytics and threat intelligence to detect previously undetected threats and minimize false positives.
- Leverage artificial intelligence (AI) to investigate threats and hunt suspicious activities at scale, benefiting from Microsoft’s decades of cybersecurity expertise.
- Respond to security incidents rapidly with built-in orchestration and automation of common security tasks.
- Microsoft Sentinel enables organizations to establish modern Security Operations Centres (SOCs) and streamline their security operations.
- It provides end-to-end security operations, allowing security teams to effectively manage and respond to security threats.
- Microsoft Sentinel is designed to scale with the organization’s needs and provides a centralized platform for security operations.
Connecting Microsoft Sentinel to your data
- Onboarding Microsoft Sentinel requires connecting it to your security sources.
- Microsoft Sentinel includes out-of-the-box connectors for various Microsoft solutions, providing real-time integration. This includes Microsoft 365 Defender solutions and Microsoft 365 sources such as Office 365 and Azure AD.
- There are also built-in connectors to integrate with non-Microsoft security solutions, enabling you to leverage the broader security ecosystem.
- Community-built data connectors are available in the Microsoft Sentinel GitHub repository, offering additional options for connecting your data sources.
- To connect your data sources, you can follow the deployment procedures specific to your source. Generic deployment procedures are provided to guide you through the process.
- The “Learn more” section in the summary and resources unit provides links to additional information and resources to help you connect your data sources to Microsoft Sentinel.
Azure Monitor Workbooks
- Azure Monitor Workbooks enable you to monitor and analyse data from Microsoft Sentinel.
- Workbooks provide a canvas for data analysis and the creation of visual reports within the Azure portal.
- With Microsoft Sentinel integration, you can create custom workbooks tailored to your specific data and analysis needs.
- Built-in workbook templates are available in Microsoft Sentinel, offering pre-designed visualizations and insights across your data.
- By connecting your data sources to Microsoft Sentinel, you can leverage these workbooks to gain quick insights and visualize your security data.
- Workbooks provide a flexible and customizable way to explore and present your data within the Azure portal.
- Through the use of workbooks, you can enhance your understanding of security incidents, trends, and overall security posture.
- Workbooks in Azure Monitor are a powerful tool to support data analysis, reporting, and visualization in Microsoft Sentinel.
Analytics in Microsoft Sentinel
- Microsoft Sentinel uses analytics to correlate alerts and group them into incidents, which represent actionable possible threats.
- Incidents in Microsoft Sentinel consist of related alerts that collectively indicate a potential security issue requiring investigation and resolution.
- Built-in correlation rules are available in Microsoft Sentinel to help with the detection and grouping of alerts into incidents.
- You can leverage the built-in correlation rules as they are, or customize them to align with your organization’s specific security requirements.
- Microsoft Sentinel also offers machine learning rules that analyse network behaviour and identify anomalies across your resources.
- These analytics capabilities in Microsoft Sentinel enable the identification of potential security incidents by connecting and combining low-fidelity alerts related to different entities.
- By leveraging analytics, Microsoft Sentinel enhances the accuracy and effectiveness of threat detection and response.
- Analytics help to uncover patterns, anomalies, and potential threats that may go unnoticed when analysing individual alerts in isolation.
- The use of analytics in Microsoft Sentinel provides a holistic view of the security landscape and enables proactive threat hunting and incident response.
Managing incidents in Microsoft Sentinel
- Incident management in Microsoft Sentinel enables the effective handling and tracking of security incidents throughout their lifecycle.
- Within an incident, you can view all related alerts that have been aggregated into the incident, providing a consolidated view of the security event.
- The incident management process involves triaging and investigating the alerts and related entities to gain a comprehensive understanding of the incident’s scope and impact.
- Microsoft Sentinel provides additional contextual information relevant to the triage process, facilitating informed decision-making during incident analysis.
- Playbooks can be triggered on the alerts grouped within an incident to initiate automated response actions and resolve the detected threats.
- Incident management in Microsoft Sentinel includes standard tasks such as changing the incident status or assigning incidents to specific individuals for further investigation.
- Through the incident management capabilities, you can track and document the progress and resolution of security incidents, ensuring a systematic and organized approach to incident response.
- Microsoft Sentinel offers a centralized interface for incident management, streamlining the process and improving collaboration among security teams.
- The ability to manage incidents in Microsoft Sentinel enhances efficiency, reduces response times, and helps mitigate the impact of security breaches on the organization.
Security automation and orchestration in Microsoft Sentinel
- Microsoft Sentinel enables security automation and orchestration, allowing you to automate repetitive security tasks and streamline your security operations centre (SOC) processes.
- Integration with Azure Logic Apps empowers you to create automated workflows, known as playbooks, in response to security events or incidents.
- A security playbook in Microsoft Sentinel is a collection of procedures and actions that can be executed in a coordinated manner to automate and simplify security tasks.
- Playbooks are designed to be flexible and accessible to SOC engineers and analysts of all skill levels, requiring no coding knowledge.
- With playbooks, you can automate single, repeatable tasks, such as triaging alerts, enriching data, or executing predefined response actions.
- Playbooks help improve SOC productivity by reducing manual effort, accelerating incident response, and ensuring consistent and standardized security operations.
- Microsoft Sentinel provides built-in playbook templates that offer preconfigured actions and workflows for common security scenarios, allowing you to quickly deploy automation capabilities.
- Custom playbooks can be created to address specific security requirements and tailored to the unique needs of your organization.
- Security automation and orchestration in Microsoft Sentinel enhance operational efficiency, enable faster response times, and support effective incident management within your SOC.
- By automating routine security tasks, you can free up resources to focus on more complex analysis and investigation, enhancing the overall effectiveness of your security operations.
Investigation
Microsoft Sentinel offers deep investigation tools that assist in understanding the scope of potential security threats and identifying their root causes.
The deep investigation tools are currently in preview, providing an interactive and intuitive way to analyse security incidents and investigate suspicious activities.
Hunting
Use Microsoft Sentinel’s powerful hunting search-and-query tools, based on the MITRE framework (a global database of adversary tactics and techniques), to proactively hunt for security threats across your organization’s data sources, before an alert is triggered.
After you discover which hunting query provides high-value insights into possible attacks, you can also create custom detection rules based on your query, and surface those insights as alerts to your security incident responders.
While hunting, you can bookmark interesting events. Bookmarking events enables you to return to them later, share them with others, and group them with other correlating events to create a compelling incident for investigation.
Notebooks
Microsoft Sentinel supports Jupyter notebooks.
Jupyter Notebook is an open-source web application that allows you to create and share documents that contain live code, equations, visualizations, and narrative text.
You can use Jupyter notebooks in Microsoft Sentinel to extend the scope of what you can do with Microsoft Sentinel data.
For example, you can perform analytics that aren’t built into Microsoft Sentinel, such as some Python machine learning features; create data visualizations that aren’t built into Microsoft Sentinel, such as custom timelines and process trees; or integrate data sources outside of Microsoft Sentinel, such as an on-premises data set.
Community
The Microsoft Sentinel community is a powerful resource for threat detection and automation.
Microsoft security analysts constantly create and add new workbooks, playbooks, hunting queries, and more, posting them to the community for you to use in your environment.
You can download sample content from the private community GitHub repository to create custom workbooks, hunting queries, notebooks, and playbooks for Microsoft Sentinel.
Understand Sentinel costs
Microsoft Sentinel provides intelligent security analytics across your enterprise.
The data for this analysis is stored in an Azure Monitor Log Analytics workspace.
Billing is based on the volume of data ingested for analysis in Microsoft Sentinel and stored in the Azure Monitor Log Analytics workspace.
There are two ways to pay for the Microsoft Sentinel service: Capacity Reservations and Pay-As-You-Go.
Capacity Reservations: With Capacity Reservations, you’re billed a fixed fee based on the selected tier, enabling a predictable total cost for Microsoft Sentinel.
Pay-As-You-Go: With Pay-As-You-Go pricing, you’re billed per gigabyte (GB) for the volume of data ingested for analysis in Microsoft Sentinel and stored in the Azure Monitor Log Analytics workspace.
As the lead admin, you need to convince your team to start using Microsoft Sentinel, and you’ve put together a presentation. What are the four security operation areas of Microsoft Sentinel that cover this area?
A. Collect, Detect, Investigate, and Redirect.
B. Collect, Detect, Investigate, and Respond.
C. Collect, Detect, Investigate, and Repair.
B. Collect, Detect, Investigate, and Respond.
A SIEM/SOAR solution uses collect, detect, investigate, and respond to identify and protect your organization’s network perimeter.
Your estate has many different data sources where data is stored. Which tool should be used with Microsoft Sentinel to quickly gain insights across your data as soon as a data source is connected?
A. Azure Monitor Workbooks.
B. Playbooks.
C. Microsoft 365 Defender.
A. Azure Monitor Workbooks.
Using the Microsoft Sentinel integration with Azure Monitor Workbooks allows you to monitor data and provides versatility in creating custom workbooks.