Investigate and Respond to security events in
the cloud with Azure Sentinel
Introducing Microsoft Azure Sentinel
Cloud-native SIEM for intelligent security analytics for your entire enterprise
Limitless
Office 365 + M365 Alerts for Free
existing tools
AI by your side
Respond: Rapidly and automate protection
Detect: Threats with vast threat intelligence & AI
Collect: Security data across your enterprise
Investigate: Critical incidents guided by AI
Azure Sentinel: Cloud-native SIEM+SOAR
How it works
Collect | Visibility | Analyze & Detect | Investigate & Hunt | Automate & Orchestrate Response | Integrate
Data Ingestion, Data Repository, Data Search, Enrichment; Azure Monitor
Dashboard | Machine learning, Pre-defined Queries | Azure Notebook | Playbooks
Sources and integrations: Microsoft Services, Security solutions, Apps, users, infrastructure, Public Clouds, ServiceNow, Community, Other tools
Security Operations Challenges
Expanding digital estate
Too many disconnected products
76% report increasing security data*
3.5M unfilled security jobs in 2021
Lack of automation
44% of alerts are never investigated
IT deployment & maintenance
Sophistication of threats
Introducing Azure Sentinel
INTELLIGENT, CLOUD-NATIVE SIEM
Delivers instant value to your defenders
Uses AI and automation to improve effectiveness
Scales to support your growing digital estate
End-to-end solution for security operations
Collect, Detect, Investigate, Respond
Visibility, Analytics, Hunting, Incidents, Automation
Powered by community + backed by Microsoft’s security experts
10 steps to Modernize your SIEM
Visibility
1. Collect security data at cloud scale from any source
2. Use workbooks to power interactive dashboards
Choose from a gallery of workbooks
Customize or create your own workbooks using queries
Take advantage of rich visualization options
Gain insight into one or more data sources
New data connectors and workbooks announced at Ignite
Barracuda CloudGen Firewall
Citrix Analytics
ExtraHop Reveal(x)
F5 Firewall
One Identity Safeguard
TrendMicro Deep Security
Zscaler Internet Access
Threat Intelligence TAXII Servers (supporting STIX format)
Workspace Design (Single Tenant)
DEMO
Linking with O365 (mine is linked… but let's take a look!)
And Workbooks!
All the ways data gets in
Workspace: Azure Sentinel
Custom App
Appliances (Integrated)
Azure Services (Diagnostic Logs): AAD, AAD IP, Azure Activity, AIP, ASC, AzWAF, …
Threat Intelligence (via Graph Security API): MISP, Palo Alto….
Logic App – Send Data Connector
Cloud Services w/ Connector: O365, MCAS, AATP, MDATP, AWS
Windows Agent, Linux Agent, Linux Agent configured for CEF
Appliances (CEF)
Diagram direction labels: PUSH, PUSH, PUSH, PULL, Rest API, PUSH
Data Collectors (Quick Wins)
Enable 1st Party Connectors that are running in the environment (most are free):
- O365
- Azure Activity
- 1st Party Alerts – MCAS, AATP, MDATP, AAD IP
Connect AWS
Connect / Configure Azure Diagnostic Logs (Policy)
Deploy Windows/Linux Agent in Azure (built-in Policy)
Data Collectors (Next Steps)
Deploy Windows/Linux Agent on-prem / other clouds
Deploy CEF Collection
- Configure CEF collector using configuration script
- Configure source devices – ensure they support RFC and CEF.
- See the “Grand List”: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-The-Syslog-and-CEF-source-configuration-grand/ba-p/803891
Integrate Threat Intelligence
Ask vendors to directly integrate!
CEF architecture (on-prem)
Syslog over UDP, TCP, or TLS; default port: 514
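The CEF path above depends on every source device emitting well-formed CEF over syslog, so a collector-side check is useful before onboarding a device. Below is an added Python example, not code from the deck or from Microsoft, that parses a CEF record (with an optional syslog prefix, escaped pipes and escaped equals signs), reports why a line is rejected, and triages a batch by severity. The sample lines and the mapping of Low/Medium/High/Very-High onto the numeric severity bands are constructed assumptions.

```python
# Added example, not the deck's or Microsoft's code: parse and sanity-check CEF as a
# syslog/CEF collector receives it. The SAMPLE_LINES at the bottom are constructed.
import re
from typing import Dict, List, Optional

# Optional syslog wrapper "<PRI>Mon DD hh:mm:ss host " that may precede the record.
SYSLOG_PREFIX = re.compile(r"^(?:<\d{1,3}>)?(?:\w{3}\s+\d{1,2}\s[\d:]{8}\s\S+\s)?")
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# Extension is "key=value" pairs; values may contain spaces and escaped "\=" / "\\".
EXT_PAIR = re.compile(r"([\w.\-]+)=((?:\\.|[^=\\])*?)(?=\s+[\w.\-]+=|\s*$)")
SEVERITY_WORDS = {"low": 0, "medium": 4, "high": 7, "very-high": 9}  # CEF band lower bounds (assumed)

def _split_header(text: str):
    # Split the seven pipe-delimited header fields; "\|" is an escaped pipe, not a separator.
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped char: keep the next one literally
            buf.append(text[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    return fields, text[i:]                       # remainder after the 7th pipe is the extension

def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def cef_issues(line: str) -> List[str]:
    """Return a list of problems; an empty list means the line looks like valid CEF."""
    body = SYSLOG_PREFIX.sub("", line.strip(), count=1)
    if not body.startswith("CEF:"):
        return ["no CEF: header"]
    fields, _ = _split_header(body[4:])
    if len(fields) != 7:
        return ["expected 7 pipe-delimited header fields, got %d" % len(fields)]
    sev = fields[6].strip().lower()
    if not ((sev.isdigit() and int(sev) <= 10) or sev in SEVERITY_WORDS):
        return ["severity %r is not 0-10 or Low/Medium/High/Very-High" % fields[6]]
    return []

def parse_cef(line: str) -> Optional[Dict[str, str]]:
    """Return header + extension fields as a dict, or None if the line is not valid CEF."""
    if cef_issues(line):
        return None
    fields, ext = _split_header(SYSLOG_PREFIX.sub("", line.strip(), count=1)[4:])
    rec = dict(zip(HEADER_FIELDS, fields))
    rec.update({k: _unescape(v) for k, v in EXT_PAIR.findall(ext)})
    return rec

def triage(lines: List[str], min_severity: int = 7) -> Dict[str, object]:
    # Validate a batch and list (product, name, src) for events at or above min_severity.
    rejected, high, parsed = [], [], 0
    for line in lines:
        rec = parse_cef(line)
        if rec is None:
            rejected.append((line[:40], cef_issues(line)))   # what the collector would drop
            continue
        parsed += 1
        sev = rec["severity"].strip().lower()
        if (int(sev) if sev.isdigit() else SEVERITY_WORDS[sev]) >= min_severity:
            high.append((rec["product"], rec["name"], rec.get("src", "")))
    return {"parsed": parsed, "rejected": rejected, "high": high}

SAMPLE_LINES = [  # constructed sample input, including one line that is not CEF at all
    "<13>Sep 21 10:00:00 fw01 CEF:0|Example|Firewall|1.0|100|Blocked inbound connection|7|"
    "src=203.0.113.5 dst=10.0.0.8 spt=4444 dpt=22 act=blocked",
    "CEF:0|Example|Auth\\|Gateway|2.1|200|Failed login|5|"
    "suser=bob msg=Password check failed\\=3 times src=198.51.100.9",
    "Sep 21 10:00:02 app01 not-cef-at-all: something happened",
    "CEF:0|Example|IDS|3.0|300|Possible scan|High|src=203.0.113.5 dst=10.0.0.8 cnt=50",
]
```

Running `triage(SAMPLE_LINES)` parses three records, rejects the non-CEF line with its reason, and lists the two events at severity 7 or above.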
3. Leverage analytics to detect threats
Choose from more than 100 built-in analytics rules
Customize and create your own rules using KQL queries
Correlate events with your threat intelligence and now with Microsoft URL intelligence
Trigger automated playbooks
Analytics
You got data… now what? Create analytics to detect suspicious activity:
Enable Microsoft Security rules
Enable built-in rules
Use GitHub
Build custom detections
3a. Tap into the power of ML to increase your catch rate without increasing noise
Use built-in models – no ML experience required
Detects anomalies using transfer learning
Fuses data sources to detect threats that span the kill chain
Simply connect your data and learning begins
Bring your own ML models (coming soon)
4. Start hunting over security data with fast, flexible queries
Run built-in threat hunting queries - no prior query experience required
Customize and create your own hunting queries using KQL
Integrate hunting and investigations
5. Use bookmarks and live stream to manage your hunts
Bookmark notable data
Start an investigation from a bookmark or add to an existing incident
Monitor a live stream of new threat-related activity
6. Use Jupyter notebooks for advanced hunting
Run in the Azure cloud
Save as sharable HTML/JSON
Query Azure Sentinel data
Bring external data sources
Use your language of choice - Python, SQL, KQL, R, …
Adam ochs sentinel
7. Start and track investigations from prioritized, actionable security incidents
Use incidents to collect related alerts, events, and bookmarks
Manage assignments and track status
Add tags and comments
Trigger automated playbooks
8. Visualize the entire attack to determine scope and impact
Navigate the relationships between related alerts, bookmarks, and entities
Expand the scope using exploration queries
View a timeline of related alerts, events, and bookmarks
Gain deep insights into related entities – users, domains, and more
9. Gain deeper insight with built-in automated detonation
Configure URL entities in analytics rules
Automatically trigger URL detonation
Enrich alerts with verdicts, final URLs and screenshots (e.g. for phishing sites)
10. Automate and orchestrate security operations using integrated Azure Logic Apps
Build automated and scalable playbooks that integrate across tools
Choose from a library of samples
Create your own playbooks using 200+ built-in connectors
Trigger a playbook from an alert or incident investigation
Example playbooks
Incident Management: Assign an Incident to an Analyst; Open a Ticket (ServiceNow/Jira); Keep Incident Status in Sync; Post in a Teams or Slack Channel
Enrichment + Investigation: Lookup Geo for an IP; Trigger Defender ATP Investigation; Send Validation Email to User
Remediation: Block an IP Address; Block User Access; Trigger Conditional Access; Isolate Machine
Roadmap
Delivered Since Public Preview:
Microsoft and 3P Data Connectors – Defender ATP, Cloud App Security, Zscaler, and More
100+ Built-In Detections – Rule-Based and ML
Investigation Graph and Entities
Workbooks with Improved Data Visualizations
Support for Incident Automation
Embedded Azure Notebooks
Live Stream Monitoring of Notable Events
GitHub Integration
URL Detonation
Coming Soon:
Additional Data Connectors – More Microsoft Services, Logstash, …
New Built-In Detections – Rule-Based and ML
Additional Detections Powered by Microsoft Threat Intelligence
Bring Your Own ML Models
Threat Intelligence Research, Including Full STIX Objects
Entity Pages – Users, Domains, IPs
And much more…
Take action today: Get started with Azure Sentinel
To learn more, visit https://aka.ms/AzureSentinel
Create Azure Sentinel instance
Connect data sources
Start Microsoft Azure trial
