Connectors

• Microsoft Sentinel comes with several data connectors for Microsoft and non-Microsoft products to help get your data onboarded
• These data connectors are available out of the box and provide real-time integration

Built-in connectors

• Azure AD
• Azure Firewall logs
• Application Gateway WAF logs
• Microsoft Defender for Cloud
• Microsoft 365 sources
• Microsoft 365 Defender
• Complete list:

Connectors for non-Microsoft solutions

• Common Event Format (CEF)
• Syslog
• REST-API

Analytics

• The Analytics blade is where detection engineers can craft and enable analytics rules, either out-of-the-box or customized
• Analytics helps you detect, investigate, and remediate cybersecurity threats
• Microsoft Sentinel Analytics to set up analytics rules and queries to detect issues in your environment

Analytics Rule

• Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached
• Analytics rules provide alerts that point to relevant SOC actions via incidents
• Rule logic is implemented as KQL query
• Analytics rule runs on data and detect threats
• Analytics rule creates incidents based on alerts generated in another Microsoft security service
• Discovers threats and anomalous behaviors that are present in the environment
• By using analytics rules, you can trigger alerts based on the attack techniques that are used by known malicious actors

Alert

• Alerts are generated by a particular analytics rule
  • Runs underlaying KQL query on data in log analytics workspace
  • If matched, creates alert (logs threat as alert)
• When an analytics rule is matched, an alert is generated

Incident

• Incidents are groups of related alerts that together create an actionable possible-threat that you can investigate and resolve
• Microsoft Sentinel incidents are containers of threats in your organization – alerts, entities and any additional related evidence
• An incident is created based on alerts that you have defined in the security analytics page. The properties related to the alerts, such as severity and status are set at the incident level
• Incidents are automatically created as a result of alerts triggered based on detections defined in “Security analytics”

Automation rule

• Automation rules allow users to centrally manage the automation of incident handling, simplifying complex workflows for incident orchestration processes
• Automation rules allow you to centrally manage all the automation of incident handling
• Automation rules are triggered by the creation of incidents
• Automation rules streamline automation use in Microsoft Sentinel and enable you to simplify complex workflows for your incident orchestration processes
• The mechanism by which we can run playbooks in response to incidents
• By using analytics rules, you can trigger alerts based on the attack techniques that are used by known malicious actors
• Types of analytics rules:
  • Anomaly
  • Fusion
  • Microsoft security
  • Machine learning (ML) behavior analytics
  • Scheduled alerts

Playbook

• Based on workflows built in Azure Logic Apps
• Used to automate incident response (immediately respond to threats, with minimal human dependencies)
• Playbooks are collections of procedures that can be run from Microsoft Sentinel in response to an alert or incident
• A playbook is a collection of remediation actions that can be run as a routine
• A playbook can help automate and orchestrate threat response
• It can be run manually or set to run automatically in response to specific alerts or incidents
• Can ne triggered by an analytics rule or an automation rule

A business playbook contains all the pieces and parts that make up company’s go-to approach for getting things done. A playbook includes process workflows, standard operating procedures, and cultural values that shape a consistent response - the play

Automated Response

• Setting automated response means that every time an analytics rule is triggered, in addition to creating an alert, the rule will run a playbook, which will receive as an input the alert created by the rule
• If the alert creates an incident, the incident will trigger an automation rule which may in turn run a playbook, which will receive as an input the incident created by the alert

Workbooks

• Workbook is Azure Monitor component which is basically interactive report
  • Workbooks are displayed differently in Microsoft Sentinel
  • Comes with built-in workbook templates
• Workbooks are best used for high-level views of Microsoft Sentinel data

Notebooks

• Jupyter notebooks in Azure Machine Learning workspaces
• Notebooks are used to extend the scope of what we can do with Microsoft Sentinel data
• Sentinel notebooks are intended for threat hunters or Tier 2-3 analysts, incident investigators, data scientists, and security researchers
• Best for more complex chains of repeatable tasks, ad-hoc procedural controls, machine learning and custom analysis
• Jupyter notebooks allow us to supercharge your threat hunting by enabling documents that contain live code, equations, visualizations and narrative text through markdown that can be used to codify your hunts and investigations

Hunting Queries

• Hunting queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel
• To proactively hunt for security threats
• It provides built-in and customized hunting queries to identify anomalous activities in your environment
• Hunting queries use KQL and are sourced from the Microsoft Sentinel Community Github

Content Hub and Solution

Content Hub

• To centrally discover, install, enable and manage out-of-the-box content and solutions for Microsoft Sentinel
• Microsoft Sentinel content is Security Information and Event Management (SIEM) content that enables customers to ingest data, monitor, alert, hunt, investigate, respond, and connect with different products, platforms, and services in Microsoft Sentinel
• Microsoft Sentinel solutions are packages of Microsoft Sentinel content or Microsoft Sentinel API integrations, which fulfill an end-to-end product, domain, or industry vertical scenario in Microsoft Sentinel
• Content hub provides centralized discoverability, single-step deployment, and enablement of end-to-end product, domain, and/or vertical out-of-the-box solutions and content in Microsoft Sentinel

Solution:

• Microsoft Sentinel solutions are packaged content or integrations that deliver end-to-end product value for one or more domain or vertical scenarios
• Microsoft Sentinel solutions are packages of Microsoft Sentinel content or Microsoft Sentinel API integrations, which fulfill an end-to-end product, domain, or industry vertical scenario in Microsoft Sentinel.

See: https://docs.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog

Repositories

• Sentinel Repositories helps us automatically deploy and manage Microsoft Sentinel content that’s stored in your central repositories, outside of Microsoft Sentinel
• Connect your GitHub or Azure DevOps content repositories by selecting “Add new” and following the steps in the connection creation page

Threat intelligence

• The Threat Intelligence Research Blade enables Tier 2 and Tier 3 SOC personnel to curate their cyber threat intelligence (CTI) within Azure Sentinel through tagging existing data as well as generating new CTI directly inside of Sentinel*
• This feature fully supports the STIX open standard format and provides a rich view, filter, sort, and update user interface, allowing SOC analysts to assess CTI performance in a single view

Entity behavior

• Search for account and host entities
• Search results include all known entities from the data sources
• Select an entity from among the search results to see its full details
• Search compares your input string against Azure Active Directory and security alert log entries for users, and against Log Analytic Agent logs and security alert log entries for hosts.