Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Microsoft Sentinel in Action

You're reading from   Microsoft Sentinel in Action Architect, design, implement, and operate Microsoft Sentinel as the core of your security solutions

Arrow left icon
Product type Paperback
Published in Feb 2022
Publisher Packt
ISBN-13 9781801815536
Length 478 pages
Edition 2nd Edition
Arrow right icon
Authors (2):
Arrow left icon
Richard Diver Richard Diver
Author Profile Icon Richard Diver
Richard Diver
Gary Bushey Gary Bushey
Author Profile Icon Gary Bushey
Gary Bushey
Arrow right icon
View More author details
Toc

Table of Contents (23) Chapters Close

Preface 1. Section 1: Design and Implementation
2. Chapter 1: Getting Started with Microsoft Sentinel FREE CHAPTER 3. Chapter 2: Azure Monitor – Introduction to Log Analytics 4. Section 2: Data Connectors, Management, and Queries
5. Chapter 3: Managing and Collecting Data 6. Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel 7. Chapter 5: Using the Kusto Query Language (KQL) 8. Chapter 6: Microsoft Sentinel Logs and Writing Queries 9. Section 3: Security Threat Hunting
10. Chapter 7: Creating Analytic Rules 11. Chapter 8: Creating and Using Workbooks 12. Chapter 9: Incident Management 13. Chapter 10: Configuring and Using Entity Behavior 14. Chapter 11: Threat Hunting in Microsoft Sentinel 15. Section 4: Integration and Automation
16. Chapter 12: Creating Playbooks and Automation 17. Chapter 13: ServiceNow Integration for Alert and Case Management 18. Section 5: Operational Guidance
19. Chapter 14: Operational Tasks for Microsoft Sentinel 20. Chapter 15: Constant Learning and Community Contribution 21. Assessments 22. Other Books You May Enjoy

SOC platform components

As described earlier, the SOC platform includes a range of technologies to assist with the proactive and reactive procedures carried out by various teams. Each of these solutions should help the SOC analysts to perform their duties at the most efficient level to ensure a high degree of protection, detection, and remediation.

The core components of the SOC include log management and SIEM, SOAR, vulnerability management, threat intelligence, and incident response. All these components are addressed by the deployment of Microsoft Sentinel. Additional solutions will be required, and integrated, for other SOC platform capabilities such as intrusion prevention/detection, file integrity monitoring, and disaster recovery.

An SOC deployment using Microsoft Sentinel comprises the following components:

  • Azure Monitor Log Analytics workspaces are created for data collection and analysis. These were originally created to ensure a cloud-scale log management solution for both cloud-based and physical data center-based workloads. Once the data is collected, a range of solutions can then be applied to analyze the data for health, performance, and security considerations. Some solutions were created by Microsoft, and others were created by partners.
  • Microsoft Sentinel was developed to address the need for a cloud-native solution as an alternative to existing server-based SIEM solutions that have become a mainstay of security and compliance over the last decade. Microsoft Sentinel is built upon the existing services of Azure Monitor and Log Analytics. It is also integrated with other services such as Logic Apps and Azure Data Explorer.

    The popularity of cloud services provides some key advantages, including reduced storage costs, rapid scale compute, automated service maintenance, and continuous improvement as Microsoft creates new capabilities based on customer and partner feedback.

    One of the immediate benefits of deploying Microsoft Sentinel is rapid enablement without the need for costly investment in the supporting infrastructure, such as servers, storage, and complex licensing. The Microsoft Sentinel service is charged based on data consumption, per gigabyte per month. This allows the initial deployment to start small and grow as needed until full-scale deployment and maturity can be achieved.

    Ongoing maintenance is also simplified as there are no servers to maintain or licenses to renew. You will want to ensure regular optimization of the solution by reviewing the data ingestion and retention for relevance and suitability. This will keep costs reasonable and improve the quality of data used for threat hunting.

  • Logic Apps provides integration with a vast array of enterprise solutions, ensuring workflows are connected across the multiple cloud platforms and to existing on-premises solutions. This is a core part of the integration and automation (SOAR) capabilities of the platform.

Logic Apps is a standards-based solution that provides a robust set of capabilities. You can also use third-party SOAR solutions if you have already invested in one of those platforms.

The SOC platform components are a starting point, but there may be several other services you will want to deploy in your SOC implementation. In the next section, we will look at an approach to mapping the SOC architecture's current state and requirements.

You have been reading a chapter from
Microsoft Sentinel in Action - Second Edition
Published in: Feb 2022
Publisher: Packt
ISBN-13: 9781801815536
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image