(Last updated April 20th 2021)
In this blog post, I try to walk you through Azure Sentinel level 400 training and help you become an Azure Sentinel master.
Already did the Ninja Training? check what's new.
This training program includes 16 modules. The post includes a presentation for each module, preferably recorded (when still not, we are working on the recording) and supporting information: relevant product documentation, blog posts, and other resources.
The modules listed below are split into five groups following the life cycle of a SOC:
- Module 0: Other learning and support options
- Module 1: Get started with Azure Sentinel
- Module 2: How is Azure Sentinel used?
- Module 3: Workspace and tenant architecture
- Module 4: Data collection
- Module 5: Log Management
- Module 6: Enrichment: TI, Watchlists, and more
- Modele X: Migration
- Module 7: The Kusto Query Language (KQL)
- Module 8: Analytics
- Module 9: SOAR
- Module 10: Workbooks, reporting, and visualization
- Module Y: Notebooks
- Module 11: Use cases and solutions
- Module 12: A day in a SOC analyst's life, incident management, and investigation
- Module 13: Hunting
- Module 14: User and Entity Behavior Analytics (UEBA)
- Module 15: Monitoring Azure Sentinel's health
- Module 16: Extending and Integrating using Azure Sentinel APIs
- Module 17: Bring your own ML
The Ninja training is a level 400 training. If you don't want to go as deep or have a specific issue, other resources might be more suitable:
Short on time? Watch the Fall Ignite presentation
Already know? The Spring Ignite session focuses on what's new and an how to use demo
Get deeper? Watch the Webinar: MP4, YouTube,Presentation
Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response (read more).
If you want to get an initial overview of Azure Sentinel's technical capabilities, the latest Ignite presentation is a good starting point. You might also find the Quick Start Guide to Azure Sentinel useful (requires registration). A more detailed overview, however somewhat dated, can be found in this webinar: MP4, YouTube, Presentation.
Lastly, want to try it yourself? The Azure Sentinel All-In-One Accelerator (blog, Youtube, MP4, deck) presents an easy way to get you started. To learn how to start yourself, review the onboarding documentation, or watch Insight's Sentinel setup and configuration video.
Thousands of organizations and service providers are using Azure Sentinel. As usual with security products, most do not go public about that. Still, there are some.
Short on time? read this presentation
Many users use Azure Sentinel as their primary SIEM. Most of the modules in this course cover this use case. In this module, we present a few additional ways to use Azure Sentinel.
Use Sentinel, Azure Defender, Microsoft 365 Defender in tandem to protect your Microsoft workloads, including Windows, Azure, and Office:
The cloud is (still) new and often not monitored as extensively as on-prem workloads. Read this presentation to learn how Azure Sentinel can help you close the cloud monitoring gap across your clouds.
Either for a transition period or a longer term, if you are using Azure Sentinel for your cloud workloads, you may be using Azure Sentinel alongside your existing SIEM. You might also be using both with a ticketing system such as Service Now.
There are three common scenarios for side by side deployment:
You can also send the alerts from Azure Sentinel to your 3rd party SIEM or ticketing system using the Graph Security API, which is simpler but would not enable sending additional data.
Since it eliminates the setup cost and is location agnostics, Azure Sentinel is a popular choice for providing SIEM as a service. You can find a list of MISA (Microsoft Intelligent Security Association) member MSSPs using Azure Sentinel. Many other MSSPs, especially regional and smaller ones, use Azure Sentinel but are not MISA members.
To start your journey as an MSSP, you should read the Azure Sentinel Technical Playbooks for MSSPs. More information about MSSP support is included in the next Module, cloud architecture, and multi-tenant support.
While the previous section offers options to start using Azure Sentinel in a matter of minutes, before you start a production deployment, you need to plan. This section walks you through the areas that you need to consider when architecting your solution, as well as provides guidelines on how to implement your design:
Short on time? Watch the Nick Dicoala's Ignite presentation (first 11 Minutes)
Get Deeper? Watch the Webinar: MP4, YouTube, Presentation
An Azure Sentinel instance is called a workspace. The workspace is the same as a Log Analytics workspace and supports any Log Analytics capability. You can think of Sentinel as a solution that adds SIEM features on top of a Log Analytics workspace.
Multiple workspaces are often necessary and can act together as a single Azure Sentinel system. A special use case is providing service using Azure Sentinel, for example, by an MSSP (Managed Security Service Provider) or by a Global SOC in a large organization.
To learn more about why use multiple workspaces and use them as one Azure Sentinel system, read Extend Azure Sentinel across workspaces and tenants or, if you prefer, the Webinar version: MP4, YouTube, Presentation.
There are a few specific areas that require your consideration when using multiple workspaces:
The Azure Setninel Technical Playbook for MSSPs provides detailed guidelines for many of those topics, and is useful also for large organizations, not just to MSSPs.
Short on time? Watch the Nick Dicoala's Ignite presentation (Mid 11 Minutes)
Get Deeper? Watch the Webinar: YouTube, MP4, Deck.
The foundation of a SIEM is collecting telemetry: events, alerts, and contextual enrichment information such as Threat Intelligence, vulnerability data, and asset information. You can find a list of sources you can connect here:
How you connect each source falls into several categories or source types. Each source type has a distinct setup effort but once deployed, it serves all sources of that type. The Grand List specifies for each source what its type is. To learn more about those categories, watch the Webinar (includes Module 3): YouTube, MP4, Deck.
The types are:
If your source is not available, you can create a custom connector. Custom connectors use the ingestion API and therefore are similar to direct sources. Custom connectors are most often implemented using Logic Apps, offering a codeless option, or Azure Functions.
While how many and which workspaces to use is the first architecture question to ask, there are additional log management architectural decisions:
One of the important functions of a SIEM is to apply contextual information to the event steam, enabling detection, alert prioritization, and incident investigation. Contextual information includes, for example, threat intelligence, IP intelligence, host and user information, and watchlists.
Azure Sentinel provides comprehensive tools to import, manage, and use threat intelligence. For other types of contextual information, Azure Sentinel provides Watchlists, as well as alternative solutions.
Short on time? watch the Ignite session (28 Minutes)
Get Deeper? Watch the Webinar: YouTube, MP4, Presentation
Threat Intelligence is an important building block of a SIEM.
In Azure Sentinel, you can integrate threat intelligence (TI) using the built-in connectors from TAXII servers or through the Microsoft Graph Security API. Read more on how to in the documentation. Refer to the data collection modules for more information about importing Threat Intelligence.
Once imported, Threat Intelligence is used extensively throughout Azure Sentinel and is weaved into the different modules. The following features focus on using Threat Intelligence:
Watch the Webinar: YouTube, MP4, Presentation
In many (if not most) cases, you already have a SIEM and need to migrate to Azure Sentinel. While it may be a good time to start over and rethink your SIEM implementation, it makes sense to utilize some of the assets you already built in your current implementation. To start watch our webinar describing best practices for converting detection rules from Splunk, QRadar, and ArcSight to Azure Sentinel Rules: YouTube, MP4, Presentation, blog.
You might also be interested in some of the resources presented in the blog:
What is Azure Sentinel's content?
Azure Sentinel security value is a combination of its built-in capabilities such as UEBA, Machine Learning, or out-of-the-box analytics rules and your capability to create custom capabilities and customize built-in ones. Customized SIEM capabilities are often referred to as "content" and include analytic rules, hunting queries, workbooks, playbooks, and more.
In this section, we grouped the modules that help you learn how to create such content or modify built-in-content to your needs. We start with KQL, the Lingua Franca of Azure Sentinel. The following modules discuss one of the content building blocks such as rules, playbooks, and workbooks. We wrap up by discussing use cases, which encompass elements of different types to address specific security goals such as threat detection, hunting, or governance.
Short on time? Start at the beginning and go as far as time allows.
Most Azure Sentinel capabilities use KQL or Kusto Query Language. When you search in your logs, write rules, create hunting queries, or design workbooks, you use KQL. Note that the next section on writing rules explains how to use KQL in the specific context of SIEM rules.
We suggest you follow this Sentinel KQL journey:
You might also find the following reference information useful as you learn KQL:
Short on time? watch the Webinar: MP4, YouTube, Presentation
Azure Sentinel enables you to use built-in rule templates, customize the templates for your environment, or create custom rules. The core of the rules is a KQL query; however, there is much more than that to configure in a rule.
To learn the procedure for creating rules, read the documentation. To learn how to write rules, i.e., what should go into a rule, focusing on KQL for rules, watch the webinar: MP4, YouTube, Presentation.
SIEM rules have specific patterns. Learn how to implement rules and write KQL for those patterns:
To blog post "Blob and File Storage Investigations" provides a step by step example of writing a useful analytic rule.
Short on time? watch the Machine Learning Webinar: MP4, YouTube, Presentation
Before embarking on your own rule writing, you should take advantage of the built-in analytics capabilities. Those do not require much from you, but it is worthwhile learning about them:
In modern SIEMs such as Azure Sentinel, SOAR (Security Orchestration, Automation, and Response) comprises the entire process from the moment an incident is triggered and until it is resolved. This process starts with an incident investigation and continues with an automated response. The blog post "How to use Azure Sentinel for Incident Response, Orchestration and Automation" provides an overview of common use cases for SOAR.
Automation rules are the starting point for Azure Sentinel automation. They provide a lightweight method for central automated handling of incidents, including suppression, false-positive handling, and automatic assignment.
To provide robust workflow based automation capabilities, automation rules use Logic App playbooks:
You can find dozens of useful Playbooks in the Playbooks folder on the Azure Sentinel GitHub, or read "A playbook using a watchlist to Inform a subscription owner about an alert" for a Playbook walkthrough.
While Azure Sentinel is a cloud-native SIEM, its automation capabilities do extend to on-prem environments, either using the Logic Apps on-prem gateway or using Azure Automation as described in "Automatically disable On-prem AD User using a Playbook triggered in Azure"
As the nerve center of your SOC, you need Azure Sentinel to visualize the information it collects and produces. Use workbooks to visualize data in Azure Sentinel.
Workbooks can be interactive and enable much more than just charting. With Workbooks, you can create apps or extension modules for Azure Sentinel to complement built-in functionality. We also use workbooks to extend the features of Azure Sentinel. Few examples of such apps you can both use and learn from are:
You can find dozens of workbooks in the Workbooks folder in the Azure Sentinel GitHub. Some of those are available in the Azure Sentinel workbooks gallery and some are not.
Workbooks can serve for reporting. For more advanced reporting capabilities such as reports scheduling and distribution or pivot tables, you might want to use:
Short on time? watch the short introduction video
Get Deeper? Watch the Webinar: YouTube, MP4, Presentation
Jupyter notebooks are fully integrated with Azure Sentinel. While usually considered an important tool in the hunter's tool chest and discussed the webinars in the hunting section below, their value is much broader. Notebooks can serve for advanced visualization, an investigation guide, and for sophisticated automation.
An important part of the integration is implemented by MSTICPY, a Python library developed by our research team for use with Jupyter notebooks that adds Azure Sentinel interfaces and sophisticated security capabilities to your notebooks.
Using connectors, rules, playbooks, and workbooks enables you to implement use cases: the SIEM term for a content pack intended to detect and respond to a threat. You can deploy Sentinel built-in use cases by activating the suggested rules when connecting each Connector. A solution is a group of use cases addressing a specific threat domain.
Another very relevant solution area is protecting remote work. Watch our ignite session on protection remote work, and read more on the specific use cases:
And lastly, focusing on recent attacks, learn how to monitor the software supply chain with Azure Sentinel.
After building your SOC, you need to start using it. The "day in a SOC analyst life" webinar (YouTube, MP4, Presentation) walks you through using Azure Sentinel in the SOC to triage, investigate and respond to incidents.
You might also want to read the documentation article on incident investigation. As part of the investigation, you will also use the entity pages to get more information about entities related to your incident or identified as part of your investigation.
Incident investigation in Azure Sentinel extends beyond the core incident investigation functionality. We can build additional investigation tools using Workbooks and Notebooks (the latter are discussed later, under hunting). You can also build additional investigation tools or modify ours to your specific needs. Examples include:
Short on time? watch the Webinar: YouTube, MP4, Deck
(Note that the Webinar starts with an update on new features, to learn about hunting, start at slide 12. The Youtube link is already set to start there)
While most of the discussion so far focused on detection and incident management, hunting is another important use case for Azure Sentinel. Hunting is a proactive search for threats rather than a reactive response to alerts.
To understand more about what hunting is and how Azure Sentinel supports it, Watch the hunting intro Webinar (YouTube, MP4, Deck). Note that the Webinar starts with an update on new features. To learn about hunting, start at slide 12. The Youtube link is already set to start there.
While the intro webinar focuses on tools, hunting is all about security. Our security research team webinar on hunting (MP4, YouTube, Presentation) focuses on how to actually hunt. The follow-up AWS Threat Hunting using Sentinel Webinar (MP4, YouTube, Presentation) really drives the point by showing an end-to-end hunting scenario on a high-value target environment. Lastly, you can learn how to do SolarWinds Post-Compromise Hunting with Azure Sentinel and WebShell hunting motivated by the latest recent vulnerabilities in on-premises Microsoft Exchange servers.
Azure Sentinel newly introduced User and Entity Behavior Analytics (UEBA) module enables you to identify and investigate threats inside your organization and their potential impact - whether a compromised entity or a malicious insider.
Short on time? watch the videos on monitoring connector
, security operations health or workspace audit.
Part of operating a SIEM is making sure it works smoothly and an evolving area in Azure Sentinel. Use the following to monitor Azure Sentinel's health:
Short on time? watch the video (5 minutes)
Get deeper? Watch the Webinar: MP4, YouTube, Presentation
As a cloud-native SIEM, Azure Sentinel is an API first system. Every feature can be configured and used through an API, enabling easy integration with other systems and extending Sentinel with your own code. If API sounds intimidating to you, don't worry; whatever is available using the API is also available using PowerShell.
To learn more about Azure Sentinel APIs, watch the short introductory video and blog post. To get the details, watch the deep dive Webinar (MP4, YouTube, Presentation) and read the blog post Extending Azure Sentinel: APIs, Integration, and management automation.
Short on time? watch the video
Azure Sentinel provides a great platform for implementing your own Machine Learning algorithms. We call it Bring Your Own ML or BYOML for short. Obviously, this is intended for advanced users. If you are looking for built-in behavioral analytics, use our ML Analytic rules, UEBA module, or write your own behavioral analytics KQL based analytics rules.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.