INTRODUCTION
© 2021 Mighty Guides, Inc. I 9920 Moorings Drive I Jacksonville, Florida 32257 I 516-840-0244 I www.mightyguides.com
One big challenge for many security teams is consolidating and analyzing the data generated in a networked
environment. Organizations attempt to address this challenge by using a security information and event
management (SIEM) system to collect that data for analysis.
In addition to being a best-in-class SIEM system, Azure Sentinel is a platform for security orchestration,
automation, and response capable of automating playbooks; monitoring both Windows and Linux environments;
and monitoring Amazon, Google, and Azure clouds—and that’s just for starters.
Azure is a powerful tool that is easy to set up, but optimizing it requires security analysis skills and knowledge. To
learn more about setup and optimization, with the generous support of BlueVoyant, we asked seven experts the
following question:
Given your experience with Azure Sentinel, what advice can you offer for transitioning to and optimizing
this solution?
The experts tell us that one key to getting the most out of Azure Sentinel is choosing the right data. You don’t
want to ingest too much, which increases costs, or too little. Also, taking full advantage of the automation
features in Azure Sentinel is critical for rapid detection and response.
This ebook provides good advice from seasoned Azure Sentinel users that will help point you in the right direction
for your own Azure Sentinel implementation.
David Rogelberg
Editor
Mighty Guides, Inc.
Mighty Guides make you stronger.
These authoritative and diverse
guides provide a full view of a topic.
They help you explore, compare,
and contrast a variety of viewpoints
so that you can determine what will
work best for you. Reading a Mighty
Guide is kind of like having your own
team of experts. Each heartfelt and
sincere piece of advice in this guide
sits right next to the contributor’s
name, biography, and links so that
you can learn more about their work.
This background information gives
you the proper context for each
expert’s independent perspective.
Credible advice from top experts
helps you make strong decisions.
Strong decisions make you mighty.
FOREWORD
New approaches to cybersecurity are needed more than ever!
The pandemic has led to exponential growth in remote employees, expanding the attack surface for companies
big and small. Security teams struggle to cobble together solutions consisting of technologies from multiple
vendors, many of which were only designed to operate in legacy environments. Integration complexities, a lack
of security resources, and unrelenting attacks from cyber criminals have made securing the organization a
seemingly unattainable goal.
So what is the solution to eliminating this pain while also providing the security your company needs in a
cloud-first world? We believe a cloud-native, fully integrated security solution is what makes the most sense. To
bring our vision to life, we partnered with Microsoft to build consulting, implementation, and managed security
services around their SIEM and XDR tools that deliver the outcomes needed by companies operating in today’s
dangerous, highly interconnected world.
This Mighty Guide, one of three in a series, was written to help you better understand how specific Microsoft
security tools are being used by companies today and help you benefit from the lessons they have learned.
Enjoy the book!
Milan Patel
Global Head of Managed Security Services
BlueVoyant
BlueVoyant is an expert-driven
cybersecurity services company
whose mission is to proactively defend
organizations of all sizes against
today’s constant, sophisticated
attackers and advanced threats.
Led by CEO - Jim Rosenthal,
BlueVoyant’s highly skilled team
includes former government cyber
officials with extensive frontline
experience in responding to advanced
cyber threats on behalf of the National
Security Agency, Federal Bureau of
Investigation, Unit 8200, and GCHQ,
together with private sector experts.
BlueVoyant services utilize large real-
time datasets with industry-leading
analytics and technologies.
Founded in 2017 by Fortune 500
executives and former Government
cyber officials and headquartered in
New York City, BlueVoyant has offices
in Maryland, Tel Aviv, San Francisco,
London, and Latin America.
MEET OUR EXPERTS
SHARJEEL QAYYUM KHAN, edotco Group, IT Security Operation Lead, pg. 24
RAJESH KUMAWAT, Mastercard, Information Security Analyst, pg. 21
MAARTEN LEYMAN, delaware BeLux, Senior Security Consultant, pg. 12
LAWK SALIH, Independent Community Bankers of America, Vice President, Technology Systems and Services, pg. 9
REBECCA WYNN, Global CISO & Chief Privacy Officer, pg. 15
MICHAEL KAVKA, R.J. O’Brien, Sr. Security Engineer, pg. 18
OSCAR MONGE, Rabobank, Security Solutions Architect, pg. 6
“For new users, the biggest challenge will be learning
how best to use the technology and data connections
to produce the security protection they need.”
Microsoft Azure Sentinel Provides Total Integration of
Detection and Response
Microsoft Azure Sentinel is a security information event management
solution hosted in the Azure public cloud. It integrates with Microsoft’s
portfolio of security products, which enables you to send security data into a
common Azure Sentinel workspace, essentially a big bucket of information.
There, you can tell Azure Sentinel how to query the data, apply analytical
rules to it, and trigger alerts and other actions.
With Azure Sentinel, you can correlate data, create thresholds, create alarms,
and integrate the tool with a ticketing system. In that way, if Azure Sentinel
identifies an incident, it can immediately turn it into a ticket that goes to
the first-line security operations center (SOC) so that the analysts can
investigate and respond. You can also orchestrate and automate responses
to alerts and automate playbooks.
Azure Sentinel is native to the Microsoft security ecosystem, but it also
integrates with Amazon Web Services (AWS). For example, application
programming interfaces enable you to configure Azure Sentinel to consume
AWS CloudTrail and Amazon GuardDuty logs. Microsoft is adding integrations
with other cloud providers as well.
Oscar Monge is a seasoned information
security professional with more than seventeen
years of experience. He is a Security Solutions
Architect at Rabobank, where he helps shape
security monitoring direction and technology
integration. Oscar is passionate about
technology and its alignment to IT business
needs.
Oscar Monge, Rabobank, Security
Solutions Architect
For new users, the biggest challenge will be learning how best to use the
technology and data connections to produce the security protection they need.
Azure Sentinel is artificial intelligence driven, so it is always in learning mode and
monitoring activity to identify trends and look for deviations from those trends.
It’s important to collect the data you need to provide the level of monitoring,
alerting, and orchestration your organization requires. Azure Sentinel is easy to
enable, but choosing the right data requires careful thought because the tool’s
costs are tied to the amount of data it consumes. Choosing the right data is a
continuous process.
In addition to selecting the right data sources and types, you must learn how to
apply analytics rules to the data. Azure Sentinel has many built-in rules that are
easy to use, but you may need to adjust them so that they work more effectively
in your environment. You will also likely want to create custom queries that
are more specific to your monitoring environment. In addition to querying and
analyzing data, Azure Sentinel can automate many detection and response
functions. To get the most out of this capability, you need an understanding
of Azure Logic Apps, which helps with application and data integrations, and
workflow scheduling. Azure Logic Apps is useful for scaling Azure Sentinel in
your environment and creating the more complex automations that make up
playbooks.
Azure Sentinel is only as good as the data it consumes, but you have to pay for
that data. To get the most value from the product, avoid sending it unimportant
activity data while providing the data that is important for detecting potentially
threatening activity so that Azure Sentinel can detect and act on those data
patterns. Choosing the right data is a continuous effort because organizations
and IT groups are always changing. When refining the data Azure Sentinel
collects, always be looking at recognized information sources within the network
environment as well as potentially new sources of valuable security data.
Key Points
1. Azure Sentinel enables you to correlate data, create thresholds, create alarms, orchestrate and automate responses to alerts, and automate playbooks. You can also integrate the tool with a ticketing system.
2. Choosing the right data is important because Azure Sentinel costs are based on the data it consumes. A knowledgeable security consultant can help you optimize data sources and types for peak security performance while managing data-ingestion costs.
Oscar Monge, Rabobank,
Security Solutions Architect
“Azure Sentinel correlates data from all those logs and
presents events in real time in a single pane of glass.”
Many Eyes Reviewing Security Logs Generates a Big
Advantage
A couple of years ago, we made the decision to move to the Microsoft Azure
cloud. It was a strategic initiative to move all of our on-premises servers to the cloud.
This was a strategic initiative to adopt the cloud for hosting of applications, data
warehouse, and key infrastructure components.
This move has made it easier to standardize on Microsoft’s security tools to
monitor, protect, and alert on cyberthreats. One of the key services we use
within the Microsoft Azure stack is Azure Sentinel. Sentinel has enabled us to
consolidate most of our security logs in one single Security Information and
Event Management (SIEM) to ingest logs from multiple security controls such
as firewall, endpoint protection, collaboration suites, active directories, DNS
traffic, DDoS protection, and others.
We began feeding Azure Sentinel log data from virtual machines; Microsoft 365
Defender (formerly Microsoft Threat Protection); Microsoft Cloud App Security;
and Microsoft 365, including OneDrive, Exchange Online, Microsoft SharePoint,
and Microsoft Teams. We are monitoring all those tools in Azure Sentinel
through data connections available from the Sentinel dashboard. In addition
to an extensive list of connections to Microsoft technologies, Azure Sentinel has
connections to many non-Microsoft vendors, such as Cisco, Check Point, Barracuda,
Citrix, and Amazon Web Services. These connections would be beneficial to anyone
with a more complex or multi-cloud infrastructure.
Lawk Salih is Vice President of Technology
Systems and Services for Independent
Community Bankers of America (ICBA). In his
role, Lawk leads cloud migration efforts, the
cybersecurity program, infrastructure, and
customer service support in alignment with the
ICBA’s strategic goals. He has more than twenty
years of experience in IT, including fifteen
years with nonprofit organizations and trade
associations.
Lawk Salih, Independent Community
Bankers of America, Vice President,
Technology Systems and Services
To keep cost at a minimum while protecting the environment, it’s important to
recognize that ingesting logs can become costly. At the moment, we are on pay-as-
you-go as we assess the needs of our security operations. As we mature, we will
consider purchasing resources on a retention basis to save costs in the long run.
Azure Sentinel provides great visibility. It consolidates and correlates everything
into one display, which is a huge advantage. Having one dashboard, and the eyes of
your whole team on the same display at different times, is the key to a successful
cybersecurity program. Azure Sentinel correlates data from all those logs and
presents events in real time in a single pane of glass. When an alert comes in, Azure
Sentinel provides a full description of the alert, events involved in the event such as
entities, and a detailed timeline of the incident. Having such key information available
without much digging is key to saving time during an investigation process.
One challenge in setting up Azure Sentinel is managing remediations, particularly
when you want to automate playbooks. The question becomes, what are the best
actions to take under certain circumstances? For instance, if Azure Sentinel detects
suspicious activity on a computer, do you immediately isolate that machine, or will
you take granulated steps such as TCP disruption? How do you disrupt rogue IP
connections without bringing down a whole system? In the case of a user, certain
alerts and playbooks can completely isolate the endpoint from the world wide web
until an investigation is complete. As such, false positives can be a headache until a
full resolution is determined.
Key Points
1. Having one dashboard, and the eyes of your whole team on the same display at different times, is the key to a successful cyber screening program.
2. To take full advantage of Azure Sentinel’s automation capabilities, you need to understand how best to create auto-remediations that can run without disrupting production servers or bringing down systems.
For us, Azure Sentinel has been a wonderful experience. We are learning as we go
while Microsoft continues to enhance the product with many partnerships in the
pipeline. We will consider engaging a Managed Security Service Provider (MSSP)
to help monitor our Azure Sentinel 24/7, similar to a virtual security operations
center.
Lawk Salih, Independent Community
Bankers of America, Vice President,
Technology Systems and Services
“The machine learning and automation capabilities
in Azure Sentinel are much further developed than in
traditional SIEM solutions.”
Azure Sentinel Provides One View of Your Entire
Environment
Microsoft Azure Sentinel is a security information and event management
(SIEM) system for security orchestration automated response. Azure Sentinel
is most useful when you have data coming in from many tools or when your
environment includes more than just Microsoft technologies. It provides a
central security view of computer systems, applications, cloud instances,
firewalls, and other networking components.
The machine learning and automation capabilities in Azure Sentinel are much
further developed than in traditional SIEM solutions. It also has advantages
over the Microsoft Defender Security Center dashboard, including the ability to
incorporate data from many non-Microsoft technologies; develop more involved
playbook automations; and run more advanced, in-depth log investigations and
perform threat hunting. When an incident occurs, Azure Sentinel provides all the
details you need to remediate it. You can see all the logs and alerts and follow
every action related to that incident.
You can also create your own process automations. For example, say that Azure
Sentinel detects something and creates an incident alert. You get the IP address
from that incident, log the IP address in Office 365 and block it, and then send an
email to the IT department detailing the changes that were made. You can automate
this whole process in Azure Sentinel.
Maarten Leyman is a Senior Security Consultant
with experience in the full Microsoft 365
security suite and Azure security. In 2013, he
started his career at delaware BeLux, where he
performs security assessments and conducts
workshops at customer sites to identify security
risks. He also helps fine-tune IT architecture and
implementations to increase overall security
at customer locations and mitigate possible
threats.
Maarten Leyman, delaware BeLux,
Senior Security Consultant
The first step is getting data into Azure Sentinel, which requires making data
connections. With one click, Azure Sentinel is up and running; with a few more clicks,
you can make connections to begin receiving data. Azure Sentinel has built-in data
connections to Microsoft security tools and to many third-party tools. For example,
Microsoft has worked with many of its partners, including Cisco, Barracuda, and
Citrix, to build data connections for their products.
As you configure data connections, it’s important to keep in mind that pricing is
based on data consumption. As such, you can pay as you go or pay in advance for
a specific amount of data. For instance, you can pay for a full 100 gigabytes of data;
per gigabyte, that package costs less than paying as you go for the same amount of
data. Of course, when you pay in advance, you must calculate how much data you
will actually feed into Azure Sentinel so that you don’t buy more than you need.
To control costs, send only necessary security data to Azure Sentinel. For example,
firewalls have rules that typically include a deny rule. This deny rule catches a lot
because active internet scanning produces a hit each time someone is prevented
from connecting. Logging all that deny rule activity in Azure Sentinel doesn't add
value, so you don’t want to pay for that.
You need expertise with the tools you want to connect to Azure Sentinel. Also,
tuning and maintaining Azure Sentinel automations require continuous monitoring
and refinement. When done properly, though, Azure Sentinel is a powerful tool for
managing detections and response. If you don’t have the necessary IT personnel to
set up and tune Azure Sentinel, a managed security service provider (MSSP) can help.
Many MSSPs have automated templates that speed the process of coding everything
for your environment. They can also help with detection and response activities.
Azure Sentinel makes it easy to transfer all this work to a service provider if you need
that support.
Key Points
1. The first step in implementation is getting data into Azure Sentinel. Azure Sentinel has built-in data connections to Microsoft’s security tools and connects to many third-party vendors, such as Cisco, Barracuda, and Citrix.
2. Tuning and maintaining Azure Sentinel automations requires continuous monitoring and refinement, but when done properly, Azure Sentinel is a powerful tool for managing detections and response.
Maarten Leyman, delaware BeLux,
Senior Security Consultant
“Think about the quickest way to get from where you
are now to where you want to be using Azure Sentinel.”
Before You Deploy Microsoft Azure Sentinel, Know
What You Want to Accomplish
When implementing Microsoft Azure Sentinel, you must
• understand what you want to accomplish through Microsoft Azure
Sentinel, which both monitors and orchestrates automated responses to
events;
• understand the IT assets in your environment, endpoints, servers,
network devices, clouds, and applications. Think about how much data
from your environment Azure Sentinel must consume to achieve your
objectives; and
• think about the quickest way to get from where you are now to where you
want to be using Azure Sentinel.
Azure Sentinel pulls in data from many sources, which makes it uniquely
effective for managing security from a single portal—especially important as
companies move more of their assets into the cloud. Azure Sentinel works
with more than Microsoft products, as well. It can monitor Amazon Web
Services (AWS), Google Cloud Platform (GCP), and other clouds with application
programming interface hooks. Being able to see Azure, AWS, and GCP in one
place is valuable because most corporate models today use multiple clouds.
Some security information event management solutions have this capability on
their technology roadmap, but Microsoft is already there.
Dr. Rebecca Wynn received the 2017
Cybersecurity Professional of the Year–
Cybersecurity Excellence Award, was Chief
Privacy Officer of SC Magazine, is a Global
Privacy and Security by Design International
Council member, and was 2018 Women in
Technology Business Role Model of the Year.
She is lauded as a “gifted polymath and game-
changer who is ten steps ahead in developing
and enforcing cybersecurity and privacy best
practices and policies.”
Rebecca Wynn,
Global CISO & Chief Privacy Officer
Microsoft makes it easy to deploy Azure Sentinel, too. Good documentation
and many videos show you how to make data connections to devices and
virtual machines and help you determine which data to ingest. Microsoft also
provides Azure Blueprints, which are templated configurations for different
types of environments. These blueprints simplify configuration, especially for
environments that must comply with regulatory regimes such as the Health
Insurance Portability and Accountability Act and Payment Card Industry.
When you begin configuring Azure Sentinel, you will start seeing events and
notifications quickly.
The biggest challenges in deploying Azure Sentinel are making sure that Azure
Sentinel ingests only the data you need to meet your security objectives and
using automations effectively to make detection and response faster. Processing
more data through Azure Sentinel than you actually need costs money and is
counterproductive to your security strategy because oversubscribing prevents
your company from using that money for more effective threat mitigation.
Configuring and optimizing Azure Sentinel for your environment require analytical
expertise. Whether you are working with a consultant or hiring people for your
team, they must be critical thinkers and root cause analysts. Azure Sentinel
enables you to look at the details of an event, drill into log data for that event,
and be more mindful about how you analyze and respond to the events you are
seeing. The tool augments your team, and it is the mindful use of that tool that
enables you to work more intelligently with other teams in your organization.
Key Points
1. You must understand the IT assets in your environment, endpoints, servers, network devices, clouds, and applications. Think about how much data from your environment Azure Sentinel must consume to achieve your objectives.
2. The biggest challenges in deploying Azure Sentinel are making sure that Azure Sentinel ingests the data you need to meet your security objectives and using automations effectively to make detection and response faster.
Rebecca Wynn,
Global CISO & Chief Privacy Officer
“Implementing Azure Sentinel is straightforward,
coming down to implementing your data connections
and deciding how much space to allocate for data
storage.”
Microsoft Azure Sentinel Delivers Visibility and Insight
Microsoft Azure Sentinel combines security information event management
and security orchestration automated response functionality in one
tool, making it much easier to have all security data and controls in one
place. That consolidated platform simplifies monitoring, correlating, and
automating security functions such as detections, alerting, and playbooks.
Implementing Azure Sentinel is straightforward, coming down to
implementing your data connections and deciding how much space to
allocate for data storage. Both are important because they can have a big
impact on the tool’s operational cost. Regarding data storage, Azure Sentinel
defaults to holding log data for 30 days, which will be plenty for most
companies. Some high-risk businesses that represent attractive targets,
such as financial services firms, may want to hold data longer. The longer
you store data, however, the more space it consumes, which increases
costs.
The amount of data Azure Sentinel consumes also comes with costs, but
you can monitor and analyze a lot of data for free. For example, it costs
nothing to ingest data from other Microsoft security products, such as the
Microsoft 365 Defender suite (Microsoft Defender for Endpoint [formerly
Microsoft Advanced Threat Protection], Microsoft Cloud App Security, and
others). Monitoring these tools is easy: In the Azure portal, select Azure Sentinel,
select Data connections, and then turn on the data connections for those tools.
If you have a largely Microsoft environment and are using these tools, turning
all that data on enables Azure Sentinel to provide you with a lot of visibility into
what’s happening in your environment. It takes only a few minutes to start seeing
results.
Michael Kavka has been an IT professional
for more than 20 years. He contributes to
the community, helping run the Burbsec set
of infosec meetups in the Chicago area, and
volunteers for Hak4Kidz, a kids-orientated STEM
conference. He is currently a Security Engineer;
his areas of focus include security information
and event management, Microsoft security
technologies, and vulnerability assessment.
Michael is a CISSP and a GCIH.
Michael Kavka, R.J. O’Brien,
Sr. Security Engineer
One of the most challenging aspects of Azure Sentinel is balancing costs against
benefits. It’s easy to activate built-in connectors to other technology in your
environment, such as Cisco, Citrix, and Amazon Web Services, but importing that
data can incur costs depending on the amount. You can gain amazing insights
from cloud data imported into Azure Sentinel, but the amounts of data can
vary and be difficult to predict, especially if you are transitioning to the cloud or
ramping up cloud computational activity. One month you may have two cloud
servers, and then suddenly you could have five, ten, twenty, or thirty. Each is an
individual cost, in addition to log transaction costs and the costs of Microsoft
SQL Server instances. There are intricacies to the cost structure that can be
confusing, and it can get out of hand quickly if you’re not careful.
Many of these questions are ongoing as you use Azure Sentinel and modify it
to keep it operating optimally for your environment. Most of your maintenance
and optimization work will focus on reporting; automations for queries, alerts,
and responses; and reviewing incidents. Set reporting schedules that make
sense in relation to automated querying so that you don’t waste resources with
unnecessary reporting. In addition, you must continually adjust these features to
adapt to your changing environment and usage patterns.
For some companies, it makes a lot of sense to work with a managed security
service provider (MSSP) or consultant to hammer out these details. The choice
depends on your staffing, budget, and environment size. If you have a solid
team but don’t have a security operations center (SOC), or you have a SOC that
would be overwhelmed with a one- or two-person team, then using an MSSP to
augment your staff can be fantastic. If you're a small business without a security
department, a service provider can be invaluable. Like everything else, you must
balance the costs against the services and benefits you receive.
Key Points
1. Azure Sentinel can monitor and analyze a lot of data for free. For example, it costs nothing to ingest data from Microsoft security products such as those in the Microsoft 365 Defender suite.
2. You can gain amazing insights from cloud data imported into Azure Sentinel, but the amounts of data can vary and be difficult to predict, especially if you are transitioning to the cloud or ramping up cloud computational activity.
Michael Kavka, R.J. O’Brien,
Sr. Security Engineer
“Azure Sentinel automatically performs the analytical
work on alerts and provides a clear, straightforward
presentation of the incident history and event
relationships.”
Microsoft Azure Sentinel Is a Different Kind of SIEM
System
The most important part of implementing Microsoft Azure Sentinel is knowing
your objectives because Azure Sentinel differs from traditional security
information event management (SIEM) tools in two key ways:
• Sentinel is smart. Many companies that use SIEM tools know their
traditional role as security data aggregators. The SIEM system collects
raw logs and provides the data to analysts in the security operations
center, who look at that data and use other analytical tools to determine
its meaning. Azure Sentinel automatically performs the analytical work on
alerts and provides a clear, straightforward presentation of the incident
history and event relationships. It does a lot of the analytical work for
analysts. An analyst can choose an incident off the Azure Sentinel incident
list and within seconds have a complete view of what happened.
• Azure Sentinel also provides security orchestration and automated
response. These features enable you to build automated playbooks into
your Azure Sentinel implementation. Azure Sentinel has no preconfigured
playbooks. Instead, you use the tool’s analytical rules, triggers, and logic
apps to create your own playbooks based on your requirements. You can then
run these playbooks manually or automatically. Playbooks make Azure Sentinel
a powerful security automation tool.
Rajesh Kumawat has four years of experience
working as an Information Security Analyst. He
completed his engineering studies in E&TC in
Pune. Rajesh is passionate about infosec and
its domains like cyber forensics, cloud security,
incident management, and IT compliance. He
likes to engage in freelancing projects and do
bug bounty hunting in his spare time, which
mostly focuses on web application security.
Rajesh Kumawat, Mastercard,
Information Security Analyst
These capabilities make Azure Sentinel a different kind of SIEM system, and to
get the most out of it, you need to know what you want it to do for you. One other
aspect of Azure Sentinel that can affect how you implement it is continuous
synchronization with Microsoft Defender for Endpoint (formerly Microsoft
Advanced Threat Protection). Continuous synchronization means that you can
set up Microsoft Defender for Endpoint so that if it assigns an incident, the same
incident is assigned in Azure Sentinel. Then, after you resolve the incident and close
the incident in Microsoft Defender for Endpoint, it also closes in Azure Sentinel—
something not possible with any other SIEM system.
When implementing Azure Sentinel, pay attention to the data connections you
create to make sure that you are collecting the right data and not too much data. In
some cases, such as for on-premises servers, you will need to install an agent that
connects to Azure Sentinel, which is cloud based.
In addition, spend time working on the analytics rules. Microsoft includes default
rules, but you should edit and test them to make sure that they meet your
requirements. Azure Sentinel also has allow list capabilities that permit actions that
may otherwise trigger an alert. To make your Azure Sentinel implementation more
capable and more powerful, you must engineer every alert; then, with time, the rules
you use will become more effective.
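The two practices this chapter and Maarten Leyman’s chapter describe, collecting the right data rather than too much (for example, not paying to ingest every firewall deny hit from internet scanning) and allowlisting known-good activity in an analytics rule, modelled in Python as an added illustration. This is not code from the guide, its contributors, or Microsoft; the CEF lines, the internal address ranges and the allowlist are constructed, and the filter stands in for what a log-forwarder filter or a Sentinel rule would do.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample CEF events, as a syslog/CEF forwarder would hand them to
# the SIEM. Addresses are RFC 5737 documentation ranges; ports are illustrative.
SAMPLE_CEF = """\
CEF:0|ExampleCo|EdgeFW|1.0|100|Deny|5|rt=1617187200000 src=198.51.100.7 dst=203.0.113.10 dpt=3389 act=Deny
CEF:0|ExampleCo|EdgeFW|1.0|100|Deny|5|rt=1617187201000 src=198.51.100.7 dst=203.0.113.10 dpt=445 act=Deny
CEF:0|ExampleCo|EdgeFW|1.0|100|Deny|5|rt=1617187202000 src=198.51.100.8 dst=203.0.113.10 dpt=22 act=Deny
CEF:0|ExampleCo|EdgeFW|1.0|101|Allow|3|rt=1617187203000 src=192.0.2.44 dst=203.0.113.10 dpt=3389 act=Allow
CEF:0|ExampleCo|EdgeFW|1.0|101|Allow|3|rt=1617187204000 src=10.0.0.5 dst=10.0.0.9 dpt=445 act=Allow
CEF:0|ExampleCo|EdgeFW|1.0|100|Deny|5|rt=1617187205000 src=10.0.0.23 dst=10.0.0.9 dpt=3389 act=Deny
CEF:0|ExampleCo|EdgeFW|1.0|101|Allow|3|rt=1617187206000 src=192.0.2.99 dst=203.0.113.10 dpt=22 act=Allow
"""

# Assumed (constructed) organisation values: internal ranges, the admin ports the
# rule watches, and an allowlist such as the corporate VPN egress address.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
ADMIN_PORTS = {"22", "3389"}
ALLOWED_ADMIN_SOURCES = {"192.0.2.44"}


@dataclass
class CefEvent:
    vendor: str
    product: str
    signature_id: str
    name: str
    severity: str
    fields: dict = field(default_factory=dict)
    raw: str = ""


def parse_cef(line: str) -> CefEvent:
    """Split the seven pipe-delimited CEF header fields and the key=value extension."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line!r}")
    fields: dict = {}
    key = None
    for token in parts[7].split(" "):
        k, sep, v = token.partition("=")
        if sep and re.fullmatch(r"\w+", k):
            key, fields[key] = k, v          # a new key=value pair
        elif key is not None:
            fields[key] += " " + token       # the previous value contained a space
    return CefEvent(parts[1], parts[2], parts[4], parts[5], parts[6], fields, line)


def is_internal(addr: str) -> bool:
    """Membership in our own ranges; documentation ranges are deliberately not 'private' here."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def should_ingest(ev: CefEvent) -> bool:
    """Drop deny events from external sources (the internet-scanning noise the text
    describes). Allows are kept, and so are denies that originate inside the network,
    which can point at misconfiguration or lateral movement and are worth the cost."""
    if ev.fields.get("act") == "Deny" and not is_internal(ev.fields["src"]):
        return False
    return True


def filter_events(text: str):
    """Apply the ingestion filter; return (kept events, raw bytes, kept bytes)
    so the saving can be compared against a per-GB ingestion price."""
    raw_bytes = kept_bytes = 0
    kept = []
    for line in text.splitlines():
        size = len(line.encode()) + 1        # count the newline the forwarder sends
        raw_bytes += size
        ev = parse_cef(line)
        if should_ingest(ev):
            kept.append(ev)
            kept_bytes += size
    return kept, raw_bytes, kept_bytes


def detect_external_admin_access(events, allowlist=ALLOWED_ADMIN_SOURCES):
    """Rule: allowed inbound connections to admin ports from outside the network,
    minus the allowlisted sources. Returns (source, port) pairs to alert on."""
    return [
        (ev.fields["src"], ev.fields["dpt"])
        for ev in events
        if ev.fields.get("act") == "Allow"
        and ev.fields.get("dpt") in ADMIN_PORTS
        and not is_internal(ev.fields["src"])
        and ev.fields["src"] not in allowlist
    ]


if __name__ == "__main__":
    kept, raw_bytes, kept_bytes = filter_events(SAMPLE_CEF)
    print(f"ingested {len(kept)} of {SAMPLE_CEF.count(chr(10))} events, "
          f"{kept_bytes}/{raw_bytes} bytes ({100 * kept_bytes // raw_bytes}%)")
    for src, port in detect_external_admin_access(kept):
        print(f"ALERT: external admin access from {src} to port {port}")
```

Removing an address from the allowlist immediately widens what the rule fires on, which is the tuning loop the chapter describes: engineer the rule, watch what it produces, and adjust.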
The best way to keep Azure Sentinel in optimum condition to defend your network
is continuous monitoring of incidents. If the tool’s ability to catch incidents provides
value, then it’s a good tool. But if it’s producing a lot of false positives, you have to
work on editing the rules. Maintaining Azure Sentinel involves continuously tuning
the rules, saving them, watching how they perform, and learning how to make them
deliver better results.
Rajesh Kumawat, Mastercard,
Information Security Analyst
Key Points
1. Use Azure Sentinel analytical rules, triggers, and logic apps to create your own playbooks based on your requirements. You can then run these playbooks manually or automatically.
2. To keep Azure Sentinel in optimum condition to defend your network, continuously monitor for incidents. If the tool’s ability to catch incidents provides value, then it’s a good tool. But if it's producing a lot of false positives, you have to work on editing the rules.
“The most challenging aspect of Azure Sentinel deployment is deciding what you need the system to tell you, and then configuring data collection and analytics so that you can extract that information.”
You Must Understand What You Want to Extract from Azure Sentinel
Effective security monitoring and analysis require a security information and event management (SIEM) solution such as Microsoft Azure Sentinel, but that tool must be configured properly. You can configure data collection and analysis for Azure Sentinel in many ways. Which way you choose depends on your security needs and what is in your environment. A configuration management tool such as Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager) is essential for deploying Azure Sentinel.
Before you can deploy Azure Sentinel, you must install the correct monitoring agents on the servers in your environment, whether on-premises servers or virtual servers deployed in the cloud. Microsoft provides monitoring agents for Windows and Linux operating systems, and agents are available that work in Azure, Amazon Web Services, and other providers’ clouds. Microsoft monitoring agents are mandatory for getting log data into the Azure Sentinel analytics workspace.
The most challenging aspect of Azure Sentinel deployment is deciding what you need the system to tell you, and then configuring data collection and analytics so that you can extract that information. Azure Sentinel enables you to integrate all your data monitoring into one tool in the Azure portal. That can speed up mean time to detection and mean time to response, but you need to know what you are looking for. This determines which data you will collect, which analytical rules you will use, and which automations you will configure.

Sharjeel Qayyum Khan has ten years of experience in IT. His focus is on enhancing business alignment and growth by deploying stable cloud environments and adopting best practices for security. Sharjeel regulates security operations and technologies, including end security, security information event management, incident response, and NIST compliance reporting. His areas of expertise include cybersecurity, system architecture design, vulnerability evaluation, risk management, and configuration management.
Sharjeel Qayyum Khan, edotco Group, IT Security Operation Lead
When deciding on data collection, eliminate noise that does not contribute to the information you are trying to extract from the system. Use data connectors to pull in the important data, and enable rules for analysis and behavior tracking. Collecting too much data increases the operational cost of using Azure Sentinel. Microsoft makes it easy to implement data connectors for its own products and for many third-party tools. For example, data collectors are available for Cisco networking solutions that can also monitor virtual routing and forwarding. Azure Sentinel has a list of preconfigured data collectors; you just select the ones you want to use.

Properly configuring Azure Sentinel for your environment enables broad visualization. If an attacker is trying to access your environment, you can see who the attacker is, which virtual machines they have run, and the data the attacker is trying to exfiltrate. Azure Sentinel shows you who has been compromised and what the impact of that compromise might be.
“It’s important to recognize that Azure Sentinel requires ongoing monitoring and adjustment to changes in your environment.”
It’s important to recognize that Azure Sentinel requires ongoing monitoring and adjustment to changes in your environment. It is not a tool that you can configure once and then leave alone. You must check analytical rules, detections, and your automations because technology in your environment changes every day, and the tool itself is evolving. Microsoft has built 200 preconfigured detections for Azure Sentinel, but it regularly updates them. Continuously check the detections you use to see if new ones can improve your security operations.
Key Points
1. Azure Sentinel enables you to integrate all your data monitoring into one tool in the Azure portal. That can speed up mean time to detection and mean time to response, but you need to know what you are looking for.
2. With Azure Sentinel, you can collect and analyze data in ways that meet your security needs and fit your environment. A configuration management tool such as Microsoft Endpoint Configuration Manager is essential for deploying Azure Sentinel.
Sharjeel Qayyum Khan, edotco Group, IT Security Operation Lead
7 Experts on Implementing Azure Sentinel
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

7 Experts on Implementing Azure Sentinel

FOREWORD

New approaches to cybersecurity are needed more than ever! The pandemic has led to exponential growth in remote employees, expanding the attack surface for companies big and small. Security teams struggle to cobble together solutions consisting of technologies from multiple vendors, many of which were only designed to operate in legacy environments. Integration complexities, a lack of security resources, and unrelenting attacks from cyber criminals have made securing the organization a seemingly unattainable goal.

So what is the solution to eliminating this pain while also providing the security your company needs in a cloud-first world? We believe a cloud-native, fully integrated security solution is what makes the most sense. To bring our vision to life, we partnered with Microsoft to build consulting, implementation, and managed security services around their SIEM and XDR tools that deliver the outcomes needed by companies operating in today’s dangerous, highly interconnected world.

This Mighty Guide, one of three in a series, was written to help you better understand how specific Microsoft security tools are being used by companies today and help you benefit from the lessons they have learned. Enjoy the book!

Milan Patel
Global Head of Managed Security Services
BlueVoyant

BlueVoyant is an expert-driven cybersecurity services company whose mission is to proactively defend organizations of all sizes against today’s constant, sophisticated attackers and advanced threats. Led by CEO Jim Rosenthal, BlueVoyant’s highly skilled team includes former government cyber officials with extensive frontline experience in responding to advanced cyber threats on behalf of the National Security Agency, Federal Bureau of Investigation, Unit 8200, and GCHQ, together with private sector experts. BlueVoyant services utilize large real-time datasets with industry-leading analytics and technologies. Founded in 2017 by Fortune 500 executives and former Government cyber officials and headquartered in New York City, BlueVoyant has offices in Maryland, Tel Aviv, San Francisco, London, and Latin America.
MEET OUR EXPERTS

Oscar Monge, Rabobank, Security Solutions Architect
Lawk Salih, Independent Community Bankers of America, Vice President, Technology Systems and Services
Maarten Leyman, delaware BeLux, Senior Security Consultant
Rebecca Wynn, Global CISO & Chief Privacy Officer
Michael Kavka, R.J. O’Brien, Sr. Security Engineer
Rajesh Kumawat, Mastercard, Information Security Analyst
Sharjeel Qayyum Khan, edotco Group, IT Security Operation Lead
Microsoft Azure Sentinel Provides Total Integration of Detection and Response

“For new users, the biggest challenge will be learning how best to use the technology and data connections to produce the security protection they need.”

Oscar Monge, Rabobank, Security Solutions Architect

Oscar Monge is a seasoned information security professional with more than seventeen years of experience. He is a Security Solutions Architect at Rabobank, where he helps shape security monitoring direction and technology integration. Oscar is passionate about technology and its alignment to IT business needs.

Microsoft Azure Sentinel is a security information and event management solution hosted in the Azure public cloud. It integrates with Microsoft’s portfolio of security products, which enables you to send security data into a common Azure Sentinel workspace, essentially a big bucket of information. There, you can tell Azure Sentinel how to query the data, apply analytical rules to it, and trigger alerts and other actions. With Azure Sentinel, you can correlate data, create thresholds, create alarms, and integrate the tool with a ticketing system. In that way, if Azure Sentinel identifies an incident, it can immediately turn it into a ticket that goes to the first-line security operations center (SOC) so that the analysts can investigate and respond. You can also orchestrate and automate responses to alerts and automate playbooks.

Azure Sentinel is native to the Microsoft security ecosystem, but it also integrates with Amazon Web Services (AWS). For example, application programming interfaces enable you to configure Azure Sentinel to consume AWS CloudTrail and Amazon GuardDuty logs. Microsoft is adding integrations with other cloud providers as well.

For new users, the biggest challenge will be learning how best to use the technology and data connections to produce the security protection they need. Azure Sentinel is artificial intelligence driven, so it is always in learning mode and monitoring activity to identify trends and look for deviations from those trends. It’s important to collect the data you need to provide the level of monitoring, alerting, and orchestration your organization requires. Azure Sentinel is easy to enable, but choosing the right data requires careful thought because the tool’s costs are tied to the amount of data it consumes. Choosing the right data is a continuous process.

In addition to selecting the right data sources and types, you must learn how to apply analytics rules to the data. Azure Sentinel has many built-in rules that are easy to use, but you may need to adjust them so that they work more effectively in your environment. You will also likely want to create custom queries that are more specific to your monitoring environment.

In addition to querying and analyzing data, Azure Sentinel can automate many detection and response functions. To get the most out of this capability, you need an understanding of Azure Logic Apps, which helps with application and data integrations, and workflow scheduling. Azure Logic Apps is useful for scaling Azure Sentinel in your environment and creating the more complex automations that make up playbooks.

Azure Sentinel is only as good as the data it consumes, but you have to pay for that data. To get the most value from the product, avoid sending it unimportant activity data while providing the data that is important for detecting potentially threatening activity so that Azure Sentinel can detect and act on those data patterns. Choosing the right data is a continuous effort because organizations and IT groups are always changing. When refining the data Azure Sentinel collects, always be looking at recognized information sources within the network environment as well as potentially new sources of valuable security data.

Key Points

1. Azure Sentinel enables you to correlate data, create thresholds, create alarms, orchestrate and automate responses to alerts, and automate playbooks. You can also integrate the tool with a ticketing system.

2. Choosing the right data is important because Azure Sentinel costs are based on the data it consumes. A knowledgeable security consultant can help you optimize data sources and types for peak security performance while managing data-ingestion costs.
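The chapter above describes analytics rules in the abstract: a query over a window of data, a threshold, an alert carrying the entities a playbook can act on. The block below is an added example, not code from the ebook or from Microsoft, that implements that core (lookback window, threshold, grouping by entity, and suppression so a long attack yields one alert rather than one per event) in plain Python so it can be run offline. In Azure Sentinel the same rule would be a scheduled KQL query. The sign-in records are constructed for the example; their field names only loosely mirror the SigninLogs table and are an assumption, and the IP addresses are from documentation ranges.

```python
"""Added example, not from the ebook: the core of a scheduled analytics rule
(lookback window, threshold, entity grouping, alert suppression) in plain
Python. The sign-in records are constructed and their field names are an
assumption, not the SigninLogs schema."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    time: datetime
    user: str
    ip: str
    result: str  # "success" or "failure"


@dataclass(frozen=True)
class Alert:
    rule: str
    entity_ip: str          # the entity a playbook would act on
    failures: int
    users: tuple
    window_start: datetime
    window_end: datetime


def password_spray_rule(events, threshold=5, window=timedelta(minutes=10),
                        min_distinct_users=3):
    """Alert when one source IP has at least `threshold` failed sign-ins
    against at least `min_distinct_users` distinct accounts inside a sliding
    `window`. After an alert, the same IP is suppressed for one window so a
    long spray produces one incident, not one per event."""
    recent = defaultdict(deque)   # ip -> failures still inside the window
    last_alert = {}               # ip -> time of the last alert (suppression)
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.result != "failure":
            continue
        q = recent[ev.ip]
        q.append(ev)
        while q and ev.time - q[0].time > window:
            q.popleft()           # evict events older than the lookback
        users = {e.user for e in q}
        if len(q) < threshold or len(users) < min_distinct_users:
            continue
        if ev.ip in last_alert and ev.time - last_alert[ev.ip] <= window:
            continue              # suppressed: already alerted in this window
        last_alert[ev.ip] = ev.time
        alerts.append(Alert("Password spray from a single IP", ev.ip, len(q),
                            tuple(sorted(users)), q[0].time, ev.time))
    return alerts


T0 = datetime(2021, 3, 1, 9, 0, 0)   # constructed timestamp for the samples


def sample_events():
    """Constructed sign-in records (documentation IP ranges, invented users)."""
    evs = []
    # A spray: one Internet IP, four accounts, six failures in six minutes.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "alice", "bob"]):
        evs.append(SignIn(T0 + timedelta(minutes=i), user, "203.0.113.7", "failure"))
    # One person mistyping their own password: five failures, a single account.
    for i in range(5):
        evs.append(SignIn(T0 + timedelta(minutes=i), "erin", "198.51.100.9", "failure"))
    evs.append(SignIn(T0 + timedelta(minutes=6), "erin", "198.51.100.9", "success"))
    # Slow failures from a third IP: never five inside any ten-minute window.
    for i in range(6):
        evs.append(SignIn(T0 + timedelta(minutes=15 * i), "frank", "192.0.2.5", "failure"))
    return evs


if __name__ == "__main__":
    for alert in password_spray_rule(sample_events()):
        print(alert)
```

Run as a script, it prints exactly one alert, for 203.0.113.7. The distinct-user condition is what keeps the fat-fingered account (five failures, one user) out of the alert list; that is the kind of adjustment the chapter means when it says built-in rules usually need tuning to the environment.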
Many Eyes Reviewing Security Logs Generates a Big Advantage

“Azure Sentinel correlates data from all those logs and presents events in real time in a single pane of glass.”

Lawk Salih, Independent Community Bankers of America, Vice President, Technology Systems and Services

Lawk Salih is Vice President of Technology Systems and Services for Independent Community Bankers of America (ICBA). In his role, Lawk leads cloud migration efforts, the cybersecurity program, infrastructure, and customer service support in alignment with the ICBA’s strategic goals. He has more than twenty years of experience in IT, including fifteen years with nonprofit organizations and trade associations.

A couple of years ago, we made the decision to move to the Microsoft Azure cloud. It was a strategic initiative to move all of our on-premises servers to the cloud and to adopt the cloud for hosting applications, our data warehouse, and key infrastructure components. This move has made it easier to standardize on Microsoft’s security tools to monitor, protect, and alert on cyberthreats. One of the key services we use within the Microsoft Azure stack is Azure Sentinel. Sentinel has enabled us to consolidate most of our security logs in one single Security Information and Event Management (SIEM) system to ingest logs from multiple security controls such as firewall, endpoint protection, collaboration suites, active directories, DNS traffic, DDoS protection, and others.

We began feeding Azure Sentinel log data from virtual machines; Microsoft 365 Defender (formerly Microsoft Threat Protection); Microsoft Cloud App Security; and Microsoft 365, including OneDrive, Exchange Online, Microsoft SharePoint, and Microsoft Teams. We are monitoring all those tools in Azure Sentinel through data connections available from the Sentinel dashboard. In addition to an extensive list of connections to Microsoft technologies, Azure Sentinel has connections to many non-Microsoft vendors, such as Cisco, Check Point, Barracuda, Citrix, and Amazon Web Services. These connections would be beneficial to anyone with a more complex or multi-cloud infrastructure.

To keep cost at a minimum while protecting the environment, it’s important to recognize that ingesting logs can become costly. At the moment, we are on pay-as-you-go as we assess the needs of our security operations. As we mature, we will consider purchasing resources on a retention basis to save costs in the long run.

Azure Sentinel provides great visibility. It consolidates and correlates everything into one display, which is a huge advantage. Having one dashboard, and the eyes of your whole team on the same display at different times, is the key to a successful cybersecurity program. Azure Sentinel correlates data from all those logs and presents events in real time in a single pane of glass. When an alert comes in, Azure Sentinel provides a full description of the alert, the entities involved in the event, and a detailed timeline of the incident. Having such key information available without much digging is key to saving time during an investigation process.

One challenge in setting up Azure Sentinel is managing remediations, particularly when you want to automate playbooks. The question becomes, what are the best actions to take under certain circumstances? For instance, if Azure Sentinel detects suspicious activity on a computer, do you immediately isolate that machine, or will you take granulated steps such as TCP disruption? How do you disrupt rogue IP connections without bringing down a whole system? In the case of a user, certain alerts and playbooks can completely isolate the endpoint from the world wide web until an investigation is complete. As such, false positives can be a headache until a full resolution is determined.

For us, Azure Sentinel has been a wonderful experience. We are learning as we go while Microsoft continues to enhance the product with many partnerships in the pipeline. We will consider engaging a Managed Security Service Provider (MSSP) to help monitor our Azure Sentinel 24/7, similar to a virtual security operations center.

Key Points

1. Having one dashboard, and the eyes of your whole team on the same display at different times, is the key to a successful cybersecurity program.

2. To take full advantage of Azure Sentinel’s automation capabilities, you need to understand how best to create auto-remediations that can run without disrupting production servers or bringing down systems.
Azure Sentinel Provides One View of Your Entire Environment

“The machine learning and automation capabilities in Azure Sentinel are much further developed than in traditional SIEM solutions.”

Maarten Leyman, delaware BeLux, Senior Security Consultant

Maarten Leyman is a Senior Security Consultant with experience in the full Microsoft 365 security suite and Azure security. In 2013, he started his career at delaware BeLux, where he performs security assessments and conducts workshops at customer sites to identify security risks. He also helps fine-tune IT architecture and implementations to increase overall security at customer locations and mitigate possible threats.

Microsoft Azure Sentinel is a security information and event management (SIEM) system with security orchestration, automation, and response capabilities. Azure Sentinel is most useful when you have data coming in from many tools or when your environment includes more than just Microsoft technologies. It provides a central security view of computer systems, applications, cloud instances, firewalls, and other networking components. The machine learning and automation capabilities in Azure Sentinel are much further developed than in traditional SIEM solutions. It also has advantages over the Microsoft Defender Security Center dashboard, including the ability to incorporate data from many non-Microsoft technologies; develop more involved playbook automations; and run more advanced, in-depth log investigations and perform threat hunting.

When an incident occurs, Azure Sentinel provides all the details you need to remediate it. You can see all the logs and alerts and follow every action related to that incident. You can also create your own process automations. For example, say that Azure Sentinel detects something and creates an incident alert. You get the IP address from that incident, log the IP address in Office 365 and block it, and then send an email to the IT department detailing the changes that were made. You can automate this whole process in Azure Sentinel.

The first step is getting data into Azure Sentinel, which requires making data connections. With one click, Azure Sentinel is up and running; with a few more clicks, you can make connections to begin receiving data. Azure Sentinel has built-in data connections to Microsoft security tools and to many third-party tools. For example, Microsoft has worked with many of its partners, including Cisco, Barracuda, and Citrix, to build data connections for their products.

As you configure data connections, it’s important to keep in mind that pricing is based on data consumption. As such, you can pay as you go or pay in advance for a specific amount of data. For instance, you can pay for a full 100 gigabytes of data; per gigabyte, that package costs less than paying as you go for the same amount of data. Of course, when you pay in advance, you must calculate how much data you will actually feed into Azure Sentinel so that you don’t buy more than you need.

To control costs, send only necessary security data to Azure Sentinel. For example, firewalls have rules that typically include a deny rule. This deny rule catches a lot because active internet scanning produces a hit each time someone is prevented from connecting. Logging all that deny rule activity in Azure Sentinel doesn’t add value, so you don’t want to pay for that.

You need expertise with the tools you want to connect to Azure Sentinel. Also, tuning and maintaining Azure Sentinel automations require continuous monitoring and refinement. When done properly, though, Azure Sentinel is a powerful tool for managing detections and response. If you don’t have the necessary IT personnel to set up and tune Azure Sentinel, a managed security service provider (MSSP) can help. Many MSSPs have automated templates that speed the process of coding everything for your environment. They can also help with detection and response activities. Azure Sentinel makes it easy to transfer all this work to a service provider if you need that support.

Key Points

1. The first step in implementation is getting data into Azure Sentinel. Azure Sentinel has built-in data connections to Microsoft’s security tools and connects to many third-party vendors, such as Cisco, Barracuda, and Citrix.

2. Tuning and maintaining Azure Sentinel automations requires continuous monitoring and refinement, but when done properly, Azure Sentinel is a powerful tool for managing detections and response.
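Maarten Leyman's example above (take the IP from the incident, block it, mail IT) and Lawk Salih's question in the previous chapter (isolate the machine outright, or take a more granular step?) are the two halves of one playbook design problem. The block below is an added example, not code from the ebook or from Microsoft: the decision logic of such a playbook in plain Python, so it runs offline. In Azure Sentinel it would be a Logic App started by the incident trigger; the connector calls (perimeter block, device isolation, mail) are replaced by returned Action records. The incident payload is constructed and only approximates the layout of the incident-trigger output, so its field names are an assumption, as are the internal ranges, the allow-list and the server inventory, which a real playbook would read from a watchlist or CMDB.

```python
"""Added example, not from the ebook: graded playbook decision logic for a
Sentinel-style incident. Connector calls are replaced by Action records. The
incident layout, internal ranges, allow-list and server list are assumptions."""
import ipaddress
from dataclasses import dataclass

# Constructed incident (not real data). Layout is an assumption: properties plus
# relatedEntities, each with a `kind` and entity-specific `properties`.
SAMPLE_INCIDENT = {
    "properties": {
        "incidentNumber": 4711,
        "severity": "High",
        "title": "Suspicious sign-in followed by inbox rule creation",
        "relatedEntities": [
            {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
            {"kind": "Ip", "properties": {"address": "10.20.30.40"}},
            {"kind": "Host", "properties": {"hostName": "WS-FINANCE-07"}},
            {"kind": "Account", "properties": {"accountName": "alice"}},
        ],
    }
}

# Assumed organisational data a real playbook would fetch from a watchlist or CMDB.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]   # e.g. a partner's egress range
PRODUCTION_SERVERS = {"SQL-PROD-01", "WEB-PROD-02"}


@dataclass(frozen=True)
class Action:
    kind: str     # "block_ip", "isolate_host" or "notify"
    target: str
    reason: str


def blockable_ips(incident):
    """IP entities worth blocking at the perimeter: external and not allow-listed."""
    out = []
    for ent in incident["properties"]["relatedEntities"]:
        if ent["kind"] != "Ip":
            continue
        ip = ipaddress.ip_address(ent["properties"]["address"])
        if any(ip in net for net in INTERNAL_NETS + ALLOWLIST):
            continue   # an edge block on an internal or partner address only causes outages
        out.append(str(ip))
    return out


def implicated_hosts(incident):
    return [e["properties"]["hostName"]
            for e in incident["properties"]["relatedEntities"] if e["kind"] == "Host"]


def plan_response(incident, production_servers=PRODUCTION_SERVERS):
    """Graded response. A perimeter block is cheap and reversible, so it is
    automated for Medium and High incidents; isolating a host is disruptive,
    so it is automated only for High incidents on workstations, and a
    production server is always escalated to a person instead."""
    props = incident["properties"]
    sev, num = props["severity"], props["incidentNumber"]
    actions = []
    if sev in ("Medium", "High"):
        for ip in blockable_ips(incident):
            actions.append(Action("block_ip", ip, f"incident {num} severity {sev}"))
    for host in implicated_hosts(incident):
        if host in production_servers:
            actions.append(Action("notify", "soc-oncall",
                                  f"production host {host} in incident {num}; manual decision"))
        elif sev == "High":
            actions.append(Action("isolate_host", host, f"incident {num} is High"))
    # Always report what was changed, so a false positive can be rolled back quickly.
    changed = "; ".join(f"{a.kind} {a.target}" for a in actions
                        if a.kind != "notify") or "no automated change"
    actions.append(Action("notify", "it-department", f"incident {num} ({sev}): {changed}"))
    return actions


if __name__ == "__main__":
    for action in plan_response(SAMPLE_INCIDENT):
        print(action)
```

For the constructed incident the plan is: block 203.0.113.7 at the edge, skip 10.20.30.40 because it is internal, isolate the workstation, and mail IT a summary. Swap the host for a production server and the same High incident produces no isolation, only a page to the on-call analyst. The closing notification is deliberate: the chapter above warns that false positives are a headache until resolved, and an auto-remediation nobody was told about is the slowest kind to roll back.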
Before You Deploy Microsoft Azure Sentinel, Know What You Want to Accomplish

“Think about the quickest way to get from where you are now to where you want to be using Azure Sentinel.”

Rebecca Wynn, Global CISO & Chief Privacy Officer

Dr. Rebecca Wynn received the 2017 Cybersecurity Professional of the Year Cybersecurity Excellence Award, was Chief Privacy Officer of SC Magazine, is a Global Privacy and Security by Design International Council member, and was 2018 Women in Technology Business Role Model of the Year. She is lauded as a “gifted polymath and game-changer who is ten steps ahead in developing and enforcing cybersecurity and privacy best practices and policies.”

When implementing Microsoft Azure Sentinel, you must

• understand what you want to accomplish through Microsoft Azure Sentinel, which both monitors and orchestrates automated responses to events;

• understand the IT assets in your environment, endpoints, servers, network devices, clouds, and applications. Think about how much data from your environment Azure Sentinel must consume to achieve your objectives; and

• think about the quickest way to get from where you are now to where you want to be using Azure Sentinel.

Azure Sentinel pulls in data from many sources, which makes it uniquely effective for managing security from a single portal, especially important as companies move more of their assets into the cloud. Azure Sentinel works with more than Microsoft products, as well. It can monitor Amazon Web Services (AWS), Google Cloud Platform (GCP), and other clouds with application programming interface hooks. Being able to see Azure, AWS, and GCP in one place is valuable because most corporate models today use multiple clouds. Some security information and event management solutions have this capability on their technology roadmap, but Microsoft is already there.

Microsoft makes it easy to deploy Azure Sentinel, too. Good documentation and many videos show you how to make data connections to devices and virtual machines and help you determine which data to ingest. Microsoft also provides Azure Blueprints, which are templated configurations for different types of environments. These blueprints simplify configuration, especially for environments that must comply with regulatory regimes such as the Health Insurance Portability and Accountability Act and Payment Card Industry. When you begin configuring Azure Sentinel, you will start seeing events and notifications quickly.

The biggest challenges in deploying Azure Sentinel are making sure that Azure Sentinel ingests only the data you need to meet your security objectives and using automations effectively to make detection and response faster. Processing more data through Azure Sentinel than you actually need costs money and is counterproductive to your security strategy because oversubscribing prevents your company from using that money for more effective threat mitigation.

Configuring and optimizing Azure Sentinel for your environment require analytical expertise. Whether you are working with a consultant or hiring people for your team, they must be critical thinkers and root cause analysts. Azure Sentinel enables you to look at the details of an event, drill into log data for that event, and be more mindful about how you analyze and respond to the events you are seeing. The tool augments your team, and it is the mindful use of that tool that enables you to work more intelligently with other teams in your organization.

Key Points

1. You must understand the IT assets in your environment, endpoints, servers, network devices, clouds, and applications. Think about how much data from your environment Azure Sentinel must consume to achieve your objectives.

2. The biggest challenges in deploying Azure Sentinel are making sure that Azure Sentinel ingests the data you need to meet your security objectives and using automations effectively to make detection and response faster.
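The chapter above and the one before it make the same point from two sides: ingest only what you need, and the firewall's default deny rule is the classic source of paid-for noise. The block below is an added example, not code from the ebook or from Microsoft, of a forwarder-side filter that handles that noise without throwing detection value away: denies whose source is internal are kept (they show blocked lateral movement and blocked egress), and denies from external sources are collapsed into one count per source rather than discarded, so scanner activity stays visible at a fraction of the volume. The CEF lines are constructed; the extension keys (act, src, dst, dpt) follow common CEF usage but are an assumption about any particular firewall, and so is the 10.0.0.0/8 internal range. Inside Azure, the same filtering can today be done with an ingestion-time transformation in a data collection rule, but the logic is identical.

```python
"""Added example, not from the ebook: a forwarder-side filter that collapses
inbound firewall deny noise into per-source counts before it is sent to the
SIEM. CEF lines are constructed; keys and the internal range are assumptions."""
import ipaddress
from dataclasses import dataclass, field

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed address space

# Constructed CEF records (not captured from a real device).
SAMPLE_LINES = [
    "CEF:0|Vendor|FW|1.0|100|Deny|3|act=deny src=203.0.113.7 dst=198.51.100.5 dpt=22 proto=TCP",
    "CEF:0|Vendor|FW|1.0|100|Deny|3|act=deny src=203.0.113.7 dst=198.51.100.5 dpt=23 proto=TCP",
    "CEF:0|Vendor|FW|1.0|100|Deny|3|act=deny src=203.0.113.7 dst=198.51.100.5 dpt=445 proto=TCP",
    "CEF:0|Vendor|FW|1.0|100|Deny|3|act=deny src=203.0.113.8 dst=198.51.100.5 dpt=3389 proto=TCP",
    "CEF:0|Vendor|FW|1.0|100|Deny|3|act=deny src=10.0.5.12 dst=10.0.9.3 dpt=3389 proto=TCP",
    "CEF:0|Vendor|FW|1.0|101|Allow|1|act=allow src=10.0.5.12 dst=203.0.113.50 dpt=443 proto=TCP",
    "CEF:0|Vendor|FW|1.0|100|Deny|3|act=deny src=10.0.5.12 dst=203.0.113.99 dpt=4444 proto=TCP",
]


def parse_cef(line):
    """Return the CEF extension as a dict. The seven header fields are split
    on '|'; the extension is space-separated key=value pairs. CEF escaping of
    '=' and '|' inside values is ignored to keep the example short."""
    parts = line.split("|", 7)
    if len(parts) < 8:
        return {}
    return dict(kv.split("=", 1) for kv in parts[7].split() if "=" in kv)


@dataclass
class FilterResult:
    kept: list = field(default_factory=list)       # forwarded unchanged
    summaries: list = field(default_factory=list)  # one line per external source
    dropped: int = 0                               # raw lines not forwarded
    dropped_bytes: int = 0                         # ingestion avoided (approximate)


def filter_batch(lines, internal_nets=INTERNAL_NETS):
    """Keep every allow and every deny whose source is internal; collapse
    denies from external sources into a per-source count."""
    result = FilterResult()
    inbound = {}
    for line in lines:
        f = parse_cef(line)
        try:
            ip = ipaddress.ip_address(f["src"]) if "src" in f else None
        except ValueError:
            ip = None                      # unparsable source: forward as-is
        is_internal = ip is not None and any(ip in n for n in internal_nets)
        if f.get("act") == "deny" and ip is not None and not is_internal:
            inbound[str(ip)] = inbound.get(str(ip), 0) + 1
            result.dropped += 1
            result.dropped_bytes += len(line.encode())
            continue
        result.kept.append(line)
    result.summaries = [f"src={s} denied_count={n}" for s, n in sorted(inbound.items())]
    return result


if __name__ == "__main__":
    r = filter_batch(SAMPLE_LINES)
    print(f"kept {len(r.kept)}, dropped {r.dropped} ({r.dropped_bytes} bytes)")
    for s in r.summaries:
        print(s)
```

On the sample batch four of seven lines are dropped and replaced by two summary lines, while the internal-source denies survive: the 10.0.5.12 to 10.0.9.3 RDP deny and the blocked outbound 4444 connection are exactly the events an analyst wants correlated with the rest of the workspace. Whatever the filter drops is gone for good, so run a filter like this on a copy of the stream for a while and diff the detections fired with and without it before making it the only path into the SIEM.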
“Implementing Azure Sentinel is straightforward, coming down to implementing your data connections and deciding how much space to allocate for data storage.”

Microsoft Azure Sentinel Delivers Visibility and Insight

Microsoft Azure Sentinel combines security information event management and security orchestration automated response functionality in one tool, making it much easier to have all security data and controls in one place. That consolidated platform simplifies monitoring, correlating, and automating security functions such as detections, alerting, and playbooks.

Implementing Azure Sentinel is straightforward, coming down to implementing your data connections and deciding how much space to allocate for data storage. Both are important because they can have a big impact on the tool’s operational cost. Regarding data storage, Azure Sentinel defaults to holding log data for 30 days, which will be plenty for most companies. Some high-risk businesses that represent attractive targets, such as financial services firms, may want to hold data longer. The longer you store data, however, the more space it consumes, which increases costs.

The amount of data Azure Sentinel consumes also comes with costs, but you can monitor and analyze a lot of data for free. For example, it costs nothing to ingest data from other Microsoft security products, such as the Microsoft 365 Defender suite (Microsoft Defender for Endpoint [formerly Microsoft Advanced Threat Protection], Microsoft Cloud App Security, and others). Monitoring these tools is easy: In the Azure portal, select Azure Sentinel, select Data connections, and then turn on the data connections for those tools. If you have a largely Microsoft environment and are using these tools, turning all that data on enables Azure Sentinel to provide you with a lot of visibility into what’s happening in your environment. It takes only a few minutes to start seeing results.

One of the most challenging aspects of Azure Sentinel is balancing costs against benefits. It’s easy to activate built-in connectors to other technology in your environment, such as Cisco, Citrix, and Amazon Web Services, but importing that data can incur costs depending on the amount. You can gain amazing insights from cloud data imported into Azure Sentinel, but the amounts of data can vary and be difficult to predict, especially if you are transitioning to the cloud or ramping up cloud computational activity. One month you may have two cloud servers, and then suddenly you could have five, ten, twenty, or thirty. Each is an individual cost, in addition to log transaction costs and the costs of Microsoft SQL Server instances. There are intricacies to the cost structure that can be confusing, and it can get out of hand quickly if you’re not careful.

Many of these questions are ongoing as you use Azure Sentinel and modify it to keep it operating optimally for your environment. Most of your maintenance and optimization work will focus on reporting; automations for queries, alerts, and responses; and reviewing incidents. Set reporting schedules that make sense in relation to automated querying so that you don’t waste resources with unnecessary reporting. In addition, you must continually adjust these features to adapt to your changing environment and usage patterns.

For some companies, it makes a lot of sense to work with a managed security service provider (MSSP) or consultant to hammer out these details. The choice depends on your staffing, budget, and environment size. If you have a solid team but don’t have a security operations center (SOC), or you have a SOC that would be overwhelmed with a one- or two-person team, then using an MSSP to augment your staff can be fantastic. If you're a small business without a security department, a service provider can be invaluable. Like everything else, you must balance the costs against the services and benefits you receive.

Key Points

1. Azure Sentinel can monitor and analyze a lot of data for free. For example, it costs nothing to ingest data from Microsoft security products such as those in the Microsoft 365 Defender suite.

2. You can gain amazing insights from cloud data imported into Azure Sentinel, but the amounts of data can vary and be difficult to predict, especially if you are transitioning to the cloud or ramping up cloud computational activity.

Michael Kavka, R.J. O’Brien, Sr. Security Engineer

Michael Kavka has been an IT professional for more than 20 years. He contributes to the community, helping run the Burbsec set of infosec meetups in the Chicago area, and volunteers for Hak4Kidz, a kids-orientated STEM conference. He is currently a Security Engineer; his areas of focus include security information and event management, Microsoft security technologies, and vulnerability assessment. Michael is a CISSP and a GCIH.
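The cost question Michael raises above can be answered from the workspace itself. As an added example (not from the ebook or its contributors), two Kusto queries run from the Azure Sentinel Logs blade show which data types are billable and how much each ingested, and then the daily trend per data type so that a connector whose volume is climbing stands out early; they assume only the Log Analytics workspace's built-in Usage table.

```kusto
// Added example, not from the ebook. Assumes a Log Analytics workspace backing
// Azure Sentinel; Usage is the workspace's built-in metering table (Quantity is in MB).
// 1) Which data types cost money, and how much of each came in over the last 30 days?
//    IsBillable == false rows are the free sources (for example, Microsoft 365 Defender data).
Usage
| where TimeGenerated > ago(30d)
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType, IsBillable
| order by IsBillable desc, IngestedGB desc

// 2) Daily billable volume per data type, to spot a connector whose volume is
//    growing (new cloud servers, a verbose firewall) before the invoice does.
Usage
| where TimeGenerated > ago(30d) and IsBillable == true
| summarize DailyGB = round(sum(Quantity) / 1024, 2) by DataType, Day = bin(TimeGenerated, 1d)
| order by DataType asc, Day asc
```

Run the two queries separately (the portal executes the query block the cursor is in). Pinning the second one to a workbook gives the ongoing check the chapter recommends without having to remember to look at the billing page.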
“Azure Sentinel automatically performs the analytical work on alerts and provides a clear, straightforward presentation of the incident history and event relationships.”

Microsoft Azure Sentinel Is a Different Kind of SIEM System

The most important part of implementing Microsoft Azure Sentinel is knowing your objectives because Azure Sentinel differs from traditional security information event management (SIEM) tools in two key ways:

• Sentinel is smart. Many companies that use SIEM tools know their traditional role as security data aggregators. The SIEM system collects raw logs and provides the data to analysts in the security operations center, who look at that data and use other analytical tools to determine its meaning. Azure Sentinel automatically performs the analytical work on alerts and provides a clear, straightforward presentation of the incident history and event relationships. It does a lot of the analytical work for analysts. An analyst can choose an incident off the Azure Sentinel incident list and within seconds have a complete view of what happened.

• Azure Sentinel also provides security orchestration and automated response. These features enable you to build automated playbooks into your Azure Sentinel implementation. Azure Sentinel has no preconfigured playbooks. Instead, you use the tool’s analytical rules, triggers, and logic apps to create your own playbooks based on your requirements. You can then run these playbooks manually or automatically. Playbooks make Azure Sentinel a powerful security automation tool.

These capabilities make Azure Sentinel a different kind of SIEM system, and to get the most out of it, you need to know what you want it to do for you.

One other aspect of Azure Sentinel that can affect how you implement it is continuous synchronization with Microsoft Defender for Endpoint (formerly Microsoft Advanced Threat Protection). Continuous synchronization means that you can set up Microsoft Defender for Endpoint so that if it assigns an incident, the same incident is assigned in Azure Sentinel. Then, after you resolve the incident and close the incident in Microsoft Defender for Endpoint, it also closes in Azure Sentinel—something not possible with any other SIEM system.

When implementing Azure Sentinel, pay attention to the data connections you create to make sure that you are collecting the right data and not too much data. In some cases, such as for on-premises servers, you will need to install an agent that connects to Azure Sentinel, which is cloud based. In addition, spend time working on the analytics rules. Microsoft includes default rules, but you should edit and test them to make sure that they meet your requirements. Azure Sentinel also has allow list capabilities that permit actions that may otherwise trigger an alert. To make your Azure Sentinel implementation more capable and more powerful, you must engineer every alert; then, with time, the rules you use will become more effective.

The best way to keep Azure Sentinel in optimum condition to defend your network is continuous monitoring of incidents. If the tool’s ability to catch incidents provides value, then it’s a good tool. But if it’s producing a lot of false positives, you have to work on editing the rules. Maintaining Azure Sentinel involves continuously tuning the rules, saving them, watching how they perform, and learning how to make them deliver better results.

Key Points

1. Use Azure Sentinel analytical rules, triggers, and logic apps to create your own playbooks based on your requirements. You can then run these playbooks manually or automatically.

2. To keep Azure Sentinel in optimum condition to defend your network, continuously monitor for incidents. If the tool’s ability to catch incidents provides value, then it’s a good tool. But if it's producing a lot of false positives, you have to work on editing the rules.

Rajesh Kumawat, Mastercard, Information Security Analyst

Rajesh Kumawat has four years of experience working as an Information Security Analyst. He completed his engineering studies in E&TC in Pune. Rajesh is passionate about infosec and its domains, such as cyber forensics, cloud security, incident management, and IT compliance. He likes to engage in freelancing projects and do bug bounty hunting in his spare time, which mostly focuses on web application security.
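One way to engineer an alert with the allow list capability described above, as an added example rather than the author's or Microsoft's own content: a scheduled analytics rule query in Kusto that counts failed sign-ins per source address but excludes sources held in a Sentinel watchlist, so expected noisy sources stop creating incidents without the detection being switched off. The watchlist name AllowedSourceIPs, its SearchKey column, and the threshold of 20 are assumptions; the SigninLogs table comes from the Azure Active Directory data connector.

```kusto
// Added example, not from the ebook. Assumes the Azure AD connector (SigninLogs table)
// and a Sentinel watchlist named 'AllowedSourceIPs' whose SearchKey column holds the
// addresses allowed to fail sign-ins noisily (authorised scanners, a VPN egress, etc.).
let AllowedIPs = _GetWatchlist('AllowedSourceIPs') | project SearchKey;
let Threshold = 20;                       // tune this against your own false-positive rate
SigninLogs
| where TimeGenerated > ago(1h)           // match the rule's scheduled lookback period
| where ResultType != "0"                 // ResultType "0" is a successful sign-in
| where IPAddress !in (AllowedIPs)        // the allow list: suppress known sources, keep the rule
| summarize FailedCount = count(),
            Accounts = make_set(UserPrincipalName, 50),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IPAddress
| where FailedCount >= Threshold
| extend AccountsTargeted = array_length(Accounts)
| project FirstSeen, LastSeen, IPAddress, FailedCount, AccountsTargeted, Accounts
```

Map IPAddress as the rule's IP entity so the incident carries it, and when a benign source turns up in the results, add it to the watchlist rather than raising Threshold for everyone; that keeps the tuning history in one place and the detection intact.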
“The most challenging aspect of Azure Sentinel deployment is deciding what you need the system to tell you, and then configuring data collection and analytics so that you can extract that information.”

You Must Understand What You Want to Extract from Azure Sentinel

Effective security monitoring and analysis require a security information event management solution such as Microsoft Azure Sentinel, but that tool must be configured properly. You can configure data collection and analysis for Azure Sentinel in many ways. Which way you choose depends on your security needs and what is in your environment.

A configuration management tool such as Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager) is essential for deploying Azure Sentinel. Before you can deploy Azure Sentinel, you must install the correct monitoring agents on the servers in your environment, whether on-premises servers or virtual servers deployed in the cloud. Microsoft provides monitoring agents for Windows and Linux operating systems, and agents are available that work in Azure, Amazon Web Services, and other providers’ clouds. Microsoft monitoring agents are mandatory for getting log data into the Azure Sentinel analytics workspace.

The most challenging aspect of Azure Sentinel deployment is deciding what you need the system to tell you, and then configuring data collection and analytics so that you can extract that information. Azure Sentinel enables you to integrate all your data monitoring into one tool in the Azure portal. That can speed up mean time to detection and mean time to response, but you need to know what you are looking for. This determines which data you will collect, which analytical rules you will use, and which automations you will configure.

When deciding on data collection, eliminate noise that does not contribute to the information you are trying to extract from the system. Use data connectors to pull in the important data, and enable rules for analysis and behavior tracking. Collecting too much data increases the operational cost of using Azure Sentinel. Microsoft makes it easy to implement data connectors for its own products and for many third-party tools. For example, data collectors are available for Cisco networking solutions that can also monitor virtual routing and forwarding. Azure Sentinel has a list of preconfigured data collectors; you just select the ones you want to use.

Properly configuring Azure Sentinel for your environment enables broad visualization. If an attacker is trying to access your environment, you can see who the attacker is, which virtual machines they have run, and the data the attacker is trying to exfiltrate. Azure Sentinel shows you who has been compromised and what the impact of that compromise might be.

It’s important to recognize that Azure Sentinel requires ongoing monitoring and adjustment to changes in your environment. It is not a tool that you can configure once and then leave alone. You must check analytical rules, detections, and your automations because technology in your environment changes every day, and the tool itself is evolving. Microsoft has built 200 preconfigured detections for Azure Sentinel, but it regularly updates them. Continuously check the detections you use to see if new ones can improve your security operations.

Key Points

1. Azure Sentinel enables you to integrate all your data monitoring into one tool in the Azure portal. That can speed up mean time to detection and mean time to response, but you need to know what you are looking for.

2. With Azure Sentinel, you can collect and analyze data in ways that meet your security needs and fit your environment. A configuration management tool such as Microsoft Endpoint Configuration Manager is essential for deploying Azure Sentinel.

Sharjeel Qayyum Khan, edotco Group, IT Security Operation Lead

Sharjeel Qayyum Khan has ten years of experience in IT. His focus is on enhancing business alignment and growth by deploying stable cloud environments and adopting best practices for security. Sharjeel regulates security operations and technologies, including end security, security information event management, incident response, and NIST compliance reporting. His areas of expertise include cybersecurity, system architecture design, vulnerability evaluation, risk management, and configuration management.