15/07/2019 Step-by-Step Guide to Deploy Azure Sentinel - Infused Innovations https://www.infusedinnovations.com/blog/intelligent-cloud/step-by-step-guide-to-deploy-azure-sentinel 1/14
Step-by-Step Guide to Deploy Azure Sentinel
May 6, 2019
By Dan Chemistruck
Azure Sentinel is by far the most exciting announcement out of Redmond so far this year. Aside from that, what is Azure Sentinel? It’s a 100% cloud-based Security Information Event Management (SIEM) solution. I’ve been referring to Log Analytics with Azure Security Center as Microsoft’s cloud SIEM solution for a couple years, but Azure Sentinel allows you to collect logs from anywhere. ANYWHERE. When you deploy Azure Sentinel, anything that ships Common Event Format (CEF) logs over port 514 can integrate with Azure Sentinel. Even more exciting is the one-click setup for a number of data connectors:
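Because CEF over syslog is the generic integration path just described, here is an added example (not code from the original post, and not Microsoft's connector) of how a collector parses one CEF record into header fields and extension key/value pairs, including the escaped pipe and escaped equals sign the format allows. The sample record, vendor and field values are constructed.

```python
import re

# Constructed sample record (syslog-framed CEF, not a real device log).
SAMPLE = (
    "<134>Jul 15 10:21:05 fw01 CEF:0|Acme|Firewall|2.1|100|Blocked outbound|7|"
    "src=10.1.2.3 spt=51234 dst=203.0.113.9 dpt=514 proto=UDP "
    "msg=Policy violation\\= rule 42 act=deny"
)

HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "event_class_id", "name", "severity")
# Extension: key=value pairs; a value runs until the next " key=" token,
# so values may contain spaces. "\\." keeps escaped characters together.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?= \w+=|$)")


def _split_header(body):
    """Split the seven pipe-delimited header fields, honouring \\| and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped pipe or backslash
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) == 6 and cur:                   # record with no extension part
        fields.append("".join(cur))
    if len(fields) != 7:
        raise ValueError("malformed CEF header: %r" % body)
    return fields, body[i:]                        # remainder is the extension


def parse_cef(line):
    """Parse one CEF line (optionally prefixed by a syslog header) into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    fields, ext = _split_header(line[start + len("CEF:"):])
    rec = dict(zip(HEADER_KEYS, fields))
    rec["severity"] = int(rec["severity"])         # CEF severity is 0-10
    rec["extension"] = {k: v.replace("\\=", "=").replace("\\\\", "\\")
                        for k, v in _EXT_RE.findall(ext)}
    return rec


if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```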
What is Security Information Event Management (SIEM)?
Think about your one friend that has memorized every line from every Marvel movie. And now think about every time he corrects you when you misquote the movie or mistake which movie a specific scene was from. It’s that, but for your hybrid cloud network. Your friend knows what to expect and he throws an exception when something is out of place.
Every time you sign into Outlook, an audit log is generated. Any time you share a file in OneDrive, a log is generated. When you connect your personal phone to the corporate network, a log is generated. If your frustrated senior IT engineer tries to download all of your intellectual property from Teams and then deploy EternalBlue to the entire network, then a LOT of logs are generated. SIEM collects all of those logs and uses trained machine learning models to generate risk profiles for users and devices on your network based on expected behavior.
So when unusual behavior occurs, like stealing your IP, an alert is generated and Microsoft Cloud App Security with Azure Logic Apps can be used to automatically block the download and lock the user out of your tenant. If a user logs in from Italy 30 minutes after they left the office in Boston, the login can be automatically blocked.
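The Boston-to-Italy scenario is a classic impossible-travel check. As an added example (not code from the post and not how Microsoft's products implement it), the following runs that detection over constructed sign-in events: it orders each user's sign-ins, computes the great-circle distance between consecutive ones, and flags any pair whose implied speed exceeds a plausibility ceiling. The 1,000 km/h ceiling and the approximate city coordinates are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed ceiling: generous for commercial air travel, so anything faster is not credible.
MAX_PLAUSIBLE_KMH = 1000.0

# Constructed sign-in events (not real telemetry): (user, UTC time, lat, lon, label)
SIGNINS = [
    ("alice", "2019-05-06T13:00:00", 42.3601, -71.0589, "Boston"),
    ("alice", "2019-05-06T13:30:00", 41.9028, 12.4964, "Rome"),    # 30 min later
    ("bob",   "2019-05-06T09:00:00", 42.3601, -71.0589, "Boston"),
    ("bob",   "2019-05-06T18:30:00", 41.9028, 12.4964, "Rome"),    # 9.5 h later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev, cur):
    """Speed a user would need to reach the location of `cur` from `prev`."""
    hours = (datetime.fromisoformat(cur[1]) - datetime.fromisoformat(prev[1])).total_seconds() / 3600
    dist = haversine_km(prev[2], prev[3], cur[2], cur[3])
    if hours <= 0:                       # simultaneous sign-ins: impossible if apart
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_label, to_label, speed_kmh) for each implausible hop."""
    alerts, last_seen = [], {}
    for ev in sorted(signins, key=lambda e: (e[0], e[1])):   # per user, by time
        prev = last_seen.get(ev[0])
        if prev is not None:
            speed = implied_speed_kmh(prev, ev)
            if speed > max_kmh:
                alerts.append((ev[0], prev[4], ev[4], round(speed)))
        last_seen[ev[0]] = ev
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS):
        print("impossible travel:", alert)
```

Alice's hop implies well over 10,000 km/h and is flagged; Bob's 9.5-hour gap works out to roughly 700 km/h and passes.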
Digital forensics and breach investigation
SIEM also provides the digital forensics that allow you to investigate the attack chain of a breach in its entirety. With Microsoft analyzing 6.5 trillion signals daily, they have the largest security dataset of any company in the world. Even more data points than your friend that’s watching Avengers Endgame for the fifth time as we speak.
To get the full value out of Azure Sentinel for your Microsoft 365 environment, you need EM+S E5, M365 E5 or something similar to collect telemetry from MCAS and AADP2. As with all Microsoft products, you can review our blog on Microsoft 365 subscription licenses to make sure you have access to all the security products discussed in this post.
Deploy Azure Sentinel in 5 Minutes
If you already have Log Analytics and Azure Security Center deployed, as all of our customers do, it takes 5 minutes to deploy Azure Sentinel. However, if you don’t have those services set up yet, it might take you 15 minutes to deploy. Before we jump into configuring data connectors and dashboards, let’s go through the prerequisites quickly.
Prerequisites: Configuring Log Analytics and Azure Security Center
Our engineers will gladly assist you through customizing Log Analytics deployments for your environment, but let’s just create a workspace for demonstration purposes.
1. Navigate to the Log Analytics blade in the Azure Portal
2. Click Add and complete the form to create a new Log Analytics Workspace. (Note: Refer to the Azure Sentinel documentation to make sure Sentinel is available in your region.)
Infused Innovations does not recommend deploying Azure Security Center with only these configurations in production environments. This is the minimal configuration to deploy Sentinel. It is important to tune Azure Security Center policies and alerts to meet your organization’s specific regulatory requirements. The out-of-box configuration of Azure Security Center is not sufficient for most organizations, but does provide immediate insights into your environment.
Deploy Azure Sentinel
Now for the easy part.
1. Log in to https://portal.azure.com, click All Services and search for Azure Sentinel
2. Click the Connect Workspace button
Now that you’re ingesting data into Azure Sentinel, let’s enable Fusion. Fusion for Azure Sentinel uses ML to help reduce alert fatigue and false positives. Fully utilizing the Microsoft Intelligent Security Graph to correlate millions of low-fidelity signals for unusual behavior across the entire Microsoft ecosystem, Fusion attempts to reduce the amount of security cases to investigate.
To enable Fusion for Azure Sentinel, open the Cloud Shell in the Azure Portal and enter the following command:
Be sure to swap out your subscription GUID and Log Analytics Workspace Name along with the surrounding curly brackets.
Configure Dashboards, Notebooks, and Queries in Azure Sentinel
Configuring dashboards in Azure Sentinel is as easy as opening the Dashboards blade, clicking on the data connector solution that we just set up, and clicking install.
Once your dashboards are installed, you can start using them for threat hunting. Another helpful resource to identify threats is the Hunting blade, which includes a number of built-in log queries.
The last item that you’ll want to take a look at is importing Microsoft’s Azure Sentinel Notebooks from GitHub for some guided-hunting patterns. Click on the Notebooks blade and then Clone Azure Sentinel Notebooks. This will guide you through importing the notebooks from GitHub.
Closing thought on Deploying Azure Sentinel
I thought deploying Azure Security Center in 10 minutes was totally rad. But deploying a cloud-native SIEM solution in five minutes is ridiculous. Enabling Azure Sentinel is so simple, there’s no reason not to do it. Unless you’re the CFO and not knowing the pricing gives you anxiety. Or if you’re the COO and products labeled “Public Preview” make you nervous in a production environment. Azure Sentinel is free during the public preview, and I highly recommend checking it out.
The ease of enabling telemetry from multiple data sources is mind-blowing. The innovation that Microsoft continues to make in the security space never ceases to amaze me. I am looking forward to this product going GA so we can formally incorporate it into our cloud security and orchestration platform, Secqur.
Happy hunting!
2 thoughts on “Step-by-Step Guide to Deploy Azure Sentinel”
IJ
May 14, 2019 at 9:40 am
Hello,
Thanks for the walkthrough. Can you please give a reference for “Turn on Auto Provisioning (this will cost you $15/mo per VM plus any data overages)”. I am not able to find it on https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection#enable-automatic-provisioning-of-microsoft-monitoring-agent nor at https://azure.microsoft.com/en-gb/pricing/calculator/