This course looks at how to monitor Microsoft 365 security with Azure Sentinel. We'll start by looking at what Azure Sentinel is and at what it offers, as well as how to onboard Azure Sentinel. We’ll then take a look at the process required for connecting Azure Sentinel to Microsoft 365 and you'll watch a live demo showing you how to do this.
After covering the onboarding of Azure Sentinel and the connection of Sentinel to Microsoft 365, we’ll look at how you can visualize data using Azure Sentinel, before wrapping things up by covering workbooks.
Learning Objectives
By the time you finish this course, you should have an understanding of how to onboard Azure Sentinel and how to connect it to Microsoft 365 and Office 365.
Intended Audience
This course is intended for anyone who wishes to learn what Azure Sentinel is and how to use it to monitor Microsoft 365.
Prerequisites
To get the most out of this course, you should have a basic understanding of Microsoft 365.
Hello and welcome to intro to Azure Sentinel. Before we get into the meat of monitoring Microsoft 365 with Azure Sentinel, it makes sense to just touch on what Azure Sentinel is and what it offers.
Microsoft Azure Sentinel is a cloud-native security information and event management system, or SIEM. It is also a security orchestration, automation and response solution, or SOAR. Essentially, what this means is that Azure Sentinel can be used to collect and view security analytics data and threat intelligence data across your entire enterprise.
It allows you to detect previously undetected threats using Microsoft’s analytics and threat intelligence, and it allows you to investigate critical incidents using artificial intelligence. You can also use it to hunt down suspicious activities. And lastly, you can use Azure Sentinel to respond rapidly to incidents and you can automate protection of your environment.
Essentially, what Azure Sentinel offers is the ability to improve your threat detection and investigation capabilities through the use of artificial intelligence.
To implement Azure Sentinel, you first onboard it by connecting it to your security sources. This is done via numerous connectors that are available right out of the box. Once you’ve connected your data sources to Azure Sentinel, you can monitor that data using the integration with Azure Monitor workbooks that Azure Sentinel offers.
Azure Sentinel then uses analytics to correlate alerts into incidents. Incidents are groups of related alerts that, when taken together, form an actionable possible threat that you can investigate and resolve. By correlating alerts into incidents, Azure Sentinel reduces the amount of noise that you have to sift through in order to review and investigate real alerts.
Azure Sentinel is built on the foundation of Azure Logic Apps. Because of this, Azure Sentinel offers automation and orchestration features that allow you to automate common tasks and to simplify security orchestration with playbooks, which you build with Azure Logic Apps. There are over 200 connectors that you can use to integrate with various services. For example, there are connectors that allow you to integrate with ServiceNow, Zendesk, Slack, Cloud App Security, and many other applications.
For example, if you use Zendesk as your ticketing system, you can use the tools that Azure Logic Apps offers to automate workflows and to automatically open a ticket in Zendesk any time a specific event is detected.
Azure Sentinel also offers deep investigation tools that allow you to better understand the scope and root cause of specific security threats. Its hunting tools, or search and query tools, allow you to proactively hunt for security threats across all of your organization's data sources before an actual alert even gets triggered. This hunting capability allows you to get ahead of many security threats.
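As an added illustration of the hunting capability described above (this is not a query from the course or from Microsoft), here is a KQL hunting query of the kind you would run in the Azure Sentinel hunting blade once the Office 365 connector is feeding the OfficeActivity table. It assumes the standard OfficeActivity columns (TimeGenerated, UserId, ClientIP, Operation, OfficeWorkload); the threshold of five distinct client IPs is an assumed starting point to tune for your environment.

```kql
// Hunt: accounts performing Office 365 activity from an unusual number of
// distinct client IPs within the last 24 hours. A spread of source addresses
// for one user is a common signal worth investigating before any alert fires.
let lookback = 24h;
let ip_threshold = 5;   // assumed value; tune to your environment
OfficeActivity
| where TimeGenerated > ago(lookback)
| where isnotempty(ClientIP) and isnotempty(UserId)
| summarize
    DistinctIPs   = dcount(ClientIP),
    IPs           = make_set(ClientIP, 20),
    Workloads     = make_set(OfficeWorkload),
    Operations    = make_set(Operation, 20),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by UserId
| where DistinctIPs >= ip_threshold
| order by DistinctIPs desc
```

Results are a starting point for investigation, not a verdict: VPN users and shared accounts will surface here, so the next step is to pivot on the listed operations and workloads for each user rather than act on the count alone.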
There is even an Azure Sentinel community that you can leverage. You can use the community to improve your threat detection and automation. This is made possible because Microsoft security analysts regularly create new workbooks, playbooks, and hunting queries and they post them to the community. You can then use these resources in your own environment.
So, to sum up, Azure Sentinel in a nutshell: it allows you to collect security data, detect threats using threat intelligence, investigate critical incidents using artificial intelligence, and respond to those threats.
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.