Introduction
Imagine that you're a security engineer for Contoso, Ltd., a midsize financial services company in London with a New York branch office. Contoso uses the following Microsoft security management products:
- Microsoft 365
- Microsoft Entra ID
- Microsoft Entra ID Protection
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Identity
- Microsoft Defender for Endpoint
- Microsoft Defender for Office 365
- Intune Endpoint Protection
- Azure Information Protection
Contoso uses Microsoft Defender for Cloud as threat protection for resources that run on Azure and on-premises. The company also monitors and protects other non-Microsoft assets.
Recently, the company's Azure Activity log showed that a significant number of VMs were deleted from the Azure subscription. You need to analyze this occurrence and be alerted when similar activity occurs in the future.
Microsoft Sentinel is a cloud application that can help you protect Contoso's resources. In this module, you learn how to use Microsoft Sentinel to create and investigate an incident when a Contoso user deletes an existing VM.
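As an added example that is not part of this module, here is the kind of Microsoft Sentinel analytics rule query (KQL) you could build for the VM-deletion scenario above: it reads the Azure Activity log from the AzureActivity table and groups successful VM deletions by the identity that performed them. The one-hour lookback and the threshold of three deletions are assumed values, not figures from the scenario.

```kusto
// Added example, not code from the Microsoft Learn module.
// Surfaces callers who deleted several VMs in a short window so that each
// scheduled run can raise an incident with the account and IP as entities.
// Column names follow the standard AzureActivity schema; the window and
// threshold below are assumptions you would tune for your environment.
let lookback = 1h;
let threshold = 3;   // alert once a single caller has deleted this many VMs
AzureActivity
| where TimeGenerated > ago(lookback)
// Only the VM delete operation, compared case-insensitively
| where OperationNameValue =~ "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE"
// Keep the completed deletion, not the "Start"/"Accept" records of the same action
| where ActivityStatusValue =~ "Success"
// Pull the VM name out of the resource ID for readable incident evidence
| extend VmName = extract(@"/virtualMachines/([^/]+)$", 1, _ResourceId)
| summarize
    DeletedVms  = make_set(VmName),
    DeleteCount = dcount(_ResourceId),
    FirstDelete = min(TimeGenerated),
    LastDelete  = max(TimeGenerated)
    by Caller, CallerIpAddress, SubscriptionId, ResourceGroup
| where DeleteCount >= threshold
| order by DeleteCount desc
```

When you save this as a scheduled rule, map Caller to the Account entity and CallerIpAddress to the IP entity so the resulting incident carries the evidence the later units of this module investigate.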
Learning objectives
- Learn about security incidents and Microsoft Sentinel incident management.
- Explore Microsoft Sentinel incident evidence and entities.
- Use Microsoft Sentinel to investigate security incidents and manage incident resolution.
Prerequisites
- Familiarity with security operations in an organization.
- Basic experience with Azure services.
- Knowledge of operational concepts, such as monitoring, logging, and alerting.
- Basic knowledge of Microsoft Sentinel rules.
Note
If you choose to do the optional exercise in this module, you might incur charges in your Azure subscription. To estimate the costs, see Microsoft Sentinel pricing.