The basics Flashcards
What is Azure Sentinel?
A cloud-native SIEM (Security Information and Event Management) platform provided by Microsoft.
How does Azure Sentinel work?
It uses AI to analyse data from your entire environment, helping you detect and respond to threats.
What can I use Azure Sentinel for?
- Centralized security monitoring: Collect data from all sources (on-premises, cloud, devices) and get a unified view of your security posture.
- Threat detection and investigation: Leverage built-in AI and threat intelligence to identify suspicious activity and quickly investigate potential threats.
- Proactive threat hunting: Uncover hidden threats and vulnerabilities before they cause damage.
- Automated response and remediation: Orchestrate actions to contain threats and minimize impact.
- Compliance reporting and auditing: Meet security regulations and track your security posture over time.
How do threats look in Azure Sentinel?
- Suspicious events: Unusual login attempts, high data transfers, malware detections, etc.
- Anomalies: Deviations from normal user or device behaviour, identified by AI.
- Correlated events: Seemingly unrelated events that, when combined, point to a potential threat.
- Indicators of compromise (IOCs): Known malicious signatures or patterns associated with specific threats.
- Threat intelligence feeds: Updated information about the latest threats and vulnerabilities.
What are some key features of Azure Sentinel?
- Cloud-native: Scalable and elastic, no need for on-premises infrastructure.
- Built-in AI: Reduces false positives and improves threat detection accuracy.
- Rich threat intelligence: Access to Microsoft’s vast security expertise and real-time threat data.
- Open and extensible: Integrates with other security tools and services.
- Cost-effective: Pay-as-you-go pricing based on data ingestion and storage.
What are the four pillars of Azure Sentinel?
Collect, detect, investigate, and respond
What is the query language used by Azure Sentinel?
Kusto Query Language (KQL)
How do you onboard Azure Sentinel to a Log Analytics workspace?
Search for Microsoft Sentinel and click “create”, then add Sentinel to the workspace or create a new one.
How do you deploy data connectors to start logging data from various sources?
On Sentinel’s GUI, select Data connectors, then click the connector you want to use and follow the instructions.
How does Azure Sentinel use AI to investigate threats and reduce false positives?
Azure Sentinel uses machine learning and knowledge based on analysing “trillions” of signals daily to correlate and prioritize alerts, and to provide guided investigation and hunting queries.
How do you respond to incidents rapidly with Azure Sentinel?
You can use built-in orchestration and automation of common tasks by using playbooks, which are based on Azure Logic Apps.
What are some of the data sources that Azure Sentinel can collect data from?
Azure, on-premises, and other cloud platforms, with built-in or custom connectors.
How does Azure Sentinel detect threats and minimize false positives?
It uses advanced analytics, machine learning, and threat intelligence.
How does Azure Sentinel investigate and hunt for suspicious activities?
It uses AI and interactive dashboards to investigate and hunt at scale.
How does Azure Sentinel respond to incidents quickly and efficiently?
It uses built-in or custom playbooks to automate and orchestrate tasks.