From the course: Microsoft Security Essentials: Concepts, Solutions, and AI-Powered Protection
SIEM and SOAR with Microsoft Sentinel - Microsoft Security Copilot Tutorial
- Microsoft Sentinel is a cloud-native SIEM and SOAR solution. First, let's talk about what SIEM and SOAR mean. SIEM stands for security information and event management. SOAR stands for security orchestration, automation, and response. These are two popular technologies used in modern security operations.

Here's the general workflow of SIEM. First, it connects with all kinds of data sources, such as identity and access management systems, endpoint devices, applications, and security controls. Then SIEM collects logs and metrics from these data sources. Next, the aggregated data is processed through data analytics. If any cyber threats are detected, alerts are raised and sent to the incident management process.

SOAR focuses on the incident response process. It empowers you to achieve your security objectives through orchestration, which integrates various solutions and tools to perform security tasks; automation, which replaces repetitive and time-consuming manual tasks with automated workflows; and response, which streamlines the incident response process, including triage, investigation, and remediation.

In summary, SIEM helps us collect data, analyze security information and events, detect threats, and generate incidents. SOAR helps us respond to incidents and automate workflows. As you can see, SOAR naturally extends the capabilities of SIEM.

Microsoft Sentinel is a cloud-native solution that provides both SIEM and SOAR functions. It supports the entire security operations lifecycle, including collecting security data across your enterprise environments, detecting cyber threats, investigating security incidents, and responding to incidents rapidly with orchestration and automation of security tasks. Let's take a quick tour of Microsoft Sentinel. On the Overview page, we can see the dashboard for incident information, data collection information, and analytics rules.
Under Threat Management, you can manage incidents, create workbooks, hunt threats, analyze threat intelligence, and leverage the MITRE ATT&CK framework. Under Content Management, you can explore the Content Hub. You can find pre-configured solutions, connectors, workbooks, analytics rules, playbooks, and hunting queries. Under Configuration, you can manage data connectors, create analytics rules, and set up automation rules and playbooks.
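To make the SIEM-to-SOAR workflow described in the lecture concrete, here is an added example that is not part of the course or of Microsoft Sentinel itself. It models the pipeline in plain Python: two data sources (an identity provider and an endpoint agent) are connected and their logs aggregated into one schema (SIEM collection), an analytics rule detects repeated sign-in failures followed by a success and raises an incident (SIEM detection), and a playbook enriches the incident with endpoint context and records containment steps (SOAR orchestration, automation, and response). All events, thresholds, and action names are constructed for illustration; the `Incident` class, `rule_bruteforce_success`, and `playbook_compromised_account` are hypothetical names, not Sentinel APIs.

```python
"""Toy SIEM -> SOAR pipeline: collect, detect, orchestrate/automate/respond.

Added example for the lecture above; not Microsoft Sentinel code. All log
events below are constructed sample data, and the rule, playbook and action
names are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# --- Constructed sample telemetry from two data sources ---------------------
IDP_EVENTS = [  # identity provider sign-in log (constructed)
    {"ts": 100, "user": "alice", "ip": "203.0.113.7", "result": "failure"},
    {"ts": 101, "user": "alice", "ip": "203.0.113.7", "result": "failure"},
    {"ts": 102, "user": "alice", "ip": "203.0.113.7", "result": "failure"},
    {"ts": 103, "user": "alice", "ip": "203.0.113.7", "result": "success"},
    {"ts": 110, "user": "bob",   "ip": "198.51.100.9", "result": "failure"},
    {"ts": 111, "user": "bob",   "ip": "198.51.100.9", "result": "success"},
]
ENDPOINT_EVENTS = [  # endpoint agent process log (constructed)
    {"ts": 104, "host": "ws-17", "user": "alice", "image": "powershell.exe"},
    {"ts": 120, "host": "ws-22", "user": "bob",   "image": "outlook.exe"},
]


@dataclass
class Incident:
    """What the SIEM hands to incident management after a rule fires."""
    title: str
    severity: str
    entities: dict
    evidence: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def collect(idp_events, endpoint_events):
    """SIEM collection: connect both sources, normalize to one schema, sort by time."""
    events = []
    for e in idp_events:
        events.append({"ts": e["ts"], "source": "identity", "user": e["user"],
                       "ip": e["ip"], "outcome": e["result"]})
    for e in endpoint_events:
        events.append({"ts": e["ts"], "source": "endpoint", "user": e["user"],
                       "host": e["host"], "image": e["image"]})
    return sorted(events, key=lambda e: e["ts"])


def rule_bruteforce_success(events, threshold=3, window=60):
    """SIEM analytics rule (hypothetical): raise an incident when a user has
    `threshold` or more sign-in failures from one IP and then a success from
    that same IP within `window` seconds."""
    incidents = []
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    for e in events:
        if e["source"] != "identity":
            continue
        key = (e["user"], e["ip"])
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
        elif e["outcome"] == "success":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                incidents.append(Incident(
                    title="Successful sign-in after repeated failures",
                    severity="High",
                    entities={"user": e["user"], "ip": e["ip"]},
                    evidence=[f"{len(recent)} failures then success at ts={e['ts']}"],
                ))
            failures[key].clear()  # a success ends the current failure run
    return incidents


def playbook_compromised_account(incident, events):
    """SOAR playbook (hypothetical): orchestration pulls endpoint context for the
    user, automation records the containment steps an analyst would otherwise
    perform by hand, and the response is a triaged incident with a note."""
    user = incident.entities["user"]
    # Orchestration: correlate with the endpoint source the SIEM already collected.
    hosts = sorted({e["host"] for e in events
                    if e["source"] == "endpoint" and e["user"] == user})
    incident.evidence.append(f"user active on hosts: {hosts}")
    # Automation: scripted containment actions (names are constructed).
    incident.actions.append(f"revoke_sessions:{user}")
    incident.actions.append(f"require_credential_reset:{user}")
    for host in hosts:
        incident.actions.append(f"isolate_host:{host}")
    # Response: hand the triaged incident to an analyst.
    incident.actions.append("notify_analyst:tier1")
    return incident


def run_pipeline(idp_events=IDP_EVENTS, endpoint_events=ENDPOINT_EVENTS):
    """Full flow: collect -> detect -> respond. Returns the handled incidents."""
    events = collect(idp_events, endpoint_events)
    incidents = rule_bruteforce_success(events)
    return [playbook_compromised_account(i, events) for i in incidents]


if __name__ == "__main__":
    for inc in run_pipeline():
        print(inc.severity, inc.title, inc.entities, inc.evidence, inc.actions)
```

Running it flags `alice` (three failures, then a success from the same address within the window) and leaves `bob` alone (one failure is below the threshold), which mirrors the lecture's point that the SIEM produces the incident and the SOAR layer does the enrichment and response work around it.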