Ninja Cat Giveaway: Episode 3 | Sentinel integration

For me the best part is the automation rules and playbooks.

UEBA is User and Entity Behavior Analytics 😁👍

First of all, it was a great presentation even for me who's been working with Sentinel for a couple of years.

I really liked the MITRE ATT&CK heat map. That's a great addition to the service so we can see where our gaps are.

UEBA is User and Entity Behaviour Analytics.

And I was the one who replied to you on LinkedIn mentioning that a dog person giving away cats for free 😉 Since the Ninja cat was chased by a dog at 18:27 I'd like to adopt one to keep it safe from harm. And as you can see on my avatar, I need a sidekick on our superhero endeavours fighting cybercrime and annoying antagonists on a daily-basis.

One of my favorite features presented by Javier in the video was the threat-hunting module in Microsoft Sentinel which enables security analysts to proactively search for security threats within an organization's IT environment. 

I find the threat-hunting module a powerful tool that allows organizations to proactively detect and respond to potential threats before they escalate into more serious security incidents.

UEBA stands for User and Entity Behavior Analytics. It is a type of cybersecurity technology that uses machine learning algorithms to analyze and identify anomalous behavior patterns in users and entities accessing a computer network. The goal is to detect potential insider threats or external attacks that may be missed by traditional security measures.

HeikeRitter 

Hello Heike, great show!  Thank you for having Javier on.

EBA == User and Entity Behavior Analytics
UEBA uses Artificial Intelligence (AI) and Machine Learning (ML) algorithms used to
establish a user and entity baselines and then monitor/identify anomalies, impossible travel,
and/or any other inconsistent behaviors from established baselines. Originated from FinTech as a means to minimize credit card fraud.

SOAR == Security, Orchestration, Automation, and Response is needed as SOC analysts have to do more with less. SOAR can also reduce alert fatigue in Analysts by handling common activities / alert and when a certain threshold is exceeded, alert the SOC Analyst to events they should really focus on. This is a critical capability.

One of my favorite features of Sentinel is the Fusion Analytic correlation engine that uses 10's of trillions of signals (daily) with AI/ML to produce low noise, high fidelity alerts. This dynamic content feeding Sentinel raises the bar from static on-premises manual processes into a continuous cloud powered platform!

I particularly like how Sentinel can bring in visibility from other Defender Security solutions, cloud providers, on-premises infrastructure via Azure Arc and provide dashboards with dynamic displays in a single pane of glass. I also like how Kusto Query Langauge (KQL) can be used in M365 Defender, Sentinel, Log Analytics, and Azure Data Explorer. One common language used to deeply explore, enrich, and correlate information across various Azure security solutions (MDE,MDI,MDC,MDO, etc).

Lastly the automation demonstration through logic apps and the Microsoft 365 Defender connector in Sentinel was great!  This cross-functional integration of telemetry woven into and through the Azure security solution stack is impressive and very useful when it comes to event/alert enrichment, correlation, thus illuminating the operational environment folks are responsible for defending.