Azure Sentinel: How? - NETSEC

Monday, March 18, 2024

Azure Sentinel: How?

This post summarizes the basic knowledge you need to start using Azure Sentinel as quickly as possible.


Sentinel Workspace, Price and Roles

Create Microsoft Sentinel (Log Analytics) Workspace 
  • https://blog.51sec.org/2023/10/azure-sentinel-101.html


Microsoft Sentinel pricing
  • https://azure.microsoft.com/en-ca/pricing/details/microsoft-sentinel/
  Tier             Microsoft Sentinel Price   Effective Per GB Price   Savings Over Pay-As-You-Go
  Pay-As-You-Go    $6.95 per GB ingested      $6.95 per GB ingested    N/A
  100 GB per day   $456.74 per day            $4.57 per GB             34%



Roles and permissions in Microsoft Sentinel (https://learn.microsoft.com/en-us/azure/sentinel/roles)
The role is assigned at the subscription level, not to an Entra ID group.

Log Retention

Log Analytics Workspace

Settings - Tables - The default retention period is 90 days.

To modify this configuration, go to Azure Portal - Log Analytics Workspace - <Your Workspace> - Tables - right-click the table - Manage table.



Diagram




Note: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/best-practices-for-common-event-format-cef-collection-in-azure/ba-p/969990


Content Hub & Data Connectors



You can search for "Training" in the Content Hub to find the Microsoft Sentinel Training Lab and install it in your lab environment. Data connectors used in this post:
  • Azure Activity
  • Network Session Essentials
  • Azure Active Directory
  • Common Event Format
  • Windows Security Events




Microsoft Sysmon For Linux

Common Event Format (CEF) via AMA (Azure Monitor Agent)


Microsoft Sentinel Training Lab Solution

This solution ingests pre-recorded data into your Microsoft Sentinel workspace and enables several artifacts to simulate scenarios that showcase various Microsoft Sentinel features. The size of the ingested data is around 20 MB, so you will see no cost related to ingestion. Pre-recorded data lands in the following custom log tables: SecurityEvent_CL, SigninLogs_CL, OfficeActivity_CL, AzureActivity_CL, Cisco_Umbrella_dns_CL.


Training guide: https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Training/Azure-Sentinel-Training-Lab




Threat Intelligence

Install Threat Intelligence from the Content Hub.
Open the connector page: Data connectors - Threat Intelligence - TAXII.
Get a free threat intelligence feed from https://pulsedive.com/ and fill in the connector with:

  API root URL: https://pulsedive.com/taxii2/api
  Collection ID: test id
  Username: taxii2
  Password: your own API key


Threat Intelligence - TAXII:
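Once the TAXII connector is ingesting indicators, the usual next step is an analytics rule that matches them against your own logs. The following KQL is an added example, not a query from the post; it assumes the classic ThreatIntelligenceIndicator table populated by the TAXII connector and the CommonSecurityLog table populated by the CEF via AMA connector listed earlier, and it follows the same shape as Microsoft's built-in "TI map" rules.

```kql
// Added example (not from the post): match TAXII-ingested IP indicators
// against CEF firewall logs. Assumes the classic ThreatIntelligenceIndicator
// table and CommonSecurityLog from the CEF via AMA connector.
let dt_lookBack = 1h;     // how far back to scan CEF events
let ioc_lookBack = 14d;   // how far back to pull indicators
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
// keep only the latest version of each indicator
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP)
| join kind=innerunique (
    CommonSecurityLog
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(DestinationIP)
    | extend CSL_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.DestinationIP
// drop hits that occurred after the indicator expired
| where CSL_TimeGenerated < ExpirationDateTime
// one row per indicator/destination pair, keeping the most recent hit
| summarize CSL_TimeGenerated = arg_max(CSL_TimeGenerated, *) by IndicatorId, DestinationIP
| project CSL_TimeGenerated, Description, ThreatType, ConfidenceScore, TI_ipEntity,
          DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort
| extend IPCustomEntity = DestinationIP
```

Schedule it as an analytics rule with a lookback matching dt_lookBack, and map IPCustomEntity to the IP entity so incidents carry the matched address. The ExpirationDateTime filter matters: without it, stale indicators keep raising alerts long after the feed has retired them.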



Automation 





Analytics Rules


High


Medium



Show Table Contents



AzureActivity
| limit 100
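The `limit 100` query above only previews the table. As an added example (not from the post), the KQL below turns the same AzureActivity table into an analytics-rule query that surfaces successful Azure RBAC role assignments at subscription scope, which ties back to the earlier note that Sentinel roles are assigned at the subscription level. It assumes the Azure Activity connector is populating AzureActivity and that _ResourceId carries the full role-assignment resource path.

```kql
// Added example (not from the post): successful role assignments written at
// subscription scope, grouped per caller. Assumes the AzureActivity table from
// the Azure Activity connector.
AzureActivity
| where TimeGenerated >= ago(1d)
| where OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
| where ActivityStatusValue =~ "Success"
// the assignment scope is the resource path before the roleAssignments provider segment
| extend Scope = tostring(split(_ResourceId, "/providers/Microsoft.Authorization/roleAssignments")[0])
// keep subscription-level scopes only (no resource group segment)
| where Scope startswith "/subscriptions/" and Scope !contains "/resourceGroups/"
| summarize Assignments = count(),
            Scopes = make_set(Scope),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by Caller, CallerIpAddress, SubscriptionId, bin(TimeGenerated, 1h)
| project FirstSeen, LastSeen, Caller, CallerIpAddress, SubscriptionId, Assignments, Scopes
| extend AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
```

A sensible severity for this rule is High, since a subscription-scope assignment grants rights over every resource group and workspace beneath it; the principal and role written are in the Properties column's request body, which can be added to the projection when an analyst needs them.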



KQL - Kusto Query Language


You can practice Kusto Query Language statements - including the ones in this article - in a Log Analytics demo environment in the Azure portal. There is no charge to use this practice environment, but you do need an Azure account to access it.




