Collect, detect, investigate, and respond to security threats using Microsoft Sentinel
What is Microsoft Sentinel?
Microsoft Sentinel is a scalable cloud-based security information and event management (SIEM). It's also a security orchestration, automation, and response (SOAR) solution. So what does that mean?
The easiest way to understand Microsoft Sentinel is to break down its capabilities.
- Collect data across all users, applications, devices, and infrastructure hardware for on-premises devices and cloud apps.
- Detect previously undetected threats, and reduce false positives. Hunt for suspicious activity and Investigate threats using AI.
- Respond to incidents with automation and orchestration.
In short, it collects, detects, investigates, and responds to threats across your organization. I think it's probably even easier to understand by setting it up and getting started.
What licenses are required for Microsoft Sentinel?
What roles/permissions are available and required?
First, the global admin has full access to create a Microsoft Sentinel workspace.
Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. This is the role that's received when you set up the workspace.
Microsoft Sentinel Automation Contributor: Allows Microsoft Sentinel to add playbooks to automation rules. It is not meant for user accounts.
Reader: View all resources but cannot make any changes.
Managed Application Operator Role: Lets you manage the managed application resources
Contributor: Can perform everything the owner can except they can't assign roles.
Logic App contributor: This allows you to manage logic apps including playbooks and incidents.
Enable Microsoft Sentinel
1. Open the Azure admin center (note, not the Azure AD admin center) > Search for Microsoft Sentinel. Click Microsoft Sentinel.
2. Click Create Microsoft Sentinel.
3. Click Create a new workspace.
4. Click Create new. Set the name to Sentinel. Click OK.
5. Set the instance name to Sentinel-Instance. Click Review + Create.
6. Click Create.
7. Click the Sentinel-Instance. Click Add.
Connect Microsoft Sentinel to data sources
Next, we'll need to connect Microsoft Sentinel to a data source. In short, this means Microsft Sentinel will ingest the data from the service or app. Sometimes, you'll need to install an agent, for example, to monitor computers/servers. In Microsoft 365 case all we need to do is set up the connector.
How to connect Office 365 with Microsoft Sentinal
1. Go to Microsoft Sentinel in the Azure admin center. Click your workspace instance. Click Data connectors. Search for Office 365 and click on the connector. Click Open connector page.
2. Click Exchange, SharePoint, and Teams checkboxes. Click Apply Changes.
How to connect Azure Active Directory with Microsoft Sentinal
1. Go to Microsoft Sentinel in the Azure admin center. Click your workspace instance. Click Data connectors. Search for Azure Active Directory and click on the connector. Click the Open connector page button.
2. Click all the checkboxes under Configuration. Click Apply Changes.
Enable diagnostic settings
Next, we'll enable the diagnostic settings to send the logs to Microsoft Sentinel.
1. Go to Microsoft Azure admin center > search for monitor > Click Monitor > Diagnostic settings.
2. Click your workspace. Click Add diagnostic setting.
3. Click audit > allLogs > AllMetrics > Send to Log Analytics workspace. Set the name to Diagnostic settings. Click Save.
How to integrate Microsoft Defender for Cloud Apps
So now we have connected a couple of pieces of Microsoft 365 but what about Microsoft Defender for Cloud Apps? To manage incidents based on alerts generated by Microsoft Cloud App Security we'll need to create a security extension in Microsoft Defender for Cloud Apps.
1. Open the Microsoft Defender for Cloud Apps portal. Click the settings gear in the top right corner. Click Security Extension.
2. Click SIEM agents > Add SIEM agent > Azure Sentinel.
3. Click Next > Close.
How to create a rule
Rules are created to turn raw data into alerts and incidents. In short, they are used to detect threats and create alerts.
1. Go to Microsoft Sentinel in the Azure admin center. Click your workspace instance. Click Analytics > Rule templates > Search for Advanced Multistage. Click Advanced Multistage Attack Detection > Create rule.
2. Click Next: Automated response > Next: Review > Create
How to create a workbook
Workbooks are like dashboards. They will show you your data in different graphs and ways. Let's create one now.
1. Go to Microsoft Sentinel in the Azure admin center. Click your workspace instance. Click Workbooks > Add workbook.
2. Click Save (the floppy disk icon) > Enter a title of Azure Sign in and usage. Click Save.
How to view a workbook
Now let's open the workbook so you know how to view it when you want to come back to it.
1. Go to Microsoft Sentinel in the Azure admin center. Click your workspace instance. Click Workbooks > My workbooks > Azure Sign in and usage > View saved workbook.
There are a number of template workbooks you can use too. Why not try to set up one now?
How to create a playbook
Playbooks are like Power Automate flows. They have a trigger and then a set of actions that happen when the trigger is initiated. Before we can create the playbook let's set up for it first.
1. Go to Microsoft Sentinel in the Azure admin center. Click your workspace instance. Automation >Playbook templates (Preview) > Block AAD user - Alert > Create playbook.
2. Click Next: Connections > Next: Review and create > Create and continue to designer.
3. Click each action in the playbook looking for yellow triangles. Once found click the exclamation in the circle. Sign in to your Microsoft 365 account. Accept the permissions.
4. Click Save.
2. Enter the playbook name of Email-on-sign-in. Click Enable diagnostics logs in Log Analytics. Click Next: Connections.
3. Click Next: Review and create > Create and continue to designer.
4. Set a condition
5. Under true click Add an action.
6. Enter "Send an email (V2) Office 365 Outlook" in the search box. Click Send an email (V2).
7. Click Sign in. In the box that opens sign in to your account.
How to review the logs
Microsoft Sentinel gathers logs and then allows you to search through the logs using Kusto Query Language (KQL), Let's check out one of the built-in queries.
1. Go to Microsoft Sentinel in the Azure admin center. Click your workspace instance > Logs. Search for All SiginLogs events and click Run.
Parts of Microsoft Sentinel
Workspaces are like tenants. You can use one workspace to store everything or you can break down your Microsoft Sentinel deployment with multiple workspaces.
Data connectors allow you to ingest data into Microsoft sentinel. Some sources simply require enabling it in Microsoft Sentinel, for example, Office 365 and Azure Active Directory. Other sources require a little more setup but it's still doable.
Log retention and querying
After the logs are ingested into Microsoft Sentinel, the data is stored in Log Analytics where you can use Kusto Query Language (KQL) to parse and find the data you need.
Workbooks are like dashboards. They are built on your log data and the KQL queries to view your data. Microsoft has a number of workbooks built-in to Microsoft Sentinel.
Playbooks are a trigger with a set of rules that allow you to automatically respond to threats. A basic playbook would be "When alert X is created then send an email"
Rules help you get notified when something suspicious happens. They turn the raw data into alerts and incidents
Alerts are the basis for incidents. They indicate that someone or something attempted to perform a malicious or suspicious event. One or more alerts will generate incidents
Microsoft Sentinel will group related alerts, assets, and other information into incidents that you can assign and work on.