Learn how to set up, configure, and use Microsoft Sentinel to provide security information and event management (SIEM) services for your multi-cloud environment

Key Features

  • Collect, normalize, and analyze security information from multiple data sources
  • Integrate AI, machine learning, built-in and custom threat analyses, and automation to build optimal security solutions
  • Detect and investigate possible security breaches to tackle complex and advanced cyber threats

Book Description

Microsoft Sentinel is a security information and event management (SIEM) tool developed by Microsoft that brings together cloud security data and artificial intelligence (AI). This book will enable you to implement Microsoft Sentinel and understand how it can help detect security incidents in your environment with integrated AI, threat analysis, and built-in and community-driven detection logic.

The book begins by introducing you to Microsoft Sentinel and Log Analytics. You'll then get to grips with data collection and management, before learning how to create effective Microsoft Sentinel queries to detect anomalous behaviors and activity patterns. Moving ahead, you'll learn about useful features such as entity behavior analytics and Microsoft Sentinel playbooks along with exploring the new bi-directional connector for ServiceNow. As you progress, you'll find out how to develop solutions that automate responses needed to handle security incidents. Finally, you'll grasp the latest developments in security, discover techniques to enhance your cloud security architecture, and explore how you can contribute to the security community.

By the end of this book, you'll know how to implement Microsoft Sentinel to fit your needs and be able to protect your environment from cyber threats and other security issues.

What you will learn

  • Implement Log Analytics and enable Microsoft Sentinel and data ingestion from multiple sources
  • Get to grips with coding using the Kusto Query Language (KQL)
  • Discover how to carry out threat hunting activities in Microsoft Sentinel
  • Connect Microsoft Sentinel to ServiceNow for automated ticketing
  • Find out how to detect threats and create automated responses for immediate resolution
  • Use triggers and actions with Microsoft Sentinel playbooks to perform automations

Who this book is for

If you are an IT professional with prior experience in other Microsoft security products and Azure and are now looking to expand your knowledge to incorporate Microsoft Sentinel, then this book is for you. Security experts using an alternative SIEM tool who want to adopt Microsoft Sentinel as an additional service or as a replacement will also find this book useful.

Table of Contents

  1. Microsoft Sentinel in Action
    1. Second Edition
  2. Contributors
  3. About the authors
  4. About the reviewers
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Share Your Thoughts
  6. Section 1: Design and Implementation
  7. Chapter 1: Getting Started with Microsoft Sentinel
    1. The current cloud security landscape
    2. The cloud security reference framework
    3. SOC platform components
    4. Mapping the SOC architecture
    5. Log management and data sources
    6. Operations platforms
    7. Threat intelligence and threat hunting
    8. SOC mapping summary
    9. Security solution integrations
    10. Cloud platform integrations
    11. Integrating with Amazon Web Services (AWS)
    12. Integrating with Google Cloud Platform (GCP)
    13. Integrating with Microsoft Azure
    14. Private infrastructure integrations
    15. Service pricing for Microsoft Sentinel
    16. Scenario mapping
    17. Step 1 – defining the new scenarios
    18. Step 2 – explaining the purpose
    19. Step 3 – the kill chain stage
    20. Step 4 – which solution will perform detection?
    21. Step 5 – what actions will occur instantly?
    22. Step 6 – severity and output
    23. Step 7 – what action should the analyst take?
    24. Summary
    25. Questions
    26. Further reading
  8. Chapter 2: Azure Monitor – Introduction to Log Analytics
    1. Technical requirements
    2. Introduction to Azure Monitor Log Analytics
    3. Planning a workspace
    4. Creating a workspace using the portal
    5. Creating a workspace using PowerShell or the CLI
    6. Creating an Azure Resource Manager template
    7. Using PowerShell
    8. Using the CLI
    9. Exploring the Overview page
    10. Managing permissions for the workspace
    11. Enabling Microsoft Sentinel
    12. Exploring the Microsoft Sentinel Overview page
    13. The header bar
    14. The summary bar
    15. The Events and alerts over time section
    16. The Recent incidents section
    17. The Data source anomalies section
    18. The Potential malicious events section
    19. The Democratize ML for your SecOps section
    20. Connecting your first data source
    21. Obtaining information from Azure virtual machines
    22. Advanced settings for Log Analytics
    23. Agents management
    24. The Agents configuration options
    25. Computer Groups
    26. Summary
    27. Questions
    28. Further reading
  9. Section 2: Data Connectors, Management, and Queries
  10. Chapter 3: Managing and Collecting Data
    1. Choosing data that matters
    2. Understanding connectors
    3. Native connections – service to service
    4. Direct connections – service to service
    5. API connections
    6. Agent-based
    7. Configuring Microsoft Sentinel connectors
    8. Configuring Log Analytics storage options
    9. Calculating the cost of data ingestion and retention
    10. Reviewing alternative storage options
    11. Summary
    12. Questions
    13. Further reading
  11. Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel
    1. Introduction to TI
    2. Understanding STIX and TAXII
    3. Choosing the right intel feeds for your needs
    4. Implementing TI connectors
    5. Enabling the data connector
    6. Registering an app in Azure AD
    7. Configuring the MineMeld TI feed
    8. Confirming the data is being ingested for use by Microsoft Sentinel
    9. Summary
    10. Questions
    11. Further reading
  12. Chapter 5: Using the Kusto Query Language (KQL)
    1. Running KQL queries
    2. Introduction to KQL commands
    3. Tabular operators
    4. Query statements
    5. The let statement
    6. Scalar functions
    7. The ago() function
    8. String operators
    9. Summary
    10. Questions
    11. Further reading
  13. Chapter 6: Microsoft Sentinel Logs and Writing Queries
    1. An introduction to the Microsoft Sentinel Logs page
    2. Navigating through the Logs page
    3. The page header
    4. The Tables pane
    5. The Queries pane
    6. The Functions pane
    7. The Filter pane
    8. The KQL code window
    9. Running a query
    10. The Results window
    11. Learn more
    12. Writing a query
    13. The billable data ingested
    14. Map view of logins
    15. Other useful tables
    16. Summary
    17. Questions
    18. Further reading
  14. Section 3: Security Threat Hunting
  15. Chapter 7: Creating Analytic Rules
    1. An introduction to Microsoft Sentinel Analytics
    2. Types of analytic rules
    3. Navigating through the Analytics home page
    4. Creating an analytic rule
    5. Creating a rule from a rule template
    6. Creating a new rule using the wizard
    7. Managing analytic rules
    8. Summary
    9. Questions
    10. Further reading
  16. Chapter 8: Creating and Using Workbooks
    1. An overview of the Workbooks page
    2. The workbook header
    3. The Templates view
    4. Workbook detail view
    5. Missing required data types
    6. Saved template buttons
    7. Walking through an existing workbook
    8. Creating workbooks
    9. Creating a workbook using a template
    10. Creating a new workbook from scratch
    11. Editing a workbook
    12. Advanced editing
    13. Managing workbooks
    14. Workbook step types
    15. Text
    16. Query
    17. Metric
    18. Parameters
    19. Links/tabs
    20. Groups
    21. Advanced Settings
    22. Style
    23. Summary
    24. Questions
    25. Further reading
  17. Chapter 9: Incident Management
    1. Using the Microsoft Sentinel Incidents page
    2. The header bar
    3. The summary bar
    4. The search and filtering section
    5. Incident listing
    6. Incident details pane
    7. Using the Actions button
    8. Exploring the full details page
    9. The Timeline tab
    10. The Alerts tab
    11. The Bookmarks tab
    12. The Entities tab
    13. The Comments tab
    14. Investigating an incident
    15. Showing related alerts
    16. The Timeline button
    17. The Info button
    18. The Entities button
    19. The Insights button
    20. The Help button
    21. Summary
    22. Questions
    23. Further reading
  18. Chapter 10: Configuring and Using Entity Behavior
    1. Introduction to Microsoft Sentinel Entity behavior
    2. Enabling Entity behavior
    3. Overview of the Entity behavior page
    4. The header bar
    5. The search section
    6. Entities with alerts
    7. Overview of the Entity behavior details page
    8. Identifying information
    9. Notable events
    10. Insights
    11. Creating Entity behavior queries
    12. Header bar
    13. Activities list
    14. Activity details pane
    15. Adding a new activity
    16. Summary
    17. Questions
    18. Further reading
  19. Chapter 11: Threat Hunting in Microsoft Sentinel
    1. Introducing the Microsoft Sentinel Hunting page
    2. The header bar
    3. The summary bar
    4. The hunting queries list
    5. Hunting query details pane
    6. Working with Microsoft Sentinel hunting queries
    7. Adding a new query
    8. Editing a query
    9. Cloning a query
    10. Deleting a query
    11. Adding to Livestream
    12. Creating an analytics rule
    13. Working with livestream
    14. Working with bookmarks
    15. Creating a bookmark
    16. Viewing bookmarks
    17. Associating a bookmark with an incident
    18. Using Microsoft Sentinel notebooks
    19. The header bar
    20. The summary bar
    21. The notebook list
    22. The notebook details pane
    23. Creating a workspace
    24. Performing a hunt
    25. Developing a premise
    26. Determining data
    27. Planning a hunt
    28. Executing an investigation
    29. Responding
    30. Monitoring
    31. Improving
    32. Summary
    33. Questions
    34. Further reading
  20. Section 4: Integration and Automation
  21. Chapter 12: Creating Playbooks and Automation
    1. Introduction to Microsoft Sentinel playbooks
    2. Introduction to Microsoft Sentinel Automation
    3. The header bar
    4. The summary bar
    5. Automation rules listing
    6. Adding a new automation rule
    7. Playbook pricing
    8. Types of playbooks
    9. Overview of the Microsoft Sentinel connector
    10. Exploring the Playbooks tab
    11. Logic app listing
    12. Logic app settings page
    13. The menu bar
    14. The header bar
    15. The essentials section
    16. The Runs history section
    17. Creating a new playbook
    18. Using the Logic Apps Designer page
    19. The Logic Apps Designer header bar
    20. The Logic Apps Designer workflow editor section
    21. Creating a simple Microsoft Sentinel playbook
    22. Summary
    23. Questions
    24. Further reading
  22. Chapter 13: ServiceNow Integration for Alert and Case Management
    1. A brief history of Microsoft Sentinel and ServiceNow integration
    2. Integrating Microsoft Sentinel with ServiceNow ITSM using Microsoft Sentinel Logic Apps
    3. Integrating Azure security alert sources (not just Sentinel) with ServiceNow Security Incident Response via the Microsoft Graph Security API
    4. Integrating Microsoft Sentinel with ServiceNow Security Incident Response via an API directly to Microsoft Sentinel
    5. Steps to integrate Microsoft Sentinel with ServiceNow
    6. Configuring the Microsoft Azure portal
    7. Installing the Microsoft Sentinel integration plugin in ServiceNow
    8. Configuring the ServiceNow Sentinel plugin to authenticate to Microsoft Sentinel
    9. Creating profiles in the ServiceNow Sentinel integration plugin
    10. Summary
  23. Section 5: Operational Guidance
  24. Chapter 14: Operational Tasks for Microsoft Sentinel
    1. Dividing SOC duties
    2. SOC engineers
    3. SOC analysts
    4. Operational tasks for SOC engineers
    5. Daily tasks
    6. Weekly tasks
    7. Monthly tasks
    8. Ad hoc tasks
    9. Operational tasks for SOC analysts
    10. Daily tasks
    11. Weekly tasks
    12. Monthly tasks
    13. Ad hoc tasks
    14. Summary
    15. Questions
  25. Chapter 15: Constant Learning and Community Contribution
    1. Official resources from Microsoft
    2. Official documentation
    3. Tech community – blogs
    4. Tech community – forums
    5. Feature requests
    6. LinkedIn groups
    7. Other resources
    8. Resources for SOC operations
    9. MITRE ATT&CK® framework
    10. National Institute of Standards and Technology (NIST)
    11. Using GitHub
    12. GitHub for Microsoft Sentinel
    13. GitHub for community contribution
    14. Specific components and supporting technologies
    15. Kusto Query Language
    16. Jupyter Notebook
    17. Machine learning with Fusion
    18. Azure Logic Apps
    19. Summary
  26. Assessments
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 14
    14. Why subscribe?
  27. Other Books You May Enjoy
    1. Work with AKS (Azure Kubernetes Service) and use it with service mesh technologies to design a microservices hosting platform
    2. Packt is searching for authors like you
    3. Share Your Thoughts