Azure Sentinel is a cloud-native security information event management (SIEM) and security orchestration automated response (SOAR) solution. It collects data from across an organization, uses built-in analytics and threat intelligence to detect threats, enables investigation of incidents with AI, and automates responses. Azure Sentinel provides visibility across users, devices, applications, and infrastructure both on-premises and in multiple clouds. It detects previously unknown threats, minimizes false positives, and allows hunting for suspicious activities at scale. Responses can be automated through built-in orchestration of common tasks. Azure Sentinel has no infrastructure setup or maintenance costs and scales automatically with unlimited compute and storage resources.
Microsoft Azure Sentinel is a new Cloud native SIEM service with built-in AI for analytics that removes the cost and complexity of achieving a central and focused near real-time view of the active threats in your environment.
Get comprehensive protection across all your platforms and clouds
Protect your organization from threats across devices, identities, apps, data and clouds. Get unmatched visibility into your multiplatform environment that unifies Security Information and Event Management (SIEM) and Extended Detection and Response (XDR). Simplify your security stack with Azure Sentinel and Microsoft Defender.
Microsoft Azure Sentinel is a new Cloud native SIEM service with built-in AI for analytics that removes the cost and complexity of achieving a central and focused near real-time view of the active threats in your environment.
Get comprehensive protection across all your platforms and clouds
Protect your organization from threats across devices, identities, apps, data and clouds. Get unmatched visibility into your multiplatform environment that unifies Security Information and Event Management (SIEM) and Extended Detection and Response (XDR). Simplify your security stack with Azure Sentinel and Microsoft Defender.
This presentation walks through the Security and Compliance functionality to customers leveraging Azure as a compute environment. It includes deep-dive references to detailed information on each topic presented.
Azure Sentinel is Microsoft cloud-native SIEM and SOAR. Say goodbye to 6 months SIEM solution setup and architecture - get started with visibility on you environement just now, and use the rich ecosystem of connectors to extend intelligence to your complete security suite.
Microsoft 365 provides holistic security across these four aspects of security.
By helping enterprise businesses secure corporate data and manage risk in today’s mobile-first, cloud-first world Microsoft 365 enables customers to digitally transform by unifying user productivity and enterprise security tools into a single suite that enables the modern workplace.
Identity & Access Mgmt
Secure identities to reach zero trust
Threat Protection
Help stop damaging attacks with integrated and automated security
Information Protection
Protect sensitive information anywhere it lives
Security Management
Strengthen your security posture with insights and guidance
Cyberspace is the new battlefield:
We’re seeing attacks on civilians and organizations from nation states. Attacks are no longer just against governments or enterprise systems directly. We’re seeing attacks against private property—the mobile devices we carry around everyday, the laptop on our desks—and public infrastructure. What started a decade-and-a-half ago as a sense that there were some teenagers in the basement hacking their way has moved far beyond that. It has morphed into sophisticated international organized crime and, worse, sophisticated nation state attacks.
Personnel and resources are limited:
According to an annual survey of 620 IT professional across North America and Western Europe from ESG, 51% respondents claim their organization had a problem of shortage of cybersecurity skills—up from 23% in 2014.1 The security landscape is getting more complicated and the stakes are rising, but many enterprises don’t have the resources they need to meet their security needs.
Virtually anything can be corrupted:
The number of connected devices in 2018 is predict to top 11 billion – not including computers and phones. As we connect virtually everything, anything can be disrupted. Everything from the cloud to the edge needs to be considered and protected.2
We live in a time where digital technology is profoundly impacting our lives, from the way we connect with each other to how we interpret our world. First and foremost, this digital transformation is causing a tsunami of data. In fact, IDC estimates that in 2025, the world will create and replicate 163ZB of data, representing a tenfold increase from the amount of data created in 2016. In the past, organizations primarily dealt with documents and emails. But now they’re also dealing with instant messaging, text messaging, video files, images, and DIO files. The internet of things, or IOT, will only add to this explosion in data.
Managing this data overload and the variety of devices from which it is created is complicated and onerous as the market for solutions is fragmented and confusing. There are many categories of solutions, and within each, there are even more solutions to choose from. Many companies are struggling to decide how many of those solutions they need and where to start. Additionally, using multiple solutions means they won’t be integrated, so companies end up managing multiple applications from multiple disparate interfaces.
The question we often get asked is, “How can Microsoft 365 help me?”
here's where Microsoft has invested, across these areas: identity and access management, apps and data security, network security, threat protection, and security management.
We’ve put a tremendous amount of investment into these areas and the way it shows up is across a pretty broad array of product areas and features.
Our Identity and Access Management tools enable you to take an identity-based approach to security, and establish truly conditional access policies
Our App and Data Security help you protect your apps and your data as it moves around—both inside and outside your organization
Azure includes a robust networking infrastructure with built-in security controls for your application and service connectivity.
Our Threat Protection capabilities are built in and fully integrated, so you can strengthen both pre-breach protection with deep capabilities across e-mail, collaboration services, and end points including hardware based protection; and post-breach detection that includes memory and kernel based protection and response with automation.
And our Security Management tools give you the visibility and more importantly the guidance to manage policy centrally
Platform + Intelligence + Partners
This new understanding has led us to build new solutions for our customers. It informs our entire approach across three critical elements:
Building a platform that looks holistically across all the critical end-points we talked about – building security into our platform as well as providing security tools and technologies to you
Acting on the Intelligence that comes from our security-related signals and insights – helps you and us to detect threats more quickly
Fostering a vibrant ecosystem of partners who help us raise the bar across the industry – we know we’re not your only security vendor, and we want to work with the industry and take a holistic approach to technology
Microsoft 365 provides holistic security that is aligned to these four pillars of security.
By helping enterprise businesses secure corporate data and manage risk in today’s mobile-first, cloud-first world Microsoft 365 E5 enables customers to digitally transform by unifying user productivity and enterprise security tools into a single suite that enables the modern workplace.
Identity & Access Mgmt
Protect users’ identities and control access to valuable resources based on user risk level
Information Protection
Ensure documents and emails are seen only by authorized people
Threat Protection
Protect against advanced threats and recover quickly when attacked
Security Management
Gain visibility and control over security tools
Here's the slide deck from my session titled "Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps" which was presented on the Modern Workplace Conference Paris 2022 Virtual event.
Overall Security Process Review CISC 6621Agend.docxkarlhennesey
Overall Security Process Review
CISC 662
1
Agenda
Review of the following technologies and current products:
SIEM
CASB
EDR (Enterprise Detection and Response)
NGFW (Next Generation Firewalls)
Threat Intelligence
Summary of Term
SANS Technology Institute - Candidate for Master of Science Degree
What is a SIEM?
SIEM - Security Information Event Management
Logging and Event Aggregation
Network (router,switch,firewall,etc)
System (Server,workstation,etc)
Application (Web, DB )
Correlation Engine
2+ related events = higher alarm (1+1=3)
3
At first glance SIEM's appliances and software look like an event aggregator. While a SIEM has the advantage of aggregating logs what puts them apart from the event aggregator market are the correlation engines.
The correlation engines allow the ability to uncover threats/attacks across multiple related events which by themselves would not be a cause for alarm.
SIEM
4
What is a SIEM?
5
Security information and event management (SIEM) is the technology that can tie all your systems together and give you a comprehensive view of IT security.
IT security is typically a patchwork of technologies – firewalls, intrusion prevention, endpoint protection, threat intelligence and the like – that work together to protect an organization’s network and data from hackers and other threats. Tying all those disparate systems together is another challenge, however, and that’s where SIEM can help.
SIEM systems manage and make sense of security logs from all kinds of devices and carry out a range of functions, including spotting threats, preventing breaches before they occur, detecting breaches, and providing forensic information to determine how a security incident occurred as well as its possible impact.
Using SIEM
How do SIEM Products help the following Security concerns?
Countermeasures to detect attempts to infect internal system
Identification of infected systems trying to exfiltrate information
Mitigation of the impact of infected systems
Detection of outbound sensitive information ( DLP)
6
These questions are a core part of a companies overall security architecture. If a SIEM isn't providing answers or solutions to these questions what is it doing?
If you aren't using your SIEM to solve issues like these it may just be an expensive log aggregator/collection system sitting in your network collecting dust.
SIEM Advantages
Correlation of data from multiple systems and from different events detecting security and operational conditions
Anomaly detection by using a baseline of events over time to find deviations from expected or normal behavior
Comprehensive view into an environment based on event types, protocols, log sources, etc
APT (advanced persistent threat) protection through detection of protocol and application anomalies
Prioritization based on risk of threat to assets, staff can triage the most vulnerable targets
Alerting and monitoring on events of interest to escalate pri ...
This presentation walks through the Security and Compliance functionality to customers leveraging Azure as a compute environment. It includes deep-dive references to detailed information on each topic presented.
Azure Sentinel is Microsoft cloud-native SIEM and SOAR. Say goodbye to 6 months SIEM solution setup and architecture - get started with visibility on you environement just now, and use the rich ecosystem of connectors to extend intelligence to your complete security suite.
Microsoft 365 provides holistic security across these four aspects of security.
By helping enterprise businesses secure corporate data and manage risk in today’s mobile-first, cloud-first world Microsoft 365 enables customers to digitally transform by unifying user productivity and enterprise security tools into a single suite that enables the modern workplace.
Identity & Access Mgmt
Secure identities to reach zero trust
Threat Protection
Help stop damaging attacks with integrated and automated security
Information Protection
Protect sensitive information anywhere it lives
Security Management
Strengthen your security posture with insights and guidance
Cyberspace is the new battlefield:
We’re seeing attacks on civilians and organizations from nation states. Attacks are no longer just against governments or enterprise systems directly. We’re seeing attacks against private property—the mobile devices we carry around everyday, the laptop on our desks—and public infrastructure. What started a decade-and-a-half ago as a sense that there were some teenagers in the basement hacking their way has moved far beyond that. It has morphed into sophisticated international organized crime and, worse, sophisticated nation state attacks.
Personnel and resources are limited:
According to an annual survey of 620 IT professional across North America and Western Europe from ESG, 51% respondents claim their organization had a problem of shortage of cybersecurity skills—up from 23% in 2014.1 The security landscape is getting more complicated and the stakes are rising, but many enterprises don’t have the resources they need to meet their security needs.
Virtually anything can be corrupted:
The number of connected devices in 2018 is predict to top 11 billion – not including computers and phones. As we connect virtually everything, anything can be disrupted. Everything from the cloud to the edge needs to be considered and protected.2
We live in a time where digital technology is profoundly impacting our lives, from the way we connect with each other to how we interpret our world. First and foremost, this digital transformation is causing a tsunami of data. In fact, IDC estimates that in 2025, the world will create and replicate 163ZB of data, representing a tenfold increase from the amount of data created in 2016. In the past, organizations primarily dealt with documents and emails. But now they’re also dealing with instant messaging, text messaging, video files, images, and DIO files. The internet of things, or IOT, will only add to this explosion in data.
Managing this data overload and the variety of devices from which it is created is complicated and onerous as the market for solutions is fragmented and confusing. There are many categories of solutions, and within each, there are even more solutions to choose from. Many companies are struggling to decide how many of those solutions they need and where to start. Additionally, using multiple solutions means they won’t be integrated, so companies end up managing multiple applications from multiple disparate interfaces.
The question we often get asked is, “How can Microsoft 365 help me?”
here's where Microsoft has invested, across these areas: identity and access management, apps and data security, network security, threat protection, and security management.
We’ve put a tremendous amount of investment into these areas and the way it shows up is across a pretty broad array of product areas and features.
Our Identity and Access Management tools enable you to take an identity-based approach to security, and establish truly conditional access policies
Our App and Data Security help you protect your apps and your data as it moves around—both inside and outside your organization
Azure includes a robust networking infrastructure with built-in security controls for your application and service connectivity.
Our Threat Protection capabilities are built in and fully integrated, so you can strengthen both pre-breach protection with deep capabilities across e-mail, collaboration services, and end points including hardware based protection; and post-breach detection that includes memory and kernel based protection and response with automation.
And our Security Management tools give you the visibility and more importantly the guidance to manage policy centrally
Platform + Intelligence + Partners
This new understanding has led us to build new solutions for our customers. It informs our entire approach across three critical elements:
Building a platform that looks holistically across all the critical end-points we talked about – building security into our platform as well as providing security tools and technologies to you
Acting on the Intelligence that comes from our security-related signals and insights – helps you and us to detect threats more quickly
Fostering a vibrant ecosystem of partners who help us raise the bar across the industry – we know we’re not your only security vendor, and we want to work with the industry and take a holistic approach to technology
Microsoft 365 provides holistic security that is aligned to these four pillars of security.
By helping enterprise businesses secure corporate data and manage risk in today’s mobile-first, cloud-first world Microsoft 365 E5 enables customers to digitally transform by unifying user productivity and enterprise security tools into a single suite that enables the modern workplace.
Identity & Access Mgmt
Protect users’ identities and control access to valuable resources based on user risk level
Information Protection
Ensure documents and emails are seen only by authorized people
Threat Protection
Protect against advanced threats and recover quickly when attacked
Security Management
Gain visibility and control over security tools
Here's the slide deck from my session titled "Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps" which was presented on the Modern Workplace Conference Paris 2022 Virtual event.
Overall Security Process Review CISC 6621Agend.docxkarlhennesey
Overall Security Process Review
CISC 662
1
Agenda
Review of the following technologies and current products:
SIEM
CASB
EDR (Enterprise Detection and Response)
NGFW (Next Generation Firewalls)
Threat Intelligence
Summary of Term
SANS Technology Institute - Candidate for Master of Science Degree
What is a SIEM?
SIEM - Security Information Event Management
Logging and Event Aggregation
Network (router,switch,firewall,etc)
System (Server,workstation,etc)
Application (Web, DB )
Correlation Engine
2+ related events = higher alarm (1+1=3)
3
At first glance SIEM's appliances and software look like an event aggregator. While a SIEM has the advantage of aggregating logs what puts them apart from the event aggregator market are the correlation engines.
The correlation engines allow the ability to uncover threats/attacks across multiple related events which by themselves would not be a cause for alarm.
SIEM
4
What is a SIEM?
5
Security information and event management (SIEM) is the technology that can tie all your systems together and give you a comprehensive view of IT security.
IT security is typically a patchwork of technologies – firewalls, intrusion prevention, endpoint protection, threat intelligence and the like – that work together to protect an organization’s network and data from hackers and other threats. Tying all those disparate systems together is another challenge, however, and that’s where SIEM can help.
SIEM systems manage and make sense of security logs from all kinds of devices and carry out a range of functions, including spotting threats, preventing breaches before they occur, detecting breaches, and providing forensic information to determine how a security incident occurred as well as its possible impact.
Using SIEM
How do SIEM Products help the following Security concerns?
Countermeasures to detect attempts to infect internal system
Identification of infected systems trying to exfiltrate information
Mitigation of the impact of infected systems
Detection of outbound sensitive information ( DLP)
6
These questions are a core part of a companies overall security architecture. If a SIEM isn't providing answers or solutions to these questions what is it doing?
If you aren't using your SIEM to solve issues like these it may just be an expensive log aggregator/collection system sitting in your network collecting dust.
SIEM Advantages
Correlation of data from multiple systems and from different events detecting security and operational conditions
Anomaly detection by using a baseline of events over time to find deviations from expected or normal behavior
Comprehensive view into an environment based on event types, protocols, log sources, etc
APT (advanced persistent threat) protection through detection of protocol and application anomalies
Prioritization based on risk of threat to assets, staff can triage the most vulnerable targets
Alerting and monitoring on events of interest to escalate pri ...
Organizations need to apply security analytics to obtain seamless visibility and monitoring across both their on-premises and cloud environments. These challenges can be solved with comprehensive detection rules and behavioral analytics to ensure you detect potential threats.
Join FireEye and AWS to learn how Threat Analytics Platform (TAP) helped unify a major U.S. financial company’s on-premises and cloud-based Security Operations Centers (SOCs) by providing a single, cloud-based solution for monitoring their hybrid IT environment. FireEye’s TAP provides seamless visibility, detection and investigation across your on-premises and AWS Cloud environments ensuring actionable insight into threats targeting your company.
Join us to learn:
• How TAP ingests and analyzes AWS CloudTrail log files, providing visibility into both your AWS environment and the applications running on it
• TAP's best practices workflow to guide and inform your threat investigation
• How a major U.S. financial company unified their on-premises and cloud-based SOCs in to a single, cloud-based security operation
Who should attend: Directors and Managers of Security, IT Administrators, IT Architects, and IT Security Engineers
Knowledge is power. This session will explore the rich real-time telemetry and tools available in Windows and in our cloud services for analyzing security activity in your IT environment.
IntroSpect User and Entity Behavior Analytics (UEBA) uses AI-based machine learning to spot changes in user behavior that often indicate inside attacks that have evaded perimeter defenses. Security teams are armed with insights into malicious, compromised or negligent users, systems and devices – cutting off the threat before it does damage.
Planning and implementing. Unveiling the advanced technology of Microsoft Azu...Prometix Pty Ltd
Your trusted and certified partner for comprehensive SharePoint consulting services in Sydney. With a profound commitment to excellence, our skilled team of professionals brings you unparalleled insights and solutions tailored to your unique business needs.
RSA-Pivotal Security Big Data Reference ArchitectureEMC
This paper talks about how customers can use RSA and Pivotal to get better visibility into their environments, more context to help them prioritize issues, and actionable intelligence from a diverse set of sources
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based …Andris Soroka
World's #1 SIEM technology in GRC (Governance, Risk, Compliance). QRadar Risk Manager provides organizations with a pre-exploit solution that allows network security professionals to assess what risks exist during and after an attack, while also answering many "What if?" questions ahead of time, which can greatly improve operational efficiency and reduce network security risks.
Azure Day Rome Reloaded 2019 - Azure Sentinel: set up automated threat respon...azuredayit
We will create a security playbook, that is a collection of procedures that can be run from Azure Sentinel in response to an alert. It will help automate and orchestrate that response, and can be run manually or set to run automatically when specific alerts are triggered
AWS re:Invent 2016: Predictive Security: Using Big Data to Fortify Your Defen...Amazon Web Services
In a rapidly changing IT environment, detecting and responding to new threats is more important than ever. This session shows you how to build a predictive analytics stack on AWS, which harnesses the power of Amazon Machine Learning in conjunction with Amazon Elasticsearch Service, AWS CloudTrail, and VPC Flow Logs to perform tasks such as anomaly detection and log analysis. We also demonstrate how you can use AWS Lambda to act on this information in an automated fashion, such as performing updates to AWS WAF and security groups, leading to an improved security posture and alleviating operational burden on your security teams.
Similar to Azure Sentinel Jan 2021 overview deck (20)
Intune MDM Enrollment: Android enterprise work profile Matt Soseman
This is a click thru demo of screenshots of how to enroll an Android device into Intune Mobile Device Management (MDM) using an Android Enterprise Work Profile
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
3. Introducing Azure Sentinel
Birds-eye view across the enterprise alleviating the stress of increasingly sophisticated attacks,
increasing volumes of alerts, and long resolution time frames.
Collect data at cloud scale across all users, devices,
applications, and infrastructure, both on-premises and in
multiple clouds
Detect previously undetected threats, and minimize false
positives using Microsoft's analytics and unparalleled
threat intelligence
Investigate threats with artificial intelligence, and hunt
for suspicious activities at scale, tapping into years of
cyber security work at Microsoft
Respond to incidents rapidly with built-in
orchestration and automation of common tasks
4. About Azure Sentinel
No infrastructure setup or maintenance
SIEM+SOAR service available in Azure portal
Scale automatically, put no limits to
compute or storage resources
Bring your own insights, machine learning
models, and threat intelligence
Tap into our security community to build on
detections, threat intelligence, and response
automation.
Robust interactive dashboards to visualize
and analyze data
6. Multi-Tenant Capable (MSSP)
Uses Azure Lighthouse to combine multiple
tenants
Manage your customers’ Sentinel resources
directly from your own Azure tenant –
without connecting to the customer’s tenant
View incidents from all selected workspaces
and tenants in a unified list
Ensures data isolation between tenants
Create cross-tenant Workbooks (dashboards),
Playbooks (automation) and threat hunting
queries
7. Traditional
Pricing
No infrastructure costs, only pay for
what you use
Bring your Office 365 Data at no cost
Predictable Billing with capacity
reservations
Sentinel
Cloud-native, scalable SIEMHardware
setup
Maintenance Software
setup
Azure Sentinel Pricing | Microsoft Azure
8. Forrester TEI study: Azure Sentinel delivers 201 percent ROI over 3 years
and a payback of less than 6 months
A three-year 201 percent return on
investment (ROI) with a payback period of
less than six months.
A 48 percent reduction in costs compared
to legacy SIEM solutions, saving on
expenses like licensing, storage, and
infrastructure costs.
A 79 percent reduction in false positives
and 80 percent reduction in the amount
of labor associated with investigation,
reducing mean time to resolution (MTTR)
over three years.
A 67 percent decrease in time to
deployment compared to legacy on-
premises SIEMs.
Link to Forrester TEI Study
10. Collect security data from all sources across the organization
Out-of-the-box integration with Microsoft
solutions
Connectors for many non-Microsoft solutions
Standard log format support for all sources
(CEF,Syslog,REST-API)
Supports integrated threat intelligence
platforms: MISP, Anomali, Palo Alto,
ThreatConnect, ExlecticIQ, ThreatQ (Public
Preview)
Import your organization’s threat indicators
More information: Connect data sources to Azure Sentinel
11. What can be ingested at no cost with Azure Sentinel?
• Azure Activity Logs
• Office 365 Audit Logs (all SharePoint activity and Exchange admin activity)
• Microsoft Defender products
• Azure Defender
• Microsoft 365 Defender
• Microsoft Defender for Office 365
• Microsoft Defender for Identity
• Microsoft Defender for Endpoint
• Azure Security Center
• Microsoft Cloud App Security
• Azure Information Protection can be ingested at no additional cost into both Azure
Sentinel, and Azure Monitor Log Analytics.
Note: Azure Active Directory (AAD) audit data is not free and is billed for ingestion into
both Azure Sentinel, and Azure Monitor Log Analytics.
Azure Sentinel Pricing
12. Detect threats out-of-the-box
Out-of-the-box, built-in templates to create
threat detection rules
Identifies common attack vectors, suspicious
activity escalation chains, known threats and
more
Advanced multi-stage attack detection using
machine learning
Create custom rules to search for specific
behavior, suspicious activities, or criteria
Alerts can be automatically correlated and
added to incidents
13. Investigate threats with AI and hunt suspicious activities at scale
Visualize context from raw data to
Get prioritized alerts and automated
expert guidance
Visualize the entire attack and its impact
Hunt for suspicious activities using pre-built
queries and Azure Notebooks
Correlates data to understand scope, identify
root cause of potential threats
14. Visualize and monitor your data
Create interactive custom dashboards and
reports to bring new insights to your data
Based on Azure Monitor Workbooks
Dozens of pre-built out of the box workbooks
Sentinel can also use PowerBI for dashboards
and reports
15. Respond rapidly with built-in orchestration and automation
Automatically or manually respond to an
alert with a collection of procedures
Integrate with triggers and actions across
multiple Microsoft and 3rd party tools and
services
Based on Azure Logic Apps
Examples:
• Automatically create service desk tickets
• Automatically isolate a device if suspicious
behavior detected
17. Proactively hunt for threats across the organization
Built-in queries to guide you in finding new
anomalies that weren’t detected by security
apps, using your existing data
Developed and maintained by Microsoft
security researchers on a continuous basis
Get notified of potential or current threats to
your organization via threat data feeds
Aligns with MITRE ATT&CK
18. Jupyter notebooks to hunt for security threats
Combines full programmability with huge
collection of libraries for machine learning,
visualization and data analysis
Enrich data using external sources such as
threat intelligence, and other network
databases (e.g. VirusTotal, GeoIP,etc)
Automate common investigative steps such
as gathering additional host and network
details, triggering host actions like collecting
an investigative package, or running anti-virus
scans.
Use your own Machine Learning for data
processing and analysis
19. User & Entity Behavior Analytics
Builds baseline behavioral profiles of entities within the
organization
Clear understanding of anomalous activities in context
in comparison of the baseline
Identifies anomalous activity to determine if an asset
has been compromised
Evaluate potential impact (“blast radius”)
Aligned with MITRE ATT&CK
Types of entities include: users, hosts, IPs,files, processes,
URLs, mailboxes, registry keys, domain names, SaaS
apps and more!
20. Out-of-the-box and customizable SOC incident metrics
Workbook template to measure SOC
operational metrics:
• Incidents created over time
• Incidents created by closing classification,
severity, owner, and status
• Mean time to triage
• Mean time to closure
• Incidents created by severity, owner, status,
product, and tactics over time
• Time to triage percentiles
• Time to closure percentiles
• Mean time to triage per owner
• Recent activities
• Recent closing classifications
21. Watchlists (Preview)
Investigating threats and responding to incidents quickly
with the rapid import of IP addresses, file hashes, and
other data. Use in alert rules, threat hunting, workbooks,
notebooks, and general queries
Importing business data as a watchlists. For example,
import user lists with privileged system access, or
terminated employees, and then use the watchlist to
create allow and deny lists used to detect or prevent those
users from logging in to the network
Reducing alert fatigue Create allow lists to suppress alerts
from a group of users, such as users from authorized IP
addresses that perform tasks that would normally trigger
the alert, and prevent benign events from becoming alerts
Enriching event data. Use watchlists to enrich your event
data with name-value combinations derived from external
data sources
Enables collection of data from external data sources for correlation with events in Sentinel
Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
Azure Sentinel is your birds-eye view across the enterprise alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames.
Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
Detect previously undetected threats, and minimize false positives using Microsoft's analytics and unparalleled threat intelligence.
Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cyber security work at Microsoft.
Respond to incidents rapidly with built-in orchestration and automation of common tasks.
Building on the full range of existing Azure services, Azure Sentinel natively incorporates proven foundations, like Log Analytics, and Logic Apps. Azure Sentinel enriches your investigation and detection with AI, and provides Microsoft's threat intelligence stream and enables you to bring your own threat intelligence.
What is Azure Sentinel? | Microsoft Docs
Ownership of data remains with each managed tenant.
Supports requirements to store data within geographical boundaries.
Ensures data isolation, since data for multiple customers isn't stored in the same workspace.
Prevents data exfiltration from the managed tenants, helping to ensure data compliance.
Related costs are charged to each managed tenant, rather than to the managing tenant.
Data from all data sources and data connectors that are integrated with Azure Sentinel (such as Azure AD Activity Logs, Office 365 logs, or Microsoft Threat Protection alerts) will remain within each customer tenant.
Reduces network latency.
Easy to add or remove new subsidiaries or customers.
Manage Azure Sentinel workspaces at scale - Azure Lighthouse | Microsoft Docs
With Azure Sentinel you can aggregate all security data with built-in connectors, native integration of Microsoft signals and support for industry standard log formats. Microsoft 365 customers can import their Office 365 activity data for free to gain deeper insights. We continue to collaborate with many partners in the Microsoft Intelligent Security Association and support easy connectors and customizable dashboards for popular solutions including Palo Alto Networks, F5, Symantec, Fortinet and many more to come . Azure Sentinel is based on Azure Monitor that uses a proven and scalable log analytics database that ingests more than 10 petabytes everyday and provides a very fast query engine that can sort through millions of records in seconds. Azure Sentinel also integrates with Graph Security API to enable customers to import their own threat intelligence feeds.
Connect data sources to Azure Sentinel | Microsoft Docs
SIEM/SOC teams can be inundated with security alerts on a regular basis. The volume of alerts generated is so huge, that available security admins are overwhelmed. This results all too often in situations where many alerts can't be investigated, leaving the organization vulnerable to attacks that go unnoticed.
Many, if not most, of these alerts conform to recurring patterns that can be addressed by specific and defined remediation actions. Azure Sentinel already enables you to define your remediation in playbooks. It is also possible to set real-time automation as part of your playbook definition to enable you to fully automate a defined response to particular security alerts. Using real-time automation, response teams can significantly reduce their workload by fully automating the routine responses to recurring types of alerts, allowing you to concentrate more on unique alerts, analyzing patterns, threat hunting, and more.
Azure Monitor Workbooks Overview - Azure Monitor | Microsoft Docs
Tutorial: Run a playbook in Azure Sentinel | Microsoft Docs
If you're an investigator who wants to be proactive about looking for security threats, Azure Sentinel powerful hunting search and query tools to hunt for security threats across your organization's data sources. But your systems and security appliances generate mountains of data that can be difficult to parse and filter into meaningful events. To help security analysts look proactively for new anomalies that weren't detected by your security apps, Azure Sentinel' built-in hunting queries guide you into asking the right questions to find issues in the data you already have on your network.
For example, one built-in query provides data about the most uncommon processes running on your infrastructure - you wouldn't want an alert about each time they are run, they could be entirely innocent, but you might want to take a look at the query on occasion to see if there's anything unusual.
With Azure Sentinel hunting, you can take advantage of the following capabilities:
Built-in queries: To get you started, a starting page provides preloaded query examples designed to get you started and get you familiar with the tables and the query language. These built-in hunting queries are developed by Microsoft security researchers on a continuous basis, adding new queries, and fine-tuning existing queries to provide you with an entry point to look for new detections and figure out where to start hunting for the beginnings of new attacks.
Powerful query language with IntelliSense: Built on top of a query language that gives you the flexibility you need to take hunting to the next level.
Create your own bookmarks: During the hunting process, you may come across matches or findings, dashboards, or activities that look unusual or suspicious. In order to mark those items so you can come back to them in the future, use the bookmark functionality. Bookmarks let you save items for later, to be used to create an incident for investigation. For more information about bookmarks, see Use bookmarks in hunting.
Use notebooks to automate investigation: Notebooks are like step-by-step playbooks that you can build to walk through the steps of an investigation and hunt. Notebooks encapsulate all the hunting steps in a reusable playbook that can be shared with others in your organization.
Query the stored data: The data is accessible in tables for you to query. For example, you can query process creation, DNS events, and many other event types.
Links to community: Leverage the power of the greater community to find additional queries and data sources.
Hunting capabilities in Azure Sentinel | Microsoft Docs
The foundation of Azure Sentinel is the data store; it combines high-performance querying, dynamic schema, and scales to massive data volumes. The Azure portal and all Azure Sentinel tools use a common API to access this data store. The same API is also available for external tools such as Jupyter notebooks and Python. While many common tasks can be carried out in the portal, Jupyter extends the scope of what you can do with this data. It combines full programmability with a huge collection of libraries for machine learning, visualization, and data analysis. These attributes make Jupyter a compelling tool for security investigation and hunting.
Use notebooks with Azure Sentinel for security hunting | Microsoft Docs
Identifying threats inside your organization and their potential impact - whether a compromised entity or a malicious insider - has always been a time-consuming and labor-intensive process. Sifting through alerts, connecting the dots, and active hunting all add up to massive amounts of time and effort expended with minimal returns, and the possibility of sophisticated threats simply evading discovery. Particularly elusive threats like zero-day, targeted, and advanced persistent threats can be the most dangerous to your organization, making their detection all the more critical.
The UEBA capability in Azure Sentinel eliminates the drudgery from your analysts’ workloads and the uncertainty from their efforts, and delivers high-fidelity, actionable intelligence, so they can focus on investigation and remediation.
As Azure Sentinel collects logs and alerts from all of its connected data sources, it analyzes them and builds baseline behavioral profiles of your organization’s entities (users, hosts, IP addresses, applications etc.) across time and peer group horizon. Using a variety of techniques and machine learning capabilities, Sentinel can then identify anomalous activity and help you determine if an asset has been compromised. Not only that, but it can also figure out the relative sensitivity of particular assets, identify peer groups of assets, and evaluate the potential impact of any given compromised asset (its “blast radius”). Armed with this information, you can effectively prioritize your investigation and incident handling.
Identify advanced threats with User and Entity Behavior Analytics (UEBA) in Azure Sentinel | Microsoft Docs
As a Security Operations Center (SOC) manager, you need to have overall efficiency metrics and measures at your fingertips to gauge the performance of your team. You'll want to see incident operations over time by many different criteria, like severity, MITRE tactics, mean time to triage, mean time to resolve, and more. Azure Sentinel now makes this data available to you with the new SecurityIncident table and schema in Log Analytics and the accompanying Security operations efficiency workbook. You'll be able to visualize your team's performance over time and use this insight to improve efficiency. You can also write and use your own KQL queries against the incident table to create customized workbooks that fit your specific auditing needs and KPIs.
Manage your SOC better with incident metrics in Azure Sentinel | Microsoft Docs
Azure Sentinel watchlists enable the collection of data from external data sources for correlation with the events in your Azure Sentinel environment. Once created, you can use watchlists in your search, detection rules, threat hunting, and response playbooks. Watchlists are stored in your Azure Sentinel workspace as name-value pairs and are cached for optimal query performance and low latency.
Use Azure Sentinel watchlists | Microsoft Docs