Modernize your SIEM in the cloud with Azure Sentinel Cristhofer Romeo

78 slides, 4.50 MB

Modernize your SIEM in the cloud with Azure Sentinel. Cristhofer Romeo Muñoz, Program Manager II, C+AI Division

Expanding digital estate (Security Operations Challenges): smart cities, vehicles, sensors, energy systems, equipment, marketplaces, partners, citizens, customers, supply chains, manufacturers, on-premises, mobile devices

Security operations challenges: sophistication of threats; IT deployment and maintenance; too many disconnected products; lack of automation. 44% of alerts are never investigated; 76% report increasing security data*; 3.5M unfilled security jobs in 2021. *ESG: Security Analytics and Operations: Industry Trends in the Era of Cloud Computing, 2019

Introducing Azure Sentinel, an intelligent, cloud-native SIEM. Delivers instant value to your defenders. Scales to support your growing digital estate. Uses AI and automation to improve effectiveness.

End-to-end solution for security operations: Collect (Visibility), Detect (Analytics), Investigate (Hunting, Incidents), Respond (Automation). Powered by community, backed by Microsoft's security experts.

10 steps to modernize your SIEM

Visibility

1. Collect security data at cloud scale from any source. Sources feeding Azure Sentinel: Azure and Microsoft 365 (security alerts, activity data); collectors for CEF, Syslog, Windows and Linux; threat indicators over TAXII and the MS Graph Security API; custom logs via APIs. Everything lands in the Azure Monitor Log Analytics workspace that Azure Sentinel runs on.

2. Use workbooks to power interactive dashboards. Choose from a gallery of workbooks. Customize or create your own workbooks using queries. Take advantage of rich visualization options. Gain insight into one or more data sources.

DEMO

QUESTION What data can you ingest in Azure Sentinel at no cost?

ANSWER Azure Activity Logs, Office 365 Activity Logs, and alerts from Microsoft Threat Protection can be ingested at no cost.

Analytics

3. Leverage analytics to detect threats. Choose from more than 100 built-in analytics rules. Customize and create your own rules using KQL queries. Correlate events with your threat intelligence, and now with Microsoft URL intelligence. Trigger automated playbooks.
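The following query is an added example of the "correlate events with your threat intelligence" bullet, not a rule from the deck or from Microsoft: a scheduled analytics rule body that matches IP indicators from the ThreatIntelligenceIndicator table against outbound connections in CommonSecurityLog. It assumes a TAXII or Graph Security threat-intelligence connector and a CEF collector are both enabled; the threshold names (dt_lookback, ioc_lookback) and the column names timestamp and IPCustomEntity are assumptions that follow the convention of the community rules on GitHub, which Sentinel used at the time for entity mapping.

```kql
// Added example analytics rule (not from the deck). Assumes:
//   - ThreatIntelligenceIndicator is populated by a TAXII / Graph Security connector
//   - CommonSecurityLog is populated by a CEF collector (firewall or proxy)
// Schedule: run every hour, look back one hour (dt_lookback), alert per result row.
let dt_lookback  = 1h;    // how far back to scan the network logs each run
let ioc_lookback = 14d;   // only consider indicators refreshed recently
let indicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookback)
    | where Active == true and ExpirationDateTime > now()
    // an IP indicator may sit in any of these three columns depending on the feed
    | extend TI_IP = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP)
    | where isnotempty(TI_IP)
    // feeds re-deliver the same indicator; keep only the newest copy
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project TI_IP, IndicatorId, Description, ConfidenceScore, ThreatType, ExpirationDateTime;
CommonSecurityLog
| where TimeGenerated >= ago(dt_lookback)
| where isnotempty(DestinationIP)
// connections that were already blocked at the edge are noise for a High-severity rule
| where tolower(DeviceAction) !in ("deny", "drop", "block", "reject")
| join kind=inner indicators on $left.DestinationIP == $right.TI_IP
| summarize Hits = count(),
            FirstHit = min(TimeGenerated),
            LastHit  = max(TimeGenerated),
            Sources  = make_set(SourceIP, 10)
          by DestinationIP, IndicatorId, Description, ConfidenceScore, ThreatType,
             DeviceVendor, DeviceProduct
// columns the rule maps to entities: timestamp for the alert time, IPCustomEntity for the IP entity
| extend timestamp = LastHit, IPCustomEntity = DestinationIP
| order by ConfidenceScore desc, Hits desc
```

The `arg_max(...) by IndicatorId` step matters in practice: feeds re-publish indicators on every refresh, and without deduplication one connection can fan out into dozens of identical alerts. Filtering on `Active` and `ExpirationDateTime` keeps retired indicators from firing long after the campaign they described is over.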

3a. Tap into the power of ML to increase your catch rate without increasing noise. Use built-in models; no ML experience required. Detects anomalies using transfer learning. Fuses data sources to detect threats that span the kill chain. Simply connect your data and learning begins. Bring your own ML models (coming soon).

DEMO

Hunting

4. Start hunting over security data with fast, flexible queries. Run built-in threat hunting queries; no prior query experience required. Customize and create your own hunting queries using KQL. Integrate hunting and investigations.
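As an added example of a custom hunting query (not one of the deck's built-in queries), the following KQL finds process and command-line combinations that appear for the first time in the last day on only one or two hosts, and ranks them by a small set of living-off-the-land indicators. It assumes Windows Security events are collected into the SecurityEvent table with process-creation auditing (Event ID 4688) and command-line capture enabled in the audit policy; the window sizes and the scoring weights are assumptions chosen for illustration.

```kql
// Added hunting query (not from the deck). Assumes SecurityEvent contains 4688
// events with CommandLine populated (requires "Include command line in process
// creation events" in the audit policy).
// Idea: "new" is not "bad", but a process+command line never seen in the
// previous two weeks, now on one or two hosts, is where a hunt should start.
let baseline_days  = 14d;
let recent_window  = 1d;
let normalize = (proc:string, cmd:string) { strcat(tolower(proc), " ", tolower(cmd)) };
let baseline =
    SecurityEvent
    | where TimeGenerated between (ago(baseline_days + recent_window) .. ago(recent_window))
    | where EventID == 4688
    | extend Key = normalize(NewProcessName, CommandLine)
    | distinct Key;
SecurityEvent
| where TimeGenerated > ago(recent_window)
| where EventID == 4688
| extend Key = normalize(NewProcessName, CommandLine)
// leftanti keeps only rows whose Key does not exist in the baseline
| join kind=leftanti baseline on Key
| extend SuspicionScore =
      iff(CommandLine has_any ("enc", "encodedcommand", "frombase64string"), 3, 0)
    + iff(CommandLine has_any ("downloadstring", "webrequest", "bitsadmin", "certutil"), 2, 0)
    + iff(tolower(NewProcessName) matches regex @"\\(rundll32|regsvr32|mshta|wscript|cscript)\.exe$", 1, 0)
    // Office applications spawning anything is the classic macro-dropper shape
    + iff(ParentProcessName has_any ("winword", "excel", "outlook", "powerpnt"), 3, 0)
| summarize Hosts      = dcount(Computer),
            Executions = count(),
            Accounts   = make_set(SubjectUserName, 5),
            FirstSeen  = min(TimeGenerated),
            Score      = max(SuspicionScore)
          by NewProcessName, CommandLine, ParentProcessName
| where Hosts <= 2
| order by Score desc, Executions asc, FirstSeen asc
| take 200
```

Rows that come back with a non-zero score are candidates for the bookmark and live-stream workflow in the next step; rows with a score of zero but a genuinely odd parent are still worth a look, which is why the query keeps them rather than filtering on score.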

5. Use bookmarks and live stream to manage your hunts. Bookmark notable data. Start an investigation from a bookmark, or add it to an existing incident. Monitor a live stream of new threat-related activity.

6. Use Jupyter notebooks for advanced hunting. Run in the Azure cloud. Save as shareable HTML/JSON. Query Azure Sentinel data. Bring external data sources. Use your language of choice: Python, SQL, KQL, R.

DEMO

QUESTION Where can you find and share hunting queries for Azure Sentinel?

ANSWER Hundreds of contributions, including data connectors, workbooks, analytics rules, queries, notebooks, parsers, functions, and playbooks, are available in the Azure Sentinel community repository on GitHub (https://github.com/Azure/Azure-Sentinel).

DEMO

Incidents

7. Start and track investigations from prioritized, actionable security incidents. Use incidents to collect related alerts, events, and bookmarks. Manage assignments and track status. Add tags and comments. Trigger automated playbooks.

8. Visualize the entire attack to determine scope and impact. Navigate the relationships between related alerts, bookmarks, and entities. Expand the scope using exploration queries. View a timeline of related alerts, events, and bookmarks. Gain deep insights into related entities: users, domains, and more.

9. Gain deeper insight with built-in automated detonation. Configure URL entities in analytics rules. Automatically trigger URL detonation. Enrich alerts with verdicts, final URLs, and screenshots (e.g. for phishing sites).

DEMO

QUESTION “Defenders think in ____. Attackers think in ____.” John Lambert, Microsoft Threat Intelligence Center

ANSWER “Defenders think in lists. Attackers think in graphs.” John Lambert, Microsoft Threat Intelligence Center

Automation

10. Automate and orchestrate security operations using integrated Azure Logic Apps. Build automated and scalable playbooks that integrate across tools. Choose from a library of samples. Create your own playbooks using 200 built-in connectors. Trigger a playbook from an alert or an incident investigation.

Example playbooks, grouped under Incident Management, Enrichment, Investigation, and Remediation: Assign an Incident to an Analyst; Open a Ticket (ServiceNow/Jira); Lookup Geo for an IP; Trigger Defender ATP Investigation; Block an IP Address; Block User Access; Keep Incident Status in Sync; Post in a Teams or Slack Channel; Send Validation Email to User; Trigger Conditional Access; Isolate Machine.

DEMO

Roadmap (two columns: Delivered Since Public Preview, and Coming Soon): Microsoft and 3P Data Connectors (Defender ATP, Cloud App Security, Zscaler, and more); Additional Data Connectors (more Microsoft services, Logstash); 100 Built-In Detections, rule-based and ML; New Built-In Detections, rule-based and ML; Investigation Graph and Entities; Additional Detections Powered by Microsoft Threat Intelligence; Workbooks with Improved Data Visualizations; Bring Your Own ML Models; Support for Incident Automation; Threat Intelligence Research, Including Full STIX Objects; Embedded Azure Notebooks; Live Stream Monitoring of Notable Events; GitHub Integration; URL Detonation; Entity Pages (Users, Domains, IPs); and much more.

Thank you! Cristhofer Romeo Muñoz, Program Manager II, C+AI. [email protected]
