To onboard Microsoft Sentinel, you first need to connect to your security sources.
Microsoft Sentinel comes with several out-of-the-box connectors for Microsoft solutions that provide real-time integration, including Microsoft 365 sources, Microsoft Entra ID, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. There are also built-in connectors to the broader security ecosystem for non-Microsoft solutions.
Relevant data connectors for Azure Arc-enabled servers include Windows Security Events via AMA and Syslog (via AMA for Linux servers). The older Security Events via Legacy Agent connector depends on the Log Analytics agent, which was retired on 31 August 2024, so it is only relevant to existing deployments that have not yet migrated. On an Arc-enabled server the Azure Monitor Agent (AMA) is installed as an extension through the Connected Machine agent, and a data collection rule (DCR) associated with the machine decides which events are forwarded; which event set you choose (All, Common, Minimal or a custom XPath filter) drives both detection coverage and ingestion cost, so confirm it explicitly rather than accepting the default.
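As an added example that is not part of the original article, the following Bicep wires one Arc-enabled Windows server into a Sentinel workspace along the "Windows Security Events via AMA" path: the AMA extension on the Arc machine, a DCR that forwards a filtered set of Security log events to the workspace, and the association that binds the two. The parameter names, the rule and association names, and the event ID selection are assumptions chosen for the example; the resource types, API versions, the `Microsoft-SecurityEvent` stream name and the `Security!*[...]` XPath form are the ones the AMA connector uses.

```bicep
// Added example (not from the article or from Microsoft's own templates).
// Assumed inputs: an Arc-enabled Windows server that is already connected in this
// resource group, and the resource ID of the Sentinel-enabled Log Analytics workspace.
param location string = resourceGroup().location
param arcMachineName string
param workspaceId string

// Reference the Arc-enabled server; it is not created here.
resource arcMachine 'Microsoft.HybridCompute/machines@2022-12-27' existing = {
  name: arcMachineName
}

// Azure Monitor Agent installed as an Arc extension (no Legacy Agent involved).
resource ama 'Microsoft.HybridCompute/machines/extensions@2022-12-27' = {
  parent: arcMachine
  name: 'AzureMonitorWindowsAgent'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Monitor'
    type: 'AzureMonitorWindowsAgent'
    autoUpgradeMinorVersion: true
    enableAutomaticUpgrade: true
  }
}

// Data collection rule: an XPath filter on the Security log so that only the
// event IDs the detections need are shipped, instead of the whole log.
// Assumed selection: logon success/failure, special privileges assigned, process creation.
resource dcr 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
  name: 'dcr-arc-windows-security'
  location: location
  kind: 'Windows'
  properties: {
    dataSources: {
      windowsEventLogs: [
        {
          name: 'securityEventsArc'
          streams: [
            'Microsoft-SecurityEvent'
          ]
          xPathQueries: [
            'Security!*[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=4688)]]'
          ]
        }
      ]
    }
    destinations: {
      logAnalytics: [
        {
          name: 'sentinelWorkspace'
          workspaceResourceId: workspaceId
        }
      ]
    }
    dataFlows: [
      {
        streams: [
          'Microsoft-SecurityEvent'
        ]
        destinations: [
          'sentinelWorkspace'
        ]
      }
    ]
  }
}

// Bind the rule to the Arc machine; AMA applies it on its next configuration poll.
resource dcra 'Microsoft.Insights/dataCollectionRuleAssociations@2022-06-01' = {
  name: 'dcra-arc-windows-security'
  scope: arcMachine
  properties: {
    dataCollectionRuleId: dcr.id
  }
  dependsOn: [
    ama
  ]
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file <file>.bicep --parameters arcMachineName=<name> workspaceId=<id>`. Verify the pipeline end to end rather than trusting a green deployment: after a few minutes, run `SecurityEvent | where Computer startswith "<name>" | summarize count() by EventID` in the workspace and confirm that only the selected event IDs appear. If the table stays empty, check the extension provisioning state on the Arc resource and that the workspace's Sentinel connector for Windows Security Events via AMA is enabled.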
Workbooks and analytics
After you connect your data sources to Microsoft Sentinel, you can monitor the data using the Microsoft Sentinel integration with Azure Monitor workbooks, which lets you build custom workbooks over the ingested tables. Microsoft Sentinel also comes with built-in workbook templates so that you can gain insights across your data as soon as a data source is connected.
To help you minimize the number of alerts you must investigate, Microsoft Sentinel uses analytics to correlate alerts into incidents. Incidents are groups of related alerts that together represent an actionable potential threat that you can investigate and resolve. Use the built-in analytics rules as-is, or use them as a starting point to build your own; a custom scheduled rule is a KQL query over the connected tables, a run frequency and lookback period, a trigger threshold, entity mappings, and incident grouping settings that decide which alerts are folded into the same incident. Microsoft Sentinel also provides machine learning rules that baseline behavior across your resources and then look for anomalies.
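As an added example that is not part of the original article, here is a custom scheduled analytics rule, expressed in Bicep so it can be versioned and deployed alongside the data collection configuration, that alerts on a burst of failed logons against an Arc-enabled server and groups repeated hits from the same host and source IP into one incident. The workspace parameter, the rule name, the threshold of 20 failures per hour, and the severity are assumptions for the example; the resource type, API version and property names are those of the Sentinel scheduled rule schema.

```bicep
// Added example (not from the article). Assumes an existing Sentinel-enabled
// Log Analytics workspace that already receives SecurityEvent rows from Arc-enabled servers.
param workspaceName string

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource failedLogonBurst 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  scope: workspace
  name: guid(workspace.id, 'arc-failed-logon-burst')
  kind: 'Scheduled'
  properties: {
    displayName: 'Failed logon burst on Arc-enabled server'
    description: '20 or more 4625 events from one source IP against one host within the lookback window (assumed threshold).'
    severity: 'Medium'
    enabled: true
    // KQL over the SecurityEvent table. Rows with an empty or "-" IpAddress are local
    // or service logons and would otherwise collapse into one noisy group.
    query: '''
SecurityEvent
| where EventID == 4625
| where isnotempty(IpAddress) and IpAddress != "-"
| summarize FailedLogons = count(),
            TargetAccounts = make_set(TargetUserName, 25),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Computer, IpAddress
| where FailedLogons >= 20
'''
    // Run hourly over the last hour; any returned row raises an alert.
    queryFrequency: 'PT1H'
    queryPeriod: 'PT1H'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionEnabled: false
    suppressionDuration: 'PT1H'
    tactics: [
      'CredentialAccess'
    ]
    techniques: [
      'T1110'
    ]
    // Entity mappings are what allow incident grouping and the investigation graph to
    // connect this alert with others about the same host or source address.
    entityMappings: [
      {
        entityType: 'Host'
        fieldMappings: [
          {
            identifier: 'HostName'
            columnName: 'Computer'
          }
        ]
      }
      {
        entityType: 'IP'
        fieldMappings: [
          {
            identifier: 'Address'
            columnName: 'IpAddress'
          }
        ]
      }
    ]
    // Fold alerts that share the same host and IP within five hours into one incident
    // instead of opening a new incident every hour the attack continues.
    incidentConfiguration: {
      createIncident: true
      groupingConfiguration: {
        enabled: true
        reopenClosedIncident: false
        lookbackDuration: 'PT5H'
        matchingMethod: 'AllEntities'
      }
    }
  }
}
```

Before enabling a rule like this, run the query by hand over a longer window (`| where TimeGenerated > ago(7d)`) to calibrate the threshold against the environment's normal failure rate; a threshold that is right for a handful of Arc-enabled servers in a data center will be wrong for internet-facing hosts. The `queryPeriod` must be at least as long as `queryFrequency`, or events that fall between runs are never examined.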