A Log Analytics workspace is a type of Azure resource in which logs are collected and stored for analysis and retention. Logs from many sources can be piped into a Log Analytics workspace, and it is one of the crucial components of Microsoft Sentinel, serving as the centralised repository for the logs. The logs are piped in using connectors and agents. A retention policy can be set on the workspace to meet compliance requirements. The stored logs are then analysed using Kusto Query Language (KQL), which is used to query and filter the data to identify patterns, anomalies and potential threats in the environment. In addition to log storage, Log Analytics workspaces offer dashboards and data visualisation options built from queries and metrics. Log Analytics integrates with Microsoft Sentinel and with Microsoft Defender for Cloud. Sentinel uses the data stored in Log Analytics workspaces to perform analysis, threat detection, threat hunting and for incident i...
A Security Operations Centre (SOC) is a centralised unit that monitors traffic, triages alerts, participates in incident response, performs threat hunting and often performs vulnerability assessments. The individuals who work in a SOC are referred to as SOC analysts. In a Microsoft Azure SOC, the analysts work predominantly with Microsoft Security, Compliance and Identity products and solutions such as Microsoft 365, Defender for Cloud, Microsoft 365 Defender and Sentinel. Let's go through the two product types that are most critical for a SOC: SIEM and SOAR. A SIEM (Security Information and Event Management) system provides centralised management and a holistic view of all events happening in the organisation by collecting and analysing logs from different sources across the organisation. A SIEM uses correlation to detect anomalies and raises alerts when its conditions are met. A SOAR (Security Orchestration, Automation and Response) platform, by contrast, helps to handle incidents efficiently and automatically by inte...
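To make the two ideas above concrete (KQL over a Log Analytics workspace, and SIEM-style correlation that turns raw events into an alert), here is an added example query that is not part of the original article and not Microsoft's own content. It assumes the workspace holds the `SigninLogs` table as populated by the Microsoft Entra ID sign-in connector, and the threshold and lookback window are arbitrary values chosen for illustration. The query correlates a burst of failed sign-ins with a later successful sign-in for the same account from the same IP address, which is the kind of condition a Sentinel scheduled analytics rule would evaluate to create an incident.

```kql
// Added example: correlate many failed sign-ins with a subsequent success
// for the same user and source IP. Assumes SigninLogs is ingested into
// the workspace; lookback and failThreshold are illustrative values.
let lookback = 1h;
let failThreshold = 10;
// Failed sign-ins: in SigninLogs a ResultType of "0" is success,
// any other value is a failure code.
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where FailedCount >= failThreshold;
// Successful sign-ins in the same window.
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated;
// Correlation step: keep only accounts whose success came after the burst of failures.
failures
| join kind=inner successes on UserPrincipalName, IPAddress
| where SuccessTime > LastFail
| project UserPrincipalName, IPAddress, FailedCount, FirstFail, LastFail, SuccessTime
| order by FailedCount desc
```

Run on its own in the Logs blade it returns a table of candidate accounts for an analyst to triage; saved as a scheduled analytics rule in Sentinel, the same query produces an alert whenever a row matches, and a SOAR playbook can then be attached to that rule to act on the incident automatically.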