Chapter 3. Analytics

The power of Azure Sentinel comes from the ability to detect, investigate, and remediate threats. To do this, you must ingest data in the form of alerts from security providers, such as Microsoft solutions or third-party solutions. The alerts must be in the form of raw logs from services and endpoints that you need to monitor.

Analytics in Azure Sentinel allow you to define detection rules across ingested data and create cases for investigation by security analysts. Some of those rules might be simple and create a case for an alert that comes from a connected solution. Others might be more complex and join data from various sources to determine whether a threat exists. For example, you might look for an unregistered DHCP ...

Get Microsoft Azure Sentinel: Planning and implementing Microsoft's cloud-native SIEM solution now with the O'Reilly learning platform.
