Merge pull request #278606 from cwatson-cat/6-17-24-ops-guide

Jill Grant · web-flow · commit 06f34f00752f · 2024-06-28T15:25:01.000-06:00
Ops guide - move content into new article
diff --git a/articles/sentinel/TOC.yml b/articles/sentinel/TOC.yml
@@ -1223,8 +1223,6 @@
   items:
   - name: Service limits
     href: sentinel-service-limits.md
-  - name: Compare playbooks, workbooks, and notebooks
-    href: resources.md
   - name: Microsoft Sentinel REST-API
     href: /rest/api/securityinsights/
   - name: Management references
@@ -1281,6 +1279,10 @@
           href: normalization-schema-web.md
         - name: Legacy network normalization schema
           href: normalization-schema-v1.md
+  - name: Automation and response references
+    items:
+    - name: SOAR content catalog
+      href: sentinel-soar-content.md
   - name: Data collection references
     items:
     - name: Data source schema reference
@@ -1325,12 +1327,10 @@
         href: data-connector-ui-definitions-reference.md
       - name: Data connectors API reference
         href: data-connector-connection-rules-reference.md
-    - name: Defender for Cloud Apps alerts not onboarded to Microsoft 365 Defender
-      href: ./microsoft-365-defender-sentinel-integration.md#microsoft-defender-xdr-incidents-and-microsoft-incident-creation-rules
-  - name: Automation and response references
-    items:
-    - name: SOAR content catalog
-      href: sentinel-soar-content.md
+  - name: Compare playbooks, workbooks, and notebooks
+    href: resources.md
+  - name: Operations guide
+    href: ops-guide.md
 - name: Resources
   items:
   - name: Sample workspace architecture
diff --git a/articles/sentinel/best-practices.md b/articles/sentinel/best-practices.md
@@ -4,7 +4,7 @@ description: Learn about best practices to employ when managing your Microsoft S
 author: cwatson-cat
 ms.author: cwatson
 ms.topic: conceptual
-ms.date: 05/16/2024
+ms.date: 06/28/2024
 ---
 
 # Best practices for Microsoft Sentinel
@@ -59,43 +59,9 @@ The following table provides high-level descriptions for how to use Microsoft Se
 |Entity behavior     | Entity behavior in Microsoft Sentinel allows users to review and investigate actions and alerts for specific entities, such as investigating accounts and host names. For more information, see:<br><br>- [Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](enable-entity-behavior-analytics.md)<br>- [Investigate incidents with UEBA data](investigate-with-ueba.md)<br>- [Microsoft Sentinel UEBA enrichments reference](ueba-reference.md)        |
 |Watchlists    |   Use a watchlist that combines data from ingested data and external sources, such as enrichment data. For example, create lists of IP address ranges used by your organization or recently terminated employees. Use watchlists with playbooks to gather enrichment data, such as adding malicious IP addresses to watchlists to use during detection, threat hunting, and investigations. <br><br>During an incident, use watchlists to contain investigation data, and then delete them when your investigation is done to ensure that sensitive data doesn't remain in view.   <br><br> For more information, see [Watchlists in Microsoft Sentinel](watchlists.md).   |
 
-## Regular SOC activities to perform
-
-Schedule the following Microsoft Sentinel activities regularly to ensure continued security best practices:
-
-### Daily tasks
-
-- **Triage and investigate incidents**.  Review the Microsoft Sentinel **Incidents** page to check for new incidents generated by the currently configured analytics rules, and start investigating any new incidents. For more information, see [Investigate incidents with Microsoft Sentinel](investigate-cases.md).
-
-- **Explore hunting queries and bookmarks**. Explore results for all built-in queries, and update existing hunting queries and bookmarks. Manually generate new incidents or update old incidents if applicable.  For more information, see:
-
-    - [Automatically create incidents from Microsoft security alerts](create-incidents-from-alerts.md)
-    - [Hunt for threats with Microsoft Sentinel](hunting.md)
-    - [Keep track of data during hunting with Microsoft Sentinel](bookmarks.md)
-
-- **Analytic rules**.  Review and enable new analytics rules as applicable, including both newly released or newly available rules from recently connected data connectors.
-
-- **Data connectors**. Review the status, date, and time of the last log received from each data connector to ensure that data is flowing. Check for new connectors, and review ingestion to ensure set limits aren't exceeded. For more information, see [Data collection best practices](best-practices-data.md) and [Connect data sources](connect-data-sources.md).
-
-- **Log Analytics Agent**. Verify that servers and workstations are actively connected to the workspace, and troubleshoot and remediate any failed connections.   For more information, see     [Log Analytics Agent overview](../azure-monitor/agents/log-analytics-agent.md).
-
-- **Playbook failures**. Verify playbook run statuses and troubleshoot any failures.   For more information, see  [Tutorial: Respond to threats by using playbooks with automation rules in Microsoft Sentinel](tutorial-respond-threats-playbook.md).
-
-### Weekly tasks
-
-- **Content review of solutions or standalone content**. Get any content updates for your installed solutions or standalone content from the [Content hub](sentinel-solutions-deploy.md). Review new solutions or standalone content that might be of value for your environment, such as analytics rules, workbooks, hunting queries, or playbooks.
-
-- **Microsoft Sentinel auditing**. Review Microsoft Sentinel activity to see who updated or deleted resources, such as analytics rules, bookmarks, and so on. For more information, see [Audit Microsoft Sentinel queries and activities](audit-sentinel-data.md).
-
-### Monthly tasks
-
-- **Review user access**. Review permissions for your users and check for inactive users. For more information, see [Permissions in Microsoft Sentinel](roles.md).
-
-- **Log Analytics workspace review**. Review that the Log Analytics workspace data retention policy still aligns with your organization's policy.  For more information, see  [Data retention policy](/workplace-analytics/privacy/license-expiration) and [Integrate Azure Data Explorer for long-term log retention](store-logs-in-azure-data-explorer.md).
-
-
 ## Related content
 
+- [Microsoft Sentinel operational guide](ops-guide.md)
 - [On-board Microsoft Sentinel](quickstart-onboard.md)
 - [Deployment guide for Microsoft Sentinel](deploy-overview.md)
 - [Protecting MSSP intellectual property in Microsoft Sentinel](mssp-protect-intellectual-property.md)
diff --git a/articles/sentinel/deploy-overview.md b/articles/sentinel/deploy-overview.md
@@ -4,7 +4,7 @@ description: Learn about the steps to deploy Microsoft Sentinel including the ph
 author: cwatson-cat
 ms.author: cwatson
 ms.topic: conceptual
-ms.date: 06/18/2024
+ms.date: 06/28/2024
 ms.service: microsoft-sentinel
 ---
 
@@ -75,4 +75,6 @@ When you're finished with your deployment of Microsoft Sentinel, continue to exp
 - [Respond to threats using automation](tutorial-respond-threats-playbook.md)
 - [Extract incident entities with non-native action](tutorial-extract-incident-entities.md)
 - [Investigate with UEBA](investigate-with-ueba.md)
-- [Build and monitor Zero Trust](sentinel-solution.md)
+- [Build and monitor Zero Trust](sentinel-solution.md)
+
+Review the [Microsoft Sentinel operational guide](ops-guide.md) for the regular SOC activities we recommend that you perform daily, weekly, and monthly.
diff --git a/articles/sentinel/ops-guide.md b/articles/sentinel/ops-guide.md
@@ -0,0 +1,51 @@
+---
+title: Operational guide - Microsoft Sentinel
+description: Learn about the operational recommendations to help security operations teams to plan and run security activities.
+ms.date: 06/28/2024
+ms.topic: reference
+ms.author: cwatson
+author: cwatson-cat
+appliesto:
+  - Microsoft Sentinel in the Azure portal and the Microsoft Defender portal
+#Customer intent: As a security operations (SOC) team member or security administrator, I want to know what operational activities I should plan to do daily, weekly, and monthly with Microsoft Sentinel to help keep my organization's environment secure. 
+---
+
+# Microsoft Sentinel operational guide
+
+This article lists the operational activities that we recommend security operations (SOC) teams and security administrators plan for and run as part of their regular security activities with Microsoft Sentinel.
+
+## Daily tasks
+
+Schedule the following activities daily.
+
+|Task|description|
+|---|---|
+|**Triage and investigate incidents**|Review the Microsoft Sentinel **Incidents** page to check for new incidents generated by the currently configured analytics rules, and start investigating any new incidents. For more information, see [Investigate incidents with Microsoft Sentinel](investigate-cases.md).|
+|**Explore hunting queries and bookmarks**|Explore results for all built-in queries, and update existing hunting queries and bookmarks. Manually generate new incidents or update old incidents if applicable. For more information, see:</br></br>- [Automatically create incidents from Microsoft security alerts](create-incidents-from-alerts.md)</br>- [Hunt for threats with Microsoft Sentinel](hunting.md)</br>- [Keep track of data during hunting with Microsoft Sentinel](bookmarks.md)|
+|**Analytic rules**|Review and enable new analytics rules as applicable, including both newly released or newly available rules from recently connected data connectors.|
+|**Data connectors**| Review the status, date, and time of the last log received from each data connector to ensure that data is flowing. Check for new connectors, and review ingestion to ensure set limits aren't exceeded. For more information, see [Data collection best practices](best-practices-data.md) and [Connect data sources](connect-data-sources.md).|
+|**Log Analytics Agent**| Verify that servers and workstations are actively connected to the workspace, and troubleshoot and remediate any failed connections.   For more information, see     [Log Analytics Agent overview](../azure-monitor/agents/log-analytics-agent.md).|
+|**Playbook failures**| Verify playbook run statuses and troubleshoot any failures.   For more information, see  [Tutorial: Respond to threats by using playbooks with automation rules in Microsoft Sentinel](tutorial-respond-threats-playbook.md).|
+
+## Weekly tasks
+
+Schedule the following activities weekly.
+
+|Task|description|
+|---|---|
+|**Content review of solutions or standalone content**| Get any content updates for your installed solutions or standalone content from the [Content hub](sentinel-solutions-deploy.md). Review new solutions or standalone content that might be of value for your environment, such as analytics rules, workbooks, hunting queries, or playbooks.|
+|**Microsoft Sentinel auditing**| Review Microsoft Sentinel activity to see who updated or deleted resources, such as analytics rules, bookmarks, and so on. For more information, see [Audit Microsoft Sentinel queries and activities](audit-sentinel-data.md).|
+
+## Monthly tasks
+
+Schedule the following activities monthly.
+
+|Task|description|
+|---|---|
+|**Review user access**| Review permissions for your users and check for inactive users. For more information, see [Permissions in Microsoft Sentinel](roles.md).|
+|**Log Analytics workspace review**| Review that the Log Analytics workspace data retention policy still aligns with your organization's policy. For more information, see  [Data retention policy](/workplace-analytics/privacy/license-expiration) and [Integrate Azure Data Explorer for long-term log retention](store-logs-in-azure-data-explorer.md).|
+
+
+## Related content
+
+- [Deployment guide for Microsoft Sentinel](deploy-overview.md)
