+ operator, KQL, 189
- operator, KQL, 189
* operator, KQL, 189
/ operator, KQL, 189
% operator, KQL, 189
< operator, KQL, 189
> operator, KQL, 189
== operator, KQL, 189
!= operator, KQL, 189
<= operator, KQL, 189
>= operator, KQL, 189
Actions menu, incidents, 149
ADX (Azure Data Explorer), 96
aggregation functions, KQL (Kusto Query Language), 192
alerts
exploring for incidents, 72–73
AML (Azure Machine Learning) workspaces, configuring, 109–116. See also workspace design
analysis and investigation, 6–7
analytic rules
Alert Details section, 41
alert simulation graphic, 39
Alert threshold section, 41
Automated response section, 43
Custom Details section, 40
Entity Mapping section, 40, 48
Event grouping section, 42
General section, 47
Incident settings section, 43
Logic section, 38
MSSPs (managed security service providers), 206–207
Query Language Reference, 38
Query scheduling section, 41
Review And Create tab, 44
Review And Update tab, 49
Suppression setting, 42
Analytics dashboard, accessing, 32–33
anomaly rules, 44
any() aggregation function, KQL, 192
APT (Advanced Persistent Threat), 9
arg_max() function, KQL, 192
arg_min() function, KQL, 192
ARM (Azure Resource Manager), 22, 167–170
ARM templates, MSSPs (managed security service providers), 212–213
ASIM (Advanced Security Information Model), 178
authenticating to Microsoft Sentinel, 118
automation rules
completing and testing, 143–146
conditions and actions, 128
triggering, 128
automation with Playbooks. See also Playbooks gallery
completing, 142
condition for evaluation, 139
Dynamic Content, 135
If true action area, 140
Microsoft Teams action, 141
Office 365 action, 137
Send Approval email action, 138
automations, 15
automation/SOAR, MSSPs (managed security service providers), 210. See also SOAR (security orchestration and automated response)
avg() function, KQL, 192
AWS (Amazon Web Services) S3 connector, 171–172
Azure Activity blade, 23
Azure Activity Log, 22
Azure AD (Active Directory) B2B, MSSPs (managed security service providers), 203–204
Azure AD (Active Directory), connecting to, 26–27
Azure Key Vault honeytokens, using Livestream with, 94–96
Azure Lighthouse, MSSPs (managed security service providers), 199–203
Azure Logic Apps, 44
Azure Policy, 24
Azure portal, using with data connectors, 169–170
Azure RBAC (role-based access control), 15–16
Azure Workbook, 14
big data problem, security as, 8–9
bookmarks
adding to hunting queries, 85–88
adding to incidents, 91
bool data type and KQL, 186
brute-force attacks
buildschema() function, KQL, 192
bulletproof hosting services, 2
CAV (counter-antivirus) services, 2
CCP (Codeless Connector Platform), 166
CD (continuous deployment), MSSPs (managed security service providers), 212–213
CDOC (Cyber Defense Operations Center), 7–8
CEF and Syslog connectors, 19
CI (continuous integration), MSSPs (managed security service providers), 212–213
CISO (Chief Information Security Officers), 1
code injection methods, 2
Colonial Pipeline attack, 2
columns
choosing for incidents, 58
compute instance, creating, 115–116
count() function, KQL, 192
countif() function, KQL, 192
CTI (cyber threat intelligence), 9–11, 14, 97. See also TI (threat intelligence)
custom logs, 53
CVE-2021-44228 vulnerability, 5
cybersecurity professionals, number of, 8
DART (Detection and Response Team), 6
Data Collection Anomalies View, 174
data connectors. See also environment and data
AWS (Amazon Web Services) S3, 171–172
CCP (Codeless Connector Platform), 166
enabling and configuring, 167–170
ingestion methods, 165
Microsoft 365 Defender, 170
normalization, 163
repositories feature, 177
REST APIs, 166
data ingestion, 22–27. See also ingested data
data sources, 18
data visualization. See also visualizations
Microsoft Sentinel Workbooks, 151–156
datetime data type and KQL, 186
dcount() function, KQL, 192
Deception solution, 94
decimal data type and KQL, 186
Defender for Cloud, connecting, 25–26
Discovery Tactics, MITRE ATT&CK knowledge base, 4
dynamic data type and KQL, 186
Edit API Connection blade, 148
entities
exploring for incidents, 72–73
searching for, 62
Entity page, opening for incidents, 66–67
environment and data, knowing, 76. See also data connectors
evaluate operator, KQL (Kusto Query Language), 195–196
Excel visualizations, 162
extend, KQL (Kusto Query Language), 193
failed logins, looking at, 81–82, 90. See also logins
fileless techniques, 2
filters, adding, 79
forensics and hunting, 7, 11, 14. See also threat hunting
FROM keyword, using with SQL, 184
fullouter join, KQL, 195
fusion center model, SOCs, 7
fusion rule, 44
configuring, 68
git clone command, using with Notebooks, 119–120
GitHub repository
hunting queries, 84
repositories connection, 177
sample queries, 4
testing Notebooks from, 118–120
graphical investigation, incidents, 71–74
guid data type and KQL, 186
hardening considerations, 18
Honeytokens Deception solution, using Livestream with, 94–96
hunting. See also threat hunting
MSSPs (managed security service providers), 207–209
Hunting blade, accessing, 76–77
hunting bookmark, creating incident from, 89
hunting queries
adding to Livestream, 91
Investigation graph, 88
searching for, 78
IIoT (Industrial Internet of Things), 8
in operator, KQL, 189
!in operator, KQL, 189
incident actions, invoking, 61–62
incident management, MSSPs (managed security service providers), 209–210
Incident Overview Workbook, 61. See also Workbooks
incidents. See also Incident Overview Workbook; Investigation graph; post-incident automation
adding bookmarks to, 91
creating from hunting bookmarks, 89
explained, 14
graphical investigation, 71–74
IoCs (Indicators of Compromise), 103
timeline, 64
Incidents blade, Guides & Feedback pane, 59
Incidents view, configuring, 54–58
ingested data. See also data ingestion
inner join, KQL, 195
innerunique join, KQL, 195
int data type and KQL, 186
IntelliSense suggestions, ingested data, 29
investigation and analysis, 6–7
Investigation graph, using with hunting, 88. See also incidents
Investigation Insights Workbook, 106
IOA (indicators of attack), 32
IoCs (Indicators of Compromise). See also Ransomware IoCs
analytics, 31
CTI (cyber threat intelligence), 97
incidents, 103
TimeGenerated field, 101
(ISC)2 nonprofit, 8
ISVs (independent software vendors), 166
JBS Foods REvil ransomware, 2
JNDI (Java Naming and Directory Interface), 5
join operators, KQL (Kusto Query Language), 194–195
Jupyter notebooks, 14
Key Vault, using, 110
keyboard shortcuts, cells in Notebooks, 116
KQL (Kusto Query Language), 14–15, 28, 81
adding and removing columns, 192–193
aggregation functions, 192
extend, 193
getting data, 187
learning resources, 197
limiting data, 188
numerical operators, 189
order operator, 188
project and project-away, 192–193
query structure, 183
sorting data, 188
SQL, 184
take operator, 188
union operator, 194
KQL queries, MSSPs (managed security service providers), 205
leftanti join, KQL, 195
leftouter join, KQL, 195
leftsemi join, KQL, 195
let statements, KQL (Kusto Query Language), 196–197
Livestream feature, 91–96. See also Query Language Reference
Log Analytics workspace, 17
creating, 20
Log Analytics workspaces, MSSPs (managed security service providers), 205
Log4j vulnerability, 31
Log4Shell, CVE-2021-44228 vulnerability, 5
Logic App Designer, 148
Logic Apps
Create Playbook Blade, 131
Create Playbook/Connections Options, 132
Designer blade, 133
Save button, 141
logins, investigating, 90. See also failed logins
long data type and KQL, 186
machine learning behavioral rule, 45
Machine Learning Workspace, creating, 112
make_bag() function, KQL, 192
make_list() function, KQL, 192
make_set() function, KQL, 192
max() function, KQL, 192
Microsoft 365 Defender connector, 170
Microsoft DART (Detection and Response Team), 6
Microsoft Defender for Cloud, connecting, 25–26
Microsoft Defender for Endpoint, 5
Microsoft Digital Defense Report 2021, Acer REvil ransomware, 2
Microsoft Security rules, 45
Microsoft Sentinel
authenticating to, 118
configuring with PowerShell, 167
core capabilities, 12
hardening considerations, 18
News & Guides page, 21
overview, 12
pricing, 19
scenarios and considerations, 16
Microsoft Sentinel Community, 46
Microsoft Sentinel Deception solution, 94
Microsoft Sentinel Notebooks, 108
Microsoft Sentinel Workbooks
Azure Activity blade, 153
data collection anomalies view, 156
Data Collection Health Monitoring, 155
editing, 157
graphical representation of query, 158
series_decompose_anomalies() function, 156
Templates tab, 152
visualization for time chart, 159
Microsoft Sentinel workspaces
interaction with Notebooks, 116–118
querying, 117
Microsoft SentinelHealth table, 175–176
Microsoft Teams, automation with Playbooks, 141. See also Teams integration
min() function, KQL, 192
MITRE ATT&CK
NRT rules, 14
website, 32
MITRE Tactics, filtering hunting queries, 78
MSSPs (managed security service providers), 17, 166, 210
automation/SOAR, 210
Azure AD (Active Directory) B2B, 203–204
Azure AD entitlement management, 204
CD (continuous deployment), 212–213
CI (continuous integration), 212–213
KQL queries, 205
Log Analytics workspaces, 205
multi-tenant management, 205
Notebooks, 208
PIM (Privileged Identity Management), 202
security content management, 212–214
watchlists, 209
Workbooks, 211
MSTIC (Microsoft’s Threat Intelligence Center), 116
msticpyconfig.yaml file, 117
NIST (National Institute of Standards and Technology), 53
normalization, 163
normalized logs and events, 53
Notebooks
configuring AML workspaces, 109–116
creating from templates, 112–113
documentation, 107
interaction with workspaces, 116–118
and Key Vault, 110
MSSPs (managed security service providers), 208
MSTICpy query listing, 121
running, 109
sign-ins and MFA challenge, 121–124
testing from GitHub repo, 118–120
using, 14
versus Workbooks and Playbooks, 108
NRT (near-real-time) rule, 45
numerical operators, KQL (Kusto Query Language), 189
Office 365 data connector, 167–169
Operation WilySupply, 5
order operator, KQL (Kusto Query Language), 188
percentiles() function, KQL, 192
phishing emails, 6
PIM (Privileged Identity Management), 202
Playbook gallery, 147. See also automation with Playbooks
Playbooks versus Workbooks and Notebooks, 108
post-incident automation, 146–150. See also incidents
Power BI
Workbooks, 211
PowerShell
configuring Microsoft Sentinel with, 167
using, 2
project and project-away, KQL (Kusto Query Language), 192–193
Query Language Reference, 38. See also Livestream feature
querying Microsoft Sentinel workspaces, 117
QueryProvider object, 117
RaaS (Ransomware as a Service), 1–2
Ransomware IoCs, displaying, 99. See also IoCs (Indicators of Compromise)
RBAC (role-based access controls), 16
real data type and KQL, 186
Remediation tab, 24
repositories
connections, 177
REST APIs, 166
REvil ransomware, 2
rightanti join, KQL, 195
rightouter join, KQL, 195
rightsemi join, KQL, 195
role aggregation scenarios, 16
SaaS (Software as a Service), 166
scheduled analytics, 46
searching
for hunting queries, 78
for indicators of compromise, 96
SecOps (Security Operations)
features, 6
resource challenges, 8
security, as big data problem, 8–9
Security Efficiency Workbook, accessing, 57. See also Workbooks
SELECT keyword, using with SQL, 184
Sentinel. See Microsoft Sentinel
series_decompose_anomalies() function, 156
settings, 15
SIEM (Security Information and Event Management), 1
and Microsoft Sentinel, 12
“single pane of glass,” 9
SOAR (security orchestration and automated response), 12, 127–128. See also automation/SOAR
SOCs (security operations centers)
and CDOC (Cyber Defense Operations Center), 7–8
CTI (cyber threat intelligence), 10
staffing shortages, 8
SolarWinds Orion, 4
Solorigate supply chain attack, 2–3
SQL and KQL, 184
stdev() function, KQL, 192
STIX (Structured Threat Information Expression), 10–11, 98
string data type and KQL, 186
sum() function, KQL, 192
Sunburst supply chain attack, 2–3
support engineers and SOCs, 7
Syslog and CEF connectors, 19
Tactics, filtering, 78
take operator, KQL (Kusto Query Language), 188
TAXII (Trusted Automated Exchange of Intelligence Information), 11, 98–100
Teams integration, incidents, 69–70. See also Microsoft Teams
Terminal, opening for Notebooks, 119
threat detection signatures, 9
threat hunting. See also hunting
fundamentals, 81
threat indicators, customizing, 101–103
rule, 46
Threat Intelligence Platforms, connecting, 97
Threat Intelligence Workbook, 104–105
ThreatIntelligenceIndicator table, 103
TI (threat intelligence). See also CTI (cyber threat intelligence)
integration, 97
Tier 1 analyst, function of, 60
Tiers of SOCs (Security Operations), 6–7
union operator, KQL (Kusto Query Language), 194
variance() function, KQL, 192
visualizations. See also data visualization
changing for time charts, 159
Excel, 162
VM (virtual machine), creating and deleting, 143–144
VM Insights, configuring, 100
watchlists
described, 15
MSSPs (managed security service providers), 209
where operator, KQL (Kusto Query Language), 189–190
Workbooks. See also Incident Overview Workbook; Security Efficiency Workbook
Investigation Insights, 106
MSSPs (managed security service providers), 211
versus Notebooks and Playbooks, 108
Power BI, 211
using, 14
workspace design, 17–18, 20. See also AML (Azure Machine Learning) workspaces
workspaces
interaction with Notebooks, 116–118
querying, 117
Yara threat detection signature, 9