▶Book Description
Azure Sentinel is a Security Information and Event Management (SIEM) tool developed by Microsoft to integrate cloud security and artificial intelligence (AI). Azure Sentinel not only helps clients identify security issues in their environment, but also uses automation to help resolve these issues. With this book, you'll implement Azure Sentinel and understand how it can help find security incidents in your environment with integrated artificial intelligence, threat analysis, and built-in and community-driven logic.
This book starts with an introduction to Azure Sentinel and Log Analytics. You'll get to grips with data collection and management, before learning how to create effective Azure Sentinel queries to detect anomalous behaviors and patterns of activity. As you make progress, you'll understand how to develop solutions that automate the responses required to handle security incidents. Finally, you'll grasp the latest developments in security, discover techniques to enhance your cloud security architecture, and explore how you can contribute to the security community.
By the end of this book, you'll have learned how to implement Azure Sentinel to fit your needs and be able to protect your environment from cyber threats and other security issues
▶What You Will Learn
- Understand how to design and build a security operations center
- Discover the key components of a cloud security architecture
- Manage and investigate Azure Sentinel incidents
- Use playbooks to automate incident responses
- Understand how to set up Azure Monitor Log Analytics and Azure Sentinel
- Ingest data into Azure Sentinel from the cloud and on-premises devices
- Perform threat hunting in Azure Sentinel
▶Key Features
- Secure your network, infrastructure, data, and applications on Microsoft Azure effectively
- Integrate artificial intelligence, threat analysis, and automation for optimal security solutions
- Investigate possible security breaches and gather forensic evidence to prevent modern cyber threats
▶Who This Book Is For
This book is for solution architects and system administrators who are responsible for implementing new solutions in their infrastructure. Security analysts who need to monitor and provide immediate security solutions or threat hunters looking to learn how to use Azure Sentinel to investigate possible security breaches and gather forensic evidence will also benefit from this book. Prior experience with cloud security, particularly Azure, is necessary.
▶What this book covers
- Chapter 1, Getting Started with Azure Sentinel, will give an overview of Azure Sentinel, including coverage of the current cloud landscape, the cloud security reference framework, Security Operations Center (SOC) platform components, and how to map the architecture. You will also learn about integrating on-premises infrastructure into Azure Sentinel as well as how Azure Sentinel is priced.
- Chapter 2, Azure Monitor – Log Analytics, will cover Azure Monitor Log Analytics, including planning your Log Analytics instance, how to create a new instance, and how to attach an instance to Azure Sentinel. You will also learn about the advanced settings for Log Analytics and about the Azure Sentinel overview page.
- Chapter 3, Data Collection and Management, will explain how to determine what data you need to ingest into Azure Sentinel and how to connect to various data sources to get that information. You will also learn how to adjust data retention plans and how data retention is priced.
- Chapter 4, Integrating Threat Intelligence, will introduce you to threat intelligence and how to ingest different threat intelligence feeds into Azure Sentinel.
- Chapter 5, Using Kusto Query Language (KQL), will discuss Kusto Query Language (KQL) and will explain out how to write your own queries.
- Chapter 6, Azure Sentinel Logs and Writing Queries, will introduce you to Azure Sentinel’s Logs page and will teach you how to use it to start writing your KQL queries against the data you have ingested.
- Chapter 7, Creating Analytic Rules, will teach you how to create analytic rules that will search for anomalies in your environment. It will discuss analytic rule templates and how you can use them to create your own rules as well as how to create them from scratch.
- Chapter 8, Introducing Workbooks, will cover Azure Sentinel’s workbook page, workbook templates, and how you can create a workbook from a template or from scratch.
- Chapter 9, Incident Management, will explain how to manage incidents that your analytic rules create. You will learn about the incident page, how to view an incident’s full details, and how to start investigating an incident using Azure Sentinel’s Investigate GUI interface.
- Chapter 10, Threat Hunting in Azure Sentinel, will introduce you to Azure Sentinel’s Hunting page, which will allow you to start your threat hunting activities. It will also briefly discuss Azure Notebook, which is Azure’s hosted Jupyter resource. There will also be a discussion of the steps needed to perform your investigation.
- Chapter 11, Creating Playbooks and Logic Apps, will introduce you to Azure Sentinel’s playbooks and explain how they relate to Logic Apps. You will learn about the logic app Azure Sentinel connector and go through a walk-through about creating your own playbook.
- Chapter 12, ServiceNow Integration, will provide an introduction to Information Technology Service Management (ITSM), the ServiceNow application, and how to create a simple Azure Sentinel playbook to create a new ticket in ServiceNow using information from your Azure Sentinel incident.
- Chapter 13, Operational Tasks for Azure Sentinel, will cover the steps needed to keep your Azure Sentinel instance running smoothly. The steps will be broken up between your SOC analytics and your SOC engineers, as each have different aspects of Azure Sentinel that they will be responsible for.
- Chapter 14, Constant Learning and Community Contributions, contains a list of various places you can go to continuing learning about Azure Sentinel and its supporting resources, including Logic Apps, Jupyter Notebook, KQL, and Fusion.
