Author: ultroni1

  • Security automation and orchestration

    You can automate common tasks and simplify security orchestration with playbooks that integrate with Azure services and your existing tools.

    Built on Azure Logic Apps, Microsoft Sentinel’s automation and orchestration solution is extensible, scalable, and modernized. To build playbooks with Azure Logic Apps, you can choose from a growing gallery of built-in playbooks and more than 200 connectors. The connectors cover services such as Azure Functions (so you can apply custom logic in code), ServiceNow, Jira, Zendesk, HTTP requests, Microsoft Teams, Slack, Windows Defender ATP, and Defender for Cloud Apps.

    Hunting and notebooks

    Use Microsoft Sentinel’s powerful hunting search-and-query tools, based on the MITRE framework, to proactively hunt for security threats across your organization’s data sources before an alert is triggered. After you discover which hunting query provides high-value insights into attacks, you can also create custom detection rules based on your query and surface those insights as alerts to your security-incident responders. While hunting, you can create bookmarks for interesting events, which allows you to return to them later, share them with others, and group them with other correlating events to create a compelling incident for investigation.

  • Connect data

    To onboard Microsoft Sentinel, you first need to connect to your security sources.

    Microsoft Sentinel comes with several out-of-the-box connectors for Microsoft solutions that provide real-time integration. These include Microsoft 365 sources, Microsoft Entra ID, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions.

    Relevant data connectors for Azure Arc-enabled servers might include Security Events via Legacy Agent, Windows Security Events via AMA, or Syslog.

    Workbooks and analytics

    After you connect your data sources to Microsoft Sentinel, you can monitor the data using the Microsoft Sentinel integration with Azure Monitor workbooks, which provides versatility in creating custom workbooks. Microsoft Sentinel also comes with built-in workbook templates to allow you to quickly gain insights across your data as soon as you connect to a data source.

    To help you minimize the number of alerts you must investigate, Microsoft Sentinel uses analytics to correlate alerts into incidents. Incidents are groups of related alerts that together create an actionable possible threat that you can investigate and resolve. Use the built-in correlation rules as-is, or use them as a starting point to build your own. Microsoft Sentinel also provides machine learning rules to map your network behavior and then look for anomalies across your resources.
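    The two ideas above, a hunting query promoted to a custom detection rule (see "Hunting and notebooks") and analytics that correlate the resulting alerts into incidents, are shown below in a small Python model. This is an added example, not code from the page or from Microsoft; the event rows are constructed to look like Sentinel's SecurityEvent table (EventID 4625 = failed logon, 4624 = successful logon), and the rule names, thresholds and the "shared account or IP within an hour" grouping heuristic are assumptions for illustration, not Sentinel's actual correlation logic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows shaped like Sentinel's SecurityEvent table
# (EventID 4625 = failed logon, 4624 = successful logon). Not real telemetry.
EVENTS = [
    {"TimeGenerated": "2024-03-01T10:00:05", "EventID": 4625, "Account": "svc-backup", "IpAddress": "203.0.113.7", "Computer": "ARC-WEB01"},
    {"TimeGenerated": "2024-03-01T10:00:09", "EventID": 4625, "Account": "svc-backup", "IpAddress": "203.0.113.7", "Computer": "ARC-WEB01"},
    {"TimeGenerated": "2024-03-01T10:00:14", "EventID": 4625, "Account": "svc-backup", "IpAddress": "203.0.113.7", "Computer": "ARC-WEB01"},
    {"TimeGenerated": "2024-03-01T10:00:20", "EventID": 4625, "Account": "svc-backup", "IpAddress": "203.0.113.7", "Computer": "ARC-WEB01"},
    {"TimeGenerated": "2024-03-01T10:00:31", "EventID": 4624, "Account": "svc-backup", "IpAddress": "203.0.113.7", "Computer": "ARC-WEB01"},
    {"TimeGenerated": "2024-03-01T10:02:00", "EventID": 4624, "Account": "svc-backup", "IpAddress": "203.0.113.7", "Computer": "ARC-DB01"},
    {"TimeGenerated": "2024-03-01T11:30:00", "EventID": 4625, "Account": "jdoe", "IpAddress": "10.0.0.5", "Computer": "ARC-WEB01"},
    {"TimeGenerated": "2024-03-01T11:31:00", "EventID": 4624, "Account": "jdoe", "IpAddress": "10.0.0.5", "Computer": "ARC-WEB01"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeGenerated"])


def rule_failed_then_success(events, window=timedelta(minutes=10), min_failures=3):
    """Hunting query promoted to a detection rule: min_failures or more 4625s
    for one account/IP pair, followed by a 4624 inside the window."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_pair[(e["Account"], e["IpAddress"])].append(e)
    alerts = []
    for (account, ip), evs in by_pair.items():
        failures = []
        for e in evs:
            if e["EventID"] == 4625:
                failures.append(e)
            elif e["EventID"] == 4624:
                recent = [f for f in failures if _ts(e) - _ts(f) <= window]
                if len(recent) >= min_failures:
                    alerts.append({"Rule": "FailedLogonsThenSuccess", "Time": _ts(e),
                                   "Account": account, "IpAddress": ip,
                                   "Computer": e["Computer"], "Failures": len(recent)})
                failures = []  # a success closes the attempt sequence
    return alerts


def rule_multi_host_logon(events, window=timedelta(minutes=15), min_hosts=2):
    """Second rule: one account logging on to several hosts within the window."""
    by_account = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["EventID"] == 4624:
            by_account[e["Account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        for i, first in enumerate(evs):
            hosts = sorted({x["Computer"] for x in evs[i:] if _ts(x) - _ts(first) <= window})
            if len(hosts) >= min_hosts:
                alerts.append({"Rule": "MultiHostLogon", "Time": _ts(first), "Account": account,
                               "IpAddress": first["IpAddress"], "Hosts": hosts})
                break  # one alert per account per run is enough
    return alerts


def correlate_into_incidents(alerts, window=timedelta(hours=1)):
    """Group alerts that share an account or source IP within the window
    (assumed heuristic standing in for Sentinel's incident grouping)."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x["Time"]):
        for inc in incidents:
            related = any((a["Account"] == b["Account"] or a["IpAddress"] == b["IpAddress"])
                          and a["Time"] - b["Time"] <= window for b in inc["Alerts"])
            if related:
                inc["Alerts"].append(a)
                inc["Entities"].update({a["Account"], a["IpAddress"]})
                break
        else:
            incidents.append({"Alerts": [a], "Entities": {a["Account"], a["IpAddress"]}})
    return incidents


def run_detections(events):
    """Run both rules, then correlate. Returns (alerts, incidents)."""
    alerts = rule_failed_then_success(events) + rule_multi_host_logon(events)
    return alerts, correlate_into_incidents(alerts)


if __name__ == "__main__":
    alerts, incidents = run_detections(EVENTS)
    for n, inc in enumerate(incidents, 1):
        print(f"Incident {n}: entities={sorted(inc['Entities'])}, rules={[a['Rule'] for a in inc['Alerts']]}")
```

    On the sample data the two rules each fire once for the same account and source IP, and correlation folds them into a single incident, which is the point of the text: an analyst investigates one incident carrying two related alerts rather than two disconnected alerts.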

  • Threat intelligence for Azure Arc-enabled servers with Microsoft Sentinel

    Tailwind Traders’ SOC (Security Operations Center) analysts are struggling to assess their environment with its various SIEM and SOAR solutions. In this unit, you learn how Azure Arc-enabled servers work together with Microsoft Sentinel, a SIEM and SOAR solution that keeps up with hybrid and multicloud environments.

    Overview of Microsoft Sentinel

    Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Microsoft Sentinel delivers threat intelligence across the enterprise, providing a single solution for attack detection, proactive hunting, and threat response.

    Microsoft Sentinel is your bird’s-eye view across the enterprise for alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames.

    • Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
    • Detect previously undetected threats and minimize false positives using Microsoft’s analytics and unparalleled threat intelligence.
    • Investigate threats with artificial intelligence and hunt for suspicious activities at scale, tapping into years of cyber security work at Microsoft.
    • Respond to incidents rapidly with built-in orchestration and automation of common tasks.

  • File integrity monitoring (FIM)

    File integrity monitoring (FIM) examines files and registries of operating systems and application software for changes that might indicate an attack. A comparison method is used to determine if the current state of the file is different from the last scan of the file. You can use this comparison to determine if valid or suspicious modifications were made to your files.

    When you enable Defender for Servers, you can use FIM to validate the integrity of Windows files, your Windows registries, and Linux files.

    Adaptive application controls (AAC)

    Adaptive application controls are an intelligent and automated solution for defining allowlists of known-safe applications for your machines. When you’ve configured adaptive application controls, you get security alerts if any application runs other than the ones you defined as safe.
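    An added example (not Defender for Cloud's code and not from the page) of the allowlisting workflow the paragraph describes: learn which applications ran during a baseline period, turn that into an allowlist of path-plus-hash rules, then audit later process-start events and alert on anything outside it. Event fields, the hash strings and the trusted directory /opt/agent/ are constructed placeholders, and the two alert severities are assumptions for illustration.

```python
from collections import defaultdict

# Constructed process-start events from a learning (baseline) period.
# The Sha256 values are made-up labels, not digests of real binaries.
BASELINE = [
    {"Computer": "ARC-APP01", "Path": "/usr/bin/python3", "Sha256": "sha256-python3-v1"},
    {"Computer": "ARC-APP01", "Path": "/usr/bin/bash", "Sha256": "sha256-bash-v1"},
    {"Computer": "ARC-APP01", "Path": "/opt/agent/himds", "Sha256": "sha256-himds-v1"},
]

# Constructed events observed after the allowlist was put in place.
NEW_EVENTS = [
    {"Computer": "ARC-APP01", "Path": "/usr/bin/python3", "Sha256": "sha256-python3-v1"},
    {"Computer": "ARC-APP01", "Path": "/usr/bin/bash", "Sha256": "sha256-bash-v2"},
    {"Computer": "ARC-APP01", "Path": "/tmp/unknown-tool", "Sha256": "sha256-unknown"},
    {"Computer": "ARC-APP01", "Path": "/opt/agent/helper", "Sha256": "sha256-helper-v1"},
]


def learn_allowlist(events, trusted_dirs=("/opt/agent/",)):
    """Build the allowlist from observed executions: the set of hashes seen for
    each path, plus directory prefixes the operator trusts wholesale (assumed)."""
    rules = {"hashes": defaultdict(set), "prefixes": list(trusted_dirs)}
    for e in events:
        rules["hashes"][e["Path"]].add(e["Sha256"])
    return rules


def evaluate(event, rules):
    """Return None when the execution is allowed, otherwise an alert dict.
    A known path with an unexpected hash is treated as more serious than an
    unknown path, because it suggests a trusted binary was replaced."""
    path = event["Path"]
    if path in rules["hashes"]:
        if event["Sha256"] in rules["hashes"][path]:
            return None
        return {"Computer": event["Computer"], "Path": path, "Severity": "High",
                "Reason": "known path, unexpected hash (binary changed outside change control)"}
    if any(path.startswith(prefix) for prefix in rules["prefixes"]):
        return None
    return {"Computer": event["Computer"], "Path": path, "Severity": "Medium",
            "Reason": "application not on the allowlist"}


def audit(events, rules):
    """Audit-mode pass: collect alerts without blocking anything."""
    return [alert for alert in (evaluate(e, rules) for e in events) if alert]


if __name__ == "__main__":
    for alert in audit(NEW_EVENTS, learn_allowlist(BASELINE)):
        print(f"{alert['Severity']:6} {alert['Computer']} {alert['Path']}: {alert['Reason']}")
```

    The learning step is the part that makes the control "adaptive": the allowlist comes from what the machine actually ran, which is why the baseline period must be one you trust, and why a legitimate update that changes a binary's hash needs to be reflected in the allowlist before it stops producing High alerts.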

  • Integration with Microsoft Defender for Endpoint

    Defender for Servers includes Microsoft Defender for Endpoint. Together, they provide comprehensive endpoint detection and response (EDR) capabilities.

    When Defender for Endpoint detects a threat, it triggers an alert. The alert is shown in Defender for Cloud. From Defender for Cloud, you can also pivot to the Defender for Endpoint console and perform a detailed investigation to uncover the scope of the attack. When you enable Defender for Servers, you give Defender for Cloud access to the Defender for Endpoint data related to vulnerabilities, installed software, and alerts.

    Vulnerability assessment tools

    Defender for Servers includes a choice of vulnerability discovery and management tools. From Defender for Cloud’s settings pages, you can choose whether to deploy these tools to your machines. Any discovered vulnerabilities are shown in a security recommendation.

    • Microsoft threat and vulnerability management: Discover vulnerabilities and misconfigurations in real time with Defender for Endpoint, without the need for more agents or periodic scans. Threat and vulnerability management prioritizes vulnerabilities based on the threat landscape, sensitive information, and business context.
    • Vulnerability scanner powered by Qualys: Qualys is one of the leading tools for real-time identification of vulnerabilities in your hybrid virtual machines. You don’t need a Qualys license or even a Qualys account; everything is handled seamlessly inside Defender for Cloud.

  • Secure Azure Arc-enabled servers with Microsoft Defender for Servers

    Tailwind Traders is interested in more of Microsoft Defender for Cloud’s enhanced security features. These enhanced security features include vulnerability assessments, file integrity monitoring, and adaptive application controls. In this unit, you learn how Azure Arc-enabled servers together with Microsoft Defender for Servers can unlock even more security functionality.

    Overview of Microsoft Defender for Servers

    Microsoft Defender for Servers is one of the enhanced security features of Microsoft Defender for Cloud. Defender for Servers adds threat detection and advanced defenses to your Windows and Linux machines whether they’re running in Azure, on-premises, or in a multicloud environment. Core benefits of Defender for Servers include:

    • Microsoft Defender for Endpoint Integration
    • Virtual machine behavioral analytics (and security alerts)
    • Fileless security alerts
    • Integrated Qualys vulnerability scanner
    • File integrity monitoring
    • Adaptive application controls
    • Regulatory compliance dashboard and reports
    • Missing OS patches assessment
    • Security misconfigurations assessment
    • Endpoint protection assessment
    • Non-Microsoft vulnerability assessment

  • Onboard Azure Arc-enabled servers to Microsoft Defender for Cloud

    Tailwind Traders has onboarded its machines to Azure Arc-enabled servers, and now wants to onboard those servers to Microsoft Defender for Cloud. In this unit, you learn how to onboard your Azure Arc-enabled servers to Defender for Cloud.

    Enable Microsoft Defender for Cloud

    To enable Microsoft Defender for Cloud in your Azure subscription, search for Microsoft Defender for Cloud in the Azure portal. Select Microsoft Defender for Cloud to open the overview page.

    After a few minutes, Defender for Cloud is enabled, and you have access to the basic features it provides.

    To enable the enhanced security features of Defender for Cloud for your machines, you need to enable the Defender for Servers plan. To do this, follow these steps:

    1. In the Defender for Cloud menu, under Management, select Environment settings.
    2. Select the subscription that you want to protect.
    3. Under Cloud Workload Protection (CWPP), find Servers and toggle the switch to On.
    4. Select Save.

    When you enable the Defender for Servers plan in Defender for Cloud, Defender for Endpoint integration is enabled by default. This integration provides advanced capabilities such as real-time threat detection, automated response capabilities, vulnerability assessments, and software inventory.

  • Assess, secure, and defend Azure Arc-enabled servers with Microsoft Defender for Cloud

    With Tailwind Traders’ distributed IT infrastructure, it’s often difficult to get a coherent view of the entire organization’s security posture. Moreover, initiatives to secure and defend resources are increasingly siloed. In this unit, you learn how to use Microsoft Defender for Cloud with Azure Arc-enabled servers. Together, they can facilitate a more comprehensive security strategy to meet the demands of your hybrid and multicloud infrastructure.

    Overview of Microsoft Defender for Cloud

    Microsoft Defender for Cloud provides unified security management and advanced threat protection. With its integrated Microsoft Defender plans, Defender for Cloud protects workloads running in Azure, hybrid, and other cloud platforms.

  • Applications and service principals

    A service principal is, essentially, an identity for an application. For an application to delegate its identity and access functions to Microsoft Entra ID, the application must first be registered with Microsoft Entra ID to enable its integration. Once an application is registered, a service principal is created in each Microsoft Entra tenant where the application is used. The service principal enables core features such as authentication and authorization of the application to resources that are secured by the Microsoft Entra tenant.

    For the service principals to be able to access resources secured by the Microsoft Entra tenant, application developers must manage and protect the credentials. If not done correctly, this can introduce security vulnerabilities. Managed identities help off-load that responsibility from the developer.

  • Workload identities

    A workload identity is an identity you assign to a software workload. This enables the software workload to authenticate to and access other services and resources. This helps secure your workload.

    Securing your workload identities is important because unlike a human user, a software workload may deal with multiple credentials to access different resources and those credentials need to be stored securely. It’s also hard to track when a workload identity is created or when it should be revoked. Enterprises risk their applications or services being exploited or breached because of difficulties in securing workload identities.

    Microsoft Entra Workload ID helps resolve these issues when securing workload identities.

    In Microsoft Entra, workload identities are applications, service principals, and managed identities.
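    The problems named above for service principals and workload identities (developer-managed credentials, not knowing when a credential was created or should be revoked) are the kind of thing a periodic credential review catches. Below is an added example of such a review, not code from the page or from Microsoft Entra: the inventory is constructed, the field names are assumptions rather than a Graph API schema, and the policy thresholds (30-day expiry warning, one-year maximum lifetime, 90-day staleness) are illustrative defaults. Managed identities are skipped because, as the text says, the platform holds their credentials rather than the developer.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 3, 1)
DAY = timedelta(days=1)

# Constructed inventory of credentials attached to applications / service
# principals. Not exported from any tenant; field names are assumed.
INVENTORY = [
    {"App": "billing-api", "Type": "clientSecret", "Created": NOW - 400 * DAY,
     "Expires": NOW - 5 * DAY, "LastUsed": NOW - 1 * DAY, "Owner": "team-billing"},
    {"App": "reporting-job", "Type": "certificate", "Created": NOW - 300 * DAY,
     "Expires": NOW + 20 * DAY, "LastUsed": NOW - 2 * DAY, "Owner": "team-data"},
    {"App": "legacy-sync", "Type": "clientSecret", "Created": NOW - 700 * DAY,
     "Expires": NOW + 900 * DAY, "LastUsed": None, "Owner": None},
    {"App": "web-frontend", "Type": "managedIdentity", "Created": NOW - 100 * DAY,
     "Expires": None, "LastUsed": NOW, "Owner": "team-web"},
]


def review(inventory, now=NOW, expiring_within=30 * DAY,
           max_lifetime=365 * DAY, stale_after=90 * DAY):
    """Return (app, finding) pairs for every credential that needs attention.
    Thresholds are illustrative policy values, not Entra defaults."""
    findings = []
    for c in inventory:
        app = c["App"]
        if c["Type"] == "managedIdentity":
            continue  # platform-managed; no developer-held secret to rotate or leak
        expires = c["Expires"]
        if expires is not None and expires <= now:
            findings.append((app, "expired: rotate and remove"))
        elif expires is not None and expires - now <= expiring_within:
            findings.append((app, "expires soon: schedule rotation"))
        if expires is None or expires - c["Created"] > max_lifetime:
            findings.append((app, "lifetime exceeds policy: reissue with shorter expiry"))
        if c["LastUsed"] is None:
            findings.append((app, "never used: candidate for revocation"))
        elif now - c["LastUsed"] > stale_after:
            findings.append((app, "not used recently: confirm still needed"))
        if not c["Owner"]:
            findings.append((app, "no owner: nobody accountable for rotation or revocation"))
    return findings


def by_app(findings):
    """Group findings per application for a report."""
    report = {}
    for app, finding in findings:
        report.setdefault(app, []).append(finding)
    return report


if __name__ == "__main__":
    for app, items in by_app(review(INVENTORY)).items():
        print(app)
        for item in items:
            print("  -", item)
```

    The never-used and no-owner cases are the ones the text singles out: a credential nobody uses and nobody owns is exactly the identity that is hard to notice and hard to revoke, and it stays valid until someone does.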