This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I’ll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There are deeper discussions and training required to get a good handle on the ins and outs of working with Azure Sentinel. I won’t dig deep into those here, but will instead give an overview of this specific daily task.
For customers that want deeper dives for Azure Sentinel, you have a few options:
- Sift through our docs platform.
- Contact your TAM and ask for me by name.
- Use the following link to access a reference page for our Level-400 training: https://aka.ms/SentinelNinja
In fact, this particular blog series is being developed into a workshop on its own and will also cover the additional, deeper knowledge for taking next steps.
One of the recommended tasks for an Azure Sentinel analyst is to verify that data is connected and flowing. There’s obviously a manual way to perform this check: open the Data Connectors blade, look at each enabled Data Connector, and review its “Last Log Received” status, as shown in the following image.
However, there’s a much simpler way to do this thanks to Clive Watson’s Usage Reporting Workbook.
Clive has incorporated our Daily, Weekly, Monthly recommendations into the Workbook. After clicking on the Regular Checks (D/W/M) tab in the Workbook, you’ll be presented with a fantastic Data Connector information panel, as shown in the next image. This gives you a quick view into the last time data was ingested for each connector.
You can read about Clive’s workbook here: Usage reporting for Azure Sentinel
The GitHub download is located here: Workspace Usage report.workbook
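For analysts who want the same "last data received" check as a query they can schedule or paste into their own workbook, here is an added KQL example; it is not code from the original post or from Clive’s workbook. The `expected` list of table names and tolerated gaps is an assumption you should replace with the connectors enabled in your workspace.

```kusto
// Added example: flag data types whose most recent ingestion is older than the
// cadence you expect, including connectors that sent nothing at all in the window
// (those never appear in a plain summarize over Usage, so they are joined in here).
let lookback = 7d;
// Assumption: tables you expect to see and the longest silence tolerated for each.
let expected = datatable(DataType:string, MaxGap:timespan) [
    "SecurityEvent",  1h,
    "Syslog",         1h,
    "SigninLogs",     2h,
    "AzureActivity",  6h,
    "OfficeActivity", 12h
];
// Usage records one row per data type per hour, so it is far cheaper to scan
// than the underlying tables themselves.
let observed = Usage
| where TimeGenerated > ago(lookback)
| summarize LastIngested = max(TimeGenerated), TotalMB = round(sum(Quantity), 2) by DataType;
expected
| join kind=leftouter observed on DataType
| extend Age = iff(isnull(LastIngested), lookback, now() - LastIngested)
| extend Status = case(isnull(LastIngested), "NO DATA in lookback window",
                       Age > MaxGap,         "STALE - check connector",
                                             "OK")
| project DataType, LastIngested, Age, MaxGap, TotalMB, Status
| order by Status asc, Age desc
```

Rows marked STALE or NO DATA are the connectors to open in the Data Connectors blade first; an OK row with an unusually small TotalMB is also worth a second look, since a connector can keep a heartbeat alive while forwarding far less than it should.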
Again, for customers that want deeper dives for Azure Sentinel, either sift through our docs platform or contact your TAM and ask about our Azure Sentinel workshop/POC.