Microsoft Sentinel - a cloud-native SIEM & SOAR
Knowledge Sharing Session
By
Kranthi Aragonda
Privileged & Confidential |©2022, Network Intelligence. All Rights Reserved
Agenda:
• What is SOAR
• Important SOAR capabilities
• Benefits & Drawbacks
• SIEM vs SOAR
• Microsoft Sentinel
• Data Connectors
• Workbooks
• Analytics
• Security automation & orchestration
• Investigation
• Hunting
• Notebooks
• Resources & Certifications.
What is SOAR
• SOAR is a stack of compatible software programs that enables an organization to collect data about security threats and respond to
security events with little or no human assistance. SOAR platforms have three main components: security orchestration, security
automation and security response.
• The goal of using a SOAR platform is to improve the efficiency of physical and digital security operations.
Important SOAR capabilities
• Security incident response platforms, which include capabilities such as vulnerability management, case management, incident
management, workflows, incident knowledge base, auditing and logging capabilities, reporting and more;
• Security orchestration and automation, which include integrations, workflow automation, playbooks, playbook management, data
gathering, log analysis and account lifecycle management; and
• Threat intelligence platforms, which include threat intelligence aggregation, analysis and distribution, alert context enrichment and
threat intelligence visualization.
Benefits & drawbacks of SOAR tool
• SOAR is not a replacement for other security tools, but rather a complementary technology. SOAR platforms are also not a
replacement for human analysts; they augment analysts' skills and workflows for more effective incident detection and response.
Benefits:
• Faster incident detection.
• Better threat context.
• Simplified management.
• Higher analyst productivity.
Drawbacks:
• It does not remediate weaknesses in the broader security strategy; automating a poor process only runs it faster.
• Conflated expectations about what the tool will deliver on its own.
• Deployment and management complexity.
• Lack of, or limited, metrics to show what the automation actually achieves.
SIEM vs SOAR
SIEM:
• SIEM systems collect data, identify deviations, rank threats and generate alerts.
• A SIEM only alerts security analysts to a potential event; acting on the alert is left to the analyst.
SOAR:
• SOAR systems also handle these tasks but have additional capabilities.
• First, SOAR platforms integrate with a wider range of internal and external applications, both security and non-security.
• Second, SOAR platforms use automation, AI and machine learning to provide greater context and automated responses to those
threats.
Microsoft Sentinel
• Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration,
automation and response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across
the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting and threat response.
• Collect data at cloud scale across all users, devices, applications and infrastructure, both on-premises and in multiple clouds.
• Respond to incidents rapidly with built-in orchestration and automation of common tasks.
• Detect previously undetected threats and minimize false positives using Microsoft's analytics and threat intelligence.
• Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cyber security
work at Microsoft.
Data Connectors
• Microsoft Sentinel comes with built-in connectors for Microsoft solutions that provide real-time integration, including the
Microsoft 365 Defender products and Microsoft 365 sources such as Office 365, Azure AD, Microsoft Defender for Identity and
Microsoft Defender for Cloud Apps.
• In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. Sources without a
dedicated connector can be connected through Common Event Format (CEF), Syslog or the REST API. Each connector writes into its
own Log Analytics table (for example SigninLogs, SecurityEvent, Syslog, CommonSecurityLog), which is what analytics rules, hunting
queries and workbooks later query.
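An added example, not from the original slides: once connectors are wired up, the first thing a practitioner checks is whether each source is actually delivering data. The KQL below, run in the Microsoft Sentinel Logs blade, lists the tables you expect next to what has arrived and flags any source that has gone quiet. The table-to-connector mapping in the datatable and the one-hour staleness cut-off are assumptions for illustration; adjust both to the connectors you have enabled.

```kql
// Added example: connector ingestion health check.
// 'expected' is a constructed list of tables and the connectors assumed to fill them.
let stale_after = 1h;   // assumed: flag a source with no events in the last hour
let expected = datatable(SourceTable:string, Connector:string)
[
    "SigninLogs",        "Azure Active Directory",
    "AuditLogs",         "Azure Active Directory",
    "SecurityAlert",     "Microsoft 365 Defender / Defender for Cloud",
    "SecurityEvent",     "Windows Security Events",
    "Syslog",            "Syslog",
    "CommonSecurityLog", "Common Event Format (CEF)"
];
// withsource= stamps every row with the name of the table it came from
let observed = union withsource = SourceTable
    SigninLogs, AuditLogs, SecurityAlert, SecurityEvent, Syslog, CommonSecurityLog
| where TimeGenerated > ago(7d)
| summarize LastEvent     = max(TimeGenerated),
            EventsLast24h = countif(TimeGenerated > ago(1d)),
            EventsLast7d  = count()
    by SourceTable;
// leftouter keeps expected tables that produced nothing at all in the last 7 days
expected
| join kind=leftouter observed on SourceTable
| project-away SourceTable1
| extend Status = case(
    isnull(LastEvent),            "no data in 7d",
    LastEvent < ago(stale_after), "stale",
                                  "healthy")
| order by Status asc, LastEvent asc
```

A table that shows "no data in 7d" usually means the connector was enabled but the agent, forwarder or API permission behind it is not working; "stale" on a normally busy source is worth an alert in its own right, because a silent log source is also what an attacker who has tampered with logging looks like.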
Workbooks
• We can monitor the data using the Microsoft Sentinel integration with Azure Monitor Workbooks, which provides versatility in
creating custom workbooks.
• Microsoft Sentinel Workbooks allow security analysts and admins to view security data about their environment using graphical
displays built from the same KQL queries used in Logs.
Analytics
• Microsoft Sentinel uses analytics rules to turn ingested data into alerts and then correlates related alerts into incidents.
An incident is a group of related alerts that together form an actionable possible threat that you can investigate and resolve.
• Detect previously undetected threats and minimize false positives using Microsoft's analytics and threat intelligence.
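An added example, not from the original slides: a scheduled analytics rule query that fires when an account sees a burst of failed sign-ins from one IP address and then a successful sign-in from that same IP within the rule period. It assumes SigninLogs is being ingested through the Azure AD connector; the one-hour window and the failure threshold are assumptions to tune per tenant.

```kql
// Added example: scheduled analytics rule, brute force that ended in a successful sign-in.
// In the rule wizard set Query period = 1h, Query frequency = 1h, trigger when results > 0.
let period = 1h;
let failure_threshold = 10;   // assumed; tune against the tenant's normal failure rate
let failures = SigninLogs
    | where TimeGenerated > ago(period)
    | where ResultType in ("50126", "50053")   // 50126 = invalid password, 50053 = account locked
    | summarize FailedCount  = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure  = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where FailedCount >= failure_threshold;
let successes = SigninLogs
    | where TimeGenerated > ago(period)
    | where ResultType == "0"                  // 0 = successful sign-in
    | project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress,
              AppDisplayName, Location, UserAgent;
failures
| join kind=inner successes on UserPrincipalName, IPAddress
| where SuccessTime > LastFailure              // the success must come after the failures
| project TimeGenerated = SuccessTime, UserPrincipalName, IPAddress, Location,
          AppDisplayName, UserAgent, FailedCount, FirstFailure, LastFailure
```

In the rule wizard, map the Account entity to UserPrincipalName and the IP entity to IPAddress; that mapping is what lets Sentinel draw the account and the source IP on the investigation graph and group later alerts for the same account into the existing incident rather than opening a new one. Tag the rule with the Credential Access tactic and technique T1110 (Brute Force) so incidents carry the MITRE context the hunting and workbook views use.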
Security automation & orchestration
• Automate common tasks and simplify security orchestration with playbooks, built on Azure Logic Apps, that integrate with Azure
services and existing tools.
• Playbooks are intended for SOC engineers and analysts of all tiers, to automate and simplify tasks including data ingestion,
enrichment, investigation and remediation. A playbook is triggered by an automation rule when an incident or alert is created,
or run manually by an analyst from the incident.
Sample Playbook
Investigation
Microsoft Sentinel's deep investigation tools help you understand the scope of a potential security threat and find its root cause.
You can choose an entity (an account, host, IP address or similar) on the interactive graph to ask questions about that specific
entity, and drill down into it and its connections to get to the root cause of the threat.
Hunting
• Microsoft Sentinel's hunting search-and-query tools, organised around the MITRE ATT&CK framework, let you proactively hunt for
security threats across the organization's data sources before an alert is triggered.
• Once a hunting query proves to give high-value insight into possible attacks, you can create a custom detection rule based on it
and surface those insights as alerts to security incident responders.
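An added example, not from the original slides, of the hunt-then-promote workflow described above: a hunting query that surfaces successful sign-ins from a country an account has never signed in from during a baseline window. It assumes SigninLogs via the Azure AD connector; the 14-day baseline and 1-day hunting window are assumptions.

```kql
// Added example: hunting query, first sign-in from a new country per account.
// Assumes SigninLogs; Location holds the two-letter country code of the sign-in.
let baseline = 14d;   // assumed: how far back to learn an account's normal countries
let recent   = 1d;    // assumed: the window being hunted
let known_locations = SigninLogs
    | where TimeGenerated between (ago(baseline) .. ago(recent))
    | where ResultType == "0"
    | summarize by UserPrincipalName, Location;
SigninLogs
| where TimeGenerated > ago(recent)
| where ResultType == "0"
// leftanti keeps only (account, country) pairs absent from the baseline
| join kind=leftanti known_locations on UserPrincipalName, Location
| summarize FirstSeen = min(TimeGenerated),
            SignIns   = count(),
            SourceIPs = make_set(IPAddress, 10),
            Apps      = make_set(AppDisplayName, 10)
    by UserPrincipalName, Location
| order by FirstSeen desc
```

Accounts created inside the hunting window have no baseline and will appear on the first run; that is the kind of noise to weigh before promoting the query. When it earns its keep, use "Create analytics rule" from the hunting blade, keep the same entity mappings (Account to UserPrincipalName, IP to IPAddress) and tag it with T1078 (Valid Accounts) so the resulting incidents carry the technique.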
Notebooks
• Microsoft Sentinel notebooks (Jupyter notebooks run in Azure Machine Learning) are intended for threat hunters, Tier 2-3
analysts, incident investigators, data scientists and security researchers.
• Notebooks can query both Microsoft Sentinel and external data, and provide features for data enrichment, investigation,
visualization, hunting, machine learning and big data analytics.
• Notebooks have a steeper learning curve, require coding knowledge and have limited automation support.
Resources & Certifications
• Microsoft Sentinel documentation
• SC-900: Microsoft Security, Compliance, and Identity Fundamentals
• SC-200: Microsoft Security Operations Analyst
• Microsoft Sentinel Ninja: The complete level 400 training
NEW YORK | DUBAI | MUMBAI | PUNE | DELHI | BENGALURU | SINGAPORE