Microsoft Sentinel in Action - Second Edition

Book description

Learn how to set up, configure, and use Microsoft Sentinel to provide security incident and event management services for your multi-cloud environment

Key Features

  • Collect, normalize, and analyze security information from multiple data sources
  • Integrate AI, machine learning, built-in and custom threat analyses, and automation to build optimal security solutions
  • Detect and investigate possible security breaches to tackle complex and advanced cyber threats

Book Description

Microsoft Sentinel is a security information and event management (SIEM) tool developed by Microsoft that helps you integrate cloud security and artificial intelligence (AI). This book will teach you how to implement Microsoft Sentinel and understand how it can help detect security incidents in your environment with integrated AI, threat analysis, and built-in and community-driven logic.

The first part of this book will introduce you to Microsoft Sentinel and Log Analytics, then move on to data collection and management, as well as how to create effective Microsoft Sentinel queries to detect anomalous behaviors and activity patterns. The next part will focus on useful features, such as entity behavior analytics and Microsoft Sentinel playbooks, along with exploring the new bi-directional connector for ServiceNow. In the final part, you'll learn how to develop solutions that automate the responses needed to handle security incidents, find out about the latest developments in security and techniques to enhance your cloud security architecture, and explore how you can contribute to the security community.

By the end of this book, you'll have learned how to implement Microsoft Sentinel to fit your needs and protect your environment from cyber threats and other security issues.

What you will learn

  • Implement Log Analytics and enable Microsoft Sentinel and data ingestion from multiple sources
  • Tackle Kusto Query Language (KQL) coding
  • Discover how to carry out threat hunting activities in Microsoft Sentinel
  • Connect Microsoft Sentinel to ServiceNow for automated ticketing
  • Find out how to detect threats and create automated responses for immediate resolution
  • Use triggers and actions with Microsoft Sentinel playbooks to perform automations

Who this book is for

You'll get the most out of this book if you have a good grasp of other Microsoft security products and Azure, and are now looking to expand your knowledge to incorporate Microsoft Sentinel. Security experts who use an alternative SIEM tool and want to adopt Microsoft Sentinel as an additional or replacement service will also find this book useful.

Table of contents

  1. Microsoft Sentinel in Action
    1. Second Edition
  2. Contributors
  3. About the authors
  4. About the reviewers
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Share Your Thoughts
  6. Section 1: Design and Implementation
  7. Chapter 1: Getting Started with Microsoft Sentinel
    1. The current cloud security landscape
    2. The cloud security reference framework
    3. SOC platform components
    4. Mapping the SOC architecture
      1. Log management and data sources
      2. Operations platforms
      3. Threat intelligence and threat hunting
      4. SOC mapping summary
    5. Security solution integrations
    6. Cloud platform integrations
      1. Integrating with Amazon Web Services (AWS)
      2. Integrating with Google Cloud Platform (GCP)
      3. Integrating with Microsoft Azure
    7. Private infrastructure integrations
    8. Service pricing for Microsoft Sentinel
    9. Scenario mapping
      1. Step 1 – defining the new scenarios
      2. Step 2 – explaining the purpose
      3. Step 3 – the kill chain stage
      4. Step 4 – which solution will perform detection?
      5. Step 5 – what actions will occur instantly?
      6. Step 6 – severity and output
      7. Step 7 – what action should the analyst take?
    10. Summary
    11. Questions
    12. Further reading
  8. Chapter 2: Azure Monitor – Introduction to Log Analytics
    1. Technical requirements
    2. Introduction to Azure Monitor Log Analytics
      1. Planning a workspace
    3. Creating a workspace using the portal
    4. Creating a workspace using PowerShell or the CLI
      1. Creating an Azure Resource Management template
      2. Using PowerShell
      3. Using the CLI
      4. Exploring the Overview page
    5. Managing permissions for the workspace
    6. Enabling Microsoft Sentinel
    7. Exploring the Microsoft Sentinel Overview page
      1. The header bar
      2. The summary bar
      3. The Events and alerts over time section
      4. The Recent incidents section
      5. The Data source anomalies section
      6. The Potential malicious events section
      7. The Democratize ML for your SecOps section
    8. Connecting your first data source
      1. Obtaining information from Azure virtual machines
    9. Advanced settings for Log Analytics
      1. Agents management
      2. The Agents configuration options
      3. Computer Groups
    10. Summary
    11. Questions
    12. Further reading
  9. Section 2: Data Connectors, Management, and Queries
  10. Chapter 3: Managing and Collecting Data
    1. Choosing data that matters
    2. Understanding connectors
      1. Native connections – service to service
      2. Direct connections – service to service
      3. API connections
      4. Agent-based
    3. Configuring Microsoft Sentinel connectors
    4. Configuring Log Analytics storage options
      1. Calculating the cost of data ingestion and retention
    5. Reviewing alternative storage options
    6. Summary
    7. Questions
    8. Further reading
  11. Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel
    1. Introduction to TI
    2. Understanding STIX and TAXII
    3. Choosing the right intel feeds for your needs
    4. Implementing TI connectors
      1. Enabling the data connector
      2. Registering an app in Azure AD
      3. Configuring the MineMeld TI feed
      4. Confirming the data is being ingested for use by Microsoft Sentinel
    5. Summary
    6. Questions
    7. Further reading
  12. Chapter 5: Using the Kusto Query Language (KQL)
    1. Running KQL queries
    2. Introduction to KQL commands
      1. Tabular operators
    3. Query statements
      1. The let statement
    4. Scalar functions
      1. The ago() function
    5. String operators
    6. Summary
    7. Questions
    8. Further reading
  13. Chapter 6: Microsoft Sentinel Logs and Writing Queries
    1. An introduction to the Microsoft Sentinel Logs page
    2. Navigating through the Logs page
      1. The page header
      2. The Tables pane
      3. The Queries pane
      4. The Functions pane
      5. The Filter pane
      6. The KQL code window
      7. Running a query
      8. The Results window
      9. Learn more
    3. Writing a query
      1. The billable data ingested
      2. Map view of logins
      3. Other useful tables
    4. Summary
    5. Questions
    6. Further reading
  14. Section 3: Security Threat Hunting
  15. Chapter 7: Creating Analytic Rules
    1. An introduction to Microsoft Sentinel Analytics
      1. Types of analytic rules
      2. Navigating through the Analytics home page
    2. Creating an analytic rule
      1. Creating a rule from a rule template
      2. Creating a new rule using the wizard
    3. Managing analytic rules
    4. Summary
    5. Questions
    6. Further reading
  16. Chapter 8: Creating and Using Workbooks
    1. An overview of the Workbooks page
      1. The workbook header
      2. The Templates view
      3. Workbook detail view
      4. Missing required data types
      5. Saved template buttons
    2. Walking through an existing workbook
    3. Creating workbooks
      1. Creating a workbook using a template
      2. Creating a new workbook from scratch
    4. Editing a workbook
      1. Advanced editing
    5. Managing workbooks
    6. Workbook step types
      1. Text
      2. Query
      3. Metric
      4. Parameters
      5. Links/tabs
      6. Groups
      7. Advanced Settings
      8. Style
    7. Summary
    8. Questions
    9. Further reading
  17. Chapter 9: Incident Management
    1. Using the Microsoft Sentinel Incidents page
      1. The header bar
      2. The summary bar
      3. The search and filtering section
      4. Incident listing
      5. Incident details pane
      6. Using the Actions button
    2. Exploring the full details page
      1. The Timeline tab
      2. The Alerts tab
      3. The Bookmarks tab
      4. The Entities tab
      5. The Comments tab
    3. Investigating an incident
      1. Showing related alerts
      2. The Timeline button
      3. The Info button
      4. The Entities button
      5. The Insights button
      6. The Help button
    4. Summary
    5. Questions
    6. Further reading
  18. Chapter 10: Configuring and Using Entity Behavior
    1. Introduction to Microsoft Sentinel Entity behavior
    2. Enabling Entity behavior
    3. Overview of the Entity behavior page
      1. The header bar
      2. The search section
      3. Entities with alerts
    4. Overview of the Entity behavior details page
      1. Identifying information
      2. Notable events
      3. Insights
    5. Creating Entity behavior queries
      1. Header bar
      2. Activities list
      3. Activity details pane
      4. Adding a new activity
    6. Summary
    7. Questions
    8. Further reading
  19. Chapter 11: Threat Hunting in Microsoft Sentinel
    1. Introducing the Microsoft Sentinel Hunting page
      1. The header bar
      2. The summary bar
      3. The hunting queries list
      4. Hunting query details pane
    2. Working with Microsoft Sentinel hunting queries
      1. Adding a new query
      2. Editing a query
      3. Cloning a query
      4. Deleting a query
      5. Adding to Livestream
      6. Creating an analytics rule
    3. Working with livestream
    4. Working with bookmarks
      1. Creating a bookmark
      2. Viewing bookmarks
      3. Associating a bookmark with an incident
    5. Using Microsoft Sentinel notebooks
      1. The header bar
      2. The summary bar
      3. The notebook list
      4. The notebook details pane
    6. Creating a workspace
    7. Performing a hunt
      1. Developing a premise
      2. Determining data
      3. Planning a hunt
      4. Executing an investigation
      5. Responding
      6. Monitoring
      7. Improving
    8. Summary
    9. Questions
    10. Further reading
  20. Section 4: Integration and Automation
  21. Chapter 12: Creating Playbooks and Automation
    1. Introduction to Microsoft Sentinel playbooks
    2. Introduction to Microsoft Sentinel Automation
      1. The header bar
      2. The summary bar
      3. Automation rules listing
    3. Adding a new automation rule
    4. Playbook pricing
    5. Types of playbooks
    6. Overview of the Microsoft Sentinel connector
    7. Exploring the Playbooks tab
      1. Logic app listing
    8. Logic app settings page
      1. The menu bar
      2. The header bar
      3. The essentials section
      4. The Runs history section
    9. Creating a new playbook
    10. Using the Logic Apps Designer page
      1. The Logic Apps Designer header bar
      2. The Logic Apps Designer workflow editor section
    11. Creating a simple Microsoft Sentinel playbook
    12. Summary
    13. Questions
    14. Further reading
  22. Chapter 13: ServiceNow Integration for Alert and Case Management
    1. A brief history of Microsoft Sentinel and ServiceNow integration
      1. Integrating Microsoft Sentinel with ServiceNow ITSM using Microsoft Sentinel Logic Apps
      2. Integrating Azure security alert sources (not just Sentinel) with ServiceNow Security Incident Response via the Microsoft Graph Security API
      3. Integrating Microsoft Sentinel with ServiceNow Security Incident Response via an API directly to Microsoft Sentinel
    2. Steps to integrate Microsoft Sentinel with ServiceNow
      1. Configuring the Microsoft Azure portal
      2. Installing the Microsoft Sentinel integration plugin in ServiceNow
      3. Configuring the ServiceNow Sentinel plugin to authenticate to Microsoft Sentinel
      4. Creating profiles in the ServiceNow Sentinel integration plugin
    3. Summary
  23. Section 5: Operational Guidance
  24. Chapter 14: Operational Tasks for Microsoft Sentinel
    1. Dividing SOC duties
      1. SOC engineers
      2. SOC analysts
    2. Operational tasks for SOC engineers
      1. Daily tasks
      2. Weekly tasks
      3. Monthly tasks
      4. Ad hoc tasks
    3. Operational tasks for SOC analysts
      1. Daily tasks
      2. Weekly tasks
      3. Monthly tasks
      4. Ad hoc tasks
    4. Summary
    5. Questions
  25. Chapter 15: Constant Learning and Community Contribution
    1. Official resources from Microsoft
      1. Official documentation
      2. Tech community – blogs
      3. Tech community – forums
      4. Feature requests
      5. LinkedIn groups
      6. Other resources
    2. Resources for SOC operations
      1. MITRE ATT&CK® framework
      2. National Institute of Standards and Technology (NIST)
    3. Using GitHub
      1. GitHub for Microsoft Sentinel
      2. GitHub for community contribution
    4. Specific components and supporting technologies
      1. Kusto Query Language
      2. Jupyter Notebook
      3. Machine learning with Fusion
      4. Azure Logic Apps
    5. Summary
  26. Assessments
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 14
    14. Why subscribe?
  27. Other Books You May Enjoy
    1. Work with AKS (Azure Kubernetes Service) and use it with service mesh technologies to design a microservices hosting platform
    2. Packt is searching for authors like you
    3. Share Your Thoughts

Product information

  • Title: Microsoft Sentinel in Action - Second Edition
  • Author(s): Richard Diver, Gary Bushey, John Perkins
  • Release date: February 2022
  • Publisher(s): Packt Publishing
  • ISBN: 9781801815536