Hey. Welcome to my presentation at TEC 2022, Virtual TEC. My session today is about how to protect Microsoft Teams and SharePoint against cybersecurity threats using Microsoft Sentinel. My name is Ragnar Heil. I'm a Microsoft MVP and also partner channel account manager at Quest Software for the EMEA region.
I live with my family here in Germany, in the middle of Europe, and I'm also a blogger. I blog at ragnarheil.de. I've got a Hybrid Virtual Work Tour membership, and I also have a biweekly news show about the modern workplace and Microsoft Teams called the Alex and Ragnar Show. I'm also a Viva Explorer, in case you're interested in Microsoft Viva.
Today's agenda is to explain to you what Microsoft Sentinel is. What are the main differences from a classic SIEM solution? What are the major phases in a Sentinel project? What are the configuration steps: analytics, logs, incidents, hunting? I will show you the difference between playbooks, workbooks, and notebooks, what's in it for you in case you're using Teams and SharePoint, and how you can visualize your cybersecurity reports using Power BI. And finally, I will wrap up with the resources.
Let's start with the introduction to Microsoft Sentinel. And the most important question, maybe not for you, but I had this question: is Microsoft, with Sentinel, actually offering a SIEM solution? Because Sentinel runs in the cloud. It's fully scalable, extremely scalable, and it really has low administration overhead.
No installation is required. It just runs, pay as you go, and the setup can be done within a few minutes. I checked it. It didn't take longer than getting a fresh cappuccino out of my coffee machine.
In case you want to try it immediately, there are free trials available. It only becomes commercial, and you'll have to pay for it, in case you want to use more data sources, commercial data sources, and also premium connectors. In case you want to make sure that you're not running over budget, there is a monitoring tool available to help you stay within your budget.
Microsoft Sentinel is a holistic solution designed for specialists working in a SOC, a security operations center. So it's a very specialized product. So maybe you are working in Microsoft Teams and SharePoint teams, and you definitely have to talk to your SOC colleagues, or maybe your SOC team and your modern workplace team are already working closely together. That would be the best case.
Sentinel starts with harvesting, collecting, and querying log files. It then detects correlations, patterns, and anomalies and creates alerts and incidents. So it starts by creating visibility through collection, then goes from the collection phase into the detection phase, analyzing, hunting, and then investigating incidents and responding with automation, helping you to save time and be faster at detecting threats.
The architecture looks like this. There is the core of threat management and its configuration. Threat management has modules like incidents, workbooks, hunting, threat intelligence, notebooks, and so on, and they use Azure workbooks. They also use a query language called Kusto, KQL, and it's based on the MITRE ATT&CK framework.
It can be configured on the connector side, the automation side, watchlists, settings, using third-party tools, using Microsoft-native tools, using Logic Apps from Azure, and also always Log Analytics. If you want to go deeper into more advanced things, then you can also use Python and external libraries in Jupyter Notebooks.
A few recommendations I can give you around workspace design: you want to have conversations and discussions around data sovereignty and the compliance standards from your regulators, in case you're in a regulated industry. You'll also want to think about multi-tenant environments. Maybe your organization is going to acquire other organizations, you're currently in an M&A project, or you want to carve out. These are all very important topics which you have to consider when using Sentinel.
Data ownership. Who owns the data? What are the data boundaries? Which subsidiary and which department is using which kind of data, and who has official ownership? Then make sure that you also talk about the different data retention policies in each department and each subsidiary. And in case you are a partner, working in services, and you also have MSP requirements, then make sure that your MSP requirements are fulfilled by the workspace settings and the design recommendations.
Access, permissions, and roles are always very important. We are going to have a conversation about which roles I can recommend to you. They shouldn't be too fine-grained.
They shouldn't be too broad and wide. So here you need to find the right mixture of access controls: not to give too few permissions and not to give too many permissions.
A quick start with data sources and connectors, so how you can easily and quickly start using Microsoft Sentinel, would be to use Azure Activity logs. That is actually the basic foundation of data sources. In the Office 365 audit logs, you can use SharePoint activities, Exchange admin activities, and Teams activities.
You can also use the security alerts from Defender for Office 365, Defender for Cloud, Defender for Identity, Defender for Endpoint, and Defender for Cloud Apps. And if you're not really sure about the quality of the connectors, there is a tool called Connector Health Checks, which will ensure that the connectors are robust, working, and stable.
Connectors for third-party products are available. There are many. That's a big value of using Sentinel. And if you're not happy with the current offering of third-party connectors, you can also write your own connectors. The Codeless Connector Platform is available, or custom connectors with more code than just codeless.
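As an added example that is not part of the talk or its slides: once the Office 365 connector is enabled, the SharePoint, OneDrive, Exchange and Teams audit events described above land in the `OfficeActivity` table of the Log Analytics workspace, and KQL is how you query them. The hunting query below flags users who downloaded an unusually large number of distinct SharePoint or OneDrive files within one hour, a pattern worth checking for data collection before exfiltration. The threshold of 50 files and the one-day look-back are assumptions for illustration and should be tuned to the tenant's normal behaviour.

```kql
// Added example, not from the talk. Hunting query over the OfficeActivity table
// that the Office 365 connector populates. It flags users who downloaded an
// unusually large number of distinct SharePoint/OneDrive files within one hour.
// The threshold (50 files) and the look-back (1 day) are assumptions; tune them
// to your tenant's baseline before turning this into a scheduled analytics rule.
let threshold = 50;
let lookback = 1d;
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload in ("SharePoint", "OneDrive")
| where Operation in ("FileDownloaded", "FileSyncDownloadedFull")
| where UserType == "Regular"          // skip service and system accounts
| summarize
    DistinctFiles = dcount(OfficeObjectId),
    SampleFiles   = make_set(SourceFileName, 10),
    ClientIPs     = make_set(ClientIP, 5),
    Sites         = make_set(Site_Url, 5),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by UserId, Window = bin(TimeGenerated, 1h)
| where DistinctFiles > threshold
| project Window, FirstSeen, LastSeen, UserId, DistinctFiles, ClientIPs, Sites, SampleFiles
| order by DistinctFiles desc
```

Run it from the Logs or Hunting blade first; if the results are clean, the same query can be saved as a scheduled analytics rule so that hits become incidents, mapped to the MITRE ATT&CK Collection or Exfiltration tactics. If it returns nothing at all for a busy tenant, check the connector itself before trusting the silence: the health checks mentioned above write their results to the `SentinelHealth` table, which can be queried the same way.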
Let's talk