Azure Security Center and Azure Sentinel Overview (AZ-500)

Reddit Comments

How do you highlight in the Azure Portal? I mean, those rectangles, is that an extension? Or is it part of your monitor?

Thanks

u/karlochacon, Mar 03 2021 (1 upvote)

Hello,

One of our clients is considering Azure Sentinel. However, their security team has come back saying that they have Splunk and they don't see a lot of advantages of Sentinel over Splunk. I highlighted SIEM v SOAR but they were still not convinced. Do you usually face issues like these? If so, how do you bring forth differentiators between on-prem SIEM solutions like Splunk and Azure Sentinel?

u/komAnt, Apr 11 2021 (1 upvote)
Captions
Hey everyone, welcome to this video providing an overview of Azure Security Center and how that fits in with Azure Sentinel. It's been a topic a lot of people have requested, so I thought it was about time I actually went and did this overview, and the S stands for security. As always, if this is useful, a like, subscribe, comment and share would be appreciated.

Now, when I think about security in Azure, or really anywhere, we always think defense in depth. I want multiple layers of protection. If I'm thinking about networking, I want distributed denial of service protection, I want web application firewalls, I want to make sure my traffic's encrypted in transit, and then when I've got data stored I want to make sure it's encrypted at rest. There are all these different layers of things, and so I can think about there being steps I take that are proactive, to make sure I've got the right configurations, the right policies in place, and then things I do to react when there is something happening. You can really think about that distinction: Azure Security Center is a lot more of that proactive type of technology, and then Sentinel is a lot more about reacting if something happens.

So we'll start with the idea that we have this Azure Security Center component, and that's doing a huge amount of different things, but a huge part of that is that assessment and that remediation. To start with, obviously we have to turn on Azure Security Center. Now one thing I will say up front: one of the things you'll see a lot is Log Analytics. When we talk about Sentinel we're always talking about a Log Analytics workspace. When you turn on Azure Security Center, yes, it does use a Log Analytics workspace, but that's really only leveraged for when I have virtual machines and I need to get certain data from the VM. Most of what Azure Security Center is actually powered by is Azure Policy, and that's what feeds a lot of what it knows about in terms of any of these remediations, you're missing these particular things.

So let's actually go and look at this. To get started you would just go to Security Center, so if I was on Home I could just search for "security" and there we can see Security Center. Now if you're accessing this for the first time it's going to say, hey, we're going to go through and set up some basic things; it's going to use a Log Analytics workspace. If you have one already you could use an existing Log Analytics workspace; if you don't, it will create one for you. Again, that Log Analytics workspace is just there for those VM-based alerts; it's not using it for many of the other things.

Now one thing I will say is, when I talk about that agent, you can configure that to automatically deploy. If I go under Management you can see this Pricing & settings, and through here I can go to each of my different subscriptions, let's say Dev. I'm going to come back to what Defender is, don't worry about that for right now, but you see this second option of Auto provisioning, and this is where I can go and do things like turn on the Log Analytics agent for virtual machines, so it will automatically go and deploy that. I could do things like edit the configuration, i.e. which workspace, and I can also turn on that auto provisioning for other types of extensions that are used for other things, like Kubernetes, like that Dependency agent. You can also do things like, if there are alerts, set up the different types of email notification.

Now you will note I said there are these Azure Defender plans; don't worry about this yet, I'm going to focus on the free part, so that's with Azure Defender off. What you can see it's telling me is, look, I'm going to get this continuous assessment and security recommendations and this Azure secure score. So this is really all about thinking that I want those good initial policies in place, to make sure I'm checking I have the right things, and that's powered by, as I drew here, Policy. So Policy is something we use to define certain aspects of the configuration of a resource. I can bundle those into initiatives, which are sets of policies, and then assign that to a certain scope, for example a subscription. What Azure Security Center does is exactly that: it has its own initiatives that it assigns to the subscriptions, and it's through that compliance report that it can then give you a secure score, say how well you're doing, prioritize certain things, and show me my all-up compliance.

So we can go back and look at this. Here in my Azure Security Center I'll just start on the Overview, and I can see straight away I have this secure score, and I also have these regulatory compliance things over here. Now again, this is all driven by Policy under the hood, so there's this actual Azure security baseline that's being leveraged now, and that Azure Security Benchmark replaces this old Azure Security Center default policy thing it used to have, but we'll talk more about that later on. But we can see I have this idea of a secure score, and I can see I've got 33 percent out of a lot of points, so really I'm not doing too well. Now one of the nice things I can do here is select this secure score, and it shows me by subscription, and then it's going to give me recommendations. These are the same recommendations I'm seeing down here in the bottom right corner as I would just see from the Recommendations view. So if I go to Recommendations it's going to show me a whole bunch of different things: enable MFA, remediate vulnerabilities, enable encryption at rest. Now if it says preview, it's a configuration that is coming but it's not quite GA yet, so it's not going to impact that secure score, but I still want to remediate it now before it's part of the secure score. You can see the relative importance of the things by how many points it's going to give me: MFA gives me 10 points, that must be a really important thing I need to do; remediate vulnerabilities, again an important thing; and then they get smaller amounts of points, so probably not such a big deal.

Now some of these things will actually have a quick fix, so "storage account public access should be disallowed": these quick fixes will actually push through a configuration to remediate those things, or actually go and change that setting. Azure Policy, remember, doesn't just have to audit or audit if not exists, which by default is what Azure Security Center does; it can also deploy if not exists, it can fix things, so these quick fixes can let me remediate certain things I actually have here.

Now one of the things you might also have noticed: it's obviously working on what it knows. It shows me the overall resource health, it's telling me, look, you don't have these things. Now maybe you do have this mitigated through something else, so one of the things I can do, and I'm just going to pick one at random, is you'll see this option to Exempt, up here in the top corner. When I exempt I can either exempt entire subscriptions or I can exempt specific resources if I have those available here. I give a reason and I say why it is exempt: is it exempt because it's mitigated, I have a different solution doing this, or is it exempt because I just don't care, I'm accepting the risk, I don't want you to show this to me anymore. Once you do one of these exemptions, the resource that you've exempted, either the subscription or the specific resource, will no longer show. So for example "storage accounts should use customer-managed key", down here you see 29 out of 30. What would actually happen here? Notice I've got an exempted resource; it's showing me one exempted resource over here, it shows under the not applicable resources, and it will show me why. It's going to show me how it's exempt, because they did the waiver, and if I wanted I could go manage that exemption: I could remove it, edit it, whatever I want to do. So if there are recommendations that I really just don't care about and I don't want to see them, I can do that exemption and I can still track that in the future.

Now the other thing we have in here is the option to have workflow automations. There are these exemption things, but also notice down here under Management I have Workflow automation. I can use workflow automations to do various things; for example, I could call this automation when I get a certain type of threat detection, when I get certain levels of recommendations, when I get a new regulatory compliance standard implemented, for example. So instead of maybe just exempting things, maybe I actually want to do something, and my action is I can call these Logic Apps. Remember, Logic Apps are these really nice graphical flows of steps I'm going to take that are triggered by something; it's a serverless technology, so it's triggered by something, in this case maybe it's a webhook or a schedule, Event Grid, something is going to trigger this workbook to go and do something.

So this is great, I have this great Security Center, I have all these recommendations, so what's powering this, what's that magic? As I talked about, it's Azure Policy, and we can see this. If we jump back over, what I can do is go to Security policy under Management, and here it's going to show me I have assigned my Azure Security Center policy, that baseline policy that it uses, that Azure Security Benchmark, and it's very comprehensive. It's assigned to both Dev and Lab. If I click that assignment there I can see, yes, I've got that assignment, and also I can see these additional regulatory standards. So yes, I can see the Azure Security Benchmark, that is the default that powers Azure Security Center recommendations and secure score; there are others, and I can also add additional ones. More are provided out of the box that I could go and add if I wanted to track them, so I can go and add them there. I can also add these just via Regulatory compliance, Manage compliance policies up here at the top, and then once again select the subscription and say, hey, I want to go and add some more standards, or you can even import additional ones.

But fundamentally what we saw there is the idea that my security policy has been assigned, so it is just a regular Azure Policy. If I now just go and look at Azure Policy, firstly if I look at just my Overview, you can see there's this "ASC Default" non-compliant that I'm really not doing very well on. If I look at my Assignments, once again I can see there's this assignment, this ASC Default assigned to the subscription here, and here my two subscriptions. That's an initiative, so if I go to my Definitions and just look at initiatives and order them by the number of policies, it's not the top one; NIST SP 800 is the top one, but then there is my Azure Security Benchmark. That's the one I was telling you about, that is now the default, and if we select that initiative we'll be able to see what exactly is making that up. It's big, so it's taking a while, it's going through, and then we can see all the different policies that are actually used by this initiative. For the Assignments we can see there are those assignments to our subscription, but for the Parameters, what is it passing to each of those policies? It's all going to be audit if not exists or audit, and if I'm doing something else it's going to have disabled.

Now when I did those exemptions, remember I had that option to do the exemption, so the exemption is doing something special behind the scenes. What the exemption is actually doing: there's this Azure Policy exemption object, and that will set the code to not applicable with a cause of exempt. So when I do an exemption, it's doing an Azure Policy exemption behind the scenes. But now I can see everything it's doing is all about auditing if not exists; it's not deploying if not exists, it's not changing anything, it just is looking and essentially reporting. I can see the default values, I can see everything it can do, but it's fundamentally just looking at stuff; that's really all I'm doing.

Now while I'm here looking at this, so it has that initiative, if you want to easily just turn on Azure Security Center for everything, here if I search for "enable azure security", there we go, there's actually a built-in policy that can do this deploy if not exists, i.e. it can go and turn on Azure Security Center for me. There are many other things I can do in here. So again, this is all about giving the information to Security Center so it can generate that secure score, so it can give me the recommendations. It's basically just looking at the compliance state of that initiative and then giving me all of this great feedback.

Now I can also take some of these pieces of information and send them somewhere else. I can integrate with another SIEM system, a SOAR solution, Log Analytics; it's going to automatically integrate with Azure Sentinel. Once again, in this Pricing & settings you'll see there's this option for a Continuous export, and I can do this both to an Event Hub (remember, an Event Hub is that publish-subscribe mechanism; I can push things to it and something else can subscribe to it, so what I'm saying here is from Azure Security Center I can do this push to an Event Hub and another SIEM solution could be on the other side of that to then take that information) and I can also do a Log Analytics workspace. You'll notice for both of these I have options around what I want to send: recommendations, secure score, alerts, compliance, and I can stream real time or I can send a weekly snapshot. So I have these different options of exactly what I want to continuously export.

So this is all great. This is really all about that idea of assessing and remediating; I'm identifying. This is really about identify: I'm going to find the different threats. Now there's an additional step, where I actually want to do protection, and this is when you start to get into more of it. It still has a security center, so it's still ASC, so I'll expand that line out a bit; it's still part of Azure Security Center, but now we're getting more into Defender. There used to be something called Azure Security Center Standard; that's been rebranded as Azure Defender, and really Azure Defender for Servers is the bulk of that functionality. What Defender does is it gives me this whole set of technologies to actually protect my workloads, implement different types of protection by looking at different types of signal. Now this does not actually run on Log Analytics; there's not really a Log Analytics workspace. There are certain things, part of SQL, that use a Log Analytics workspace, but for the most part the Defender solutions are just hooking on the back end to various types of telemetry. This actually offers a whole bunch of different solutions, both very deep for particular technologies like SQL and Azure Container Registry and IoT, and then there are more broad solutions like Azure DNS, Azure Resource Manager. This I actually have to go and turn on. Now if we remember, the regular, just Azure Security Center without Defender, is free; when I turn on Defender, I'm going to start paying some money for that. So if we go and look we can see what we then get if we actually turn on Defender, so let's jump over here.

So here we can see once again those Azure Defender plans, and if we turn Azure Defender on it gives us a whole set of additional solutions here: just-in-time VM access, adaptive controls and network hardening, regulatory compliance dashboards and reports, threat protections, threat protection for certain PaaS services. So I turn this on, and then what I can do is turn it on for specific Azure Defender types of resource protection. Here I can see servers and App Services and SQL databases and SQL machines, storage accounts, Kubernetes, container registries, Key Vault, then Azure Resource Manager, Azure DNS, and you'll see they have a cost. For each instance I pay a certain amount of money for those actual things, so realize now there is a dollar associated with these.

Once I have this turned on, now I can jump over to my Security Center, and it does show, like in the Overview, you can see here I've got things like regulatory compliance, I can see my Azure Defender coverage, I can see those insights, but now I can actually go to Azure Defender. Now it's showing me my overall coverage, so what do I actually have in terms of resources and what am I protecting, and I can see what alerts I have. Now alerts are never generated by default; I have to actually go and turn on alerts, and although you have Security alerts just up here, really without Defender I'm not going to see anything there; nothing is really going to be generating alerts by default just from the regular free tier. Now there are things I can do, for example, and I'll talk more about that in a little bit, but really these alerts are going to come from Defender; they're going to give me this capability to actually do various things.

I guess while I'm here, if you did want alerts for the free things, like if there was some kind of recommendation, remember I showed you workflow automations, so I could generate a workflow automation to call a Logic App to actually then go and fire off that alert. Or I could also, remember that continuous export, send the data to something like Log Analytics and I could trigger alerts from there. So there are ways to get things for the free tier, but when I'm looking at alerts in Azure Security Center these are really things coming from the various Defender components.

Now you see I've got a lot of alerts. Some of these I set up; you see this "attacked virtual machine" at the bottom here, this is when I was testing the Azure DNS solution, so I did a script to fake a bunch of things. But if you want to test your responses to alerts, there's actually this Sample alerts button at the top, and this will go and generate you a bunch of alerts. You can pick which sets of technologies you want alerts for, and it will then do all of these great things you're seeing here, and you can see whether you've got the right kind of responses in place: maybe it's a workflow automation to respond in some way, maybe it's an email; you can see exactly what's going to happen. So I've got all those nice alerts down there.

Also, you've got, remember, that Inventory, which is going to show information about my resources and what recommendations apply to them. But if I go back over to my Security alerts I can see all those different things that are happening in my environment. And now if I go back to Overview for a second, no, go back to my Defender, that's right, if you actually scroll to the right you'll see your most attacked resources, so I can see prevalent security alerts and I can see my most attacked resources over here. It's a nice way to quickly go and see what's happening.

OK, so we know how to turn these things on, I can see my coverage, I can see security alerts that have been triggered by various things from Azure Defender, so what else does it give me? You'll see this Advanced protection down the bottom, and these are really those main elements that we have as part of the Azure Defender solution. You can see for example VM vulnerability assessment; this is actually using Qualys, so Qualys is a third-party solution, and it's going to use that to find vulnerabilities within your workloads that I've enabled this for.

Just-in-time VM access is all about manipulating network security groups. If we remember, if I have a resource like this virtual machine, that virtual machine actually lives on a virtual network, and what we do is we apply network security groups, at the subnet level typically, but I can put it at the NIC as well, to limit the traffic that can go in and out. Now maybe I want to RDP to that virtual machine, but I don't want to leave that port open all the time. What just-in-time does is it lets me configure, and I'll show this quickly, I can enable a policy so that I have to request access. Here I've enabled it for this resource; you can see here I can configure exactly, well, I've just done it for 3389, but I could add additional ports as well, and I can delete it here or I can change it. I can say which protocol and what I am allowing: is it just one IP or a block that I'm defining, so at the request I can specify which IP is mine, and I can pick a maximum duration. Now when I actually want to use this, I as the user would have to go back to my just-in-time VM access, I would select the resource and say Request access, and it will only open up those holes in the NSG for the IP I specify for a limited amount of time. I could also just go to the VM directly and select it, say Connect, and say Request access, and I can say is it all configured IPs or my IP, and that will call the just-in-time and open up the NSG to let me actually connect to it. So that's really what that is doing.

Then we have adaptive application control. What this is doing is using machine learning to look at what are the processes that commonly run on the operating systems and basically create an allow list of apps, and then I can use that to alert me if other types of process run; maybe it's malware that wasn't picked up by the anti-malware solution. I can group these things together, so it's going to look at what's running and then alert me when something else runs.

We have the container image scanning. What that will do is, for my Azure Container Registry, when I check in an image it will grab that image and hydrate it somewhere and scan it using the Qualys engine to look for vulnerabilities, and also periodically it will go and look at the image, grab it and scan it as well, so I know my images are healthy. I don't know if I've actually got much in this one, so if we look here, oh, actually it's showing me I've got an unhealthy registry, it's a sad day, and I can see I've got one vulnerable image, and it's actually showing me what the vulnerabilities are in the image. That would obviously help me now go, OK, I should probably do a pull request, update something and get that healthy again; that's obviously not a good place that I want to be, but it's giving me that information. It might show me things like remediation steps, so there we go, I can even see which particular repository it's talking about, and there's the actual image that is causing me the problem, and then I can see the digest about it. There are eight registry-level findings, so I can really dive in and get all of that detail about why it is unhealthy.

So then going back again, we have adaptive network hardening. Remember those network security groups I talked about; there's a set of rules, a set of IP addresses and ports and protocols. What the adaptive network hardening does is it looks at those exceptions you have that allow things through and says, hey, you're not using those, so let's lock that down. It's going to recommend tightening up your NSGs if I'm really not using gaps I have in the NSG. SQL vulnerability assessment is going to go and scan your SQL deployments and look for common types of misconfiguration and vulnerabilities. File integrity monitoring will look at the files in your VMs, be it Windows or Linux (for Windows it will look at the registry as well), and it will use change tracking to see how your core files are being modified, which might indicate something negative, and then alert.

A network map helps me see vulnerabilities on my network. Right now it's saying there are no resources found; if I go over and say everything and look at all, here we can see I've got one virtual machine that has a public-facing IP, and I can track the subnet it's in, the network it's in and the subscription it's in, so it's showing me that complete tracking. Right now that's healthy; it's actually locked down. I can select that, I can see, yes, it has a public IP, but it has just-in-time protection. I can look at allowed traffic, for example, what is it allowed to talk to; I get a lot of great information. But what I can do is just show me everything, so I'm going to change the view, and now I can once again see all the different subnets I have and what's talking to those different subnets. I can see the peerings I have; it's given me alerts, for example, hey, look, you don't have an NSG assigned to this subnet. And then once again I can see the resources that hang off of it, I can see if there are system updates or system configuration. It's just a nice way to go and see everything about my environment. So again, you pick: is it everything, is it I just care about internet-facing, OK, it's showing me the tracking of the NIC to the subnet to the network to the subscription.

And then outside of that we have Internet of Things, so Internet of Things is a view of all the internet-based devices I have, those Internet of Things devices. And again, these Defender solutions are really just talking to the backend resources; I'm not paying additional money for a Log Analytics workspace here, I'm paying for whatever resources I've enabled, I'm paying for the plan that enables that, I'm not then paying for something like a Log Analytics workspace. So we have these very deep solutions around SQL and IoT and servers, and then these broader DNS and ARM solutions.

So if I'm really thinking about it, my Azure Security Center was very proactive; I'm identifying things and I'm protecting things. Remember, one of the big things we could get out of here was these alerts. So then we get into Azure Sentinel. We now have this Azure Sentinel solution, and that absolutely sits on top of a Log Analytics workspace. I can feed things into that Log Analytics workspace, so it has a whole bunch of connectors, and we have these connectors that come from a huge range of different solutions, and again I can feed those alerts here as well. So if I think of Azure Security Center as Defender, it's fairly narrow in its scope; you saw the things I could turn it on for. For Sentinel I can feed in a massive number of different things, so I have all these connectors to all these different types of systems. If this is about identifying and protecting, I can think about this now being more about actually detecting. I'm identifying if I've got misconfigurations; this is detecting an attack, this is about responding to an attack, and also it helps me recover from that attack. So this is how they really build together: very proactive, very reactive. There is some proactive stuff over here as well I can do around hunting, but really that's the way they work together, and I can think about feeding things into Sentinel.

So let's go and look at it. The first step is, if I go over here and look at Sentinel, I have to get those logs in, so it's going to use a Log Analytics workspace, and you can see straight away I have this nice overview. This is really super broad; this is adding all these different connectors. So typically where you would start, I can see over here from the Overview events over time, I can see the different potential malicious events that are happening, configuration data, but you're going to start over here: once you've turned this on and enabled it, you're going to have these Data connectors.

Now remember, you're going to hear lots of terms like SIEM and SOAR and XDR. A SIEM is a security incident and event management solution, so this is Sentinel, it's getting these incidents, these events, and then SOAR is security orchestration, automated response, the ability to do something when there is an incident, and this is where we're going to get into things like playbooks. And then there's extended detection and response, XDR.

So these are the data connectors; you can see there are 94 connectors. Look at the breadth of what this can get signals from, and again this goes beyond what Log Analytics can do on its own; Sentinel is adding additional connectors to bring data into that Log Analytics workspace. We have these huge numbers of connectors available, and you're going to turn these on for the systems you have to get the data in. Now realize there is obviously a cost to that. I pay for that data ingestion and I pay for that data storage, so that's where the cost element of Sentinel is going to come in. There are capacity reservations I can use, but fundamentally this is where I'm paying the money, for that Log Analytics workspace to get the data in.

And the whole point of what Sentinel is doing for me, so yes it's that SIEM, that SOAR solution, is it's looking at the Log Analytics workspace and it adds things like machine learning. It's doing smart stuff to actually identify. I can get all the signals in the world, I can get feeds and feeds of logs coming into me; it's pretty much useless just getting feeds of logs, it's meaningless unless I can correlate them and do something intelligent to really say, look, that and that and that together means this. That's what Sentinel is doing. Sentinel is taking those huge feeds of logs from all these different places and has the intelligence to correlate them and then draw some meaningful alert from them; for example, we can do analysis which triggers those alerts. So we have the connectors we turn on to get stuff into the Log Analytics workspace, and now Sentinel can do something.

So what does it do? I just said it: we have to do that analysis. The first thing we have here is, once we have the connectors, we can do analytics. Analytics you can think of as rules; these are rules that are built on the Kusto Query Language. Remember, Kusto is what we use to query Log Analytics. So I write these rules, which are going to generate alerts. Now I can create these from scratch, I can create a scheduled one, I can do it in response to something else, and I'll show you both of those quickly. Notice one of the things you have is incident settings, so I could make it generate an incident when this is triggered, and I can even automatically group them. I could group to say, hey, if I get a certain number within a certain amount of time and they have some common entity, group them together under the incident.

But rather than me manually trying to generate this rule, there are rule templates, and there are a lot of them, so most of the common things you're probably going to want to alert on it has here. What it will do is I can see details; if I do this one, like "MFA disabled for a user", it's showing me the Kusto Query Language, the KQL it's going to use to find it, and it's going to show me what is required. So if it's for Azure AD it needs the audit logs, and that's green, that means I have that turned on. When it's gray, i.e. from AWS, I don't have it, which means I wouldn't be able to trigger for AWS; it would still let me turn it on, but realize that's not going to work that well. Then I can do things like, here, a brute force attack: well, I need the Azure AD sign-in logs, I've got those, I'll be good, and it's showing me the query and all that, and I could create that rule. So we can just go and turn that on quickly, and when I turn that on it lets me do those things like the rule logic; I could customize things, I could set, yes, I want to create an incident, I want to group them together, do I want an automated response. I'll just skip all of that and I'll say Create. So I can now go and create rules to help me go and find those brute force attacks. The rule templates will show me what they need, the data that has to be coming in for me to work out if it's actually happening in my environment. So those rule templates are the things I'm most likely going to want to alert on.

So I can think about step one in this being that analytics: I've got my analytics, those are my rules. Then I may want to do something. Remember, those rules can do things like alerts, incidents; well, now I might want to actually do something. Yes, it's great to alert me and I'll see it in the portal, but I actually want to do something. So now what I can do is fire off, I can have these playbooks, and like many things, a playbook is a Logic App; you're going to see that in most things, we're going to use these Logic Apps. So if I jump over, the next step would be, OK, I'm going to create a playbook to automatically do something, and I can do Add playbook, and I'm going to create a Logic App, is essentially what's going to happen here. I create the Logic App that I'm then going to call. Now that's fairly tough in a way, to know what to do, but I can cheat: there is a GitHub repository, and these are a huge number of Azure Sentinel playbooks. From here I can do things like block an Azure AD user, block an Exchange IP, block an on-prem AD user, close an incident, comment on something; I can enrich different things and I can do emails, huge numbers of different things that I can do. I can click on one and say Deploy, so this will go and create that Logic App for me that I can now use; I can use that now to trigger and automatically do something. So when we think about that all-up idea, where for detecting, great, I'm detecting stuff in my analytics; hey, I want to respond, well, that can be my playbooks. My playbooks will now help me respond; I can automatically do something when those things happen. So I'm putting those different things together; they're two of the biggest things you're going to do. I absolutely have to get my analytics in place to get the rules for things I care about, and if I want to do automated response I have to have playbooks.

Even without that, remember, I can still go into my Azure Sentinel and I can still go and look at what incidents I have; I can just go and see those things. I don't have any right now, which is awesome. But there's also workbooks. A workbook is really powered by KQL; it lets me present information in different ways, and again these are really just Azure Monitor workbooks. Here once again there's a huge number of templates available, and what they're going to need is certain pieces of information, so once again I have this required data type. I need Azure diagnostics; this is the Azure distributed denial of service protection workbook. I can view the template and I can see what it would show me, so it gives me this view of stuff. This one's not super interesting. I've got this Azure AD audit activity and sign-in logs, and this one I can see I've got these three different sources of data, and I actually have that one under my workbooks, so that's one
i selected and i kind of saved it that's over there and i can actually view my saved workbook and there it is and the great thing is because it's a workbook it's got this data kind of pre-packaged so i can very nicely see all these pieces of information but it is a workbook i can edit this if it's not exactly what i want i can customize it because i remember i've saved it now i can actually edit this and change anything i want in here so it exactly matches what i want so yes they have a whole set of kind of templates that i can just go and view straight away to see information but i can also save it edit it do exactly what i want so that's what i think about okay so great i've got kind of that overview i can go and directly run kql queries against logs i can see my instance my workbooks now the next thing i can actually do is hunting so this is where well i'm being proactive i'm looking for things that may not ordinarily have analytics rules but may be indicative of something unusual happening you can see all these well consent to applications rare audit activity initiated by an application and it's just kql queries i can run the query and then view the results so it's just a whole bunch of kql that might indicate well something's not quite right so it lets me actually go hunting looking for signs of things that i want to know about so there's a whole bunch of these you can go and look for grouped by different types of attacks and once again it kind of shows me what the various data sources are that i would actually need to be able to run this then you have notebooks so notebooks this is really kind of a i guess bring your own machine learning it's a jupyter notebook which is a way to actually write machine learning in various languages like python and it's really similar to hunting but with machine learning it's still querying data so once again i still need the right connectors you can see here hey the utilized data types over here to actually be able to utilize 
this and then go and get this behavior around whatever the particular topic is um i guess the other major thing obviously is like entity behavior so this is about getting meaningful insights by profiling the different behaviors of users and various entities and then threat intelligence so sentinel has its own set of kind of intelligence about threats but they were like research people there are threat intelligence vendors that can provide indicators of compromise maybe it's known bad ips or dns or whatever that is this actually enables me to add some new feeds and these typically come in this taxi format trusted automated exchange of intelligence information and i can kind of go and add these for this kind of new feed you can see the types of threats valid etc and so this is where i can actually go and add just these various informations from so that i guess from a very high level is how i think about a lot of these different functionalities and really how they fit together so again we we have the idea of azure security center is phenomenal in terms of identifying where maybe i've not got the right configuration uh really assessing and helping remediate misconfigurations really through azure policy then we have these enhanced protections really through those defender add-ons and then we can actually move into well to detect the responding the recovering through the various connectors to get the feeds of information into log analytics workspace then we apply various queries and machine learning to trigger rules for analytics i can automatically do things through playbooks and then we have kind of the the workbooks and the hunting um at notebooks and more to actually then maybe go and look for things that are maybe indicative of something bad happening but that's kind of that the high level view um i hope that helped go and try it out again you've got the free azure security center you can at minimum get a lot of benefit from that so use that go and find things with 
those high scores for your secure score to make the biggest difference do those things first um there's a troll for defender so you could get that i think it's 30 days of saying so you can go and see that you can turn on for different things there's things you care about more and then again go and look at the sentinel and again you pay for the data ingested and that retention so depending on how much you bring in that will change what you pay for the central solution so that's it go and get secure until next time take care you
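A worked example of the kind of scheduled analytics rule the video walks through for brute force against Azure AD, written for this page in KQL; it is not a query from the video or one of Microsoft's rule templates. It counts failed sign-ins per source IP over a lookback window and flags sources that then got a successful sign-in, the case most worth an incident. It assumes the Azure AD connector is on so the SigninLogs table is populated; the lookback, the threshold and the IPCustomEntity/timestamp columns used for entity mapping are assumptions to tune for your environment.

```kql
// Added example (not from the video). Assumes the Azure AD connector feeds SigninLogs.
let lookback = 1h;          // assumed window; match it to the rule's query period
let failureThreshold = 10;  // assumed; tune per environment
// Failed password attempts per source IP.
// ResultType 50126 = invalid username or password, 50053 = account locked.
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in ("50126", "50053")
    | summarize FailedAttempts = count(),
                FailedUsers = make_set(UserPrincipalName, 20),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
      by IPAddress
    | where FailedAttempts >= failureThreshold;
// Successful sign-ins (ResultType 0) from the same sources in the same window.
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | summarize SucceededUsers = make_set(UserPrincipalName, 20),
                LastSuccess = max(TimeGenerated)
      by IPAddress;
failures
| join kind=leftouter successes on IPAddress
// A success that lands after the failures began is the high-priority row.
| extend SuccessAfterFailures = isnotnull(LastSuccess) and LastSuccess > FirstFailure
| project IPAddress, FailedAttempts, FailedUsers, SucceededUsers,
          SuccessAfterFailures, FirstFailure, LastFailure
// Columns the rule's entity mapping can use, so incident grouping by common
// entity (the IP here) works as described in the video.
| extend IPCustomEntity = IPAddress, timestamp = LastFailure
```

Saved as a scheduled rule with incident creation on and grouping by IP entity, one noisy source produces one incident rather than one alert per run; a playbook can then be attached to it for the response step.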
Info
Channel: John Savill's Technical Training
Views: 29,975
Rating: 4.9615846 out of 5
Keywords: azure, azure cloud, azure security, security, azure security center, azure sentinel, siem, soar, az-500
Id: rE-qgIgDCq8
Length: 48min 31sec (2911 seconds)
Published: Tue Mar 02 2021