book

Microsoft Sentinel in Action - Second Edition

Name: Microsoft Sentinel in Action - Second Edition
ISBN: 9781801815536

by Richard Diver, Gary Bushey, John Perkins

February 2022

Intermediate to advanced

478 pages

9h 53m

English

Packt Publishing

Read now

Unlock full access

Microsoft Sentinel in Action
Second EditionContributorsAbout the authorsAbout the reviewers
Preface
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchShare Your Thoughts
Section 1: Design and Implementation
Chapter 1: Getting Started with Microsoft Sentinel
The current cloud security landscapeThe cloud security reference frameworkSOC platform componentsMapping the SOC architectureLog management and data sourcesOperations platformsThreat intelligence and threat huntingSOC mapping summarySecurity solution integrationsCloud platform integrationsIntegrating with Amazon Web Services (AWS)Integrating with Google Cloud Platform (GCP)Integrating with Microsoft AzurePrivate infrastructure integrationsService pricing for Microsoft SentinelScenario mappingStep 1 – defining the new scenariosStep 2 – explaining the purposeStep 3 – the kill chain stageStep 4 – which solution will perform detection?Step 5 – what actions will occur instantly?Step 6 – severity and outputStep 7 – what action should the analyst take?SummaryQuestionsFurther reading
Chapter 2: Azure Monitor – Introduction to Log Analytics
Technical requirementsIntroduction to Azure Monitor Log AnalyticsPlanning a workspaceCreating a workspace using the portalCreating a workspace using PowerShell or the CLICreating an Azure Resource Management templateUsing PowerShellUsing the CLIExploring the Overview pageManaging permissions for the workspaceEnabling Microsoft SentinelExploring the Microsoft Sentinel Overview pageThe header barThe summary barThe Events and alerts over time sectionThe Recent incidents sectionThe Data source anomalies sectionThe Potential malicious events sectionThe Democratize ML for your SecOps sectionConnecting your first data sourceObtaining information from Azure virtual machinesAdvanced settings for Log AnalyticsAgents managementThe Agents configuration optionsComputer GroupsSummaryQuestionsFurther reading
Section 2: Data Connectors, Management, and Queries
Chapter 3: Managing and Collecting Data
Choosing data that mattersUnderstanding connectorsNative connections – service to serviceDirect connections – service to serviceAPI connectionsAgent-basedConfiguring Microsoft Sentinel connectorsConfiguring Log Analytics storage optionsCalculating the cost of data ingestion and retentionReviewing alternative storage optionsSummaryQuestionsFurther reading
Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel
Introduction to TIUnderstanding STIX and TAXIIChoosing the right intel feeds for your needsImplementing TI connectorsEnabling the data connectorRegistering an app in Azure ADConfiguring the MineMeld TI feedConfirming the data is being ingested for use by Microsoft SentinelSummaryQuestionsFurther reading
Chapter 5: Using the Kusto Query Language (KQL)
Running KQL queriesIntroduction to KQL commandsTabular operatorsQuery statementsThe let statementScalar functionsThe ago() functionString operatorsSummaryQuestionsFurther reading
Chapter 6: Microsoft Sentinel Logs and Writing Queries
An introduction to the Microsoft Sentinel Logs pageNavigating through the Logs pageThe page headerThe Tables paneThe Queries paneThe Functions paneThe Filter paneThe KQL code windowRunning a queryThe Results windowLearn moreWriting a queryThe billable data ingestedMap view of loginsOther useful tablesSummaryQuestionsFurther reading

Section 3: Security Threat Hunting
Chapter 7: Creating Analytic Rules
An introduction to Microsoft Sentinel AnalyticsTypes of analytic rulesNavigating through the Analytics home pageCreating an analytic ruleCreating a rule from a rule templateCreating a new rule using the wizardManaging analytic rulesSummaryQuestionsFurther reading
Chapter 8: Creating and Using Workbooks
An overview of the Workbooks pageThe workbook headerThe Templates viewWorkbook detail viewMissing required data typesSaved template buttonsWalking through an existing workbookCreating workbooksCreating a workbook using a templateCreating a new workbook from scratchEditing a workbookAdvanced editingManaging workbooksWorkbook step typesTextQueryMetricParametersLinks/tabsGroupsAdvanced SettingsStyleSummaryQuestionsFurther reading
Chapter 9: Incident Management
Using the Microsoft Sentinel Incidents pageThe header barThe summary barThe search and filtering sectionIncident listingIncident details paneUsing the Actions buttonExploring the full details pageThe Timeline tabThe Alerts tabThe Bookmarks tabThe Entities tabThe Comments tabInvestigating an incidentShowing related alertsThe Timeline buttonThe Info buttonThe Entities buttonThe Insights buttonThe Help buttonSummaryQuestionsFurther reading
Chapter 10: Configuring and Using Entity Behavior
Introduction to Microsoft Sentinel Entity behaviorEnabling Entity behaviorOverview of the Entity behavior pageThe header barThe search sectionEntities with alertsOverview of the Entity behavior details pageIdentifying informationNotable eventsInsightsCreating Entity behavior queriesHeader barActivities listActivity details paneAdding a new activitySummaryQuestionsFurther reading
Chapter 11: Threat Hunting in Microsoft Sentinel
Introducing the Microsoft Sentinel Hunting pageThe header barThe summary barThe hunting queries listHunting query details paneWorking with Microsoft Sentinel hunting queriesAdding a new queryEditing a queryCloning a queryDeleting a queryAdding to LivestreamCreating an analytics ruleWorking with livestreamWorking with bookmarksCreating a bookmarkViewing bookmarksAssociating a bookmark with an incidentUsing Microsoft Sentinel notebooksThe header barThe summary barThe notebook listThe notebook details paneCreating a workspacePerforming a huntDeveloping a premiseDetermining dataPlanning a huntExecuting an investigationRespondingMonitoringImprovingSummaryQuestionsFurther reading
Section 4: Integration and Automation
Chapter 12: Creating Playbooks and Automation
Introduction to Microsoft Sentinel playbooksIntroduction to Microsoft Sentinel AutomationThe header barThe summary barAutomation rules listingAdding a new automation rulePlaybook pricingTypes of playbooksOverview of the Microsoft Sentinel connectorExploring the Playbooks tabLogic app listingLogic app settings pageThe menu barThe header barThe essentials sectionThe Runs history sectionCreating a new playbookUsing the Logic Apps Designer pageThe Logic Apps Designer header barThe Logic Apps Designer workflow editor sectionCreating a simple Microsoft Sentinel playbookSummaryQuestionsFurther reading
Chapter 13: ServiceNow Integration for Alert and Case Management
A brief history of Microsoft Sentinel and ServiceNow integrationIntegrating Microsoft Sentinel with ServiceNow ITSM using Microsoft Sentinel Logic AppsIntegrating Azure security alert sources (not just Sentinel) with ServiceNow Security Incident Response via the Microsoft Graph Security APIIntegrating Microsoft Sentinel with ServiceNow Security Incident Response via an API directly to Microsoft SentinelSteps to integrate Microsoft Sentinel with ServiceNowConfiguring the Microsoft Azure portalInstalling the Microsoft Sentinel integration plugin in ServiceNowConfiguring the ServiceNow Sentinel plugin to authenticate to Microsoft SentinelCreating profiles in the ServiceNow Sentinel integration pluginSummary
Section 5: Operational Guidance
Chapter 14: Operational Tasks for Microsoft Sentinel
Dividing SOC dutiesSOC engineersSOC analystsOperational tasks for SOC engineersDaily tasksWeekly tasksMonthly tasksAd hoc tasksOperational tasks for SOC analystsDaily tasksWeekly tasksMonthly tasksAd hoc tasksSummaryQuestions
Chapter 15: Constant Learning and Community Contribution
Official resources from MicrosoftOfficial documentationTech community – blogsTech community – forumsFeature requestsLinkedIn groupsOther resourcesResources for SOC operationsMITRE ATT&CK® frameworkNational Institute of Standards for Technology (NIST)Using GitHubGitHub for Microsoft SentinelGitHub for community contributionSpecific components and supporting technologiesKusto Query LanguageJupyter NotebookMachine learning with FusionAzure Logic AppsSummary
Assessments
Chapter 1Chapter 2Chapter 3Chapter 4Chapter 5Chapter 6Chapter 7Chapter 8Chapter 9Chapter 10Chapter 11Chapter 12Chapter 14
Why subscribe?
Other Books You May EnjoyWork with AKS (Azure Kubernetes Service) and use it with service mesh technologies to design a microservices hosting platform Packt is searching for authors like youShare Your Thoughts

Content preview from Microsoft Sentinel in Action - Second Edition

Chapter 8: Creating and Using Workbooks

Microsoft Sentinel workbooks are a way to create and show customizable and interactive reports that can display graphs, charts, and tables. Information can be presented from Log Analytics workspaces using the same Kusto Query Language (KQL) queries that you already know how to use. These workbooks are based on the workbook technology that has already been used with other Azure resources, including Azure Monitor and Log Analytics workspaces.

Microsoft Sentinel provides several templates that are ready for use. You can use these templates to create your own workbook that can then be modified as needed. Most of the data connectors that are used to ingest data come with their own workbooks, to allow you better ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Microsoft Sentinel: Planning and implementing Microsoft's cloud-native SIEM solution, 2nd Edition

Publisher Resources

ISBN: 9781801815536

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Microsoft Sentinel in Action - Second Edition

by Richard Diver, Gary Bushey, John Perkins

Chapter 8: Creating and Using Workbooks

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.