Table of Contents
Learn Azure Sentinel
by Richard Diver, Gary Bushey, Jason S. Rader
Why subscribe?
Foreword
Contributors
About the authors
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Section 1: Design and Implementation
Chapter 1: Getting Started with Azure Sentinel
The current cloud security landscape
Cloud security reference framework
SOC platform components
Mapping the SOC architecture
Log management and data sources
Operations platforms
Threat intelligence and threat hunting
SOC mapping summary
Security solution integrations
Cloud platform integrations
Integrating with AWS
Integrating with Google Cloud Platform (GCP)
Integrating with Microsoft Azure
Private infrastructure integrations
Service pricing for Azure Sentinel
Scenario mapping
Step 1 – Define the new scenarios
Step 2 – Explain the purpose
Step 3 – The kill-chain stage
Step 4 – Which solution will do detection?
Step 5 – What actions will occur instantly?
Step 6 – Severity and output
Step 7 – What action should the analyst take?
Summary
Questions
Further reading
Chapter 2: Azure Monitor – Log Analytics
Technical requirements
Introduction to Azure Monitor Log Analytics
Planning a workspace
Creating a workspace using the portal
Creating a workspace using PowerShell or the CLI
Exploring the Overview page
Managing the permissions of the workspace
Enabling Azure Sentinel
Exploring the Azure Sentinel Overview page
The header bar
The summary bar
The Events and alerts over time section
The Recent incidents section
The Data source anomalies section
The Potential malicious events section
The Democratize ML for your SecOps section
Connecting your first data source
Obtaining information from Azure virtual machines
Advanced settings for Log Analytics
Connected Sources
The Data option
Computer Groups
Summary
Questions
Further reading
Section 2: Data Connectors, Management, and Queries
Chapter 3: Managing and Collecting Data
Choosing data that matters
Understanding connectors
Native connections – service to service
Direct connections – service to service
API connections
Agent-based
Configuring Azure Sentinel connectors
Configuring Log Analytics storage options
Calculating the cost of data ingestion and retention
Reviewing alternative storage options
Questions
Further reading
Chapter 4: Integrating Threat Intelligence
Introduction to TI
Understanding STIX and TAXII
Choosing the right intel feeds for your needs
Implementing TI connectors
Enabling the data connector
Registering an app in Azure AD
Configuring the MineMeld threat intelligence feed
Confirming the data is being ingested for use by Azure Sentinel
Summary
Questions
Further reading
Chapter 5: Using the Kusto Query Language (KQL)
Running KQL queries
Introduction to KQL commands
Tabular operators
Query statement
Scalar functions
String operators
Summary
Questions
Further reading
Chapter 6: Azure Sentinel Logs and Writing Queries
An introduction to the Azure Sentinel Logs page
Navigating through the Logs page
The page header
The Tables pane
The Filter pane
The KQL code window
The results window
Learn more
Writing a query
The billable data ingested
Map view of logins
Other useful logs
Summary
Questions
Further reading
Section 3: Security Threat Hunting
Chapter 7: Creating Analytic Rules
An introduction to Azure Sentinel Analytics
Types of analytic rules
Navigating through the Analytics home page
Creating a rule from a rule template
Creating a new rule using the wizard
Managing analytic rules
Summary
Questions
Chapter 8: Introducing Workbooks
An overview of the Workbooks page
The workbook header
The Templates view
Workbook detail view
Missing required data types
Workbook detail view (continued)
Saved template buttons
Walking through an existing workbook
Creating workbooks
Creating a workbook using a template
Creating a new workbook from scratch
Editing a workbook
Advanced editing
Managing workbooks
Workbook step types
Text
Query
Metric
Parameters
Links/tabs
Advanced settings
Summary
Questions
Further reading
Chapter 9: Incident Management
Using the Azure Sentinel Incidents page
The header bar
The summary bar
The search and filtering section
Incident listing
Incident details pane
Using the Actions button
Exploring the full details page
The Alerts tab
The Bookmarks tab
The Entities tab
The Comments tab
Investigating an incident
Showing related alerts
The Timeline button
The Info button
The Entities button
The Help button
Questions
Further reading
Chapter 10: Threat Hunting in Azure Sentinel
Introducing the Azure Sentinel Hunting page
The header bar
The summary bar
The hunting queries list
Hunting query details pane
Working with Azure Sentinel Hunting queries
Adding a new query
Editing a query
Cloning a query
Deleting a query
Working with Livestream
Working with bookmarks
Creating a bookmark
Viewing bookmarks
Associating a bookmark with an incident
Using Azure Sentinel Notebooks
The header bar
The summary bar
The notebook details pane
Performing a hunt
Develop premise
Determine data
Plan hunt
Execute investigation
Respond
Monitor
Improve
Summary
Questions
Further reading
Section 4: Integration and Automation
Chapter 11: Creating Playbooks and Logic Apps
Introduction to Azure Sentinel playbooks
Playbook pricing
Overview of the Azure Sentinel connector
Exploring the Playbooks page
The header bar
The summary bar
Logic app listing
Logic app settings page
The menu bar
The header bar
The essentials section
The summary section
The Runs history section
Creating a new playbook
Using the Logic Apps Designer page
The Logic Apps Designer header bar
The Logic App Designer workflow editor section
Creating a simple Azure Sentinel playbook
Summary
Questions
Further reading
Chapter 12: ServiceNow Integration
Overview of Azure Sentinel alerts
Overview of IT Service Management (ITSM)
Logging in to ServiceNow
Cloning an existing logic app
Modifying the playbook
Additional incident information
Adding dynamic content
Adding an expression
Summary
Questions
Further reading
Section 5: Operational Guidance
Chapter 13: Operational Tasks for Azure Sentinel
Dividing SOC duties
SOC engineers
SOC analysts
Operational tasks for SOC engineers
Daily tasks
Weekly tasks
Ad hoc tasks
Operational tasks for SOC analysts
Daily tasks
Weekly tasks
Monthly tasks
Ad hoc tasks
Summary
Questions
Chapter 14: Constant Learning and Community Contribution
Official resources from Microsoft
Official documentation
Tech community – blogs
Tech community – forum
Feature requests
LinkedIn groups
Other resources
Resources for SOC operations
MITRE ATT&CK® framework
National Institute of Standards and Technology (NIST)
GitHub for Azure Sentinel
GitHub for community contribution
Kusto Query Language (KQL)
Jupyter Notebook
Azure Logic Apps
Summary
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Other Books You May Enjoy
Leave a review - let other readers know what you think