All right, good afternoon. Welcome, everybody. My name is Thijs, and I'm going to be walking you through a session called Notes from the Field: Microsoft Sentinel in Real Life. The goal of this session is really to give a hands-on view of what Microsoft Sentinel is, and not just to talk about what you'd see or learn in a Microsoft talk, but to showcase, from real-world experience, how it's done.
Just as a reminder, I am currently live in the session as well and I'm ready to answer questions in the Q&A. And be sure to jump into the live Q&A after the session as well, where we can talk about Sentinel in more detail.
So maybe just a small introduction from my side. My name is Thijs. I am a Microsoft MVP located in Belgium, and I currently work for a company called The Collective Consulting.
This is a Microsoft partner focused on security, and my role within The Collective is team leader of the SOC. So our security operations center is something I manage, and day in and day out I work with the SOC. And the SOC is entirely based on top of Microsoft Sentinel, so that's why I can showcase some really nice real-world examples of how Sentinel can be used in a SOC.
You can find me on Twitter and LinkedIn, but I'm also writing a book with a couple of other MVPs, and I blog as well, on my own blog but also [INAUDIBLE] on Practical 365. So be sure to check those out as well.
So a small overview of what we're going to be doing today: we're going to first have a small overview of the architecture of Microsoft Sentinel. What does it look like? What are the different components? And then I'm going to be diving right in with some tips and tricks on data ingestion and how to get data into Microsoft Sentinel.
We're going to see how to create incidents, how these incidents end up in Microsoft Sentinel, but also how to do incident response on those, with some small tips and tricks from our own SOC. Then we'll look into automating that incident response, using playbooks and logic apps to automate some of the things you do manually. And finally, I'm going to be showing a sample architecture of a real-world example of Microsoft Sentinel, really to help you see how Microsoft Sentinel can be used in a company as a real SIEM.
So I said SIEM. It's important to know that, generally, we have SIEM and SOAR. A SIEM is a security information and event management system, and a SOAR is a security orchestration, automation and response product.
What's the difference between the two? Well, into the SIEM we'll push all of the content, all of the logs that we have in our environments. All of your security logs will end up in a SIEM, where we can correlate them, query them, and have an overview of the entire environment.
A SOAR is where we will do incident response, but also automation of incident response. So not only manual actions, but also automating those actions. It is important to note that some products are a SIEM or a SOAR, or both. And Microsoft Sentinel, in our case, is both.
So within this session, you will see things both about pushing data into the SIEM, getting logs into a Sentinel system, but also about using Microsoft Sentinel to respond to those incidents and to automate the incident response. And that's just an important step: to know that Sentinel is both a SIEM and a SOAR product. Now let's see what it looks like. It's important to know that Microsoft Sentinel is a cloud-native SIEM, entirely based on top of existing Azure resources.
So at the heart of Microsoft Sentinel, what do we have? We have Log Analytics. You might know Log Analytics as an existing Azure resource; it's been used, for example, for Azure virtual machines to dump their performance logs into, but also in Application Insights to get insights into the exceptions in an environment. This is where we have the Sentinel system of logging, with Microsoft Sentinel as a solution on top of Log Analytics. So it builds on top of that.
What does it build on top of that? First of all, we have data collection. So through data collection, we will get data from outside, from different sources, and push that into Sentinel. That's the SIEM part, of course: getting all the data into a central place.
Then we also have detection and investigation. That's still the SIEM part. We'll look into creating rules to create incidents and alerts, which will notify the SOC team, and respond to that. And this is where the SOAR comes in: it's in the investigation.
This investigation can be: OK, we see malicious activity from the data. Let's hand this over to the SOC, and the SOC will investigate this. They can look into it and provide a verdict: is this truly malicious activity or is it not? And then finally, we can respond with an automated response through Azure Logic Apps, which I'll talk about in a bit.
So here we can see an overview: on the left, data collection, then the incident, the incident response, and then the automation. And these are also the four parts which we'll be returning to throughout this presentation. So first of all, data sources.
It is important to know that within Microsoft Sentinel, we have lots of different kinds of data sources. And the kind of data source depends on what type of data you want to put into it, and it will also dictate, one, the cost, and two, how easy it is to integrate. And there is a big difference between first-party data sources, which are natively integrated.
These are mainly Microsoft cloud