Marshall Copeland
Cloud Defense Strategies with Azure Sentinel
Hands-on Threat Hunting in Cloud Logs and Services
1st ed.
Marshall Copeland
New Braunfels, TX, USA
ISBN 978-1-4842-7131-5 e-ISBN 978-1-4842-7132-2
https://doi.org/10.1007/978-1-4842-7132-2
Marshall Copeland 2021
This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This Apress imprint is published by the registered company APress Media, LLC part of Springer Nature.
The registered company address is: 1 New York Plaza, New York, NY 10004, U.S.A.
Dedicated to the memory of Marshal (Mark) Edwin Hilley. Mark was my brother in every way. His family, friends, and extended family of first responders are mourning his passing after a battle with COVID-19. Mark Hilley was a Gulfport firefighter and Harrison County Fire Rescue Battalion Chief. District Chief Mark Hilley served more than 20 years and was also a veteran of the U.S. Marine Corps. Mark Hilley is the epitome of a firefighter's firefighter. He devoted his life to public service. Please keep Mark's family, wife Carla, children Natalie and Cade, and Mark's mother Bonnie in your prayers.
Marshall
Introduction
The Microsoft Azure Sentinel engineering team has brought their best security work to Azure Sentinel, the cloud-native SIEM (Security Information and Event Management). Next-generation defense is needed to combat cybercriminals and nation states that continue to threaten human health, steal intellectual property, and terrorize businesses. Plain but certainly not simple, this is cyber war. Global cybercrime events continue to publicly remind governments, businesses, and security leaders that digital criminal efforts are ever-evolving, complex, and never-ending. Criminals in foreign countries are protected. Cyberwarfare from nation states is supported by an endless supply of resources and time.
The hands-on guidance in this book will provide you with a comprehensive understanding, enabling you, in minutes, to save money by integrating with data you already have and to start defending your business today.
Target Audience
The following security roles will benefit from this book:
Security Operations Center (SOC) team members
Blue and red team members
Cloud security analysts
Network and server administrators
IT professionals
This book provides guidance for security and IT team members who are responsible for mitigating and responding to cybercriminal attacks.
Summary of Contents
A brief description of subject matter in each chapter:
Part I
Includes Chapters . You enable Azure Sentinel and begin allowing security data into your services, integrate other Azure security services with Azure Sentinel and each other, and learn how these services extend the layered data security.
Part II
Includes Chapters . You are provided guidance on security metrics, logs, and events that works from the data you already collect without incurring duplicate storage cost. Details about security threat intelligence (TI) providers and their ingestion into Azure Sentinel, and considerations for supporting Azure Sentinel in a global business using global Azure regions, are also discussed.
Part III
Includes Chapters . Threat hunting with Azure Sentinel's built-in templates, automation (SOAR), and customized Kusto Query Language (KQL) queries for new threats, custom watchlists, and security defenses is discussed. There is an introduction to the MITRE organization and how it is supported in Azure Sentinel, along with daily, weekly, and monthly best practices for successful operations with Azure Sentinel.
Acknowledgments
Marshall Copeland would like to dedicate this book to the memory of Marshal (Mark) Edwin Hilley. His family, friends, and extended family of first responders are mourning his passing after a battle with COVID-19. Mark Hilley was a Gulfport firefighter and Harrison County Fire Rescue Battalion Chief. District Chief Mark Hilley served more than 20 years and was also a veteran of the U.S. Marine Corps. Mark Hilley is the epitome of a firefighter's firefighter. He devoted his life to public service. Please keep Mark's family in your prayers. Special acknowledgment to Brian O'Hara, a true security professional with great cyber defense insight. Thank you, Brian. Thank you to Shrikant Vishwakarma, Smriti Srivastava, and the Apress team for your dedication to this publication.
About the Author
Marshall Copeland
is a senior consultant focused on cybersecurity in the Azure public cloud. Marshall Copeland currently works at Microsoft Corporation supporting enterprise customers' security teams using Azure security services, Azure Sentinel, Azure Security Center, and Azure Defender for hybrid network security management and data protection. He previously worked in cloud security roles at Optiv Security and Salesforce.
About the Technical Reviewer
Brian O'Hara
is an information security professional who has been supporting the cyber defense efforts of small businesses and large enterprises for more than 12 years. He has held a variety of Security Operations Center roles with responsibilities including security architecture, threat hunting, detection engineering, digital forensics, and incident response. He maintains multiple industry certifications and participates regularly in local cyber community events and conferences. He currently works as a consultant performing incident response and improving Security Operations Center efficiency through SIEM configuration auditing, alert tuning, and detection engineering.