Microsoft

COVID-19 is forcing many organizations to adapt almost overnight to the new reality of social distancing and orders to stay home. As organizations act quickly to enable remote workers, students, customers, and other constituents, many are turning to cloud services and platforms for solutions. For many organizations, this includes enabling new cloud technologies or significantly increasing use of existing solutions almost overnight.

 

For Security Operations Centers tasked with protecting organizations, this can create significant challenges. First, logs and security data from newly deployed cloud services need to be collected and analyzed to identify and investigate potential threats. For some, connecting and scaling on-premises Security Information and Event Management (SIEM) systems to support new cloud data sources can be very difficult, especially if new hardware is required. Second, SOC teams will need to quickly adapt their detection and response efforts to support cloud solutions that are either new or that have become increasingly critical. Our team is here to help.

 

To that end, Azure Sentinel will provide the following:

  • Guidance on how to quickly start collecting cloud security data
  • Ability to ingest many cloud data sources for free in Azure Sentinel
  • 30-day free trial for new customers, which includes free ingestion of all security data
  • Built-in workbooks, hunting queries, analytics rules, and more to help gain insights from this data right away
  • Proactive monitoring of new COVID-19 related threats by Microsoft security experts and development of new Azure Sentinel detections

 

Rapid, low-cost cloud data collection

If you aren’t already using Azure Sentinel, it only takes a few minutes to set up in the Azure portal. There is no cost for creating an Azure Sentinel workspace; you only pay for the data you ingest. A free 30-day trial combined with a number of free cloud data sources will help keep your costs down – more on that later. With Azure Sentinel, there is no hardware to procure, configure, or manage and the service will scale automatically as you add new data sources.

 

In Azure Sentinel, you will find a gallery of data connectors that simplify the process of collecting data from a variety of sources. There are connectors for Microsoft 365 and Azure, as well as other cloud services, along with networks, endpoints, and more. With the correct permissions, you can enable the Microsoft 365 and Azure data sources in a single click. Other cloud data sources, like AWS, require minimal additional configuration. For data sources that do not have a connector in Azure Sentinel yet, data ingestion may be supported via Azure Logic Apps and Azure Functions.

 

Connect cloud data sources

We recommend you start by connecting activity and audit logs from your cloud services. If you have security solutions deployed for these services, enable those as well. You can augment this with network or other data sources at a later date. For a complete list of built-in data connectors, see the documentation. For information about connecting other data sources, see this blog post.

 

The chart below provides information about the most common cloud data sources.

 

 

 

Data source                                                        | How to Connect                                             | Cost
------------------------------------------------------------------ | ---------------------------------------------------------- | -----------------------
Microsoft 365 and Azure Logs
  Azure Activity Logs                                              | Data Connector                                             | Free
  Office 365 SharePoint Activity and Exchange Admin Activity Logs  | Data Connector                                             | Free
  Azure Active Directory Sign-in and Audit Logs                    | Data Connector                                             | See pricing
  Azure Application Gateway WAF                                    | Data Connector                                             | See pricing
  Azure Information Protection Logs                                | Data Connector                                             | See pricing
  Microsoft Cloud App Security ShadowIT Logs                       | Data Connector                                             | See pricing
  Office 365 Teams activity Logs                                   | Data Connector in Progress, Use an Azure Function for Now  | See pricing
Microsoft Security Solutions
  Azure Advanced Threat Protection Alerts                          | Data Connector                                             | Free
  Azure AD Identity Protection Alerts                              | Data Connector                                             | Free
  Azure Information Protection Alerts                              | Data Connector                                             | Free
  Azure Security Center Alerts                                     | Data Connector                                             | Free
  Azure Security Center for IoT Alerts                             | Data Connector                                             | Free
  Microsoft Cloud App Security Alerts                              | Data Connector                                             | Free
  Microsoft Defender Advanced Threat Protection Alerts             | Data Connector                                             | Free
Other Cloud Services
  Amazon Web Services (CloudTrail logs)                            | Data Connector                                             | Free through June, 2020
  Google Cloud Platform                                            | Data Connector in Progress, Use Custom Connectors for Now  | See pricing

 

Note: For new Azure Sentinel customers, any data source can be ingested for the first 30 days at no charge. Azure Monitor Log Analytics charges may apply. See the pricing page to learn more.
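As an added example (not part of the original post), the following KQL queries against the built-in Log Analytics Usage table show which data types in a workspace are actually being billed and by which solution, which is the check to run before relying on the free tiers in the chart above. They assume the standard Usage schema (Quantity reported in MB, and Solution values such as SecurityInsights for Azure Sentinel charges and LogManagement for the underlying Log Analytics charges).

```kql
// Added example, not from the original post.
// Billable ingestion per data type over the last 30 days, split by the solution
// that bills it. Assumes the built-in Usage table: Quantity is in MB, and
// Solution is "SecurityInsights" for Azure Sentinel charges and "LogManagement"
// for Log Analytics charges (the latter still apply during the Sentinel trial).
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType, Solution
| order by IngestedGB desc

// Daily billable volume per solution, to spot the step change when a newly
// connected source starts flowing and to size the bill after the trial ends.
Usage
| where TimeGenerated > ago(30d) and IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by bin(TimeGenerated, 1d), Solution
| order by TimeGenerated asc
```

Run each query separately in the Logs blade of the workspace; data types that the chart lists as free should appear with IsBillable == false (and therefore not in these results) once the connector is active.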

 

Additional deployment assistance and guidance

We have compiled a comprehensive list of docs, blogs, and other resources to help you get started with Azure Sentinel. And, we are here to help you! You can get additional guidance and assistance through the Microsoft FastTrack program. If you encounter technical issues, you can reach out to customer support: Microsoft Support or Microsoft Premier Support.

 

Adapting to new data sources and emerging threats

Gain insights into threats using your cloud data

Once your data is flowing into Azure Sentinel, you can begin using it to identify and investigate potential threats. A combination of workbooks (interactive dashboards), hunting queries, analytics rules templates, and even Jupyter notebook samples are available out of the box to help you quickly visualize and analyze your data in Azure Sentinel. For sources with built-in data connectors, you can easily access these related assets from the ‘next steps’ tab for each connector, or from within the Workbooks, Hunting, Notebooks, and Analytics blades.

 

A couple of recent blog posts highlight scenarios that may be particularly relevant today. With many organizations becoming increasingly dependent on Microsoft Teams for communications and document sharing, this blog details how to use Azure Sentinel to protect Microsoft Teams. The other blog I recommend provides an example of hunting over AWS logs using Azure Sentinel.

 

New COVID-19 Threats

Security analysts from the Microsoft Threat Intelligence Center (MSTIC) are continuously monitoring the threat landscape to identify new threats. When new threats are identified, MSTIC builds analytics rules and Jupyter notebook samples that Azure Sentinel customers can use to hunt for these threats in their environments. They recently released a guided hunting notebook for COVID-19 themed threats, and will continue to leverage their unique insights and intelligence to help you protect against emerging threats in Azure Sentinel.

 

In addition, MSTIC is working closely with specialized groups like the Microsoft Threat Protection Intelligence Team. Earlier this week, the two teams partnered on guidance to help essential services protect against popular ransomware attacks, which are known to target the healthcare industry.

 

Call to action for the Azure Sentinel community

Our team is committed to helping customers enable critical protections for their organizations and users during these challenging times, but we cannot do it alone. We have an amazing community of Threat Hunters who share their expertise by contributing workbooks, queries, analytics, notebooks, automation playbooks, and so much more on our GitHub. Thank you to those who have already contributed. We hope other community members will do the same. Some areas where you can help include:

  • Parsers and functions for cloud data sources not already supported by built-in data connectors
  • Hunting queries, analytics, and Jupyter notebooks to detect emerging threats designed to capitalize on COVID-19 fears or target remote workers and cloud applications
  • Playbooks to automatically remediate the above threats

 

Together, we hope to minimize risks to organizations and users. Please stay in touch on our TechCommunity forum and blog. Personally, I will try to keep you posted on twitter (@sarahfender) as well.

 

Sarah Fender, on behalf of the entire Azure Sentinel product team

2 Comments
Occasional Visitor

Hi @Sarah Fender,

 

Great initiative and thanks for the information. Can you confirm that the data sources in the chart are all free and that the link referencing the pricing for certain data sources is only relevant after the 30 day trial?

Microsoft

@lukek79 You are correct that no data is charged in Azure Sentinel during the free trial. A minor correction, the free trial is offered for 31 days instead of 30. Also, it applies to Azure Sentinel charges only. Charges related to Azure Monitor Log Analytics for data ingestion and additional capabilities for automation and bring your own machine learning are still applicable during the free trial. The Azure Sentinel pricing page has all of the details.