articles/sentinel/overview.md
Lines changed: 10 additions & 9 deletions
@@ -35,13 +35,14 @@ Microsoft Sentinel natively incorporates proven Azure services, like Log Analyti
35
35
36
36
## Collect data by using data connectors
37
37
38
-
To on-board Microsoft Sentinel, you first need to [connect to your security sources](connect-data-sources.md).
38
+
To on-board Microsoft Sentinel, you first need to [connect to your data sources](connect-data-sources.md).
39
39
40
40
Microsoft Sentinel comes with many connectors for Microsoft solutions that are available out of the box and provide real-time integration. Some of these connectors include:
41
41
42
-
- Microsoft 365 sources like Office 365, Azure AD, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps
42
+
- Microsoft sources like Microsoft 365 Defender, Microsoft Defender for Cloud, Office 365, Microsoft Defender for IoT, and more.
43
+
- Azure service sources like Azure Active Directory, Azure Activity, Azure Storage, Azure Key Vault, Azure Kubernetes service, and more.
43
44
44
-
Microsoft Sentinel has built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use common event format, Syslog, or REST-API to connect your data sources with Microsoft Sentinel.
45
+
Microsoft Sentinel has built-in connectors to the broader security and applications ecosystems for non-Microsoft solutions. You can also use common event format, Syslog, or REST-API to connect your data sources with Microsoft Sentinel.
45
46
46
47
For more information, see [Find your data connector](data-connectors-reference.md).
47
48
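Review bot: the added sentence "To on-board Microsoft Sentinel, you first need to [connect to your data sources]" keeps the hyphenated "on-board"; since this hunk already rewrites that line, change it to "onboard" here. The same applies to the rewritten ecosystem sentence, which still has "common event format" in lowercase and "REST-API" hyphenated; "Common Event Format (CEF)" and "REST API" are the standard forms. In the two new bullets, "Azure Kubernetes service" should be "Azure Kubernetes Service" (product name), and both bullets end with "and more." while the bullets in the automation section below ("- Windows Defender ATP", "- Defender for Cloud Apps") carry no terminal punctuation, so pick one list style for the file.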
@@ -59,9 +60,9 @@ Workbooks are intended for SOC engineers and analysts of all tiers to visualize
59
60
60
61
Workbooks are best used for high-level views of Microsoft Sentinel data, and don't require coding knowledge. But you can't integrate workbooks with external data.
61
62
62
-
## Correlate alerts into incidents by using analytic rules
63
+
## Correlate alerts into incidents by using analytics rules
63
64
64
-
To help you reduce noise and minimize the number of alerts you have to review and investigate, Microsoft Sentinel uses [analytics to correlate alerts into incidents](detect-threats-built-in.md). Incidents are groups of related alerts that together create an actionable possible-threat that you can investigate and resolve. Use the built-in correlation rules as-is, or use them as a starting point to build your own. Microsoft Sentinel also provides machine learning rules to map your network behavior and then look for anomalies across your resources. These analytics connect the dots, by combining low fidelity alerts about different entities into potential high-fidelity security incidents.
65
+
To help you reduce noise and minimize the number of alerts you have to review and investigate, Microsoft Sentinel uses [analytics to correlate alerts into incidents](detect-threats-built-in.md). Incidents are groups of related alerts that together indicate an actionable possible-threat that you can investigate and resolve. Use the built-in correlation rules as-is, or use them as a starting point to build your own. Microsoft Sentinel also provides machine learning rules to map your network behavior and then look for anomalies across your resources. These analytics connect the dots, by combining low fidelity alerts about different entities into potential high-fidelity security incidents.
65
66
66
67
:::image type="content" source="media/investigate-cases/incident-severity.png" alt-text="Screenshot of the incidents page in Microsoft Sentinel with a list of open incidents." lightbox="media/investigate-cases/incident-severity.png":::
67
68
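Review bot: the rewritten paragraph still hyphenates "possible-threat" (a noun phrase, not a compound modifier; "an actionable possible threat" is correct), and within the same sentence mixes "low fidelity alerts" with "high-fidelity security incidents"; hyphenate both or neither. The comma in "connect the dots, by combining" is also stray. The heading change to "analytics rules" is consistent with "uses [analytics to correlate alerts into incidents]" in the body paragraph and is fine as-is.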
@@ -80,7 +81,7 @@ Microsoft Sentinel's automation and orchestration solution provides a highly ext
80
81
- Windows Defender ATP
81
82
- Defender for Cloud Apps
82
83
83
-
For example, if you use the ServiceNow ticketing system, use Azure Logic Apps to automate your workflows and open a ticket in ServiceNow each time a particular event is detected.
84
+
For example, if you use the ServiceNow ticketing system, use Azure Logic Apps to automate your workflows and open a ticket in ServiceNow each time a particular alert or incident is generated.
84
85
85
86
:::image type="content" source="media/tutorial-respond-threats-playbook/logic-app.png" alt-text="Screenshot of example automated workflow in Azure Logic Apps where an incident can trigger different actions.":::
86
87
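Review bot: the unchanged context lines "- Windows Defender ATP" and "- Defender for Cloud Apps" use a retired product name next to a current one; since this hunk is already modernising the wording of the ServiceNow example, rename the first item to "Microsoft Defender for Endpoint" and align both with the "Microsoft Defender for ..." form used in the connector list earlier in the file. The change from "a particular event is detected" to "a particular alert or incident is generated" is a good fix: it matches the alt text of the Logic Apps screenshot directly below, which describes an incident as the trigger.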
@@ -90,19 +91,19 @@ Playbooks work best with single, repeatable tasks, and don't require coding know
90
91
91
92
## Investigate the scope and root cause of security threats
92
93
93
-
Microsoft Sentinel [deep investigation](investigate-cases.md) tools help you to understand the scope and find the root cause, of a potential security threat. You can choose an entity on the interactive graph to ask interesting questions for a specific entity, and drill down into that entity and its connections to get to the root cause of the threat.
94
+
Microsoft Sentinel [deep investigation](investigate-cases.md) tools help you to understand the scope and find the root cause of a potential security threat. You can choose an entity on the interactive graph to ask interesting questions for a specific entity, and drill down into that entity and its connections to get to the root cause of the threat.
94
95
95
96
:::image type="content" source="media/investigate-cases/map-timeline.png" alt-text="Screenshot of an incident investigation that shows an entity and connected entities in an interactive graph.":::
96
97
97
-
## Detect threats by using build-in queries
98
+
## Hunt for security threats by using built-in queries
98
99
99
100
Use Microsoft Sentinel's [powerful hunting search-and-query tools](hunting.md), based on the MITRE framework, which enable you to proactively hunt for security threats across your organization’s data sources, before an alert is triggered. Create custom detection rules based on your hunting query. Then, surface those insights as alerts to your security incident responders.
100
101
101
102
While hunting, create bookmarks to return to interesting events later. Use a bookmark to share an event with others. Or, group events with other correlating events to create a compelling incident for investigation.
102
103
103
104
:::image type="content" source="media/overview/hunting.png" alt-text="Screenshot of the hunting page in Microsoft Sentinel that shows a list of available queries. ":::
104
105
105
-
## Hunt for security threats with notebooks
106
+
## Enhance your threat hunting with notebooks
106
107
107
108
Microsoft Sentinel supports Jupyter notebooks in Azure Machine Learning workspaces, including full libraries for machine learning, visualization, and data analysis.
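Review bot: the hunting screenshot alt text ends with a trailing space inside the quotes ("a list of available queries. ") that docs linters commonly flag; trim it while this region is being edited. Two wording issues in the unchanged hunting paragraph are worth folding into the same change: "based on the MITRE framework" should name the framework explicitly as MITRE ATT&CK, which is the matrix Microsoft Sentinel hunting queries are mapped to, and the curly apostrophe in "organization’s" should be the plain ASCII apostrophe used elsewhere in the file. The new headings "Hunt for security threats by using built-in queries" and "Enhance your threat hunting with notebooks" read well and also fix the "build-in" typo in the old heading.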