This document provides an overview and summary of Microsoft Sentinel, a cloud-native security information and event management (SIEM) tool powered by artificial intelligence. The summary highlights that Microsoft Sentinel allows organizations to harness the scale of the cloud to optimize security operations, detect evolving threats using machine learning, and expedite incident response. It collects security data from any source at cloud scale, provides analytics and hunting capabilities, integrates threat intelligence, and enables automated incident response through orchestration and playbooks.
Talking about Next-Gen Security Operation Center for IDNIC+APJII as representative from IDSECCONF. A people-centric SOC requires a lot of investment in people, in terms of both quantity and quality; unfortunately, (good) IT security people are getting rare these days. Organisations need to put more of their investment into technology, since in Industry 4.0 machines are getting more advanced at supporting humans in doing continuous and repetitive tasks.
Moving from a “traditional” to a next-gen SOC requires a proper plan; that is what this talk was about.
Cybersecurity roadmap: Global healthcare security architecture by Priyanka Aash
Using NIST cybersecurity framework, one of the largest healthcare IT firms in the US developed the global security architecture and roadmap addressing security gaps by architecture domain and common security capability. This session will discuss the architecture framework, capability matrix, the architecture development methodology and key deliverables.
(Source : RSA Conference USA 2017)
What is SIEM? A Brilliant Guide to the Basics by Sagar Joshi
SIEM is a technological solution that collects and aggregates logs from various data sources, discovers trends, and alerts when it spots anomalous activity, like a possible security threat.
SOC presentation - Building a Security Operations Center by Michael Nickle
Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (Product and services) that my employer achieved with this product line.
Building a Cyber Security Operations Center for SCADA/ICS Environments by Shah Sheikh
Abstract: Modern day cyber threats are ever increasing in sophistication and evasiveness against Process Control Networks. Organizations in the industry are facing a constant challenge to adopt modern techniques to proactively monitor the security posture within the SCADA infrastructure whilst keeping cyber attackers and threat actors at bay.
In this presentation we will cover the fundamental building blocks of building a SCADA cyber security operations center with key responsibilities such as Incident Response Management, Vulnerability and Patch Management, Secure-by-design Architecture, Security Logging and Monitoring and how such security domains drive accountability and act as a line of authority across the PCN.
Building an effective Information Security Roadmap by Elliott Franklin
As company information security functions continue to grow each year with increasing attacks and regulations, how are you handling the pressure? Are you constantly battling to run the business projects and reacting to customer requests? Have you blocked off a few hours each week on your calendar to close your email, turn off your phone and try to build, assess and maintain an effective vision for your security team? This presentation will discuss a cascading approach to creating such a roadmap that is easily understood by executives and has helped gain quick buy-in for multiple enterprise-wide security projects.
From SIEM to SOC: Crossing the Cybersecurity Chasm by Priyanka Aash
You own a SIEM, but to be secure, you need a Security Operations Center! How do you cross the chasm? Do you hire staff or outsource? And what skills are needed? Mike Ostrowski, a cybersecurity industry veteran, will review common pitfalls experienced through the journey from SIEM to SOC, the pros and cons of an all in-house SOC vs. outsourcing, and the benefits of a hybrid SOC model.
Learning Objectives:
1: You own a SIEM, but to be secure, you need a SOC. How do you cross the chasm?
2: What are the pros and cons of in-house, fully managed and hybrid security?
3: What considerations go into deciding whether to employ a hybrid strategy?
(Source: RSA Conference USA 2018)
Get comprehensive protection across all your platforms and clouds
Protect your organization from threats across devices, identities, apps, data and clouds. Get unmatched visibility into your multiplatform environment that unifies Security Information and Event Management (SIEM) and Extended Detection and Response (XDR). Simplify your security stack with Azure Sentinel and Microsoft Defender.
The IBM Security Intelligence Platform, also known as QRadar®, integrates SIEM, log management, anomaly detection, vulnerability management, risk management and incident forensics into a unified, highly scalable, real-time solution that provides superior threat detection, greater ease of use, and low total cost of ownership compared with competitive products.
Azure Sentinel is Microsoft's cloud-native SIEM and SOAR. Say goodbye to a six-month SIEM solution setup and architecture: get started with visibility into your environment right now, and use the rich ecosystem of connectors to extend intelligence to your complete security suite.
Cyberspace is the new battlefield:
We’re seeing attacks on civilians and organizations from nation states. Attacks are no longer just against governments or enterprise systems directly. We’re seeing attacks against private property—the mobile devices we carry around every day, the laptops on our desks—and public infrastructure. What started a decade and a half ago as a sense that there were some teenagers in a basement hacking away has moved far beyond that. It has morphed into sophisticated international organized crime and, worse, sophisticated nation-state attacks.
Personnel and resources are limited:
According to an annual survey of 620 IT professionals across North America and Western Europe from ESG, 51% of respondents said their organization had a problematic shortage of cybersecurity skills, up from 23% in 2014 [1]. The security landscape is getting more complicated and the stakes are rising, but many enterprises don’t have the resources they need to meet their security needs.
Virtually anything can be corrupted:
The number of connected devices in 2018 is predicted to top 11 billion, not including computers and phones. As we connect virtually everything, anything can be disrupted. Everything from the cloud to the edge needs to be considered and protected [2].
Dragos S4x20: How to Build an OT Security Operations Center by Dragos, Inc.
Senior Director of Business Development Matt Cowell's S4x20 presentation details how to build an effective OT security operations center and the tools and skills needed.
SOC Architecture - Building the NextGen SOC by Priyanka Aash
Why are APTs difficult to detect
Revisit the cyber kill chain
Process orient detection
NextGen SOC Process
Building your threat mind map
Implement and measure your SOC
Azure Day Rome Reloaded 2019 - Azure Sentinel: set up automated threat respon... by azuredayit
We will create a security playbook, that is, a collection of procedures that can be run from Azure Sentinel in response to an alert. It helps automate and orchestrate that response, and can be run manually or set to run automatically when specific alerts are triggered.
Microsoft Azure Sentinel is a new Cloud native SIEM service with built-in AI for analytics that removes the cost and complexity of achieving a central and focused near real-time view of the active threats in your environment.
Knowledge is power. This session will explore the rich real-time telemetry and tools available in Windows and in our cloud services for analyzing security activity in your IT environment.
Organizations need to apply security analytics to obtain seamless visibility and monitoring across both their on-premises and cloud environments. These challenges can be solved with comprehensive detection rules and behavioral analytics to ensure you detect potential threats.
Join FireEye and AWS to learn how Threat Analytics Platform (TAP) helped unify a major U.S. financial company’s on-premises and cloud-based Security Operations Centers (SOCs) by providing a single, cloud-based solution for monitoring their hybrid IT environment. FireEye’s TAP provides seamless visibility, detection and investigation across your on-premises and AWS Cloud environments ensuring actionable insight into threats targeting your company.
Join us to learn:
• How TAP ingests and analyzes AWS CloudTrail log files, providing visibility into both your AWS environment and the applications running on it
• TAP's best practices workflow to guide and inform your threat investigation
• How a major U.S. financial company unified their on-premises and cloud-based SOCs in to a single, cloud-based security operation
Who should attend: Directors and Managers of Security, IT Administrators, IT Architects, and IT Security Engineers
Here's where Microsoft has invested, across these areas: identity and access management, apps and data security, network security, threat protection, and security management.
We’ve put a tremendous amount of investment into these areas and the way it shows up is across a pretty broad array of product areas and features.
Our Identity and Access Management tools enable you to take an identity-based approach to security, and establish truly conditional access policies
Our App and Data Security help you protect your apps and your data as it moves around—both inside and outside your organization
Azure includes a robust networking infrastructure with built-in security controls for your application and service connectivity.
Our Threat Protection capabilities are built in and fully integrated, so you can strengthen both pre-breach protection with deep capabilities across e-mail, collaboration services, and end points including hardware based protection; and post-breach detection that includes memory and kernel based protection and response with automation.
And our Security Management tools give you the visibility and more importantly the guidance to manage policy centrally
Microsoft Sentinel and Its Components.pptx by Infosectrain3
Microsoft Sentinel was previously known as Azure Sentinel. It is a cloud-based SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) tool used by security operations analysts to gather information from many sources and provide security insights to the corporation.
Overall Security Process Review CISC 6621Agend.docx by karlhennesey
Overall Security Process Review
CISC 662
Agenda
Review of the following technologies and current products:
SIEM
CASB
EDR (Enterprise Detection and Response)
NGFW (Next Generation Firewalls)
Threat Intelligence
Summary of Term
SANS Technology Institute - Candidate for Master of Science Degree
What is a SIEM?
SIEM - Security Information Event Management
Logging and Event Aggregation
Network (router,switch,firewall,etc)
System (Server,workstation,etc)
Application (Web, DB )
Correlation Engine
2+ related events = higher alarm (1+1=3)
At first glance SIEM appliances and software look like an event aggregator. While a SIEM has the advantage of aggregating logs, what sets SIEMs apart from the event-aggregator market is the correlation engine.
The correlation engine makes it possible to uncover threats and attacks across multiple related events which by themselves would not be a cause for alarm.
SIEM
What is a SIEM?
Security information and event management (SIEM) is the technology that can tie all your systems together and give you a comprehensive view of IT security.
IT security is typically a patchwork of technologies – firewalls, intrusion prevention, endpoint protection, threat intelligence and the like – that work together to protect an organization’s network and data from hackers and other threats. Tying all those disparate systems together is another challenge, however, and that’s where SIEM can help.
SIEM systems manage and make sense of security logs from all kinds of devices and carry out a range of functions, including spotting threats, preventing breaches before they occur, detecting breaches, and providing forensic information to determine how a security incident occurred as well as its possible impact.
Using SIEM
How do SIEM Products help the following Security concerns?
Countermeasures to detect attempts to infect internal system
Identification of infected systems trying to exfiltrate information
Mitigation of the impact of infected systems
Detection of outbound sensitive information ( DLP)
These questions are a core part of a company's overall security architecture. If a SIEM isn't providing answers or solutions to these questions, what is it doing?
If you aren't using your SIEM to solve issues like these it may just be an expensive log aggregator/collection system sitting in your network collecting dust.
SIEM Advantages
Correlation of data from multiple systems and from different events detecting security and operational conditions
Anomaly detection by using a baseline of events over time to find deviations from expected or normal behavior
Comprehensive view into an environment based on event types, protocols, log sources, etc
APT (advanced persistent threat) protection through detection of protocol and application anomalies
Prioritization based on risk of threat to assets, staff can triage the most vulnerable targets
Alerting and monitoring on events of interest to escalate pri ...
Platform + Intelligence + Partners
This new understanding has led us to build new solutions for our customers. It informs our entire approach across three critical elements:
Building a platform that looks holistically across all the critical end-points we talked about – building security into our platform as well as providing security tools and technologies to you
Acting on the Intelligence that comes from our security-related signals and insights – helps you and us to detect threats more quickly
Fostering a vibrant ecosystem of partners who help us raise the bar across the industry – we know we’re not your only security vendor, and we want to work with the industry and take a holistic approach to technology
Microsoft 365 provides holistic security that is aligned to these four pillars of security.
By helping enterprise businesses secure corporate data and manage risk in today’s mobile-first, cloud-first world, Microsoft 365 E5 enables customers to digitally transform by unifying user productivity and enterprise security tools into a single suite that enables the modern workplace.
Identity & Access Mgmt
Protect users’ identities and control access to valuable resources based on user risk level
Information Protection
Ensure documents and emails are seen only by authorized people
Threat Protection
Protect against advanced threats and recover quickly when attacked
Security Management
Gain visibility and control over security tools
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 by Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
JMeter webinar - integration with InfluxDB and Grafana by RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Accelerate your Kubernetes clusters with Varnish Caching by Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... by Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Epistemic Interaction - tuning interfaces to provide information for AI support by Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 by Tobias Schneck
As AI technology is pushing into IT, I was wondering, as an “infrastructure container kubernetes guy”, how does this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud-native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you with a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and of what could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I have already got working for real.
Key Trends Shaping the Future of Infrastructure.pdf by Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
UiPath Test Automation using UiPath Test Suite series, part 4 by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
DevOps and Testing slides at DASA Connect by Kari Kakkonen
My and Rik Marselis's slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
07 - Defend Against Threats with SIEM Plus XDR Workshop - Microsoft Sentinel Overview.pptx
1. Defend Against Threats with SIEM Plus XDR Workshop
Microsoft Sentinel Overview
Presenter name
Date
Always make sure you have the latest version of this presentation before you start a new engagement!
3. Security operations challenges
76% report increasing security data*
Too many disconnected products
Sophistication of threats
3.5M unfilled security jobs in 2021**
IT deployment and maintenance
Lack of automation
44% of alerts are never investigated*
5. Microsoft Sentinel
Optimize security operations with cloud-native SIEM powered by AI and automation
Harness the scale of the cloud
Detect evolving threats
Expedite incident response
Get ahead of attackers
6. Harness the scale of cloud-native SIEM
Eliminate infrastructure setup or maintenance
Put no limits on compute or storage resources and scale at will
Collect and analyze data across your entire organization at cloud scale
Pay only for what you use—resulting in a SIEM 48% less expensive than traditional SIEMs*
7. Detect evolving threats
Harness ML based on decades of Microsoft security experience and learnings
Leverage threat intelligence from Microsoft’s expert security team, or bring in your own
Dive deeper with XDR through Microsoft 365 Defender and Microsoft Defender for Cloud integration
8. Expedite investigation and response
Focus on what matters with AI that reduces false positives by 79%*
Easily understand the scope of an attack with incidents that automatically map related entities
Integrate automation into your day-to-day operations workflow
9. Stay ahead of attackers
Rapidly hunt for threats with the speed of the cloud using robust threat hunting tooling
Get advanced insights into entities fueled by built-in User and Entity Behavior Analytics (UEBA)
Conduct advanced, custom hunting with built-in Jupyter notebooks
11. “Microsoft roars into the security analytics market… The vendor’s entry into the security analytics space captivated security buyers. Microsoft’s bold move to allow the ingestion of Microsoft Azure and Microsoft Office 365 activity logs into Sentinel at no cost makes the solution attractive to enterprises invested in Azure and Microsoft 365.”
- The Forrester Wave™: Security Analytics Platforms, Q4 2020 report
The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
12. Microsoft Sentinel has more than 10,000 paying customers analyzing 5 petabytes of data per month
15. Collect security data at cloud scale from any source
Azure + Microsoft 365: Security Alerts, Activity Data
Collectors: CEF, Syslog, Windows, Linux
TAXII + Microsoft Graph: Threat Indicators
APIs: Custom Logs
Proven log platform with more than 10 petabytes of daily ingestion
16. Integrate out-of-the-box with your existing tools in Azure, on-premises, or in other clouds
150+ out-of-the-box integrations, with more on the way
17. Get interactive dashboards for powerful insights
Choose from a gallery of workbooks
Customize or create your own workbooks using queries
Take advantage of rich visualization options
Gain insight into one or more data sources
20. Leverage extensive library of detections or build your own
Choose from more than 100 built-in analytics rules
Customize and create your own rules using KQL queries
Correlate events with your threat intelligence and now with Microsoft URL intelligence + network data
Democratize machine learning with code-free, customizable ML anomaly detections
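Added example, not taken from the deck or from Microsoft's own rule templates: a scheduled analytics rule of the kind the "create your own rules using KQL queries" bullet refers to. Rather than a single global number, it alerts when an account's failed sign-ins in the last hour exceed both a fixed floor and three times that account's own 14-day hourly average, so the threshold follows each account's normal pattern. It assumes the SigninLogs table (Azure AD sign-in logs, where ResultType "0" is a success); the 20-failure floor and the 3x multiplier are constructed starting values to tune per environment.

```kql
// Added example (not from the deck): per-account failed sign-in spike rule.
// Assumes the SigninLogs table. Thresholds below are constructed starting values.
let lookback = 14d;
let window = 1h;
let floor_failures = 20;
let baseline_hours = 14 * 24 - 1;   // hours covered by the baseline range (14d ago .. 1h ago)
// Per-account hourly failure rate over the baseline period, excluding the current window
let baseline = SigninLogs
    | where TimeGenerated between (ago(lookback) .. ago(window))
    | where ResultType != "0"                     // ResultType "0" is a successful sign-in
    | summarize BaselineFailures = count() by UserPrincipalName
    | extend BaselinePerHour = todouble(BaselineFailures) / baseline_hours;
SigninLogs
| where TimeGenerated > ago(window)
| where ResultType != "0"
| summarize RecentFailures = count(),
            DistinctIPs = dcount(IPAddress),
            Apps = make_set(AppDisplayName, 10),
            ResultCodes = make_set(ResultType, 10),
            LastFailure = max(TimeGenerated)
    by UserPrincipalName
| join kind=leftouter baseline on UserPrincipalName
| extend BaselinePerHour = coalesce(BaselinePerHour, 0.0)   // accounts with no history get a zero baseline
| where RecentFailures > floor_failures and RecentFailures > 3 * BaselinePerHour
| project UserPrincipalName, RecentFailures, BaselinePerHour, DistinctIPs, Apps, ResultCodes, LastFailure
| order by RecentFailures desc
// Rule wizard entity mapping: Account entity -> UserPrincipalName, so the
// incident gets the account entity attached automatically.
```

Run the query in Logs first with the window widened to a day to see how many accounts it would have fired on; the floor keeps low-volume accounts with an empty baseline from alerting on a handful of typos, and the multiplier catches the spike against accounts that always see some failures.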
21. Improve insider and unknown threat detection with User and Entity Behavior Analytics
Use behavioral insights to detect anomalies, understand the relative sensitivity of entities, and evaluate potential impact
Get baseline behavioral profiles of entities across time and peer group horizons
Powered by the proven Microsoft User and Entity Behavior Analytics (UEBA) engine
23. Start hunting over security data with fast, flexible queries
Run built-in threat hunting queries—no prior query experience required
Customize and create your own hunting queries using KQL
Integrate hunting and investigations
Use bookmarks and live stream to manage your hunts
24. Use Jupyter notebooks for advanced hunting
Run in Azure Machine Learning
Use sample templates to help you get started
Save as sharable HTML/JSON
Query Microsoft Sentinel data and bring in external data sources
Use your language of choice—Python, SQL, KQL, R, …
26. Monitor and manage threat intelligence
Create, view, search, filter, sort, and tag all your threat indicators in a single pane
Use alert metrics to help understand top threats targeting your organization
Use automation playbooks for leading threat intelligence providers to enrich alerts
27. Use Watchlists to integrate business insights
Create collections of data for threat hunting and detection (e.g. restricted IPs, trusted systems, critical assets, risky users, vulnerable hosts)
Incorporate watchlists into analytic rules, hunting queries, workbooks, and more—create allow/deny lists, add context, and add enrichments
Upload a CSV file, or use automation playbooks to upload
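Added example, not from the deck: how a watchlist actually enters a query. It combines the two watchlist uses the slide lists, context (which hosts are critical and who owns them) and an allow list (which accounts are expected there), in one detection for interactive logons to high-value hosts by anyone not on the approved list. The watchlist names and their CSV columns are constructed assumptions; the query assumes the SecurityEvent table with Windows logon auditing (EventID 4624).

```kql
// Added example (not from the deck): detection built on two watchlists.
// Constructed watchlist assumptions:
//   'HighValueAssets' CSV columns: HostName, Owner, Tier
//   'ApprovedAdmins'  CSV columns: Account          (allow list, DOMAIN\user)
// Assumes the SecurityEvent table (Windows security log via the AMA/MMA connector).
let assets = _GetWatchlist('HighValueAssets')
    | project HostName = tolower(tostring(HostName)), Owner, Tier;
let approved = _GetWatchlist('ApprovedAdmins')
    | project Account = tolower(tostring(Account));
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4624                                          // successful logon
| where LogonType in (2, 10)                                     // interactive or RDP; skips service/network noise
| extend HostName = tolower(tostring(split(Computer, ".")[0]))   // short host name, to match the CSV
| extend Account = tolower(Account)                              // SecurityEvent Account is DOMAIN\user
| join kind=inner assets on HostName                             // keep only logons to watchlisted hosts
| where Account !in (approved)                                   // drop accounts on the allow list
| summarize Logons = count(),
            SourceIPs = make_set(IpAddress, 20),
            LastLogon = max(TimeGenerated)
    by Account, HostName, Owner, Tier
| order by Tier asc, Logons desc
// Entity mapping: Host -> HostName, Account -> Account. Editing the CSV in the
// Watchlists blade changes what the rule covers without touching the query.
```

The normalisation to lower case on both sides matters: watchlist CSVs are typed by hand and Windows reports hosts and accounts with whatever casing the event happened to carry, so without it the join silently misses rows.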
28. Access unified insights with entity profiles
Get a complete view of a host or user by bringing together data from multiple sources, including UEBA
View timeline information across the most relevant data sources
Use Insights to quickly identify activities of interest
Customize timeline to tune results and add other data sources
Link directly to Microsoft 365 and Microsoft Defender for Cloud where relevant for more information
30. Start and track investigations from prioritized, actionable security incidents
Use incidents to collect related alerts, events, and bookmarks
Manage assignments and track status, with automation at your fingertips
Collaborate easily with built-in Microsoft Teams integration
31. Visualize the entire attack to determine scope and impact
Navigate the relationships between related alerts, bookmarks, and entities
Expand the scope using exploration queries
Gain deep insights into related entities—users, domains, and more
80% reduction in investigation effort compared to legacy SIEMs (commissioned study: The Total Economic Impact™ of Microsoft Sentinel)
32. Gain deeper insight with built-in automated detonation
Configure URL Entities in analytics rules
Automatically trigger URL detonation
Enrich alerts with Verdicts, Final URLs and Screenshots (e.g. for phishing sites)
34. Respond rapidly with built-in orchestration and automation
Build automated and scalable playbooks that integrate across tools:
Security products
Ticketing systems (ServiceNow)
Additional tools
35. Automate and orchestrate security operations using integrated Azure Logic Apps
Build automated and scalable playbooks that integrate across tools
Choose from a library of samples
Create your own playbooks using 200+ built-in connectors
Trigger a playbook from an alert or incident investigation
36. Take actions today: Get started with Microsoft Sentinel
Start a Microsoft Azure trial
Open the Microsoft Sentinel dashboard in the Azure portal
Connect data sources
To learn more, visit https://aka.ms/MicrosoftSentinel
Previous versions:
1.0 Initial Release of Security Workshop with or without Threat Check, July 2019
2.0 Initial Release of Security Workshop with Azure Sentinel Add-on module, July 2020
2.1 Updated Microsoft Defender product names and added the Endpoint Protection optional module. Added customer cost savings optional module, October 2020
2.2 Initial Release as Security Workshop without Azure Sentinel Add-on module, February 2021
2.3 Added Hybrid Identity Protection optional module, April 2021
3.0 Name changed to Threat Protection Workshop, July 2021
3.1 Added Attack Simulation, April 2022
Today, organizations are faced with the incredibly difficult task of trying to protect their expanded digital estate from increasing cyber threats. The move to the cloud and a mobile workforce have pushed the border of your estate beyond the boundary of your physical network. Your data, users, and systems are everywhere. Meanwhile, the frequency and sophistication of attacks are ever growing. Regardless of the size of your organization or the industry, you are a target.
This is the challenge that we all struggle with in IT security. And it's a challenge we at Microsoft think that we can uniquely help with.
This creates significant challenges for your security operations teams who are tasked with defending your extended estate.
Security data explosion
As your digital estate grows, so does the volume of security data. In fact, 76% of organizations report an increase, and much of it is coming from the cloud. So pumping it into legacy, on-premises systems (with all the deployment and maintenance overhead that comes with that) just doesn’t make a ton of sense. And that volume is just going to keep growing. Data is the fuel for the ML models that have become so critical to threat detection, and those models need both more signals and more diverse signals.
To shore up their defenses, enterprises have deployed dozens of security products, each producing a large volume of alerts. In isolation, these products may have high false positive rates and poor response prioritization, resulting in deafening alert noise. As a result, organizations report that nearly half of alerts (44%) are never investigated.
Part of the reason for these alerts to fall through the cracks is a massive shortage in security professionals. A recent report by CSO magazine showed that this global talent shortage will increase to 3.5 million unfilled security jobs by 2021.
The cloud can help manage that complexity of the expanding digital estate. It simplifies and makes security easy to manage. Harnessing the power of cloud will set your SecOps teams free of IT work and help them focus on security work with no limits.
Next generation of AI and automation in the cloud helps to super-charge your work. It will leverage the large-scale intelligence available in the cloud and make it work for you.
This is where Microsoft Sentinel comes in. Microsoft Sentinel offers a new, modern approach to SIEM, entirely cloud-native and powered by AI and automation to help optimize security operations.
Microsoft Sentinel’s cloud-native nature empowers you with the scale, flexibility, and speed of the cloud, while eliminating the time and money spent on managing infrastructure.
It detects complex, evolving threats across massive volumes of low-fidelity signals using built-in machine learning developed by Microsoft security experts.
It gives you everything you need to expedite incident response, streamlining investigations with robust incidents and equipping you with built-in automation.
And finally, with these efficiency gains, Microsoft Sentinel gives you the ability to finally be proactive about finding and stopping threats. It includes robust threat hunting tools to help you get ahead of attackers.
It all starts with the cloud. Microsoft Sentinel gives you the power and flexibility of cloud-native SIEM.
Eliminate infrastructure setup and maintenance, enabling you to focus on what really matters – protecting the organization.
You have no limits to compute or storage resources, and can scale up or down at will.
Microsoft Sentinel gives you everything you need to take advantage of this unmatched scale – you can collect and analyze data from all clouds, users, devices, and solutions, all powered by the speed and scale of a leading cloud platform.
And all of this also results in much greater cost efficiency than traditional SIEM. According to the 2020 Total Economic Impact™ of Microsoft Sentinel study by Forrester Consulting, Microsoft Sentinel is 48% less expensive in licensing and infrastructure costs than traditional SIEMs.
What do you do with all of that data? Microsoft Sentinel uses machine learning created by Microsoft’s security experts to filter all of those low-fidelity signals into actionable threat detection.
Our machine learning is based on Microsoft’s extensive experience and insights as a major $10B/year security vendor.
Microsoft Sentinel also includes built-in user and entity behavioral analytics fully integrated into the platform for deep understanding of behavioral anomalies.
Leverage threat intelligence from Microsoft’s security expertise, or bring your own with flexible TI management capabilities.
Plus, Microsoft Sentinel integrates natively with Microsoft 365 Defender and Microsoft Defender for Cloud, Microsoft’s XDR solutions, for integrated threat protection.
---
Get deep understanding of behavioral anomalies with built-in UEBA.
Conduct investigations and response more efficiently than ever.
Microsoft Sentinel’s AI reduces false positives by 79%, ensuring that you only spend time on incidents that actually need your attention.
With incidents, Microsoft Sentinel automatically maps related entities, allowing you to easily see and understand the full scope of an attack.
And with built-in automation, you can streamline day-to-day operations and accelerate your response.
All of these factors lead to massive efficiency gains, and with that saved time you are finally able to shift from reactive to proactive. Many Microsoft Sentinel customers are finally able to strategically and proactively hunt for threats after years of being stuck in an endless loop of reactive response.
Microsoft Sentinel includes robust tooling for threat hunting, allowing you to rapidly search over massive amounts of data with the speed enabled by cloud-native SIEM.
You can leverage built-in UEBA for deeper insights into individual entities.
And Microsoft Sentinel includes everything you need for advanced, custom hunting, like built-in Jupyter Notebooks.
What’s the result of all of these things in sum? A SecOps team that’s empowered, efficient, and better equipped to protect the organization.
Here are just a few examples of the efficiency gains Microsoft Sentinel brings to your security operations:
It is more cost effective, shown to be 48% less expensive than traditional SIEMs.
It results in a 79% decrease in false positives over three years.
It is 67% quicker to deploy than legacy SIEMs, helped by its extensive pre-built content and out-of-the-box functionality.
It results in a 56% reduction in management effort by eliminating infrastructure management.
Its AI capabilities and investigation tooling result in an 80% reduction in investigation labor effort.
Talk track:
In its first year to market, Microsoft Sentinel has been recognized as a leader in the latest Forrester Wave™: Security Analytics Platform report, Q4 2020. The report highlights Sentinel’s ease of integration across other Microsoft technologies, automation, and the ability to ingest Microsoft Azure and Microsoft 365 activity logs at no cost as some of the key benefits that help make it a leader in this evaluation. Of the vendors evaluated, Microsoft also received the highest score in the Strategy category.
It’s not only analysts recognizing these benefits. Microsoft Sentinel today has more than 10,000 paying customers who are analyzing an average of five petabytes of data per month. Our customers include leading organizations across a broad spectrum of verticals.
Talk track:
It all starts with visibility. With Microsoft Sentinel, you can collect data from any source with more than 150 out of the box integrations, no matter whether those data sources are coming from Azure, other clouds, or on-prem. You can easily visualize all of this data with customizable visualizations.
One-click integration with Microsoft solutions
Data connectors for growing list of other technologies – on-premises and cross-cloud
Support for standard log formats (CEF/Syslog and WEF)
Specialized TAXII and Graph connectors for threat intelligence data
REST API for connecting to cloud solutions
Proven log analytics platform with more than 10 PB of daily data ingestion
We’re constantly adding more out of the box connectors. Today, Microsoft Sentinel includes more than 150 out of the box integrations, with more always on the way.
Interactive dashboards
Combines multiple kinds of visualizations – including graphs and maps
Provides deep insights into a single data source or combining multiple sources
Powered by KQL queries, making workbooks easy to build and customize
Talk track:
Now that we’ve shown you how we secure your identities and use authentication, let’s discuss how we further secure your organization from today’s evolving threat landscape with Microsoft’s threat protection solutions.
In today’s complex organizations, Microsoft’s industry-leading threat protection solutions help you defend across modern attack vectors. Microsoft’s threat protection empowers your organization’s defenders by putting the right tools and intelligence in the hands of the right people. The nature of attacks is constantly evolving. The way we think about defense must keep up.
Stay ahead of attackers with a unified SecOps experience: Threat-protection solutions from Microsoft deliver best-in-suite, integrated, automated security to help defend against modern attacks
Gain insights across your entire organization, end-to-end, with our cloud-native Security Information and Event Management tool (SIEM) Microsoft Sentinel
Detect and respond across attack vectors with Microsoft 365 Defender and Microsoft Defender for Cloud, our extended detection and response (XDR) solutions
Let’s take a closer look at how these integrated threat protection solutions work together.
We ingest raw activities from various cloud services such as O365 and Azure, along with the anomalous signals from security products like M365 Defender
We analyze millions of these anomalous signals to produce hundreds of suspicious candidates using advanced graph powered machine learning and probabilistic kill chain,
To reduce noise further, we apply one more round of machine learning analysis that yields high fidelity security incidents
It uses machine learning and a basic probability model to constrain edges. It builds connections using a stochastic process similar to how epidemics and outbreaks are modeled. It calculates the kill-chain connectivity metric which is then used for scoring.
In the 320 subgraphs example, we include: Identity detection, Credential access, New service principal created, SP added as admin, Persistence
More than 100 built-in alert rules were developed by Microsoft and community security experts
A wizard enables you to create your own analytics rules using KQL queries
Thresholds can be set to alert when activity levels exceed normal patterns
Correlate events with your threat intelligence and now with Microsoft intel about malicious URLs.
Microsoft has an unparalleled view of the evolving threat landscape
Customers can now match Microsoft URL TI with network logs
Matched MS indicators are added to the TI table for use like any other indicator
Retrospective lookbacks that match TI against historical event data and more TI types will be coming soon.
Alerts can be used to trigger automated playbooks
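Added example, not from the deck and not one of Sentinel's shipped TI-match rule templates, though it follows the same shape: the URL indicator matching described in the threat intelligence slide and in the "Correlate events with your threat intelligence" bullets above, written as a scheduled rule query. It takes the latest revision of each active, unexpired URL indicator and joins it against outbound requests in proxy/firewall CEF logs, keeping only traffic seen after the indicator was published. It assumes the CommonSecurityLog table (CEF through the Syslog/CEF collector) and the ThreatIntelligenceIndicator table fed by a TAXII or Graph TI connector; the confidence floor is a constructed value.

```kql
// Added example (not from the deck): URL indicator match against CEF proxy/firewall traffic.
// Assumes CommonSecurityLog and ThreatIntelligenceIndicator. ConfidenceScore floor is constructed.
let ioc_lookBack = 14d;     // how far back to take indicators
let dt_lookBack  = 1h;      // traffic window the scheduled rule covers
let indicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where isnotempty(Url)
    | summarize arg_max(TimeGenerated, *) by IndicatorId     // latest revision of each indicator
    | where Active == true and ExpirationDateTime > now()    // drop revoked and expired indicators
    | extend Url = tolower(Url)
    | project IndicatorPublished = TimeGenerated, IndicatorId, Url, ThreatType,
              Description, ConfidenceScore, SourceSystem;
CommonSecurityLog
| where TimeGenerated >= ago(dt_lookBack)
| where isnotempty(RequestURL)
| extend Url = tolower(RequestURL)
| join kind=inner indicators on Url
| where TimeGenerated >= IndicatorPublished          // only traffic seen after the indicator existed
| where ConfidenceScore >= 50                        // constructed confidence floor
| project TimeGenerated, SourceIP, SourceUserName, DestinationIP, RequestURL, DeviceVendor,
          DeviceProduct, DeviceAction, ThreatType, Description, ConfidenceScore,
          IndicatorId, SourceSystem
| order by TimeGenerated desc
// Entity mapping: IP -> SourceIP, URL -> RequestURL. Mapping the URL entity is
// also what lets the URL detonation enrichment run on the resulting alerts.
```

The arg_max step is the part people forget: indicators are re-ingested as they are updated, so without taking the newest revision per IndicatorId a revoked indicator can keep matching from its older, still-active row. DeviceAction is carried through so the analyst can see at a glance whether the proxy already blocked the request.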
In September, Microsoft Sentinel launched User and Entity Behavioral Analytics.
Microsoft Sentinel’s UEBA builds comprehensive entity profiles across time and peer group, identifying anomalies that indicate never-before-seen threats and insider risks
Leverage these entity analytics insights for threat hunting and detection using built-in queries and analytics rules
Unlike other UEBA solutions, you can onboard data sources in minutes.
Plus, get a unified view of a user or host with new entity profiles:
See UEBA insights for a particular entity
Get contextual information
See a timeline of activities and alerts across the most relevant data sources
Make decisions based on informed insights
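Added example, not from the deck: a query over the UEBA output described in this slide and in the "Improve insider and unknown threat detection" slide above, which lists the individual insights (first-time, uncommon-among-peers and similar) behind each user's high-priority anomalies and enriches them with directory context. It assumes the BehaviorAnalytics table written by Sentinel UEBA and the IdentityInfo table from UEBA's Azure AD sync; the priority threshold is a constructed value, and the query deliberately flattens the ActivityInsights property bag generically rather than hard-coding any insight names.

```kql
// Added example (not from the deck): which UEBA insights fired for each high-priority user.
// Assumes BehaviorAnalytics and IdentityInfo. Priority threshold is a constructed value.
BehaviorAnalytics
| where TimeGenerated > ago(24h)
| where InvestigationPriority >= 5                 // constructed threshold (scale 0-10)
| where isnotempty(UserPrincipalName)
// Flatten the ActivityInsights property bag into one row per insight key
| mv-expand insight = ActivityInsights
| extend InsightName = tostring(bag_keys(insight)[0])
| where tobool(insight[InsightName]) == true       // keep only the insights that fired
| summarize Insights = make_set(InsightName),
            MaxPriority = max(InvestigationPriority),
            Actions = make_set(ActionType, 10),
            SourceIPs = make_set(SourceIPAddress, 10),
            Locations = make_set(tostring(SourceIPLocation), 10),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName
| join kind=leftouter (
    IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountUPN   // most recent directory snapshot per user
    | project UserPrincipalName = AccountUPN, Department, JobTitle, IsAccountEnabled
  ) on UserPrincipalName
| project UserPrincipalName, MaxPriority, Insights, Actions, SourceIPs, Locations,
          Department, JobTitle, IsAccountEnabled, LastSeen
| order by MaxPriority desc, LastSeen desc
```

The Insights column is what makes the result reviewable: a priority score alone tells the analyst something is off, while the set of fired insights (and the department and title next to it) says whether a first-time country plus an uncommon application is plausible for that person or not.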
Talk track:
Built-in threat hunting queries developed by Microsoft and community experts
Run threat hunting queries and see the results without prior query experience
Create your own threat hunting queries unique to your environment using KQL
Start investigations directly from hunting queries
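Added example, not from the deck or from the built-in hunting gallery: a custom hunting query of the kind the "Create your own threat hunting queries" bullet describes, here from the hunting slide and from the "Start hunting over security data" slide above. It looks for executables that are new to a host, seen in the last day but never in the preceding 14 days, and rare even within that day, which is a different question from the volume-threshold rule used for analytics. It assumes the SecurityEvent table with process-creation auditing (EventID 4688) and command-line logging enabled.

```kql
// Added example (not from the deck): hunting query for executables new to a host.
// Assumes SecurityEvent with EventID 4688 and command-line auditing.
let recent  = 1d;
let history = 14d;
// Every (host, executable) pair already observed during the history period
let known = SecurityEvent
    | where TimeGenerated between (ago(history) .. ago(recent))
    | where EventID == 4688
    | extend ProcName = tolower(extract(@"([^\\]+)$", 1, NewProcessName))   // file name only
    | distinct Computer, ProcName;
SecurityEvent
| where TimeGenerated > ago(recent)
| where EventID == 4688
| extend ProcName = tolower(extract(@"([^\\]+)$", 1, NewProcessName))
| join kind=leftanti known on Computer, ProcName       // keep only never-before-seen pairs
| summarize Executions = count(),
            Accounts = make_set(SubjectUserName, 10),
            Paths = make_set(NewProcessName, 5),
            CommandLines = make_set(CommandLine, 5),
            FirstSeen = min(TimeGenerated)
    by Computer, ProcName
| where Executions <= 3                                // rare as well as new
| order by FirstSeen asc
// Rows worth keeping become bookmarks. Host -> Computer and Account -> SubjectUserName
// are the natural entity mappings if this is later promoted to an analytics rule.
```

Comparing on the file name rather than the full path is a choice: it hides a copy of a known tool dropped into an unusual directory, which is why Paths is kept in the output, but it avoids flagging every per-user install path of the same legitimate binary as new.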
You can now launch Azure Notebooks directly from Microsoft Sentinel, making it easy to create and execute Jupyter notebooks to analyze your data. Notebooks combine live code, graphics, visualizations, and text, making them a valuable tool for threat hunters. Choose from a built-in gallery of notebooks developed by Microsoft security analysts or import others from GitHub to get started. These notebooks are the same professional-strength hunting solutions Microsoft’s own threat hunters use every day.
Hosted in the Azure cloud so accessible anytime from anywhere
Investigation workflow and data can be saved as sharable HTML/JSON document
Query Microsoft Sentinel data directly in the notebook
Bring external data sources such as threat Intelligence into your investigations
Supports Python, SQL, KQL, R, and other languages
Container for alerts, events, and bookmarks related to a particular security threat
Automatically created from alerts or initiated by a security analyst when threat hunting
Can be assigned to analysts for further investigation and status can be tracked
Analysts can easily tag incidents and add comments
Trigger automated playbooks from incidents
Automatically correlate entities across different data sources and alerts
Expand the scope of your investigation using built-in exploration queries
View a timeline of related alerts, events, and bookmarks
Click on any node to see detailed information
Gain deep insights into related entities – users, domains, and more
Automatically detonate URLs to speed investigation
Microsoft Sentinel customers can now use the power of URL detonation to enrich alerts and quickly discover threats related to malicious URLs. When creating scheduled alerts, any URL data in the query results can be mapped to a new URL entity type. Whenever an alert containing a URL entity is generated, the mapped URL will be automatically detonated, and the investigation graph will be immediately enriched with the detonation results. A verdict, final URL and screenshot (especially useful for identifying phishing) can be used to quickly assess a potential threat. To use this feature, make sure you’ve enabled URL logging (e.g. threat logging) for your secure web gateways, web proxies, firewalls or legacy IDS/IPS. You can try this feature during the preview at no cost.
Microsoft Sentinel is introducing URL Entities
Use alert rules to automatically trigger URL detonation
Enrich alerts with Verdicts, Final URLs and Screenshots (e.g. for phishing sites)
Talk track:
While AI sharpens your focus on finding problems, once you have solved the problem you don’t want to keep finding the same problems over and over – rather you want to automate to address common issues. Microsoft Sentinel provides built-in automation with pre-defined or custom playbooks to solve repetitive tasks and to respond to threats quickly. Microsoft Sentinel will augment existing enterprise defense and investigation tools, including best-of-breed security products, homegrown tools, and other systems like HR management applications and workflow management systems like ServiceNow.
Powered by Azure Logic Apps and fully integrated with Microsoft Sentinel
Build automated and scalable playbooks that integrate across tools
Choose from a library of samples or create your own using more than 200 built-in connectors plus generic connectors like HTTPS
Trigger a playbook from an alert or incident investigation