As more and more customers use Azure Sentinel to view and respond to security alerts and threats within their organization, it becomes more important to set aside some daily, weekly, and monthly tasks to provide care-and-feeding of the product. This vigilance ensures that operations are consistently at peak performance so analysts can focus on securing the company’s assets.
Here’s our current list of daily, weekly, and monthly task suggestions. Feel free to add or retract your own depending on your own environment and what you decide is most important to your SOC operation.
In future blog posts here, I’ll dig into each of these and walk through how to accomplish them in Azure Sentinel and who in the organization might be assigned each task.
|Investigate Incidents||Investigate Incidents to determine if any Analytics Alerts rules were triggered. Set status and begin investigation. Resolve or reassign.||Daily|
|Hunting Queries and Bookmarks||Explore the built-in query results. Update existing hunting queries and bookmarks. Manually generate new or update old Incidents if applicable. Apply automation (Playbooks) where required.||Daily|
|Analytics Rules||Identify any newly released (or newly available due to recently connected Data Connectors) Analytics Rules and enable those that are applicable. Apply automation (Playbooks) where essential.||Daily|
|Data Connectors||Look through active Data Connector and verify the Last Log Received date/time is current to ensure data is flowing.||Daily|
|Log Analytics Agent||Verify the servers (or workstations) are showing a connected status in the workspace. Troubleshoot and remediate failed connections.||Weekly|
|Workbooks Updates||Verify in the Azure Sentinel Dashboard blade if an installed Workbook has an update that needs installed.||Weekly|
|GitHub Alert Rules, Workbooks, Hunting queries, and Playbooks||Visit and review the Azure Sentinel GitHub repository and explore if there are new or updated Detection Rules, Workbooks, Hunting queries, or Playbooks of value that can be added to the environment.||Weekly|
|Log Analytics Agent||Ensure the agent is up-to-date and auto-upgrades are working. For those not auto upgraded, perform a manual update.||Monthly|
|Log Analytics Workspace||Review that your Log Analytics Workspace retention policy still aligns with your current configuration. Run the Data Usage queries to help maintain costs and retention determinations.||Monthly|
|Access Review||Has your SOC team changed? Review RBAC and IAM to verify those that need access have proper access – and those accounts no longer needing access are removed.||At Least Monthly|
Have some of your own? Feel free to reach out and let me know. This is by no means intended to be a definitive list, but instead some suggestions to get you on your way. I would love to crowd-source this list to ensure it matches customer needs. We’re all better together.
I want to thank Mikko Koivunen for his contribution to this list! Mikko replied in the LinkedIn Azure Sentinel group which led to the Access Review task.