AzureFunBytes Episode 64 – Building SOC Efficiency with @Azure Sentinel with @rodtrent
AzureFunBytes is a weekly opportunity to learn more about the fundamentals and foundations that make up Azure. It’s a chance for me to understand more about what people across the Azure organization do and how they do it. Every week we get together at 11 AM Pacific on Microsoft LearnTV and learn more about Azure.
It’s been a few weeks but AzureFunBytes is back with a new episode all about mitigating risk in the cloud by using tools provided by Azure. If you’re currently deploying workloads in the cloud, how they handle potential intrusions and attacks is crucial. By preventing these security incidents you can build trust with those who may access your applications and IT solutions.
Microsoft documentation defines the role of the security operation teams (also known as Security Operations Center (SOC), or SecOps) is to detect, prioritize, and triage potential attacks. The central SecOps team monitors and analyses security-related telemetry data. Any communication, investigation, or hunting actions must be coordinated with the application team.
This week we’ll investigate the use cases for implementing the first cloud-native Security and Event Management service (SIEM) Microsoft Sentinel. Microsoft Sentinel includes a number of connectors for Microsoft solutions that are ready to use and provide real-time integration, such as Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions and Microsoft 365 sources such as Office 365, Azure AD, Microsoft Defender for Identity (formerly Azure ATP), and Microsoft Defender for Cloud Apps, among others. There are also built-in interfaces for non-Microsoft security solutions to the broader security ecosystem. You can also link your data sources to Microsoft Sentinel using common event formats, Syslog, or REST-API.
Microsoft Sentinel exists today, in part, because of the gaps in existing tools that were identified as Microsoft began its own journey to the cloud. One of those gaps is around efficiency and scale. In this session, we’ll talk about how Microsoft Sentinel was intentionally and mindfully developed to allow security teams to do more things more quickly without a drain on resources.
With Sentinel we can:
- Collect data at cloud scale
- Detect threats
- Investigate threats
- Respond to incidents
To help me with my journey into deploying Microsoft Sentinel I’ll be joined by Microsoft Senior Cloud Security Advocate Rod Trent this week to see how we can build SOC efficiency with Microsoft Sentinel. Rod will help me better understand how Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise
00:00:00 – Intro
00:03:15 – Welcome back to AzureFunBytes
00:05:15 – Let’s meet Rod Trent
00:06:16 – So how’d you get here?
00:08:52 – Four pillars of Microsoft Sentinel
00:11:43 – How does our SOC fit in?
00:13:34 – Let’s learn about Microsoft Sentinel
00:21:09 – SLAs
00:22:10 – Daily Must-do’s
00:23:50 – Current SOC Efficiency Hunt Complaints
00:26:14 – A look at what’s in the demo
00:28:27 – Can Microsoft Sentinel integrate with other Microsoft security tools?
00:30:40 – Does Microsoft Sentinel only work with Microsoft products and clouds?
00:32:42 – What can be automated in Microsoft Sentinel?
00:37:02 – Demo time!
00:51:16 – Must Learn KQL
Our agenda includes:
- Azure Sentinel is the Tofu tool for monitoring security for the entire environment.
- Azure Sentinel is the sluice box of the Microsoft security platform.
- Azure Sentinel is the Cyclorama for the connected entities.
About Rod Trent:
Rod Trent is a Senior Cloud Security Advocate for Microsoft and an Azure Sentinel global SME helping customers migrate from existing SIEMs to #AzureSentinel to achieve the promise of better security through improved efficiency without compromise. He is a husband, dad, and first-time grandfather (so speak slow and loud). He spends his spare time (if such a thing does truly exist) simultaneously watching Six Million Dollar Man TV show episodes and writing KQL queries.
Learn about Azure fundamentals with me!
Live stream is normally found on Twitch, YouTube, and LearnTV at 11 AM PT / 2 PM ET Thursday. You can also find the recordings here as well:
AzureFunBytes on Twitch
AzureFunBytes on YouTube
Azure DevOps YouTube Channel
Follow AzureFunBytes on Twitter
Get $200 in free Azure Credit
Microsoft Learn: Introduction to Azure fundamentals
Security Operations in Azure
Microsoft Sentinel Overview
What is Microsoft Sentinel?
Microsoft Learn: Introduction to Microsoft Sentinel
Microsoft Learn: SC-200: Configure your Microsoft Sentinel environment
Pre-deployment activities and prerequisites for deploying Microsoft Sentinel
Quickstart: On-board Microsoft Sentinel
Best practices for Microsoft Sentinel
Tutorial: Use playbooks with automation rules in Microsoft Sentinel
Tutorial: Create a Power BI report from Microsoft Sentinel data
Forrester: The Total Economic Impact™ Of Microsoft Azure Sentinel
Weekly Microsoft Sentinel newsletter
Microsoft Sentinel community on LinkedIn
Microsoft Sentinel product blog
Rod Trent’s blog
Happy Friday everyone. Let’s wrap up January with some great community posts about pipelines and organization moves!
For those that missed it or had to walk away to do actual work during the event, here’s the Building SOC Efficiency with Microsoft Sentinel talk for AzureFunBytes.
One of these days, I’d love to complete this talk. It really deserves 3-4 hours instead of the 1 hour allotted for this event. But it was still enormously fun. I want to thank all those involved with AzureFunBytes, the LearnTV crew, and a big thanks to Jay Gordon for the opportunity to talk about some of my favorite things.
Happy Friday, may your deploys go as planned and your weekend be fun!