Digital estates are growing, and so are the volume and sophistication of cyber attacks. Security operations teams are increasingly challenged to protect assets across distributed environments, analyze the growing quantity of security data, and prioritize response to real threats. The problem? Traditional SIEM solutions are costly to operate, slow to scale, and generate an overwhelming number of alerts, all of which are major obstacles to effective security. But their solution? Azure Sentinel, a cloud native SIEM for your entire enterprise. Azure Sentinel helps eliminate infrastructure setup and management complexity, saving you major costs. It scales automatically to meet your dynamic needs. With just a few clicks you can collect, correlate, and analyze data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds. It empowers you with insights from Microsoft's global security operations and threat intelligence, informed by analyzing trillions of signals every day, and it arms your entire team with intelligent, role-based tools so they can focus on what's important, protecting your organization. With built-in AI and machine learning, you can improve detection, hunting, response, and potential incidents, reducing false positives and alert fatigue by more than 90%. You can identify compromised users and entities with behavior analytics and simplify investigation for the entire incident. And with integrated playbooks, you can automate and orchestrate a majority of tasks, simplifying operations, and accelerating threat response. While security threats continue to grow, Microsoft is dedicated to keeping you one step ahead. Modernize your security operations with Azure Sentinel. Hey, everybody, it's Jay. Welcome back to Azure FunBytes. It's been a couple weeks, I know, but it was the holiday season. We got through it. We all are here. It's 2022. It is a new year. It's time for new shows. My name is Jay Gordon.
I am always here as your host to give you all the information, products, services, and people that make up an incredibly great Azure experience, the delightful Azure experience, if you will. So I've really, really enjoyed that little intro video, and I think it helps set us up for what we're going to be talking about today. You know, it's so important to talk about security and the concepts that help protect our IT operations and our applications. In order to do that, we have to find different methodologies to be able to scoop up all the data that's created along the way and make some decisions on how to handle whether it's your, whether it's intrusion detection, users that have been created, auditing, things like that. We want to make sure that we've spent our time getting things right when it comes to being able to put out something that people are going to be using. So we are here on LearnTV, and I want to remind you, as always, before I introduce our guest, that we have a poll. You can always take the poll along the way. I'd love to hear from you. I want to know a little bit about whether you've used some of these services before and today. We'd love to hear whether or not you've worked with security and event management in your IT infrastructure. So go to aka.ms/learnTV. Now, to help me along the way today, I've got a great guest, someone that was kind enough to come and be part of this, and that would be Rod Trent. He is a senior cloud security advocate. How are you doing, Rod? I'm fine, Jay. How are you? How about yourself? Happy New Year. Happy New Year to you, too. I'm doing good. It's another Thursday. I haven't done one of these in a couple weeks, and I've actually really missed the opportunity to be able to talk with not just my guests, but all the people in the community that take part. They all seem to really appreciate this information, and I'm so glad you're here to help give some new stuff.
We've kind of touched upon Sentinel before, but we haven't really done a deep dive in here, so we'll talk a little bit more about that in a minute, Rod. But what I really wanted to do, just because I wanted to kind of get everything set up and let people know a little bit about yourself, and my question is, how did you get here? How did I get here? That's actually an extremely good question. I'm glad you asked. I've actually been, in terms of other folks, I've been at Microsoft probably a relatively short time. I started with Microsoft on tax day, April 15, 2019, but since then kind of hit the ground running. One of the first things that I accomplished at Microsoft was delivering Microsoft Sentinel workshops, and ever since I started that, that's literally the only thing that I have done since. Not just the workshops, I've worked with a number of customers. Before this role that I'm in currently, I worked in our services org as a customer engineer and also a security CSA, worked with lots and lots of customers, doing lots and lots of really cool things with Microsoft Sentinel. Very cool. It's a great opportunity today to remind people that Microsoft really believes in this Zero Trust initiative and how we handle applications and what we think about the importance of identity and access management. We also need to concern ourselves with the auditing of what happens along the way. From what I know of Sentinel, I'll give you a chance to talk to us a little bit more about it. It's really there to give you a single pane of glass to look at your security posture and then provide you with information about what's going on and lead you to some remediations, am I right? Yeah, so Zero Trust is a mindset that your organization needs to take, but Zero Trust can't do everything for you because that's your policies, your procedures that you implement within an organization.
Something like Microsoft Sentinel or a tool like Microsoft Sentinel, while it does provide that single pane of glass for the entire environment. What I like to refer to Microsoft Sentinel as, I don't know if you've ever watched one of those TV shows where they're digging for gold. They use these massive pieces of equipment to dig the earth out and they're looking for gold, but what actually helps them find those little nuggets of value is what's called a sluice box. I don't know if you've seen this, they run water through it, it gets the dirt out of the way and produces the gold. That's exactly, almost exactly what Microsoft Sentinel is in respect to it's the last mile of security. It monitors the environment for potential for the things that Zero Trust and your policies can't always address. It's going to capture all of that stuff like that sluice box that your tools, your policies and the other things and mechanisms that you use are going to miss. Gotcha, and so I brought up this image because I thought it was a really great way to kind of kick off the big use cases for Sentinel and ask a little bit more about specifics. But what we're looking to do is collect information about your security data across the enterprise. You're looking to detect threats so that we're able to mitigate them. We're investigating incidents like we would in almost any operations situation. We want to look at those incidents and then we want to respond to them. So we've got this kind of like circular path to take when it comes to creating a secure and audited environment for our IT infrastructure. Yeah, so those are kind of the primary pillars of a tool like Microsoft Sentinel. Microsoft Sentinel obviously is not the only tool like this on the market. We are actually probably the newest, the most recent. And as I mentioned earlier, we released in September of 2019 publicly.
Obviously since then because of how our services work and function and improvements are made, it's leaps and bounds ahead of where it started. But at the same time, those are the primary pillars. So it has to do those four things, right? We need to collect data. We need to investigate. We need to look through that data, need to sift through it. We need to supply the capability to be able to remediate if there are actual threats found in the environment. So yeah, absolutely. It meets every one of those, every one of that criteria. Plus it does have a lot more. Very cool. And if you want to be able to, you the viewer want to take some time to do some introductory education around this. There is a really great Microsoft Learn module. I actually, you know, took this one yesterday and it gave me some kind of background on what exactly it is to utilize this service to be able to secure my solutions. So I really recommend head over to this URL after the show. We want to finish what we're doing today and take this opportunity to get free education on Microsoft Learn. I think it's, it's a really great thing. So the next kind of thing I wanted to talk to you about are security operations in Azure. What would you say is the role of the SOC, the security operations center, for applications deployed in Azure? Well, so the SOC generally is a formal team, security operations center, right? That manages the security or not necessarily manages, but monitors the security of everything that's deployed within the environment, not just, not just on-prem, which absolutely needs to be done. But also, you know, if you're a multi-cloud organization, whether it's Azure, whether it's GCP, whether it's AWS, it doesn't matter wherever your resources exist. The SOC needs to have that capability to be able to monitor what's going on there, whether it's user activity or application or service activity, access to those things.
That's what the SOC, that's where the SOC kind of fits in that organization, being able to kind of have that purview or that overview of everything that goes on. Very cool. And I want to just give a shout out here to one of our viewers who said, Azure Sentinel saved my back, or Microsoft Sentinel as it's known now, saved my back more than one time implementing a SIEM in a short time that was needed. So yeah, that's one of the great things about here is people in those security operation centers, they're able to use a service that's managed, it's already there for you to start working with. And that being said, Rod, I know you've got some slides to show us. So if you're ready, I will bring up your deck and I'll give you an opportunity to kind of chat with us a little bit about the big, who, what and when. Absolutely. And like most of our customers, I'm not a huge fan of slides. So I only have like six that I want to go through, but it's only kind of set the stage for the demos for what I essentially want to talk about today. Okay. So understand that I'm not a, I'm not a big demo guy and I'm not a big slide guy. In fact, most of my slide decks people yell at me and they hate me because it's like one slide and they'll talk for two hours. I won't talk for two hours today. I promise. But I think there's some things that we kind of need to get through to kind of set the stage about what I'm talking about because we've talked about Sentinel. We've talked about these SIEMs or SIMs, whatever you want to call them, talked about these types of tools. But Microsoft Sentinel exists for specific reasons. And one of those is that we identified as a Microsoft that uses those same tools as our customers have used a lot of inefficiencies to me. So here's our review. Okay. So here's what I want to go through today during our time together. These are the areas I want to highlight and cover. So efficiency is a big thing in mind.
And that's a big reason why I'm so enamored and so in love with Microsoft Sentinel. That's why I've done this for almost three years. The ability to provide for security, monitoring, investigation and remediation and do it all in an efficient way is a huge win literally for everyone. Efficiency is key to big companies obviously, right? And Microsoft Sentinel is absolutely designed to provide for those enormous, multi-tiered environments. But efficiency is critically key to small companies, right? By utilizing the efficiencies built into Microsoft Sentinel, small companies don't have to skimp on security. I've worked with customers with hundreds of locations and hundreds of security people, but I've also worked with customers that have a single office with a single operations person who's responsible for security and everything else, right? I'm sure there's people listening in now. They feel like that person, right? Microsoft Sentinel works just as well for those customers, right? Because of, Jay, what? Because of efficiency. There you go. Yes, yes. Your key word here. Yeah, we're going to get that by the end of this. I promise you, all right? So that's good information, right? But let's not just take my word for it. I can tell you all day, yeah, by Microsoft, we do all this cool stuff. Let's look at why efficiency in the Security Operations Center and the SOC is important, right? Every solution that we have that Microsoft has started with a problem. We didn't just one day wake up and let's create Excel. There was a need that existed. So what's our problem? What are we trying to fix here? All right? Big scary slide. I promise it's going to slide through here. I'm going to talk here for a second. So let's take a quick minute to set this stage, right? Why do we need efficiency in security? Will efficiency compromise security or will it bolster it, right? What's our hope? What's our goal? What's our nirvana when it comes to security operations?
And is there truly a solution that can deliver the promise of better security through this improved efficiency without compromising that security at all? That's our hope. That's our goal. Okay, so here's something that I absolutely truly believe. Efficiency, or let's just call it the lack of efficiency, is a barrier to security, right? I'm going to preach this here. You're going to believe me. We need to develop a modern response to security threats based on efficiency, all right? We are at a point, and I hope you can agree with me at this. We're in 2022, right? Brand-new year 2022. We're at a point in technology where the features and tools should accommodate our requirements for this, right? We ask our tools to do something they should be able to do it. As a security analyst or security team that is actively hunting or investigating threats in the environment, a lot of people know this. You're on the clock. Somebody's beating down your door. What's going on? Where's this intrusion, right? Things must happen quickly. Must get to the point of remediation as soon as possible because as we've seen, right, or heard in news reports or obviously some of us have actually experienced this firsthand, right? One intrusion can lead to the next. One compromised account, for example, could lead to the next and the next and so on and so on until the entire organization is compromised and data is stolen or the business is just halted completely, right? We don't want to damage our reputation based on that either because as a business, the security of our customer's data is just important. It's imperative here. Absolutely. Well, and customers agree and they believe that too. And that's why a lot of our customers put their trust in us because they know that that's what we promote, right? So based on, I don't know if you're familiar with this, but a few people are recent surveys and reports and taking into account what we know about most of today's tools, right? 
It's been determined that the average company needs 100, think about this, 162 hours to detect, triage and contain a breach. And if you're doing the math in your head, that's actually six and three-quarter days. All right? So let's break this number down so we can get a better understanding of the situation. Again, what I, is a personal belief of mine, what our biggest threat to security is, it's not complacency, it's inefficiency, it's efficiency. So all right? The average organization takes 120 hours to detect an attack. When you think about it in terms of days, that's five days. That sounds like a heck of a long time, all right? It takes five hours to triage or rather to determine if we need to do something about what we've detected, all right? Six hours to investigate. After we decided to do something, now we kind of have to figure out the extent of the damage and what we need to do about it, right? And then it takes on average 31 hours, over another day, to contain it, right? There's our 162 hours. That seems pretty interesting, pretty regular, but that's kind of the norm. To me, that's a little bit scary. Knowing what I do know about Microsoft Sentinel, that's absolutely scary. Most security folks probably have heard of this 1-10-60 rule, all right? But if not, and for those that are listening in or watching that are not cyber folks, this is how this goes. Not long ago, this 1-10-60 rule was proposed as our goal. I think this was around 2012, something like this. It's been a while. Not originally a hard and fast rule that could be enacted immediately because we didn't have the technology to do that, but it was a goal, right? So we should be able to get to this point as soon as our tools and technologies improve enough to let us get there, or close enough at least to kind of show that we're making progress.
The idea is that the most cyber-prepared organization should aim to detect an intrusion in under a minute, perform a full investigation in under 10 minutes, and eradicate the adversary from the environment in an hour in order to effectively kind of combat whatever that cyber threat is. Understand it. Efficiency. Efficiency. Efficiency, you're getting it, right? Hence, this is our 1-10-60 rule, right? Based on what we just discussed, that 162 hours number, this is kind of a difference, quite a difference, wouldn't you say? Right? I mean, based on what we thought we knew, right? Doesn't that seem almost unobtainable? This one hour and 11 minutes, 71 minutes, right? It's tough. It is. Sort of pie in the sky thinking. It's like a Microsoft salesperson or marketing person coming into your organization and saying, ah, we can do all this stuff, right? What this tells me when you look at these comparisons and these differences, that our tools and processes are absolutely broken, and they haven't evolved like we thought they would, right? Tells me that the tools actually have created the problem. It tells me that our tools themselves have become the actual blockers to our security, right? Like the cure being worse than the actual disease itself, if you will. You're with me. That's awesome. All right, so if I take a step back and review operations from an analyst's perspective, put myself in that role, right? These, this list here are the things that absolutely must be done each day to fulfill and enhance security operations for an organization, right? You can go through the list. I'm not going to jump through all that. These are part of a standard SOC workflow. We talked about those four pillars of things that the tool must do. Okay, this is part of that. Part of the normal daily operations from triage to identifying those positives. However, let's jump back again. Consider again that 162 hours, right? If SOCs are focused only on their reactive, right?
This stuff either gets overlooked, forgotten or even worse, discontinued completely, right? This stuff is absolutely equally important. If you don't do this stuff, your reaction time that where your focus is, that stuff you're focusing on is dismal, right? I can't tell you the number of customers that I've worked with that have just literally stopped doing the necessary stuff because the number of alerts of potential issues have overrun their organization, overrun their teams. And the problem was the tool, right? The tool was bloated, used legacy architecture, was hard to maintain, hadn't evolved in years, and actually created bad habits for the team. Okay, these other tools, I don't like to reference them by name, our competitors, I just affectionately call them just not Microsoft, okay? Sure, sure, sure. Best way to put it, if your software hasn't evolved to help your customers manage security from a modern perspective, you're just not Microsoft Sentinel, okay? This list, which I'm going to demo here a little bit, can be done efficiently with Microsoft Sentinel, so the tool itself is not the barrier to security. All right? So my approach to discussion topics like this that we're discussing are always based on working with our customers. It's not something I make up, all right? Fortunately, I can make up all kinds of things. All right? So I believe a lot of knowledge working with a large number of customers and based on admittedly an OCD of mine, this whole efficiency thing, I want to solve their complaints, particularly when it comes to the topic of efficiency. Again, I talked earlier, I'm so enamored with Microsoft Sentinel, it never gets boring because there's so much going on here from an efficiency standpoint, it just literally, it feeds me, okay? These, this list, okay, are some of the complaints I've heard and captured from working with our customers, right? I've written these things down. How do you fix this? How do you do this with Microsoft Sentinel?
Many of you watching or listening in probably see this list and it's something that you're intimately familiar with. You've written this stuff down yourself. Why can't my tool do this, right? This list was developed based on the customer's knowledge of working with their, what their existing legacy SIEMs and security tools, right? Most generally those tools have been historically on-premises software and services. Those tools have created bad habits for security folks and a lot of times those security folks don't even know it, right? Sadly, and I've seen this a multitude of times. They actually start pointing fingers at each other and blaming each other for their security woes when, in fact, it was the tool. Those customers that I've worked with that have migrated to Microsoft Sentinel from whatever solution that they have, they were almost gobsmacked immediately because it's so easy to stand up, the efficiency that's built in, obviously at that point some start cursing their old vendor and saying, hey, it cost too much money, blah, blah, blah. But to the customer's credit, they literally had no idea what was going on until they tried something else, until they tried Microsoft Sentinel, okay? Obviously as we move to the cloud, Azure itself, the cloud helps customers realize additional efficiency, which is what Microsoft Sentinel is built on, but specifically for our discussion, I want to focus on these pain points, this list, okay, on how we can improve even those kind of mundane and manual processes still, all right? So the bottom line is that focus on the right things, the correct things for the security environment is being pulled away from our security folks because of these inefficient areas, because their tool is inefficient in these areas, all right? Okay, almost to the demo part, Microsoft Sentinel already provides some automated functionality.
A lot of customers, they start to get interested in Microsoft Sentinel, they're like, oh, it's got playbooks, it's got automation, this is great, but that's only, that's like kind of like the facing part of our automation. There's some other things for efficiency standpoint that happen in the back end, that customers can take advantage of. The most prominent, most glaring are the examples that I want to highlight as part of our remaining discussion, okay? But understanding, understandably, there's plenty more. I have delivered workshops every week for, I don't know, like a year, and all of those workshops were like four days before, right? So, that's built into this thing. Our time today is like an hour. So, in the time we have today, let's focus on these primary areas of Microsoft Sentinel that provide the most immediate and most glaring value for efficiency. And to be honest, I'm not going to focus on everything that's already existing, I'm going to focus on the newer areas, okay? Understanding that Microsoft Sentinel was released publicly again in September 2019, and since then has seen significant updates constantly, like any Azure service, there's new features and enhancements released at breakneck speed. If there's anything that you can blame Microsoft for, it's releasing features and updates too quickly, providing too much value, I guess. You'll see as I walk through these primary areas that Microsoft Sentinel works similarly to the tools that customers are probably already familiar with. However, each area has been given deliberate and intentional focus for improvements over those existing legacy tools. A lot of customers don't realize this, but at Microsoft, we actually use those same tools our customers have used ourselves, okay? Microsoft Sentinel exists today in part in the way Microsoft Sentinel is presented, just literally based on those gaps that we found in those same tools. So, a lot of it is and that leads me to a great question. 
Can Microsoft Sentinel integrate with other Microsoft security tools? Defender or something like that? That's actually a really good question, a really good story. Our Defender products, everybody, customers should be aware at this point that we've done some rebranding. At the beginning of this, there was a video about Azure Sentinel. There was a question about Azure Sentinel. However, it's now Microsoft Sentinel. We have rebranded all of our Defender type or security type products, right? So, it's now Microsoft Sentinel. Our Defender products have a Defender nomenclature along with whatever focus it is, like Defender for Endpoint, Defender 365, Defender for Office and all that good kind of stuff. Our first-party sources, tools, we have a really good story there because customers can stand up Microsoft Sentinel, enable the connection between that existing console, use Microsoft Sentinel as that centralized console for all security within the environment and it's free, right? Connecting those alerts from Defender for Endpoint, for Office 365, for what have you, those first-party services you connect to Microsoft Sentinel, for that ingestion, right? Anytime you move data from anywhere whether it's on-prem to cloud or cloud to cloud or other clouds to cloud, it's going to cost something, right? It's just a fact of life. So, this is huge from a cost standpoint. For those organizations who are still using those not Microsoft tools, it's costing them a lot of money. By just taking advantage of this opportunity, it's going to save them a lot of money. But, of course, it's not the full story. Microsoft, obviously, we do a very good job with our own services and our own products and things like that, right? We know how to centralize and consolidate all that stuff, but Microsoft Sentinel also works with other things, on-prem, any device, any service or application you have on-premises, any other cloud you can connect to. That answers the next question, though.
So, Microsoft Sentinel doesn't just work with Microsoft products and clouds. You can go across the spectrum of on-prem, private cloud, public cloud. Is that right? That's correct. That image that you showed right at the beginning about those four pillars, that top one was collect, right? We're collecting data. This type of tool, yep, there it is. This type of tool, if we're going to do anything and do it well within this space, Microsoft within this space, within the security or organization or industry, we have to provide that pillar. And as a customer, you don't want to choose a Microsoft security platform and just focus on Microsoft products. That's cool. It'd be awesome if every customer in the world only used Microsoft products. It's definitely not the case. Everybody uses what provides for their business, and we understand that. One of the primary reasons why we changed the name of Azure Sentinel to Microsoft Sentinel is because we're trying to shed that platform specific theory or idea that customers have. Microsoft Sentinel allows you to connect anything from anywhere. And if a customer can't do that, they're missing something, missing the view or that capability to look into those devices, services and applications that they have deployed in their organization. And if you're missing one thing, you have at least one security hole in your operations. Absolutely. Microsoft Sentinel is what I call a platform. It's almost like Space Lab. You have Space Lab and all those countries come up and connect to it. We all use that one Space Lab or at least we use two. I don't know if that's still the case. But Microsoft Sentinel is the same thing. Connect everything here, data flows into Microsoft Sentinel and then Microsoft Sentinel uses its intelligence to let you know if there are issues within your environment. Great, great. So we've got through some of our beginning questions and I think I've got one more for you before I'd like you to go into your demo.
Which is what can be automated in Microsoft Sentinel? That is an awesome question. I mentioned that a little bit earlier. Like I said, one of the things that customers think of when they first start looking at Microsoft Sentinel is this automation piece. A lot of their tools, some of them don't have automated capabilities. Being able to automate some kind of normal operations around security. Some of them have add-ons from other vendors. When you deal with a multitude of vendors there's that whole viability and tug of war between the different vendors. It's something wrong with this tool. They blame each other. Some have seen the value of this automation piece and have built it in over the past three, four, five years, something like that. So it's still kind of an add-on but it's integrated with the product. Some have done it through acquisition and what have you. From day one, Microsoft was using those other tools. That was one of the gaps that we identified. We knew that this type of tool needed to have automation built in for customers to use on day one. It's not an add-on. It's not something that you pay extra for. We have automation built into Microsoft Sentinel. Microsoft Sentinel is built on some existing successful services within Azure. We didn't have to recreate the entire wheel. We'll talk about this here shortly because it's built on some elastic data storage, utilizing the power of the cloud. The automation piece is built on our logic apps. Anybody that knows about logic apps. There's one thing that turns a logic app into a playbook, which is what we call our automation in Microsoft Sentinel. There's also some other automated capability that we have in there. Particularly for the automation, what we call automation rules, which hopefully as we get through the demo we'll talk about a little bit, but we'll see. Automation is absolutely built into this. Consider this. This is kind of key.
Anybody that's familiar with logic apps knows that we have I think over almost 400 different logic app connectors at this point. These are part of that service. That literally includes anything from Office to Cosmos DB to ServiceNow, which is not even a Microsoft thing. These connections, you can literally visualize it. If you can idealize it would be nice to be able to automate this. You can absolutely do it. We have customers that do this constantly. If you go out to our GitHub repository today, the Microsoft Sentinel GitHub repository, there's a number of playbooks you can take advantage of in the console itself. There's a playbook library. You can enable these things just kind of right off the bat. Understanding that you're attempting to create a new way that's going to save you time from an efficiency standpoint. You're able to do it also with a low code kind of tool. It's a visual designer for developing this automation. Which is absolutely cool. I'm not going to show that. You're not putting a ton of additional development time into another process. You're able to utilize this kind of point click and go WYSIWYG as we like to call them and put everything together and create this automation. Rod, I want to give you a second to get your demo up and while you're doing that, I want everybody to remember that we are running a poll today. We've got some nice response so far, but we'd love to get some more. If you can, head over to aka.ms/learnTV where you can go ahead and take a look at everything. Remember, there's the Microsoft Learn module on Sentinel that you can take and I ask you to do that, maybe, after the show. Because we've got a little bit more. We've got about 25 more minutes of talking about Sentinel and I think Rod is going to show us a little bit about it next. Rod, I'm going to bring up your screen. You're probably going to want to do the font size a bit. Let's do that. How's that? I think that's a little bit.
Yeah, I think that's perfect right there. All right, excellent. Yeah, I was going to say, don't go away yet, as anybody that has ever attended a Microsoft conference or session knows demos tend to blow up, so don't miss the fireworks, right? So stay on. Yeah, absolutely. I've had that done several times, and though it's embarrassing, it's endearing. We're just like you.

This is the Microsoft, well, this is the Azure portal. So we're going to start here. What I want to do, again, we're not going to deep dive into literally everything within Microsoft Sentinel; that would take days. I want to keep focused on what our topic is for today, and that is what's specifically architected and developed and engineered into Microsoft Sentinel to make it not those other things, right? To enhance the capability, so customers can use this right off the bat. They can use the capability right off the bat as soon as you stand it up and enable it. It just goes out and starts looking at your stuff and telling you what it found. So that's pretty awesome, right? When you think about it from the other tool perspective, the majority of those have specific architecture; they have specific requirements for servers and storage and things like this that have to be maintained by an operations person. And a lot of the time, unfortunately, some of the customers I worked with who have those shared responsibilities, not only do they have to detect and monitor security and investigate security issues within their environment, they also have to maintain that structure and that architecture and that whole organization of the tool, which is kind of sad. We're in 2022. Absolutely. You shouldn't have to rely on that stuff, right? Shouldn't have to do your own maintenance. So what I want to do, I have, this is my own personal demo environment. So I have my workspace set up already. I'm going to not start there. I'll probably jump into there in a minute.
But what I wanted to absolutely do while we're doing this is to just show you that with Microsoft Sentinel, efficiency literally starts right, just as soon as you stand it up. So I have this Log Analytics workspace that I have right here, and I'll talk through as this is working. I'm going to go ahead. This is how easy it is and how quickly it works to stand up Microsoft Sentinel. So it's going to take a little... check that out. There we go. With the other tools, you've got to stand up a server, you've got to do this. Even some of those tools have their own cloud resources, but you have to call the vendor and say, you know, here's my data requirements. I need this. I need this. Oh, I forgot. Okay, we need more data storage. It takes a long and drawn-out effort just to get it stood up. Microsoft Sentinel in this environment is stood up that quickly. There's some things, obviously, that we want to do after we get it stood up, and that really opens the door to talk about some other efficiencies that we have that are built into Microsoft Sentinel, going back to that image that you showed of those four pillars of things that we must absolutely do with this product: connecting that data. That has been, historically, for customers, one of those nightmare scenarios, right? Figuring out what the data is, where the log files are, how to get it to our tool for the tool to be able to react and enact on that data to show us what's going on in our environment. We have made it so absolutely easy, and I'm going to jump to one of those first parties, Microsoft 365 Defender. I want to jump to one of those first parties just to show you how easy it is in most cases to configure and stand up data for Microsoft Sentinel. So I've come into this, what we call a data connector. These data connectors are really just little buckets of efficiency, right?
Data connectors contain things like parsers for the data, so they know what the data looks like, they know how to act on the data, and they know how to look at the data and tell you what's in there. They also know how to connect to that data and keep that connection live until, you know, it fails. There's a number of other pieces of collateral that come with this to make it even more efficient for you. I want to show you here real quick how absolutely simple it is to connect this, right? So this is connected by default. This is Defender. I want to connect Defender for Office 365. I click that, which gives me email events, email URL info, the attachment info, so I can dig down into my email stuff, right? I click that checkbox, I click Apply changes, and guess what? I now have connected Office 365 Defender to my Microsoft Sentinel environment. It is absolutely just that easy. When you think about how you do that from a competitor's system: you have to access the API. You have to pull that data in, either on-prem or to someone else's cloud. You have to make sure the data is there. You have to make sure that it's parsing correctly, because that has to happen in that tool, right? You have to then enable rules that look at that data to tell you what's in there, right? So there's this whole long drawn-out thing, and if that connection fails, well, then you have to go and do that troubleshooting yourself. Microsoft Sentinel is intelligent enough, using some of the components that we have in here, to even tell you stuff like that, so I can see that data is flowing here very shortly. Look at that, data is already flowing from the email events and everything like this. You can see that right there, right?

Pretty sure. I have a question about the infrastructure aspect of using this.
So if I am running something to build my applications through CI/CD, is there a way to be able to take build logs, like for GitHub Actions or for Azure Pipelines, and be able to import those build logs in here so that we can actually audit what's going on there, the versions of, say, npm modules, things like that?

So understand, too, that these things you see here, I call these data connectors. We have a lot, we have a lot of data connectors. These were developed to make it as absolutely easy for our customers to connect their stuff. There's something for BlackBerry, there's the Cisco stuff. It's pretty much just click, click, click. If you have something that there's not a data connector for, Microsoft Sentinel absolutely supports all of the industry standards, from Common Event Format, syslog, whatever it takes to get the data here. So however your data needs to function, however it needs to be sent to this Log Analytics workspace, it's absolutely easy to do it. And if more customers are doing that, whatever that thing is, most likely you're going to find the data connector released for that, right? So anything from anywhere.

One of the things, and you brought this up, that kind of reminded me, I wanted to kind of discuss this as well. I mentioned this earlier that Microsoft Sentinel is built on some existing services. One of those is our Log Analytics service, or Log Analytics workspace. This is our little data bucket where the data flows into, right? For those customers that aren't using Microsoft Sentinel, still using some of those legacy tools, you have to maintain your storage. If you get a thousand switches in, right, brand new switches, that you have to swap out your switches, or maybe you're adding them over the weekend and you've deployed those, guess what? Every switch introduces one new log, right? So now you have thousands of new logs that need to go somewhere. If you're still using those old tools, you have to determine what your data requirements are. You have to build it up. If your provider
has a cloud of their own, you have to call the provider up and say, okay, we need to negotiate this contract, I need more data space, right? Okay. Microsoft Sentinel is built on Log Analytics workspaces. It's an elastic data bucket, in that we send as little or as much to this Log Analytics workspace as I want. I don't have to call anybody up and say, guess what, I've got more data, right? It just takes as little or as much as I want to send to it, which is absolutely fantastic. Again, you don't have to maintain that infrastructure. That infrastructure is maintained for you.

Okay, right. Sounds good.

Yeah. The next thing that you do, and another area of efficiency that I want to kind of highlight, this is kind of the next step in standing up Microsoft Sentinel. I don't have any enabled here. We can go to our rule templates. I keep talking about rules, right? These rules that go out and look at the data in specific ways to tell you certain things. Really neat about our rules: we have a multitude of different types of rules that you can enable. We have one that's a scheduled rule that you can configure and modify to go out and look at your data on a very specific schedule. You want to look at data in the last 24 hours and look at it every 24 hours? Maybe it's one of those situations where it's more critical to your environment; you can adjust that so that you get notified on it more frequently, right? Completely customizable. We also have a newer type of analytics called NRT, or near-real-time. So this analytics rule, when you enable one of these, it literally runs every single minute looking for that thing that you want it to go look for. If you feel like there's an account that's compromised within your environment, I mean, you've done the due diligence, looked through the data, you're like, oh my goodness, this person's tried to log in 100 times in the last 10 minutes unsuccessfully, you can set up a near-real-time rule to say, yep, you're absolutely correct, you need to block this user or lock this account out
because it's potentially compromised, right? Cool stuff.

And is that where playbooks kind of come into place? Like, here, where, you know, we've got other ways to have these, like, you know, remediations automated, right, through...

Absolutely. And I was going to, let's see, let's do this. I'll show you one of these scheduled rules. Let's go and show you exactly what you're talking about there. It's really easy to create a rule. Everything is wizard-based, right? So you don't have to memorize things. It's wizard-based, based on the MITRE ATT&CK tactics. If I go up here, there's a lot of things that I can configure here, but one of the really cool things about this is automated response. This one is O365 attack toolkit. Let's pretend this is something else. Let's pretend this is maybe password spray or something like that; it's an account that's compromised. If this analytics rule goes out and finds that criteria that we're looking for, that an account we believe has been compromised because someone's attempted to use a wrong password 100 times for an account, we know that that's something that we want to provide some automation against, so that this one account doesn't compromise the rest of our environment. I can add that automation here. If it meets this criteria, we're just going to automatically lock this user account out. And from an analyst perspective, I don't care if it's the CEO, I don't care who it is in our environment; if this looks like this account's been compromised, I'm going to lock that account out. I'm going to send myself a notification, which we can do through the automation as well, and then I'm going to do the due diligence to make sure I didn't lock out the wrong person or I didn't do something silly. But at that point, I know for sure that my environment has been protected, that a compromised account, potentially compromised account, won't reach the rest of my environment. That's where some of that automation comes in. You can add automation to literally anything that exists
in here. One of the other things I want to kind of focus on, and then we'll jump into something else, is this Fusion analytics rule. This is absolutely cool. So Fusion, it's one rule, but somebody told me last night how many it is: over a hundred different types of detections in it. It's a consolidated thing in our machine learning, our behavior analytics at Microsoft. Customers that use our services, anytime they use our services, there are signals that are produced: when they go to a bad website, when they open up an attachment, when they, all those things that users do that they probably shouldn't do, those are captured as signals at Microsoft. We take those things, we take that intelligence, and we feed them back into our systems, into our security consoles, whatever it has to be, Defender, Microsoft Sentinel, so customers can always feel comfortable and confident that what they're using from our security products is always the most up-to-date threat intelligence. So this Fusion and this ML behavior analytics that's built into Microsoft Sentinel is another efficiency piece. It's constantly, we're feeding this into the product, and it's automatically looking at things that you may not even have thought of. It's looking at things that probably were brand new over the past 24 hours, something that you didn't even know to detect. So it looks for specific anomalies and things like that. So that's actually pretty cool. You don't have to, you don't adjust those; it just automatically does that for you.

One thing I do want to mention, and I think this is a huge thing, particularly for those customers I worked with that use those other products: one of the biggest barriers for those products is the performance of their query language, right? So these tools, all these tools, they seem to all have their own query language, and unfortunately Microsoft Sentinel is no different. We have our own query language, but it is a query language that works across all of Azure, anything data-centric, whether it's Microsoft Sentinel, Azure Activity, Intune,
Defender for Endpoint, Endpoint Manager, everything utilizes KQL. Microsoft Sentinel is the same way. KQL is absolutely a fantastic query language, in the fact that it utilizes the power of the cloud, the compute resources, the clustering. When I look at massive amounts of data and I look for something very specific within my environment, I think there's a potential security issue; when I look for that thing, those results, particularly from a security perspective, should come back instantaneous, right? So we built this query language based on the power of the cloud to be able to perform that, and perform it as it should. I've worked with a number of customers using those other tools. They were interested in Microsoft Sentinel. I've run, took their data from on-prem, stuck it in Microsoft Sentinel. They ran their query language against their database; I ran my query from KQL against their data within Microsoft Sentinel. Mine came back within eight seconds or less there, and I've had, go ahead, there's some of them had SLAs for their organization where if they made a request for data, they couldn't expect it back within three days.

And I wanted everybody to know that there is a great GitHub repository that Rod has put together that I've got here on the screen, Must Learn KQL. Looks like it's based on a book, and there's all sorts of stuff. So it looks like you've got some examples on different queries that you can run, like here, an account table query that you can have for security events.

Yeah, so I should mention, so I was, probably like November, I love KQL, right? If I have downtime, I probably have my laptop in my lap, I'm watching a Six Million Dollar Man, old Six Million Dollar Man episode, I'm probably typing out KQL queries, because I just love it that much. And you can see the Six Million Dollar Man stuff behind me. It's just, we had a discussion internally, I didn't realize it, and it shocked me that KQL is a barrier for some of our customers using our products. It's so simple, it's so easy, it's so
powerful. I want everybody to use KQL, to test some knowledge. So I kind of started that last year, around November sometime, and that thing has just exploded. People are like, oh, I love it. So those examples that you see there, the book is actually kind of interesting in that I have a demo tenant that anyone can log into, and those examples, they can actually type this stuff out and look at the results themselves. The book is actually defined that way, where you take that query, typing out that query, and look at the results, and showing why we do these things, and it's done in a methodical way. It starts from absolutely the very beginning of KQL, why KQL is called Kusto Query Language, all the way to, and it's a continuing series. We're up to like chapter 11, and I expect it to go for a couple of years, to be honest. So really, really cool.

So we've got a little less than five minutes left, and I was curious, is there anything you want to show us before we start wrapping up?

A couple of things I think I want to highlight from an efficiency standpoint. Like I said, I could literally, and you probably see it already, I could talk like two weeks on this stuff. There's a couple new things that I think are extremely important. These exist because customers requested them. Customers have come from the other tools, they saw their own gaps, they said, hey, Microsoft Sentinel needs to be able to do this for us. All right, so one of those, we have what's called a content hub. So when you deploy, you saw me go through and enable a data connector, you saw me go through and look at the analytics rules; I could enable those from there. There's some other things that I could do kind of on a manual perspective. Content hub gives you the ability to find whatever it is right here. Here's a good one: who's been working with Log4j over the past, you know... Yeah, yeah, yeah. So we have this. You just literally go in here. This includes, I think it includes the analytics rules, a workbook, some hunting queries, and a lot of collateral that
comes with this. One-click install for everything, and your organization is now monitoring for that Log4j stuff, right? Pretty cool. Content hub is absolutely cool. And in relation to that, it's almost like the merch store for Microsoft Sentinel, and everything's free, though. A lot of our partners, as part of our Microsoft security partnership, they create solutions that go into this content hub, right? So if you want to connect, let's say, Symantec stuff, I'm sure there's probably a Symantec thing in here, right, that they supply. Who knows better how to connect that data and look at that data than the original vendor? They create these little marketplace things that you can enable within Microsoft Sentinel.

Another thing that I want to highlight in the short time that we have, I think is absolutely important to understand how we've reacted and how we've engineered this for our customers who have asked. A lot of customers deploy a standard, you know, DevOps pipeline. They will not deploy anything unless it's... and that's absolutely, that's cool. I am so happy that our customers are doing that. That's awesome. It's another piece of automation and efficiency that they're doing on their own. We have this new repositories component that's in preview within every Microsoft Sentinel console, and what this does, it does that, so you can send your Microsoft Sentinel analytics rules, even the custom ones, everything, to a GitHub repository or an Azure DevOps repository, and then go to the next installation and import it. So you have, you know, you deploy this using that DevOps pipeline, or maybe you can update your existing infrastructure here if you want to do it that way. Customers have asked for that for like a year. Yeah. And we've released that. We took the time, and I think we've done it right. So very cool.

So Rod, we're just about at the end of it, and I wanted to kind of wrap up, and before I kind of say goodbye and all that stuff, I just wanted to remind people of a few things. One, we had a poll
today, and 70% of you who took the poll said yeah, you are using a security and event management service within your IT solutions, and I think that that's super important. And then, if you take a look on the right rail here, we've got all the notes for today. You could also check these in the YouTube video that you can look at. There's lots of great information that you can get to. To close up, Rod, I just wanted to say thank you so much for being part of this today, helping us understand a little bit more about how we can create efficiency within our security operations center and how we can utilize these tools to bring it all together in a single pane of glass.

Awesome, and thank you for having me. I love talking about this stuff. I assume I'm the first guest of the new year, so I set the bar low for everybody else.

Wonderful. So Rod, thank you so much for being part of this. To everybody watching and who were in the actual comments and chats today, thank you. You all were really, really active. I got a lot of interesting information coming in. DarkEyesGrow says that it was a great presentation and says thank you to everyone who watched today. I can't do this without you watching, so thank you so much, and we'll catch you next time here on Azure FunBytes. Rod, let's give everybody the big wave goodbye. Take care, everybody. Have a great rest of your day, and have a great weekend. Bye-bye now.