---
title: Operational guide - Microsoft Sentinel
description: Learn about the operational recommendations to help security operations teams to plan and run security activities.
ms.date: 08/30/2024
ms.topic: reference
ms.author: edbaynash
author: EdB-MSFT
appliesto:
- Microsoft Sentinel in the Microsoft Defender portal
- Microsoft Sentinel in the Azure portal
#Customer intent: As a security operations (SOC) team member or security administrator, I want to know what operational activities I should plan to do daily, weekly, and monthly with Microsoft Sentinel to help keep my organization's environment secure.
---
# Microsoft Sentinel operational guide
This article lists the operational activities that we recommend security operations (SOC) teams and security administrators plan for and run as part of their regular security activities with Microsoft Sentinel. For more information about managing your security operations, see [Security operations overview](/security/operations/overview).
## Daily tasks
Schedule the following activities daily.
| Task | Description |
| --- | --- |
| **Triage and investigate incidents** | Review the Microsoft Sentinel **Incidents** page to check for new incidents generated by the currently configured analytics rules, and start investigating any new incidents. For more information, see:<li>[Navigate, triage, and manage Microsoft Sentinel incidents in the Azure portal](incident-navigate-triage.md)<li>[Investigate Microsoft Sentinel incidents in depth in the Azure portal](investigate-incidents.md) |
| **Explore hunting queries and bookmarks** | Explore results for all built-in queries, and update existing hunting queries and bookmarks. Manually generate new incidents or update old incidents if applicable. For more information, see:<li>[Create your own incidents manually in Microsoft Sentinel in the Azure portal (Preview)](create-incident-manually.md)<li>[Hunt for threats with Microsoft Sentinel](hunting.md)<li>[Keep track of data during hunting with Microsoft Sentinel](bookmarks.md) |
| **Analytics rules** | Review and enable new analytics rules as applicable, including newly released rule templates and rules that arrived with recently deployed solutions. For more information, see:<li>[Create scheduled analytics rules from templates](create-analytics-rule-from-template.md)<li>[About Microsoft Sentinel content and solutions](sentinel-solutions.md)<br><br>Monitor the health and optimize the execution of your analytics rules. For more information, see:<li>[Monitor the health and audit the integrity of your analytics rules](monitor-analytics-rule-integrity.md)<li>[Monitor and optimize the execution of your scheduled analytics rules](monitor-optimize-analytics-rule-execution.md) |
| **Data connectors** | Review the health status of your data connectors to ensure that data is flowing. Check for new connectors, and review ingestion to ensure set limits aren't exceeded. For more information, see [Monitor the health of your data connectors](monitor-data-connector-health.md). |
| **Azure Monitor Agent** | Verify that servers and workstations are actively connected to the workspace, and troubleshoot and remediate any failed connections. For more information, see [Azure Monitor Agent overview](/azure/azure-monitor/agents/azure-monitor-agent-overview). |
| **Playbook failures** | Verify playbook run statuses and troubleshoot any failures. For more information, see [Tutorial: Respond to threats by using playbooks with automation rules in Microsoft Sentinel](tutorial-respond-threats-playbook.md). |
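The data connector, Azure Monitor Agent, and playbook checks in the table above can be run as a single daily KQL health sweep instead of clicking through each blade. The following queries are an added example for this guide, not queries from the page or from the Microsoft Sentinel product itself. They assume that health data collection is turned on for the workspace (the **SentinelHealth** table is only populated once the health feature is enabled in the workspace settings), that hosts report through the Azure Monitor Agent so that they appear in **Heartbeat**, and that the 24-hour and 1-hour lookback windows match your own operating tempo; adjust them to fit. Run each query separately in the **Logs** blade (the editor executes the query under the cursor; queries are separated by blank lines).

```kusto
// Added example, not part of the original page.
// Query 1: data connectors, analytics rules and playbooks that reported a
// failure in the last 24 hours, with the most recent failure reason per resource.
SentinelHealth
| where TimeGenerated > ago(1d)
| where SentinelResourceType in ("Data connector", "Analytics rule", "Playbook")
| where Status == "Failure"
| summarize Failures = count(),
            LastFailure = max(TimeGenerated),
            LastReason = take_any(Reason)
          by SentinelResourceType, SentinelResourceName
| order by Failures desc

// Query 2: Azure Monitor Agent hosts that were reporting during the last 7 days
// but have been silent for more than an hour. A host that disappears from this
// list entirely (no heartbeat in 7 days) needs a separate inventory comparison,
// so widen the first window if you expect long-offline machines.
Heartbeat
| where TimeGenerated > ago(7d)
| where Category == "Azure Monitor Agent"
| summarize LastHeartbeat = max(TimeGenerated) by Computer, OSType
| where LastHeartbeat < ago(1h)
| extend MinutesSilent = datetime_diff("minute", now(), LastHeartbeat)
| order by MinutesSilent desc

// Query 3: billable ingestion per table over the last 24 hours, to compare
// against the daily cap or commitment tier you configured for the workspace.
// Usage.Quantity is reported in MB; the division converts it to GB.
Usage
| where TimeGenerated > ago(1d)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType
| order by IngestedGB desc
```

Query 1 deliberately filters on `Status == "Failure"` rather than on `Status != "Success"`, because SentinelHealth also emits informational records; if you want warnings surfaced as well, add `"Warning"` to an `in` filter on `Status`. Query 3 is the quickest way to notice a connector that has started flooding the workspace (a misconfigured firewall or syslog source is a common cause), which is just as much an operational failure as a connector that stops sending.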
## Weekly tasks
Schedule the following activities weekly.
|Task|Description|
|---|---|
|**Content review of solutions or standalone content**| Get any content updates for your installed solutions or standalone content from the [Content hub](sentinel-solutions-deploy.md). Review new solutions or standalone content that might be of value for your environment, such as analytics rules, workbooks, hunting queries, or playbooks.|
|**Microsoft Sentinel auditing**| Review Microsoft Sentinel activity to see who updated or deleted resources, such as analytics rules, bookmarks, and so on. For more information, see [Audit Microsoft Sentinel queries and activities](audit-sentinel-data.md).|
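For the weekly auditing task, the management-plane changes to Microsoft Sentinel resources (analytics rules, bookmarks, automation rules, playbook assignments, and so on) are recorded in the **AzureActivity** table under the `MICROSOFT.SECURITYINSIGHTS` resource provider. The query below is an added example for this guide and is not from the original page; it assumes the Azure Activity data connector is enabled for the subscription that hosts the workspace and that you want a per-caller summary of writes and deletes for the last seven days. Column names (`OperationNameValue`, `Caller`, `CallerIpAddress`, `CorrelationId`, `_ResourceId`) are the standard AzureActivity schema; the regular expressions that split the operation name into a resource type and an action are this example's own convention.

```kusto
// Added example, not part of the original page.
// Who created, updated or deleted Microsoft Sentinel resources in the last 7 days.
AzureActivity
| where TimeGenerated > ago(7d)
| where OperationNameValue startswith "MICROSOFT.SECURITYINSIGHTS/"
| where OperationNameValue endswith "/WRITE" or OperationNameValue endswith "/DELETE"
// Each ARM operation usually logs a "Start" record and a final status record;
// keep only the latest record per CorrelationId so one change counts once.
| summarize arg_max(TimeGenerated, *) by CorrelationId
| extend ResourceType = extract(@"^MICROSOFT\.SECURITYINSIGHTS/(\w+)/", 1, OperationNameValue),
         Action = extract(@"/(\w+)$", 1, OperationNameValue)
| summarize Changes = count(),
            LastChange = max(TimeGenerated),
            AffectedResources = make_set(_ResourceId, 25)
          by Caller, CallerIpAddress, ResourceType, Action
| order by Action asc, Changes desc
```

Deletes of `ALERTRULES` (analytics rules) and `AUTOMATIONRULES` deserve the closest look, because removing a rule silently reduces detection coverage without generating an incident. If a caller in the output is a service principal or an IP address you do not recognise, pivot on that `Caller` value across all of `AzureActivity` before the next review cycle rather than waiting for the monthly access review.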
## Monthly tasks
Schedule the following activities monthly.
|Task|Description|
|---|---|
|**Review user access**| Review permissions for your users and check for inactive users. For more information, see [Permissions in Microsoft Sentinel](roles.md).|
|**Log Analytics workspace review**| Confirm that the Log Analytics workspace data retention settings (interactive retention and long-term retention per table) still align with your organization's policy. For more information, see [Configure data retention and archive in Azure Monitor Logs](/azure/azure-monitor/logs/data-retention-configure) and [Integrate Azure Data Explorer for long-term log retention](store-logs-in-azure-data-explorer.md).|
## Related content
- [Security operations overview](/security/operations/overview)
- [Implement Microsoft Sentinel and Microsoft Defender XDR for Zero Trust](/security/operations/siem-xdr-overview)
- [Deployment guide for Microsoft Sentinel](deploy-overview.md)