Summary
In this episode, Henrik Wojcik, a Microsoft MVP, joins the hosts to discuss Microsoft Sentinel and provide a deep dive into its deployment and usage. They cover topics such as data residency and compliance considerations, separating operational logs and security logs, connectors for data ingestion, analytics rules and alert fatigue, scheduled queries and user and entity behavior analytics (UEBA), playbooks and automation, workbooks and data visualization, and advanced hunting with KQL queries.
Takeaways
- Consider data residency and compliance requirements when deploying Microsoft Sentinel.
- Separate operational logs and security logs to optimize cost and focus on relevant data.
- Use connectors to ingest data from various sources into Microsoft Sentinel.
- Tune analytics rules to avoid alert fatigue and focus on valuable alerts.
- Utilize scheduled queries and UEBA to identify suspicious behavior and automate investigations.
- Leverage playbooks and automation to streamline incident response and reduce manual effort.
- Create workbooks for data visualization and customize them to display relevant information.
- Explore advanced hunting with KQL queries to proactively search for threats and investigate incidents.
-------------------------------------------
Youtube Video Link: https://youtu.be/n9dDfmX-A9Q
-------------------------------------------
Documentation:
https://learn.microsoft.com/en-us/azure/sentinel/data-connectors-reference
https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector
https://learn.microsoft.com/en-us/azure/sentinel/billing?tabs=simplified%2Ccommitment-tiers#free-data-sources
Henrik Wojcik:
https://www.linkedin.com/in/henrikfrandswojcik/
https://twitter.com/henrikwojcik
----------------------
Contact Us:
Website: https://bluesecuritypod.com
Twitter: https://twitter.com/bluesecuritypod
Threads: https://www.threads.net/@bluesecuritypodcast
Linkedin: https://www.linkedin.com/company/bluesecpod
Youtube: https://www.youtube.com/c/BlueSecurityPodcast
Twitch: https://www.twitch.tv/bluesecuritypod
-------------------------------------------
Andy Jaw
Mastodon: https://infosec.exchange/@ajawzero
Twitter: https://twitter.com/ajawzero
LinkedIn: https://www.linkedin.com/in/andyjaw/
Email: andy@bluesecuritypod.com
-------------------------------------------
Adam Brewer
Twitter: https://twitter.com/ajbrewer
LinkedIn: https://www.linkedin.com/in/adamjbrewer/
Email: adam@bluesecuritypod.com
