Microsoft Security

In-Depth Sentinel Part 1: What is it and Why use it?

Microsoft Sentinel is Microsoft's cloud-native SIEM and SOAR platform. As organizations continue moving deeper into cloud services, it makes sense that security operations and event management increasingly need cloud-native tooling as well.

Sentinel is Microsoft's answer to that need, with support for ingesting signals from Microsoft 365, Azure, AWS, GCP, and on-premises systems into a single security operations platform.

Microsoft Sentinel and Zero Trust

In the last few years, the term "Zero Trust" has been used both to describe a real security strategy and as a buzzword for selling more products. Depending on how you first encountered it, your understanding of the term can vary wildly.

This article is focused on two simple goals:

  1. Define what zero trust means and why it matters.
  2. Show how Microsoft Sentinel can support a zero trust strategy.

Introduction to Microsoft Sentinel's User and Entity Behavior Analytics

As SOC analysts work to defend their environments, one of the hardest problems is understanding what normal actually looks like. Baselines are difficult in distributed organizations with remote work, varied privilege, and a wide mix of systems and workflows.

Microsoft Sentinel's User and Entity Behavior Analytics, or UEBA, is designed to help with that problem by correlating logs and alerts from multiple sources and building behavioral baselines around entities in the environment.