Just wanted to say a big thanks for your continuous effort. I'm sure it's massively time consuming to put together these videos, please be assured that they are very much appreciated.
I couldn't agree more! Not only all the video are precious in the contents, but the way how things are explained, capturing the viewer attention, making much easier to remember and put the various pieces together. We all cannot thank you enough John! You are amazing 💪
Another show from John to give us a good understanding. Sometimes, we got a little confused about the scope of each tool, but John put our feet on the ground for us to grow. Thank you, John.
John, you are awesome!!! I can't thank you enough. The way you deliver everything in Azure is so unique and engaging that I haven't seen anyone else in any of the well-known e-learning platforms able to do so. Appreciate your hard work!
I just have to say that your videos are a great example of teaching. When I shared your videos with some colleagues the other day, I thought about the Albert Einstein quote (At least I think it was Einstein): If you can't explain it simply, you don't understand it well enough. Well, you clearly understand it well enough. Thank you for making these. They really make the technology understandable. Your PowerShell videos for instance, made me understand and therefore use PowerShell much more than I did before, when I just googled the commands I needed.
Man, another awesome lecture from John. Could listen and watch all day. Thanks again for creating this lecture - we all know how much time it takes (you really work your ass off ;-). Helps me do my job even better, John.
Hi John, I just wanted to thank you again for the immense effort required to put together these videos. I am happy to announce I just passed my AZ-500 exam today after three months of study and watching your videos. A million thanks or not enough!!!
really good timing on your videos recently. I have noticed a lot in my stream of work that many people think ASC and sentinel achieve the same objective and get confused, especially when talking about log analytics and how it works with ASC and sentinel. Only watched 20 mins so far but good video.
John, what you create for our community is nothing short of phenomenal. I remember I once "helped" you on some advanced networking stuff a few years ago but seeing the breath of things you cover absolutely amazes me. Keep it up!
Hey John, Thank you for putting this together. It is awesome. Just one small comment is that at @1:19 you mentioned that ASC is proactive and Azure sentinel is reactive. Actually, it is the other way round. Sentinel with built-in AI is proactive.
I still say it’s mostly other way round. Asc driven by policy is telling you things to protect to avoid attack, ie proactive, sentinel is triggered by logs which are things that have mostly happened, ie reactive. Yes sentinel has aspects of proactive but fundamentally it’s reactive. That’s also how product groups see the technology.
Another Good Video. Can't help but wonder Why MSFT makes everything so complicated and confusing. OMG, Azure Security Center, Azure Defender, Azure Sentinel, Azure Monitor, Workboos, Playbooks, Runbooks..... How does this company stay in business!! "-)
Defender is not really in scope of this. My focus was ASC and Sentinel but you can drive Defender from ASC and its results would show in ASC. Look at todays video :-)
All good stuff, but it is hard to find a course (happy to pay) that focuses on the knowledge required to pass the AZ 500 exam. Not a cram, what I'd love to see is how to approach the exam. I am happy I have covered all the security interfaces in Azure, and I can work efficiently but the logic of the exam questions is a long way from just being proficient in Azure. Some of the questions I don't feel I could ever know how to answer (question breakdown really).
You can try the" measure up"to get prepare your azure exam . The exam format is almost identical to real exam and it also provides the explanation for each answer and the referring document. It is not a cram but it examine your knowlege of specific area in Azure. I got pass without cram through measure up on every azure exam. Hope this can help .
I have a sentinel deployment planned in az gov and this was great help . Thanks John . Any chance you would consider a video with pointers on SC-300 beta exam .
Hi John, Regarding the Connectors for Azure Sentinel, what are the differences between Azure Active Directory connector and Azure Active Directory Identity Protection connector? New-AzSentinelDataConnector command only has param -AzureActiveDirectory which is for Azure AD Identity Protection connector. No param for Azur AD connector.
The docs walk through what is captured. docs.microsoft.com/en-us/azure/sentinel/connect-data-sources. AAD is the sign-in/audit type logs while IP gives security alert type info.
@@NTFAQGuy Hi John, thanks. Because it took ~3-4h for the Azure Active Directory connector to be "connected" while in Azure AD Identity Protection case it is almost instant, I was confused...Also the misleading Powershell command which uses -AzureActiveDirectory for Azure AD Identity Protection... Don't know why the hell it took so long just to connect to my test Azure AD...
I need some pointer Could you help me on these two questions? Q.1) How to get raw payload of incident related events using KQL? Q.2) How to get volume of day using API? I am new to Sentinel Thank You
there are log analytics insights that shows detail and various queries you will find from a quick search. The payload is available as part of result set from queries.
@@NTFAQGuy I was thinking of going through your playlist, Microsoft labs & practice tests. Would these help? Or do you recommend some more I should go through?
@@vishalpathak143 Depending on how well you retain information you can pass going through Microsoft labs + reading material + Savills videos. Do them at the same time (Watch PIM while going through PIM material and labs, etc.)
Hi John! As always, great video! Thank you very much! :) I would like to share a couple of considerations with you. OS Logs - Azure Security Center uses them for VM protection and it requires the deployment of a Log Analytics agent that stream such OS logs to a Log Analytics workspace. I would say that it would be smart to stream them to the same Log Analytics workspace on which Azure Sentinel sits. Would you agree? Are there any other factors to be taken into account? What do you think? Azure Sentinel Connectors - Let's take the Activity Logs as an example. What is the difference between setting the Diagnostic Settings on the Azure Subscription and streaming the Activity Logs to the Log Analytics workspace on which Azure Sentinel sits, and enabling the Azure Activity Logs Connector of Azure Sentinel? Are these two options the same thing? Or am I losing any security feature (e.g. the Analytics Rules)? Thanks once again John. This channel is awesome!
Hello Giovanni, I have had exactly the same question that you raised here. I did a bit of work and found out the below. Again I would appreciate an expert opinion to know if what I found is right. 1. Yes. That will be the smart idea so Sentinel gets the view of all raw windows logs and it can enable detections based on ML. But please note that these would have only windows event logs. Security Center doesn’t capture and store Linux workload logs. We will have to enabled that from Log analytics advance settings by switching on the Syslog and the required facilities you need. I just added this here since I didn’t know how this in the very beginning when I stated working with Azure. We can map as many workspace to Sentinel as possible. 2. This is a very common doubt one can have esp when we start using Sentinel. If we are actually storing any logs that is security relevant ( when I say security relevant, it means logs that can have security use cases and interested for securing team ) in log analytics we could just enable Sentinel on top of it. When we use a data connector what it is doing behind the scenes is to enable the diagnostic setting and switching on the stream of logs to the respective log analytics workspace that Sentinel is mapped to. So if we already have these logs streamed to a LA workspace, we don’t need to use the connector option. If we use it , I think it will cause duplication of logs. And we don’t loose out of any feature say analytics or hunting as workspace is the base or backend for all these features. I hope it helps. We could connect on LinkedIn to exchange our ideas and views if that helps. Thanks.
Hey John, great explanation skills you got there. However I was wondering if it's possible to stream the alerts and incidents to a different ticketing system like ServiceNow, ConnectWise etc.
@@NTFAQGuy Thank you John for the help. I'll try to get it done (which I'm feeling is going to be very difficult for me) but please help me with any relatable resources if you get in future. Thanks once again.
Hey John, thanks for your great instructional videos. They've helped me a great deal with Azure! Are you planning to cover the new SC-200 certification at some point in the future?