00:00:01,540 --> 00:00:22,870
In Microsoft Sentinel, you start by creating a Sentinel workspace, and those need a Log Analytics workspace; they write on top of them. So this is why I recommend having a separate infrastructure Log Analytics workspace and then one for Sentinel. I've already created a Sentinel instance and put it on top of the Sentinel workspace I created.

00:00:22,870 --> 00:01:00,940
So if we go into my created Sentinel workspace, we can see that the interface is very, very different from the Log Analytics infrastructure interface. We can see these heat maps, these geo images; there are a lot of visualizations right out of the box that you can take advantage of. We've got events, alerts, and what I think is particularly powerful in Sentinel is where Sentinel can correlate events and alerts and roll them into incidents, which can make it easier to see a true story as opposed to just these otherwise disparate events and alerts, you see.

00:01:00,940 --> 00:01:41,640
But step one, of course, is we want to connect our data. So if we go under Configuration, Data connectors, I want you to see here that there is an enormous library of these, and these go to Azure and non-Azure services. We can bring in, for example, Azure Active Directory to take a look at sign-in behavior, as you can see, Azure Active Directory Identity Protection. We can even bring in Microsoft Defender services, which is no surprise, I'm sure: Defender for Cloud, Defender for Endpoint, Defender for Identity, and we can surface all of that data in one spot here in Sentinel.

00:01:41,640 --> 00:02:26,340
Now there are some other assets. We don't really need to go much deeper here, by the way, on Sentinel; it's just a question of understanding the basic use case, basic setup behavior. When we load in a connector: Workbooks, which again are Microsoft-curated visualizations; queries, those are Kusto queries (we use Kusto here just as we do in Log Analytics infrastructure monitoring); and then we have rule templates for creating alert rules. Now lastly, you can get to third-party services here as well. It's not just Microsoft and not just Azure. For example, notice that you can monitor Amazon Web Services to get your CloudTrail logs, as well as looking at the Simple Storage Service specifically. Nice.

00:02:26,340 --> 00:02:36,740
So once you get your data connectors in, then it's a question of going through some of the other threat management and content management options and working with Sentinel from there.

00:02:36,740 --> 00:03:06,120
Let's finish this consideration by revisiting Microsoft Defender for Cloud. Remember that the idea here is that this is general-purpose security hygiene, not necessarily just for InfoSec professionals. We have this security posture that we can click into, where we can see the secure score that our currently deployed infrastructure meets with Defender for Cloud, and we'll be given a number of recommendations to improve the security of our environment.

00:03:06,120 --> 00:03:32,290
Let's take a look at my Azure subscription, which has a current secure score of 54%. What you'll find on these recommendations is that they are written in a nice, user-friendly way. "MFA should be enabled on accounts with owner permissions." Well, that sounds pretty important. It shows us the unhealthy resources, in this case it's my subscription, and then it gives us an enumeration, in this case, of the affected user accounts.

00:03:32,290 --> 00:04:10,000
And depending upon the recommendation, you could either have Azure remediate itself, or if it can't do that, which in this case it can't, you get manual remediation steps here, or you and your developers can create a playbook, basically a logic app that does this operation, and then when this recommendation comes up, the person resolving the recommendation can trigger that logic app from here to auto-remediate those recommendations. A lot to think about, but hopefully I've inspired you and got you thinking of different possibilities.