Collect, detect, investigate, and respond to security threats using Microsoft Sentinel

What is Microsoft Sentinel?

Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) solution. It is also a security orchestration, automation, and response (SOAR) solution. So what does that mean?

The easiest way to understand Microsoft Sentinel is to break down its capabilities.

  • Collect data across all users, applications, devices, and infrastructure, both on-premises and in the cloud.
  • Detect previously undetected threats and reduce false positives. Hunt for suspicious activity and investigate threats with built-in analytics and machine learning.
  • Respond to incidents with automation and orchestration.

In short, it collects, detects, investigates, and responds to threats across your organization. It is easier to understand once you have set it up, so let's get started.

What licenses are required for Microsoft Sentinel?

Microsoft Sentinel has no separate license. It is billed pay-as-you-go through an Azure subscription, mostly on the volume of data ingested into the Log Analytics workspace, so the connectors you enable drive the cost. Pricing is published on the Azure pricing page, and a new Azure free account includes a $200 credit you can use to try it.

What roles/permissions are available and required?

Creating a workspace needs Azure RBAC rights, not just an Azure AD directory role: a Global Administrator has no access to Azure resources by default and must either be assigned an Azure role or elevate access to the subscription. In practice the account that creates the workspace holds Owner or Contributor on the subscription or resource group.

Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. Whoever sets up the workspace typically holds this role at the subscription or resource group scope, and the workspace inherits it.

Contributor: Can do everything Owner can except manage role assignments.

Reader: View all resources but cannot make any changes.

Microsoft Sentinel Reader: View Sentinel data, incidents, workbooks, and other Sentinel resources.

Microsoft Sentinel Responder: Everything Reader can do, plus manage incidents (assign, dismiss, change severity).

Microsoft Sentinel Contributor: Everything Responder can do, plus create and edit analytics rules, workbooks, and other Sentinel resources.

Microsoft Sentinel Playbook Operator: List, view, and manually run playbooks.

Microsoft Sentinel Automation Contributor: Allows Microsoft Sentinel to attach playbooks to automation rules. It is meant for the Sentinel service identity, not for user accounts.

Logic App Contributor: Manage Logic Apps, which is what you need to create and edit playbooks. It grants no access to Sentinel incidents; combine it with one of the Sentinel roles for that.

Managed Application Operator Role: Lets you manage managed application resources; it is not Sentinel-specific.

Assign the Sentinel roles at the resource group that holds the workspace, and give each analyst the least role that covers their work: Reader for people who only look, Responder for triage, Contributor only for those who author rules and workbooks.

Enable Microsoft Sentinel

1. Open the Azure portal (portal.azure.com, not the Azure AD admin center) and search for Microsoft Sentinel. Click Microsoft Sentinel.

2. Click Create Microsoft Sentinel.

Create Microsoft Sentinel

3. Click Create a new workspace.

Create a new workspace

4. Under Resource group click Create new. Set the name to Sentinel. Click OK.

Resource group

5. Set the instance name to Sentinel-Instance and choose the region the workspace should live in (log data stays in that region, so pick one that meets your data residency requirements). Click Review + Create.

Set the instance name and click Create

6. Click Create.

7. Select Sentinel-Instance and click Add. This enables Microsoft Sentinel on the Log Analytics workspace; the workspace is where the data actually lives, and Sentinel is the SIEM/SOAR layer on top of it.

Add Microsoft Sentinel to a workspace

Connect Microsoft Sentinel to data sources

Next, we'll connect Microsoft Sentinel to a data source, which means Microsoft Sentinel will ingest the data from that service or app. Some sources need an agent, for example monitoring computers and servers. For Microsoft 365 services all we need to do is enable the connector.

How to connect Office 365 with Microsoft Sentinel

1. Go to Microsoft Sentinel in the Azure portal. Click your workspace instance. Click Data connectors. Search for Office 365 and click on the connector. Click Open connector page.

Microsoft Sentinel | Data connectors

2. Tick the Exchange, SharePoint, and Teams checkboxes. Click Apply Changes. Enabling this connector requires Global Administrator or Security Administrator on the Microsoft 365 tenant, and the audit events land in the OfficeActivity table.

Configure Office 365 data connector

How to connect Azure Active Directory with Microsoft Sentinel

1. Go to Microsoft Sentinel in the Azure portal. Click your workspace instance. Click Data connectors. Search for Azure Active Directory and click on the connector. Click the Open connector page button.

Microsoft Sentinel Azure AD Data connector

2. Tick all the checkboxes under Configuration. Click Apply Changes. Exporting sign-in logs requires an Azure AD Premium P1 or P2 license. Interactive sign-ins land in SigninLogs and directory changes in AuditLogs; the other checkboxes feed the non-interactive, service principal, and managed identity sign-in tables.

Configure Azure AD data connector
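Connectors can be enabled and still deliver nothing (missing license, missing tenant role, or simply no activity yet), so check ingestion before relying on them. The query below is an added example, not part of the original walkthrough; run it in the workspace's Logs blade. isfuzzy=true keeps it working while a table does not exist yet, which is the case until the first row for it arrives.

```kql
// Added check (not from the original post): confirm the Office 365 and Azure AD
// connectors are actually delivering data to the workspace.
union withsource=SourceTable isfuzzy=true
    OfficeActivity, SigninLogs, AuditLogs,
    AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs
| where TimeGenerated > ago(24h)
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated) by SourceTable
// Connector latency is normally minutes; a large gap here means the feed has stalled.
| extend MinutesSinceLastEvent = datetime_diff('minute', now(), LastSeen)
| order by SourceTable asc
```

A table that is missing from the result has received no rows at all in the window. For OfficeActivity, a follow-up `summarize count() by OfficeWorkload` tells you whether Exchange, SharePoint, and Teams are all reporting.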

Enable diagnostic settings

Next, we'll add a diagnostic setting on the Log Analytics workspace itself. This sends the workspace's own audit logs (the Audit category, which records every query run against the workspace) and its metrics back into the workspace, so you can later see who is querying your Sentinel data.

1. In the Azure portal, search for Monitor, click Monitor, then click Diagnostic settings.

Open diagnostic settings

2. Click your Log Analytics workspace. Click Add diagnostic setting.

Add diagnostic setting

3. Tick audit, allLogs, and AllMetrics, then tick Send to Log Analytics workspace and choose the same workspace. Set the name to Diagnostic settings. Click Save.

Create diagnostic settings
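Once that setting is in place, the Audit category lands in the LAQueryLogs table, which is how you audit access to the SIEM itself: an analyst account pulling whole tables, or a service principal querying identity data at odd hours, shows up here. This query is an added example, not from the original post; the table names it treats as sensitive are an assumption for this tenant.

```kql
// Added example (not from the original post): who has been querying the workspace,
// how many queries failed, and how much data each identity pulled in the last week.
LAQueryLogs
| where TimeGenerated > ago(7d)
// Assumed list of tables we consider sensitive for this tenant.
| extend TouchesIdentityData = QueryText has_any ("SigninLogs", "OfficeActivity", "AuditLogs")
| summarize Queries = count(),
            FailedQueries = countif(ResponseCode != 200),
            IdentityQueries = countif(TouchesIdentityData),
            RowsReturned = sum(ResponseRowCount),
            LastQuery = max(TimeGenerated)
    by AADEmail, RequestClientApp
| order by RowsReturned desc
```

RequestClientApp separates portal use from API and SDK clients, which is usually the first thing to look at when an identity you do not recognise appears.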

How to integrate Microsoft Defender for Cloud Apps

So now we have connected a couple of pieces of Microsoft 365, but what about Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security)? To manage incidents based on its alerts we'll need to create a security extension in Microsoft Defender for Cloud Apps.

1. Open the Microsoft Defender for Cloud Apps portal. Click the settings gear in the top right corner. Click Security Extension.

Open Security Extensions

2. Click SIEM agents > Add SIEM agent > Azure Sentinel.

Add SIEM agent Microsoft Sentinel

3. Click Next > Close.

How to create a rule

Analytics rules turn raw data into alerts and incidents. In short, they detect threats and create alerts, and an incident is then built from one or more related alerts.

1. Go to Microsoft Sentinel in the Azure portal. Click your workspace instance. Click Analytics > Rule templates and search for Advanced Multistage. Click Advanced Multistage Attack Detection > Create rule.

Create Microsoft Sentinel rule

2. Click Next: Automated response > Next: Review > Create.

Advanced Multistage Attack Detection is Microsoft's Fusion rule: a single built-in correlation engine that combines lower-fidelity signals from many connected sources into a small number of high-fidelity incidents. Only one Fusion rule can exist per workspace, and in many workspaces it is already enabled; if the template is greyed out, that is why.
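The Fusion template needs no query of your own. A custom detection is a scheduled analytics rule whose body is a KQL query that Sentinel runs on a timer over the lookback period you set (the rule applies that period itself, so the query needs no ago() filter). The following is an added example, not part of the original post: it flags a source IP that failed to sign in to several accounts and then succeeded against one of them, which is what a password spray that found a weak password looks like in SigninLogs. The thresholds, the rule schedule, and the excluded result codes are assumed starting points.

```kql
// Added example scheduled rule query (not from the original post).
// Assumed rule settings to pair with it: run every 1 hour, look back 1 hour,
// trigger when results > 0, map AccountCustomEntity to Account and IPCustomEntity to IP.
let failure_threshold = 10;   // assumed: failed attempts from one IP before we care
let min_targets = 3;          // assumed: distinct accounts hit, i.e. spray-like behaviour
let failures = SigninLogs
    | where ResultType != "0"                  // "0" is a successful sign-in
    | where ResultType !in ("50074", "50076")  // interrupted by an MFA prompt, not a bad password
    | summarize FailedAttempts = count(),
                TargetedUsers = dcount(UserPrincipalName),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated) by IPAddress
    | where FailedAttempts >= failure_threshold and TargetedUsers >= min_targets;
let successes = SigninLogs
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress,
              UserPrincipalName, AppDisplayName, UserAgent;
failures
| join kind=inner successes on IPAddress
| where SuccessTime > LastFailure               // the success came after the failures
| project SuccessTime, FirstFailure, LastFailure, IPAddress,
          FailedAttempts, TargetedUsers, UserPrincipalName, AppDisplayName, UserAgent
// Entity mapping columns: these let Sentinel attach the account and IP to the incident.
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
```

Before enabling a rule like this, run the query in Logs over the last few days and look at what it returns: shared egress IPs (VPN concentrators, proxies) will trip the threshold legitimately, and they belong in an exclusion list or a watchlist rather than in a raised threshold.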

How to create a workbook

Workbooks are like dashboards. They show your data in different graphs and views. Let's create one now.

1. Go to Microsoft Sentinel in the Azure portal. Click your workspace instance. Click Workbooks > Add workbook.

Add workbook to Microsoft Sentinel

2. Click Save (the floppy disk icon) > Enter a title of Azure Sign in and usage. Click Save.

Save your new workbook

How to view a workbook

Now let's open the workbook so you know how to view it when you want to come back to it.

1. Go to Microsoft Sentinel in the Azure portal. Click your workspace instance. Click Workbooks > My workbooks > Azure Sign in and usage > View saved workbook.

View saved workbook

There are a number of template workbooks you can use too. Why not try to set up one now?

How to create a playbook

Playbooks are Azure Logic Apps workflows, much like Power Automate flows: a trigger followed by a set of actions that run when the trigger fires. Before we build a playbook from scratch, let's start from a template.

1. Go to Microsoft Sentinel in the Azure portal. Click your workspace instance. Click Automation > Playbook templates (Preview) > Block AAD user - Alert > Create playbook.

Create a playbook

2. Click Next: Connections > Next: Review and create > Create and continue to designer.

3. Click each action in the playbook looking for yellow warning triangles. Where you find one, click the exclamation in the circle, sign in to your Microsoft 365 account, and accept the permissions. The account you authorize here is the identity the playbook acts as, so it needs the rights the action requires (blocking a user needs a directory role that can update users) and should be a dedicated account or managed identity rather than an analyst's own account.

Setup the connections

4. Click Save.

A second playbook, built from a blank one rather than a gallery template, goes through the same create wizard and then adds a condition and an email action:

1. Enter the playbook name Email-on-sign-in. Tick Enable diagnostics logs in Log Analytics. Click Next: Connections.

Create a playbook: Basic Settings

2. Click Next: Review and create > Create and continue to designer.

3. Add a Condition action and set its expression.

4. Under True click Add an action.

5. Enter "Send an email (V2) Office 365 Outlook" in the search box. Click Send an email (V2).

Send an email (V2) Office 365 Outlook

6. Click Sign in. In the box that opens, sign in to your account. As with the template playbook, the mailbox you sign in with is the one the playbook will send from.

Sign in to Office 365 Outlook

How to review the logs

Microsoft Sentinel stores the logs it gathers in the Log Analytics workspace and lets you search them with Kusto Query Language (KQL). Let's check out one of the built-in queries.

1. Go to Microsoft Sentinel in the Azure portal. Click your workspace instance > Logs. In the Queries pane search for All SigninLogs events and click Run.

View Microsoft Sentinel Logs
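The built-in query simply lists the SigninLogs table. The query you actually reach for when an incident names an account is an investigation query like the one below: it compares the account's recent sign-ins against the countries it successfully signed in from over the previous three months, so a first-ever location stands out. This is an added example, not from the original post; the user principal name and the baseline window are assumed placeholders.

```kql
// Added example investigation query (not from the original post).
let suspect = "alice@contoso.example";   // assumed placeholder; use the account from the incident
// Baseline: countries this account successfully signed in from before the period under review.
let baseline = SigninLogs
    | where TimeGenerated between (ago(90d) .. ago(14d))   // assumed baseline window
    | where UserPrincipalName =~ suspect and ResultType == "0"
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | distinct Country;
SigninLogs
| where TimeGenerated > ago(14d)
| where UserPrincipalName =~ suspect
| extend Country = tostring(LocationDetails.countryOrRegion),
         City = tostring(LocationDetails.city),
         OS = tostring(DeviceDetail.operatingSystem),
         Browser = tostring(DeviceDetail.browser)
| extend Outcome = iff(ResultType == "0", "Success", strcat("Failed: ", ResultDescription)),
         NewCountry = Country !in (baseline)     // never seen a success from here before
| project TimeGenerated, Outcome, NewCountry, IPAddress, Country, City, AppDisplayName,
          ConditionalAccessStatus, RiskLevelDuringSignIn, RiskState, OS, Browser
| order by TimeGenerated desc
```

A successful sign-in with NewCountry true, a browser the user never used, and ConditionalAccessStatus of notApplied is the combination that turns a noisy alert into a real incident; a cluster of failures followed by a success from the same IP is the same pattern the scheduled rule above looks for, now seen from the account's side.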

Parts of Microsoft Sentinel

Workspace

A workspace is a Log Analytics workspace with Microsoft Sentinel enabled on it. It is the boundary for data storage, retention, access control, and cost, so you can keep everything in one workspace or split a deployment across several (for example by region or subsidiary) and query across them.

Data connectors

Data connectors ingest data into Microsoft Sentinel. Some sources only need to be enabled in Microsoft Sentinel, for example Office 365 and Azure Active Directory. Others need an agent or a forwarder (Syslog, CEF, Windows event collection), but are still straightforward to set up.

Log retention and querying

After the logs are ingested, the data is stored in Log Analytics, where you use Kusto Query Language (KQL) to parse and find the data you need. Retention is set per workspace (and optionally per table); the first 90 days of retention are free for a Sentinel-enabled workspace, and anything beyond that is billed.

Workbooks

Workbooks are like dashboards. They are built from KQL queries over your log data and present the results as charts, grids, and tiles. Microsoft ships a number of workbooks built in to Microsoft Sentinel.

Playbook

Playbooks are a trigger followed by a set of actions that let you respond to threats automatically. A basic playbook would be "When alert X is created, send an email".

Analytic Rules

Analytics rules notify you when something suspicious happens. They turn the raw data into alerts and incidents.

Alerts

Alerts are the basis for incidents. An alert indicates that an analytics rule or a connected security product saw activity it considers malicious or suspicious. One or more related alerts are grouped into an incident.

Incidents

Microsoft Sentinel will group related alerts, assets, and other information into incidents that you can assign and work on.