Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Advertisements

On Boarding Azure Sentinel

Prerequisites

  • Active Azure Subscription,
  • Log Analytics workspace.
  • To enable Azure Sentinel, you need contributor permissions to the subscription in which the Azure Sentinel workspace resides.
  • Contributor or reader permissions on the resource group that the workspace belongs to.

  1. Sign in to the Azure portal.
  2. Search for and select Azure Sentinel.

Enter the resource group, Name and Region

Click on review & Create to complete this process.

Azure Sentinel does not currently support the moving of that workspace to other resource groups or subscriptions.

Advertisements

Working with Data connectors

Connecting data sources

Azure Sentinel ingests data from services and apps by connecting to the service and forwarding the events and logs to Azure Sentinel. For physical and virtual machines, we can install the Log Analytics agent that collects the logs and forwards them to Azure Sentinel. For Firewalls and proxies, Azure Sentinel installs the Log Analytics agent on a Linux Syslog server, from which the agent collects the log files and forwards them to Azure Sentinel. Lets see some of the major connectors and how can we configure in this post.

Azure Sentinel comes with a number of connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, Microsoft 365 sources (including Office 365), Azure AD, Microsoft Defender for Identity (formerly Azure ATP), Microsoft Cloud App Security, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. we can use Common Event Format (CEF), Syslog or REST-API to connect your data sources with Azure Sentinel.

More details can be found here

Connect data from Azure Activity log

Lets see how to work with Azure Activity logs Connector

From the Azure Sentinel navigation menu, select Data connectors. From the list of connectors, click on Azure Activity, and then on the Open connector page button on the lower right.

  • Under the Instructions tab, click the Configure Azure Activity logs > link.
  • In the Azure Activity log pane, select the subscriptions whose logs you want to stream into Azure Sentinel.
  • In the subscription pane that opens to the right, click Connect.
Advertisements

Adding workbooks

Azure Sentinel allows to create custom workbooks across the data, and also comes with built-in workbook templates to allow us to quickly gain insights across your data as soon as you connect a data source.

Below is the easy method to save the workbook

To view the saved workbooks, Select workbooks under threat management and choose saved workbooks

Sample view from Azure Activity Logs Workbooks

Alerts and Incidents

Once we have data sources to Azure Sentinel, we want to be notified when something suspicious occurs. WIth OOB templates Rules created from these templates will automatically search across your environment for any activity that looks suspicious. Many of the templates can be customized to search for activities, or filter them out, according to our needs. The alerts generated by these rules will create incidents that you can assign and investigate in your environment.

In this example lets pick Azure activity log and create a alert if someone creates or updates any public IP address.

Let’s pick this template

You can choose the tactics and severity depending on your query. you can choose from among categories of attacks by which to classify the rule. These are based on the tactics of the MITRE ATT&CK framework.

AzureActivity |where OperationName contains “Create or Update Public Ip Address”

Used this as rule query and tested Simulation

Automated Response

Now we don’t have any automated responses available by default, Lets see how to create a new playbook

\

I will be explaining in my next post about creating Automated responses. Review and create this alert. Now after I saved the alert I got a incident, As there were previously one public IP created.

We can also create automation rule and team which is in preview

Now lets test this simple rule, I created a new public IP address and i can see an incident directly assigned to the user to whom I have specified in my earlier step.

Now lets close this incident.

This post is being updated on a frequent basis. Please remember to subscribe to get instant updates!!