Just wanted to say a big thanks for your continuous effort. I'm sure it's massively time consuming to put together these videos, please be assured that they are very much appreciated.
I couldn't agree more! Not only all the video are precious in the contents, but the way how things are explained, capturing the viewer attention, making much easier to remember and put the various pieces together. We all cannot thank you enough John! You are amazing 💪
Another show from John to give us a good understanding. Sometimes, we got a little confused about the scope of each tool, but John put our feet on the ground for us to grow. Thank you, John.
I just have to say that your videos are a great example of teaching. When I shared your videos with some colleagues the other day, I thought about the Albert Einstein quote (At least I think it was Einstein): If you can't explain it simply, you don't understand it well enough. Well, you clearly understand it well enough. Thank you for making these. They really make the technology understandable. Your PowerShell videos for instance, made me understand and therefore use PowerShell much more than I did before, when I just googled the commands I needed.
John, you are awesome!!! I can't thank you enough. The way you deliver everything in Azure is so unique and engaging that I haven't seen anyone else in any of the well-known e-learning platforms able to do so. Appreciate your hard work!
really good timing on your videos recently. I have noticed a lot in my stream of work that many people think ASC and sentinel achieve the same objective and get confused, especially when talking about log analytics and how it works with ASC and sentinel. Only watched 20 mins so far but good video.
Hi John, I just wanted to thank you again for the immense effort required to put together these videos. I am happy to announce I just passed my AZ-500 exam today after three months of study and watching your videos. A million thanks or not enough!!!
Man, another awesome lecture from John. Could listen and watch all day. Thanks again for creating this lecture - we all know how much time it takes (you really work your ass off ;-). Helps me do my job even better, John.
John, what you create for our community is nothing short of phenomenal. I remember I once "helped" you on some advanced networking stuff a few years ago but seeing the breath of things you cover absolutely amazes me. Keep it up!
Hey John, Thank you for putting this together. It is awesome. Just one small comment is that at @1:19 you mentioned that ASC is proactive and Azure sentinel is reactive. Actually, it is the other way round. Sentinel with built-in AI is proactive.
I still say it’s mostly other way round. Asc driven by policy is telling you things to protect to avoid attack, ie proactive, sentinel is triggered by logs which are things that have mostly happened, ie reactive. Yes sentinel has aspects of proactive but fundamentally it’s reactive. That’s also how product groups see the technology.
Another Good Video. Can't help but wonder Why MSFT makes everything so complicated and confusing. OMG, Azure Security Center, Azure Defender, Azure Sentinel, Azure Monitor, Workboos, Playbooks, Runbooks..... How does this company stay in business!! "-)
All good stuff, but it is hard to find a course (happy to pay) that focuses on the knowledge required to pass the AZ 500 exam. Not a cram, what I'd love to see is how to approach the exam. I am happy I have covered all the security interfaces in Azure, and I can work efficiently but the logic of the exam questions is a long way from just being proficient in Azure. Some of the questions I don't feel I could ever know how to answer (question breakdown really).
You can try the" measure up"to get prepare your azure exam . The exam format is almost identical to real exam and it also provides the explanation for each answer and the referring document. It is not a cram but it examine your knowlege of specific area in Azure. I got pass without cram through measure up on every azure exam. Hope this can help .
I have a sentinel deployment planned in az gov and this was great help . Thanks John . Any chance you would consider a video with pointers on SC-300 beta exam .
Hi John, Regarding the Connectors for Azure Sentinel, what are the differences between Azure Active Directory connector and Azure Active Directory Identity Protection connector? New-AzSentinelDataConnector command only has param -AzureActiveDirectory which is for Azure AD Identity Protection connector. No param for Azur AD connector.
The docs walk through what is captured. docs.microsoft.com/en-us/azure/sentinel/connect-data-sources. AAD is the sign-in/audit type logs while IP gives security alert type info.
@@NTFAQGuy Hi John, thanks. Because it took ~3-4h for the Azure Active Directory connector to be "connected" while in Azure AD Identity Protection case it is almost instant, I was confused...Also the misleading Powershell command which uses -AzureActiveDirectory for Azure AD Identity Protection... Don't know why the hell it took so long just to connect to my test Azure AD...
Hi John! As always, great video! Thank you very much! :) I would like to share a couple of considerations with you. OS Logs - Azure Security Center uses them for VM protection and it requires the deployment of a Log Analytics agent that stream such OS logs to a Log Analytics workspace. I would say that it would be smart to stream them to the same Log Analytics workspace on which Azure Sentinel sits. Would you agree? Are there any other factors to be taken into account? What do you think? Azure Sentinel Connectors - Let's take the Activity Logs as an example. What is the difference between setting the Diagnostic Settings on the Azure Subscription and streaming the Activity Logs to the Log Analytics workspace on which Azure Sentinel sits, and enabling the Azure Activity Logs Connector of Azure Sentinel? Are these two options the same thing? Or am I losing any security feature (e.g. the Analytics Rules)? Thanks once again John. This channel is awesome!
Hello Giovanni, I have had exactly the same question that you raised here. I did a bit of work and found out the below. Again I would appreciate an expert opinion to know if what I found is right. 1. Yes. That will be the smart idea so Sentinel gets the view of all raw windows logs and it can enable detections based on ML. But please note that these would have only windows event logs. Security Center doesn’t capture and store Linux workload logs. We will have to enabled that from Log analytics advance settings by switching on the Syslog and the required facilities you need. I just added this here since I didn’t know how this in the very beginning when I stated working with Azure. We can map as many workspace to Sentinel as possible. 2. This is a very common doubt one can have esp when we start using Sentinel. If we are actually storing any logs that is security relevant ( when I say security relevant, it means logs that can have security use cases and interested for securing team ) in log analytics we could just enable Sentinel on top of it. When we use a data connector what it is doing behind the scenes is to enable the diagnostic setting and switching on the stream of logs to the respective log analytics workspace that Sentinel is mapped to. So if we already have these logs streamed to a LA workspace, we don’t need to use the connector option. If we use it , I think it will cause duplication of logs. And we don’t loose out of any feature say analytics or hunting as workspace is the base or backend for all these features. I hope it helps. We could connect on LinkedIn to exchange our ideas and views if that helps. Thanks.
Hey John, thanks for your great instructional videos. They've helped me a great deal with Azure! Are you planning to cover the new SC-200 certification at some point in the future?
I need some pointer Could you help me on these two questions? Q.1) How to get raw payload of incident related events using KQL? Q.2) How to get volume of day using API? I am new to Sentinel Thank You
there are log analytics insights that shows detail and various queries you will find from a quick search. The payload is available as part of result set from queries.
Hey John, great explanation skills you got there. However I was wondering if it's possible to stream the alerts and incidents to a different ticketing system like ServiceNow, ConnectWise etc.
@@NTFAQGuy Thank you John for the help. I'll try to get it done (which I'm feeling is going to be very difficult for me) but please help me with any relatable resources if you get in future. Thanks once again.
Defender is not really in scope of this. My focus was ASC and Sentinel but you can drive Defender from ASC and its results would show in ASC. Look at todays video :-)
@@NTFAQGuy I was thinking of going through your playlist, Microsoft labs & practice tests. Would these help? Or do you recommend some more I should go through?
@@vishalpathak143 Depending on how well you retain information you can pass going through Microsoft labs + reading material + Savills videos. Do them at the same time (Watch PIM while going through PIM material and labs, etc.)
Just wanted to say a big thanks for your continuous effort. I'm sure it's massively time consuming to put together these videos, please be assured that they are very much appreciated.
You're very welcome!
I couldn't agree more! Not only all the video are precious in the contents, but the way how things are explained, capturing the viewer attention, making much easier to remember and put the various pieces together.
We all cannot thank you enough John! You are amazing 💪
Another show from John to give us a good understanding. Sometimes, we got a little confused about the scope of each tool, but John put our feet on the ground for us to grow. Thank you, John.
You bet!
I passed SC200 today! Thankyou for your continued hard work and support. I couldn’t have done it without these videos. MS500, you’re next.
Congrats!
This is really great, looking forward to a deep dive Sentinel session, John
I just have to say that your videos are a great example of teaching. When I shared your videos with some colleagues the other day, I thought about the Albert Einstein quote (At least I think it was Einstein): If you can't explain it simply, you don't understand it well enough. Well, you clearly understand it well enough. Thank you for making these. They really make the technology understandable. Your PowerShell videos for instance, made me understand and therefore use PowerShell much more than I did before, when I just googled the commands I needed.
That is very kind and appreciate the feedback. Take care.
John, you are awesome!!! I can't thank you enough. The way you deliver everything in Azure is so unique and engaging that I haven't seen anyone else in any of the well-known e-learning platforms able to do so. Appreciate your hard work!
I appreciate that, thank you
Hear hear!
really good timing on your videos recently. I have noticed a lot in my stream of work that many people think ASC and sentinel achieve the same objective and get confused, especially when talking about log analytics and how it works with ASC and sentinel. Only watched 20 mins so far but good video.
Hi John, I just wanted to thank you again for the immense effort required to put together these videos. I am happy to announce I just passed my AZ-500 exam today after three months of study and watching your videos. A million thanks or not enough!!!
Congrats and thanks for the kind note
High quality, focus on principal instead of details as always. Thanks!
You got it!
Man, another awesome lecture from John. Could listen and watch all day. Thanks again for creating this lecture - we all know how much time it takes (you really work your ass off ;-). Helps me do my job even better, John.
Glad it helps!
John, what you create for our community is nothing short of phenomenal. I remember I once "helped" you on some advanced networking stuff a few years ago but seeing the breath of things you cover absolutely amazes me. Keep it up!
Very kind, thank you!!!
Talk about timing, I was asked to implement sentinel within the next two weeks. Thanks for the work you do John.
Perfect!
you are a true gem, take care John.
Good overview and introduction of Azure Security and Defender for Cloud. Thanks John!
Best Azure tutorials i have seen so far. Thanks a lot for all your efforts to help learning
Glad you like them!
Great training video! I have learned a great deal. I take the SC200 exam this week. Your content has been invaluable. THANK YOU!!!
Glad it was helpful and good luck!
Thanks John for great videos on Azure. Big fan of yours from the past 6 years when I started listening to your courses on Pluralsight.
Very kind, thank you
very comprehensive, well paced and detailed intro to AZ-500. great job!
Thanks
S stands for security/ Sentinel. I like when you bring humour into it. 👍 video
Great video and something I watched a couple of times before doing my SC-200 exam. More of the same please :)
Hi Jase,
What other content did you use for the SC-200? Thanks
Yeah I would like to know 2!
very nice end to end view of how things work in Azure Security .
Glad you liked it
Excellent training from John.
This was amazingly clear, thank you very much John :)
I am fan of teaching stuff ...I am greatful to find you ..
Thanks!
Thanks John. Great breakdown of ASC!
This is so awesome!!! Helped me perform my workshops more efficiently!!!
youre the best john! cant thank you enough for content like this :)
You are the Shon Harris of Azure.. Thanks a lot!
No clue who that is but thanks ? :-D
@@NTFAQGuy - en.m.wikipedia.org/wiki/Shon_Harris . She helped me clear CISSP and was the best I have ever come across. Unfortunately, she is no more.
The man of Microsoft Security Stack.
thats super timing! exam is next week.. Thanks man!
You can do it!
thanks for your time and effort !!!!!
Hey John, Thank you for putting this together. It is awesome. Just one small comment is that at @1:19 you mentioned that ASC is proactive and Azure sentinel is reactive. Actually, it is the other way round. Sentinel with built-in AI is proactive.
I still say it’s mostly other way round. Asc driven by policy is telling you things to protect to avoid attack, ie proactive, sentinel is triggered by logs which are things that have mostly happened, ie reactive. Yes sentinel has aspects of proactive but fundamentally it’s reactive. That’s also how product groups see the technology.
@@NTFAQGuy Thank you for the clarification, John
Another great video John, thanks
Great explanation. Thank you!
This was extremely useful. Thank you very much!
Great to hear, thank you
These are great, very helpful, thank you John!
My pleasure
My first video. There will be more, for sure. T H A N K S ! ! !
Thanks and welcome!
Thank you for this - it is much appreciated
You're very welcome!
Long-time subscriber, first time commenter.
Did a lot change between making this video and the changes introduced in September 2021?
Not major
Thanks for Sharing this John. Can you please make videos for SC-300 exam
He's got a great Master Class video on Identity that should help you with SC-300
Very informative and helpful
Glad it was helpful!
Super helpful - Thank you so much john !! #StayBlessednHappy
Another Good Video. Can't help but wonder Why MSFT makes everything so complicated and confusing. OMG, Azure Security Center, Azure Defender, Azure Sentinel, Azure Monitor, Workboos, Playbooks, Runbooks..... How does this company stay in business!! "-)
Awesome job John! greetings from SA
Thanks!
Great content as usual! Much appreciated.
Glad you enjoyed it!
Nice job with great tutorial.
Good work keep it up, Thank you it helped me a lot.
Glad to hear that
I am again on your channel. You are great 👍
awesome, I've been struggling on the architecture now am certain Thank you @John Savill's
Great video, very informative!
Thank you!
merci John. Very interesting.
Great info as usual, thanks!
Thanks!
Amazing - as always
Thanks
All good stuff, but it is hard to find a course (happy to pay) that focuses on the knowledge required to pass the AZ 500 exam. Not a cram, what I'd love to see is how to approach the exam. I am happy I have covered all the security interfaces in Azure, and I can work efficiently but the logic of the exam questions is a long way from just being proficient in Azure. Some of the questions I don't feel I could ever know how to answer (question breakdown really).
You can try the" measure up"to get prepare your azure exam . The exam format is almost identical to real exam and it also provides the explanation for each answer and the referring document.
It is not a cram but it examine your knowlege of specific area in Azure.
I got pass without cram through measure up on every azure exam.
Hope this can help .
Excellent video. Liked
Many thanks!
I have a sentinel deployment planned in az gov and this was great help . Thanks John . Any chance you would consider a video with pointers on SC-300 beta exam .
Very nice lecture, thanks keep it up... :)
Thank you, I will do my best!
Sentinel is awesome!
Excellent!
Thanks
Great content, keep up the good work :-)
Thsnks
As always, great video with explanation. Would it be posible for you to share the photo image of Whiteboard in the session, John?
While I post for newer videos I didn't keep for old ones.
@@NTFAQGuy No problem. Thanks as always
Hi John,
Regarding the Connectors for Azure Sentinel, what are the differences between Azure Active Directory connector and Azure Active Directory Identity Protection connector?
New-AzSentinelDataConnector command only has param -AzureActiveDirectory which is for Azure AD Identity Protection connector. No param for Azur AD connector.
The docs walk through what is captured. docs.microsoft.com/en-us/azure/sentinel/connect-data-sources. AAD is the sign-in/audit type logs while IP gives security alert type info.
@@NTFAQGuy Hi John, thanks. Because it took ~3-4h for the Azure Active Directory connector to be "connected" while in Azure AD Identity Protection case it is almost instant, I was confused...Also the misleading Powershell command which uses -AzureActiveDirectory for Azure AD Identity Protection...
Don't know why the hell it took so long just to connect to my test Azure AD...
Hi John!
As always, great video! Thank you very much! :)
I would like to share a couple of considerations with you.
OS Logs - Azure Security Center uses them for VM protection and it requires the deployment of a Log Analytics agent that stream such OS logs to a Log Analytics workspace. I would say that it would be smart to stream them to the same Log Analytics workspace on which Azure Sentinel sits. Would you agree? Are there any other factors to be taken into account? What do you think?
Azure Sentinel Connectors - Let's take the Activity Logs as an example. What is the difference between setting the Diagnostic Settings on the Azure Subscription and streaming the Activity Logs to the Log Analytics workspace on which Azure Sentinel sits, and enabling the Azure Activity Logs Connector of Azure Sentinel? Are these two options the same thing? Or am I losing any security feature (e.g. the Analytics Rules)?
Thanks once again John. This channel is awesome!
Hello Giovanni,
I have had exactly the same question that you raised here. I did a bit of work and found out the below. Again I would appreciate an expert opinion to know if what I found is right.
1. Yes. That will be the smart idea so Sentinel gets the view of all raw windows logs and it can enable detections based on ML. But please note that these would have only windows event logs. Security Center doesn’t capture and store Linux workload logs. We will have to enabled that from Log analytics advance settings by switching on the Syslog and the required facilities you need. I just added this here since I didn’t know how this in the very beginning when I stated working with Azure. We can map as many workspace to Sentinel as possible.
2. This is a very common doubt one can have esp when we start using Sentinel.
If we are actually storing any logs that is security relevant ( when I say security relevant, it means logs that can have security use cases and interested for securing team ) in log analytics we could just enable Sentinel on top of it. When we use a data connector what it is doing behind the scenes is to enable the diagnostic setting and switching on the stream of logs to the respective log analytics workspace that Sentinel is mapped to. So if we already have these logs streamed to a LA workspace, we don’t need to use the connector option. If we use it , I think it will cause duplication of logs. And we don’t loose out of any feature say analytics or hunting as workspace is the base or backend for all these features.
I hope it helps. We could connect on LinkedIn to exchange our ideas and views if that helps.
Thanks.
Hey John, thanks for your great instructional videos. They've helped me a great deal with Azure! Are you planning to cover the new SC-200 certification at some point in the future?
Glad they help, thanks for watching. I don’t discuss future plans, sorry
@@NTFAQGuy Okay, thanks. Appreciate the response!
RESPECT! great video sir
Thanks!
Would you still add alerts in defender for endpoint, defender for azure etc or would it be all done in sentinel?
Would consider delay vs centralization, native ml etc
Thanks!
No problem!
I need some pointer
Could you help me on these two questions?
Q.1) How to get raw payload of incident related events using KQL?
Q.2) How to get volume of day using API?
I am new to Sentinel
Thank You
there are log analytics insights that shows detail and various queries you will find from a quick search. The payload is available as part of result set from queries.
Hey John, great explanation skills you got there. However I was wondering if it's possible to stream the alerts and incidents to a different ticketing system like ServiceNow, ConnectWise etc.
yes you can send via event hub for example. Look up continuous export. no need to type "please answer" lol
@@NTFAQGuy I tried this out but my real concern is I don't get a page where I can actually select ServiceNow for integrating it with Security center.😭
@@yashmudaliar6590 Thats not how it works. You send from ASC to event hub then ServiceNow you configure to pick up from Event Hub.
@@NTFAQGuy Thank you John for the help. I'll try to get it done (which I'm feeling is going to be very difficult for me) but please help me with any relatable resources if you get in future. Thanks once again.
@@yashmudaliar6590 Look at ServiceNow for docs on reading from publish/subscribe sources like event hub. Good Luck
Hi, I'm kinda new to Azure but where is Microsoft defender in this. Isnt that a different dashboard to Azure defender?
Defender is not really in scope of this. My focus was ASC and Sentinel but you can drive Defender from ASC and its results would show in ASC. Look at todays video :-)
Hey, Is this Az-500 playlist enough to clear the Az-500 exam?
No. Supplemental help
@@NTFAQGuy I was thinking of going through your playlist, Microsoft labs & practice tests. Would these help? Or do you recommend some more I should go through?
@@vishalpathak143 Depending on how well you retain information you can pass going through Microsoft labs + reading material + Savills videos. Do them at the same time (Watch PIM while going through PIM material and labs, etc.)
Is there by chance a link to that git hub ?
It’s in description
_/\_ Awesome explanation....
Glad it was helpful!
finally passed 104 tempted to move onto az500 just not sure . could be very hard... ?
The harder the obstacle the greater the accomplishment. Just requires study and practice.
@@NTFAQGuy true wise words. 104 was starting to do my head in. plan was to get some aws next but maybe i should push forward for az500
@@ZeNex74 whatever you think best for you.
For the algorithm!