Implementing and Managing Azure Sentinel
Dwayne Natwick
1 h 35 m
Lecture Overview
With the continuous adoption of digital transformation and exposure of more and more business-critical workloads to the cloud, getting a clear view on your organization’s security posture is critical.If your organization gets compromised, your business can lose trust, customers, and revenue. Cyber defense is not good enough anymore, and security officers and IT departments need to step up their game. Instead of relying on a defensive strategy, switching to a more proactive approach to detect and mitigate risk will get you there. Organizations must have the possibility to connect to cloud and on-premises running workloads and collect system and security-related data from all systems.The more traditional Security Information and Event Management (SIEM) solutions that have been around in the on-premises data centers just cannot keep up with today’s challenges, with the fast pace of data center expansion and the massive amounts of structured and unstructured telemetry generated by various workloads. And even more important, they cannot keep up with detecting and identifying near-future threats. Because of the lack of flexibility and scale, together with the high cost of implementing and configuring, these SIEM solutions are often becoming a threat themselves, giving organizations a fake impression of their security posture.That’s where Microsoft’s cloud-born Azure Sentinel comes in: a cloud-based Security Information and Event Management (SIEM) solution, built for growth, capable of absorbing large amounts of different data sources, powered by machine learning, to provide accurate, to-the-point views on your organization’s security posture. Starting from collecting data, it allows for detecting known threats, but also providing investigation engines to detect unknown threats and patterns. Next, it starts from a proactive approach in mind, bringing features like hunting and responding to incidents to the table.It’s that exact process flow we use as the structure for this condensed, yet complete course on how to implement and manage Azure Sentinel.

Related Learning Path(s):
Implementing Azure Security with Security Center and Sentinel
  • What is SIEM (Security Information and Events Management
  • Introduction to Azure Sentinel
  • Deploying and configuring Azure Sentinel service
  • Analyzing data and running analytics and investigations
  • Detecting and responding to security threats by using Sentinel Workbooks
  • Configuring Data Sources by using Data Connectors
  • Microsoft Account with Azure Subscription
  • Familiarity with Azure and overall network and application security
  • Familiarity with Azure Monitor and Azure Log Analytics
Lecture Modules
Module 1 starts with an introduction of SIEM (Security Information and Event Management) concepts, and what features such solution should offer. Quickly followed by highlighting the core characteristics of Azure Sentinel, and where it fits in the broader Azure hybrid data center world. At the end of this module, students learn how to set up the Azure Sentinel service in Azure and get an understanding on the pricing model.
In Module 2, the focus is on deploying and going over the base configuration of Azure Sentinel, what are the different capabilities and corresponding settings to use, as well as understanding its dependencies to other services in Azure, like Azure Monitor and Azure Log Analytics. Students learn how to configure Data Sources, how to analyze data using the Dashboard Views and Workbooks. 
Module 3 helps students in understanding how to detect risks and threats, by identifying suspicious activity amongst your data sources. Azure Sentinel provides several built-in templates, enabling you to do this and get notified of such threats. These templates were designed by Microsoft’s team of security experts and analysts based on known threats, common attack vectors, and suspicious activity escalation chains. After you enable these templates, they will automatically search for suspicious activity across your environment. 
Assuming certain threats have been detected in your environment, the next step involves creating incidents. Which is the core objective of Module 4. Incidents are an aggreation of evidence of a specific investigation. Using the Azure Sentinel Investigation Graph, students learn how to run investigations, set up alerts and notifications, as well as how to assign owners to perform further investigation and mitigate risk and solve the incident. 
The last step in the process flow, is responding to threats, by deploying and configuring Security Playbooks which is covered in Module 5 of this course. Security Playbooks rely on Azure Logic Apps, a business workflow engine, offering logic IFTT process steps. Another capability provided by Azure Sentinel to help responding to threats is hunting. Hunting involves executing pre-configured scripts, answering questions that allow for detecting threats that previously remained undetected. 
Try Risk Free

Start a free trial

Skill Me Up subscriptions include unlimited access to on-demand courses with live lab lab environments with our Real Time Labs feature for hands-on lab access.

Subscription Benefits
  • Access to Real Time Lab environments and lab guides
  • Course Completion Certificates when you pass assessments