Professional Documents
Culture Documents
Cloud-Native SIEM:
Quick Start Guide to
Azure Sentinel
September Cloud-Native SIEM: Quick Start Guide to 02
2019 Azure Sentinel
05 / 10 Step 2
Connect your data
12 Step 3
Why Azure
Use overview dashboard
Sentinel? and workbooks to get
visibility across enterprise
16 Step 4
08 / Detect threats
19 Step 5
Getting started with Investigate incidents
Azure Sentinel 23 Step 6
09 Step 1 Respond to threats
Access Azure Sentinel 25 Step 7
Hunt for threats
01 /
Why Azure
Sentinel?
September Cloud-Native SIEM: Quick Start Guide to 06
2019 Azure Sentinel
offers tools for all reduce false positives and alert fatigue by
up to 90 percent and can detect complex,
Free storage and analysis for Office 365 Log Analytics uses Kusto query language
data: To help you maximize security (KQL), a rich language designed to be
effectiveness across your enterprise, Azure easy to read and author. It allows you to
Sentinel empowers you to bring in data join data from multiple tables, aggregate
from Microsoft Office 365 for analysis and large sets of data, and perform complex
retain it for free, all in just a few clicks. operations with minimal code. Virtually
any question can be answered quickly
Build on Microsoft’s investment: In and analysis performed as long as the
security, knowledge is power. With Azure supporting data has been collected.
Sentinel, you gain the power of Microsoft’s
decades of experience managing security at Meeting the needs of security roles
a massive global scale. Microsoft solutions
Azure Sentinel offers tools for all members
share insights gained from unparalleled
of your security team. For example, security
threat intelligence that is informed from
operations professionals can get alerts,
analyzing trillions of signals every day. Our
investigate incidents, and remediate using
security experts support proactive threat
automated tools. Security analysts and
hunting with prebuilt queries based on
researchers employ its easy-to-learn query
years of security experience.
language for proactive threat hunting.
Decision makers instantly view data across
The role of Log Analytics
the enterprise using interactive dashboards.
Azure Sentinel is built on the highly scalable, Each toolset saves time and helps people
high performance Azure Monitor Log contribute maximum value in their roles.
Analytics platform. Log Analytics is a proven
analytics platform designed to store and
analyze massive amounts of data in seconds.
September Cloud-Native SIEM: Quick Start Guide to 08
2019 Azure Sentinel
02 /
Click the row for the data source you wish to connect.
After you have clicked Open connector, you will see the configuration
steps for connecting the data source you selected.
September Cloud-Native SIEM: Quick Start Guide to 12
2019 Azure Sentinel
The Overview dashboard provides insight into the security status of your workspace.
Use built-in Workbook templates Click the row for the template source
to get interactive dashboards for you wish to view, make sure you have
specific data sources the relevant data types, and click View
workbook to see the template.
For additional visibility on specific data
sources, you can use built-in templates. If you’re using Azure AD, we recommend
These Workbooks provide contextual that you view the following dashboards:
insights for the data collected and analyzed
• Azure AD sign-ins analyzes sign-ins
from specific sources, including information
over time to see if there are anomalies.
on data collected from Office 365, Azure
Active Directory, Palo Alto Networks, • Azure AD audit logs analyzes admin
Symantec, AWS, and many other sources. activities, such as changes in users,
group creation, and modifications.
In the Azure Sentinel menu under Threat
2. Under the My workbooks tab, you will
management select Workbooks.
be able to see the workbooks that you
have saved or created.
1. You can see the built-in dashboard
templates under the Templates tab.
September Cloud-Native SIEM: Quick Start Guide to 14
2019 Azure Sentinel
Each workbook provides contextual insights for data collected and analyzed from specific sources.
September Cloud-Native SIEM: Quick Start Guide to 15
2019 Azure Sentinel
Get custom views and insights Create a new workbook to get a customized
across different data sources dashboard:
See how many incidents you have, how many are open, how many
you’ve set to In progress, and how many are closed in one view.
September Cloud-Native SIEM: Quick Start Guide to 20
2019 Azure Sentinel
Investigating an incident using the 3. In the Alerts tab, review the alert itself—
Investigation Graph when it was triggered and by how much
it exceeded the thresholds you set. You
1. To begin an investigation, click on a
can see all relevant information about
specific incident. On the right, you can
the alert—the query that triggered the
see detailed information for the incident
alert, the number of results returned per
including its severity and a summary of
query, and the ability to run playbooks
the number of entities involved (based
on the alerts. To drill down even further
on your mapping). Each incident has a
into the incident, click on the number
unique ID. The severity of the incident
of events. This opens the query that
is determined according to the most
generated the results and the results
severe alert included in the incident.
that triggered the alert in Log Analytics.
2. To view more details about the alerts
4. In the Entities tab, you can see all the
and entities in the incident, click on View
entities that you mapped as part of the
full details on the incident page and
alert rule definition.
review the relevant tabs that summarize
the incident information. Full incident 5. If you’re actively investigating an incident,
view consolidates all evidence in the it’s a good idea to set the incident status
alert, the associated alerts, and entities. to In progress until you close it.
7. Click Investigate to view the investigation insights and connections on the entities
graph tool. The investigation graph helps extracted from your alerts. It will then
you understand the scope and identify surface those connections in the live
the root cause of a potential security investigation graph. You can dive deeper
threat by correlating relevant data with and investigate any entity presented in
any involved entity. Azure Sentinel the graph by clicking on it and choosing
analyzes your raw data to find additional between different expansion options.
September Cloud-Native SIEM: Quick Start Guide to 22
2019 Azure Sentinel
8. Select each entity to open the Entities can select the option to open the results
pane so you can review each entity. in Log Analytics to see the raw data
for the incidents. The graph provides
9. Expand your investigation by hovering
you with a list of connections that you
over each entity to reveal a list of
might not have known about, enabling
questions that was designed by our
you to reach full scope of the breach. It
security experts and analysts per entity
also gives you a timeline parallel to the
type to deepen your investigation. For
graph. You can hover over the timeline
example, on a computer you can request
to see which things on the graph
related alerts. The related alerts are
occurred at what point in time.
added to the graph. For each entity, you
Dive deeper into the data to investigate the full scope of a breach.
September Cloud-Native SIEM: Quick Start Guide to 23
2019 Azure Sentinel
6. From here you can either build a new 1. Choose the alert for which you want to
playbook or edit the template. Learn automate the response.
more about creating a playbook with
2. From the Azure Sentinel workspace navigation
Logic Apps.
menu, select Analytics.
Using real-time automation, response 4. In the Edit alert rule page, under the
teams can significantly reduce their Automate responses tab, choose the
workload by fully automating routine Triggered playbook you want to run when
responses to recurring types of alerts. Note this alert rule is matched.
that this requires setting the playbook
5. Select Next: Review.
trigger to Azure Sentinel.
Azure Sentinel’s
built-in hunting
queries guide
you into asking
the right
questions to
find issues in
the data you
already have on
your network.
September Cloud-Native SIEM: Quick Start Guide to 28
2019 Azure Sentinel