Index
A
Action Center, 39
Active Directory (AD). See Azure Active Directory (AD)
Active Directory Domain Services threats, 95–99
AD (Active Directory). See Azure Active Directory (AD)
Security Reader role, 44
Advanced Hunting, custom detection rules, 71–78
ADX (Azure Data Explorer), 195
AKS (Azure Defender for Azure Kubernetes), 165–166
alert API, creating, 70
alerts
investigating and remediating, 35–40
viewing on Timeline tab, 255
Amazon Web Service (AWS), 132, 140–143
AML (Azure Machine Learning) workspace, 298–299
Analytics Rule Wizard, 293, 295
analytics rules
attaching Playbooks to, 242
converting hunting queries to, 292–295
converting Livestream to, 292–294
creating, 231
cross-workspace, 257
customizing and optimizing, 225, 241–242
versus hunting queries, 277
triage incidents, 254
Anomaly rules, Azure Sentinel, 221
anti-phishing policies
impersonation protection, 14
phishing thresholds, 15
App Service, Azure Defender for, 166–167
ARM (Azure Resource Manager) templates, 163–164, 171–172, 246
attachments. See malicious attachments
attack simulation training, 24–30
automated message, configuring, 160
automated response
ARM (Azure Resource Manager) template, 163–164
configuring in Azure Security Center, 154–156
Automation page, Azure Sentinel, 237
Auto-Provisioning agent, 135
AWS (Amazon Web Service), 132, 140–143
Azure Active Directory (AD)
data connector, 201
identity protection notifications, 92
identity protection policies, 95
identity protection risks, 89–95
MFA (multifactor authentication), 92–95
Risky Sign-Ins, 90
risky users, 91
role-based access control, 43
Security Reader role, 44
Sign-in Analysis workbook, 272
Sign-In Risk Policy, 94
User Risk Policy, 94
Azure Activity data connector, 201–202
Azure Data Explorer (ADX), 195
Azure Defender
access control, 124
accessing security contact data, 181
adding servers to workspace, 137
Agents Management, 137
alert types for workloads, 164–173
best practices, 123
CLI (command-line interface) for installation, 139
cloud workload protection, 128–130
connecting AWS cloud resources, 140–143
connecting GCP cloud resources, 143–145
connecting on-premises computers, 136–140
data collection and resources, 133–135
data retention policies, 126–128
data sources for ingestion, 132–133
enabling, 131
enabling security control, 130
JIT (just-in-time) access feature, 181
Log Analytics workspace, 127
monitor pricing, 126
PaaS-related resources, 133
planning and configuring settings, 122–123
Pricing page for plans, 131
remediating incidents, 161–163
resources and data collection, 133–135
Security Solutions page, 132
Take Action tab, 163
target subscriptions and workspace, 122–123
user data discovered in investigations, 181
VM and workspace locations, 123
workspace control, 134
workspace ID and primary key, 139
Azure Defender alert rules
setting up email notifications, 150–151
validating alert configuration, 146–150
Azure Defender for Azure Kubernetes (AKS), 165–166
Azure Defender for Servers
Linux, 165
Azure Log Analytics, custom logs, 214–215
Azure Logic Apps
connector list, 236
security incident remediation, 242–243
signing in to Azure Sentinel, 239
template deployment, 248
Azure Machine Learning (ML) workspace, 298–299
Azure Monitor HTTP Data Collector API, 215
Azure portal
Analytics page, 221
Auto Provisioning settings, 134
navigating to, 126
Resource Groups page, 191
Azure Resource Manager (ARM) templates, 163–164, 171–172, 246
Azure Security Center
configuring automated response, 154–156
Security recommendations, 130
Azure Security Insights, 249
Azure Sentinel. See also SOAR (security orchestration, automation, and response)
Access Control (IAM) for resource group, 191
advanced visualizations, 269–271
alerting and remediation, 237
Analytic Templates, 230
CEF and Syslog event collections, 202–205
charts, 270
commitment tiers, 189
connector-provided scheduled queries, 229–230
Contributor rule, 190
custom scheduled queries, 230–231
Data Connectors gallery, 197
data retention, 193
Data Retention settings, 194
design considerations, 188–189
email connectors, 240
EPS (events per second), 205
Event IDS, 211
free data sources, 199
graphs, 271
grids, 271
guest users assigning incidents, 195
incident creation logic, 231
investigating incidents, 249–254
KQL (Kusto Query Language), 232–235
and Log Analytics, 186
Log Analytics workspace, 189, 194
lookback windows, 226
Microsoft Graph Security API, 198
multi-workspace incidents, 256–257
Outlook account, 240
Overview page, 197
permissions and built-in roles, 196
pricing calculator, 193
query results and bookmarks, 284–288
Reader rule, 190
Responder rule, 190
responding to incidents, 255–256
rules and data sources, 223
Security Events connector, 205
security operations efficiency workbooks, 274–276
signing in from Logic App designer, 239
Syslog and CEF event collections, 202–205
threat intelligence connectors, 211–214
tiles, 271
tracking incident metrics, 274–276
UEBA (user and entity behavior analytics), 257–261
IN USE analytic rules, 230
viewing and analyzing data, 272–274
Windows Events collections, 205–211
workbooks, 195, 262–269, 272–274
Azure Sentinel portal. See also threats
custom hunting queries, 277–279
hunting bookmarks for data investigations, 288–292
hunting queries and analytics rules, 292–295
hunting with notebooks, 295–300
Livestream for hunting queries, 281–284
monitoring hunting queries, 281–284
running hunting queries, 279–280
tracking queries with bookmarks, 284–288
Azure WAF (Web Application Firewall), 133
Azure Web Application Firewall (WAF), 133
Azure Windows Virtual Machines, Windows security event collection, 206–207
B
bookmarks. See also hunting bookmarks
exploring in investigation graph, 291–292
tracking query results, 284–288
C
CASB (Cloud App Security Broker), 99
CEF and Syslog event collections, 202–205
charts, Azure Sentinel workbook, 270
Cloud App Security Broker (CASB), 99
cloud applications, 104
Cloud Connector, configuring, 140–143
Cloud Security Posture Management (CSPM), 128
Cloud Workload Protection Platform (CWPP), 129
“collection is not detection,” 198
cost savings, looking for, 128
Count operator, KQL, 233
credential harvesting website, 3
cross-domain incidents
Add file has indicator, 116
Add URL/Domain Indicator, 115
Alerts view, 109
Devices tab, 108
Email Actions, 113
email and collaboration explorer query tool, 113
File page, 116
hunting query editor, 112
Impossible Travel Activity alert, 110
Inbox mail forwarding rule, 110
Incident page, 108
Manage Incident, 117
Suspend User, 108
Suspicious PowerShell Command Line alert, 111
URL page, 114
cross-workspace analytics rules, 257
CSPM (Cloud Security Posture Management), 128
custom logs, 214–220. See also Log Analytics
CWPP (Cloud Workload Protection Platform), 129
cybersecurity awareness program, 24
D
data connector vs. Logic App connector, 218
data investigations, hunting bookmarks, 288–292. See also investigation graphs
data loss prevention (DLP) alerts, 32–34
Detection Rule wizard, creating, 74
detections, customizing, 70–81
devices, Microsoft products for, 104
DLP (data loss prevention) alerts, 32–34
E
EDR (Endpoint Detection and Response), 53
email. See also spear fishing email
and Office documents, 104
protecting, 3
email connectors, Azure Sentinel, 240
email notifications, Azure Defender alert rules, 150–151
Endpoint Detection and Response (EDR), 53. See also Microsoft Defender for Endpoint
enrichment
automation in Azure Sentinel, 237
triage incidents, 255
EOP (Exchange Online Protection), 14
EPS (events per second), Azure Sentinel, 205
event ID, collection for Windows, 135
Event IDS, Azure Sentinel, 211
Exam Tips
Azure Sentinel, 256
cost savings on data, 128
custom workbooks, 266
data connectors for Azure Sentinel, 198
file activity store in cloud apps, 103
KQL queries, 232
metrics for SOC managers and KPIs, 276
remediation activities and exceptions, 83
remediation ideas, 243
rights to endpoint data, 47
Security Operations Efficiency workbook, 275
UEBA (user and entity behavior analytics), 261
Visualizations Demo workbook, 270
workbooks and KQL queries, 268
exceptions, creating and viewing, 88–89
Exchange Online Protection (EOP), 14
Extend operator, KQL, 233
F
Fusion rules, Azure Sentinel, 221
G
GCP (Google Cloud Platform), 132, 143–145
GDPR (General Data Protection Regulation), 181
General Data Protection Regulation (GDPR), 181
GitHub repository, 71
Google Cloud Platform (GCP), 132, 143–145
graphs, Azure Sentinel workbook, 271
grids, Azure Sentinel workbook, 271
H
HTTP Data Collector API, 214–215
hunting bookmarks, 288–292. See also bookmarks
hunting queries. See also notebooks; queries
converting to analytics rules, 292–295
monitoring using Livestream, 281–284
results on Logs page, 286
I
identity threats, identifying and responding to, 89–95. See also Microsoft Defender for Identity
impersonation protection, anti-phishing policies, 14
incident tab, posting comments on, 256
incidents
investigating and remediating, 35–37, 40
managing with Playbooks, 243–244
indicators, creating, 81
Indicators of compromise (IOCs), 78–79
insider risk, 34–35. See also risk management
investigation graphs, 251–253, 291–292. See also data investigations
IOCs (Indicators of compromise), 78–79, 211–212, 214
J
JIT (just-in-time) access feature, Azure Defender, 181
JSON Request Body format, Playbooks, 219
K
Key Vault, Azure Defender for, 170–171, 179–180
KQL (Kusto Query Language)
Advanced Hunting, 71
analytics rule, 226
query time parsing, 203
workbook templates, 268
Kubernetes, Azure Defender for Servers, 165–166
Kusto Query Language (KQL)
Advanced Hunting, 71
analytics rule, 226
query time parsing, 203
workbook templates, 268
L
Let operator, KQL, 233
Linux, Azure Defender for Servers, 165
Livestream
converting to analytics rule, 292–294
monitoring hunting queries, 281–284
Log Analytics. See also custom logs
and Azure Sentinel, 186
Azure Sentinel, 193
gateway, 206
queries, 71
Logic Apps
connector list, 236
security incident remediation, 242–243
signing in to Azure Sentinel, 239
template deployment, 248
Logs page, 294
M
Machine learning (ML) behavioral analytics, 221
Machine Learning page, 297
malicious spear phishing email, 2–3
MCAS (Microsoft Cloud App Security)
admin access, 99
Impossible Travel Policy, 101–102
risk domain, 104
threat detection policies, 99–102
Microsoft, threat protection products, 104
Microsoft 365, anti-phishing policies, 24
Microsoft 365 Defender, cross-domain incidents, 106–118
Microsoft 365 Defender Security portal
cross-domain incidents, 105–106
cross-domain investigations, 104–118
Incidents view, 56
resource, 118
Microsoft Defender
triggers and actions, 245
Microsoft Defender Credential Guard, 87–88
Microsoft Defender for Endpoint. See also Endpoint Detection and Response (EDR)
advanced settings, 53
Breach insights icon, 84
Classification and Status, 59
configuring, 41
data storage and privacy, 42
Demote Rank button, 51
Determination setting, 70
Device action menu, 63
Devices tab, 68
File menu, 66
investigation graph, 65
Investigation Summary, 68
IOCs (Indicators of compromise), 78–79
Manage incident, 69
permissions, 47
Promote Rank button, 51
Remediation Request wizard, 85
risk domain, 104
role-based access control, 43–51
roles, 43
security tasks, 86
setting up for deployment, 42
setting up for subscription, 41–43
Simulations & Tutorials, 55
Suppression Rule for alert, 62
User Access tab, 49
user groups, 46
Microsoft Defender for Identity. See also identity threats
Honeytoken configuration, 98
portal, 99
quick start guide, 95
risk domain, 104
User Directory Data, 98
Microsoft Defender for Office 365
remediation actions, 39
risk domain, 104
roles, 4
Safe Attachments policies, 13
Microsoft Graph Security API, Azure Sentinel, 198
Microsoft Intune Connection, 85
Microsoft security rules, Azure Sentinel, 221
Microsoft security service
alert connector, 228
Include/Exclude Specific Alerts, 229
Microsoft Threat Experts (MTE) service, 64
MITRE ATT&CK, 2, 57–58, 95, 148
ML (Machine learning) behavioral analytics, 221
Monitoring Agent Setup Wizard, 209
MTE (Microsoft Threat Experts) service, 64
N
notebooks, advanced hunting, 295–300. See also hunting queries
O
Office 365 roles, 4
OfficeActivity table, 233
OMS agent, installing, 203–204
Outlook account, signing into, 240
P
PaaS-related resources, Azure, 133
phishing thresholds, 15
Playbooks
across Microsoft Defender solutions, 244–249
attaching to analytics rules, 242
Azure Sentinel, 195
GitHub repository, 243
JSON Request Body format, 219
running against alerts, 256
running in Logic App Designer, 218
Project operator, KQL, 233
Q
queries, best practice, 73. See also hunting queries
query results, tracking with bookmarks, 284–288
query time parsing, KQL (Kusto Query Language), 203
R
RBAC (Role–Based Access Control), 124
remediating
remediation, activities, and exceptions, 83–89, 237
risk domains, 104
risk management, 34–35, 81–89. See also insider risk; security recommendations; vulnerability management
role groups, 24
Role–Based Access Control (RBAC), 124
Microsoft Defender for Endpoint, 43–51
roles, Office 365, 4
S
Saas (Software as a Service), 99–104
Safe Links policy, configuring, 3–9
Scheduled queries, Azure Sentinel, 221
Secure Hash Algorithm 1 (SHA1), 63
Security Events connector, Azure Sentinel, 205
security incident flow diagram, 105
security information and event management (SIEM), 185, 235
security operations center (SOC), 145, 224
Security Operations Efficiency workbook, 274–276
security orchestration, automation, and response (SOAR), 236–248
security recommendations, 81–89, 130. See also risk management
SecurityIncidents table, 250
SHA1 (Secure Hash Algorithm 1), 63
SHA256 hash, IOCs (Indicators of compromise), 78–79
SIEM (security information and event management)
solutions, 198
translating rules to KQL, 185, 235
simulations. See attack simulation training
SOAR (security orchestration, automation, and response), 236–248. See also Azure Sentinel
SOC (security operations center), 145, 224, 249
Sort operator, KQL, 233
spear fishing email, 2–3. See also email
SQL, Azure Defender for, 169–170
STIX (Structured Threat Information eXpression), 212
Storage, Azure Defender for, 167–168
Structured Threat Information eXpression (STIX), 212
Summarize operator, KQL, 233
suspicious user activity, detecting, 104
Syslog and CEF event collections, 202–205
T
Take operator, KQL, 233
TAXII (Trusted Automated eXchange of Indicator Information), 212–213
Threat & Vulnerability Dashboard, 82
Threat analytics, 118
threat intelligence, Azure Defender, 178–179
threat protection products, 104
threats. See also Azure Sentinel portal
identifying with UEBA, 257–261
TI (threat intelligence), custom connectors, 211–214
TI matching, triage incidents, 254
tiles, Azure Sentinel workbook, 271
Timeline tab, viewing alerts on, 255
Top operator, KQL, 233
Trusted Automated eXchange of Indicator Information (TAXII), 212–213
U
UEBA (user and entity behavior analytics), 104
uncoder.io tool, using with SIEMs, 235
user activity, detecting, 104
user and entity behavior analytics (UEBA), 257–261
user data, discovery during investigation, 181
V
Visualizations Demo workbook, 270
VMSS (VM Scale Set), 135
vulnerability management, 81–89. See also risk management
W
WAF (Web Application Firewall), 133
watchlists, triage incidents, 254
Web Application Firewall (WAF), 133
Where operator, KQL, 233
Windows, Azure Defender for Servers, 164–165
Windows Events collections, 205–211
Workbook template summary, 264
workbooks
parameters, 274
Workbooks gallery
Azure Sentinel, 263
saving workbooks in, 265