We are announcing over 30 new out-of-the-box data connectors for Azure Sentinel to enable data collection for leading security products and other clouds. With these new connectors, we are continuing the momentum to enable customers to easily bring data from different products into Azure Sentinel and analyze data at cloud scale.
When it comes to incident management and response, time is everything: the impact and damage caused by a malicious actor can grow by the minute. Azure Sentinel strives to deliver a strong experience for users while also providing tools for investigations. Recently, a new feature called Watchlists was released to public preview. Watchlists can be used to speed up investigations and make them more efficient. This blog post walks through a scenario and provides examples of how they can be used.
The workbook allows you to visualize alerts from Azure Defender and monitor its coverage across your Sentinel workspaces. In addition, it provides security insights from the activity logs. These insights include baselines for key vault access and anomalous deviations from them, as well as event and operation analysis over time. The analysis allows you to inspect failed events, caller IPs, active users & services, as well as their operations. You can further investigate notable and suspicious entities and their activities using the direct links provided in the workbook to relevant incidents involving these entities.
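The baseline-and-deviation idea the workbook applies to key vault access, and the watchlist enrichment from the Watchlists post above, can be shown together in a small standalone script. This is an added Python illustration, not the workbook's own KQL or any Microsoft code: the event records, field names (`caller`, `ip`, `op`, `result`), callers, IP addresses and the approved-range watchlist are all constructed for the example and do not follow Sentinel's actual table schema. It learns each caller's usual source IPs and operations from a training week, then flags callers seen from new IPs (unless the IP falls inside a watchlisted range), callers performing new operations, callers with no history at all, and bursts of failed access.

```python
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress

# Constructed sample of Key Vault audit events (hypothetical field names, not Sentinel's schema).
SAMPLE_EVENTS = [
    # --- training week: establishes the per-caller baseline ---
    {"time": "2021-03-01T09:00:00", "caller": "app-sp-1", "ip": "10.0.1.5", "op": "SecretGet", "result": "OK"},
    {"time": "2021-03-02T09:00:00", "caller": "app-sp-1", "ip": "10.0.1.5", "op": "SecretGet", "result": "OK"},
    {"time": "2021-03-03T14:20:00", "caller": "alice@contoso.com", "ip": "203.0.113.10", "op": "SecretList", "result": "OK"},
    {"time": "2021-03-04T14:25:00", "caller": "alice@contoso.com", "ip": "203.0.113.10", "op": "SecretGet", "result": "OK"},
    # --- day under review ---
    {"time": "2021-03-08T09:00:00", "caller": "app-sp-1", "ip": "10.0.1.9", "op": "SecretGet", "result": "OK"},
    {"time": "2021-03-08T09:05:00", "caller": "app-sp-1", "ip": "198.51.100.7", "op": "SecretGet", "result": "OK"},
    {"time": "2021-03-08T10:00:00", "caller": "alice@contoso.com", "ip": "203.0.113.10", "op": "SecretSet", "result": "OK"},
    {"time": "2021-03-08T11:00:00", "caller": "bob@contoso.com", "ip": "192.0.2.44", "op": "SecretGet", "result": "Forbidden"},
    {"time": "2021-03-08T11:00:05", "caller": "bob@contoso.com", "ip": "192.0.2.44", "op": "SecretGet", "result": "Forbidden"},
    {"time": "2021-03-08T11:00:10", "caller": "bob@contoso.com", "ip": "192.0.2.44", "op": "SecretGet", "result": "Forbidden"},
]

# Constructed watchlist: approved source ranges (e.g. the app's VNet) that should not raise new-IP findings.
APPROVED_RANGES = [ipaddress.ip_network("10.0.1.0/24")]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def build_baseline(events, start, end):
    """Per-caller set of source IPs and operations observed in [start, end)."""
    baseline = defaultdict(lambda: {"ips": set(), "ops": set()})
    for e in events:
        if start <= _ts(e) < end:
            baseline[e["caller"]]["ips"].add(e["ip"])
            baseline[e["caller"]]["ops"].add(e["op"])
    return dict(baseline)


def _approved(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_deviations(events, baseline, start, end, approved_ranges=(), fail_threshold=3):
    """Return findings for events in [start, end) that deviate from the baseline.

    Findings are deduplicated per (kind, caller, detail) and ordered by first occurrence.
    """
    findings = []
    seen = set()
    failures = Counter()

    def emit(kind, caller, detail):
        key = (kind, caller, detail)
        if key not in seen:
            seen.add(key)
            findings.append({"kind": kind, "caller": caller, "detail": detail})

    for e in sorted(events, key=_ts):
        if not (start <= _ts(e) < end):
            continue
        caller = e["caller"]
        if e["result"] != "OK":
            failures[caller] += 1
        known = baseline.get(caller)
        if known is None:
            # No history at all: report once per source IP and skip the finer checks.
            emit("unknown_caller", caller, e["ip"])
            continue
        if e["ip"] not in known["ips"] and not _approved(e["ip"], approved_ranges):
            emit("new_ip", caller, e["ip"])
        if e["op"] not in known["ops"]:
            emit("new_operation", caller, e["op"])

    # Failed-access burst is counted over the whole review window, per caller.
    for caller, n in failures.items():
        if n >= fail_threshold:
            emit("failed_burst", caller, str(n))
    return findings


def run_sample():
    """Train on 1-7 March, review 8 March, using the constructed data above."""
    base_start, base_end = datetime(2021, 3, 1), datetime(2021, 3, 8)
    review_end = datetime(2021, 3, 9)
    baseline = build_baseline(SAMPLE_EVENTS, base_start, base_end)
    return find_deviations(SAMPLE_EVENTS, baseline, base_end, review_end, APPROVED_RANGES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['kind']:15} {f['caller']:20} {f['detail']}")
```

On the sample data this produces four findings: `app-sp-1` from the unapproved address `198.51.100.7`, `alice@contoso.com` performing `SecretSet` for the first time, `bob@contoso.com` as a caller with no baseline, and a burst of three failures for `bob@contoso.com`. The `app-sp-1` access from `10.0.1.9` is suppressed because it falls inside the watchlisted range, which is the kind of noise reduction a watchlist of known-good infrastructure gives an investigation.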
This blog post takes an in-depth look at some of the log sources we used behind the scenes to tie these events together, and covers in more detail how to analyze blob and file storage logs. Alongside the log sources, we'll explore additional hunting queries and detections that can be added to your Azure Sentinel hunting arsenal. All of the queries in this post are linked at the bottom.