New Dynamic, New Tools
Get familiar with the new tools to troubleshoot and triage issues. For Teams, that means the
Call Quality Diagnostic tool. If users experience poor quality, help desks can use the Call Quality Diagnostic (CQD) tool to ID where the issue
lies (i.e. headset, network, or service). If it
appears the Internet is the root cause, users can check their last mile by using ping or tracert to 13.107.64.2 (Microsoft’s virtual head-end).
Another template, the Security Alerts workbook, provides a holistic view of where alerts are coming from and their overall severity. This helps identify which sources or rules generate the most noise, so you can investigate further or tune existing rules to reduce false positives.
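The kind of query that sits behind such a workbook (or that you can run directly in Logs) ranks alert sources by volume so the noisy ones stand out. This is an added example, not a query taken from the guide or from the workbook itself; it assumes alerts from your connected providers land in the SecurityAlert table, and the seven-day window and top-20 cut-off are chosen values.

```kusto
// Added example (not from the guide): rank alert sources by volume to find noise.
// Assumes alerts land in the SecurityAlert table; the 7-day window and top 20 are chosen values.
let lookback = 7d;
let totalAlerts = toscalar(SecurityAlert | where TimeGenerated > ago(lookback) | count);
SecurityAlert
| where TimeGenerated > ago(lookback)
| summarize Alerts = count(),
            Severities = make_set(AlertSeverity),
            LastSeen = max(TimeGenerated)
        by ProviderName, AlertName
| extend PercentOfTotal = round(100.0 * Alerts / totalAlerts, 1)
| order by Alerts desc
| take 20
```

Rules near the top of this list that fire mostly at Low or Informational severity are the usual tuning candidates: raise their threshold, add an exclusion for the known-good source, or change them to a lower severity so they stop creating incidents.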
Microsoft is disabling legacy authentication on Oct. 13, 2020 for several protocols. You can use the Insecure Protocols workbook to inventory existing legacy authentication attempts so you can plan the migration to Modern Authentication. This workbook can account for both Azure AD and on-premises Active Directory authentication.
OPERATING MICROSOFT SENTINEL
Custom Workbooks
Custom workbooks can be created to provide the exact insights you are looking for. You can add several different components, including text labels, parameters (such as resource pickers and search filters), and links and buttons for actions. Queries and metrics can be added for further customization. Finally, using the advanced editor, you can import Gallery or ARM templates to create the workbook from JSON code.
Hunting
For advanced security operators and IT pros, hunting allows proactive assessment against specific risks: manual, proactive investigation of possible security threats based on the ingested data. Hunting is based on queries. Microsoft provides several built-in queries, and you can create your own. Once a query is created, you can convert it into an analytic rule that runs on a schedule.
Sample queries can also be obtained from each data connector page.
Analytics
Once you have a solid query, you can create an analytic rule to perform additional actions on its results. As with most other components of Microsoft Sentinel, Microsoft also provides built-in analytic rule templates with pre-created queries based on the data sources. You simply select the template and click Create rule.
While creating a rule from a template or from a custom query, you configure the schedule and the alert threshold. You specify how often to run the query and how far back each run should search. In addition, the alert threshold specifies how many results are required before an alert is issued.
On the next page, you define whether to create an incident from the results. Alert grouping lets you group related results into a single incident rather than potentially creating one incident for every result.
Finally, you can assign a playbook for automated remediation or actions against the results.
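The following query ties the Hunting and Analytics sections together: written once, it can be run as a hunt over a wide window and then converted into a scheduled rule whose lookback matches the `ago()` window. It is an added example, not a query from the guide or a Microsoft-supplied template. It assumes the Azure Active Directory connector is populating SigninLogs; the list of legacy client-app names, the one-hour window, and the `*CustomEntity` column names used for entity mapping are choices made here for illustration.

```kusto
// Added example (not from the guide): legacy (basic) authentication sign-ins from SigninLogs.
// Assumes the Azure Active Directory data connector is enabled; the client-app list and the
// 1h window are chosen values, not settings taken from the guide.
let lookback = 1h;                 // as a scheduled rule, keep this equal to the rule's lookup period
let legacyClients = dynamic([
    "Exchange ActiveSync", "Exchange Online PowerShell", "Exchange Web Services",
    "IMAP4", "MAPI Over HTTP", "Offline Address Book", "Other clients", "POP3",
    "Authenticated SMTP", "Reporting Web Services"]);
SigninLogs
| where TimeGenerated > ago(lookback)
| where ClientAppUsed in (legacyClients)
| where ResultType == "0"          // successful sign-ins only; drop this line while hunting to see failed attempts too
| summarize Attempts = count(),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            SourceIPs = make_set(IPAddress, 10), Apps = make_set(AppDisplayName, 10)
        by UserPrincipalName, ClientAppUsed
| order by Attempts desc
// Entity columns the rule maps to Account and IP entities, and that alert grouping can key on
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(SourceIPs[0])
```

As a hunt, widen `lookback` (30d, for instance) to inventory who still depends on legacy authentication before it is disabled. As a scheduled rule, run it every hour with a one-hour lookup period so each sign-in is evaluated exactly once, trigger when the result count is greater than zero, and group alerts by the account entity so a user with many sign-ins produces one incident rather than one per row.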
Incidents
Incidents are created only when an analytic rule is configured to create them. In the Microsoft Sentinel portal, click Incidents to view the list of incidents. Clicking View full details shows additional information about the incident. You can change the severity if needed, set the Status, and assign the incident to the individual responsible for investigating it further. You can also manually run any playbook created for Microsoft Sentinel against the incident's alerts.
Currently in preview, clicking Investigate opens the Investigation Graph, an interactive overview of all entities involved in the incident. It helps you understand the scope and impact of the incident, determine the root cause, and stop related activity that may be occurring elsewhere.
Playbooks
Playbooks are Azure Logic Apps built for Microsoft Sentinel by adding an API connection to Microsoft Sentinel alerts. The example playbook below disables an Azure AD user account when an alert is triggered and adds a comment to the incident. Additional actions can be added, such as a simple email notification. Anything Logic Apps can connect to can be tied into a Microsoft Sentinel playbook and analytic rule to automate that action.
This has been a small sample of the capabilities of Microsoft Sentinel. Microsoft Sentinel can be extended in many ways to manage and monitor your environment: you can integrate it with an existing Splunk deployment or deploy it as infrastructure as code through DevOps. It can also be used with Azure Lighthouse to manage and monitor multiple Azure environments, allowing Enabling Technologies to fully manage your Microsoft Sentinel deployment, ongoing operations, and incident response.