Saturday, February 11, 2023

Azure Sentinel summary SC-200 module

Threat Intelligence

TIP and TAXII Connectors for an Internal Server

  • Use the Threat Intelligence Platforms (TIP) connector and the Threat Intelligence - TAXII connector to pull indicators from an internal TAXII server or a TIP into the ThreatIntelligenceIndicator table, where analytics rules can match them against ingested logs.

Incident Manager

  • Use the incident manager (the Incidents blade) to track, assign, and manage security incidents.

Entity-Based Threat Detection

  • Implement entity-based threat detection to identify threats to various entities, such as IP addresses, applications, user accounts, and locations.

Investigation in Azure Sentinel

  • Use Azure Sentinel to investigate security incidents.
  • Open the incident, use the investigation graph to expand each entity and its related alerts, and follow the cross-references between entries to find the relevant details.

Threat Response with Playbooks in Sentinel

  • Build automated threat response with playbooks (Azure Logic Apps) in Azure Sentinel.

Data Connector

  • Ingest data from diverse sources with data connectors.
  • Events flow in through the connectors; analytics rules turn them into alerts and incidents, which SOAR automation (playbooks) then acts on.

Simulation Steps

  • Create an activity policy in Microsoft Cloud App Security (MCAS) for API activity.
  • Configure the policy to raise an alert when tokens are created in MCAS.
  • Create an analytics rule in Azure Sentinel that continuously monitors for role membership changes and generates alerts.

Alternatively, Verify the AAD Log

  • Export Azure AD (AAD) audit and sign-in logs into the Log Analytics Workspace (LAW) behind Azure Sentinel (via the Azure Active Directory data connector) and verify the role change there.

Query Example

  • Use a query to create an incident in Azure Sentinel when a user is added to the Global Administrator role (a directory role, not a security group).
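The query below is an added example of the scheduled analytics rule query behind that incident; it is not from the SC-200 module. It assumes the Azure Active Directory data connector streams the AuditLogs table into the workspace and that the role name is carried in the "Role.DisplayName" modified property of the target resource, as Azure AD audit records do. The column aliases (Actor, ActorIP, TargetUser) are my own.

```kql
// Added example (not from the SC-200 module): scheduled analytics rule query that fires
// when an account is added to the Global Administrator directory role.
// Assumes: Azure AD connector -> AuditLogs; role name in the "Role.DisplayName" modified property.
AuditLogs
| where TimeGenerated > ago(1h)                          // match the rule's lookback period
| where OperationName =~ "Add member to role"
| where Result =~ "success"                              // ignore attempts that were denied
// Each TargetResources entry carries a modifiedProperties array; pick the role name out of it
| mv-expand TargetResource = TargetResources
| mv-expand ModifiedProperty = TargetResource.modifiedProperties
| where tostring(ModifiedProperty.displayName) == "Role.DisplayName"
// newValue is a JSON-encoded string, so strip the surrounding quotes
| extend RoleName = trim('"', tostring(ModifiedProperty.newValue))
| where RoleName =~ "Global Administrator"
| extend TargetUser = tostring(TargetResource.userPrincipalName)
// The actor is either a signed-in user or an application (service principal)
| extend Actor   = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                            tostring(InitiatedBy.app.displayName)),
         ActorIP = tostring(InitiatedBy.user.ipAddress)
| project TimeGenerated, Actor, ActorIP, TargetUser, RoleName, CorrelationId
```

In the rule, map Actor and TargetUser to the Account entity and ActorIP to the IP entity, set the run frequency and lookback both to one hour so no event is missed or double-counted, and group alerts into one incident per TargetUser so a bulk assignment does not open a dozen incidents.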

SOAR Automated Response Using Analytical Rule

  • Use a scheduled analytics rule based on a KQL query to generate alerts and trigger automated responses in Azure Sentinel.
  • Attach playbooks to the rule (or to an automation rule) to automate the alert response.

Steps to Onboard Community Content into Sentinel

  • Automate the onboarding of community content (the Azure Sentinel GitHub repository) into Sentinel.
  • The chain is: log source (audit log) into the LAW, a Sentinel playbook on the resulting alert, then a notification to the team.

Sentinel UEBA + TAXII

  • Use User and Entity Behavior Analytics (UEBA) together with TAXII-fed threat intelligence in Azure Sentinel to identify and prioritize threats (TAXII is the indicator exchange protocol behind the TI connector, not an analytics feature).
  • Focus on five cases: identity behavior, threat activities (e.g., employee data exfiltration), incident prioritization, entity analysis, and analytics across diverse data sources.
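The following query is an added example of the UEBA + TAXII combination, not from the SC-200 module: it ranks users by UEBA's own investigation priority, boosts accounts with a high blast radius or first-seen behaviour, and adds a large boost when the source IP matches an active indicator from the TIP/TAXII feed. It assumes UEBA is enabled (so the BehaviorAnalytics table and its UsersInsights/ActivityInsights fields exist) and that a TI connector populates ThreatIntelligenceIndicator; the weights and the Score/TiMatch column names are my own.

```kql
// Added example, not from the SC-200 module. Assumes UEBA is enabled (BehaviorAnalytics table)
// and a TIP or TAXII connector populates ThreatIntelligenceIndicator. Weights are illustrative.
let lookback = 7d;
// Currently valid IP indicators from the TI feed, one row per indicator (latest version wins)
let ti_ips = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
    | project NetworkIP, ThreatType, ConfidenceScore;
BehaviorAnalytics
| where TimeGenerated > ago(lookback)
| where InvestigationPriority > 0                       // UEBA already scored this activity as anomalous
| extend BlastRadius = tostring(UsersInsights.BlastRadius),
         NewCountry  = tobool(ActivityInsights.FirstTimeUserConnectedFromCountry),
         NewAction   = tobool(ActivityInsights.FirstTimeUserPerformedAction)
| join kind=leftouter ti_ips on $left.SourceIPAddress == $right.NetworkIP
| extend TiMatch = isnotempty(NetworkIP)                // true when the source IP is a known indicator
// Hypothetical weighting: UEBA priority first, then blast radius, first-seen behaviour, and a TI hit
| extend Score = InvestigationPriority
               + iff(BlastRadius == "High", 3, 0)
               + iff(NewCountry == true, 2, 0)
               + iff(NewAction == true, 1, 0)
               + iff(TiMatch, 5, 0)
| summarize Activities = count(),
            MaxScore   = max(Score),
            TiHits     = countif(TiMatch),
            SourceIPs  = make_set(SourceIPAddress, 10),
            Actions    = make_set(ActionType, 10),
            ThreatTypes = make_set(ThreatType, 5)
            by UserPrincipalName
| top 20 by MaxScore desc
```

A TI hit on its own is weak evidence (shared proxies and scanners end up on feeds), which is why it adds to the UEBA priority rather than replacing it; the output is a triage list for the analyst, not an alert.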

AI & ML Historical Activity

  • Use AI and machine learning (ML) to analyze historical activity across data sources such as servers, switches, routers, and IoT devices, ingested over CEF, Syslog, or vendor-specific protocols.

Expand Entity and Investigate

  • Use UEBA entity pages to investigate entities such as IP addresses, users, applications, hosts, services, malware, and other threat sources, and the relationships between them.
  • Use the graphical investigation view to pivot between related entities in Azure Sentinel.

Sentinel Monitoring, Query & Visualize Using Workbook

  • Use workbooks to monitor, query, and visualize data in Azure Sentinel.
  • Build workbooks from scratch with KQL, or start from the built-in templates or community workbooks.
  • Use advanced settings, style, and the advanced editor to modify workbooks in Azure Sentinel.

Sentinel Threat Hunting

  • Use both Azure Sentinel and Microsoft Cloud App Security (MCAS) for threat hunting across Defender data.
  • Use KQL queries for both incident-driven and analytics-driven hunting.

Proactive Hunting

  • Use proactive hunting to search for threats based on defined hypotheses.
  • Make each hypothesis achievable, narrow, time-bound, useful and efficient, tied to the threat model, and repeatable.
  • Use the query's output as feedback to refine the hypothesis.
  • Use the tactics and techniques defined at https://attack.mitre.org to frame the hypothesis.
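As an added example of such a hypothesis written as a hunting query (not from the SC-200 module): "a single source IP is password-spraying (ATT&CK T1110.003, Credential Access): it fails sign-ins for many distinct accounts within one hour and may then succeed for one of them". It assumes the Azure AD connector populates SigninLogs, where ResultType "0" is a successful sign-in; the thresholds and the column names I introduce (FailedAccounts, LikelyCompromised, and so on) are my own starting points to tune.

```kql
// Added example, not from the SC-200 module. Hunting query for the hypothesis:
// "One source IP fails sign-ins for many distinct accounts within an hour (password spray,
//  MITRE ATT&CK T1110.003) and may then succeed for one of them."
// Assumes the Azure AD connector populates SigninLogs. Thresholds are starting points to tune.
let window = 1h;
let min_accounts = 10;        // distinct accounts one IP must fail against to count as a spray
let lookback = 1d;            // time-bound: one day of sign-in data per hunt
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"            // ResultType "0" is success; anything else is a failure
    | summarize FailedAccounts = dcount(UserPrincipalName),
                Failures       = count(),
                FirstFail      = min(TimeGenerated),
                LastFail       = max(TimeGenerated)
                by IPAddress, WindowStart = bin(TimeGenerated, window)
    | where FailedAccounts >= min_accounts;
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project IPAddress, SuccessTime = TimeGenerated,
              SuccessUser = UserPrincipalName, AppDisplayName;
failures
| join kind=leftouter successes on IPAddress
// keep the spray itself, plus any success from the same IP during or shortly after it
| where isnull(SuccessTime) or SuccessTime between (FirstFail .. (LastFail + window))
| summarize Failures          = max(Failures),
            FailedAccounts    = max(FailedAccounts),
            SprayStart        = min(FirstFail),
            SprayEnd          = max(LastFail),
            LikelyCompromised = make_set(SuccessUser, 10),   // accounts the IP later got into
            TargetApps        = make_set(AppDisplayName, 10)
            by IPAddress, WindowStart
| extend Tactic = "CredentialAccess", Technique = "T1110.003"
| order by array_length(LikelyCompromised) desc, FailedAccounts desc
```

Rows with a non-empty LikelyCompromised set are the ones to bookmark and escalate; rows without one still tell you which IPs to block and whether min_accounts is set too low (a noisy VPN egress address will show up every day, and the hunt is refined by raising the threshold or excluding that address, which is the input/output loop described above).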

Jupyter Notebook

  • Use Jupyter notebooks for data cleaning, transformation, simulation, statistical modeling, and machine learning.
  • Clone existing notebooks (from the Azure Sentinel notebooks repository) or create a new one in Azure Sentinel.
  • Provision the notebook workspace in the Azure Sentinel resource group; it comes with a storage account, key vault, Application Insights, and a container registry.
