Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel

As more and more customers use Azure Sentinel to view and respond to security alerts and threats within their organization, it becomes more important to set aside some daily, weekly, and monthly tasks to provide care-and-feeding of the product. This vigilance ensures that operations are consistently at peak performance so analysts can focus on securing the company’s assets.

Here’s our current list of daily, weekly, and monthly task suggestions. Feel free to add or retract your own depending on your own environment and what you decide is most important to your SOC operation.

In future blog posts here, I’ll dig into each of these and walk through how to accomplish them in Azure Sentinel and who in the organization might be assigned each task.

| Operational Task | Details | Interval |
|---|---|---|
| Investigate Incidents | Investigate Incidents to determine if any Analytics Alert rules were triggered. Set status and begin investigation. Resolve or reassign. | Daily |
| Hunting Queries and Bookmarks | Explore the built-in query results. Update existing hunting queries and bookmarks. Manually generate new or update old Incidents if applicable. Apply automation (Playbooks) where required. | Daily |
| Analytics Rules | Identify any newly released (or newly available due to recently connected Data Connectors) Analytics Rules and enable those that are applicable. Apply automation (Playbooks) where essential. Modify thresholds, schedules, and automation where needed. | Daily |
| Data Connectors | Look through the active Data Connectors and verify the Last Log Received date/time is current to ensure data is flowing. | Daily |
| Log Analytics Agent | Verify the servers (or workstations) are showing a connected status in the workspace. Troubleshoot and remediate failed connections. | Weekly |
| Workbooks Updates | Verify in the Azure Sentinel Dashboard blade whether an installed Workbook has an update that needs to be installed. | Weekly |
| GitHub Alert Rules, Workbooks, Hunting queries, and Playbooks | Visit and review the Azure Sentinel GitHub repository and explore whether there are new or updated Detection Rules, Workbooks, Hunting queries, or Playbooks of value that can be added to the environment. | Weekly |
| Log Analytics Agent | Ensure the agent is up to date and auto-upgrades are working. For those not auto-upgraded, perform a manual update. | Monthly |
| Log Analytics Workspace | Review that your Log Analytics Workspace retention policy still aligns with your current configuration. Run the Data Usage queries to help maintain costs and retention determinations. | Monthly |
| Access Review | Has your SOC team changed? Review RBAC and IAM to verify that those who need access have proper access, and that accounts no longer needing access are removed. | At Least Monthly |
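
The daily Data Connectors check above (is the Last Log Received time current?) can be done for every table at once with a workspace query. The following KQL is an added example, not part of the original post; the 24-hour staleness threshold and the 30-day lookback are assumptions you should tune to your own connectors.

```kql
// Added example (not from the original post): per-table "last log received" report.
// Assumption: a standard Log Analytics workspace; StaleAfter is a tunable threshold.
let StaleAfter = 24h;
union withsource = TableName *
| where TimeGenerated > ago(30d)
| summarize LastLogReceived = max(TimeGenerated), Events30d = count() by TableName
| extend HoursSinceLastLog = datetime_diff('hour', now(), LastLogReceived)
| extend Status = iff(LastLogReceived < ago(StaleAfter), "STALE", "OK")
| order by LastLogReceived asc
```

`union *` scans every table, so keep the lookback short on large workspaces; a table that should be feeding daily but shows STALE is a connector or agent problem to chase before any detection built on it is trusted.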

Have some of your own? Feel free to reach out and let me know. This is by no means intended to be a definitive list, but instead some suggestions to get you on your way. I would love to crowd-source this list to ensure it matches customer needs. We’re all better together.

I want to thank Mikko Koivunen for his contribution to this list! Mikko replied in the LinkedIn Azure Sentinel group which led to the Access Review task.
