Microsoft Azure Sentinel is a new Cloud native SIEM service with built-in AI for analytics that removes the cost and complexity of achieving a central and focused near real-time view of the active threats in your environment. Koby Koren from the Azure Sentinel engineering team walks through the entire solution with an end-to-end demonstration from how to set it up, perform queries, investigations and more. Azure Sentinel is in preview today. Follow the link to try for yourself https://aka.ms/AzureSentinel

1. www.techconnect.io
Journey to Azure Sentinel
Eng Soon Cheah, Microsoft MVP
@CheahEngSoon

2. Setup Azure Sentinel

3. Login to the Azure Portal.
Search at the top for Azure Sentinel. Click Add to setup the Azure Sentinel workspace.

4. Click Create a new workspace. (You could also add to an existing one if desired.)

5. Name your new workspace and place in the proper Resource Group.
NOTE: The Azure Sentinel Preview is currently Free. Microsoft states they will release pricing information at a later
date. Be aware that you can still accrue charges with storage, throughput, and Machine Learning automation responses.

6. On the next page click the new workspace you created and click Add Azure Sentinel.

7. Click on the new workspace. Click the Getting Started tab and you will see the overview of the setup.

8. Setup Azure Sentinel Data Collection

9. Click on the Connect for step 1 we will need to setup Sentinel to collect data from on-prem and cloud locations.

10. Click through any you wish to setup… each Data Collection plugin has step by step instructions. For example the Azure
Active Directory was just 2 easy clicks to connect the logs. Some will be more involved and need you to point your current
Syslog files or a client install.
.

11. Setup Azure Sentinel Dashboards

12. Once you have Data Collection setup go to Dashboards, select the pre-made dashboards for your Collectors and
click Install on the bottom right.

13. Setup Azure Sentinel Analytics –
Alert Rules

14. Select Analytics and then Add.

15. AzureActivity
| where OperationName == “Create or Update Virtual Machine” or
OperationName == “Create Deployment”
| where ActivityStatus == “Succeeded”
| make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in
range(ago(7d), now(), 1d) by Caller
This is where i notice things get tricky… Microsoft does not appear to have a nice selection of pre-made rules. Admins will
have to create their own alert rules using the query system. The example from Microsoft is shown here. I really hope they
create some built-in best practice rules that can be easily enabled but it appears they plan to rely on
the Community Section.
.

16. Click Create.

18. Next Select the Community tab under configuration and select Go to Azure Sentinel community.

19. From this community GitHub you can find many useful alerts to setup in you Azure Sentinel Preview.

20. Enable Fusion

21. az resource update –ids /subscriptions/{Subscription
Guid}/resourceGroups/{Log analytics resource Group
Name}/providers/Microsoft.OperationalInsights/workspaces/{Log analytics
workspace Name}/providers/Microsoft.SecurityInsights/settings/Fusion –api-
version 2019-01-01-preview –set properties.IsEnabled=true –subscription
“{Subscription Guid}”
Fusion is the AI/Machine Learning portion of Sentinel designed to help analysts with Alert Fatigue. More info here.
Open the Cloud Shell and select Powershell.
Create Storage and authenticate.

22. References
Blogs:
https://dev.to/cheahengsoon
YouTube:
https://www.youtube.com/c/engsooncheah

23. www.techconnect.io