Use a bookmark to share an event with others. While hunting, create bookmarks to return to interesting events later. Then, surface those insights as alerts to your security incident responders. Create custom detection rules based on your hunting query. Use Microsoft Sentinel's powerful hunting search-and-query tools, based on the MITRE framework, which enable you to proactively hunt for security threats across your organization’s data sources, before an alert is triggered. Hunt for security threats by using built-in queries You can choose an entity on the interactive graph to ask interesting questions for a specific entity, and drill down into that entity and its connections to get to the root cause of the threat. Microsoft Sentinel deep investigation tools help you to understand the scope and find the root cause of a potential security threat. Investigate the scope and root cause of security threats Playbooks aren't suitable for ad-hoc or complex task chains, or for documenting and sharing evidence. Playbooks work best with single, repeatable tasks, and don't require coding knowledge. Playbooks are intended for SOC engineers and analysts of all tiers, to automate and simplify tasks, including data ingestion, enrichment, investigation, and remediation. These connectors allow you to apply any custom logic in your workflow, for example:įor example, if you use the ServiceNow ticketing system, use Azure Logic Apps to automate your workflows and open a ticket in ServiceNow each time a particular alert or incident is generated. To build playbooks with Azure Logic Apps, you can choose from a constantly expanding gallery with many hundreds of connectors for various services and systems. Microsoft Sentinel's automation and orchestration solution provides a highly extensible architecture that enables scalable automation as new technologies and threats emerge. These analytics connect the dots, by combining low fidelity alerts about different entities into potential high-fidelity security incidents.Īutomate and orchestrate common tasks by using playbooksĪutomate your common tasks and simplify security orchestration with playbooks that integrate with Azure services and your existing tools. Microsoft Sentinel also provides machine learning rules to map your network behavior and then look for anomalies across your resources. Use the built-in correlation rules as-is, or use them as a starting point to build your own. Incidents are groups of related alerts that together indicate an actionable possible-threat that you can investigate and resolve. To help you reduce noise and minimize the number of alerts you have to review and investigate, Microsoft Sentinel uses analytics to correlate alerts into incidents. Correlate alerts into incidents by using analytics rules But you can't integrate workbooks with external data. Workbooks are best used for high-level views of Microsoft Sentinel data, and don't require coding knowledge. Workbooks are intended for SOC engineers and analysts of all tiers to visualize data. Microsoft Sentinel also comes with built-in workbook templates to allow you to quickly gain insights across your data as soon as you connect a data source. Microsoft Sentinel allows you to create custom workbooks across your data. But it may be useful for you to see how to create a workbook in Azure Monitor. Workbooks display differently in Microsoft Sentinel than in Azure Monitor. You can also use common event format, Syslog, or REST-API to connect your data sources with Microsoft Sentinel.įor more information, see Find your data connector.Ĭreate interactive reports by using workbooksĪfter you onboard to Microsoft Sentinel, monitor your data by using the integration with Azure Monitor workbooks. Microsoft Sentinel has built-in connectors to the broader security and applications ecosystems for non-Microsoft solutions. Azure service sources like Azure Active Directory, Azure Activity, Azure Storage, Azure Key Vault, Azure Kubernetes service, and more.Microsoft sources like Microsoft 365 Defender, Microsoft Defender for Cloud, Office 365, Microsoft Defender for IoT, and more.Microsoft Sentinel comes with many connectors for Microsoft solutions that are available out of the box and provide real-time integration. To on-board Microsoft Sentinel, you first need to connect to your data sources. This service supports Azure Lighthouse, which lets service providers sign in to their own tenant to manage subscriptions and resource groups that customers have delegated.
0 Comments
Leave a Reply. |