Chapter 13: Operational Tasks for Azure Sentinel

As with any service or solution, an ongoing maintenance routine is a critical process to ensure timely service improvements, maintain operational efficiency and cost control, and —most importantly— ensure the service remains highly effective in detecting and responding to security issues.

In general, Security Operations Center (SOC) operations are performed by two distinct roles: SOC engineers and SOC analysts. In a small organization, this may be a single person carrying out both roles; in larger organizations, these roles will span many teams and will be carried out by dedicated professionals. In this chapter, we will provide details of the daily, weekly, and monthly tasks required for each role, and any ad hoc tasks that should be carried out as required.

The information in this chapter is meant to provide a starting point for your own planning and ongoing improvement, so you can carry out the necessary processes to produce a high-performing team and a well-managed Azure Sentinel solution.

In this chapter, we will cover the following topics:

  • Dividing SOC duties
  • Operational tasks for SOC engineers
  • Operational tasks for SOC analysts

Dividing SOC duties

A well-developed SOC will be made up of multiple roles, to divide responsibilities and ensure that each individual can focus on their specific tasks. Depending on the size of the team, there could be many roles and many layers of management, leadership, and expertise, or it could be a smaller team in which two or three individuals carry out all the roles between them.

At a high level, the operation of an SOC will require experts that know how to install and maintain the technology solutions required to run the SOC (SOC engineers), and another set of experts that are able to use the solutions to hunt for threats and respond to security incidents (SOC analysts). These two roles work together to provide constant feedback on what works well, and where improvements are required.

Let’s review the primary differences between the two main roles, to understand the type of operational tasks they might need to carry out.

SOC engineers

SOC engineers are responsible for the initial design and configuration of Azure Sentinel, including the connection of data sources, configuring any threat intelligence (TI) feeds, and securing access to the platform and the data contained within.

Once the service is operational, SOC engineers are then responsible for ongoing improvements, creating analytic rules for threat detection, and fine-tuning to ensure the service remains operationally cost-effective and efficient.

SOC engineers will implement new features made available by Microsoft, and develop automations and other improvements based on feedback from SOC analysts.

SOC analysts

SOC analysts focus on using the tools and data available to respond to alerts and hunt for other threats that may not have been automatically detected.

This role relies on the continuous development of new detection methods, the advancement and integration of machine learning algorithms, and the automation of threat responses to ensure SOC analysts can react quickly to new alerts.

To ensure they can focus on threat detection, SOC analysts offload the tooling and rule configuration to SOC engineers, allowing them to create and maintain their playbooks, and define their standard operating procedures for identifying and responding to suspicious events and behaviors.

Operational tasks for SOC engineers

In this section, we will provide an initial list of tasks that have been identified as engineering tasks. You can use this list as a starting point, and then add your own tasks based on what works for your specific requirements. Each component that is added to the SOC architecture will have its own task requirements—for example, if you integrate a Cloud Access Security Broker (CASB) solution, you will need to carry out similar tasks within that platform to ensure it is well maintained and sending the appropriate information to Azure Sentinel.

Daily tasks

A list of daily tasks is as follows:

  • Monitor the service health of all core components such as the Azure platform, Azure Active Directory (AD) for identity and access management (IAM), and any data collection servers (syslog), ensuring dashboards are available and alerts are triggering as expected.
  • Review the planned maintenance, service health, and availability monitoring of the Microsoft Azure platform, using the following resources:

Weekly tasks

A list of weekly tasks is as follows:

  • Review the Data connectors page for any new or preview connectors, and updates to existing connectors. Ensure each connector that is enabled is still functioning correctly.
  • Review the Workbooks page for new workbook templates and any new updates, and ensure existing workbooks are functioning correctly.
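One way to check that each enabled connector is still sending data, as an added KQL example that is not from the book; it lists the most recent record per table and flags tables that have been silent for more than 24 hours (that threshold and the 7-day lookback are assumptions to tune per environment):

```kql
// Added example (not from the book): last record seen per table in the
// workspace, to spot enabled connectors that have silently stopped sending.
// union * scans every table, so keep the lookback short to control cost.
union withsource = TableName *
| where TimeGenerated > ago(7d)
| summarize LastRecord = max(TimeGenerated), Records7d = count() by TableName
| extend HoursSilent = datetime_diff('hour', now(), LastRecord)
| where HoursSilent > 24          // assumed threshold; tune per data source
| order by HoursSilent desc
```

A table that has sent nothing for the whole lookback window does not appear in the result at all, so compare the output against the list of connectors enabled on the Data connectors page rather than relying on the query alone.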

Monthly tasks

A list of monthly tasks is as follows:

  • Review the trends for data ingestion to carry out projected cost analysis; adjust the pricing tier to reflect the most cost-effective option (see the Service pricing for Azure Sentinel section in Chapter 1, Getting Started with Azure Sentinel for more details).
  • Validate the quality of the logs ingested and carry out noise-reduction tuning, especially after the introduction of new data sources.
  • Carry out a scenario-mapping exercise with SOC analysts to identify additional detection and response requirements (see the Scenario mapping section in Chapter 1, Getting Started with Azure Sentinel for more details). Transfer this knowledge to key stakeholders across business and technology teams.
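To support the monthly ingestion and cost review, the following added KQL query (not from the book) compares billable ingestion per data type over the last 30 days with the 30 days before it, and extrapolates next month's volume from that change; the Usage table's Quantity column is in MB, and the straight-line projection is a simplifying assumption:

```kql
// Added example (not from the book): billable ingestion per data type,
// previous 30 days versus current 30 days, with a naive projection for
// the next month. Use the output to decide whether the pricing tier or
// a noisy source needs attention.
Usage
| where TimeGenerated > ago(60d)
| where IsBillable == true
| summarize
    PreviousGB = round(sumif(Quantity, TimeGenerated <= ago(30d)) / 1024, 2),
    CurrentGB  = round(sumif(Quantity, TimeGenerated >  ago(30d)) / 1024, 2)
  by DataType
| extend ChangePct = iff(PreviousGB > 0,
                         round((CurrentGB - PreviousGB) / PreviousGB * 100, 1),
                         real(null))
// Assumes the same growth rate continues; a new source with no previous
// month shows a null change and is projected flat.
| extend ProjectedNextMonthGB = round(CurrentGB * (1 + coalesce(ChangePct, 0.0) / 100), 2)
| order by CurrentGB desc
```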

Ad hoc tasks

A list of ad hoc tasks is as follows:

  • Review any changes made to the IT infrastructure; look for opportunities to integrate additional log data to gain key insights; and configure automated responses based on attack scenarios.
  • Review announcements from Microsoft for potential changes to the Azure Sentinel platform, and any integrated services and solutions. If you have them, also check third-party announcements.
  • Update the Azure Sentinel architecture documentation to reflect changes made.
  • Engage with external services that offer advanced security practices to further test and train your SOC capabilities, including penetration testing, social engineering, and Purple Team activities.

Operational tasks for SOC analysts

In this section, we will provide an initial list of tasks that have been identified as operational requirements for SOC analysts. These tasks focus on the work required to create, maintain, and organize Azure Sentinel components to ensure operational efficiency.

Daily tasks

A list of daily tasks is as follows:

  • Check the Incidents page to ensure any new incidents are assigned to an owner, and all open or in-progress incidents are actively investigated until completion.
  • Go to the Hunting page and select Run all queries.
  • Review TI sources for current activities and new findings; apply findings to your threat-hunting procedures.

Weekly tasks

A list of weekly tasks is as follows:

  • Go to the Hunting page and review all bookmarks that have been created, ensuring they are still associated with an active incident. Aim to keep this list short by deleting those that are no longer relevant.
  • Review TI feeds to ensure they are still active; look for recommended new TI feeds relevant to the specific industry and region.
  • Review all existing analytics queries; check those that are disabled, and decide whether they should be removed or enabled. For all active queries, review the following:

Monthly tasks

A list of monthly tasks is as follows:

  • Carry out a scenario-mapping exercise with SOC engineers to identify additional detection and response requirements (see the Scenario mapping section in Chapter 1, Getting Started with Azure Sentinel for more details). Transfer this knowledge to key stakeholders across business and technology teams.
  • Review all Azure Sentinel workbooks to ensure they are relevant and run correctly (execute them using test cases).
  • Review the tag taxonomy.

Ad hoc tasks

A list of ad hoc tasks is as follows:

  • Check naming conventions that are being used for various components that are created manually. Keeping strict governance over naming conventions and other standards ensures easier communication across the team when handing over incidents for review.
  • Engage with external services that offer advanced security practices to further test and train your SOC capabilities, including penetration testing, social engineering, and Purple Team activities.

Summary

While this is one of the shorter chapters in this book, it has covered the importance of ongoing maintenance that will ensure SOC teams remain vigilant with respect to ongoing changes in the threat landscape, and will also keep Azure Sentinel tuned for efficient and effective security operations.

In the final chapter of this book, we will introduce some resources you can use to continue gaining the knowledge required to implement and operate Azure Sentinel and related solutions.

Questions

Review the following questions to test your knowledge of this subject:

  1. What are the two main types of role within an SOC?
  2. Which role carries out the scenario-mapping exercise?
  3. How frequently should you check the log ingestion rate and pricing tier?
  4. How often should an SOC analyst check the Incidents page?
  5. If you, as an SOC engineer, are told that a new project using an Azure SQL instance is just starting, when should you start looking at ingesting its logs?