Create and Configure Azure Sentinel
In order to create and configure Azure Sentinel, we first need to create an Azure Log Analytics workspace, as Azure Sentinel is built on top of Azure Log Analytics. After Azure Sentinel is created and configured, we will use Azure Active Directory as a data source for this tutorial. To view the log and event data, we will use the built-in workbooks for viewing sign-in and audit logs and events.
We will follow the steps below to create and configure Azure Sentinel.
- Create Resource Group
- Create and Configure Azure Sentinel
- Create Log Analytics Workspace for Azure Sentinel
- Create Azure Sentinel
- Connect to Data Sources
- Connect to Workbooks for Monitoring Data
- View Logs and Events using Workbooks
- View Reported Incidents
Create a Resource Group
The first step in the creation of any resource within Azure is to create the resource group. These resource groups are created within the subscription and are mapped to a location.
- Log in to the Azure Portal, go to “Resource Groups” and click the “Add” button.
- On the “Create Resource Group” page, choose a subscription, enter a resource group name and select a region based on your location.
- Click on Review + Create and, after the validation is complete, click on the Create button.
Configure Log Analytics Workspace for Azure Sentinel
We will have to create a dedicated Log Analytics workspace for Azure Sentinel, as the default workspaces created by Azure Security Center will not appear in the list and Azure Sentinel cannot be installed on them.
- On the search bar, type “Azure Sentinel”.
- From the search results, click on the “Azure Sentinel” Option and hit enter.
- From the Azure Sentinel page, click on ‘Create’ from the top menu or click on the ‘Create Azure Sentinel’ button. It will redirect you to the Log Analytics Workspace if the workspace does not exist for Azure Sentinel.
- From the ‘Add Azure Sentinel to a workspace’ page, click on the ‘Create a new workspace’ button.
- On the ‘Create Log Analytics Workspace’ page, select the subscription and the resource group.
- Provide the name as ‘loganalyticsvaronis’.
- Choose the region as ‘East US2’.
- Once that is done, you can leave the other options as-is, click on Review+Create and, after the validation, click on Create.
Create Azure Sentinel
- Once the Azure Log Analytics Workspace has been created, you will be redirected back to the Azure Sentinel page, where you can click on the ‘Create’ button from the top menu or click on the ‘Create Azure Sentinel’ button at the bottom.
- After clicking on the Create button, you will be redirected to the ‘Add Azure Sentinel to a Workspace’ page.
- Select the workspace name, ‘loganalyticsvaronis’ in this case, and then click on the Add button. This adds Azure Sentinel to the Log Analytics workspace, and you will be redirected to Azure Sentinel’s ‘News and Guides’ page.
There are certain key points to note with Azure Sentinel.
- Once deployed on a workspace, Azure Sentinel currently does not support switching or moving that workspace to another subscription or workspace.
- If you have already moved the workspace, disable all active rules under Analytics and re-enable them after five minutes. This should be effective in most cases, though, to reiterate, it is unsupported and undertaken at your own risk.
Connect to Data Sources
Azure Sentinel can connect to a variety of data sources. At present there are around 98 connectors that allow connectivity to these different data sources.
- Data ingestion from services and apps is done by connecting to the service and forwarding its events and logs to Azure Sentinel.
- For physical and virtual machines, the Log Analytics agent is installed on the machine; it collects the logs and forwards them to Azure Sentinel.
- For firewalls and proxies, the Log Analytics agent is installed on a Linux Syslog server, from which the agent collects the log files and forwards them to Azure Sentinel.
In the example below, we will connect to Azure Active Directory. This streams logs and events from Azure Active Directory into Azure Sentinel. During the configuration, we can select which types of logs are captured from Azure AD and forwarded to Azure Sentinel.
- On the Data Connectors page, type Azure Active Directory in the search bar, and you will see the options for Azure AD.
- Select Azure Active Directory and then click on the ‘Open connector page’ button in the bottom right corner.
- On the Azure Active Directory connector page, you will see the prerequisites that must be met to connect to Azure Active Directory.
- Below the prerequisites, there is a configuration section that is used to select the Azure Active Directory log types. From the available checkboxes, select Sign-in logs and Audit logs, and then click on the ‘Apply Changes’ button.
After the changes have been applied, your Azure Sentinel is ready to collect the Sign-in and the Audit Logs from Azure Active Directory.
Connect to Workbooks for Monitoring Data
- Click on the ‘Next steps’ tab on the configuration page
- On the page that appears, there is a list of recommended built-in workbooks that can be used to check the logs. We can click on ‘Go to workbooks gallery’ as well, where we can see around 90 templates available for us to choose from, but for now we are going to choose the default Azure AD Sign-in logs workbook.
Here you will also see the query samples. These are Kusto Query Language (KQL) queries that can be used to extract information from the SigninLogs and AuditLogs tables within the Log Analytics workspace.
- After you choose the workbook, you will be redirected to the workbooks page. Here, select the ‘Azure AD Sign-in logs’ template and then click on the ‘Save’ button in the bottom right corner.
- Once you click on the ‘Save’ button, a small popup asks for a location where the workbook should be saved. Choose the location as ‘East US2’ and then click on ‘OK’.
- You can repeat steps 1 through 4 to save the ‘Azure AD Audit logs’ workbook as well.
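The workbooks above are built from KQL queries against the same SigninLogs table the Azure AD connector populates. The following query is an added example (not one of the tutorial's or Microsoft's sample queries) of the kind of hunting query you could run in the Logs blade once sign-in data is flowing: it surfaces accounts that saw a burst of failed sign-ins from one IP address and then a successful sign-in from that same IP shortly afterwards. The thresholds (5 failures, 1-hour window, 1-day lookback) are assumptions to tune for your tenant.

```kql
// Added example query, not part of the original tutorial.
// SigninLogs.ResultType is the Azure AD sign-in error code as a string; "0" means success.
let lookback = 1d;            // how far back to search (assumption)
let window = 1h;              // bucket size for counting failures (assumption)
let failThreshold = 5;        // failures per user/IP/bucket before we care (assumption)
// Step 1: count failed sign-ins per user, source IP and hourly bucket.
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize FailedCount = count(),
                FailureCodes = make_set(ResultType),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated)
        by UserPrincipalName, IPAddress, Bucket = bin(TimeGenerated, window)
    | where FailedCount >= failThreshold;
// Step 2: collect successful sign-ins with the context a responder wants to see.
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress,
              AppDisplayName, Location, ConditionalAccessStatus;
// Step 3: keep only failure bursts followed, from the same IP, by a success within one window.
failures
| join kind=inner successes on UserPrincipalName, IPAddress
| where SuccessTime between (LastFail .. (LastFail + window))
| project UserPrincipalName, IPAddress, Location, AppDisplayName, ConditionalAccessStatus,
          FailedCount, FailureCodes, FirstFail, LastFail, SuccessTime
| order by FailedCount desc
```

Paste the query into Logs under the Sentinel workspace; a result row means the account and source IP are worth a closer look in the Sign-in logs workbook, and the same query body can be turned into a scheduled analytics rule so that matches appear under Incidents.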
View Logs and Events using Workbooks
After the workbooks have been saved, you can monitor events and logs for any suspicious activities if they have been reported.
- To view the reported events and logs, you can also click on ‘Workbooks’ under ‘Threat Management’. Here you can see the two workbooks already in the saved state that were previously configured.
- Click on the Azure AD Sign-in logs workbook to see the logs and events from Azure Active Directory for any suspicious sign-in event that was encountered and logged.
View Reported Incidents
Incidents reported by Azure Sentinel can be viewed in a similar way to workbooks, directly from within Azure Sentinel.
- Go to the Azure Sentinel page. Then click on ‘Incidents’ under ‘Threat Management’. Here you can see if there has been any incident reported.
Azure Sentinel is a powerful cloud-native SIEM tool that combines the features of a security information and event management (SIEM) solution with those of a security orchestration, automation and response (SOAR) solution. It provides intelligent security analytics and threat intelligence across the enterprise. With Azure Sentinel, it is possible to proactively detect threats and respond faster using built-in artificial intelligence. In effect, it offers a bird’s-eye view across the enterprise and brings decades of Microsoft’s security experience to bear.
Azure Sentinel also eliminates the overhead of infrastructure setup, maintenance and scaling, which is still the case with other SIEM tools on the market today. This lets security responders focus on threat management instead of infrastructure requirements.