Implementing A New Microsoft Sentinel Solution (part 4)

To read part 1, please click here
To read part 2, please click here
To read part 3, please click here

Deploying MMAs

The Microsoft Monitoring Agent (MMA, also known as the Log Analytics agent) collects the Windows Security, Application, and System event logs from Windows hosts, together with the web server logs of Microsoft IIS. Deployed on Linux, MMA collects syslog messages and any local log files that follow a consistent naming convention. A Linux host running MMA can also act as a syslog collector for remote syslog sources: the remote hosts forward their messages to the collector, and the agent forwards them on to the workspace. One caveat for anyone planning a deployment today: Microsoft retired the Log Analytics agent on 31 August 2024, so new deployments should use the Azure Monitor Agent (AMA) and existing MMA hosts should be migrated.
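Whatever agent is deployed, the first thing to verify is that every host is actually reporting. The two KQL queries below are an added example written for this post (not code from the original post or from Microsoft); they run in the Sentinel Logs blade against the Heartbeat and Syslog tables. The 15-minute staleness threshold and the 24-hour/1-hour lookback windows are assumptions for illustration; the Category values "Direct Agent" (MMA) and "Azure Monitor Agent" (AMA) are the values the agents themselves report, which makes this query a quick way to find hosts still waiting for migration.

```kql
// Added verification query (not from the original post). Query 1: every host
// that sent a heartbeat in the last 24 h, which agent it runs (Category is
// "Direct Agent" for MMA, "Azure Monitor Agent" for AMA), and whether it has
// gone quiet. The 15-minute threshold is an assumption.
let stale_after = 15m;
Heartbeat
| where TimeGenerated > ago(24h)
| summarize LastHeartbeat = max(TimeGenerated), HeartbeatCount = count()
    by Computer, OSType, Category, Version, ComputerIP
| extend Status = iff(now() - LastHeartbeat > stale_after, "Stale", "Healthy")
| project Computer, OSType, Category, Version, ComputerIP, LastHeartbeat, HeartbeatCount, Status
| order by Status desc, LastHeartbeat asc

// Query 2 (run separately): confirm syslog is arriving from the Linux collector
// and from the remote hosts that forward to it. HostName carries the host name
// from the syslog header, so remote sources show up under their own names
// instead of being folded into the collector.
Syslog
| where TimeGenerated > ago(1h)
| summarize Events = count(), LastEvent = max(TimeGenerated)
    by Computer, HostName, Facility
| order by Computer asc, HostName asc, Events desc
```

A host that appears in the first query as "Stale" but still shows "Direct Agent" is the usual sign of an MMA that was never replaced; a remote syslog source missing from the second query points at rsyslog/syslog-ng forwarding on that host rather than at the workspace.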

Deploying Workbooks

Microsoft Sentinel workbooks provide a wide range of visualization controls, conditional formatting and the other analytic features of the Azure Monitor workbooks platform, and they can retrieve data from several sources at once. That makes them well suited to combining data from multiple Microsoft services, such as Azure Log Analytics workspaces, Microsoft Graph, Azure Data Explorer and Azure Resource Manager, in a single interactive report.

Deploying User & Entity Behavior Analytics (UEBA)

UEBA is one of the newer capabilities offered by SIEM products. It relies on machine learning to profile users and entities (hosts, IP addresses and so on) and to detect and investigate deviations from their established behavior. Its value lies in collecting many low-fidelity signals, none of which would justify an alert on its own, and assembling them into a timeline that gives the analyst a better understanding of the entity's behavior during an investigation.
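The query below is an added example for this post (not from the original post or from Microsoft) showing the "many weak signals into one timeline" idea in KQL. Once UEBA is enabled, Sentinel writes its scored anomalies to the BehaviorAnalytics table; each row is one signal with UEBA's own InvestigationPriority score (0 to 10) and an ActivityInsights bag describing why it was flagged. The 7-day window, the priority threshold of 5 and the minimum of 3 signals per user are assumptions chosen for illustration.

```kql
// Added example (not from the original post): collapse UEBA's per-event
// signals into a per-user timeline. Window, priority threshold and the
// minimum signal count are assumptions for illustration.
let lookback = 7d;
let min_priority = 5;
let min_signals = 3;
BehaviorAnalytics
| where TimeGenerated > ago(lookback)
| where InvestigationPriority >= min_priority
// sort first so the list built below comes out in chronological order
| sort by UserPrincipalName asc, TimeGenerated asc
| summarize
    Signals = count(),
    MaxPriority = max(InvestigationPriority),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    DistinctSourceIPs = dcount(SourceIPAddress),
    Timeline = make_list(bag_pack(
        "Time", TimeGenerated,
        "Activity", ActivityType,
        "Action", ActionType,
        "SourceIP", SourceIPAddress,
        "Priority", InvestigationPriority,
        "Insights", ActivityInsights))
    by UserPrincipalName
// a single scored event is noise; several for the same user is a lead
| where Signals >= min_signals
| order by MaxPriority desc, Signals desc
```

The Timeline column is a dynamic array, so it can be expanded with mv-expand in the Logs blade or fed straight into a workbook; the point of the filter on Signals is that one medium-priority anomaly is rarely worth an analyst's time, while a cluster of them for one account over a week usually is.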

Deploying Notebooks

Microsoft Sentinel notebooks have proven very useful for advanced threat hunting over the collected data, with processing capabilities available in several programming languages, including but not limited to Python and C#/.NET.

Deploying Cyber Threat Intelligence (CTI) Functionality

CTI can be obtained from various sources: open-source data feeds, threat intelligence sharing communities, premium curated feeds, and your own security investigations. Combined with your own data, CTI adds valuable context that can significantly reduce the time needed to detect, identify and triage malicious or anomalous activity.
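The query below is an added example for this post (not from the original post), written in the shape of Microsoft's "TI map IP entity" rule templates: once a feed has been connected, its indicators land in the workspace's threat intelligence table, and a scheduled rule joins them against an event source. It assumes the legacy ThreatIntelligenceIndicator table (newer workspaces expose a ThreatIntelIndicators table with a different schema) and Azure AD sign-in data in SigninLogs; the 1-hour and 14-day lookback windows are illustrative.

```kql
// Added example (not from the original post): match active IP indicators
// against sign-in events. Table name and lookback windows are assumptions.
let dt_lookBack = 1h;    // how far back to scan the event source
let ioc_lookBack = 14d;  // how far back to load indicators
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
// ignore indicators the feed has revoked or that have expired
| where Active == true and ExpirationDateTime > now()
// feeds re-publish indicators; keep only the latest version of each one
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkDestinationIP)
| extend TI_ipEntity = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP)
| join kind=innerunique (
    SigninLogs
    | where TimeGenerated >= ago(dt_lookBack)
    | extend SigninLogs_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.IPAddress
// only count a hit if the indicator was still valid when the sign-in happened
| where SigninLogs_TimeGenerated < ExpirationDateTime
| project SigninLogs_TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, ResultType,
          Description, ThreatType, ConfidenceScore, ExpirationDateTime, IndicatorId, SourceSystem
| order by SigninLogs_TimeGenerated desc
```

Two details matter in practice: the arg_max step, without which a feed that republishes the same indicator daily produces one duplicate hit per copy, and the expiry check, which keeps a sign-in from being flagged against an indicator that lapsed before the sign-in happened. When this query is saved as a scheduled rule, map UserPrincipalName to the Account entity and IPAddress to the IP entity in the rule's entity mapping so the incident carries both.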

Deploying Alert Rules

Configuring detection rules is arguably the most important part of any Microsoft Sentinel deployment. Sentinel ships with many built-in analytics rule templates that cover the typical range of log sources, and new rules are added continually; both Microsoft and third parties can publish new content through the Microsoft Sentinel community on GitHub. Proposed rules go through community review, so only rules of demonstrated value are published into Microsoft Sentinel.
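To make the template model concrete, here is the query half of a scheduled analytics rule, written as an added example for this post (not a rule from the original post or from the Sentinel community repository). It flags a source IP that produces a burst of failed logons (Event ID 4625) on a host and then a successful network or RDP logon (Event ID 4624) on the same host from the same address. It assumes the Windows Security Events connector is populating SecurityEvent; the 1-hour window, the threshold of 10 failures and the choice of logon types 3 and 10 are assumptions to tune for your environment.

```kql
// Added example (not from the original post): scheduled rule query for a
// password-spray/brute-force burst followed by a successful logon. Window,
// threshold and logon types are assumptions; SecurityEvent must be collected.
let window = 1h;
let failure_threshold = 10;
let failures =
    SecurityEvent
    | where TimeGenerated > ago(window)
    | where EventID == 4625
    // local and empty addresses are noise for this detection
    | where isnotempty(IpAddress) and IpAddress !in ("-", "127.0.0.1", "::1")
    | summarize FailedAttempts = count(),
                TargetAccounts = make_set(TargetUserName, 20),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by Computer, IpAddress
    | where FailedAttempts >= failure_threshold;
let successes =
    SecurityEvent
    | where TimeGenerated > ago(window)
    | where EventID == 4624 and LogonType in (3, 10)   // network and RDP logons
    | project SuccessTime = TimeGenerated, Computer, IpAddress, SuccessAccount = TargetUserName;
failures
| join kind=inner successes on Computer, IpAddress
// the success has to come after the burst of failures started
| where SuccessTime > FirstFailure
| project SuccessTime, Computer, IpAddress, SuccessAccount,
          FailedAttempts, FirstFailure, LastFailure, TargetAccounts
| order by SuccessTime desc
```

The other half of the rule is its scheduling: with a 1-hour window in the query, set the rule to run every hour with a 1-hour lookup period, trigger when the result count is greater than 0, and map SuccessAccount, Computer and IpAddress to the Account, Host and IP entities. Running the rule more often than the window length produces duplicate incidents for the same burst; running it less often leaves gaps.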
