Introduction
This article is a collection of resources for Azure Sentinel designed to get you up and running with the service as quickly as possible. It is organized by broad topic area to allow you to quickly navigate to your area of interest. Most topics are broken down into groups of related articles.
Most of the resources in this article are listed in tables with a short title and a link to the resource. The final two columns in each table show the type of resource and an indication of whether the topic is relatively advanced or specialized.
Resource types used in the tables:
- Blog
- Azure Document
- GitHub Location
- Video/Webinar
Advanced articles are indicated with a bold A.
Note: many of the video/webinar links have a companion deck. You can view the full list here.
Contents
- Overview
- Creating Your Azure Sentinel Workspace
- Onboarding Data
- Monitoring Activity
- Detections
- Investigations
- Hunting
- Remediation and Automation
- Community Articles and Resources
- Other Resources
Overview
If you are new to Azure Sentinel or need a refresher on the core components you should read this overview document.
https://docs.microsoft.com/en-us/azure/sentinel/overview
If you find terms in this document that you are not familiar with, you should refer back to the Azure Sentinel Overview to clarify them.
This webinar is also a useful, more technical overview of Azure Sentinel features:
Azure Sentinel webinar: Understanding Azure Sentinel features and functionality deep dive – YouTube
Azure Sentinel Community and Contributing
You can contribute detections, hunting queries, workbooks, Jupyter notebooks and playbooks to the Azure Sentinel user community. Find out more about this here:
https://github.com/Azure/Azure-Sentinel/wiki
The Wiki is part of the Azure Sentinel GitHub, which is the central repository for Microsoft and community contributions to Azure Sentinel: https://github.com/Azure/Azure-Sentinel
Creating Your Azure Sentinel Workspace
Most of you reading this will have already set up your Workspace. If not, here is a quick introduction:
https://docs.microsoft.com/en-us/azure/sentinel/quickstart-onboard
Automating Azure Sentinel Setup
Even though this article is focused on setting up a lab environment, it contains a lot of information about automating workspace creation and configuration with Azure Resource Manager (ARM) templates.
Other Azure Sentinel Design and Deployment Articles
These articles are all relatively advanced topics.
| Resource | Link | Advanced |
|---|---|---|
| Cloud & on-prem architecture | | A |
| Managing Multiple tenants with Azure Lighthouse | | A |
| Architect your Sentinel Deployment | | A |
| Running Sentinel alongside Splunk | | A |
| Table Level Role Based Access Control | https://techcommunity.microsoft.com/t5/azure-sentinel/table-level-rbac-in-azure-sentinel/ba-p/965043 | A |
| Deploying and Managing Azure Sentinel as Code | | A |
| Combining Lighthouse with Sentinel DevOps | | A |
Onboarding Data
Identifying Critical Data
The data that is critical to identifying malicious activity will vary from organization to organization. It will likely include many of the following categories:
| Category | Examples |
|---|---|
| Host/Endpoint Logs | Log Analytics Agent, Syslog, Auditd, Windows Event Collection |
| Authentication Logs | Azure Active Directory, AWS CloudTrail |
| Cloud Infrastructure | Azure Activity, AWS CloudTrail, Azure Storage |
| Cloud Application Logs | Office 365 |
| Network Infrastructure and Device Logs | Syslog, Azure Network Analytics, OMS Wiredata |
Identifying what data is already Onboarded
How do you know what data you already have available in Azure Log Analytics? You can use the Workspace Usage workbook for an overview of data usage in your workspace. Alternatively, use the Log Analytics query tool to browse your data tables and their schema. The KQL search is useful to get a view of how much data you have of each type:
More details about querying data in Azure Sentinel can be found in this article:
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overview.
Costs of Data in Azure Sentinel
| Resource | Link | Advanced |
|---|---|---|
| Office 365, Azure AD and AWS data are free | https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/ | |
| Calculate data storage costs | https://azure.microsoft.com/en-us/pricing/calculator/?service=azure-sentinel | |
| Custom retention periods for data | | A |
Onboarding new data
These articles cover the general operation and setup of data connectors and ingestion of data into Azure Sentinel.
| Resource | Link |
|---|---|
| Quick Start | https://docs.microsoft.com/en-us/azure/sentinel/quickstart-onboard |
| Getting data into Azure Sentinel | https://www.youtube.com/watch?v=4HuxC-eCegs |
| Built-in Connectors | https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources |
| Custom Connectors | |
Common Data Sources
Azure Sentinel documentation has many articles covering ingesting data from hosts, Microsoft Security Services and Cloud Services and other common sources. The following table highlights some of these.
| Resource | Link |
|---|---|
| Windows Security Events | https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events |
| AWS | https://docs.microsoft.com/en-us/azure/sentinel/connect-aws |
| Azure Active Directory | https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory |
| Office 365 | https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365 |
| Microsoft Teams | |
| Azure Security Center alerts | https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center |
| Microsoft Defender alerts | |
| Cloud App Security (MCAS) | https://docs.microsoft.com/en-us/azure/sentinel/connect-cloud-app-security |
| Azure Activity | https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-activity |
| Syslog | https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog |
| CEF (Common Event Format) | https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format |
In the same documentation section as the references above, you can also find instructions for other data sources such as Azure ATP, Windows Firewall, Azure Information Protection, Barracuda, Citrix, F5, ForcePoint, Squadra, Symantec and others.
Other Data Sources
Other references on importing log data into Azure Sentinel.
| Resource | Link | Advanced |
|---|---|---|
| Linux Auditd ingestion and monitoring | | |
| Best Practices for bringing in Common Event Framework data | | |
| Understanding the Log Analytics Agent | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent | |
| Bringing in Proofpoint TAP logs to Azure Sentinel | | A |
Threat Intelligence Data
Threat intelligence data can enhance your ability to detect malicious actions in detections, investigations and hunting.
| Resource | Link |
|---|---|
| Bring your own Threat Intel | |
| Deep Dive in Threat Intelligence | |
Monitoring Activity
Basic information about your workspace is available in the Overview panel. The Incidents pane is also a key view where you can see current unresolved incidents from alerts (see Detections section later in the document).
Workbooks
Workbooks are one of the most useful tools in monitoring ongoing operations. Workbooks are a type of interactive and customizable dashboard view that gather multiple views and visualizations of data into a single pane.
They can include queried data from any Azure Sentinel table, although they are often designed to show multiple facets of one specific data set. You can choose from a variety of workbooks available within Azure Sentinel and a larger selection in the Azure Sentinel GitHub repo.
| Resource | Link |
|---|---|
| Workbooks | https://docs.microsoft.com/en-us/azure/sentinel/tutorial-monitor-your-data |
| GitHub available Workbooks | https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks |
Detections
Azure Sentinel has many built-in detections. You can supplement these with alerts from your other detection services such as Azure Security Center, Office365 ATP, WDATP and Azure ATP. You can also create your own detection rules or import them from other sources.
Enabling Azure Sentinel Detections
These references describe the Azure Sentinel built-in detection rules and some other common detection sources. For building your own custom detection rules, see also the articles in the Log Queries and the Kusto Query Language section later in the document.
| Resource | Link |
|---|---|
| Built-in Detections | https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-built-in |
| Custom Analytics | https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom |
| Create Incidents from Alerts | https://docs.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts |
| URL Detonation | |
| Azure Security Center | |
| Office 365 Alerts | |
| Multistage attack detection | https://docs.microsoft.com/en-us/azure/sentinel/fusion |
| Detection Details and public repository | https://github.com/Azure/Azure-Sentinel/tree/master/Detections |
External Detection Rule Sources and Providers
You can also integrate other threat detection services. Sigma rules are a particularly useful source of detection logic. The Proofpoint TAP blog shows a general mechanism for importing alerts from a REST API, which can be used to bring alerts from many providers into Azure Sentinel. Many of the data providers listed
| Resource | Link | Advanced |
|---|---|---|
| Importing Sigma Rules to Azure Sentinel | | |
| Sigma and SOCPrime integration | | |
| Ingesting AlienVault OTX into Azure Sentinel | | A |
Investigations
Overview
| Resource | Link |
|---|---|
| End-to-End SOC scenario | https://www.youtube.com/watch? |
Investigation Graph
The investigation graph is the hub around which many investigation tasks pivot. It gives you an interactive graphical view of connected alerts and entities related to a single investigation. You can explore the context of each item in the investigation panel, add related entities and view the timeline of the attack.
| Resource | Link |
|---|---|
| Investigation Graph | https://docs.microsoft.com/en-us/azure/sentinel/tutorial-investigate-cases |
Log Queries and the Kusto Query Language
The core of Azure Sentinel is the query engine. Detections, Workbooks, Hunting and Investigation tools are all powered by the Log Analytics query engine. You will need some understanding of Kusto in order to run ad hoc queries or create new detection alerts.
| Resource | Link | Advanced |
|---|---|---|
| Introduction to Log Query | https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overview | |
| Azure Sentinel Correlation – Join operator | | |
| Azure Sentinel Correlation – make_list/in | | |
| Deep dive on correlation Rules | | |
| KQL Functions | | A |
| KQL Reference | https://docs.microsoft.com/en-us/azure/kusto/query/ | |
| Introduction to KQL (Pluralsight) | https://app.pluralsight.com/library/courses/kusto-query-language-kql-from-scratch/table-of-contents | |
| Including external data in your queries | | A |
Workbooks
Using workbooks to show multiple views of related data can help you understand the context of different elements involved in a potential attack. If an attack is confirmed, they can also help you understand the connections and further understand blast radius.
| Resource | Link |
|---|---|
| Workbooks | https://docs.microsoft.com/en-us/azure/sentinel/tutorial-monitor-your-data |
| GitHub available Workbooks | https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks |
Hunting
Threat hunting can identify previously undetected malicious activity in your environment. As well as spotting potentially malicious activity, you can use your hunting findings to create detection rules that will alert on these patterns in the future.
Threat Hunting and Investigation Techniques
| Resource | Link | Advanced |
|---|---|---|
| General Threat Hunting | | |
| Using Bookmarks in hunting | https://docs.microsoft.com/en-us/azure/sentinel/bookmarks | |
| Using Livestream in hunting | https://docs.microsoft.com/en-us/azure/sentinel/livestream | |
| Tracking High Value Accounts | | |
| Using Time series analysis to detect anomalous patterns | | A |
| Identifying Network Beaconing | | A |
| Office 365 specific threat hunting | | A |
| Taking a known breach and looking at your environment – Capital One Breach | | A |
| GitHub available Hunting queries | https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries | |
Workbooks
Workbooks can help you identify trends, assess blast radius and pinpoint areas for further investigation.
| Resource | Link |
|---|---|
| Mapping your users travel | |
| Map security events across the globe | |
| GitHub available Workbooks | https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks |
Jupyter Notebooks
Jupyter Notebooks for advanced investigations allow for extensive customization, bringing in multiple disparate tools and methods available across the cyber security landscape.
| Resource | Link | Advanced |
|---|---|---|
| Getting started with Jupyter Notebooks | https://docs.microsoft.com/en-us/azure/sentinel/notebooks | |
| Using Jupyter notebooks in an investigation | | A |
| 3 part series on Security Investigations using Jupyter Notebooks | | A |
| Linux Host Explorer | | A |
| Using Threat Intel in your Jupyter Notebook | | A |
| Jupyter Notebook repository | https://github.com/Azure/Azure-Sentinel-Notebooks | A |
| MSTICPY – InfoSec defenders Python library for Jupyter Notebooks | https://github.com/Microsoft/msticpy | A |
Remediation and Automation
Respond to threats automatically using Playbooks to allow for rapid response and blocking of attacks. Playbooks are implemented using Azure Logic Apps. Using them, you can create complex workflows involving notifications, requesting approvals, and reading from and updating data sources using a variety of services such as Teams, Office 365, ServiceNow and others.
| Resource | Link |
|---|---|
| How to run a playbook in Azure Sentinel | https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook |
| Playbooks available on GitHub | https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks |
| Azure Logic Apps overview | https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-overview |
Community Articles and Resources
The following table is a list of articles from the Azure Sentinel Community Wiki. New content is being added frequently so be sure to check this location directly.
https://github.com/Azure/Azure-Sentinel/wiki/Community-Publications
Other Resources
General
| Resource | Link |
|---|---|
| Azure Sentinel Documentation | https://docs.microsoft.com/en-us/azure/sentinel/ |
| Azure Sentinel Technical Community Blog | https://techcommunity.microsoft.com/t5/forums/postpage/board-id/AzureSentinelBlog |
| Azure Sentinel Community Publications | https://github.com/Azure/Azure-Sentinel/wiki/Community-Publications |
| Security Community Webinars | |
Customer Stories
Conclusion
We hope that you have found this article a useful guide to documentation and resources for Azure Sentinel. This article is not intended to replace central documentation resources like Azure Docs. We will try to update it with new and changed resources until something more permanent is in place. We welcome any feedback on additional content to include.
Contributions