Learn Azure Sentinel

Learn Azure Sentinel

by Richard Diver, Gary Bushey
Released April 2020
Publisher(s): Packt Publishing
ISBN: 9781838980924

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Understand how to set up, configure, and use Azure Sentinel to provide security incident and event management services for your environment

Key Features

  • Secure your network, infrastructure, data, and applications on Microsoft Azure effectively
  • Integrate artificial intelligence, threat analysis, and automation for optimal security solutions
  • Investigate possible security breaches and gather forensic evidence to prevent modern cyber threats

Book Description

Azure Sentinel is a Security Information and Event Management (SIEM) tool developed by Microsoft to integrate cloud security and artificial intelligence (AI). Azure Sentinel not only helps clients identify security issues in their environment, but also uses automation to help resolve these issues. With this book, you’ll implement Azure Sentinel and understand how it can help find security incidents in your environment with integrated artificial intelligence, threat analysis, and built-in and community-driven logic.

This book starts with an introduction to Azure Sentinel and Log Analytics. You’ll get to grips with data collection and management, before learning how to create effective Azure Sentinel queries to detect anomalous behaviors and patterns of activity. As you make progress, you’ll understand how to develop solutions that automate the responses required to handle security incidents. Finally, you’ll grasp the latest developments in security, discover techniques to enhance your cloud security architecture, and explore how you can contribute to the security community.

By the end of this book, you’ll have learned how to implement Azure Sentinel to fit your needs and be able to protect your environment from cyber threats and other security issues.

What you will learn

  • Understand how to design and build a security operations center
  • Discover the key components of a cloud security architecture
  • Manage and investigate Azure Sentinel incidents
  • Use playbooks to automate incident responses
  • Understand how to set up Azure Monitor Log Analytics and Azure Sentinel
  • Ingest data into Azure Sentinel from the cloud and on-premises devices
  • Perform threat hunting in Azure Sentinel

Who this book is for

This book is for solution architects and system administrators who are responsible for implementing new solutions in their infrastructure. Security analysts who need to monitor and provide immediate security solutions or threat hunters looking to learn how to use Azure Sentinel to investigate possible security breaches and gather forensic evidence will also benefit from this book. Prior experience with cloud security, particularly Azure, is necessary.

Table of contents

  1. Learn Azure Sentinel
  2. Why subscribe?
  3. Foreword
  4. Contributors
  5. About the authors
  6. About the reviewers
  7. Packt is searching for authors like you
  8. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Reviews
  9. Section 1: Design and Implementation
  10. Chapter 1: Getting Started with Azure Sentinel
    1. The current cloud security landscape
    2. The cloud security reference framework
    3. SOC platform components
    4. Mapping the SOC architecture
      1. Log management and data sources
      2. Operations platforms
      3. Threat intelligence and threat hunting
      4. SOC mapping summary
    5. Security solution integrations
    6. Cloud platform integrations
      1. Integrating with AWS
      2. Integrating with Google Cloud Platform (GCP)
      3. Integrating with Microsoft Azure
    7. Private infrastructure integrations
    8. Service pricing for Azure Sentinel
    9. Scenario mapping
      1. Step 1 – Define the new scenarios
      2. Step 2 – Explain the purpose
      3. Step 3 – The kill-chain stage
      4. Step 4 – Which solution will do detection?
      5. Step 5 – What actions will occur instantly?
      6. Step 6 – Severity and output
      7. Step 7 – What action should the analyst take?
    10. Summary
    11. Questions
    12. Further reading
  11. Chapter 2: Azure Monitor – Log Analytics
    1. Technical requirements
    2. Introduction to Azure Monitor Log Analytics
      1. Planning a workspace
      2. Creating a workspace using the portal
      3. Creating a workspace using PowerShell or the CLI
      4. Exploring the Overview page
    3. Managing the permissions of the workspace
    4. Enabling Azure Sentinel
    5. Exploring the Azure Sentinel Overview page
      1. The header bar
      2. The summary bar
      3. The Recent incidents section
      4. The Data source anomalies section
      5. The Potential malicious events section
      6. The Democratize ML for your SecOps section
      7. Obtaining information from Azure virtual machines
    6. Advanced settings for Log Analytics
      1. Connected Sources
      2. The Data option
      3. Computer Groups
    7. Summary
    8. Questions
    9. Further reading
  12. Section 2: Data Connectors, Management, and Queries
  13. Chapter 3: Managing and Collecting Data
    1. Choosing data that matters
    2. Understanding connectors
      1. Native connections – service to service
      2. Direct connections – service to service
      3. API connections
      4. Agent-based
    3. Configuring Azure Sentinel connectors
    4. Configuring Log Analytics storage options
      1. Calculating the cost of data ingestion and retention
      2. Reviewing alternative storage options
    5. Summary
    6. Questions
    7. Further reading
  14. Chapter 4: Integrating Threat Intelligence
    1. Introduction to TI
    2. Understanding STIX and TAXII
    3. Choosing the right intel feeds for your needs
    4. Implementing TI connectors
      1. Enabling the data connector
      2. Registering an app in Azure AD
      3. Configuring the MineMeld TI feed
      4. Confirming the data is being ingested for use by Azure Sentinel
    5. Summary
    6. Questions
    7. Further reading
  15. Chapter 5: Using the Kusto Query Language (KQL)
    1. Running KQL queries
    2. Introduction to KQL commands
      1. Tabular operators
      2. Query statement
      3. Scalar functions
      4. String operators
    3. Summary
    4. Questions
    5. Further reading
  16. Chapter 6: Azure Sentinel Logs and Writing Queries
    1. An introduction to the Azure Sentinel Logs page
    2. Navigating through the Logs page
      1. The page header
      2. The Tables pane
      3. The Filter pane
      4. The KQL code window
      5. The results window
      6. Learn more
    3. Writing a query
      1. The billable data ingested
      2. Map view of logins
      3. Other useful logs
    4. Summary
    5. Questions
    6. Further reading
  17. Section 3: Security Threat Hunting
  18. Chapter 7: Creating Analytic Rules
    1. An introduction to Azure Sentinel Analytics
      1. Types of analytic rules
      2. Navigating through the Analytics home page
    2. Creating an analytic rule
      1. Creating a rule from a rule template
      2. Creating a new rule using the wizard
    3. Managing analytic rules
    4. Summary
    5. Questions
    6. Further reading
  19. Chapter 8:Introducing Workbooks
    1. An overview of the Workbooks page
      1. The workbook header
      2. The Templates view
      3. Workbook detail view
      4. Missing required data types
      5. Workbook detail view (continued)
      6. Saved template buttons
    2. Walking through an existing workbook
    3. Creating workbooks
      1. Creating a workbook using a template
      2. Creating a new workbook from scratch
    4. Editing a workbook
      1. Advanced editing
    5. Managing workbooks
    6. Workbook step types
      1. Text
      2. Query
      3. Parameters
      4. Links/tabs
      5. Advanced settings
    7. Summary
    8. Questions
    9. Further reading
  20. Chapter 9:Incident Management
    1. Using the Azure Sentinel Incidents page
      1. The header bar
      2. The summary bar
      3. The search and filtering section
      4. Incident listing
      5. Incident details pane
      6. Using the Actions button
    2. Exploring the full details page
      1. The Alerts tab
      2. The Bookmarks tab
      3. The Entities tab
      4. The Comments tab
    3. Investigating an incident
      1. Showing related alerts
      2. The Timeline button
      3. The Info button
      4. The Entities button
      5. The Help button
    4. Summary
    5. Questions
    6. Further reading
  21. Chapter 10: Threat Hunting in Azure Sentinel
    1. Introducing the Azure Sentinel Hunting page
      1. The header bar
      2. The summary bar
      3. The hunting queries list
      4. Hunting query details pane
    2. Working with Azure Sentinel Hunting queries
      1. Adding a new query
      2. Editing a query
      3. Cloning a query
      4. Deleting a query
    3. Working with Livestream
    4. Working with bookmarks
      1. Creating a bookmark
      2. Viewing bookmarks
    5. Using Azure Sentinel Notebooks
      1. The header bar
      2. The summary bar
      3. The notebook list
      4. The notebook details pane
    6. Performing a hunt
      1. Develop premise
      2. Determine data
      3. Plan hunt
      4. Execute investigation
      5. Respond
      6. Monitor
      7. Improve
    7. Summary
    8. Questions
    9. Further reading
  22. Section 4: Integration and Automation
  23. Chapter 11: Creating Playbooks and Logic Apps
    1. Introduction to Azure Sentinel playbooks
    2. Playbook pricing
    3. Overview of the Azure Sentinel connector
    4. Exploring the Playbooks page
      1. The header bar
      2. The summary bar
      3. Logic app listing
    5. Logic Apps settings page
      1. The menu bar
      2. The header bar
      3. The essentials section
      4. The summary section
      5. The Runs history section
    6. Creating a new playbook
    7. Using the Logic Apps Designer page
      1. The Logic Apps Designer header bar
      2. The Logic Apps Designer workflow editor section
    8. Creating a simple Azure Sentinel playbook
    9. Summary
    10. Questions
    11. Further reading
  24. Chapter 12: ServiceNow Integration
    1. Overview of Azure Sentinel alerts
    2. Overview of IT Service Management (ITSM)
    3. Logging in to ServiceNow
    4. Creating a playbook to trigger a ticket in ServiceNow
      1. Cloning an existing logic app
      2. Modifying the playbook
      3. Additional incident information
      4. Adding dynamic content
      5. Adding static content
      6. Adding an expression
    5. Summary
    6. Questions
    7. Further reading
  25. Section 5: Operational Guidance
  26. Chapter 13: Operational Tasks for Azure Sentinel
    1. Dividing SOC duties
      1. SOC engineers
      2. SOC analysts
    2. Operational tasks for SOC engineers
      1. Daily tasks
      2. Weekly tasks
      3. Monthly tasks
      4. Ad hoc tasks
    3. Operational tasks for SOC analysts
      1. Daily tasks
      2. Weekly tasks
      3. Monthly tasks
      4. Ad hoc tasks
    4. Summary
    5. Questions
  27. Chapter 14: Constant Learning and Community Contribution
    1. Official resources from Microsoft
      1. Official documentation
      2. Tech community – blogs
      3. Tech community – forum
      4. Feature requests
      5. LinkedIn groups
      6. Other resources
    2. Resources for SOC operations
      1. MITRE ATT&CK® framework
      2. National Institute of Standards for Technology (NIST)
    3. Using GitHub
      1. GitHub for Azure Sentinel
      2. GitHub for community contribution
    4. Specific components and supporting technologies
      1. Kusto Query Language
      2. Jupyter Notebook
      3. Machine learning with Fusion
      4. Azure Logic Apps
    5. Summary
  28. Assessments
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
  29. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Learn Azure Sentinel
  • Author(s): Richard Diver, Gary Bushey
  • Release date: April 2020
  • Publisher(s): Packt Publishing
  • ISBN: 9781838980924