8 Security operations and response: Microsoft Sentinel


This chapter covers

  • Security information and event management
  • Microsoft Sentinel
  • Data collection
  • Analytics rules
  • Incidents
  • User and entity behavior analytics
  • Security orchestration, automation, and response
  • Automation rules

As you learned in chapter 7, enabling threat detection for commonly used resource types in Azure (like your VMs, containers, storage accounts, and others) notifies you about suspicious activities and potential signs of compromise in your Azure environment. Have you ever found yourself wondering how to detect threats across your entire digital estate, not just in Azure? If you have, you're not alone. Many organizations, in addition to IaaS and PaaS resources, also use SaaS applications (like Microsoft 365 or SAP). To complicate things further, large enterprises typically have many resources on-premises too (and even in other public cloud providers like AWS or GCP). The question then becomes: how do you detect threats across your entire digital estate (spanning IaaS, PaaS, SaaS, and on-premises)? Historically, organizations have relied on a system called Security Information and Event Management (SIEM), which provides them with end-to-end visibility of their entire digital estate in a single dashboard.

8.1 Security information and event management

8.2 Microsoft Sentinel

8.2.1 Enabling Microsoft Sentinel

8.3 Data collection

8.3.1 What data should go in a SIEM?

8.3.2 Data connectors

8.3.3 Data connectors in action

8.3.4 Content hub

8.4 Analytics rules

8.4.1 Microsoft security rules

8.4.2 Microsoft security rules in action

8.4.3 Scheduled rules

8.4.4 Scheduled rules in action

8.5 Incidents

8.6 User and entity behavior analytics

8.6.1 When to use user and entity behavior analytics?

8.6.2 User and entity behavior analytics in action

8.8 Automation rules