WEBVTT

0:00:02.600000 --> 0:00:08.080000
In any enterprise environment, one of the key elements, one of the key

0:00:08.080000 --> 0:00:12.940000
management tools that we now have and that we commonly use, is centralized

0:00:12.940000 --> 0:00:14.480000
security monitoring.

0:00:14.480000 --> 0:00:16.660000
There's many tools out there.

0:00:16.660000 --> 0:00:21.200000
In this video, I'm going to give an introduction to a tool that's built

0:00:21.200000 --> 0:00:26.060000
into Azure, powerful tool that's built into Azure, known as Azure Sentinel.

0:00:26.060000 --> 0:00:32.280000
Now, Azure Sentinel is a relatively new product offering from Microsoft

0:00:32.280000 --> 0:00:36.540000
and Azure. It's powerful, it does many different things.

0:00:36.540000 --> 0:00:40.880000
I mentioned right away that this is an introductory video.

0:00:40.880000 --> 0:00:46.240000
Azure Sentinel itself, certainly to give it full coverage, could span

0:00:46.240000 --> 0:00:49.700000
multiple videos, possibly even its own course.

0:00:49.700000 --> 0:00:52.820000
So we're just going to hit the highlights here, give you a feel for what

0:00:52.820000 --> 0:00:57.180000
Sentinel is, and then frankly, we're going to go ahead and move on a bit.

0:00:57.180000 --> 0:00:58.700000
So what is Sentinel?

0:00:58.700000 --> 0:00:59.980000
What are we going to talk about?

0:00:59.980000 --> 0:01:02.700000
We're going to talk about first of all, well, what it is.

0:01:02.700000 --> 0:01:05.140000
We'll talk about its basic capabilities.

0:01:05.140000 --> 0:01:08.200000
We'll look at different data sources and how you can set those up.

0:01:08.200000 --> 0:01:11.500000
We'll also talk a little bit briefly about some requirements.

0:01:11.500000 --> 0:01:16.240000
Then finally, I'm going to go in and run a brief demonstration of Azure

0:01:16.240000 --> 0:01:20.060000
Sentinel. So let's go ahead and let's move forward.
0:01:20.060000 --> 0:01:22.980000
So first things first, what is Azure Sentinel?

0:01:22.980000 --> 0:01:28.360000
It is Microsoft's security information event management system.

0:01:28.360000 --> 0:01:32.080000
That's obviously a fairly common term, and it's important.

0:01:32.080000 --> 0:01:33.400000
You'll see the SIEM.

0:01:33.400000 --> 0:01:36.380000
I see it all the time when I read InfoSec stuff.

0:01:36.380000 --> 0:01:41.700000
But it's also, and this is pretty cool, and it's relatively straightforward,

0:01:41.700000 --> 0:01:44.420000
security orchestration automated response.

0:01:44.420000 --> 0:01:45.940000
What does that mean?

0:01:45.940000 --> 0:01:47.700000
It's got a great acronym for one.

0:01:47.700000 --> 0:01:52.080000
But beyond having a great acronym, what it also means is that you can

0:01:52.080000 --> 0:01:56.380000
automate responses using this tool.

0:01:56.380000 --> 0:01:58.400000
What does this tool do?

0:01:58.400000 --> 0:01:59.980000
Well, it collects.

0:01:59.980000 --> 0:02:03.860000
You're going to collect data at cloud scale.

0:02:03.860000 --> 0:02:09.080000
You have users, devices, applications, various infrastructure, and this

0:02:09.080000 --> 0:02:10.720000
isn't just in Azure.

0:02:10.720000 --> 0:02:15.980000
This also applies to on-premises environments as well as other cloud environments.

0:02:15.980000 --> 0:02:18.360000
It's going to detect.

0:02:18.360000 --> 0:02:23.580000
Microsoft has advanced analytics, artificial intelligence, that's running

0:02:23.580000 --> 0:02:27.080000
underneath it, that's been developed over many years.

0:02:27.080000 --> 0:02:32.480000
And it's looking at patterns, and it's looking not only to say, okay,

0:02:32.480000 --> 0:02:35.820000
this looks like an incident, but it's looking across the entire threat

0:02:35.820000 --> 0:02:39.900000
chain to see our attack chain, excuse me, kill chain.

0:02:39.900000 --> 0:02:45.160000
There we go. Where those incidents are, how serious they are, whether

0:02:45.160000 --> 0:02:47.420000
things can just be kind of ignored, etc.

0:02:47.420000 --> 0:02:52.740000
So you've got good, very good, again, years of development into the artificial

0:02:52.740000 --> 0:02:56.920000
intelligence, the machine learning that's guiding this detection.

0:02:56.920000 --> 0:03:00.660000
You also have very capable tools to investigate.

0:03:00.660000 --> 0:03:05.280000
Now, the tool in itself is actually all built on top of log analytics.

0:03:05.280000 --> 0:03:11.780000
And log analytics, which has the Kusto query engine, is this really powerful

0:03:11.780000 --> 0:03:15.400000
querying tool. And so it's going to collect all the data, it's going to

0:03:15.400000 --> 0:03:18.160000
put it in there, and then it's going to write these queries and pull data

0:03:18.160000 --> 0:03:22.960000
back out. And, you know, maybe the first time you've heard of the Kusto

0:03:22.960000 --> 0:03:27.300000
queries, but it doesn't matter because there's so many built-in capabilities

0:03:27.300000 --> 0:03:33.760000
for doing things like threat hunting and just investigation in general.

0:03:33.760000 --> 0:03:39.560000
And then also, you have the ability to respond, right?

0:03:39.560000 --> 0:03:40.660000
And that's what that is right there.

0:03:40.660000 --> 0:03:46.500000
And the response is based on Azure Monitor workbooks, which are, in turn,

0:03:46.500000 --> 0:03:51.920000
based on log, excuse me, I always say log analytics, logic applications,

0:03:51.920000 --> 0:03:54.360000
two LAs. Never mind.

0:03:54.360000 --> 0:03:57.040000
Logic applications, all right?
0:03:57.040000 --> 0:04:00.300000
So if you know how to build logic applications and we have videos on that,

0:04:00.300000 --> 0:04:05.400000
you can actually tie those logic applications into various incidents or

0:04:05.400000 --> 0:04:08.760000
alerts and have them kick off and do things automatically, which is pretty

0:04:08.760000 --> 0:04:10.240000
cool stuff. All right.

0:04:10.240000 --> 0:04:18.160000
Now, what are some of the capabilities that we have within our log analytics?

0:04:18.160000 --> 0:04:21.160000
And that's what we're going to head to next.

0:04:21.160000 --> 0:04:23.800000
Okay. So what do we have?

0:04:23.800000 --> 0:04:28.720000
Well, first of all, we have intelligent incident analysis.

0:04:28.720000 --> 0:04:33.000000
Okay. In other words, again, it's looking for threat patterns across multiple

0:04:33.000000 --> 0:04:38.400000
activities. It's really compiling data, massive amounts of data, and not

0:04:38.400000 --> 0:04:42.280000
just alerting over every little possible thing, but definitely catching

0:04:42.280000 --> 0:04:47.100000
things that may be very difficult to catch otherwise.

0:04:47.100000 --> 0:04:49.080000
Okay. Now, we have this concept of workbooks.

0:04:49.080000 --> 0:04:54.240000
The workbooks are actually based on monitoring Azure Monitor workbooks.

0:04:54.240000 --> 0:04:57.580000
And really what a workbook is, it's pretty much a dashboard.

0:04:57.580000 --> 0:05:01.460000
Okay. There's many pre-built workbooks.

0:05:01.460000 --> 0:05:04.500000
I'm going to set dashboards there that are in the system.

0:05:04.500000 --> 0:05:07.860000
I'm going to show that to you, but you can also create your own.

0:05:07.860000 --> 0:05:11.640000
Okay. There are a number of hunting tools and, you know, really hunting

0:05:11.640000 --> 0:05:12.620000
you're looking for analytics.
0:05:12.620000 --> 0:05:18.480000
You're looking to go back and look at activities and see what's going

0:05:18.480000 --> 0:05:20.780000
on and recognize patterns.

0:05:20.780000 --> 0:05:25.320000
And there are, again, same kind of thing as the workbooks.

0:05:25.320000 --> 0:05:28.640000
You can write your own queries and you can look for this, but there are

0:05:28.640000 --> 0:05:33.980000
so many built-in queries for common threat hunting scenarios that it's

0:05:33.980000 --> 0:05:38.120000
literally a click of the button and you can see what matches up a variety

0:05:38.120000 --> 0:05:40.140000
of threats. Okay.

0:05:40.140000 --> 0:05:42.260000
Also, they have integrated.

0:05:42.260000 --> 0:05:46.440000
Now, this at the time of recording is in preview.

0:05:46.440000 --> 0:05:49.780000
They have integrated Jupyter Analytics Notebooks.

0:05:49.780000 --> 0:05:53.360000
So if you're used to something called Databricks, you can actually apply

0:05:53.360000 --> 0:06:03.220000
that now. Those concepts, you can apply them to your, your Sentinel view.

0:06:03.220000 --> 0:06:08.100000
And there are a, as with everything else, there's many built-in, pre-built

0:06:08.100000 --> 0:06:11.200000
examples that you can pull in and you can work with.

0:06:11.200000 --> 0:06:13.500000
It's very interesting things.

0:06:13.500000 --> 0:06:17.780000
Now, at the heart of all of this, really, is down here under configuration.

0:06:17.780000 --> 0:06:20.620000
The first thing that you need is you need data, okay?

0:06:20.620000 --> 0:06:24.420000
As I mentioned, you've got your, your Sentinel.

0:06:24.420000 --> 0:06:28.160000
Sentinel is associated with log analytics and you have to pull data in.

0:06:28.160000 --> 0:06:30.560000
All right, and that's where you set up your data connectors.

0:06:30.560000 --> 0:06:33.900000
And in just a moment, we'll talk a little bit more about what some of

0:06:33.900000 --> 0:06:35.200000
those data sources are.
0:06:35.200000 --> 0:06:36.640000
So really wide range.

0:06:36.640000 --> 0:06:41.880000
And in fact, it uses standards, it uses syslog.

0:06:41.880000 --> 0:06:45.060000
So if you've got something that's reporting to that, it can be integrated,

0:06:45.060000 --> 0:06:48.160000
or it can be integrated via its own API.

0:06:48.160000 --> 0:06:52.240000
There's a number of, a number of security systems, firewalls, that kind

0:06:52.240000 --> 0:06:57.180000
of thing that are already integrated via API, again, as well as syslog.

0:06:57.180000 --> 0:06:58.860000
And we'll get to that in just a moment.

0:06:58.860000 --> 0:07:00.040000
All right, analytics.

0:07:00.040000 --> 0:07:05.020000
And in a sense, the data connections in the analytics are what is at the

0:07:05.020000 --> 0:07:10.260000
heart of Sentinel, because the analytics are given those alert queries,

0:07:10.260000 --> 0:07:14.060000
they're letting, first again, tremendous number of these pre-built, plus

0:07:14.060000 --> 0:07:15.440000
you can build your own.

0:07:15.440000 --> 0:07:19.280000
And they're really looking through that data through, hopefully, that,

0:07:19.280000 --> 0:07:23.960000
you know, a large amount of data that's being collected to define what

0:07:23.960000 --> 0:07:25.700000
it is that you need to do.

0:07:25.700000 --> 0:07:28.000000
All right, our look for, excuse me, playbooks.

0:07:28.000000 --> 0:07:30.400000
Playbooks are simply the automation component.

0:07:30.400000 --> 0:07:37.200000
They're logic apps, and you can automate them as a response to activity

0:07:37.200000 --> 0:07:41.880000
in Sentinel. And I've got one that doesn't actually do anything, but I

0:07:41.880000 --> 0:07:44.380000
wanted to show that to you when I go through demonstration, just so you

0:07:44.380000 --> 0:07:46.860000
get to feel and understand kind of how that's hooked up.
0:07:46.860000 --> 0:07:50.320000
If you understand logic apps, then really all you need to do is see the

0:07:50.320000 --> 0:07:54.760000
trigger mechanism for a Sentinel playbook, and then really what you do

0:07:54.760000 --> 0:07:58.000000
beyond that is up to whatever logic you want to implement.

0:07:58.000000 --> 0:08:01.560000
And again, we're not going to go deep into logic apps in this video, they

0:08:01.560000 --> 0:08:04.620000
are covered elsewhere throughout INE.

0:08:04.620000 --> 0:08:07.100000
All right, now what else do we have?

0:08:07.100000 --> 0:08:08.080000
These data sources.

0:08:08.080000 --> 0:08:11.940000
And I wanted to bring these out because I think this is really critical,

0:08:11.940000 --> 0:08:14.900000
right? Because if you're not collecting this data, Sentinel can't analyze

0:08:14.900000 --> 0:08:19.180000
this data. First of all, we've got a number of services that are

0:08:19.180000 --> 0:08:24.540000
directly integrated into the Sentinel framework.

0:08:24.540000 --> 0:08:28.020000
Amazon Web Services, if you're using CloudTrail, you can actually ingest

0:08:28.020000 --> 0:08:30.300000
that, Office 365.

0:08:30.300000 --> 0:08:35.000000
You can see quite a number of Azure AD, Azure Activity, which is most

0:08:35.000000 --> 0:08:39.620000
everything. Security Center, Information Protection, Advanced Threat Protection,

0:08:39.620000 --> 0:08:43.140000
all of those can be integrated into Sentinel.

0:08:43.140000 --> 0:08:46.900000
So that data that's being collected from those, and they have their own

0:08:46.900000 --> 0:08:51.800000
independent responsibilities, but you can also pull those in and kind

0:08:51.800000 --> 0:08:54.800000
of integrate across all of these different systems.

0:08:54.800000 --> 0:08:59.480000
Also within Windows, Windows Security Events, Windows Firewall Events,

0:08:59.480000 --> 0:09:02.820000
those all can be directly integrated as well.
0:09:02.820000 --> 0:09:06.140000
And again, that could be an on-premises Windows machine or it could be

0:09:06.140000 --> 0:09:07.700000
a cloud-based Windows machine.

0:09:07.700000 --> 0:09:14.580000
As I mentioned, there are a number of security providers that are already

0:09:14.580000 --> 0:09:17.240000
integrated via their API.

0:09:17.240000 --> 0:09:23.100000
So you can see Barracuda, Symantec, Citrix, Analytics, Security, all of

0:09:23.100000 --> 0:09:25.200000
which, and there's many more.

0:09:25.200000 --> 0:09:31.540000
And then again, anything that's using syslog can be integrated via an

0:09:31.540000 --> 0:09:38.480000
agent that can consume that can, well, consume that information.

0:09:38.480000 --> 0:09:40.740000
There's a link down at the bottom of the slide.

0:09:40.740000 --> 0:09:46.740000
You can also do a search that has a complete list of the currently available

0:09:46.740000 --> 0:09:51.500000
data sources. Again, when I say complete list, of course, if it can use

0:09:51.500000 --> 0:09:55.000000
syslog and can be integrated, then that's really anything that's using

0:09:55.000000 --> 0:09:57.540000
that very common protocol.

0:09:57.540000 --> 0:10:01.940000
Now, there are a few requirements for using Sentinel.

0:10:01.940000 --> 0:10:06.440000
First of all, you need a log analytics workspace, which is fine because

0:10:06.440000 --> 0:10:10.120000
that can be created when you provision Sentinel itself.

0:10:10.120000 --> 0:10:13.940000
You also have to have the subscription contributor role.

0:10:13.940000 --> 0:10:17.520000
And for anything you're going to analyze, you need resource group contributor

0:10:17.520000 --> 0:10:22.340000
or reader. And also understand this is a paid service.

0:10:22.340000 --> 0:10:28.800000
You are paying for the volume of log information that is being processed

0:10:28.800000 --> 0:10:33.660000
and analyzed. And so you absolutely want to take a look at that.
0:10:33.660000 --> 0:10:37.940000
Honestly, for demonstration purposes, I have mine very isolated.

0:10:37.940000 --> 0:10:43.180000
I'm not running much on it because I'm not using it for production and I'd

0:10:43.180000 --> 0:10:47.580000
rather not pay for production type functionality.

0:10:47.580000 --> 0:10:53.660000
All right, let's go ahead and speaking of which, let's take a look at

0:10:53.660000 --> 0:10:57.540000
Azure Sentinel. Now, I'm just going to walk through this.

0:10:57.540000 --> 0:11:01.520000
I'm not going to go into depth and everything, as I said, that would be

0:11:01.520000 --> 0:11:03.700000
an extremely long video.

0:11:03.700000 --> 0:11:07.780000
But I just want to give you a sense of what it is and what can be done

0:11:07.780000 --> 0:11:16.720000
with it. So let's go ahead and let's take a look at that.

0:11:16.720000 --> 0:11:18.420000
Here I've got Azure Sentinel.

0:11:18.420000 --> 0:11:22.760000
Now, I've already set up Azure Sentinel and I have already associated

0:11:22.760000 --> 0:11:29.320000
Azure Sentinel with a log analytics workspace.

0:11:29.320000 --> 0:11:31.800000
Now, what I'm going to do is I'm going to come down here first to data

0:11:31.800000 --> 0:11:34.160000
connectors because that's really where things start.

0:11:34.160000 --> 0:11:37.900000
I'm going to jump around a little bit, but this is where you get your

0:11:37.900000 --> 0:11:38.600000
information from.

0:11:38.600000 --> 0:11:43.300000
And here are the ones who, for example, if I had Amazon Web Services and

0:11:43.300000 --> 0:11:47.560000
I wanted to include that, I could open up its connector.

0:11:47.560000 --> 0:11:55.640000
And I could configure the information here and go into AWS.

0:11:55.640000 --> 0:11:59.300000
And of course, I'd have to configure that from both sides.

0:11:59.300000 --> 0:12:02.520000
And you can see certain things like Azure Active Directory.
0:12:02.520000 --> 0:12:06.160000
Obviously, that's going to be very straightforward Azure activity.

0:12:06.160000 --> 0:12:10.780000
I have one that I actually have active down here.

0:12:10.780000 --> 0:12:12.480000
There we go. I have security events.

0:12:12.480000 --> 0:12:18.100000
And those are going to be Windows Server Security events that I'm just

0:12:18.100000 --> 0:12:21.740000
using. So I get a little bit of information that I can demonstrate.

0:12:21.740000 --> 0:12:25.080000
And open up connector page.

0:12:25.080000 --> 0:12:29.680000
That actually tells you what you have to do is you have to download and

0:12:29.680000 --> 0:12:32.040000
configure an agent.

0:12:32.040000 --> 0:12:36.040000
And I can install an agent on a Windows virtual machine or on a non-Azure

0:12:36.040000 --> 0:12:37.500000
Windows machine.

0:12:37.500000 --> 0:12:39.700000
Okay. So those are my data connectors.

0:12:39.700000 --> 0:12:42.700000
That's really where it starts.

0:12:42.700000 --> 0:12:49.160000
Now, the analytics, these are going to be in the rules that are kind of

0:12:49.160000 --> 0:12:51.260000
driving your analytics.

0:12:51.260000 --> 0:12:56.240000
And you're not actually doing much here directly as far as you're not

0:12:56.240000 --> 0:12:58.100000
doing any of the actual analytics here.

0:12:58.100000 --> 0:13:00.980000
This is really defining what's generating the analytics.

0:13:00.980000 --> 0:13:06.400000
All right. So this is a rule that's based on Fusion.

0:13:06.400000 --> 0:13:11.020000
Fusion is the underlying logic behind this.

0:13:11.020000 --> 0:13:14.980000
So advanced multi-stage attack detection.

0:13:14.980000 --> 0:13:17.180000
I've got that. Okay.

0:13:17.180000 --> 0:13:22.260000
I can create my own new rules.

0:13:22.260000 --> 0:13:24.840000
Say, I wanted to...

0:13:24.840000 --> 0:13:27.060000
Oh, yeah. That was just it.

0:13:27.060000 --> 0:13:34.000000
There we go. So I'm going to do a query rule or an incident creation rule.

0:13:34.000000 --> 0:13:37.160000
So I could give it a name, description.

0:13:37.160000 --> 0:13:40.060000
All right. I base it on some security service.

0:13:40.060000 --> 0:13:42.280000
Let's say Security Center.

0:13:42.280000 --> 0:13:46.540000
And there are alerts specific that I can include in this.

0:13:46.540000 --> 0:13:49.840000
I'm not going to that detail, but that's really letting me define kind

0:13:49.840000 --> 0:13:52.460000
of the advanced analytics that are going to occur.

0:13:52.460000 --> 0:13:56.520000
Now I'm going to jump back up to the top because I've got this cool little

0:13:56.520000 --> 0:13:57.720000
overview. All right.

0:13:57.720000 --> 0:14:01.120000
As you might expect, I've got this nice little overview dashboard here.

0:14:01.120000 --> 0:14:04.820000
And what we can see is even with the very little that I am collecting,

0:14:04.820000 --> 0:14:09.580000
and this is actually just collecting from one machine, I've got 12.7...

0:14:09.580000 --> 0:14:14.600000
12.7 thousand events in the last 24 hours.

0:14:14.600000 --> 0:14:19.920000
Okay. And you can see it's kind of interesting how these are really broken

0:14:19.920000 --> 0:14:21.820000
out here. Notice there's this dead space here.

0:14:21.820000 --> 0:14:24.900000
That's because I have all my VMs turn off at 10.

0:14:24.900000 --> 0:14:28.600000
And then I started this one back up around 10 a.m.

0:14:28.600000 --> 0:14:30.620000
Okay. And I'm going to get back to this in a moment.

0:14:30.620000 --> 0:14:35.440000
But you can see that I have zero incidents, zero alerts.

0:14:35.440000 --> 0:14:41.660000
Okay. No malicious events showing up here, which is good.

0:14:41.660000 --> 0:14:45.760000
Okay. And what I want to do is just drill down.

0:14:45.760000 --> 0:14:48.900000
So here I've got this like very large set of data here.

0:14:48.900000 --> 0:14:51.620000
Let's just click on that drill down into it.
0:14:51.620000 --> 0:15:00.320000
And what that does is it generates a log analytics query.

0:15:00.320000 --> 0:15:05.020000
And here are all of my instances.

0:15:05.020000 --> 0:15:10.540000
Now the vast majority of these entries are actually going to be...

0:15:10.540000 --> 0:15:13.640000
All right. That's actually security auditing.

0:15:13.640000 --> 0:15:18.740000
Okay. And yeah, most of these that you'll see here are just key storage

0:15:18.740000 --> 0:15:26.020000
provider, because it's just looking to make sure that it can properly

0:15:26.020000 --> 0:15:31.000000
get to data. Let me close that down and see if I can find...

0:15:31.000000 --> 0:15:33.640000
I know I can because I did this.

0:15:33.640000 --> 0:15:38.960000
So there we go. Notice these two down here, that's NT AUTHORITY\SYSTEM.

0:15:38.960000 --> 0:15:44.780000
If I expand that out, that tells me that this is coming from the machine

0:15:44.780000 --> 0:15:51.300000
vulnerable. It's a security incident and it tells me an account was successfully

0:15:51.300000 --> 0:15:52.380000
logged in. That was...

0:15:52.380000 --> 0:15:56.880000
I actually logged in to my...

0:15:56.880000 --> 0:16:01.660000
to a machine. I came in over RDP and I logged into the machine.

0:16:01.660000 --> 0:16:03.740000
And this is one of these down here.

0:16:03.740000 --> 0:16:05.520000
I'm not sure if that's it.

0:16:05.520000 --> 0:16:16.760000
One of these I have an unsuccessful.

0:16:16.760000 --> 0:16:19.900000
I think this is the one that did not...

0:16:19.900000 --> 0:16:21.660000
Oh no, that's boot configuration.

0:16:21.660000 --> 0:16:23.700000
That's when this thing actually loaded.

0:16:23.700000 --> 0:16:25.860000
See if I can find the one that's not successful and then I'm going to

0:16:25.860000 --> 0:16:29.880000
move on. There's one right above it.

0:16:29.880000 --> 0:16:34.760000
The only problem with having this so large...

0:16:34.760000 --> 0:16:42.720000
All right. That's not showing me.

0:16:42.720000 --> 0:16:45.720000
But somewhere in here I did try to log in unsuccessfully.

0:16:45.720000 --> 0:16:48.840000
At least you can see where I did log in successfully.

0:16:48.840000 --> 0:16:53.680000
If I want to take the time, I could actually go ahead and modify this

0:16:53.680000 --> 0:16:58.680000
query and return specific information.

0:16:58.680000 --> 0:16:59.860000
But that's what it's giving you.

0:16:59.860000 --> 0:17:02.860000
Also, data source anomalies.

0:17:02.860000 --> 0:17:04.840000
So here's my usage.

0:17:04.840000 --> 0:17:05.600000
Here's security events.

0:17:05.600000 --> 0:17:14.160000
I can again go down into that and it's going to give me the various security

0:17:14.160000 --> 0:17:16.700000
events. How many security events happened?

0:17:16.700000 --> 0:17:19.640000
And this is done by I think the hour.

0:17:19.640000 --> 0:17:24.020000
Yeah. On an hourly basis and it's just giving security event counts.

0:17:24.020000 --> 0:17:27.620000
All right. So that is my general overview.

0:17:27.620000 --> 0:17:29.680000
Now I can do things like look at incidents.

0:17:29.680000 --> 0:17:31.560000
I don't have any incidents.

0:17:31.560000 --> 0:17:34.760000
So it hasn't found anything that would rise to the level of incidents.

0:17:34.760000 --> 0:17:39.380000
And if I left this on for another two days or so with an open public IP

0:17:39.380000 --> 0:17:41.360000
address, I guarantee you what I have.

0:17:41.360000 --> 0:17:44.060000
I would have some incidents there, but I don't.

0:17:44.060000 --> 0:17:45.460000
So next I want to go to workbooks.

0:17:45.460000 --> 0:17:52.680000
And again, think of workbooks pretty much as a kind of as a dashboard.

0:17:52.680000 --> 0:17:57.100000
Okay. But it's not just the dashboard because it'll also define the information

0:17:57.100000 --> 0:18:00.160000
and the required data types that it's going to pull in.
0:18:00.160000 --> 0:18:06.200000
So for example, I have three saved workbooks and you can see these other

0:18:06.200000 --> 0:18:14.040000
templates. Azure Security Center, AWS, Azure AD audit logs, Azure Firewall,

0:18:14.040000 --> 0:18:16.460000
Network Watcher.

0:18:16.460000 --> 0:18:18.760000
And you can see the one with the green is one I have.

0:18:18.760000 --> 0:18:20.380000
I forget of my workbooks.

0:18:20.380000 --> 0:18:22.220000
Okay. These are my workbooks.

0:18:22.220000 --> 0:18:26.340000
And if I go to any of these, they're all going to be blank because I'm

0:18:26.340000 --> 0:18:27.960000
not copying the data in.

0:18:27.960000 --> 0:18:32.640000
But if I click on that, I can view saved workbook.

0:18:32.640000 --> 0:18:35.660000
Okay. And so what that's going to do, it's going to come back and there's

0:18:35.660000 --> 0:18:40.100000
absolutely nothing here because I don't have any security events, but

0:18:40.100000 --> 0:18:42.900000
you can actually see hopefully over here.

0:18:42.900000 --> 0:18:45.120000
I'll bring that up even a little bit more.

0:18:45.120000 --> 0:18:48.260000
All right. There's kind of a screenshot of what that's going to look like

0:18:48.260000 --> 0:18:49.980000
if you actually use it.

0:18:49.980000 --> 0:18:55.900000
Now I'm going to go back to not being so dramatically zoomed in because

0:18:55.900000 --> 0:18:56.880000
I couldn't see what I was doing.

0:18:56.880000 --> 0:18:58.260000
But it's going through.

0:18:58.260000 --> 0:19:00.560000
Here's hunting. Okay.

0:19:00.560000 --> 0:19:04.200000
And again, we'll zoom back in on that.

0:19:04.200000 --> 0:19:05.720000
Well, that was too far.

0:19:05.720000 --> 0:19:07.640000
There we go. Okay.

0:19:07.640000 --> 0:19:12.240000
So these are common queries.

0:19:12.240000 --> 0:19:19.140000
All right. So I'm looking at all these different possible hunting, you

0:19:19.140000 --> 0:19:21.960000
know, threat hunting.
0:19:21.960000 --> 0:19:25.960000
So rare audit activity initiated by user.

0:19:25.960000 --> 0:19:29.660000
Okay. So if I think that might be a problem, I can run that query.

0:19:29.660000 --> 0:19:31.460000
Now it tells me zero results.

0:19:31.460000 --> 0:19:34.200000
If there were results, and actually show me the query, I can actually

0:19:34.200000 --> 0:19:35.560000
go and view the results.

0:19:35.560000 --> 0:19:37.320000
So it's a real quick thing.

0:19:37.320000 --> 0:19:39.180000
Multiple password resets.

0:19:39.180000 --> 0:19:40.500000
I run the query.

0:19:40.500000 --> 0:19:42.260000
No results. Right.

0:19:42.260000 --> 0:19:45.600000
Again, if there were results, I could then go ahead and run the query

0:19:45.600000 --> 0:19:50.460000
full on and get the results here and then continue to investigate the

0:19:50.460000 --> 0:19:53.300000
results of that particular hunting.

0:19:53.300000 --> 0:19:54.140000
Okay. Notebooks.

0:19:54.140000 --> 0:19:58.020000
These are the Jupyter Notebooks, and they're similar to workbooks, but

0:19:58.020000 --> 0:20:02.140000
they're in this Databricks slash Jupyter Notebook format.

0:20:02.140000 --> 0:20:06.120000
You can perform analysis by default with Python.

0:20:06.120000 --> 0:20:08.300000
And it's kind of interesting.

0:20:08.300000 --> 0:20:10.420000
Okay. Here's my data connectors.

0:20:10.420000 --> 0:20:13.680000
Okay. And I think I showed you that already.

0:20:13.680000 --> 0:20:14.760000
Yeah, I did. All right.

0:20:14.760000 --> 0:20:18.580000
So the only thing I haven't shown you so far is playbooks.

0:20:18.580000 --> 0:20:21.860000
And what you would do if I wanted to create a playbook and I already have

0:20:21.860000 --> 0:20:24.160000
one, so I'm not going to go through this.

0:20:24.160000 --> 0:20:26.140000
But I said, okay, I'm going to go there.

0:20:26.140000 --> 0:20:30.180000
I'm signed in. It's...

0:20:30.180000 --> 0:20:34.760000
Okay. And it's going to create a logic app.
0:20:34.760000 --> 0:20:42.120000
I'm not going to do anything with it.

0:20:42.120000 --> 0:20:46.980000
But in US East because that's where I do everything and I don't want log

0:20:46.980000 --> 0:20:51.020000
analytics and I review and create.

0:20:51.020000 --> 0:20:57.220000
And I create. All right.

0:20:57.220000 --> 0:20:59.720000
So now that's deploying. While that's deploying, I'll show you one I've

0:20:59.720000 --> 0:21:08.720000
already done. It ended up being pretty much the same thing.

0:21:08.720000 --> 0:21:11.800000
Okay. So this is a...

0:21:11.800000 --> 0:21:13.140000
Oh, wait a minute.

0:21:13.140000 --> 0:21:14.480000
That was sent to all.

0:21:14.480000 --> 0:21:16.400000
I'm going to get to my playbook here.

0:21:16.400000 --> 0:21:20.200000
See that it delete me, but I'm going to take a look at this one because

0:21:20.200000 --> 0:21:22.420000
I've already set this up.

0:21:22.420000 --> 0:21:24.500000
Okay. This is a standard logic app.

0:21:24.500000 --> 0:21:27.760000
And again, if you're not familiar with logic apps, take a bit.

0:21:27.760000 --> 0:21:30.620000
We've got, we've got several videos on those at INE.

0:21:30.620000 --> 0:21:31.760000
But I'm going to go in here.

0:21:31.760000 --> 0:21:33.340000
This is my trigger.

0:21:33.340000 --> 0:21:37.460000
My trigger is when an Azure Security Center alert is created or triggered.

0:21:37.460000 --> 0:21:41.440000
So this is one that's going to go off of an Azure Security Center alert.

0:21:41.440000 --> 0:21:42.840000
And then what's it going to do?

0:21:42.840000 --> 0:21:45.780000
I just have it putting a message into a queue.

0:21:45.780000 --> 0:21:52.760000
Simple as that. And so if a Security Center alert occurs, it's then going

0:21:52.760000 --> 0:21:56.620000
to drop a message in queue, which really is, of course, not particularly

0:21:56.620000 --> 0:21:58.100000
useful in and of itself.
0:21:58.100000 --> 0:22:03.060000
But as a demonstration, if I can do that, then I could integrate with

0:22:03.060000 --> 0:22:08.680000
hundreds of other data sources that can be easily integrated into logic

0:22:08.680000 --> 0:22:12.440000
apps. So again, it very, and this is a fairly lengthy video, but it was

0:22:12.440000 --> 0:22:17.160000
still just a very high level overview of the Azure Sentinel tool, which

0:22:17.160000 --> 0:22:22.920000
is going to be a Security Information Event Monitoring tool as well as

0:22:22.920000 --> 0:22:24.520000
an automated response tool.