Microsoft Tech Talks (MTT) | Practical Sentinel : A Day in the Life of a Sentinel Analyst

Practical Azure Sentinel : A Day in the Life of a Sentinel Analyst 

Friday - February 12th, 2021 - 1:00PM - 2:30PM CST

This session brings it all together and provides real-world examples of using Azure Sentinel features as a security analyst. Attendees will be able to picture themselves in the role of analyst and understand the specific tasks required to accomplish their daily workload, all based on an industry-standard SOC workflow. It maps each of those tasks to the specific Azure Sentinel feature used to carry it out.


EVENT AGENDA:
1:00 PM – Opening / Welcome
1:10 PM - Featured Topic – Speaker
2:00 PM - Q&A

EVENT SPEAKER BIO:
Rod Trent is an Azure Sentinel global SME helping customers migrate from existing SIEMs to #AzureSentinel to achieve the promise of better security through improved efficiency without compromise.


Microsoft Teams Live Event

We are setting the table and getting ready to serve the smorgasbord of knowledge and experience from Rod Trent. Join us tomorrow !! Tell a friend!

I am the sole Sentinel Analyst at my company. I have been having a hard time with false positives and haven't been using the product because of that. I have most of the analytic rules set up, but like I said, since I'm the only person using it and most are false positives, I don't feel like I'm using Sentinel to its fullest potential. Do you have any recommendations for solving this problem, and also what kind of training or help would you suggest for someone looking to get better at Sentinel? @Peter Gray

@Peter Gray @rodtrent 

Are you able to give any insight on how to tackle unfamiliar sign-ins from AAD IP? 

We are seeing 1000s of these events every day, to the point where we have had to disable them. It would be great to get your take on how we can tackle this event type and make them useful.

Another event that I am interested to know how you might tackle is "New UserAgent discovered", which we get 30+ entities a day for, each time a guest logs in via AAD B2B or a user's browser gets updated. Could you please give some pointers on how we can add more context to this alert type?

Many Thanks. 

Is there a recording? I would like to watch it again and pass along to additional associates @Peter Gray 

@RadRob unfortunately recordings can't be made publicly available. We are looking into a solution that would allow Premier and Unified Support customers to be able to access them, but we are probably 2 months out on that.

Good news though, Rod wants to present again on more topics so keep an eye out for that!

@twessel Any chance you've identified the Analytics Rules that are contributing the most to your false positives? Are they coming from MCAS, possibly? What source?

Yes, most of our false positives come from MCAS. @rodtrent

@twessel Connecting MCAS to Sentinel enables a bridge between the two services so that only the originating service's (MCAS) alerts are synced to the Sentinel console. So, this would actually be a situation where MCAS policies need to be tuned on what alerts are generated and how often.
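The exchange above turns on two questions: which rules or connectors are producing the false positives (Rod's question to twessel), and where the tuning has to happen once MCAS turns out to be the source. The KQL below is an added example for readers of this thread, not code from the session or from any of the participants. It ranks everything landing in the SecurityAlert table by provider and alert name over the last 30 days, then drills into the MCAS-sourced alerts so you can see which policies to tune on the MCAS side. It assumes the Cloud App Security connector populates SecurityAlert with ProviderName set to "MCAS" (an assumption; check the value in your own workspace before filtering on it) and that CompromisedEntity carries the triggering user or resource.

```kql
// Added example, not from the original thread.
// Step 1: rank every alert source feeding Sentinel by volume over 30 days.
// This answers "which rules contribute most to the false positives" before
// any tuning starts: the top rows are the candidates to review first.
SecurityAlert
| where TimeGenerated > ago(30d)
| summarize
    AlertCount = count(),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated)
    by ProviderName, AlertName
| order by AlertCount desc
| take 25

// Step 2: for alerts synced from MCAS only, show which policy (AlertName)
// fires most and how many distinct entities it touches. A policy with a
// very high count but few distinct entities is usually one misconfigured
// policy, which is tuned in the MCAS portal rather than in Sentinel.
// ProviderName == "MCAS" is an assumption to verify in your workspace.
SecurityAlert
| where TimeGenerated > ago(30d)
| where ProviderName == "MCAS"
| summarize
    AlertCount      = count(),
    DistinctEntities = dcount(CompromisedEntity),
    Severities      = make_set(AlertSeverity)
    by AlertName
| extend AlertsPerEntity = round(todouble(AlertCount) / max_of(DistinctEntities, 1), 1)
| order by AlertCount desc
```

Run each query separately in the Sentinel Logs blade. A high AlertsPerEntity value in the second result set is the signal to look at that policy's thresholds and scope in MCAS, since, as Rod notes, the Sentinel side only mirrors what MCAS has already decided to raise.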