Редактиране

Споделяне чрез


Configure Microsoft Sentinel content

In the previous deployment step, you enabled Microsoft Sentinel, health monitoring, and the required solutions. In this article, you learn how to configure the different types of Microsoft Sentinel security content, which allow you to detect, monitor, and respond to security threats across your systems. This article is part of the Deployment guide for Microsoft Sentinel.

Configure your security content

Step Description
Set up data connectors Based on the data sources you selected when you planned your deployment, and after enabling the relevant solutions, you can now install or set up your data connectors.

- If you're using an existing connector, find your connector from this full list of data connectors.
- If you're creating a custom connector, use these resources.
- If you're setting up a connector to ingest CEF or Syslog logs, review these options.
Set up analytics rules After you've set up Microsoft Sentinel to collect data from all over your organization, you can begin using analytics rules to detect threats. Select the steps you need to set up and configure your analytics rules:

- Create scheduled rules from templates or from scratch: Create analytics rules to help discover threats and anomalous behaviors in your environment.
- Map data fields to entities: Add or change entity mappings in an analytics rule.
- Surface custom details in alerts: Add or change custom details in an analytics rule.
- Customize alert details: Override the default properties of alerts with content from the underlying query results.
- Export and import analytics rules: Export your analytics rules to Azure Resource Manager (ARM) template files, and import rules from these files. The export action creates a JSON file in your browser's downloads location, that you can then rename, move, and otherwise handle like any other file.
- Create near-real-time (NRT) detection analytics rules: Create near-time analytics rules for up-to-the-minute threat detection out-of-the-box. This type of rule was designed to be highly responsive by running its query at intervals just one minute apart.
- Work with anomaly detection analytics rules: Work with built-in anomaly templates that use thousands of data sources and millions of events, or change thresholds and parameters for the anomalies within the user interface.
- Manage template versions for your scheduled analytics rules: Track the versions of your analytics rule templates, and either revert active rules to existing template versions, or update them to new ones.
- Handle ingestion delay in scheduled analytics rules: Learn how ingestion delay might impact your scheduled analytics rules and how you can fix them to cover these gaps.
Set up automation rules Create automation rules. Define the triggers and conditions that determine when your automation rule runs, the various actions that you can have the rule perform, and the remaining features and functionalities.
Set up playbooks A playbook is a collection of remediation actions that you run from Microsoft Sentinel as a routine, to help automate and orchestrate your threat response. To set up playbooks:

- Review recommended playbooks
- Create playbooks from templates: A playbook template is a prebuilt, tested, and ready-to-use workflow that can be customized to meet your needs. Templates can also serve as a reference for best practices when developing playbooks from scratch, or as inspiration for new automation scenarios.
- Review these steps for creating a playbook
Set up workbooks Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within Microsoft Sentinel. Workbook templates allow you to quickly gain insights across your data as soon as you connect a data source. To set up workbooks:

- Review commonly used Microsoft Sentinel workbooks
- Use existing workbook templates available with packaged solutions
- Create custom workbooks across your data
Set up watchlists Watchlists allow you to correlate data from a data source you provide with the events in your Microsoft Sentinel environment. To set up watchlists:

- Create watchlists
- Build queries or detection rules with watchlists: Query data in any table against data from a watchlist by treating the watchlist as a table for joins and lookups. When you create a watchlist, you define the SearchKey. The search key is the name of a column in your watchlist that you expect to use as a join with other data or as a frequent object of searches.

Next steps

In this article, you learned how to configure the different types of Microsoft Sentinel security content.