
Thursday, July 25, 2019

Azure Sentinel

Since we have Azure Sentinel in preview, let’s give it a test spin.

Azure Sentinel is a cloud-native security information and event management (SIEM) platform that uses built-in AI to help analyze large volumes of data across the enterprise.

Azure Sentinel aggregates data from a lot of sources, including users, applications, servers and devices running on-premises or in the cloud, giving you a fast overview of millions of records.

First we will add Azure Sentinel to our favorites.

image

And then select it.

image

Here we will add a new workspace.

image

Select Create a new workspace.

image

We will first create a new resource group.

image

Name the resource group according to your preferences.

image

Now let's name the workspace, select the right Azure subscription and location, and click on the Pricing tier.

image

For this test we will just select the Free tier.

image

And then with all settings in place we can click OK.

image

Select the newly created workspace and click on Add Azure Sentinel.

image

Click Connect.

image

For this test we will include Azure Active Directory and Office 365, but as you can see there are a lot of sources available.

First select Azure Active Directory connector and click on Open connector page.

image

On both Azure Active Directory Sign-in Logs and Azure Active Directory Audit logs click Connect.

image

The buttons will then change status to Disconnect.

image

Go back to the Data connectors and select Office 365 and Open connector page.

image

Click Install solution.

image

Status will then change to Uninstall Solution.

image

The next step is to add your Office 365 tenant: click Add tenant.

image

Sign in to your tenant (as Global Admin or Security Admin).

image

Click Accept to grant permissions.

image

You will then see this window; just close it.

image

Click refresh to see your tenant, then select SharePoint and Exchange and Save.

image

Next we will install some dashboards. In Azure Sentinel select Dashboards; in this test we will install Azure AD Audit Logs, Azure AD Sign-in logs, Exchange Online, Office 365, and SharePoint & OneDrive.

image

image

We will have to wait for data to arrive, but on the overview page we can already see alerts, events and data anomalies.

image
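Before trusting the dashboards it is worth confirming that every connector enabled above is actually delivering data. The following Log Analytics (KQL) query is an added example, not part of the original post; it runs in the workspace's Logs blade and counts records per connected source over the last day, assuming the standard table names SigninLogs, AuditLogs and OfficeActivity.

```kql
// Constructed ingestion check (not from the original post).
// SigninLogs and AuditLogs are filled by the Azure Active Directory connector,
// OfficeActivity by the Office 365 connector (Exchange and SharePoint workloads).
// isfuzzy=true keeps the union working even while a table does not exist yet,
// so a source that is simply missing from the output has not delivered any data.
let lookback = 1d;
union isfuzzy=true
    (SigninLogs
        | where TimeGenerated > ago(lookback)
        | extend Source = "AzureAD/SigninLogs"),
    (AuditLogs
        | where TimeGenerated > ago(lookback)
        | extend Source = "AzureAD/AuditLogs"),
    (OfficeActivity
        | where TimeGenerated > ago(lookback)
        // OfficeWorkload distinguishes Exchange from SharePoint/OneDrive events
        | extend Source = strcat("Office365/", OfficeWorkload))
| summarize Records = count(), LastSeen = max(TimeGenerated) by Source
| order by Source asc
```

A source whose LastSeen value stops advancing while users are active usually means the connector was disconnected or the tenant consent was revoked, so this query also makes a reasonable scheduled health check.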

On each Dashboard we will see a detailed view of the data collected (here are just some examples).

image

image

image

This solution is a good way of getting visibility into threats against our company. Now test it in your own environment.
