This article reviews best practices and references for creating your own integration solutions with Microsoft Sentinel.

Security Operations (SOC) teams use Microsoft Sentinel to generate detections and investigate and remediate threats. Offering your data, detections, automation, analysis, and packaged expertise to customers by integrating with Microsoft Sentinel provides SOC teams with the information they need to act on informed security responses.

For example, your integration may add value for any of the following goals:

- Creating detections out of semi-structured data. For example, your integration might bring new log data, actionable intelligence, analytics rules, hunting rules, guided hunting experiences, or machine-learning analysis.
- Contributing to Microsoft Sentinel investigations. For example, your integration might add new detections, queries, or historical and supporting data, such as extra databases, vulnerability data, compliance data, and so on.
- Automation in Microsoft Sentinel. For example, your integration might include rules for enrichment, remediation, or orchestration of security activities within the customer's environment and infrastructure.

We recommend that you package and publish your integration as a Microsoft Sentinel solution so that joint customers can discover, deploy, and maximize the value of your partner integration. Microsoft Sentinel solutions are published in Azure Marketplace and appear in the Microsoft Sentinel Content hub.

Most Microsoft Sentinel integrations are based on data, and use both the general detection engine and the full-featured investigative engine. Both engines run over data ingested into the Microsoft Sentinel data repository.

Microsoft Sentinel works with the following types of data:

| Type | Description | Examples |
|---|---|---|
| Raw data | Analyze raw operational data in which signs of malicious activity may be present. Supports detections and hunting processes. Bring unprocessed data to Microsoft Sentinel to use Microsoft Sentinel's built-in hunting and detection features to identify new threats and more. | Syslog data, CEF data over Syslog, application, firewall, authentication, or access logs, and more. |
| Alerts and detections | Alerts and detections are conclusions that have already been made about threats. Creates alert visibility and opportunity for correlation. Putting detections in context with all the activities and other detections visible in Microsoft Sentinel investigations saves time for analysts and creates a more complete picture of an incident, resulting in better prioritization and better decisions. | Anti-malware alerts, suspicious processes, communication with known bad hosts, network traffic that was blocked and why, suspicious logons, detected password spray attacks, identified phishing attacks, data exfiltration events, and more. |
| Context and enrichment data | Builds context with referenced environments, saving investigation effort and increasing efficiency. | CMDBs, high value asset databases, application dependency databases, IP assignment logs, threat intelligence collections for enrichment, and more. |
| Threat intelligence | Powers threat detection by contributing indicators of known threats. Threat intelligence can include current indicators that represent immediate threats or historical indicators that are kept for future prevention. | |

Each type of data supports different activities in Microsoft Sentinel, and many security products work with multiple types of data at the same time. Historical data sets are often large and are best referenced ad-hoc, in place, instead of importing them directly to Microsoft Sentinel.

Microsoft Sentinel's monitoring and detection features create automated detections to help customers scale their SOC team's expertise. The following sections describe monitoring and detection elements that you can include in your integration solution.

## Threat detection rules

Threat detection, or analytics, rules are sophisticated detections that can create accurate, meaningful alerts. Add analytics rules to your integration to help your customers benefit from data from your system in Microsoft Sentinel. Analytics are query-based rules that run over the data in the customer's Microsoft Sentinel workspace, and can:

- Output alerts, which are notable events.
- Output incidents, which are units of investigation.

For example, analytics rules can help provide expertise and insight about the activities that can be detected in the data your integration delivers. You can add analytics rules by including them in a solution and via the Microsoft Sentinel ThreatHunters community. Contribute via the community to encourage community creativity over partner-sourced data, helping customers with more reliable and effective detections.
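As an added example (not from this article or any published Microsoft Sentinel solution), the following shows what one such analytics rule looks like as a scheduled rule template in the YAML layout used for Sentinel detection content, running a KQL query over the raw Syslog data type described above and mapping the results to entities so the resulting alert lands in an incident with the host and source address attached. The rule id is a placeholder, and the 20-failure threshold, the one-hour window, and the exact log wording matched by the query are assumptions to be tuned against the customer's data.

```yaml
# Added example of a Sentinel scheduled analytics rule template (not from the article).
# Assumes the built-in Syslog table populated by the Syslog data connector.
id: 00000000-0000-0000-0000-000000000000   # placeholder: generate a fresh GUID per rule
name: Burst of failed SSH password logons from one source (example)
description: |
  Raises an alert when a single source address records 20 or more failed SSH
  password logons against one host within an hour, as seen in Syslog auth data.
severity: Medium
requiredDataConnectors:
  - connectorId: Syslog
    dataTypes:
      - Syslog
queryFrequency: 1h          # how often the query runs
queryPeriod: 1h             # how far back each run looks
triggerOperator: gt         # alert when the query returns more than triggerThreshold rows
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques:
  - T1110
query: |
  Syslog
  | where Facility in ("auth", "authpriv") and ProcessName == "sshd"
  | where SyslogMessage has "Failed password"
  // pull the client address out of the sshd message text (assumed format)
  | extend SourceIP = extract(@"from (\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage)
  | where isnotempty(SourceIP)
  | summarize FailedCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
      by Computer, SourceIP, bin(TimeGenerated, 1h)
  | where FailedCount >= 20
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: Computer
version: 1.0.0
kind: Scheduled
```

Ship the template inside the solution package so the rule appears in the customer's Content hub alongside the data connector it depends on.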