Muokkaa

Jaa


Microsoft Sentinel operational guide

This article lists the operational activities that we recommend security operations (SOC) teams and security administrators plan for and run as part of their regular security activities with Microsoft Sentinel. For more information about managing your security operations, see Security operations overview.

Daily tasks

Schedule the following activities daily.

Task description
Triage and investigate incidents Review the Microsoft Sentinel Incidents page to check for new incidents generated by the currently configured analytics rules, and start investigating any new incidents. For more information, see Investigate incidents with Microsoft Sentinel.
Explore hunting queries and bookmarks Explore results for all built-in queries, and update existing hunting queries and bookmarks. Manually generate new incidents or update old incidents if applicable. For more information, see:

- Automatically create incidents from Microsoft security alerts
- Hunt for threats with Microsoft Sentinel
- Keep track of data during hunting with Microsoft Sentinel
Analytic rules Review and enable new analytics rules as applicable, including both newly released or newly available rules from recently connected data connectors.
Data connectors Review the status, date, and time of the last log received from each data connector to ensure that data is flowing. Check for new connectors, and review ingestion to ensure set limits aren't exceeded. For more information, see Data collection best practices and Connect data sources.
Azure Monitor Agent Verify that servers and workstations are actively connected to the workspace, and troubleshoot and remediate any failed connections. For more information, see Azure Monitor Agent overview.
Playbook failures Verify playbook run statuses and troubleshoot any failures. For more information, see Tutorial: Respond to threats by using playbooks with automation rules in Microsoft Sentinel.

Weekly tasks

Schedule the following activities weekly.

Task description
Content review of solutions or standalone content Get any content updates for your installed solutions or standalone content from the Content hub. Review new solutions or standalone content that might be of value for your environment, such as analytics rules, workbooks, hunting queries, or playbooks.
Microsoft Sentinel auditing Review Microsoft Sentinel activity to see who updated or deleted resources, such as analytics rules, bookmarks, and so on. For more information, see Audit Microsoft Sentinel queries and activities.

Monthly tasks

Schedule the following activities monthly.

Task description
Review user access Review permissions for your users and check for inactive users. For more information, see Permissions in Microsoft Sentinel.
Log Analytics workspace review Review that the Log Analytics workspace data retention policy still aligns with your organization's policy. For more information, see Data retention policy and Integrate Azure Data Explorer for long-term log retention.