Microsoft Sentinel. Now, one of my goals, it's a self-stated goal, but it's a goal nonetheless, is to make sure that you're not only well prepared for your AZ-801 exam, but you're also well prepared to discuss Azure in all of its glory and with all of its warts accurately and intelligently.

Let's take a look again at the recurring concept of Azure product naming. Now, what's now called Microsoft Sentinel was originally called Azure Sentinel, all right. So if you sometimes see a reference to Azure Sentinel, just substitute in your mind Microsoft Sentinel. And the reason why Microsoft did that makes a lot of sense. Sentinel is meant to be a multi-cloud, hybrid cloud security solution, and Azure Sentinel might lead one to mistakenly believe that you can only use Sentinel in Azure, and that's not true. It's a Microsoft technology, so it's called Microsoft Sentinel.

Similarly, the Microsoft Azure hybrid cloud security hygiene tool, Azure Security Center, went through a number of name changes, Azure Defender and then Microsoft Defender. So if you're wondering, well, what's the difference between Azure Security Center and Azure Sentinel, hang on. That's one of my goals. Again, by the end of this lesson, you'll understand the differentiation very clearly. For here, I'm just giving you a heads up on these name changes.

Now we'll see that both Microsoft Sentinel and Microsoft Defender rely upon Azure Log Analytics for log ingestion and querying, etc. Now that collection, Log Analytics and its related services, at one time originally was called Operations Management Suite, or OMS. Now it's called Azure Log Analytics with its various management solutions. And for Windows Server, you'll want to install the Microsoft Monitoring Agent, also called the Log Analytics agent, originally called the OMS agent, to onboard those Windows Server machines into your Log Analytics workspace. Yes, it's confusing, and yes, it's annoying, but because it's a fact of life, it's important that you, as a hybrid cloud Windows Server administrator, know about these so that you can instantly understand what's being talked about, whether it's on your AZ-801 exam or whether it's a blog article or a Stack Overflow question and answer set that you're examining. I want to make sure that you're equipped for success.

Let's look at a definition here. SIEM/SOAR or SIEM/SOAR. Doesn't matter to me so much what the pronunciation is. You should know what the acronym means from a definitional standpoint. Security information and event management, that's SIEM. Security orchestration, automation, and response, that's SOAR. This is a unified security solution that has as its audience InfoSec professionals. Not just ordinary systems administrators, developers, and architects, but really full-time InfoSec team members. Examples of SIEM/SOAR products include Splunk Enterprise Security, SolarWinds Security Event Manager, OSSEC, and we're going to see momentarily that Microsoft Sentinel is Microsoft's SIEM/SOAR solution. In fact, that "we're going to see momentarily" just turned into now.

As I said, Microsoft Sentinel was formerly called Azure Sentinel. It's a SIEM/SOAR solution that supports all environments. This, again, is why the name was changed to Microsoft rather than Azure Sentinel. So you can support cloud-native deployments in Azure, hybrid cloud, which means that you can touch your on-premises infrastructure, as well as your infrastructure that's located in other clouds. As I said, a key differentiator for Microsoft Sentinel is that its toolset is really intended for dedicated information security personnel.

We're going to see in the demo that the Sentinel platform is heavily extensible. It uses a connector model where, as long as you have a connector that provides connectivity into a given service, you can monitor and alert and do threat hunting and all that good stuff from within one control plane in Sentinel. As I mentioned, there's tight integration with other Azure services. You'll need an Azure Log Analytics workspace, for example, to deploy Microsoft Sentinel. But then we have native integration with other Azure Resource Manager services like Azure Monitor and Azure Logic Apps, which are called playbooks in Sentinel.

Here's a Lucidchart diagram I've created to help illustrate some of Microsoft Sentinel's value propositions. Up at the top of the diagram, as I said, we've got a one-to-one dependency between your Sentinel instance and your Log Analytics workspace. I would suggest, as I always do, that you have separate workspaces for your infrastructure monitoring and your security monitoring. You can, in fact, configure Windows machines to report to more than one Log Analytics workspace, so you're not limited there. And as you can see here, we can tap in, or enroll, our Azure VMs, both Windows as well as Linux, into Microsoft Sentinel. We can touch other clouds, like ingesting Amazon Web Services' CloudTrail logs, monitoring Amazon EC2 virtual machines. And then lastly, for your on-premises data center, you can monitor physical and virtual servers, as well as Arc-enabled servers if you've decided to already enroll certain servers into Azure Arc.