Exploring Microsoft Sentinel: A Comprehensive Overview
Understanding Microsoft Sentinel
Microsoft Sentinel is a cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) platform. It ingests log data from across an organization into a central workspace, applies built-in analytics and machine learning to detect suspicious activity, raises alerts and groups them into incidents, and can run automated responses (playbooks) against them.
This section provides a high-level overview of Microsoft Sentinel's key features and functionalities.
Microsoft Sentinel Dashboard
The Overview page of Microsoft Sentinel gives a snapshot of your security operations. At the top, you can find trends relating to events, alerts, and incidents. Next to these trends, the dashboard displays the status distribution of incidents. The middle section provides a graphical timeline of events and alerts, while the bottom section shows a map indicating potentially harmful event sources and destinations. On the right side, a summary of recent incidents and anomalies detected from data sources is presented.
The navigation menu on the left is categorized into four main areas:
- General: the Overview dashboard, Logs (the KQL query editor for the workspace), and the news and guides published by Microsoft.
- Threat Management: where analysts spend most of their time, including incident management, investigation and analysis features such as hunting queries, workbooks and notebooks, entity behavior analytics (UEBA) and threat intelligence.
- Content Management: the content hub, where engineers install solutions that package workbooks, analytics rules, hunting queries, playbooks and automation rules for a given product or use case.
- Configuration: aimed at engineers; this is where data connectors, analytics (detection) rules, automation rules and playbooks, watchlists and workspace settings are managed.
Roles in Microsoft Sentinel
Microsoft Sentinel uses Azure role-based access control (RBAC): its roles are Azure roles, assigned at the resource group (or the workspace) that holds the Sentinel workspace, and each grants a specific set of permissions. The Sentinel-specific roles are:
- Microsoft Sentinel Reader: view data, incidents, workbooks and other Sentinel resources, with no ability to change anything; suitable for people who need to observe security operations, such as auditors or managers.
- Microsoft Sentinel Responder: everything Reader allows plus incident management (assigning, changing status and severity, adding comments and bookmarks); the usual role for analysts who triage alerts and investigate incidents.
- Microsoft Sentinel Contributor: everything Responder allows plus creating and editing analytics rules, workbooks, watchlists and other Sentinel resources; the usual role for security engineers. Note that none of these three roles grants the right to run playbooks; that requires the separate Microsoft Sentinel Playbook Operator role (or Logic App Contributor) on the resource group containing the playbooks.
- Microsoft Sentinel Automation Contributor: allows Sentinel's own Azure Logic Apps connection to attach playbooks to automation rules. It is granted to the Sentinel service identity rather than to user accounts, and it does not include Contributor permissions.
Log Analytics
Monitoring and analyzing logs is essential in security operations. Microsoft Sentinel is built on an Azure Monitor Log Analytics workspace: every data connector writes into tables in that workspace, and the Logs blade is where analysts write and run queries against those tables. Queries are written in Kusto Query Language (KQL).
Kusto Query Language (KQL)
KQL is the language Microsoft Sentinel uses for data analysis. It is read-only: queries can filter, transform and aggregate data but cannot modify it. Data is organized into databases, tables and columns much as in SQL, but a query is written as a pipeline rather than a SELECT statement: it starts with a table name and chains operators with `|`, each operator taking the previous result as its input.
For example, to count successful logons (Windows Security Event ID 4624) in a table named prerecorded_CL, the query reads:

```kusto
// Count rows with Event ID 4624 (successful logon) in the custom table prerecorded_CL.
// prerecorded_CL is a custom log table (the _CL suffix), so its column names are set by
// whoever ingested the data; the column name EventID is assumed here.
prerecorded_CL
| where EventID == 4624
| count
```
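A single count rarely answers a security question on its own; the pattern behind most analytics rules is filter, then summarize by an entity and a time window, then apply a threshold. The following query, an added example that is not from the original post, looks for one source IP address failing logons against many accounts and then checks whether any logon from that address subsequently succeeded. It assumes the standard SecurityEvent table populated by the Windows Security Events connector (columns TimeGenerated, EventID, Account, IpAddress, LogonType, Computer); the window and threshold values are illustrative.

```kusto
// Added example: possible password spray / brute force from one source, with follow-up check.
// Assumes the standard SecurityEvent table (Windows Security Events data connector).
let window = 1h;       // how far back to look
let threshold = 20;    // failed logons from one IP before we care (tune per environment)
let failures =
    SecurityEvent
    | where TimeGenerated > ago(window)
    | where EventID == 4625                              // failed logon
    | where IpAddress !in ("-", "127.0.0.1", "::1")      // drop local / missing source addresses
    | summarize
        Failures = count(),
        DistinctAccounts = dcount(Account),
        Accounts = make_set(Account, 25),                 // cap the list so the row stays readable
        FirstFailure = min(TimeGenerated),
        LastFailure = max(TimeGenerated)
        by IpAddress
    | where Failures >= threshold;
let successes =
    SecurityEvent
    | where TimeGenerated > ago(window)
    | where EventID == 4624 and LogonType in (3, 10)    // network and RDP logons only
    | summarize
        SucceededAccounts = make_set(Account, 25),
        FirstSuccess = min(TimeGenerated)
        by IpAddress;
failures
| join kind=leftouter successes on IpAddress           // keep every noisy IP, attach successes if any
| extend FollowedBySuccess = isnotnull(SucceededAccounts)
| project IpAddress, Failures, DistinctAccounts, Accounts, FirstFailure, LastFailure,
          FollowedBySuccess, FirstSuccess, SucceededAccounts
| order by FollowedBySuccess desc, Failures desc        // a spray that later succeeded sorts first
```

Saved as a scheduled analytics rule, the same query can run every hour with the lookback set to match, and the Account and IpAddress columns can be mapped to Sentinel entities so that the resulting incident carries them.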
Threat Management
Microsoft Sentinel provides a suite of tools for managing threats within your organization, including:
- Incident Management: triage, assign, investigate and close incidents.
- Workbooks: interactive dashboards built from KQL queries for monitoring and deeper investigation.
- Hunting: run predefined or custom KQL hunting queries, grouped by MITRE ATT&CK tactic, and bookmark results worth keeping.
- Notebooks: Jupyter notebooks (Python) for analysis that goes beyond what KQL alone offers.
- Entity Behavior (UEBA): baseline the normal activity of users and hosts so that deviations from it can be scored and surfaced.
- Threat Intelligence: import and manage indicators (IP addresses, domains, URLs, file hashes) for matching against ingested data.
What Constitutes an Incident?
In Microsoft Sentinel, an incident is the container for a threat: it groups one or more alerts together with the entities they reference (accounts, hosts, IP addresses) and supporting evidence such as bookmarks and comments. Incidents are created automatically when analytics rules generate alerts, and properties such as severity, status and owner are tracked at the incident level rather than on each alert.
How Incidents Operate
Analytics rules (Configuration > Analytics) either run scheduled KQL queries or pass through alerts from connected Microsoft security products. When a rule's condition is met it produces an alert, and Sentinel creates an incident for it or, if alert grouping is enabled on the rule, adds it to an existing incident. The incident page shows when the incident was created, its status, severity and owner, the alerts and entities it contains, and a timeline of related events.
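Because incidents and alerts are themselves written to the workspace, the container relationship can be queried. The following query, an added example that is not from the original post, lists open incidents from the last seven days with the alerts each one holds. It assumes the standard SecurityIncident table (AlertIds is an array of the contained alerts' IDs, and every modification of an incident adds a new row) and the standard SecurityAlert table (keyed by SystemAlertId); the lookback is illustrative.

```kusto
// Added example: open incidents and the alerts they contain.
// Assumes the standard SecurityIncident and SecurityAlert tables written by Microsoft Sentinel.
let lookback = 7d;
// SecurityIncident records every change to an incident, so keep only the latest row per incident.
let latest_incidents =
    SecurityIncident
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber
    | where Status != "Closed";
// Alerts are also updated over time; keep the latest row per alert.
let latest_alerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project SystemAlertId, AlertName, AlertSeverity, ProviderName;
latest_incidents
| mv-expand AlertId = AlertIds to typeof(string)       // one row per alert inside the incident
| join kind=leftouter latest_alerts on $left.AlertId == $right.SystemAlertId
| summarize
    AlertCount = dcount(AlertId),
    Alerts = make_list(bag_pack("Name", AlertName, "Severity", AlertSeverity, "Provider", ProviderName))
    by IncidentNumber, Title, Severity, Status, CreatedTime, AssignedTo = tostring(Owner.assignedTo)
// Severity is a string, so map it to a rank before sorting.
| extend SeverityRank = case(Severity == "High", 0, Severity == "Medium", 1, Severity == "Low", 2, 3)
| order by SeverityRank asc, CreatedTime desc
| project-away SeverityRank
```

The arg_max step matters: without it an incident that was reassigned three times appears three times, with three different owners, which is a common source of wrong numbers in SOC reporting workbooks.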
The first video, "KQL Tutorial Series | KQL Cheat Sheet Walk-Through | EP3 - YouTube," offers a comprehensive guide to KQL, aiding users in mastering the query language for efficient data analysis.
Workbooks for Investigation
Workbooks serve as interactive collections of visualizations that facilitate incident investigations or threat hunting. Users can choose from Microsoft or third-party templates, or create customized workbooks tailored to their organizational needs.
Threat Hunting Strategies
Navigate to Threat Management > Hunting for a library of queries grouped by MITRE ATT&CK tactic and technique. Hunting queries are written for recall rather than precision, so they yield more false positives than the queries behind analytics rules, but they are good starting points for an investigation; results worth keeping can be bookmarked and attached to an incident, and a query that proves reliable can be promoted to an analytics rule.
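A typical hunting query is not a threshold but a comparison against a baseline: what is happening now that did not happen before? The following query, an added example that is not from the original post, finds accounts logging on over the network from a source IP address that account has not used in the preceding two weeks. It assumes the standard SecurityEvent table (columns TimeGenerated, EventID, Account, IpAddress, LogonType, Computer); the baseline and recent windows are illustrative.

```kusto
// Added example: interactive/network logons from a source IP the account has never used before.
// Assumes the standard SecurityEvent table (Windows Security Events data connector).
// Baseline: every (account, source IP) pair seen between 15 days ago and 1 day ago.
let baseline =
    SecurityEvent
    | where TimeGenerated between (ago(15d) .. ago(1d))
    | where EventID == 4624 and LogonType in (3, 10)    // network and RDP logons
    | where IpAddress !in ("-", "127.0.0.1", "::1")
    | summarize by Account, IpAddress;
// Recent: the same kind of logons in the last day, keeping only pairs absent from the baseline.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4624 and LogonType in (3, 10)
| where IpAddress !in ("-", "127.0.0.1", "::1")
| join kind=leftanti baseline on Account, IpAddress     // anti-join drops anything already seen
| summarize
    FirstSeen = min(TimeGenerated),
    Logons = count(),
    Hosts = make_set(Computer, 10)                       // which machines the new source reached
    by Account, IpAddress
| order by FirstSeen desc
```

The anti-join is what makes this a hunt rather than a rule: a new source address is expected for travelling users and new workstations, so the output needs a human to read it, and the false positives fall out naturally as the baseline learns the new pair the next day.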
The second video, "Azure Sentinel webinar: KQL part 2 of 3 - KQL hands-on lab exercises - YouTube," provides hands-on exercises to enhance your KQL skills within Azure Sentinel.
Conclusion
In summary, Microsoft Sentinel is a robust and comprehensive solution for managing security incidents and threats. By leveraging its various tools and features, organizations can significantly enhance their security posture.