Basic Knowledges about Azure Sentinel (Price, Log, Connectors, T.I., Analytics Rules, KQL) - NETSEC


Monday, March 18, 2024

Basic Knowledges about Azure Sentinel (Price, Log, Connectors, T.I., Analytics Rules, KQL)

This post summarizes the basic knowledge you need to start using Azure Sentinel as fast as possible.



Architecture

Sentinel Architecture






 

Sentinel Workspace, Price and Roles

Create Microsoft Sentinel (Log Analytics) Workspace 
  • https://blog.51sec.org/2023/10/azure-sentinel-101.html


Microsoft Sentinel pricing
  • https://azure.microsoft.com/en-ca/pricing/details/microsoft-sentinel/
Tier             Microsoft Sentinel Price   Effective Per GB Price   Savings Over Pay-As-You-Go
Pay-As-You-Go    $6.95 per GB ingested      $6.95 per GB ingested    N/A
100 GB per day   $456.74 per day            $4.57 per GB             34%



Roles and permissions in Microsoft Sentinel (https://learn.microsoft.com/en-us/azure/sentinel/roles)
The role is assigned at the subscription level, not at the Entra ID group level.

Log Retention

Log Analytics Workspace

Settings - Tables - Default retention period is 90 days. 

To modify this configuration, go to Azure Portal - Log Analytics Workspace - <Your Workspace> - Tables - right-click the table - Manage table.



Diagram




Note: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/best-practices-for-common-event-format-cef-collection-in-azure/ba-p/969990


Content Hub & Data Connectors



You can search for "Training" in the Content Hub to find the Microsoft Sentinel Training Lab and install it in your lab environment.
  • Azure Activity
  • Network Session Essentials
  • Azure Active Directory
  • Common Event Format
  • Windows Security Events




Microsoft Sysmon For Linux

Common Event Format (CEF) via AMA (Azure Monitor Agent)


Microsoft Sentinel Training Lab Solution

This solution ingests pre-recorded data into your Microsoft Sentinel workspace and enables several artifacts to simulate scenarios that showcase various Microsoft Sentinel features. The size of the ingested data is about 20 MB, so you will see no cost related to ingestion. Pre-recorded data will land in the following custom log tables: SecurityEvent_CL, SigninLogs_CL, OfficeActivity_CL, AzureActivity_CL, Cisco_Umbrella_dns_CL.


Training guide: https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Training/Azure-Sentinel-Training-Lab




Threat Intelligence

Install Threat Intelligence from the Content Hub.
Open the connector page: Data connectors - Threat Intelligence - TAXII.
Get a free threat intelligence feed from https://pulsedive.com/ and enter:

  • API root URL: https://pulsedive.com/taxii2/api
  • Collection ID: test id
  • Username: taxii2
  • Password: your own API key


Threat Intelligence - TAXII :



Automation 





Analytics Rules


High


Medium

Issue with the built-in rule "SonicWall - Allowed SSH, Telnet, and RDP Connections"

The rule shows the error "ASimNetworkSessionSonicWallFirewall(): function expects 0 argument(s)."

Solution: remove the false argument from the rule query, since the function expects 0 arguments. The call becomes:
ASimNetworkSessionSonicWallFirewall()

The error should go away once the false argument is removed.
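As an added example (not the built-in rule's own query and not the author's code), a hunting query in the style of the fixed rule: it calls the parser with no arguments and surfaces allowed SSH, Telnet and RDP sessions. The ASim NetworkSession field names (DstPortNumber, DvcAction, SrcIpAddr, DstIpAddr) and the 1-hour lookback are assumptions.

```kql
// Added example: allowed SSH / Telnet / RDP sessions seen by the SonicWall
// ASim parser. The parser is called with no arguments, as in the fix above;
// passing `false` is what triggers the "expects 0 argument(s)" error.
let lookback = 1h;
// Assumed watch list of destination ports: 22 = SSH, 23 = Telnet, 3389 = RDP.
let watched_ports = dynamic([22, 23, 3389]);
ASimNetworkSessionSonicWallFirewall()
| where TimeGenerated > ago(lookback)
// ASim normalized fields (assumed from the NetworkSession schema).
| where DstPortNumber in (watched_ports)
| where DvcAction == "Allow"              // only sessions the firewall permitted
| extend Service = case(DstPortNumber == 22, "SSH",
                        DstPortNumber == 23, "Telnet",
                        "RDP")
| summarize SessionCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Destinations = make_set(DstIpAddr, 20)
  by SrcIpAddr, Service
| order by SessionCount desc
```

Run it in Logs first to check the volume of results before turning it into an analytics rule; a noisy source subnet (for example a jump host) can be excluded with an additional where clause on SrcIpAddr.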



KQL - Kusto Query Language

 

You can practice Kusto Query Language statements - including the ones in this article - in a Log Analytics demo environment in the Azure portal. There is no charge to use this practice environment, but you do need an Azure account to access it.


