The general Microsoft Sentinel setup workflow works like this. You'll want the Log Analytics workspace in place. Then you'll lay in an instance of the Microsoft Sentinel service. Once you've got it up and running, it's then time to wire up your data collectors. These are going to be your data sources. You then can set up watchlists, you can use the Kusto Query Language to do threat hunting, and you can create automations, what are called playbook automations.

As a matter of fact, I forgot to explain the holistic nature of Sentinel. I want to come back temporarily to this slide, but I want to draw your attention to the right side, where I provide an attribution to the source at microsoft.com. This is a great marketing diagram. It is outdated inasmuch as it says Azure Sentinel, but those four pillars of the service are just as relevant today as they were when Microsoft released this. So let's go in a clockwise fashion, starting at the 12 o'clock position. As I said, the data collection is pretty universal. So the value prop is that instead of having a patchwork of different security monitoring solutions, you may be able to do everything all under one roof, as it were, with Microsoft Sentinel.

The detection means that you're able to tap into Microsoft's Intelligent Security Graph, as well as any AI or capabilities that are coming from your data sources themselves, to give you and your team a proactive heads-up on anomalous behavior, active threat events, whatever, vulnerabilities that may exist in software on some of your machines, etc. Investigate, at the 6 o'clock position, means that Sentinel works with Jupyter Notebooks, if you're familiar with those. These are specialized web pages that integrate a runtime environment with Markdown so that you and your teammates can actually assign events and assign tasks. It's basically a ticketing work item system built into Sentinel. It's really an all-under-one-roof kind of situation here. And the Jupyter Notebooks are great because, as I said, you can blend live source code investigation, where you can run the code in the context of the notebook, and then keep your documentation using Markdown syntax in there as well, and then use those notebooks as a vehicle, as a deliverable, for your reports and presentations and so on. And then lastly, in the 9 o'clock position, the concept of the playbook.

If you're not familiar with Azure Logic Apps, they're using the same engine as what was called Microsoft Flow and is now called Power Automate, where you can stitch together various APIs, REST APIs, in an event-driven way, such that you can configure a playbook that, when a certain alert is triggered or when a certain KQL query, a threat hunting query, that you have configured to run on a loop triggers, the playbook/Azure Logic App is then kicked into action, and it can do a number of different things. I mean, you could have events get posted into your Microsoft Teams channel or your Slack channel. You can trigger code to run. You can create a ticket. You know, it allows you to, again, create these business workflows for automated response.