Table of Contents

Learn Azure Sentinel ... 2
Why subscribe? ... 3

Foreword

Contributors
About the authors ... 6
About the reviewers ... 7
Packt is searching for authors like you ... 7

Preface
Who this book is for ... ix
What this book covers ... ix
To get the most out of this book ... xi
Download the color images ... xi
Conventions used ... xi
Get in touch ... xii
Reviews ... xii

Section 1: Design and Implementation

Chapter 1: Getting Started with Azure Sentinel
The current cloud security landscape ... 16
Cloud security reference framework ... 17
SOC platform components ... 20
Mapping the SOC architecture ... 22
Log management and data sources ... 22
Operations platforms ... 23
Threat intelligence and threat hunting ... 25
SOC mapping summary ... 26
Security solution integrations ... 26
Cloud platform integrations ... 28
Integrating with AWS ... 28
Integrating with Google Cloud Platform (GCP) ... 28
Integrating with Microsoft Azure ... 29
Private infrastructure integrations ... 30
Service pricing for Azure Sentinel ... 31
Scenario mapping ... 34
Step 1 – Define the new scenarios ... 34
Step 2 – Explain the purpose ... 35
Step 3 – The kill-chain stage ... 35
Step 4 – Which solution will do detection? ... 36
Step 5 – What actions will occur instantly? ... 36
Step 6 – Severity and output ... 37
Step 7 – What action should the analyst take? ... 37
Summary ... 38
Questions ... 38
Further reading ... 39

Chapter 2: Azure Monitor – Log Analytics
Technical requirements ... 42
Introduction to Azure Monitor Log Analytics ... 43
Planning a workspace ... 46
Creating a workspace using the portal ... 47
Creating a workspace using PowerShell or the CLI ... 49
Exploring the Overview page ... 56
Managing the permissions of the workspace ... 57
Enabling Azure Sentinel ... 58
Exploring the Azure Sentinel Overview page ... 61
The header bar ... 62
The summary bar ... 62
The Events and alerts over time section ... 62
The Recent incidents section ... 62
The Data source anomalies section ... 62
The Potential malicious events section ... 62
The Democratize ML for your SecOps section ... 63
Connecting your first data source ... 63
Obtaining information from Azure virtual machines ... 63
Advanced settings for Log Analytics ... 66
Connected Sources ... 67
The Data option ... 68
Computer Groups ... 69
Summary ... 73
Questions ... 73
Further reading ... 73

Section 2: Data Connectors, Management, and Queries

Chapter 3: Managing and Collecting Data
Choosing data that matters ... 78
Understanding connectors ... 80
Native connections – service to service ... 81
Direct connections – service to service ... 82
API connections ... 82
Agent-based ... 83
Configuring Azure Sentinel connectors ... 85
Configuring Log Analytics storage options ... 92
Calculating the cost of data ingestion and retention ... 94
Reviewing alternative storage options ... 96
Questions ... 97
Further reading ... 98

Chapter 4: Integrating Threat Intelligence
Introduction to TI ... 100
Understanding STIX and TAXII ... 102
Choosing the right intel feeds for your needs ... 103
Implementing TI connectors ... 104
Enabling the data connector ... 104
Registering an app in Azure AD ... 106
Configuring the MineMeld threat intelligence feed ... 110
Confirming the data is being ingested for use by Azure Sentinel ... 116
Summary ... 118
Questions ... 118
Further reading ... 119

Chapter 5: Using the Kusto Query Language (KQL)
Running KQL queries ... 122
Introduction to KQL commands ... 124
Tabular operators ... 125
Query statement ... 140
Scalar functions ... 140
String operators ... 142
Summary ... 143
Questions ... 144
Further reading ... 144

Chapter 6: Azure Sentinel Logs and Writing Queries
An introduction to the Azure Sentinel Logs page ... 146
Navigating through the Logs page ... 146
The page header ... 148
The Tables pane ... 156
The Filter pane ... 159
The KQL code window ... 161
The results window ... 166
Learn more ... 173
Writing a query ... 173
The billable data ingested ... 174
Map view of logins ... 175
Other useful logs ... 176
Summary ... 177
Questions ... 178
Further reading ... 178

Section 3: Security Threat Hunting

Chapter 7: Creating Analytic Rules
An introduction to Azure Sentinel Analytics ... 182
Types of analytic rules ... 182
Navigating through the Analytics home page ... 183
Creating a rule from a rule template ... 191
Creating a new rule using the wizard ... 192
Managing analytic rules ... 205
Summary ... 206
Questions ... 207

Chapter 8: Introducing Workbooks
An overview of the Workbooks page ... 210
The workbook header ... 211
The Templates view ... 212
Workbook detail view ... 212
Missing required data types ... 213
Workbook detail view (continued) ... 213
Saved template buttons ... 214
Walking through an existing workbook ... 216
Creating workbooks ... 218
Creating a workbook using a template ... 218
Creating a new workbook from scratch ... 219
Editing a workbook ... 221
Advanced editing ... 224
Managing workbooks ... 225
Workbook step types ... 227
Text ... 229
Query ... 229
Metric ... 234
Parameters ... 234
Links/tabs ... 240
Advanced settings ... 244
Summary ... 249
Questions ... 250
Further reading ... 250

Chapter 9: Incident Management
Using the Azure Sentinel Incidents page ... 252
The header bar ... 252
The summary bar ... 253
The search and filtering section ... 253
Incident listing ... 255
Incident details pane ... 256
Using the Actions button ... 261
Exploring the full details page ... 262
The Alerts tab ... 263
The Bookmarks tab ... 265
The Entities tab ... 266
The Comments tab ... 266
Investigating an incident ... 267
Showing related alerts ... 268
The Timeline button ... 270
The Info button ... 271
The Entities button ... 272
The Help button ... 272
Questions ... 273
Further reading ... 274

Chapter 10: Threat Hunting in Azure Sentinel
Introducing the Azure Sentinel Hunting page ... 276
The header bar ... 276
The summary bar ... 277
The hunting queries list ... 277
Hunting query details pane ... 279
Working with Azure Sentinel Hunting queries ... 281
Adding a new query ... 281
Editing a query ... 282
Cloning a query ... 282
Deleting a query ... 283
Working with Livestream ... 283
Working with bookmarks ... 285
Creating a bookmark ... 286
Viewing bookmarks ... 288
Associating a bookmark with an incident ... 290
Using Azure Sentinel Notebooks ... 293
The header bar ... 294
The summary bar ... 294
The notebook details pane ... 295
Performing a hunt ... 297
Develop premise ... 298
Determine data ... 299
Plan hunt ... 300
Execute investigation ... 300
Respond ... 300
Monitor ... 301
Improve ... 301
Summary ... 302
Questions ... 302
Further reading ... 303

Section 4: Integration and Automation

Chapter 11: Creating Playbooks and Logic Apps
Introduction to Azure Sentinel playbooks ... 308
Playbook pricing ... 309
Overview of the Azure Sentinel connector ... 309
Exploring the Playbooks page ... 311
The header bar ... 312
The summary bar ... 312
Logic app listing ... 313
Logic app settings page ... 313
The menu bar ... 314
The header bar ... 315
The essentials section ... 316
The summary section ... 316
The Runs history section ... 317
Creating a new playbook ... 318
Using the Logic Apps Designer page ... 319
The Logic Apps Designer header bar ... 321
The Logic App Designer workflow editor section ... 322
Creating a simple Azure Sentinel playbook ... 323
Summary ... 330
Questions ... 330
Further reading ... 331

Chapter 12: ServiceNow Integration
Overview of Azure Sentinel alerts ... 334
Overview of IT Service Management (ITSM) ... 335
Logging in to ServiceNow ... 336
Cloning an existing logic app ... 337
Modifying the playbook ... 340
Additional incident information ... 343
Adding dynamic content ... 346
Adding an expression ... 349
Summary ... 352
Questions ... 352
Further reading ... 352

Section 5: Operational Guidance

Chapter 13: Operational Tasks for Azure Sentinel
Dividing SOC duties ... 356
SOC engineers ... 356
SOC analysts ... 357
Operational tasks for SOC engineers ... 357
Daily tasks ... 357
Weekly tasks ... 358
Ad hoc tasks ... 358
Operational tasks for SOC analysts ... 359
Daily tasks ... 359
Weekly tasks ... 359
Monthly tasks ... 360
Ad hoc tasks ... 360
Summary ... 361
Questions ... 361

Chapter 14: Constant Learning and Community Contribution
Official resources from Microsoft ... 364
Official documentation ... 364
Tech community – blogs ... 364
Tech community – forum ... 365
Feature requests ... 366
LinkedIn groups ... 367
Other resources ... 367
Resources for SOC operations ... 368
MITRE ATT&CK® framework ... 368
National Institute of Standards for Technology (NIST) ... 368
GitHub for Azure Sentinel ... 369
GitHub for community contribution ... 370
Kusto Query Language (KQL) ... 370
Jupyter Notebook ... 371
Azure Logic Apps ... 372
Summary ... 373

Assessments
Chapter 1 ... 375
Chapter 2 ... 375
Chapter 3 ... 376
Chapter 4 ... 376
Chapter 5 ... 377
Chapter 6 ... 378
Chapter 7 ... 378
Chapter 8 ... 378
Chapter 9 ... 379
Chapter 10 ... 379
Chapter 11 ... 380
Chapter 12 ... 380
Chapter 13 ... 381

Other Books You May Enjoy
Leave a review - let other readers know what you think ... 385