Microsoft Sentinel 101: Using a Cloud Native SIEM
Organizations' infrastructures are becoming more complex. As the new landscape expands into the cloud and third-party PaaS and SaaS services, it has become more of a challenge to maintain proper visibility and aggregation of logs into a single pane of glass. While Security Information and Event Management (SIEM) systems have been around for years, the complexity of new data sources, infrastructure, and business needs require a scalable approach. Sentinel is a scalable cloud-native solution that can ingest sources from both cloud and on-prem.
Sentinel: This 2-hour introduction demonstration will provide a high-level understanding of the user interface, Sentinel architecture, log ingestion, rule creation process, and different methods used to investigate and correlate logs in Sentinel.
Skills Learned:
- Knowledge of how Sentinel is deployed
- Create analytics rules (detection rules)
- Knowledge of the available methods of ingesting logs
- Knowledge of Data connectors and Content Hub
- Creation of parsers
- Ability to navigate Sentinel and use logs, entities, and the investigation page to investigate alerts
Prerequisites
The workshop is an introduction to Sentinel. Students will not need to have prior experience with Sentinel or KQL (Kusto Query Language).
The following are courses or equivalent experiences that are prerequisites for the workshop:
- SANS SEC488: Cloud Security Essentials or hands-on experience using Microsoft Azure Cloud.
- Students must have basic familiarity with Azure IAM.
- Understand basic cloud resources such as virtual machines, storage services, and Identity Access Management
Laptop Requirements
Attendees need to have:
- A laptop with a web browser (i.e. Edge, Firefox, Chrome). The laptop should have unrestricted access to the Internet and full administrative access.
John Alves
John Alves is a cloud security principal with just shy of a decade of experience in information security across network engineering, systems administration, compliance, and cloud security. He leads the cloud security practice at CyberOne Security and is a subject matter expert across Azure and Microsoft 365. He holds multiple certifications from various certifying bodies, most notably GPCS, GCWN, GSEC, and Microsoft Certified Trainer, Microsoft Solutions Architect, Microsoft Cybersecurity Architect. Over the course of his career he has demonstrated deep technical understanding of security practices, and has consistently delivered robust solutions to enterprises. @cyberlowdown | Linkedin.com/in/alves-john/
