Microsoft Sentinel 101: Using a Cloud Native SIEM

Organizations' infrastructures are becoming more complex. As the new landscape expands into the cloud and third-party PaaS and SaaS services, it has become more of a challenge to maintain proper visibility and aggregation of logs into a single pane of glass. While Security Information and Event Management (SIEM) systems have been around for years, the complexity of new data sources, infrastructure, and business needs require a scalable approach. Sentinel is a scalable cloud-native solution that can ingest sources from both cloud and on-prem.

Sentinel: This 2-hour introduction demonstration will provide a high-level understanding of the user interface, Sentinel architecture, log ingestion, rule creation process, and different methods used to investigate and correlate logs in Sentinel.

Skills Learned:

• Knowledge of how Sentinel is deployed
• Create analytics rules (detection rules)
• Knowledge of the available methods of ingesting logs
• Knowledge of Data connectors and Content Hub
• Creation of parsers

Ability to navigate Sentinel and use logs, entities, and the investigation page to investigate alerts

Prerequisites

The workshop is an introduction to Sentinel. Students will not need to have prior experience with Sentinel or KQL (Kusto Query Language).

The following are courses or equivalent experiences that are prerequisites for the workshop:

• SANS SEC488: Cloud Security Essentials or hands-on experience using Microsoft Azure Cloud.
• Students must have basic familiarity with Azure IAM.
• Understand basic cloud resources such as virtual machines, storage services, and Identity Access Management

Laptop Requirements

Attendees need to have:

• A laptop with a web browser (i.e. Edge, Firefox, Chrome). The laptop should have unrestricted access to the Internet and full administrative access.