Ninja Cat Giveaway: Episode 3 | Sentinel integration

Microsoft

For this episode, your opportunity to win a plush ninja cat is the following -

Reply to this thread with: what was your favorite feature Javier presented? Oh and what does UEBA stand for? 

 

This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

38 Replies

@HeikeRitter 

 

UEBA stands for User and Entity Behavior Analytics. My favourite feature are the analytics rules.

Definitely the automation part! Great to remediate incidents with a click of a button.

UEBA = User and Entity Behavior Analytics

@HeikeRitter a lot to like aggregated data, analytics, alerts, automated response, but I appreciate the alerting on incidents.  Knowing you have a problem is key to thoughtful response and automating fixes.

 

@HeikeRitter 

 

My favorite features were automation and Sentinel having not only data connectors for Microsoft services but also for Amazon and other third party.

 

and UEBA is abbreviation of User and Entity Behavior Analytics

As others have mentioned, UEBA is usually User and Entity Behavior Analytics.

I liked learning about the various Data Connectors, in particular Threat Intelligence. I also liked the comment that the automations are built like Power Automate- that makes them feel more approachable.

Appreciate another great show!

@HeikeRitter 

Favourite Features:

 

  1. Ability to integrate 3rd party applications using connectors.
  2. Fusion Rules (which combines signals from different services to generate an alert).
  3. MITRE ATT&CK (Preview) heat maps.
  4. Playbook templates under Automation. Block AAD user is great to prevent account compromise.

UEBA stands for User and Entity Behaviour Analytics.
Basis the data collected by Sentinel (logs/alerts), Sentinel creates a baseline profile for entities.
These baselines profiles can then be utilised by Sentinel to detect anomalies (like login from a new/suspicious location).

UEBA = User and Entity Behavior Analytics. Favourite part was the "next steps" in the Data Connectors section. Been using Sentinel for a while now and did not know about this! Thanks Javier! 

 

Looking forward to the next show, @HeikeRitter.

 

Cheers!

@HeikeRitter 

My favourite feature is Hunting, it's a powerful feature that can return a lot of data which helps provide extra insight and information when looking at an incident. :cool:

UEBA means User and Entity Behavior Analytics, some call it User Entity and Behavior Analytics. 


@HeikeRitter and Javier great show! I liked seeing the playbook templates. I had not seen them before. It's great how you can filter them to find what you need, then configure them in the logic app creator. Nice!

UEBA is User and Entity Behavior Analytics.

@HeikeRitter 

Hello,

 

My favorite feature was the automation rules & the playbooks

 

UEBA means User and Entity Behaviour Analytics.

 

Thank you

Hi Heike,

My favorite features Javier presented today are the following:

1. Data connectors. {collecting different data from other MS services or third-party applications.}
2. Analytic rules. {The way to start detecting is enabling analytics rules, you always want to start from enabling necessary rules (NOT everything) as a best practice. }
3. Content hub (Preview) {a solution gallery}
4. Bi-direction synchronization between MS Sentinel and MS 365 Defender
5. MITRE ATT&CK (Preview) {a comprehensive heat map}
6. Playbook template for automating threat response {Logic app designer}

UEBA stands for User and Entity Behavior Analytics. It is used for collecting and analyzing data that Sentinel collects from different data sources, then being trained, and set some baselines for entities.

Thank you!
Excellent presentation by Javier. I especially enjoyed the section on leveraging Fusion ML and fusing multiple alerts from different providers and sources and raise severity to best reflect the potential impact of a threat. As well as sections on Content Hub and 282 connectors that we can access by filtering on a variety of categories and of course the MITRE ATT&CK dashboard and HIIT map. Can't wait to spend more time on these areas.

@HeikeRitter 

Hi, Thank you for your great video 🙂


In this video part, I've understood that there are many data connectors in sentinel, NOT ONLY FOR microsoft solutions.

It can help every users to ingest logs to sentinel, it's so EASY !!

And, in sentinel, there are many detection mechanism like ML and TI.

Through creating fusion rules, sentinel can detect advanced threats.

Admin can see the detection overview on MITRE ATT&CK page, based on this, admin can understand attack technics that is NOW happening !

 

Sentinel has soooo many features to realize Modern SOC for every company.

My favorite feature is the Bi-direction synchronization because I did not know it's there and it's something been plaguing my team.
UEBA = User and Entity Behavior Analytics
UEBA means User and Entity Behavior Analytics
What is my favourite feature (there are more than one...) is for sure automation and specially the playbook templates that help to be very more efficient quickly.
Cheers
my favorite feature is fusion that automatically fuse together all alerts using ML and AI
UEBA = User and Entity Behavior Analytics
Definietly the Automation section! I'm currently working on it in my organization, so the information from the episode came in handy.
UEBA - User and Entity Behavior Analytics

@HeikeRitter 

Hello Heike, great show!  Thank you for having Javier on.

EBA == User and Entity Behavior Analytics
UEBA uses Artificial Intelligence (AI) and Machine Learning (ML) algorithms used to
establish a user and entity baselines and then monitor/identify anomalies, impossible travel,
and/or any other inconsistent behaviors from established baselines. Originated from FinTech as a means to minimize credit card fraud.

 

SOAR == Security, Orchestration, Automation, and Response is needed as SOC analysts have to do more with less. SOAR can also reduce alert fatigue in Analysts by handling common activities / alert and when a certain threshold is exceeded, alert the SOC Analyst to events they should really focus on. This is a critical capability.

 

One of my favorite features of Sentinel is the Fusion Analytic correlation engine that uses 10's of trillions of signals (daily) with AI/ML to produce low noise, high fidelity alerts. This dynamic content feeding Sentinel raises the bar from static on-premises manual processes into a continuous cloud powered platform!

 

I particularly like how Sentinel can bring in visibility from other Defender Security solutions, cloud providers, on-premises infrastructure via Azure Arc and provide dashboards with dynamic displays in a single pane of glass. I also like how Kusto Query Langauge (KQL) can be used in M365 Defender, Sentinel, Log Analytics, and Azure Data Explorer. One common language used to deeply explore, enrich, and correlate information across various Azure security solutions (MDE,MDI,MDC,MDO, etc).


Lastly the automation demonstration through logic apps and the Microsoft 365 Defender connector in Sentinel was great!  This cross-functional integration of telemetry woven into and through the Azure security solution stack is impressive and very useful when it comes to event/alert enrichment, correlation, thus illuminating the operational environment folks are responsible for defending.

EUBA is threat hunting using behavior analytics. One of the things I found incredibly helpful is the connectors with the various non MS products. This helps build Sentinel as the SIEM that will make data coorilations for me.