8 Security operations and response: Microsoft Sentinel


This chapter covers

  • Security information and event management
  • Microsoft Sentinel
  • Data collection
  • Analytics rules
  • Incidents
  • User entity behavior analytics
  • Security orchestration, automation, and response
  • Automation rules

As you learned in chapter 7, enabling threat detection for commonly used resource types in Azure (such as your virtual machines [VMs], containers, storage accounts, and others) notifies you about suspicious activities and potential signs of compromise in your Azure environment. In addition to infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) resources, many organizations use software-as-a-service (SaaS) applications (such as Microsoft 365 or SAP). To complicate things further, large enterprises typically have many resources on-premises (and even in other public cloud providers, such as AWS or Google Cloud Platform).

How do you detect threats across your entire digital estate (spanning IaaS, PaaS, SaaS, and on-premises)? Historically, organizations have relied on a system called Security Information and Event Management (SIEM), which provides end-to-end visibility of the entire digital estate in a single dashboard.

Note

You can see how Gartner defines SIEM at http://mng.bz/XN4Y.

8.1 Security Information and Event Management

8.2 Microsoft Sentinel

8.2.1 Microsoft Sentinel capabilities

8.2.2 Enabling Microsoft Sentinel

8.3 Data collection

8.3.1 What data should go in a SIEM?

8.3.2 Data connectors

8.3.3 Data connectors in action

8.3.4 Content hub

8.4 Analytics rules