Hi, hello everyone. Thank you for coming here to the MTC theater. I know it's 4:30 right now. How's everything? How's the energy right now? Perfect, all right, OK.

So let me introduce myself. My name is Mohammed Jibril. I'm working as a technical architect. I'm coming from Dubai MTC. If you know MTC, it's Microsoft Technology Centers; you can find it up here. So, Microsoft Technology Centers: the main idea of what we are doing is we actually sit with our customers, understand the challenges that they have, and we start from there, providing them with the right solutions, removing any types of blockers. These blockers could be technical blockers or business blockers. For technical blockers, we have architecture design sessions, we have proofs of concept we could work on, we could create a workshop, we could also support them when it comes to hands-on experiences, building demos and so on. So that's mainly what we are doing in the MTC: we are technical experts, and at that point we support them when it comes to removing these blockers.

My session today is actually about the Microsoft Cybersecurity Reference Architecture. And what I'm going to do today is actually, I'll try to simplify it. It's a little bit, you know, not simple. If anyone saw the reference architecture for cybersecurity before, yeah, I think people know what it looks like. So what I'm going to do is try to simplify it, and I'll try to show you, with, like, 3 dashboards or 3 portals, how you could actually access these security controls, how you could enable them, and how we could protect your environment at that point. So that's exactly it: if you stick around with me, you'll have only 3 dashboards, and from these dashboards you will have, like, most of the controls available in your hands, right.
So let me just start with my agenda here. So first of all, I just want to set the stage and just give you, like, an overview about the threat landscape and what's happening: who are the bad actors, what they are doing, what they are creating, what they are developing, and what they actually want to reach, all right? What is actually their target, OK? Then I'll start talking a little bit about the reference architecture, but here I'm going to divide it into 5 main parts, and this is how I'm going to simplify it, I hope so. So the first part will be how we could secure the infrastructure, how we could secure the identity, how we could secure the endpoints, and how we could also encrypt our data. And then I will show you how you could have, like, a bird's-eye view when it comes to the security operations. You can have only one dashboard that will show you all of this. OK. So as I said, it's only 3 dashboards that we will go through for all of these 5 pillars, right.
So if I start first of all with the cybersecurity landscape, or the threat landscape: we'll start first of all with the adversaries, all right. These are the people who are creating the threats. Right, these people could be hackers, could be crackers, right, pretty dangerous. But what's more dangerous here is when we start talking about governments, we're talking about cybercriminals, spies. So here it becomes really dangerous, because these people have a lot of money, they have the power and they have the patience, so they could build or develop an attack and wait and see what will happen. These are the types of threats that are created, so you could see the phishing. I know most of you saw these types of attacks: phishing, adware, spyware. But it becomes more sophisticated and complex when it comes to zero-day attacks, advanced threats, fileless attacks. This is actually what will happen when it comes to these adversaries and what they're doing.

From the other side, so this is like the red part, all the attackers; from the other side, as organizations, what we usually do is we build layers of security. These layers of security are to prevent the adversaries reaching our assets, and I just divided the assets and so on according to what we're going to cover today, right. What they want to do is actually they want to penetrate these layers and reach the assets. And by the way, they will do it. One of the attacks will go through. There is no 100% protection when it comes to security, and that's very important, because we need to change the mindset when it comes to protection. We need to have, like, a zero-trust mindset. What does that mean? We cannot trust only our protection. We need to have a detection mechanism on top of the protection. We need also a way to solve the problems or remediate these attacks as soon as possible if we find them, if we detect them. Does it make sense? Right. OK.

So this is the part that I'm going to cover, which is the security, and how we could do that with this, OK, yeah, and I hope, you know, I'm going to cover this here. So as you can see here, there's a lot of, you know, a lot of services here, a lot of security controls.
So if I just, yeah, please, if you want to take pictures, definitely; when it's available, you could access it. It's available for everyone. And I'm going to do something else here. I'm just going to open it here, because I'm going to use the whiteboard, and let me just do that. I'm going to use the whiteboard and start, you know, drawing a little bit around here and stuff like this. So the first part that we will cover is the infrastructure, which is this area. Let me just use the whiteboard here, or the Surface Hub. So this is actually the first part that we were going to cover, right, the hybrid infrastructure. How we could protect, I'm sorry I'm giving you my back, but how we could protect the hybrid cloud infrastructure, all right. So it's easier like this, so instead of going with this one, I just took this part and extracted it here in this slide, all right.

So if we just go through here: what is the hybrid cloud infrastructure? As you can see here, most of the customers will have something like this. They have extranet servers, they have intranet servers, all right. These servers could be Linux, Windows servers, could be containers. And also, on top of the on-premises data centers, they have also 3rd-party IaaS, AWS, Google, and some of them will have Azure, right. This is the normal case here, and when it comes to the Internet servers, these extranet servers could be also from the cloud or could be from Azure. They will add these, you know, protection solutions on top of it, or appliances. You can think about it that way: next-generation firewalls and so on. It becomes really challenging for us to have visibility across all of this, to have visibility across the on-premises data centers and the cloud services. How we could do that? And at that point, our approach is that we built Azure Security Center, so Azure Security Center will give you this visibility across all of your data centers, whether it's cloud or if it's on-prem. And not only will it give you this visibility, it will also give you this other approach, which is, it will give you the protection. So visibility, protection, right, and threat detection. That's why I'm telling you this is the zero-trust approach. All right. And on top of that, you could start using other security services, which are listed here. I'm going to go through them, but through a demo instead. I will not explain it, so each of them, when I go through it, I'll just explain it. And um. The last thing also: the same appliances that we were talking about here, you will have them also available for you when it comes to Azure cloud from Microsoft. You could do that also through a secure sense. So what I'm going to do right now with Azure Security Center, we will start protecting our infrastructure. So is it good till now? So this part is clear. All right, so let me just jump into my other PC here, so that we could start going through our first demo, which is Azure Security Center to protect our infrastructure. Cool.
So let me just go to my screen here. Everyone sees what I'm having right now on the screen? All right, cool. So the first thing: if you want to go to Azure Security Center, you need to go to portal.azure.com and sign in, and you will find it here, or you could just access it also from these other pieces here. So you could just go here to Security Center, you'll find it. So I just open it, and when you open Security Center, what you will land on is the overview page. Here, from the overview page, you will have 3 layers in front of you. These layers are, first of all, the policy and compliance; the second thing here is the resource security hygiene, right; and then the threat protection.

So when it comes to the policy and compliance, this is the most important part, because the Azure Security Center is actually built on this. So it's monitoring your resources in Azure and it's updating all of the information in front of you like this. So the first part of the first layer, which is policy and compliance, is the secure score from here. This is very important. Why? Because from here you could know what's your security posture, what you need to do to enhance your security. So we are gamifying the security posture here so that you could just have this type of overview. And when you click inside the secure score dashboard, you will find it divided into 4 main categories. These categories are according to compute and apps, data and storage, identity and access, and networking resources, right.

Let me just go back again here. The second part is the regulatory compliance. From here you will find all of your regulations, the regulation standards that you need to actually meet. So if I just click on it here, it will start showing you all of the compliance assessments, to see if you are meeting these compliance assessments or not. You have these compliance assessments out of the box available for you, something like Azure CIS, PCI, ISO. And then you will have all of this data in front of you. These are exactly the rules that you need to meet. So you can see here there are failed assessments and passed assessments, and you can find all of them from here. So if I just expand this, it will tell you these are the rules, this is what you need to do, this is the assessment. So one of them, to give you an example, is that you need to enable something like MFA for all of the owners of the subscription, right. When you click on it, it will take you directly to the resource and the place where you could start enabling something like this, and when you start enabling this MFA, it will directly reflect again on your score. Is it clear?
Oh wait. So yes. So here we are not getting the data; some of them we are getting from M365, all right. But the rest is actually coming, I'll show you from where exactly we're getting this data, all right, which is from the managed compliance policies. So what's happening here by default when it comes to your Azure resources, all right: by default, when we enabled Security Center for all of the Azure resources, you will have default policies that will be applied, and these default policies are the ones which are reflecting on your score at that point. It has nothing to do with Office 365 right now, OK, so it's something different. So until now, everything here is basically, don't go for the standard tier. Until now, so all of these, so let me show it to you here, everything here is included with Azure right now. So when you have your VMs, you could actually go and enable Security Center, and you will have, like, the basic features of Azure Security Center. Unfortunately, I don't have the time to go through all of it, to tell you what are the differences between them, but at least, you know, you just got the idea of it. Yeah, from that, I'm sorry, I'm going to, if we could park the questions for after the session, because I have a lot of things to show you. Yes, all right, I'll clear it afterward for the questions.

So let me show you from where you're getting these scores, or the numbers that we were talking about: it is from the policy management here. So when you go to the policy management, it will list for you the management groups and the subscription. So the subscription, if anybody knows, the subscription is like the umbrella that will cover all of your Azure resources, all right. So when you enable Security Center for your subscription, that means that you're enabling Security Center for all of your resources. If I click on the subscription here, what you will find is it will start showing you that there is a Security Center default policy. And if you want to know about this policy, what is it, you go to the view effective policy. And from here, it will start listing for you something like, so exactly the same. You remember the categories that I showed you in the secure score? It's here right now, so compute and apps, sorry for that, you could go network, data, and identity. And if I just go through one of them, just to give you an example, so you can see here: it's "Monitor missing endpoint protection". If I just hover with my mouse here, and just let me just go here and just hover again, it's running away from me. All right, so you can see here Azure Security Center will assess whether VMs are missing the endpoint protection agents or not. So this is the policy that will apply; if it didn't meet this policy, it will start alerting you in Azure Security Center.

If I'll just go back again here, the second part which I showed you, which is related to the industry: from here you find the out-of-the-box, these three regulations that are available, but also what is cool right now, this is something new that has been announced at Ignite, that you could add more standards. From here, if I just add more standards, it will show you other available regulations that you could add from here. OK.
So let me go back. The last thing I want to show you here: not only will you have the default policies that will be applied from Azure Security Center, you could also add and customize your own policies. You could add certain policies that you are looking for, and this is also something announced at Ignite. If I just click here also, what you will get, it will list for you all of the customized policies that have been created. But also you could go on and create your own policy from here. So the policies, what is it? It's actually rules that will apply across your subscription. What does it mean? So something like, I'll show you one example right now. So first of all I need to define where is the location of this policy, or where this policy will apply. I will choose here the subscription, all right. And what will happen when I select this subscription: it will start loading for you all of the available built-in policies or the custom policies that you could create, all right. So you can see here the built-in policies, something like "Audit virtual machines without disaster recovery configured", so any virtual machine that doesn't have disaster recovery configured is audited for us, just giving us, like, the alerts for something like this. Is it getting clear here? All right, OK.
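To make the "policies are rules that apply across your subscription" point concrete, here is an added example of a custom Azure Policy definition in the JSON format Azure Policy uses; it is not from the talk or from Microsoft's built-in set. It audits any network interface that has no network security group attached, which is the same condition behind the Internet-facing VM recommendation shown later in the demo. The alias name `Microsoft.Network/networkInterfaces/networkSecurityGroup.id` comes from my knowledge of Azure Policy aliases, not from the talk, so verify it with `Get-AzPolicyAlias` before assigning the definition.

```json
{
  "properties": {
    "displayName": "Audit network interfaces without a network security group",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Flags NICs that have no NSG attached so that exposed VMs surface as audit results.",
    "metadata": {
      "category": "Network",
      "note": "Added example for this talk; the alias below is assumed, confirm with Get-AzPolicyAlias."
    },
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "Audit",
        "allowedValues": [ "Audit", "Disabled" ],
        "metadata": { "displayName": "Effect", "description": "Audit records a non-compliant result; Disabled turns the rule off." }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Network/networkInterfaces" },
          { "field": "Microsoft.Network/networkInterfaces/networkSecurityGroup.id", "exists": "false" }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

Assigning this at the subscription scope, as the talk does with the built-in policies, makes every NIC in the subscription show up as compliant or non-compliant in the policy compliance view.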
So this is the first part. If I'll just go back to my beautiful diagram here, so this is actually the first thing that we covered. So I just gave you an overview about the Azure Security Center and I just covered the first part, which is Azure Policy. Now we'll start going through the rest as fast as I can, right.

So the second part which I will talk about is Azure Key Vault. Does anybody know what is Azure Key Vault? Yeah, Azure Key Vault, just briefly, it is actually the place where you could start managing your keys, you could start managing your secrets, these secrets or your certificates, and you could start assigning these keys and certificates to different resources, right. So, if we want to start, you know, working on Key Vault right now, start, you know, understanding what's happening: so from here, when you go to the resource security hygiene and you go to the recommendations, it will show you high severity recommendations and medium severity. So if I click on one of the recommendations, it will give you an overview of all of your alerts that you have across your subscription. As you can see here, these alerts could be identity alerts, could be data and storage alerts, could be virtual machine alerts, and so on. So let's say right now I know that I have key vaults and I want to know what's happening with these key vaults across my tenant right now, or across my subscription, as a security admin. So I'll just search for "key vault" and see. Yeah, it seems that I have some problems when it comes to the key vaults here. One of them is that diagnostic logs in Key Vault should be enabled, because I want to audit what's happening with these specific key vaults. One of the very handy features that is available right now is quick fix. When I click on quick fix, what will happen: it will enable for me the diagnostics for the key vault directly from here, and it will enable it across all of my key vaults. So let's say I have 5 of them; the diagnostics will be enabled across the five key vaults that we have.

But I just want to show you manually how we could do that. If I click on it here, first of all Azure Security Center will give you this overview: a description of what exactly you need to do, the general information, and how it will reflect on your score. And then, which is very important here, it will show you what are the threats if you don't enable something like this, right, so what the bad actors could do right now. And from here it shows the remediation steps, either it's a quick fix remediation, and if you want to go a little bit further here and I want to know exactly how does it look like, what's happening in the back end, if you just click on the view remediation logic, you will find here the JSON script that will run to execute something like this for all of the unhealthy resources. And the last thing that you will have here is the unhealthy resources. It will list for you the healthy and the unhealthy resources; these are key vaults. And when you click on the key vault here, and everybody sees what I'm doing? Yeah. When you click on the key vault, you can see it. It will give you first of all an overview about what you have, and it will show you all of the settings that you have. And then you could start enabling something like the diagnostic settings. It will show you the remediation steps, exactly what you need to do when it comes to the remediation steps.
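The quick fix above deploys a template against every unhealthy key vault; as an added example (not the remediation logic shown in the portal, and not Microsoft's own template), here is a minimal ARM template that does the same manual step the talk walks through: it turns on the Key Vault `AuditEvent` log and metrics and sends them to a Log Analytics workspace. The parameter names `vaultName`, `workspaceId` and `settingName` are my placeholders; the resource type and API version are the standard ones for resource-level diagnostic settings.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaultName": {
      "type": "string",
      "metadata": { "description": "Name of the existing key vault to audit (placeholder, supply your own)" }
    },
    "workspaceId": {
      "type": "string",
      "metadata": { "description": "Resource ID of the Log Analytics workspace that receives the audit log (placeholder)" }
    },
    "settingName": {
      "type": "string",
      "defaultValue": "keyvault-audit",
      "metadata": { "description": "Name of the diagnostic setting created on the vault" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
      "apiVersion": "2017-05-01-preview",
      "name": "[concat(parameters('vaultName'), '/Microsoft.Insights/', parameters('settingName'))]",
      "properties": {
        "workspaceId": "[parameters('workspaceId')]",
        "logs": [
          {
            "category": "AuditEvent",
            "enabled": true,
            "retentionPolicy": { "enabled": false, "days": 0 }
          }
        ],
        "metrics": [
          {
            "category": "AllMetrics",
            "enabled": true,
            "retentionPolicy": { "enabled": false, "days": 0 }
          }
        ]
      }
    }
  ]
}
```

Once the `AuditEvent` category lands in the workspace, every key, secret and certificate operation against the vault (including denied ones) is queryable, which is what the "diagnostic logs in Key Vault should be enabled" recommendation is asking for.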
If I'll go next to the next part of our beautiful diagram here: so we covered the key vault right now. What I want to show you right now is how we could protect right now the virtual machines and the virtual network, right. So these virtual machines could be on premises or could be in the cloud. So how we could do that? So, as a security admin, the first thing I want to do is go, not only to the overview, I'll just go to the compute and apps resources, which is actually the virtual machines and all of the available resources when it comes to compute. So you can see here you have the VMs and computers, you have the VM scale sets, you have the cloud services, the app services, and so on, and also you have the list of vulnerabilities or weaknesses that are available in your infrastructure. So I just go by here, just, you know, changing the severity, and just showing, I want to go to prioritize right now. So as you can see, when I start doing this, I have 4 failed resources for virtual machines right now, and I could start, you know, going through each of them. One of them, I can see here, I need to encrypt the disk of these virtual machines, right, and let's see why we need to do something like this. If I click on it, it will take me to the same page like the key vault here. But here it gives you a description about something like Azure Disk Encryption. It's leveraging something like the industry standards BitLocker and DM-Crypt when it comes to Linux virtual machines, and it will give you this general information. But here it will give you the threats if you don't enable something like storage encryption. And it will show you also the unhealthy resources. But what is very cool here is that I could just click on the unhealthy resource, which is one of the virtual machines; it will take you directly to the disks, and from here I could encrypt my disk. So this is how easy it is: I just, you know, went through just three steps, and right now I could start, you know, encrypting my disk.
So when it comes to the next thing: so right now we covered the encryption of the disks. So if I just go back here also to the compute and apps resources, and let's start enabling something like anti-malware. We need to enable something like anti-malware to detect or to find any kind of malicious software or viruses on the virtual machines. And how we could do something like this? Let's also go to the same virtual machine that I was showing you right now. Let's just go to the severity again, which is the, I'll just go to this one, and I'll open the same virtual machine. If I want to enable the anti-malware, I just go to extensions, and from extensions here I just add and search for the Microsoft Antimalware. I just open it here, and what will happen: I could create this and it will enable it for me directly on the virtual machine, this virtual machine specifically. So it will detect for me viruses, spyware, malicious software, and it will alert me and show me what is actually happening when it comes to these virtual machines.

So what is next right now? We protected our virtual machines, we protected our infrastructure. We want to go to the next thing, which is we want to protect our network. How we could do that? Also, you go to the networking resources, and from the networking resources here you will get a network map about what's happening when it comes to the infrastructure, and also you will find the list of recommendations that you need to take here. One of the listed recommendations here is something like, that we have a virtual machine that is actually facing the Internet, right, and we need to make sure that we have, like, a network security group applied on this specific virtual machine, because it's facing the Internet, right. And if I go also to this virtual machine, it will take me to the networking, and from the networking here I could start adding something like inbound port rules and outbound port rules, right. I could allow, deny, and so on. So I could, for this specific virtual machine which is very important for me, it's very critical, so I need to make sure that in this virtual machine nobody could access it except with an RDP protocol. That's it. I could do that from here, right.

When it comes to the networking also, if I want to enable something like DDoS protection: DDoS protection will be enabled by default when it comes to the Azure data center. But if I want to start monitoring the DDoS attacks that are happening on my virtual machines, I could do that also from here, by just going to the virtual network, and from the virtual network here I will enable the standard option directly from here. All right.
The last thing that I want to talk about here when it comes to Azure Security Center, and then we will jump into the next dashboard, is this, which is the threat protection. So from the threat protection here it will show you also the security alerts that you have, and these security alerts by severity. So if I just click on it and go further and have more in-depth insights, you can see here it will show you the high severity attacks, the medium and the low, and it will list for you all of this. So I just click on one of them: it will give you an overview, a description about it, give you exactly which virtual machine had these attacks. And if I just go to the incidents related to this specific attack here, like "anti-malware action failed", you will have more information about it. It will tell you that Microsoft anti-malware encountered an error, and it's on high severity here, and you can see the attacked resource is this specific machine, and detected by Microsoft anti-malware, and it will show you the file path. What is very important here: it could trigger something like a Logic App, which will automate for you how to remediate this specific attack, or something like this. Right.

So that's it when it comes to how you could start, you know, protecting your infrastructure and how you could actually work on something like this. Is it clear right now, a little bit, and from where you could, this is like a start. You know, from here you could start doing this part, you know, protecting your infrastructure. Right. Clear? Yeah. Nobody is answering, OK, OK. So let me just go back again to my... So, where is it? Here we go.
So this is the first part that I was talking about. So what's next right now? The second dashboard that I will talk about right now, it will cover a lot of software as a service. So the second dashboard, which is the M365 security dashboard: in the M365 security dashboard, you could have a view of visibility across these parts, which is all of your clients and the devices that you have across, and you will have visibility when it comes to the Defender ATP, or your Windows Defender when it comes to something like antivirus, or, you know, something like Microsoft Defender ATP. The second thing also, you will have an overview when it comes to the information protection, and from here you will have, from one place, you could start encrypting your data, your files, right; you could encrypt also your SQL databases; you could also mask it. And the 3rd part also that you will have here is the identity and access management, and from the identity and access management here you have a lot of other controls that you could apply, something like Azure AD Identity Protection, enabling something like multi-factor authentication. But what is cool that I'm going to show you when it comes to the M365 dashboard: it will give you also a score, and from this score you could understand the posture and what you need to do and what you need to apply. The last thing that I will talk about in this specific dashboard is the software as a service. Does anybody know CASB? Cloud App Security, all right. So this is our, it will take you to the Cloud App Security from one place, and in the Cloud App Security here you will have visibility across all of your cloud applications, and when you have this visibility across all of your applications, you could start pushing some controls, you could start, you know, finding any types of abnormal behaviors when it comes to using these cloud applications, right. OK.

So, if I'll just go through them right now: so this is from the identity access management; this is actually, I'm going to show you how you could enable all of these solutions. From the information protection, the same idea here: you will have, first of all, the ability to build your own labels to encrypt the solutions. And the last thing is the SaaS applications here, all right, and the devices, sorry for that.
So let me just open M365 security. Did anybody see the M365 dashboard before? All right, cool. So let me just open this, and here it is. So you go to security.microsoft.com, and from here you will land on this page. The first thing which is very important for us. Sorry. Thank you so much. Let me just go back here. So you go to security.microsoft.com, all right, and from security.microsoft.com the first thing that you will have here is the secure score, and from the secure score you'll have a lot of information on how we could improve your score, which is improving your security posture. So if you go here and click on "improve your score", this is what you will get here: so you get the list of what actions you need to take to improve your score. These actions could be categorized according to what I showed you before, which is identity, applications, right, and also data. So from here you could start enabling a lot of stuff. I'll just give you one example, something like "require multi-factor authentication for Azure AD privileged users", all right. If you just click on it, it will take you to this page, and in this page you could start managing how you could enable something like this. If you just manage it from here, it will take you to the portal, and from the portal here you could enable something like conditional access. The main idea, I don't want you to just understand what is conditional access; the main idea, I just want you to know from where you could do that. All right.

If I just go back again to our score here, I want to improve my score. The next thing that I want to show you here: how we could enable something like encrypting the data. So if I just go here to something like the data here, so we can see you need to apply something like IRM protections to your documents. So from here you could do that. If you click on manage, it will also take you to the area where you could start managing something like this. It will tell you how you could do that, and how we could actually restrict something like this. OK. Let me just go back.

And the last thing that I want to show you here, when it comes to the applications, which will take you to the Cloud App Security, right. So I just go back again to my score, improve your score, and when it comes to the improve your score here, I just want to go to something like "use Cloud App Security to detect anomalous behavior" when it comes to your applications. So if I click on it, manage, it will take me to Cloud App Security, and Cloud App Security is one of the great solutions that we have, because it will give you visibility across all of your cloud applications, what actually the users are doing with these cloud applications. So it will land you here on all of the alerts that have been detected, all right, from these discovered applications. So these are the listed applications that you have, with the score and everything, and these alerts that you are receiving when it comes to the abnormal behaviors across these applications. All right.
So you're getting the idea right
now from where we could do that
and we went from where we could
start you know, so right now,
we protecting our infrastructure.
We are protecting our identity.
We are protecting the we are
encrypting our data right now and
we are protecting the devices.
I didn't talk about the devices here.
The last thing I want to show
you when it comes to the devices.
That also from the same landing page here.
You could go on and find something like.
Device compliance an from the device
compliance you will understand here.
What's happening when it comes to the
the manage devices that you have these
manage devices could be Android devices
could be iOS devices could be windows,
so if I click on it.
It will take you directly also
to end soon and from intune Here
start managing and building your
policies your compliance policies.
Your configurations and from here directly
could start evaluating what's happening
when it comes to these devices right?
The last thing that I want to show you here.
Is the devices that are under attack?
Which is Microsoft defender ATP in Microsoft
defender ATP here you'll have this overview?
Which will give you a security operations
give you the active alerts the high
active alerts on the medium and the low.
And directly from here,
you could take actions like
going to one of the alerts.
On one of the attacks.
And when you go to this attack here,
you could start understanding what
happened exactly to which device so
first of all you will have it will
show you the voice and what is exactly
the attack and it will give you an
overview and a description about that
type of attack and what is actually the
recommended actions from you to start
remediating this attack, but what is
cool here is it also automates this for
you, so from here it will
automatically investigate for
you and also it will show you it
will give you the option that you
could automatically remediate.
This this issue,
which is this file So what will happen here.
It will directly quarantine this file
for you right or it will give you the
option that you as an admin would
take the action as you can see here.
When I clicked on it, what happened.
It will take you like this to this
graph that will show you so let me just.
Here.
Here we go, so it'll show you that it seems
that this machine was under attack
and these are the types of files
that have been analyzed.
Alright, and from here,
it will give you all of the data
and you could go through the alerts
and the machines and you can see
what happened here.
If I just go back again to
the investigation graph.
It will show you?
What are the files that have been
monitored and the processes and
the IP addresses and so on? Clear.
All right.
So the next and the last thing
that I want to talk about today.
Is the security operations so all
of what I talk about right now?
is you could actually connect
it directly to a SIEM solution,
which we call
Azure Sentinel. Does anybody
know Azure Sentinel?
Anybody used it before all right,
so I think so.
You could understand how good it
is, so Azure Sentinel, as you can see,
so I covered Cloud App Security.
I talked about Azure Security Center,
Microsoft Defender, so you could
actually correlate all of this data
into Azure Security Center, Azure
Sentinel, and from Azure Sentinel
You could start you know using it
as a SIEM solution and as a SOAR
solution, right? So let me show you
how it looks like and where
you could access it?
Let me go back to my screen here.
So if you want to access also Azure
Sentinel, it's in azureportal.azure.com.
And you will find it.
Directly here also so either you will
find it here or you need to add it.
So you need to search for it and add it.
Azure Sentinel is actually built
on Log Analytics, so, if you have
Kusto Query Language and you
know about Kusto Query Language,
you could actually query and start
executing a lot of incidents here and
start taking actions accordingly,
so the first thing that will you
will have here is the overview
about all of the alerts that you
have across your organization?
You will have also the incidents that
happened across your organization,
but where are we getting this we are
getting this data or these information
from the data connectors here so we need
first of all to connect the appliances.
The applications that you have
and you can see here there is a
list of them available for you,
that you can start using these
lists could be like 3rd party
like something like Barracuda,
something like as you can
see Amazon Web Services.
And here you could add your Azure
Active Directory Office 365 you.
as the solution, and what will
happen is it will correlate all of this
data for you and it starts showing
you something like this overview.
And what is very interesting that you
could start querying these types of you
know if there is an abnormal attack
or there isn't any type of attack.
You could start query.
Something like this by going through
the logs here and from the log.
you could start running these queries.
I just give you 1 example of
this how it will look like.
I just saved one of the queries that I have
built before which is I want to show here.
What are the new incidents week over
week so I want to compare the last
week by compare it with this week?
What is the incidents that I'm receiving
here so I'll just go here and query.
From the saved queries here,
I just saved some of the queries that I have.
And one of them,
which I have saved here is week
over week query and you can see
this is how it will look like.
So you could go here for
this security events.
And you could see where exactly it's time
generated it's 14 days ago and I want
to summarize the information that I have.
And I want to show it,
actually in a in a table.
Alright so let me run this
query and see what will happen.
Go back here.
So it's getting my data. All right.
It shouldn't take so much time because
these are like very simple data.
They'll need more than this.
Let me try to run it again.
Right it seems that there is something
wrong with this environment right now.
I need to refresh.
It and something like this,
but I don't have that much time.
Let's give it let me show you
something else and return back
to it in the end all right.
So if I just want to show you the
last thing here when it comes
to specifically Azure Sentinel.
That let's say we want to go to
one connected specifically and
you don't want to go through all
of the incidents that you have.
You could just go to the workbook
here and from the workbooks you will
find several templates available
that you could start using?
I'll just give you an example for
one of the templates like Palo Alto.
So this is not Microsoft.
I just added this connector right now.
And I have the view saved workbook
here and from the view saved workbook.
It will start listing for you all
of the incidents that Palo Alto
Detected. So we just give it.
So it seems that the Internet is a
little bit slow as you can see here it
starts showing you the threats by subtypes.
The wildfires verdicts and so on,
and it will show you overtime.
What's happening across your appliance
and if you go further than that.
You could see the threat events
and where are these threat events?
And so on.
The last thing I want to
show you I'm sorry for that.
I told you that I promise you that
was the last thing but there's
something else very important,
which is actually the incidence.
So from here, because
It's getting the data for you,
you could see all of the incidents
that are happening across your?
Appliances your services and so on,
so one of them is something like
anomalous login when I click on it here.
And start investigating.
It will start showing you.
This graph that there's an
anomalous login happened from Darcy.
And if I want to know what's
related to Darcy right now.
If I just go to the related alerts.
From here, I could see that it seems that
there's a suspicious PowerShell Command
had been running from Darcy and she was
running this actually on one of the?
One of the devices if I just go to the
related alerts here it will show you.
It seems that this device had this
script and if I click on this script.
It will show you what,
exactly the type of attack here.
And if you want to start.
Automatically remediating this problem,
you will need something like.
The playbooks here, and the playbooks are
actually built on something called
Azure Logic Apps. Logic Apps here,
you could start building
Some, like a flow on how to remediate
this issue or this attack. All right.
And that's it when it comes to
the demos and the session today.
I know it was very heavy for 4:30.
But did you get the idea at least?
Yeah. All right. Thank you so much. So.
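As an added example, not the speaker's saved query, here is a KQL query of the kind described in the demo above: it compares SecurityEvent activity in a Sentinel (Log Analytics) workspace week over week and surfaces activity types that are new this week, assuming the SecurityEvent table is fed by the Windows security events data connector.

```kusto
// Added example (not the speaker's saved query). Assumes the SecurityEvent
// table is populated by the Windows security events data connector.
SecurityEvent
| where TimeGenerated > ago(14d)
| summarize
    LastWeek = countif(TimeGenerated <= ago(7d)),
    ThisWeek = countif(TimeGenerated > ago(7d))
    by Computer, Activity
| extend Delta = ThisWeek - LastWeek
// keep activity types seen on a host this week but not in the week before
| where LastWeek == 0 and ThisWeek > 0
| order by ThisWeek desc
| render table
```

Dropping the `where LastWeek == 0` line gives the plain week-over-week delta for every host and activity type instead of only the new ones.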
