Organizations' infrastructures are becoming more complex. As the new landscape expands into the cloud and third-party PaaS and SaaS services, it has become more of a challenge to maintain proper visibility and aggregation of logs into a single pane of glass. While Security Information and Event Management (SIEM) systems have been around for years, the complexity of new data sources, infrastructure, and business needs require a scalable approach. Sentinel is a scalable cloud-native solution that can ingest sources from both cloud and on-prem.
Sentinel: This introduction demonstration will provide a high-level understanding of the user interface, Sentinel architecture, log ingestion, rule creation process, and different methods used to investigate and correlate logs in Sentinel.
Skills Learned:
Knowledge of how Sentinel is deployed
Create analytics rules (detection rules)
Knowledge of the available methods of ingesting logs
Knowledge of Data connectors and Content Hub
Creation of parsers
Ability to navigate Sentinel and use logs, entities, and the investigation page to investigate alerts
Prerequisites
The workshop is an introduction to Sentinel. Students will not need to have prior experience with Sentinel or KQL (Kusto Query Language).
The following are courses or equivalent experiences that are prerequisites for the workshop:
SANS SEC488: Cloud Security Essentials, www.sans.org/sec488
Or hands-on experience using Microsoft Azure Cloud.
Students must have basic familiarity with Azure IAM.
Understand basic cloud resources such as virtual machines, storage services, and Identity Access Management
ABOUT THE SPEAKER
John Alves is a cloud security principal with just shy of a decade of experience in information security across network engineering, systems administration, compliance, and cloud security. He leads the cloud security practice at CyberOne Security and is a subject matter expert across Azure and Microsoft 365. He holds multiple certifications from various certifying bodies, most notably GPCS, GCWN, GSEC, and Microsoft Certified Trainer, Microsoft Solutions Architect, Microsoft Cybersecurity Architect. Over the course of his career he has demonstrated deep technical understanding of security practices, and has consistently delivered robust solutions to enterprises. @cyberlowdown | Linkedin.com/in/alves-john/
SANS Cloud Security focuses the deep resources of SANS on the growing threats to The Cloud by providing training, GIAC certification, research, and community initiatives to help security professionals build, deploy and manage secure cloud infrastructure, platforms, and applications.
SANS Cloud Security Curriculum: www.sans.org/cloud-security
Follow us on social:
SANS Cloud Security on Twitter: @SANSCloudSec
SANS Cloud Security on LinkedIn: / sanscloudsec
SANS Cloud Security on KZread: / sanscloudsecurity