Microsoft Sentinel Microsoft Sentinel
Level-500-Referenz für Architektur, Connectoren, Analytics, Hunting, SOAR, Multi-Tenant-Betrieb und Kostensteuerung in Microsoft Sentinel. Level-500 reference for architecture, connectors, analytics, hunting, SOAR, multi-tenant operations, and cost control in Microsoft Sentinel.
SIEM + SOAR
SIEM + SOAR
Sentinel verbindet Log Analytics, KQL, UEBA, Playbooks und Incident-Management in einer Cloud-nativen SOC-Plattform. Sentinel combines Log Analytics, KQL, UEBA, playbooks, and incident management in a cloud-native SOC platform.
100+ Connectoren
100+ Connectors
Der produktive Mehrwert entsteht durch breite Telemetrie: Microsoft 365, Entra ID, Defender, Azure, Syslog, CEF, AWS, GCP und REST-basierte Quellen. Operational value comes from broad telemetry: Microsoft 365, Entra ID, Defender, Azure, Syslog, CEF, AWS, GCP, and REST-based sources.
KQL & Hunting
KQL & Hunting
Scheduled Rules, Near-Real-Time Detection und Proactive Hunting greifen auf dieselben Tabellen, Parser und Content-Hub-Lösungen zu. Scheduled rules, near-real-time detection, and proactive hunting rely on the same tables, parsers, and Content Hub solutions.
Skalierung
Scale
Commitment Tiers, Basic/Auxiliary Logs, Datenaufbewahrung, ADX-Offload und Data Collection Rules bestimmen Architektur und Kostenprofil. Commitment tiers, basic/auxiliary logs, retention, ADX offload, and data collection rules shape architecture and cost profile.
💡 Portal-Strategie
💡 Portal strategy
Microsoft migriert Microsoft Sentinel bis 2027 vollständig in das Defender-Portal. Plane Inhalte, RBAC, Automationsregeln und Analysten-Workflows bereits heute für den Unified-SecOps-Betrieb. Microsoft is moving Microsoft Sentinel fully into the Defender portal by 2027. Plan content, RBAC, automation rules, and analyst workflows today for unified SecOps operations.
Architektur und Datenpfad Architecture and data path
Microsoft Sentinel baut auf Azure Monitor und einem Log-Analytics-Workspace auf. Eingehende Daten werden über native Connectoren, Azure Monitor Agent, Event Hub, REST-Workflows, CEF/Syslog oder benutzerdefinierte Ingestion APIs normalisiert und landen in Tabellen, die anschließend von Rules, Workbooks, UEBA, TI-Matching und Hunting verwendet werden. Microsoft Sentinel is built on Azure Monitor and a Log Analytics workspace. Incoming data is normalized through native connectors, Azure Monitor Agent, Event Hub, REST workflows, CEF/Syslog, or custom ingestion APIs and lands in tables that are then used by rules, workbooks, UEBA, TI matching, and hunting.
Architekturentscheidungen auf Level 500 betreffen vor allem Workspace-Topologie, DCR-Filterung, Hot-/Cold-Tier, Content-Isolation, Parser-Strategien, Multi-Tenant-Governance und die Frage, welche Daten dauerhaft im Workspace verbleiben und welche nach ADX oder Data Lake ausgelagert werden. Level 500 architecture decisions mainly concern workspace topology, DCR filtering, hot/cold tiering, content isolation, parser strategy, multi-tenant governance, and which data remains in the workspace versus being offloaded to ADX or a data lake.
| Baustein Component | Zweck Purpose | Tiefenhinweis Deep-dive note |
|---|---|---|
| Log Analytics Workspace Log Analytics Workspace | Primärer Speicher- und Query-Layer Primary storage and query layer | Tabellen wie SigninLogs, SecurityAlert, DeviceProcessEvents oder CommonSecurityLog bilden die Basis für Detection Engineering und Hunting. Tables such as SigninLogs, SecurityAlert, DeviceProcessEvents, or CommonSecurityLog form the basis for detection engineering and hunting. |
| Azure Monitor Agent + DCR Azure Monitor Agent + DCR | Sammlung und Vorfilterung Collection and pre-filtering | DCRs steuern, welche Windows Events, Syslog Facilities und Custom Logs tatsächlich ingestiert werden und verhindern unnötige Kosten. DCRs control which Windows events, Syslog facilities, and custom logs are ingested, preventing unnecessary cost. |
| Content Hub Content Hub | Bereitstellung von Lösungen Solution deployment | Connectoren, Workbooks, Rules, Parser, Playbooks und ARM-Inhalte werden als installierbare Lösungen versioniert ausgeliefert. Connectors, workbooks, rules, parsers, playbooks, and ARM content are delivered as versioned installable solutions. |
| Analytics Engine Analytics Engine | Detektion und Incident-Erzeugung Detection and incident generation | Scheduled, NRT, Anomaly, Fusion und Microsoft-Security-Detections greifen auf dieselben Datenmodelle zu, unterscheiden sich aber in Latenz und Betriebsmodell. Scheduled, NRT, anomaly, Fusion, and Microsoft-security detections use the same data models but differ in latency and operating model. |
| Automation Rules + Playbooks Automation Rules + Playbooks | SOAR-Orchestrierung SOAR orchestration | Automation Rules entscheiden, wann Logic Apps ausgelöst werden, Tags gesetzt werden, Incidents geschlossen werden oder Triage-Schritte automatisch laufen. Automation rules determine when Logic Apps run, tags are set, incidents are closed, or triage steps execute automatically. |
| UEBA / BehaviorAnalytics UEBA / BehaviorAnalytics | Verhaltensanalyse Behavior analytics | UEBA reichert Identitäten und Entitäten mit InvestigationPriority, Peer Groups und Rare-Behavior-Signalen an. UEBA enriches identities and entities with InvestigationPriority, peer groups, and rare-behavior signals. |
| Threat Intelligence Threat Intelligence | IOC-Matching IOC matching | TI-Indicator-Feeds, TAXII und manuelle Feeds werden gegen Netzwerk-, Endpoint- und Mail-Telemetrie korreliert. TI indicator feeds, TAXII, and manual feeds are correlated against network, endpoint, and email telemetry. |
| Azure Data Explorer Azure Data Explorer | Langzeit- oder High-Volume-Analysen Long-term or high-volume analytics | ADX eignet sich für sehr große Datenmengen, Historisierung jenseits der interaktiven Retention und explorative Data-Science-Workloads. ADX is suitable for very large volumes, history beyond interactive retention, and exploratory data-science workloads. |
Ingestion, Hot/Cold-Tier und Multi-Workspace Ingestion, hot/cold tiers, and multi-workspace
| Thema Topic | Design-Entscheidung Design decision | Praktischer Hinweis Operational note |
|---|---|---|
| Hot Data Hot data | Interaktive Retention im Workspace Interactive retention in the workspace | Für aktive SOC-Daten mit häufigen KQL-Abfragen, Entity Correlation und Incident-Lebenszyklus geeignet. Suitable for active SOC data with frequent KQL queries, entity correlation, and the incident lifecycle. |
| Archive / Cold Archive / cold | Günstigere Langzeitaufbewahrung Lower-cost long-term retention | Archivdaten sind günstiger, aber Rehydration oder Search Jobs erhöhen Latenz und verändern Analysten-Workflows. Archive data is cheaper, but rehydration or search jobs add latency and change analyst workflows. |
| Basic / Auxiliary Logs Basic / auxiliary logs | Kostenoptimierte Telemetrie Cost-optimized telemetry | Für Massenlogs ohne permanenten Analytics-Bedarf nutzen, zum Beispiel verbose Infrastruktur- oder Web-Access-Logs. Use for high-volume logs without a constant analytics need, such as verbose infrastructure or web access logs. |
| Multi-Workspace Multi-workspace | Trennung nach Region, Mandant oder Compliance Split by region, tenant, or compliance | Cross-workspace Queries funktionieren, dennoch steigen Governance-Aufwand, Watchlist-Verteilung und Content-Pflege. Cross-workspace queries work, yet governance effort, watchlist distribution, and content maintenance increase. |
| Dedicated Cluster Dedicated cluster | Hochvolumen-Workspaces High-volume workspaces | Bei großen Umgebungen kann ein dedizierter Cluster Performance, Isolation und Kostensteuerung verbessern. In large environments, a dedicated cluster can improve performance, isolation, and cost control. |
| ADX Offload ADX offload | Historie, Telemetrie-Lake, Advanced Analytics History, telemetry lake, advanced analytics | Nutze ADX für Long Tail Hunting, ML-Experimente oder Multi-Year-Telemetrie außerhalb interaktiver Sentinel-Nutzung. Use ADX for long-tail hunting, ML experiments, or multi-year telemetry outside interactive Sentinel use. |
| DCR Filtering DCR filtering | Noise vor dem Ingest reduzieren Reduce noise before ingest | Filtere irrelevante Event IDs, Facilities, Hosts oder Felder vor der Abrechnung statt später per KQL. Filter irrelevant event IDs, facilities, hosts, or fields before billing instead of dropping them later with KQL. |
- Platziere hochkritische Datenquellen möglichst im gleichen Workspace wie die primären Analytics Rules, damit Join-Operationen, UEBA und Entity-Mapping konsistent bleiben. Place highly critical sources in the same workspace as primary analytics rules so join operations, UEBA, and entity mapping stay consistent.
- Behandle Parser, Functions und ASIM-Normalisierung als Architekturkomponente; uneinheitliche Feldnamen zerstören Wiederverwendbarkeit von Regeln. Treat parsers, functions, and ASIM normalization as architecture components; inconsistent field names destroy rule reuse.
- Plane Multi-Region-Datenhaltung gemeinsam mit Compliance, da Data Residency, Sovereign Clouds und MSSP-Modelle unterschiedliche Workspaces erzwingen können. Plan multi-region data placement with compliance because data residency, sovereign clouds, and MSSP models can require separate workspaces.
- Dokumentiere, welche Daten für Live-Erkennung nötig sind und welche nur für Forensik, Reporting oder regulatorische Langzeitaufbewahrung gesammelt werden. Document which data is needed for live detection and which is collected only for forensics, reporting, or regulatory retention.
Connector-Katalog nach Typ Connector catalog by type
Die folgende Referenz deckt mehr als 100 gängige Sentinel-Connectoren und Connector-Typen ab. In der Praxis werden viele Lösungen heute über den Content Hub installiert und kombinieren Connector, Parser, Workbook und Rules in einem Paket. The following reference covers more than 100 common Sentinel connectors and connector types. In practice, many solutions are now installed through Content Hub and package connectors, parsers, workbooks, and rules together.
Microsoft 365, Entra ID und Defender Microsoft 365, Entra ID, and Defender
| Connector Connector | Typische Tabelle / Ziel Typical table / target | Primärer Nutzen Primary value |
|---|---|---|
| Entra ID Sign-in Logs Entra ID Sign-in Logs | SigninLogs / NonInteractiveUserSignInLogs SigninLogs / NonInteractiveUserSignInLogs | Authentifizierung, IPs, CA, MFA und Risiko-Kontext für Identity Detections. Authentication, IPs, CA, MFA, and risk context for identity detections. |
| Entra ID Audit Logs Entra ID Audit Logs | AuditLogs AuditLogs | Administrative Änderungen, App-Consent, Rollenänderungen und Provisioning-Aktionen. Administrative changes, app consent, role changes, and provisioning actions. |
| Entra ID Provisioning Logs Entra ID Provisioning Logs | AADProvisioningLogs AADProvisioningLogs | SCIM- und Synchronisationsfehler, die oft Indikatoren für Missbrauch oder Betriebsfehler sind. SCIM and sync failures that often signal misuse or operational issues. |
| Entra ID Identity Protection Entra ID Identity Protection | SecurityAlert / Risk detections SecurityAlert / Risk detections | Risky users, risky sign-ins und automatische Remediation-Signale. Risky users, risky sign-ins, and automatic remediation signals. |
| Microsoft 365 Defender Microsoft 365 Defender | SecurityAlert / SecurityIncident SecurityAlert / SecurityIncident | Einheitliche Alerts aus Endpoint, Identity, Cloud Apps und Office 365. Unified alerts from endpoint, identity, cloud apps, and Office 365. |
| Defender for Endpoint Defender for Endpoint | Device* tables Device* tables | Prozess-, Netzwerk-, Registry- und File-Telemetrie für Endpoint Hunting. Process, network, registry, and file telemetry for endpoint hunting. |
| Defender for Office 365 Defender for Office 365 | Email* tables / Alerts Email* tables / Alerts | Mailflow, URL-Klicks, Attachments und AIR-Signale aus E-Mail-Kampagnen. Mail flow, URL clicks, attachments, and AIR signals from email campaigns. |
| Defender for Identity Defender for Identity | Identity* / Alerts Identity* / Alerts | On-Prem-AD-Angriffe wie Kerberoasting, DCSync, DCShadow und lateral movement. On-prem AD attacks such as Kerberoasting, DCSync, DCShadow, and lateral movement. |
| Defender for Cloud Apps Defender for Cloud Apps | CloudAppEvents CloudAppEvents | SaaS-Aktivitäten, Session Control und OAuth-App-Risiken. SaaS activity, session control, and OAuth app risk. |
| Microsoft Defender for Cloud Microsoft Defender for Cloud | SecurityAlert / Recommendations SecurityAlert / Recommendations | Cloud workload alerts, posture findings und Secure Score Signale. Cloud workload alerts, posture findings, and Secure Score signals. |
| Office 365 Office 365 | OfficeActivity OfficeActivity | SharePoint-, OneDrive-, Teams- und Exchange-Aktivitäten für Insider- und Exfil-Detections. SharePoint, OneDrive, Teams, and Exchange activity for insider and exfil detections. |
| Microsoft Purview Audit Microsoft Purview Audit | AuditData / OfficeActivity AuditData / OfficeActivity | Compliance-Audit, DLP und sensitivitätsbezogene Aktionen in M365. Compliance audit, DLP, and sensitivity-related actions in M365. |
| Microsoft Graph Security Microsoft Graph Security | SecurityAlert SecurityAlert | Aggregator für Sicherheitsanbieter, wenn native Connectoren nicht möglich oder nicht gewünscht sind. Aggregator for security vendors when native connectors are not possible or desired. |
| Microsoft Defender Vulnerability Management Microsoft Defender Vulnerability Management | DeviceTvm* DeviceTvm* | Exposure- und Schwachstellenkontext zur Priorisierung von Incidents. Exposure and vulnerability context for incident prioritization. |
| Microsoft Defender External Attack Surface Management Microsoft Defender External Attack Surface Management | SecurityAlert / custom SecurityAlert / custom | Internet-exponierte Assets, Brand Exposure und Shadow-IT-Kontext. Internet-exposed assets, brand exposure, and shadow-IT context. |
| Microsoft Defender for IoT Microsoft Defender for IoT | SecurityAlert / IoT logs SecurityAlert / IoT logs | OT- und ICS-Telemetrie, Anomalien und Geräteinventare. OT and ICS telemetry, anomalies, and device inventories. |
| Microsoft Security Copilot artifacts Microsoft Security Copilot artifacts | Custom / incidents Custom / incidents | Optionaler Kontext aus AI-gestützter Triage und empfohlenen Investigation-Schritten. Optional context from AI-assisted triage and recommended investigation steps. |
Azure Control Plane und Plattform Azure control plane and platform
| Connector Connector | Typische Tabelle / Ziel Typical table / target | Primärer Nutzen Primary value |
|---|---|---|
| Azure Activity Azure Activity | AzureActivity AzureActivity | Subscription- und Management-Plane-Events für Change Tracking und Privileged Operations. Subscription and management-plane events for change tracking and privileged operations. |
| Azure Resource Logs Azure Resource Logs | AzureDiagnostics / ResourceSpecific AzureDiagnostics / ResourceSpecific | Ressourcenspezifische Logs aus PaaS- und IaaS-Diensten. Resource-specific logs from PaaS and IaaS services. |
| Azure Firewall Azure Firewall | AzureDiagnostics / AZFW* AzureDiagnostics / AZFW* | Allow/Deny, DNAT und Threat-Intelligence-Aktionen aus Azure Firewall. Allow/deny, DNAT, and threat intelligence actions from Azure Firewall. |
| Azure Web Application Firewall Azure Web Application Firewall | AzureDiagnostics AzureDiagnostics | WAF-Regel-Treffer und HTTP-Angriffsindikatoren. WAF rule hits and HTTP attack indicators. |
| Azure Application Gateway Azure Application Gateway | AzureDiagnostics AzureDiagnostics | Access-, performance- und WAF-Logs der Gateway-Schicht. Access, performance, and WAF logs at the gateway layer. |
| Azure Front Door Azure Front Door | AzureDiagnostics AzureDiagnostics | Edge Requests, WAF, Bot- und Caching-Kontext. Edge requests, WAF, bot, and caching context. |
| Azure DDoS Protection Azure DDoS Protection | AzureDiagnostics AzureDiagnostics | Attack-Analysen und Mitigation-Ereignisse für volumetrische Angriffe. Attack analytics and mitigation events for volumetric attacks. |
| Azure Key Vault Azure Key Vault | AzureDiagnostics AzureDiagnostics | Secret-, Key- und Certificate-Operationen für Key-Usage-Anomalien. Secret, key, and certificate operations for key-usage anomalies. |
| Azure Storage Azure Storage | Storage* logs Storage* logs | Blob-, Queue-, Table- und File-Zugriffe inklusive SAS- und Auth-Kontext. Blob, queue, table, and file access including SAS and auth context. |
| Azure SQL Database Azure SQL Database | AzureDiagnostics / SQLSecurityAuditEvents AzureDiagnostics / SQLSecurityAuditEvents | Anmeldeversuche, Abfrage-Anomalien und Auditing für Datenbanken. Logons, query anomalies, and auditing for databases. |
| Azure Kubernetes Service Azure Kubernetes Service | Kube* / ContainerLogV2 Kube* / ContainerLogV2 | Audit-, control-plane- und containerbezogene Security-Telemetrie. Audit, control-plane, and container security telemetry. |
| Azure DNS Azure DNS | AzureDiagnostics AzureDiagnostics | DNS-Abfragen, Resolver-Ereignisse und Bedrohungsindikatoren. DNS queries, resolver events, and threat indicators. |
| Azure Bastion Azure Bastion | AzureDiagnostics AzureDiagnostics | Administrative Zugriffe auf VMs und Session-Herkunft. Administrative access to VMs and session origin. |
| Azure API Management Azure API Management | AzureDiagnostics AzureDiagnostics | API-Aufrufe, Policy Errors und Missbrauchsmuster gegen kritische APIs. API calls, policy errors, and abuse patterns against critical APIs. |
| Azure Load Balancer Azure Load Balancer | AzureDiagnostics AzureDiagnostics | Frontend-/Backend-Health und Netzwerkbeziehungen für Traffic-Korrelation. Frontend/backend health and network relationships for traffic correlation. |
| Azure Monitor Agent Azure Monitor Agent | Heartbeat / AMA sources Heartbeat / AMA sources | Agentzustand, Versionsstand und Telemetrie-Sammelstatus. Agent health, versioning, and telemetry collection status. |
| Azure Arc-enabled Servers Azure Arc-enabled Servers | Heartbeat / custom logs Heartbeat / custom logs | Einheitliche Ingestion von Hybrid-Servern und Nicht-Azure-Hosts. Unified ingestion for hybrid servers and non-Azure hosts. |
| Azure Container Registry Azure Container Registry | ContainerRegistryLoginEvents ContainerRegistryLoginEvents | Registry-Logins, Pulls und Supply-Chain-Indikatoren. Registry logins, pulls, and supply-chain indicators. |
Windows, Linux, Syslog und CEF Windows, Linux, Syslog, and CEF
| Connector Connector | Typische Tabelle / Ziel Typical table / target | Primärer Nutzen Primary value |
|---|---|---|
| Windows Security Events via AMA Windows Security Events via AMA | SecurityEvent / WindowsEvent SecurityEvent / WindowsEvent | Authentifizierung, Prozessstarts, Privilege Use und objektbezogene Audits. Authentication, process creation, privilege use, and object-based auditing. |
| Windows DNS Events Windows DNS Events | WindowsEvent WindowsEvent | DNS-Abfragen auf Domain Controllern für Recon- und Exfil-Signale. DNS queries on domain controllers for recon and exfil signals. |
| Windows Firewall Windows Firewall | WindowsEvent / custom WindowsEvent / custom | Hostbasierte Allow/Deny-Informationen und Segmentierungsvalidierung. Host-based allow/deny data and segmentation validation. |
| Sysmon Sysmon | Event / DeviceProcessEvents alignment Event / DeviceProcessEvents alignment | Detaillierte Process-, ImageLoad-, Pipe- und Network-Telemetrie. Detailed process, image load, pipe, and network telemetry. |
| Syslog via AMA Syslog via AMA | Syslog Syslog | Facilities aus Linux, Netzwerk- und Security-Geräten in einem Standardpfad. Facilities from Linux, network, and security devices in a standard path. |
| CEF via AMA CEF via AMA | CommonSecurityLog CommonSecurityLog | Vendor-übergreifender Ingest für Firewalls, WAFs, Proxys und IDS/IPS. Vendor-neutral ingestion for firewalls, WAFs, proxies, and IDS/IPS. |
| Custom Logs via AMA Custom Logs via AMA | Custom tables Custom tables | Text- und JSON-Dateien aus Anwendungen, die kein natives API besitzen. Text and JSON files from applications without a native API. |
| Linux auditd Linux auditd | Syslog / custom Syslog / custom | Privilegierte Aktionen, sudo, File Integrity und Prozessaudit auf Linux. Privileged actions, sudo, file integrity, and process auditing on Linux. |
| IIS / W3C Logs IIS / W3C Logs | Custom tables Custom tables | Webserver-Telemetrie für App-Layer-Anomalien und Exfiltration. Web server telemetry for app-layer anomalies and exfiltration. |
| NGINX / Apache Logs NGINX / Apache Logs | Custom tables Custom tables | Reverse-Proxy-, App- und API-Zugriffe aus Linux-Webstacks. Reverse proxy, application, and API access from Linux web stacks. |
| Cisco ASA Cisco ASA | CommonSecurityLog CommonSecurityLog | Firewall-Sessions, NAT, VPN und Policy Denies aus Cisco-Perimetergeräten. Firewall sessions, NAT, VPN, and policy denies from Cisco perimeter devices. |
| Cisco Meraki Cisco Meraki | CommonSecurityLog / API CommonSecurityLog / API | Cloud-verwaltete Netzwerk- und Security-Ereignisse aus Branch-Umgebungen. Cloud-managed networking and security events from branch environments. |
| Cisco Firepower Cisco Firepower | CommonSecurityLog CommonSecurityLog | IPS-, Malware- und Firewall-Telemetrie für North-South-Traffic. IPS, malware, and firewall telemetry for north-south traffic. |
| Fortinet FortiGate Fortinet FortiGate | CommonSecurityLog CommonSecurityLog | Firewall-, VPN-, Application-Control- und Threat-Logs. Firewall, VPN, application control, and threat logs. |
| Palo Alto Networks Palo Alto Networks | CommonSecurityLog CommonSecurityLog | Threat-, Traffic- und URL-Filtering-Signale aus Next-Gen-Firewalls. Threat, traffic, and URL filtering signals from next-gen firewalls. |
| Check Point Check Point | CommonSecurityLog CommonSecurityLog | Firewall und IPS mit User/Policy-Kontext für Korrelation. Firewall and IPS with user/policy context for correlation. |
| Sophos XG Sophos XG | CommonSecurityLog CommonSecurityLog | Proxy-, Firewall- und Endpoint-nahe Netzwerkdaten. Proxy, firewall, and endpoint-adjacent network telemetry. |
| Juniper SRX Juniper SRX | CommonSecurityLog CommonSecurityLog | Perimeter-, Session- und Threat-Logs im CEF/Syslog-Pfad. Perimeter, session, and threat logs through the CEF/Syslog path. |
| F5 BIG-IP F5 BIG-IP | CommonSecurityLog / custom CommonSecurityLog / custom | Load-Balancer-, WAF- und ASM-Telemetrie für App-Schutz. Load balancer, WAF, and ASM telemetry for application protection. |
| Citrix ADC Citrix ADC | CommonSecurityLog / custom CommonSecurityLog / custom | NetScaler-Zugriffe, WAF-Ereignisse und ICA-kontextbezogene Daten. NetScaler access, WAF events, and ICA-related telemetry. |
| Zscaler Internet Access Zscaler Internet Access | CommonSecurityLog / API CommonSecurityLog / API | Proxy-, DLP- und Web-Policy-Kontext für Web Filtering und Exfil. Proxy, DLP, and web-policy context for web filtering and exfil. |
| Netskope Netskope | CommonSecurityLog / API CommonSecurityLog / API | SASE-, CASB- und DLP-Events mit Benutzer- und SaaS-Kontext. SASE, CASB, and DLP events with user and SaaS context. |
| Blue Coat ProxySG Blue Coat ProxySG | CommonSecurityLog CommonSecurityLog | URL, Category, User und Action für Proxy- und Webzugriffe. URL, category, user, and action for proxy and web access. |
| Imperva WAF Imperva WAF | CommonSecurityLog CommonSecurityLog | App-Layer-Schutzsignale und Web-Request-Anomalien. App-layer protection signals and web request anomalies. |
| Barracuda WAF Barracuda WAF | CommonSecurityLog CommonSecurityLog | WAF-Regeltreffer, Threat Signatures und virtuelle Patches. WAF rule hits, threat signatures, and virtual patches. |
| Akamai Akamai | Syslog / API Syslog / API | Edge-, WAF- und Bot-Manager-Signale aus Internet Edge Services. Edge, WAF, and bot manager signals from internet edge services. |
SaaS, IAM und Collaboration SaaS, IAM, and collaboration
| Connector Connector | Typische Tabelle / Ziel Typical table / target | Primärer Nutzen Primary value |
|---|---|---|
| Okta System Log Okta System Log | Custom / API Custom / API | Okta-Authentifizierungen, MFA, Device Trust und Admin-Änderungen. Okta authentications, MFA, device trust, and admin changes. |
| Duo Security Duo Security | Custom / API Custom / API | MFA-Events, Device Health und Policy-Rejections. MFA events, device health, and policy rejections. |
| Ping Identity Ping Identity | Custom / API Custom / API | SSO- und Federation-Ereignisse inklusive Token- und Policy-Änderungen. SSO and federation events including token and policy changes. |
| Google Workspace Google Workspace | Custom / API Custom / API | Admin Audit, Login-Aktivität und SaaS-Kollaborationsereignisse. Admin audit, login activity, and SaaS collaboration events. |
| Slack Audit Logs Slack Audit Logs | Custom / API Custom / API | Workspace-Administration, App-Installationen und Datenzugriffe. Workspace administration, app installations, and data access. |
| Zoom Audit Logs Zoom Audit Logs | Custom / API Custom / API | Meeting-, Recording- und Admin-Änderungen für Collaboration-Sicherheit. Meeting, recording, and admin changes for collaboration security. |
| Dropbox Business Dropbox Business | Custom / API Custom / API | Sharing, external collaboration und Massendownloads. Sharing, external collaboration, and mass downloads. |
| Box Events Box Events | Custom / API Custom / API | Dateiaktivitäten, Freigaben und App-Aktionen in Cloud Content. File activity, sharing, and application actions in cloud content. |
| GitHub Enterprise Audit GitHub Enterprise Audit | Custom / API Custom / API | Repo-Admin, PAT-Missbrauch, OAuth-Apps und Actions-bezogene Changes. Repo admin, PAT misuse, OAuth apps, and Actions-related changes. |
| Atlassian Cloud Audit Atlassian Cloud Audit | Custom / API Custom / API | Jira- und Confluence-Admin-Aktionen, API Tokens und Gruppenänderungen. Jira and Confluence admin actions, API tokens, and group changes. |
| ServiceNow ServiceNow | Custom / API Custom / API | ITSM- und CMDB-Kontext für Incident Enrichment und Change Governance. ITSM and CMDB context for incident enrichment and change governance. |
| Salesforce Salesforce | Custom / API Custom / API | Admin-, Login- und Datenexport-Signale aus CRM-Workloads. Admin, login, and data export signals from CRM workloads. |
| Cloudflare Zero Trust Cloudflare Zero Trust | Custom / API Custom / API | Access, Gateway, WARP und DNS-Signale aus Zero-Trust-Zugängen. Access, gateway, WARP, and DNS signals from zero trust access. |
| Mimecast Mimecast | Custom / API Custom / API | Mail-Security-, Archive- und User-Awareness-Telemetrie. Mail security, archive, and user-awareness telemetry. |
| Proofpoint TAP Proofpoint TAP | Custom / API Custom / API | URL Defense, Attachment Defense und Kampagnen-Indikatoren. URL defense, attachment defense, and campaign indicators. |
| Jamf Pro Jamf Pro | Custom / API Custom / API | macOS-Geräteinventar, Compliance und Script-Execution-Kontext. macOS inventory, compliance, and script execution context. |
| CrowdStrike Falcon CrowdStrike Falcon | Custom / API Custom / API | EDR Alerts und Device Context zur Multi-EDR-Korrelation. EDR alerts and device context for multi-EDR correlation. |
AWS und Multi-Cloud AWS and multi-cloud
| Connector Connector | Typische Tabelle / Ziel Typical table / target | Primärer Nutzen Primary value |
|---|---|---|
| AWS CloudTrail AWS CloudTrail | AWSCloudTrail AWSCloudTrail | Management- und Data-Plane-Aktivitäten für IAM-, S3- und Control-Plane-Überwachung. Management and data-plane activity for IAM, S3, and control-plane monitoring. |
| AWS GuardDuty AWS GuardDuty | AWSGuardDuty AWSGuardDuty | Managed detections aus AWS für Findings, EC2, IAM und S3. Managed detections from AWS for findings, EC2, IAM, and S3. |
| AWS Security Hub AWS Security Hub | AWS* findings AWS* findings | Aggregierte Findings aus AWS Security Services zur Zentralisierung. Aggregated findings from AWS security services for centralization. |
| AWS VPC Flow Logs AWS VPC Flow Logs | AWSVPCFlow AWSVPCFlow | Netzwerkflüsse für Ost-West- und Exfil-Diagnosen. Network flows for east-west and exfil diagnostics. |
| AWS WAF AWS WAF | AWSWAF AWSWAF | HTTP Layer Detections, Bot Traffic und Block-Aktionen. HTTP layer detections, bot traffic, and block actions. |
| AWS Route 53 Resolver AWS Route 53 Resolver | AWSRoute53Resolver AWSRoute53Resolver | DNS-Abfragen und Resolver-Patterns in AWS. DNS queries and resolver patterns in AWS. |
| AWS CloudWatch AWS CloudWatch | Custom / events Custom / events | Service-spezifische Logs, Alarme und Events aus CloudWatch. Service-specific logs, alarms, and events from CloudWatch. |
| AWS Config AWS Config | AWSConfig AWSConfig | Configuration Drift und Compliance Changes in AWS. Configuration drift and compliance changes in AWS. |
| AWS EKS Audit AWS EKS Audit | AWSEKS AWSEKS | Kubernetes Audit Trail für Cluster und Pod-Aktionen. Kubernetes audit trail for cluster and pod actions. |
| AWS S3 Access AWS S3 Access | AWSS3Access AWSS3Access | Object-Level Access, ungewöhnliche Reads und Public Exposure. Object-level access, unusual reads, and public exposure. |
| AWS Inspector AWS Inspector | AWSInspector AWSInspector | Schwachstellen- und Exposure-Findings aus AWS-Workloads. Vulnerability and exposure findings from AWS workloads. |
| GCP Cloud Audit Logs GCP Cloud Audit Logs | GCPCAudit GCPCAudit | Admin-, Data-Access- und System-Events in GCP. Admin, data access, and system events in GCP. |
| GCP VPC Flow Logs GCP VPC Flow Logs | GCPVPCFlow GCPVPCFlow | Netzwerkströme für Cloud-Network-Hunting in GCP. Network flows for cloud network hunting in GCP. |
| GCP Security Command Center GCP Security Command Center | GCPSCC GCPSCC | Findings aus Container-, IAM- und Storage-Sicherheitskontrollen. Findings from container, IAM, and storage security controls. |
| GCP Cloud IDS GCP Cloud IDS | GCPIDS GCPIDS | Intrusion-Detections und Signaturen für GCP-Traffic. Intrusion detections and signatures for GCP traffic. |
| GKE Audit Logs GKE Audit Logs | GKEAudit GKEAudit | Kubernetes Audit auf Google Kubernetes Engine. Kubernetes audit on Google Kubernetes Engine. |
| Google Workspace Alert Center Google Workspace Alert Center | WorkspaceAlerts WorkspaceAlerts | Sicherheitsrelevante Google-SaaS-Alerts für Cross-Platform Correlation. Security-relevant Google SaaS alerts for cross-platform correlation. |
| Oracle Cloud Infrastructure Audit Oracle Cloud Infrastructure Audit | OCIAudit OCIAudit | Control-Plane- und IAM-Änderungen in OCI. Control-plane and IAM changes in OCI. |
| VMware vSphere VMware vSphere | Custom / Syslog Custom / Syslog | Hypervisor- und vCenter-Signale für Datacenter-Korrelation. Hypervisor and vCenter signals for datacenter correlation. |
| VMware NSX-T VMware NSX-T | Syslog / custom Syslog / custom | Microsegmentation-, Firewall- und East-West-Netzwerkereignisse. Microsegmentation, firewall, and east-west network events. |
| VMware Carbon Black Cloud VMware Carbon Black Cloud | Custom / API Custom / API | EDR- und Threat-Hunting-Signale aus Carbon Black. EDR and threat hunting signals from Carbon Black. |
Custom APIs, Event Hubs und Spezialfälle Custom APIs, Event Hubs, and special cases
| Connector Connector | Typische Tabelle / Ziel Typical table / target | Primärer Nutzen Primary value |
|---|---|---|
| HTTP Data Collector API HTTP Data Collector API | Custom tables Custom tables | Einfacher HTTP-Ingest für Legacy-Integrationen und One-off-Sources. Simple HTTP ingestion for legacy integrations and one-off sources. |
| Log Ingestion API Log Ingestion API | DCR-based custom tables DCR-based custom tables | Moderne API für schema-gesteuerte Ingestion über Data Collection Endpoints. Modern API for schema-driven ingestion through data collection endpoints. |
| Event Hub Event Hub | Custom / partner streams Custom / partner streams | Streaming-Pipeline für Azure- und Drittanbieterdaten mit hohem Durchsatz. Streaming pipeline for Azure and partner data at scale. |
| Storage Account via Logic Apps Storage Account via Logic Apps | Custom tables Custom tables | Batch-Ingest aus Blob Files, CSV oder JSON Dumps. Batch ingestion from blob files, CSV, or JSON dumps. |
| REST API Polling via Logic Apps REST API Polling via Logic Apps | Custom tables Custom tables | Nützlich für Security-Produkte ohne native Sentinel-Lösung. Useful for security products without a native Sentinel solution. |
| Webhook to Playbook Webhook to Playbook | Custom tables / automation Custom tables / automation | Empfängt Ereignisse direkt in Logic Apps und schreibt sie anschließend in Sentinel. Receives events directly in Logic Apps and then writes them to Sentinel. |
| Azure Function Connectors Azure Function Connectors | Custom tables Custom tables | Für periodische Pull-Integrationen, Token-Rotation und Transformation. For periodic pull integrations, token rotation, and transformation. |
| Microsoft Sentinel Repositories Microsoft Sentinel Repositories | Deployment content Deployment content | Versioniert ARM/Bicep/Terraform- oder GitOps-Inhalte für Regeln, Parser und Playbooks. Versions ARM/Bicep/Terraform or GitOps content for rules, parsers, and playbooks. |
| Watchlists CSV Upload Watchlists CSV Upload | Watchlist Watchlist | Referenzdaten wie VIP-User, Assets, TLP-Zuordnung oder Geo-Ausnahmen. Reference data such as VIP users, assets, TLP mapping, or geo exceptions. |
| Threat Intelligence - TAXII Threat Intelligence - TAXII | ThreatIntelligenceIndicator ThreatIntelligenceIndicator | Automatischer IOC-Bezug aus kommerziellen oder Community-TAXII-Feeds. Automatic IOC retrieval from commercial or community TAXII feeds. |
| Threat Intelligence - MISP Threat Intelligence - MISP | ThreatIntelligenceIndicator / custom ThreatIntelligenceIndicator / custom | IOC- und TTP-Sharing über MISP plus Sentinel-Korrelation. IOC and TTP sharing through MISP plus Sentinel correlation. |
| Threat Intelligence - STIX/TAXII Gateways Threat Intelligence - STIX/TAXII Gateways | ThreatIntelligenceIndicator ThreatIntelligenceIndicator | Normierte IOC-Pipelines aus TIPs, CERTs oder ISACs. Standardized IOC pipelines from TIPs, CERTs, or ISACs. |
| Azure Data Explorer Federation Azure Data Explorer Federation | External / ADX External / ADX | Historische oder massive Datenmengen per Kusto-Federation einbinden. Bring in historical or massive datasets through Kusto federation. |
| Custom JSON via AMA Custom JSON via AMA | Custom tables Custom tables | Lokale Agents lesen strukturierte JSON-Files mit DCR-Transformationen ein. Local agents ingest structured JSON files with DCR transformations. |
| Custom Text Logs via AMA Custom Text Logs via AMA | Custom tables Custom tables | Geeignet für Appliances oder Apps, die nur Flat Files erzeugen. Suitable for appliances or applications that only emit flat files. |
| Syslog over Arc Syslog over Arc | Syslog Syslog | Hybrid- und Edge-Hosts ohne klassische Azure-VM-Anbindung konsolidieren. Consolidate hybrid and edge hosts without classic Azure VM attachment. |
| OT / ICS Vendor Feeds OT / ICS Vendor Feeds | Custom / IoT Custom / IoT | Speziallösungen aus Fertigung oder Energie über REST, Syslog oder Defender for IoT. Specialized manufacturing or energy solutions via REST, Syslog, or Defender for IoT. |
Analytics Rules und KQL-Muster Analytics rules and KQL patterns
| Regeltyp Rule type | Wann einsetzen When to use | Kernmerkmal Core characteristic |
|---|---|---|
| Scheduled Scheduled | Für wiederkehrende Korrelationen mit definierter Abfragefrequenz For recurring correlations with a defined query frequency | Volle KQL-Flexibilität, Suppression, Entity Mapping und Tactics-Mapping. Full KQL flexibility, suppression, entity mapping, and tactics mapping. |
| Near-real-time (NRT) Near-real-time (NRT) | Für extrem kurze Erkennungszeit bei klaren Conditions For extremely short detection latency on clear conditions | Sekundenschnelle Ausführung mit engeren KQL-Constraints und Fokus auf Speed. Sub-minute execution with tighter KQL constraints and a focus on speed. |
| Microsoft Security Microsoft Security | Wenn Microsoft-Produkte bereits hochwertige Alerts erzeugen When Microsoft products already generate high-quality alerts | Sentinel übernimmt oder ergänzt Alerts aus Defender, Entra und weiteren Microsoft-Quellen. Sentinel consumes or enriches alerts from Defender, Entra, and other Microsoft sources. |
| Fusion Fusion | Für Multi-Stage-Korrelation ohne eigene Modellierung For multi-stage correlation without custom modeling | ML-gestützte Verknüpfung mehrerer Low-Signal-Events zu einem hochwertigen Incident. ML-driven linking of multiple low-signal events into a higher-quality incident. |
| Anomaly Anomaly | Für Verhalten, Volumen und Rare-Pattern-Dektionen For behavior, volume, and rare-pattern detections | Baselines und Lernmodelle identifizieren ungewöhnliche Aktivität jenseits statischer Schwellwerte. Baselines and learning models identify unusual activity beyond static thresholds. |
Erfolgreiche Sign-ins aus mehreren Ländern am selben Tag Successful sign-ins from multiple countries on the same day
KQL
KQL
SigninLogs
| where ResultType == 0
| summarize Countries = make_set(LocationDetails.countryOrRegion), IPs = dcount(IPAddress) by UserPrincipalName, bin(TimeGenerated, 1d)
| where array_length(Countries) > 1 and IPs > 1
| project TimeGenerated, UserPrincipalName, Countries, IPs
MFA-Fatigue durch wiederholte Prompt-Ablehnungen MFA fatigue through repeated prompt denials
KQL
KQL
SigninLogs
| where ResultType != 0
| where Status.failureReason has_any ("MFA denied", "user declined", "fraud")
| summarize Denials = count(), Apps = make_set(AppDisplayName) by UserPrincipalName, IPAddress, bin(TimeGenerated, 15m)
| where Denials >= 5
Rollenänderungen in privilegierten Entra-Gruppen Role changes in privileged Entra groups
KQL
KQL
AuditLogs
| where OperationName has_any ("Add member to role", "Add eligible member to role")
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, OperationName, InitiatedByUser, TargetResources
Verdächtige OAuth-Consent-Gewährung Suspicious OAuth consent grants
KQL
KQL
AuditLogs
| where OperationName has_any ("Consent to application", "Add delegated permission grant")
| project TimeGenerated, OperationName, InitiatedBy, TargetResources, AdditionalDetails
Encoded PowerShell auf Endpunkten Encoded PowerShell on endpoints
KQL
KQL
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-enc", "-encodedcommand", "FromBase64String")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
Seltene ausgehende Domains Rare outbound domains
KQL
KQL
DeviceNetworkEvents
| where isnotempty(RemoteUrl)
| summarize Hits = count(), Devices = dcount(DeviceName) by RemoteUrl
| where Hits < 5 and Devices < 3
| order by Hits asc
Mailbox-Forwarding und Inbox-Regeln Mailbox forwarding and inbox rules
KQL
KQL
OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
| where Parameters has_any ("ForwardTo", "RedirectTo", "DeliverToMailboxAndForward")
| project TimeGenerated, UserId, Operation, Parameters
Massendownloads in SharePoint/OneDrive Mass downloads in SharePoint/OneDrive
KQL
KQL
OfficeActivity
| where OfficeWorkload in ("SharePoint", "OneDrive")
| where Operation in ("FileDownloaded", "FileSyncDownloadedFull")
| summarize Downloads = count(), Files = dcount(SourceFileName) by UserId, bin(TimeGenerated, 30m)
| where Downloads > 250 or Files > 100
GuardDuty High Severity Findings GuardDuty high severity findings
KQL
KQL
AWSGuardDuty
| where Severity >= 7
| summarize Findings = count() by Title, AccountId, Region, bin(TimeGenerated, 1h)
| order by Findings desc
Firewall-Deny-Spikes aus CEF Firewall deny spikes from CEF
KQL
KQL
CommonSecurityLog
| where DeviceAction =~ "Deny"
| summarize Denies = count() by DeviceVendor, SourceIP, DestinationPort, bin(TimeGenerated, 10m)
| where Denies > 100
Threat-Intelligence-Matches Threat intelligence matches
KQL
KQL
let ti = ThreatIntelligenceIndicator
| where Active == true and ExpirationDateTime > now()
| project IndicatorId, NetworkIP, DomainName, Url;
DeviceNetworkEvents
| join kind=innerunique ti on $left.RemoteIP == $right.NetworkIP
| project Timestamp, DeviceName, RemoteIP, IndicatorId
UEBA High Investigation Priority UEBA high investigation priority
KQL
KQL
BehaviorAnalytics
| where InvestigationPriority >= 5
| summarize Entities = make_set(Entities), Signals = count() by UserName, ActivityType, bin(TimeGenerated, 1d)
| order by Signals desc
NRT-Kandidat für Password Spray NRT candidate for password spray
KQL
KQL
SigninLogs
| where ResultType != 0
| summarize Failed = count(), Users = dcount(UserPrincipalName) by IPAddress, bin(TimeGenerated, 5m)
| where Failed > 25 and Users > 10
Fusion-Nachverfolgung über SecurityAlert Fusion follow-up through SecurityAlert
KQL
KQL
SecurityAlert
| where ProductName =~ "Azure Sentinel"
| where AlertName has "Fusion"
| project TimeGenerated, AlertName, CompromisedEntity, ExtendedProperties
Incident Aging und SOC Backlog Incident aging and SOC backlog
KQL
KQL
SecurityIncident
| extend AgeHours = datetime_diff('hour', now(), CreatedTime)
| summarize OpenIncidents = count(), AvgAge = avg(AgeHours) by Severity, Status
Neu auftretende Prozesse pro Host New processes per host
KQL
KQL
DeviceProcessEvents
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, FileName, SHA1
| where FirstSeen > ago(24h)
| order by FirstSeen desc
MITRE ATT&CK, Incidents und Investigation Graph MITRE ATT&CK, incidents, and investigation graph
| Bereich Area | Sentinel-Mechanik Sentinel mechanism | SOC-Nutzen SOC value |
|---|---|---|
| MITRE Mapping MITRE mapping | Rules mappen Tactics und Techniques direkt im Detection-Objekt Rules map tactics and techniques directly on the detection object | Analysten sehen sofort Kill-Chain-Kontext und können Coverage-Lücken pro Tactic identifizieren. Analysts immediately see kill-chain context and can identify coverage gaps by tactic. |
| Incidents Incidents | Alerts werden per Incident Settings gruppiert Alerts are grouped through incident settings | Richtiges Grouping reduziert Alarmflut und vereint Mail-, Identity- und Endpoint-Signale in einer Story. Proper grouping reduces alert storms and unifies email, identity, and endpoint signals into one story. |
| Investigation Graph Investigation graph | Entitäten wie User, Host, IP, Mailbox und URL werden graphisch verbunden Entities such as users, hosts, IPs, mailboxes, and URLs are connected visually | Hilft besonders bei lateraler Bewegung und bei Multi-Signal-Incidents aus Defender XDR plus Drittquellen. Especially helpful for lateral movement and multi-signal incidents from Defender XDR plus third-party sources. |
| Entity Mapping Entity mapping | KQL-Ausgaben werden auf standardisierte Entitätstypen gemappt KQL outputs are mapped to standardized entity types | Ohne sauberes Entity Mapping verlieren Incidents Graph, UEBA und Investigation Features deutlich an Qualität. Without clean entity mapping, incidents lose significant graph, UEBA, and investigation quality. |
⚠️ Incident-Tuning
⚠️ Incident tuning
Zu aggressive Incident-Gruppierung verschmilzt unterschiedliche Angriffsketten; zu konservative Gruppierung erzeugt Analysten-Rauschen. Tune Rules, Reopen-Logik und Grouping gemeinsam. Overly aggressive incident grouping merges unrelated attack chains; overly conservative grouping creates analyst noise. Tune rules, reopen logic, and grouping together.
SOAR: Automation Rules und Playbooks SOAR: automation rules and playbooks
| Baustein Building block | Beispiel Example | Wichtig für Betrieb Operational importance |
|---|---|---|
| Automation Rule Automation rule | Tagge High-Fidelity-Identity-Incidents automatisch mit 'Tier1-AutoTriage' Automatically tag high-fidelity identity incidents with 'Tier1-AutoTriage' | Regeln steuern Playbook-Auslösung, Ownership, Severity-Updates und automatische Schließung. Rules control playbook triggers, ownership, severity changes, and automatic closure. |
| Playbook via Logic Apps Playbook via Logic Apps | Entra User suspendieren, Teams-Nachricht senden, Ticket erstellen Suspend an Entra user, send a Teams message, create a ticket | Playbooks sind am wertvollsten, wenn sie Idempotenz, Fehlerpfade und Rückmeldung an den Incident unterstützen. Playbooks are most valuable when they support idempotency, failure paths, and write-back to the incident. |
| Template Template | Prebuilt Playbooks aus Content Hub Prebuilt playbooks from Content Hub | Templates beschleunigen den Start, müssen aber Security Reviews, Secrets Management und Naming Standards erfüllen. Templates accelerate adoption, but must pass security review, secret management, and naming standards. |
| Managed Identity Managed identity | Playbook greift sicher auf Graph, Azure oder ServiceNow zu Playbook securely accesses Graph, Azure, or ServiceNow | Vermeidet statische Secrets und vereinfacht Rotation, RBAC und Auditing. Avoids static secrets and simplifies rotation, RBAC, and auditing. |
PowerShell mit Az.SecurityInsights PowerShell with Az.SecurityInsights
PowerShell
PowerShell
Connect-AzAccount
Select-AzSubscription -SubscriptionName "Contoso-SOC"
Get-AzOperationalInsightsWorkspace -ResourceGroupName "rg-sentinel" -Name "law-soc-prod"
Get-AzSentinelIncident -ResourceGroupName "rg-sentinel" -WorkspaceName "law-soc-prod" |
Where-Object { $_.Severity -eq "High" -and $_.Status -eq "New" } |
Select-Object Title, Severity, Status, Owner
PowerShell
PowerShell
$rule = Get-AzSentinelAlertRule -ResourceGroupName "rg-sentinel" -WorkspaceName "law-soc-prod" -Name "scheduled-passwordspray"
$rule.DisplayName = "Password Spray - Entra ID NRT Follow-up"
$rule.Enabled = $true
Set-AzSentinelAlertRule -ResourceGroupName "rg-sentinel" -WorkspaceName "law-soc-prod" -AlertRule $rule
Workbooks, UEBA und Threat Intelligence Workbooks, UEBA, and threat intelligence
| Funktion Function | Datenbasis Data basis | Typischer Einsatz Typical use |
|---|---|---|
| Workbooks Workbooks | KQL, Parameters, Azure Resource Graph KQL, parameters, Azure Resource Graph | Executive Dashboards, Detection Coverage, Identity Risk, Connector Health und MSSP-Sicht auf Kundenmandanten. Executive dashboards, detection coverage, identity risk, connector health, and MSSP views across customer tenants. |
| UEBA UEBA | BehaviorAnalytics, Identity, Device, Cloud Signale BehaviorAnalytics, identity, device, and cloud signals | Rare Country, rare impossible activity, peer deviation und prioritisiertes Entity Hunting. Rare country, rare impossible activity, peer deviation, and prioritized entity hunting. |
| Threat Intelligence Threat intelligence | TI-Feeds, TAXII, MISP, manuelle Uploads TI feeds, TAXII, MISP, manual uploads | IOC-Enrichment, outbound C2 detection, email URL hits und Firewall/IP-Korrelation. IOC enrichment, outbound C2 detection, email URL hits, and firewall/IP correlation. |
| Bookmarks Bookmarks | Hunting-Ergebnisse Hunting results | Persistiert Untersuchungsartefakte, die später in Incidents, Playbooks oder weiteren Hunts auftauchen. Persists investigative artifacts that can later show up in incidents, playbooks, or additional hunts. |
Hunting, Bookmarks, Livestream und Notebooks Hunting, bookmarks, livestream, and notebooks
Advanced Hunting in Sentinel ist nicht nur KQL auf Tabellen. Effektive Hunting-Programme standardisieren Bookmark-Konventionen, nutzen Livestream für aktive Incidents, korrelieren Defender-XDR-Tabellen mit Netzwerkdaten und dokumentieren Hypothesen in wiederverwendbaren Hunt-Queries. Advanced hunting in Sentinel is not just KQL on tables. Effective hunting programs standardize bookmark conventions, use livestream during active incidents, correlate Defender XDR tables with network data, and document hypotheses in reusable hunt queries.
| Werkzeug Tool | Stärke Strength | Wann sinnvoll When useful |
|---|---|---|
| Hunting Queries Hunting queries | Schnelle Hypothesentests Fast hypothesis testing | Für Analysten, die in Minuten neue Fragen an Telemetrie stellen müssen. For analysts who need to ask new questions of telemetry within minutes. |
| Livestream Livestream | Nahezu Echtzeit-Sicht auf frisch eingehende Daten Near-real-time view of fresh incoming data | Während aktiver Angriffe, um laufende Prozess- oder Sign-in-Ereignisse zu beobachten. During active attacks to watch live process or sign-in activity. |
| Bookmarks Bookmarks | Persistente Markierungen Persistent markers | Zum Übergang von Threat Hunting in Incident Response und für Peer Review zwischen Schichten. For transitioning from threat hunting into incident response and peer review between shifts. |
| MSTICPy MSTICPy | Python-Analytik auf Kusto, TI und Notebooks Python analytics across Kusto, TI, and notebooks | Wenn Data Science, enrichment pipelines oder Visualisierung über reines KQL hinausgehen. When data science, enrichment pipelines, or visualization go beyond pure KQL. |
| Jupyter / Notebooks Jupyter / notebooks | Mehrstufige Analysen und Case Narratives Multi-step analysis and case narratives | Für umfangreiche Investigations, Malware Clustering oder wiederholbare DFIR-Workflows. For extensive investigations, malware clustering, or repeatable DFIR workflows. |
KQL
KQL
let suspiciousIps = materialize(
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| summarize Users = dcount(UserPrincipalName) by IPAddress
| where Users > 20
);
DeviceNetworkEvents
| where Timestamp > ago(1d)
| join kind=inner suspiciousIps on $left.RemoteIP == $right.IPAddress
| summarize Connections = count() by DeviceName, RemoteIP, RemoteUrl
Python
Python
from msticpy.data import QueryProvider
qry = QueryProvider("MSSentinel")
qry.connect(workspace="law-soc-prod")
result = qry.exec_query("SigninLogs | take 10")
result.head()
Content Hub, Watchlists und Repositories Content Hub, watchlists, and repositories
| Capability Capability | Beispiel Example | Hinweis Note |
|---|---|---|
| Content Hub Solutions Content Hub solutions | Microsoft Defender for Endpoint, Palo Alto, Okta Microsoft Defender for Endpoint, Palo Alto, Okta | Behandle Solutions wie Code: versionieren, testen, dokumentieren und Freigabeprozesse definieren. Treat solutions like code: version, test, document, and define release processes. |
| Watchlists Watchlists | VIPs, High Value Assets, Sanctioned IP Ranges VIPs, high value assets, sanctioned IP ranges | Nutze Suchschlüssel bewusst; schlecht gepflegte Watchlists erzeugen False Positives und Query-Overhead. Use search keys deliberately; poorly maintained watchlists create false positives and query overhead. |
| Repositories Repositories | ARM/Bicep/Terraform/KQL in Git ARM/Bicep/Terraform/KQL in Git | CI/CD für detections ermöglicht Peer Review, Branch Policies, Pull Requests und reproduzierbare Deployments. CI/CD for detections enables peer review, branch policies, pull requests, and reproducible deployments. |
| Parser & Functions Parsers and functions | ASIM-Normalisierung für NetworkSession, Authentication, DNS ASIM normalization for NetworkSession, Authentication, DNS | Ohne zentrale Parser wird jede neue Rule teurer und schwieriger wartbar. Without central parsers, every new rule becomes more expensive and harder to maintain. |
Kostenmanagement und Datensteuerung Cost management and data control
| Hebel Lever | Wirkung Effect | Praxis Practice |
|---|---|---|
| Commitment Tiers Commitment tiers | Preis sinkt bei planbarer Tagesmenge Price decreases when daily volume is predictable | Sinnvoll für stabile SOC-Workloads; monatlich prüfen, ob Peak- und Durchschnittsvolumen den Tier rechtfertigen. Useful for stable SOC workloads; review monthly whether peak and average volume justify the tier. |
| Freie Datenquellen Free data sources | Einige Microsoft-Signale verursachen reduzierte oder keine Ingest-Kosten Some Microsoft signals carry reduced or no ingest cost | Defender- und Aktivitätsdatenmodelle regelmäßig gegen aktuelle Preislisten und Produktdokumentation verifizieren. Regularly verify Defender and activity data models against current pricing and product documentation. |
| Data Collection Rules Data collection rules | Noise vor der Abrechnung entfernen Remove noise before billing | Event IDs, Facilities, Hosts und Parser schon beim Ingest minimieren. Minimize event IDs, facilities, hosts, and parsers at ingest time. |
| Retention Retention | Interaktive Datenmenge reduzieren Reduce interactive data volume | Aktive 30 bis 90 Tage im Workspace, Langzeitdaten archivieren oder nach ADX verschieben. Keep active 30 to 90 days in the workspace and archive or offload long-term data to ADX. |
| Sampling / Summaries Sampling / summaries | Kostengünstigere Use Cases Lower-cost use cases | Nicht jede hochvolumige Quelle muss roh und vollständig ingestiert werden; Summaries genügen oft für Monitoring. Not every high-volume source must be ingested raw and in full; summaries are often enough for monitoring. |
| Parser Reuse Parser reuse | Analysten-Zeit sparen Save analyst time | Konsistente Functions und ASIM sparen Query-Kosten und reduzieren Fehler in allen Teams. Consistent functions and ASIM save query time and reduce errors across teams. |
KQL
KQL
Usage
| where TimeGenerated > ago(14d)
| summarize GB = sum(Quantity) / 1024 by DataType, Solution, bin(TimeGenerated, 1d)
| order by TimeGenerated desc, GB desc
Multi-Tenant, Lighthouse und Migration Multi-tenant, Lighthouse, and migration
| Szenario Scenario | Muster Pattern | Hinweis Note |
|---|---|---|
| MSSP via Azure Lighthouse MSSP via Azure Lighthouse | Delegierter Zugriff auf Kunden-Subscriptions und Workspaces Delegated access to customer subscriptions and workspaces | Ideal für zentrale Bearbeitung, aber RBAC, Data Residency und Incident Ownership sauber modellieren. Ideal for centralized operations, but model RBAC, data residency, and incident ownership carefully. |
| Multi-Tenant Entra + M365 Multi-tenant Entra + M365 | Connectoren in Kundenmandanten, SOC-Views im Provider-Kontext Connectors in customer tenants, SOC views in the provider context | Achte auf Consent, cross-tenant diagnostics und getrennte Playbook-Identitäten. Watch consent, cross-tenant diagnostics, and separate playbook identities. |
| Splunk-Migration Splunk migration | SPL nach KQL, CIM nach ASIM, Forwarder-Use-Cases nach AMA/Event Hub SPL to KQL, CIM to ASIM, forwarder use cases to AMA/Event Hub | Beginne mit High-Value Use Cases statt 1:1 Dashboard- oder Index-Replikation. Start with high-value use cases instead of 1:1 dashboard or index replication. |
| QRadar-Migration QRadar migration | Offense-Modelle in Incidents, DSM/Log Sources in Connectoren und Parser übertragen Translate offense models into incidents, DSM/log sources into connectors and parsers | Mapping von Regeln, Referenzsets und Use Cases vorab dokumentieren und priorisieren. Document and prioritize mapping of rules, reference sets, and use cases upfront. |
| Coexistence-Phase Coexistence phase | Parallelbetrieb mit abgestimmten Schweregraden und Ownership Parallel run with aligned severities and ownership | Verhindere Doppelalarme durch klares Routing, deduplizierte Ticketpfade und abgestimmte Use-Case-Verantwortung. Prevent duplicate alerts through clear routing, deduplicated ticketing paths, and aligned use-case ownership. |