Security
Activity Logs – Here you get information on all of the control plane activities.
Azure Resource logs – Here you can get insights into the operations performed on the resource itself.
Azure Active Directory reports – Here you can get information on the sign-in activity and other aspects of Azure Active Directory.
Virtual Machines – You can get the logs from the underlying Windows and Linux virtual machines.
Azure Storage Analytics – This can provide insights into the requests made to storage accounts.
Network Security Group flow logs – You can get information about the inbound and outbound flows via the Network Security Groups.
Threat protection

Microsoft Sentinel
This is a cloud service that provides a solution for SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response).
This provides a solution that helps in the following:
Collection of data – Here you can collect data across all users, devices, applications and your infrastructure. The infrastructure could be located on-premises or in the cloud.
It helps to detect previously undetected threats.
It helps to hunt for suspicious activities at scale.
It helps to respond to incidents rapidly.
Once you start using Microsoft Sentinel, you can start collecting data using a variety of connectors.
You have connectors for a variety of Microsoft products and for third-party products as well.
You can then use the in-built workbooks to get more insights into the collected data.
[Slide diagram: Microsoft Sentinel – Visibility, Analytics, Hunting, Incidents, Automation]

Workbooks
Here you can visualize and monitor the data.
You can use the in-built workbooks available in Microsoft Sentinel.
You can create your own workbooks.
Microsoft Sentinel Automation
In addition to being a SIEM solution (Security Information and Event Management), it is also a SOAR solution (Security Orchestration, Automation and Response).
You can use Automation rules that help to centrally manage the automation of how incidents are handled.
A playbook is a collection of response and remediation actions. This can be used to orchestrate your threat response.
Playbooks make use of Azure Logic Apps as a workflow solution.
Vulnerability
With Microsoft Defender for Cloud plans, you can deploy a vulnerability assessment solution to your virtual machines.
You can deploy Microsoft Defender for Endpoint, which is supported for Azure virtual machines and Azure Arc-enabled machines.
This helps to discover vulnerabilities and misconfigurations in real time. Here there is no need for agents or periodic scans.
With Microsoft Defender for Cloud plans, you can also opt to deploy the Qualys scanner.
Here you don’t need a separate Qualys license or account.
This is also supported on Azure virtual machines and Azure Arc-enabled servers.
An extension to the Azure virtual machine will be deployed when you opt to deploy the vulnerability assessment solution.
For the Qualys scanner, the scanning begins automatically as soon as the extension is installed successfully.
The Qualys scan is then run every 12 hours.
Workload protection

File Integrity Monitoring
Examines operating system files, Windows registries, application software and Linux system files.
The Log Analytics agent sends data reporting the state of items on the machine.
You can also specify which files and folders to monitor.
You can also connect machines in your AWS cloud environments.
Adaptive Application Controls
This is an intelligent and automated solution that can be used to define an allow list of known-safe applications.
This then helps to identify any sort of potential malware, or outdated or unauthorized applications.
Machines can be segregated into groups if they run similar types of applications.
You can define rules to configure how applications are managed when it comes to Adaptive Application Controls.
Network hardening
It helps to harden the Network Security Group rules.
It uses internal machine learning algorithms to provide indicators on how to harden the Network Security Groups.
Some of the requirements to enable this feature on VMs – Microsoft Defender for Servers, and 30 days of traffic data.
You get alerts if traffic flowing via the resource is not within the defined IP range.
Entitlement management
Helps to efficiently manage access to groups, applications and SharePoint Online sites.
Here the access can be granted for internal and external users.

Access Package
This is a bundle of all the resources which the user would need access to:
Membership of an Azure AD Security Group
Membership of Microsoft 365 Groups and Teams
Assignment to Azure AD Enterprise applications
Membership of SharePoint Online Sites

License requirement – Azure AD Premium P2 licenses are required for members who request an access package, members who approve requests for an access package, members who review assignments for an access package, and members who have a direct assignment to an access package.
Identity

Identity Protection
Has the ability to automatically detect and remediate identity-based risks.
Uses its own threat intelligence to understand identity-based risks.

The different risks
User risk:
Leaked credentials – This detects if the user's credentials have been leaked.
Sign-in risk:
Anonymous IP address – The user is not signing in from a typical IP address.
Atypical travel – Here sign-ins are happening from different geographic locations.
Malware – Here the user’s device could be infected with malware.
Password spray – Someone is trying out different passwords.
Unfamiliar sign-in properties – Not the typical behavior of the user's sign-ins.
Privileged Identity Management
Control – Control and manage access to key resources.
Scope – Here you can control access to resources in Azure AD, Azure and Microsoft 365.
Requirement – Here you can ensure that a user only gets access when required.

Just-in-time – Here you can provide privileged access to resources only when it is required.
Time-bound – You can specify start and end dates for the access.
Multi-Factor Authentication – An increased level of authentication is required to activate a role.
Approval – You can ensure approval is required for any role.

License – You need to have Azure AD Premium P2 licenses.
Azure AD Conditional Access
Here you can define the conditions under which you want to give users access to a resource.
You can make use of different signals for the conditions – the user and their location, the device they are logging in from, the application, and real-time risk.
Based on the condition you can decide whether the user should be allowed access, blocked, or required to use MFA.
These rules are enforced after the first-factor authentication is complete.
This feature requires the use of an Azure AD Premium P1 license.
To make use of risk-based policies from within Identity Protection, you need to have Azure AD Premium P2 licenses in place.
Azure Active Directory B2C
This provides business-to-customer identity as a service.
Here customers can sign into applications using their social identities, enterprise identities, or local account identities.
Normally used when businesses want to authenticate their end users to their web/mobile applications.
Uses the standard authentication protocols – OpenID Connect and OAuth 2.0.
Microsoft Defender for Cloud
This is a Cloud Security Posture Management and Cloud Workload Protection Platform. You can monitor Azure resources, Amazon Web Services resources and on-premises resources.
It continually assesses the security posture of your resources. It generates a secure score based on the assessment.
You get recommendations on how to improve the security of your resources.
It can also detect and resolve threats to resources and services.
When it comes to Azure virtual machines, this service will automatically deploy the Log Analytics agent to the virtual machines.
The agent will continuously send information to the workspace, and then Microsoft Defender for Cloud will analyze the data.
For on-premises servers, Microsoft Defender for Cloud will make use of the Azure Arc service.
If you have connected your Amazon Web Services account to an Azure subscription, you can protect resources in that account as well.
It is always good to have a benchmark or baseline to see how the security of your resources aligns with that benchmark.
Microsoft has the Azure Security Benchmark that provides best practices and recommendations for securing workloads.
The benchmark covers different domains such as Network security, Identity Management and Data protection.
There is a free plan that is enabled for all Azure subscriptions.
Here you get the secure score, are able to apply the security policy and get basic recommendations.
And then you have the Enhanced or paid version. You can use a 30-day free trial.
This gives your resources further protection.
You get Microsoft Defender for Endpoint – This provides endpoint detection and response (EDR).
You can carry out vulnerability assessment for virtual machines, SQL resources and container registries.
You can protect your resources in Amazon Web Services and Google Cloud Platform.

Microsoft Defender for Servers can help protect your Windows and Linux machines in Azure, AWS, GCP and on-premises.
You get two options when it comes to plans. There is Defender for Servers Plan 2 that gives a lot of features.
Here you get features such as integrated vulnerability assessments, threat detection etc.

Auto-provisioning feature
Here Microsoft Defender for Cloud will automatically install an agent on the Azure virtual machines.
The agent will send data to a Log Analytics workspace.
The data collected in the workspace will provide visibility into missing updates, any sort of misconfigured OS security settings, and the endpoint protection status.
Regulatory Compliance
Here Microsoft Defender for Cloud will compare the configuration of your resources against industry standards, regulations and benchmarks.
By default, an Azure subscription will have the Azure Security Benchmark assigned.
You have other standards available as well. You can make use of these standards, but you need to have the Defender for Cloud enhanced security features enabled.
You can assign the different standards to the dashboard.
Microsoft Defender for Containers
You have Microsoft Defender for Containers.
This can perform a vulnerability scan of images in Azure Container Registry.
When a new image is pushed to the registry, a scan will be performed.
Also, weekly scans of any images pulled in the last 30 days are conducted.
You also get threat protection for your Azure Kubernetes clusters.
Here the Defender agent performs analysis of Kubernetes audit logs.
This can detect activities such as the creation of high-privileged roles or the creation of sensitive mounts.
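The two audit-log detections the slide names, written out as an added example (this is not the slides' code and not Defender's own logic): it walks Kubernetes audit events in JSON-lines form and flags successful creation of a binding to a high-privileged role and of a pod mounting a sensitive host path. The role list, the host-path list and the sample events are constructed assumptions; the field names are those of the real audit.k8s.io event format.

```python
import json

# Assumed starter lists an operator would tune; not from the slides or from Defender.
HIGH_PRIV_ROLES = {"cluster-admin", "admin", "edit"}
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/var/run/docker.sock",
                        "/run/containerd", "/var/lib/kubelet")


def _is_successful_create(event):
    """Only completed, successful create requests count as something that happened."""
    return (event.get("verb") == "create"
            and event.get("stage") == "ResponseComplete"
            and event.get("responseStatus", {}).get("code", 0) < 300)


def _sensitive_path(path):
    """True for the node root or any path at or under one of the listed host paths."""
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def check_privileged_binding(event):
    """Flag a RoleBinding/ClusterRoleBinding whose roleRef is a high-privileged role."""
    resource = event.get("objectRef", {}).get("resource")
    if resource not in ("clusterrolebindings", "rolebindings"):
        return None
    role = event.get("requestObject", {}).get("roleRef", {}).get("name")
    if role in HIGH_PRIV_ROLES:
        return {"rule": "high-privileged-binding",
                "user": event["user"]["username"],
                "detail": f"{event['objectRef'].get('name')} -> {role}"}
    return None


def check_sensitive_mount(event):
    """Flag a pod whose spec mounts a sensitive hostPath from the node."""
    if event.get("objectRef", {}).get("resource") != "pods":
        return None
    for vol in event.get("requestObject", {}).get("spec", {}).get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path and _sensitive_path(path):
            return {"rule": "sensitive-mount",
                    "user": event["user"]["username"],
                    "detail": f"{event['objectRef'].get('name')} mounts {path}"}
    return None


def analyze(audit_log_text):
    """Run every check over each JSON-lines audit event and return the findings."""
    findings = []
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not _is_successful_create(event):
            continue  # denied or still-in-flight requests are not actions that occurred
        for check in (check_privileged_binding, check_sensitive_mount):
            hit = check(event)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events (audit.k8s.io field names, all values invented).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "dev@example.com"},
     "objectRef": {"resource": "clusterrolebindings", "name": "dev-admin"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
     "responseStatus": {"code": 201}},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "ci-bot"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "debug"},
     "requestObject": {"spec": {"volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}]}},
     "responseStatus": {"code": 201}},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "ci-bot"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web"},
     "requestObject": {"spec": {"volumes": [{"name": "cfg", "configMap": {"name": "web-cfg"}}]}},
     "responseStatus": {"code": 201}},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "intern"},
     "objectRef": {"resource": "clusterrolebindings", "name": "try-admin"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
     "responseStatus": {"code": 403}},  # denied by RBAC, so not reported
])

if __name__ == "__main__":
    for finding in analyze(SAMPLE_AUDIT_LOG):
        print(finding)
```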
Azure Blueprints
Azure Blueprints can include the following:
Role assignments – If you need specific roles to be assigned.
Policy assignments – This is if you need specific policies to be applied.
Resource groups – If you need certain resource groups to be in place.
Azure Resource Manager templates – If there are resources that need to be deployed.
Definition – Here you define the Blueprint itself. The Blueprint needs to be saved to either a management group or a subscription.
When you save the Blueprint to a management group, the Blueprint can be assigned to any subscription which is part of the management group.
To save the Blueprint definition, you need to have Contributor access to either the management group or the subscription.
Publishing – Once the Blueprint is defined, you can publish it. Here you can assign a version number to the Blueprint.
Assignment – Here the Blueprint is then assigned to a subscription.
You can protect resources deployed via the Blueprint with resource locks.
Here even if there is a user with the Owner role, the user will still not be able to remove the lock.
You can only remove the lock by unassigning the Blueprint.
Protecting
Domain controllers should be protected with Trusted Platform Module chips.
The volumes on the domain controller servers need to be protected via BitLocker Drive Encryption.
Domain controllers should allow connections only from authorized users and systems.
This can be implemented via the use of Group Policy Objects.
Manage the updates for the domain controllers.
Microsoft Defender for Identity can be used to monitor domain controllers.
Microsoft Defender for Identity can capture the network traffic, correlate it with Windows events and analyze it for any threats.
Microsoft 365 Defender
Defender for Endpoint – It helps to protect your endpoints. It can provide automated response and investigation. It also has Vulnerability Management.
Defender for Office 365 – Safeguards against malicious threats when it comes to email messages, links etc.
Defender for Identity – Helps to protect your identities defined in your on-premises Active Directory.
Defender for Cloud Apps – Helps to bring visibility and controls to the usage of other cloud applications.
Protecting data
Once attackers gain access to your network, they can also get access to your data.
A hacker would first use an account with elevated privileges to gain access to data.
The hacker could then copy data across the network to another location.
Or the hacker could simply delete the data.

Azure SQL Database
Implement dynamic data masking to limit the exposure of sensitive data.
Ensure that database columns that store sensitive data are encrypted.
Enable database-level encryption.

Other data stores
Azure Virtual Machine Disks – Enable Azure Disk Encryption
Azure Storage Accounts – Azure Storage Service Encryption
Encryption of data in Azure Cosmos DB
Data Masking
Here the exposure of the data in a database table can be limited for non-privileged users.
You can create a rule that can mask the data.
Based on the rule you can decide on the amount of data to expose to the user.
There are different masking rules:
Credit Card masking rule – This is used to mask columns that contain credit card details. Here only the last four digits of the field are exposed.
Email – Here the first letter of the email address is exposed, and the domain name of the email address is replaced with XXX.com.
Custom text – Here you decide which characters to expose for a field.
Random number – Here you can generate a random number for the field.
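The four masking rules above, as an added example (not the slides' code and not Azure SQL's implementation) that applies a column-to-rule policy to a constructed result set, so a non-privileged reader gets masked values while a privileged reader sees the original row. The exact masked formats, the policy and the sample rows are assumptions for illustration.

```python
import random
import re


def mask_credit_card(value):
    """Credit card rule: expose only the last four digits (format is an assumption)."""
    digits = re.sub(r"\D", "", str(value))
    return "XXXX-XXXX-XXXX-" + digits[-4:]


def mask_email(value):
    """Email rule as the slide describes it: first letter kept, domain becomes XXX.com."""
    return value[:1] + "XXX@XXX.com"


def mask_custom_text(value, prefix, suffix, padding="XXXX"):
    """Custom text rule: expose `prefix` leading and `suffix` trailing characters.
    Assumption: a value too short to leave anything hidden returns only the padding,
    so a short value never leaks through the exposed prefix/suffix."""
    if len(value) <= prefix + suffix:
        return padding
    return value[:prefix] + padding + (value[-suffix:] if suffix else "")


def mask_random_number(value, low=1, high=9999, rng=random):
    """Random number rule: the real value is replaced by a random number in [low, high]."""
    return rng.randint(low, high)


# Constructed masking policy: column name -> masking function.
POLICY = {
    "card_number": mask_credit_card,
    "email": mask_email,
    "ssn": lambda v: mask_custom_text(v, prefix=0, suffix=4, padding="XXX-XX-"),
    "salary": mask_random_number,
}


def apply_masking(rows, privileged, policy=POLICY):
    """Return the rows as the reader would see them: unchanged for a privileged
    principal, masked column by column for everyone else. Unlisted columns pass through."""
    if privileged:
        return [dict(row) for row in rows]
    return [{col: (policy[col](val) if col in policy else val) for col, val in row.items()}
            for row in rows]


# Constructed sample rows; none of these values are real.
SAMPLE_ROWS = [
    {"id": 1, "email": "alice@contoso.example", "card_number": "4111 1111 1111 1234",
     "ssn": "123-45-6789", "salary": 85000},
    {"id": 2, "email": "bob@fabrikam.example", "card_number": "5555-4444-3333-9876",
     "ssn": "987-65-4321", "salary": 62000},
]

if __name__ == "__main__":
    for row in apply_masking(SAMPLE_ROWS, privileged=False):
        print(row)
```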
Auditing
You can enable auditing for an Azure SQL database and also for Azure Synapse Analytics.
This feature can be used to track database events and write them to an audit log.
The logs can be stored in an Azure storage account, a Log Analytics workspace or Azure Event Hubs.
This helps in regulatory compliance. It helps to gain insights into any anomalies when it comes to database activities.
Auditing can be enabled at the database or server level.
If it is applied at the server level, then it will be applied to all of the databases that reside on the server.
Data classification
The Azure SQL Database and Azure Synapse services have the capability of Data Discovery and Classification.
This service can scan the database and identify columns that contain potentially sensitive data.
You can also apply sensitivity-classification labels to certain columns.
Azure SQL Database Encryption
This feature is used to encrypt the data at rest.
It carries out the real-time encryption and decryption of the database, its backups and transaction log files.
This is enabled by default on all new Azure SQL databases.
The Always Encrypted feature can be used to encrypt data at rest and in motion.
You can encrypt multiple columns located in different tables.
You can encrypt multiple columns located in the same table.
You can just encrypt one specific column.
You have 2 types of encryption:
Deterministic encryption – Here the same encrypted value is generated for any given plain text value. This is less secure, but it allows for point lookups, equality joins, grouping and indexing on encrypted columns.
Randomized encryption – This is the more secure encryption method, but it prevents searching, grouping, indexing and joining on encrypted columns.
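Why deterministic encryption permits equality joins while randomized does not, and what the "less secure" trade-off leaks, as an added example that is not from the slides and is not Always Encrypted's actual algorithm: it uses an illustrative standard-library construction (HMAC-SHA256 as a keystream generator) where deterministic mode derives the nonce from the plaintext and randomized mode draws a fresh random nonce; the key and sample columns are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


def _keystream(key, nonce, length):
    """PRF keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to `length`."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, plaintext, deterministic):
    """Deterministic: nonce is a keyed hash of the plaintext (synthetic IV), so equal
    plaintexts give byte-equal ciphertexts. Randomized: fresh random nonce every call."""
    if deterministic:
        nonce = hmac.new(key, b"siv|" + plaintext, hashlib.sha256).digest()[:NONCE_LEN]
    else:
        nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt(key, blob):
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))


def encrypt_column(key, values, deterministic):
    return [encrypt(key, v.encode(), deterministic) for v in values]


def equality_join(left, right):
    """What the database engine can do without the key: match rows whose ciphertexts
    are byte-equal. Returns (left_index, right_index) pairs."""
    index = {}
    for j, c in enumerate(right):
        index.setdefault(c, []).append(j)
    return [(i, j) for i, c in enumerate(left) for j in index.get(c, [])]


def duplicate_groups(ciphertexts):
    """The leak that makes deterministic mode less secure: an observer without the
    key can count how many distinct values repeat in the column."""
    counts = {}
    for c in ciphertexts:
        counts[c] = counts.get(c, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


# Constructed key and sample columns; not a real column encryption key.
KEY = hashlib.sha256(b"constructed demo key, not a real column encryption key").digest()
PATIENTS = ["alice", "bob", "alice"]
VISITS = ["bob", "alice", "carol"]


def demo(deterministic):
    """Encrypt both columns the same way and report what the server-side join sees."""
    left = encrypt_column(KEY, PATIENTS, deterministic)
    right = encrypt_column(KEY, VISITS, deterministic)
    return {"join": equality_join(left, right),
            "repeats_visible": duplicate_groups(left),
            "roundtrip": [decrypt(KEY, c).decode() for c in left] == PATIENTS}


if __name__ == "__main__":
    print("deterministic:", demo(True))
    print("randomized:   ", demo(False))
```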

do you want to know about what is Microsoft Sentinel.pdf

  • 2. Security Activity Logs – Here you get information on all of the control plane activities. Azure Resource logs – Here you can get insights on the operations performed on the resource itself. Azure Active Directory reports – Here you can get information on the sign-in activity and other aspects when it comes to Azure Active Directory.
  • 3. Security Virtual Machines – You can get the logs from the underlying Windows and Linux virtual machines. Azure Storage Analytics – This can provide insights onto the requests made to storage accounts. Network Security Group flow – You can get information about the inbound and outbound flows via the Network Security Groups.
  • 4. Microsoft Sentinel T h r e a t p r o t e c t i o n
  • 5. This is a cloud service that provides a solution for SEIM ( Security Information Event Management) and SOAR ( Security Orchestration Automated Response) Microsoft Sentinel This provides a solution that helps in the following Collection of data – Here you can collect data across all users, devices, applications and your infrastructure. The infrastructure could be located on-premise and on the cloud. It helps to detect undetected threats.
  • 6. It helps to hunt for suspicious activities at scale. Microsoft Sentinel It helps to respond to incident rapidly. Once you start using Microsoft Sentinel, you can start collecting data using a variety of connectors. You have connectors for a variety of Microsoft products and other third-party products as well. You can then use in-built workbooks to get more insights on the collected data.
  • 9. Security Here you can visualize and monitor the data. You can use the in-built workbooks available in Microsoft Sentinel. You can create your own workbooks.
  • 11. 1 3 4 2 In addition to being a SIEM Solution (Security Information and Event Management), its also a SOAR Solution(Security Orchestration, Automation and Response) Microsoft Sentinel Automation c You can use Automation rules that help to centrally manage the automation of how incidents are managed. A playbook is a collection of response and remediation actions. This can be used to orchestrate your threat response. Playbooks make use of Azure Logic Apps as a workflow solution. Security SOAR Solution Rules Playbook Logic Apps
  • 12. Vu l n e rab i l i ty
  • 13. With Microsoft Defender for Cloud plans, you can deploy a vulnerability assessment solution to your virtual machines. Vulnerability c Vulnerability You can deploy Microsoft Defender for Endpoint which is supported for Azure virtual machines and Azure Arc-enabled machines. This helps to discover vulnerabilities and misconfigurations in real time. Here there is no need of agents or periodic scans.
  • 14. With Microsoft Defender for Cloud plans, you can also opt to deploy the Qualys scanner. Vulnerability c Vulnerability Here you don’t need a separate Qualys license or account. This is also supported on Azure virtual machines and Azure Arc-enable servers.
  • 15. An extension to the Azure virtual machine will be deployed when you opt to deploy the vulnerability assessment solution. Vulnerability c Vulnerability The scanning begins automatically as soon as the extension is installed successfully when it comes to the Qualys scanner. For the Qualys scanner, the scan is then run every 12 hours.
  • 17. 1 3 4 2 Examines operating system files, Windows registries, application software, Linux system files. File Integrity Monitoring c The Log Analytics agent sends data reporting the state of items on the machine. You can also mention which files and folders to monitor. You can also connect your machines in your AWS cloud environments. Workload Protection Detect changes Change Tracking Files Cloud
  • 18. 1 3 4 2 This is an intelligent and automated solution that can be used to define an allow list of known-safe applications. Adaptive Application Controls c This then helps to identify any sort of potential malware, outdated or unauthorized applications. Applications can be segregated into groups if they run the similar types of applications. You can define rules to configure how applications are managed when it comes to Adaptive application controls. Workload Protection Applications Identify Groups Rules
  • 19. 1 3 4 2 It helps to harden the Network Security Group rules. Network hardening c It uses internal machine learning algorithms to provide indicators on how to harden the Network Security Groups. Some of the requirements to enable this feature on VM’s – Microsoft Defender for servers, 30 days of traffic data. You get alerts if traffic flowing via the resource is not within the defined IP range. Workload Protection Network Security Groups Identification Requirement Alerts
  • 21. Entitlement Helps to efficiently manage access to groups, applications and SharePoint Online Sites. Here the access can be granted for internal and external users. c Entitlement management
  • 22. 1 3 4 2 Membership to an Azure AD Security Group Access Package c Membership to Microsoft 365 Groups and Teams Assignment to Azure AD Enterprise applications Membership to SharePoint Online Sites This is a bundle of all resources which the user would need access to Entitlement management
  • 23. 1 3 4 2 Required for members who request for an access package Access Package c Required for members who approve requests for an access package Required for members who review assignments for an access package Required for members who have direct assignment to an access package License requirement – Azure AD Premium P2 licenses Entitlement management
  • 25. Identity Has the ability to automatically detect and remediate identity-based risks LEARN NOW c Identity Protection Uses its own threat intelligence to understand identity-based risks
  • 26. Anonymous IP Address Anonymous IP address – The user is not signing in from a typical IP address Leaked credentials This detects if the users' credentials have been leaked Risks The different risks c User-risk Sign-in risk Sign-in risk Sign-in risk Sign-in risk Sign-in risk Atypical travel Here sign-ins are happening from different geographic locations Malware Here the user’s device could be infected with a malware Password spray Someone is trying out different passwords Unfamiliar sign-in properties Not the typical behavior the user sign ins Identity Protection
  • 28. Control and manage access to key resources. Here you can control access to resources in Azure AD, Azure and Microsoft 365. Here you can ensure that a user only gets access when required. 1 2 3 Control Scope Requirement Privileged c Privileged Identity Management
  • 29. Timebound Multi-Factor Authentication Approval Just-in-time Here you can provide privileged access to resources whenever they are required Just-in-time You can mention start and end dates for the access. Time-bound Increased level of authentication to activate a role. Multi-Factor Authentication You can ensure approval is required for any role. Approval Privileged Identity Management c Privileged Identity Management
  • 30. License You need to have Azure AD Premium P2 licenses LEARN NOW c Privileged Identity Management
  • 32. 1 3 4 2 Here you can define conditions based on which you want to give access to users for a resource. Azure AD Conditional Access c You can make use of different signals for the conditions – User and their location, device they are logging from, the Application , real-time risk. Based on the condition you can decide whether the user should be allowed access , blocked access or they require the user of MFA. These rules are enforced after the first-factor authentication is complete. Security Conditions Signals Access Enforced
  • 33. Security This feature requires the use of Azure AD Premium P1 license. To make use of Risk-based policies from within Identity Protection, you need to have Azure AD Premium P2 licenses in place.
  • 34. Azure
  • 35. Azure Active Directory B2C – Service: provides business-to-customer identity as a service. Sign-in: customers can sign in to applications using their social, enterprise, or local account identities. Purpose: normally used when a business wants to authenticate its end users to its web/mobile applications. Standards: uses the standard authentication protocols – OpenID Connect and OAuth 2.0.
  • 37. Microsoft Defender for Cloud – Purpose: a Cloud Security Posture Management and Cloud Workload Protection platform; you can monitor Azure resources, Amazon Web Services resources and on-premises resources. Secure Score: it continually assesses the security posture of your resources and generates a secure score based on the assessment. Recommendations: you get recommendations on how to improve the security of your resources. Threats: it can also detect and resolve threats to resources and services.
  • 38. For Azure virtual machines, this service automatically deploys the Log Analytics agent to the virtual machines. The agent continuously sends information to the workspace, and Microsoft Defender for Cloud then analyzes the data. For on-premises servers, Microsoft Defender for Cloud makes use of the Azure Arc service. If you have connected your Amazon Web Services account to an Azure subscription, you can protect resources in that account as well.
  • 39. It is always good to have a benchmark or baseline against which to see how the security of your resources aligns. Microsoft has the Azure Security Benchmark, which provides best practices and recommendations for securing workloads. The benchmark covers different domains such as network security, identity management and data protection.
  • 40. There is a free plan that is enabled for all Azure subscriptions. Here you get the secure score, the ability to apply the security policy, and basic recommendations.
  • 41. Then there is the Enhanced (paid) version, for which a 30-day free trial is available. This gives further protection to your resources: you get Microsoft Defender for Endpoint, which provides endpoint detection and response (EDR); you can carry out vulnerability assessment for virtual machines, SQL resources and container registries; and you can protect your resources in Amazon Web Services and Google Cloud Platform.
  • 43. Microsoft Defender for Servers helps protect your Windows and Linux machines in Azure, AWS, GCP and on-premises. There are two plans to choose from. Defender for Servers Plan 2 offers the larger feature set, with features such as integrated vulnerability assessment and threat detection.
  • 44. Auto-provisioning feature – here Microsoft Defender for Cloud automatically installs an agent on the Azure virtual machines. The agent sends data to a Log Analytics workspace. The data collected in the workspace provides visibility into missing updates, misconfigured OS security settings, and the endpoint protection status.
  • 46. Regulatory Compliance – Compliance: here Microsoft Defender for Cloud compares the configuration of your resources against industry standards, regulations and benchmarks. Benchmark: by default, an Azure subscription has the Azure Security Benchmark assigned. Standards: other standards are available as well, but to use them you need the Defender for Cloud enhanced security features. Dashboard: you can assign the different standards to the compliance dashboard.
  • 47. Microsoft Defender for containers
  • 48. Microsoft Defender for containers can perform a vulnerability scan of the images in Azure Container Registry. When a new image is pushed to the registry, a scan is performed. Weekly scans of any images pulled in the last 30 days are also conducted.
  • 49. You also get threat protection for your Azure Kubernetes clusters. Here the Defender agent analyzes the Kubernetes audit logs. This can detect activities such as the creation of high-privileged roles or the creation of sensitive mounts.
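The two detections named above, creation of high-privileged roles and of sensitive mounts, both come straight out of Kubernetes audit events, so it is worth seeing what such a rule actually checks. The following is an added example and not the Defender agent's own logic: it scans a constructed audit log (minimal events in the shape of the Kubernetes audit `Event`, with only the `verb`, `objectRef` and `requestObject` fields that the rules need) and flags wildcard RBAC rules, bindings to `cluster-admin`, and pod `hostPath` volumes on a list of host paths that is itself an assumption for the demo.

```python
"""Toy scanner for two classes of risky activity in Kubernetes audit logs.
Added example, not Defender for Containers' detection logic; events and path list are constructed."""
import json

# Host paths that give a container a foothold on the node (constructed, not exhaustive)
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/root", "/var/run/docker.sock")


def _event(audit_id, verb, resource, body=None):
    """Build a minimal Kubernetes audit Event as a JSON line; real events carry many more fields."""
    return json.dumps({"auditID": audit_id, "verb": verb,
                       "objectRef": {"resource": resource}, "requestObject": body or {}})


# Constructed sample audit log (not real data)
AUDIT_LINES = [
    _event("a1", "create", "clusterroles",
           {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}),
    _event("a2", "create", "roles",
           {"rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}),
    _event("a3", "create", "pods",
           {"spec": {"volumes": [{"name": "cfg", "hostPath": {"path": "/etc"}}]}}),
    _event("a4", "create", "pods",
           {"spec": {"volumes": [{"name": "scratch", "emptyDir": {}}]}}),
    _event("a5", "get", "pods"),
    _event("a6", "create", "pods",
           {"spec": {"volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}]}}),
    _event("a7", "create", "clusterrolebindings",
           {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}),
]


def _wildcard_rule(rules):
    """A role is high-privileged here if any rule grants every verb or every resource."""
    return any("*" in r.get("verbs", []) or "*" in r.get("resources", []) for r in rules)


def _sensitive_path(path):
    """Exact match for "/", exact-or-subdirectory match for the other listed paths."""
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def scan_audit_log(lines):
    """Return (auditID, reason) for each create event that matches one of the rules."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("verb") != "create":
            continue                       # only object creation is in scope for these rules
        res = ev.get("objectRef", {}).get("resource")
        body = ev.get("requestObject", {})
        if res in ("clusterroles", "roles") and _wildcard_rule(body.get("rules", [])):
            findings.append((ev["auditID"], f"{res[:-1]} grants wildcard verbs or resources"))
        elif res == "clusterrolebindings" and body.get("roleRef", {}).get("name") == "cluster-admin":
            findings.append((ev["auditID"], "clusterrolebinding to cluster-admin"))
        elif res == "pods":
            for vol in body.get("spec", {}).get("volumes", []):
                path = vol.get("hostPath", {}).get("path")
                if path and _sensitive_path(path):
                    findings.append((ev["auditID"], f"pod mounts sensitive hostPath {path}"))
    return findings


if __name__ == "__main__":
    for audit_id, reason in scan_audit_log(AUDIT_LINES):
        print(audit_id, reason)
```

The `requestObject` field is only present when the audit policy records at level `Request` or `RequestResponse`, so a cluster logging at `Metadata` would give these rules nothing to inspect; that is a configuration check worth making before relying on any audit-log-based detection.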
  • 50. Azure Blueprints
  • 51. Azure Blueprints – artifacts: Role assignments – if you need specific roles to be assigned. Policy assignments – if you need specific policies to be applied. Resource groups – if you need certain resource groups to be in place. Azure Resource Manager templates – if there are resources that need to be deployed.
  • 52. Definition – here you define the Blueprint itself. The Blueprint needs to be saved to either a management group or a subscription. When you save the Blueprint to a management group, the Blueprint can be assigned to any subscription that is part of that management group. To save the Blueprint definition, you need Contributor access to either the management group or the subscription.
  • 53. Publishing – once the Blueprint is defined, you can publish it; here you can assign a version number to the Blueprint. Assignment – the Blueprint is then assigned to a subscription. You can protect resources deployed via the Blueprint with resource locks; even a user with the Owner role will not be able to remove such a lock. The lock can only be removed by unassigning the Blueprint.
  • 55. Domain controllers should be protected with Trusted Platform Module chips. The volumes on the domain controller servers need to be protected via BitLocker Drive Encryption. Domain controllers should allow connections only from authorized users and systems; this can be implemented via Group Policy Objects.
  • 56. Manage the updates for the domain controllers. Microsoft Defender for Identity can be used to monitor domain controllers: it can capture network traffic, correlate it with Windows events and analyze it for threats.
  • 58. Microsoft 365 Defender – Defender for Endpoint: helps to protect your endpoints; it can provide automated investigation and response, and also has vulnerability management. Defender for Office 365: safeguards against malicious threats in email messages, links, etc. Defender for Identity: helps to protect the identities defined in your on-premises Active Directory. Defender for Cloud Apps: brings visibility and control over the usage of other cloud applications.
  • 59. Protecting data
  • 60. Once attackers gain access to your network, they can also get access to your data. An attacker would first use an account with elevated privileges to gain access to the data. The attacker could then copy the data across the network to another location, or simply delete it.
  • 61. Azure SQL Database – implement dynamic data masking to limit the exposure of sensitive data. Ensure that database columns that store sensitive data are encrypted. Enable database-level encryption.
  • 62. Other data stores – Azure Virtual Machine disks: enable Azure Disk Encryption. Azure Storage Accounts: Azure Storage Service Encryption. Azure Cosmos DB: encryption of the data.
  • 63. Data Masking
  • 64. Data Masking – here the exposure of the data in a database table to non-privileged users can be limited. You create a rule that masks the data; based on the rule, you decide how much of the data to expose to the user.
  • 65. There are different masking rules. Credit card masking rule – used to mask a column that contains credit card details; only the last four digits of the field are exposed. Email – the first letter of the email address is exposed, and the domain name of the email address is replaced with XXX.com. Custom text – here you decide which characters of the field to expose. Random number – here a random number is generated for the field.
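To make the four masking rules concrete, the following added example implements each of them as a function and applies a rule set to one constructed row, returning the masked view for a non-privileged user and the raw row for a privileged one. It is not Azure SQL's masking engine: the output shapes follow the rule descriptions above (credit card shown as XXXX-XXXX-XXXX-1234, email as first letter plus XXX@XXX.com), the custom-text rule is modelled as "keep a prefix and suffix, pad the middle", and the choice to hide a value entirely when it is too short for the requested prefix and suffix is a design decision of this demo.

```python
"""Dynamic data masking rules as plain functions. Added example, not Azure SQL's engine;
the sample row, rule set and short-string behaviour are assumptions for the demo."""
import random


def mask_credit_card(value: str) -> str:
    """Expose only the last four digits; everything else is replaced."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return "XXXX-XXXX-XXXX-" + digits[-4:]


def mask_email(value: str) -> str:
    """Expose the first letter only; the rest of the address and the domain become XXX."""
    return value[:1] + "XXX@XXX.com"


def mask_partial(value: str, prefix: int, padding: str, suffix: int) -> str:
    """Custom text rule: keep `prefix` leading and `suffix` trailing characters, pad the middle."""
    if prefix + suffix >= len(value):
        return padding            # too short to expose anything safely: hide it all (design choice)
    tail = value[len(value) - suffix:] if suffix else ""
    return value[:prefix] + padding + tail


def mask_random(low: int, high: int, rng=random) -> int:
    """Random number rule: the real value is replaced by a random one in [low, high]."""
    return rng.randint(low, high)


def apply_masking(row: dict, rules: dict, privileged: bool = False) -> dict:
    """Return the row as a user sees it; privileged users get the unmasked data."""
    if privileged:
        return dict(row)
    out = dict(row)
    for column, rule in rules.items():
        kind, *args = rule
        if kind == "credit_card":
            out[column] = mask_credit_card(row[column])
        elif kind == "email":
            out[column] = mask_email(row[column])
        elif kind == "partial":
            out[column] = mask_partial(row[column], *args)
        elif kind == "random":
            out[column] = mask_random(*args)
        else:
            raise ValueError(f"unknown masking rule {kind!r}")
    return out


# Constructed sample row and rule set (not real data)
ROW = {"name": "Alice", "card": "4111 1111 1111 1234", "email": "alice@example.com",
       "phone": "555-123-4567", "salary": 91000}
RULES = {"card": ("credit_card",), "email": ("email",),
         "phone": ("partial", 2, "XXX", 2), "salary": ("random", 1, 100)}

if __name__ == "__main__":
    print(apply_masking(ROW, RULES))
    print(apply_masking(ROW, RULES, privileged=True))
```

Masking changes what a query returns, not what is stored, so a user who can run arbitrary predicates may still learn something about a masked column (for example by filtering on it); that is why the slides pair masking with encryption rather than treating it as a substitute.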
  • 66. Auditing
  • 67. Auditing – you can enable auditing for an Azure SQL database and also for Azure Synapse Analytics. This feature tracks database events and writes them to an audit log. The logs can be stored in an Azure storage account, a Log Analytics workspace or Azure Event Hubs. This helps with regulatory compliance, and it helps to gain insight into any anomalies in database activity. Auditing can be enabled at the database or server level; if it is applied at the server level, it applies to all of the databases that reside on the server.
  • 68. Data classification
  • 69. Azure SQL Database and Azure Synapse have Data Discovery and Classification capabilities. This service can scan the database and identify columns that contain potentially sensitive data. You can also apply sensitivity-classification labels to certain columns.
  • 70. Azure SQL Database Encryption
  • 71. This feature is used to encrypt data at rest. It carries out real-time encryption and decryption of the database, its backups and its transaction log files. It is enabled by default on all new Azure SQL databases.
  • 72. The Always Encrypted feature can be used to encrypt data at rest and in motion. You can encrypt multiple columns located in different tables, multiple columns located in the same table, or just one specific column.
  • 73. There are two types of encryption. Deterministic encryption – here the same encrypted value is generated for any given plaintext value. This is less secure, but it allows point lookups, equality joins, grouping and indexing on encrypted columns. Randomized encryption – this is the most secure encryption method, but it prevents searching, grouping, indexing and joining on encrypted columns.
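The trade-off in the last slide is easiest to see by looking at what the database server, which never holds the key, can and cannot do with the ciphertext. The following added example is a toy, not Always Encrypted's AEAD_AES_256_CBC_HMAC_SHA_256 algorithm: it builds a small authenticated stream cipher from SHA-256 and HMAC, derives the IV from the plaintext in deterministic mode (the same idea Always Encrypted uses) and from `os.urandom` in randomized mode, and then shows a server-side equality lookup succeeding on the deterministic column and failing on the randomized one. The fixed demo key, the sample values and the single-key construction are assumptions; a real column encryption key would be generated and stored outside the database.

```python
"""Deterministic vs randomized column encryption as a toy authenticated stream cipher.
Added example, NOT Always Encrypted's algorithm; key, values and construction are for the demo only."""
import hashlib
import hmac
import os

KEY = bytes(range(32))   # constructed demo key; never fix a real column encryption key like this


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Expand (key, iv) into n bytes with a SHA-256 counter construction."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes, deterministic: bool) -> bytes:
    """Deterministic mode derives the IV from the plaintext, so equal inputs give equal outputs;
    randomized mode draws a fresh IV every time. Output is iv || body || HMAC tag."""
    if deterministic:
        iv = hmac.new(key, plaintext, hashlib.sha256).digest()[:16]
    else:
        iv = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, iv + body, hashlib.sha256).digest()
    return iv + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the body; works for both modes."""
    iv, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, iv + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body))))


def encrypt_column(key: bytes, values, deterministic: bool):
    """Client side: the column is encrypted before it reaches the database."""
    return [(i, encrypt(key, v.encode(), deterministic)) for i, v in enumerate(values)]


def server_equality_lookup(rows, needle_ct: bytes):
    """Server side: without the key, all the database can do is compare ciphertext bytes."""
    return [i for i, ct in rows if ct == needle_ct]


if __name__ == "__main__":
    # Constructed sample values (not real identifiers)
    ssns = ["111-22-3333", "444-55-6666", "111-22-3333"]
    det = encrypt_column(KEY, ssns, deterministic=True)
    rnd = encrypt_column(KEY, ssns, deterministic=False)
    print("deterministic lookup:", server_equality_lookup(det, encrypt(KEY, b"111-22-3333", True)))
    print("randomized lookup:   ", server_equality_lookup(rnd, encrypt(KEY, b"111-22-3333", False)))
    print("server can see rows 0 and 2 are equal (deterministic):", det[0][1] == det[2][1])
    print("server can see rows 0 and 2 are equal (randomized):   ", rnd[0][1] == rnd[2][1])
```

The deterministic lookup works precisely because the server can see that two rows hold the same value, which is the information leak the slide calls "less secure"; randomized mode removes that leak and with it every server-side operation that depends on equality.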