Microsoft Sentinel

Cybersecurity Demystify

Step-by-Step Guide on How to Set Up and Configure Microsoft Sentinel for Seamless Security Management

How to Set Up and Configure Microsoft Sentinel

In today’s fast-evolving digital landscape, businesses continuously face security challenges. Microsoft Sentinel is a cloud-native security information and event management (SIEM) solution with built-in security orchestration, automation and response (SOAR), designed to provide threat detection, visibility across your data sources, and automated response. With the growing number of cyber threats, configuring a SIEM such as Microsoft Sentinel is an important step in keeping your data and infrastructure safe. In this step-by-step guide, I will walk you through setting up and configuring Microsoft Sentinel so that you can make full use of its capabilities to protect your organization from malicious activity.

What is Microsoft Sentinel?

Microsoft Sentinel is a cloud-based SIEM solution that lets organizations detect, investigate, and respond to security threats across their enterprise. Sentinel collects, analyzes, and visualizes security data from a wide range of sources, and uses built-in analytics, machine learning and automation to reduce manual effort and improve response time. It runs on top of an Azure Log Analytics workspace: every data connector writes into tables in that workspace, and every analytics rule, hunting query and workbook is a Kusto Query Language (KQL) query over those tables.

Why Use Microsoft Sentinel?

Prerequisites for Setting Up Microsoft Sentinel

Before diving into the setup process, ensure you have the following prerequisites in place:

Create a Microsoft Sentinel Instance

1. Log in to the Azure Portal.
2. Search for Microsoft Sentinel in the search bar and select Microsoft Sentinel from the results.
3. In the Microsoft Sentinel dashboard, click + Create.
4. On the Add Microsoft Sentinel to a workspace page, click + Create a new workspace.
5. Choose the correct Subscription, and select an existing Resource group or create a new one.
6. Give your workspace a meaningful Name and select a Region. The region determines where your log data is stored and cannot be changed after the workspace is created, so choose one that satisfies your data-residency requirements.
7. Click Review + Create, then click Create.

Add Log Analytics Workspace to Sentinel

1. Click Microsoft Sentinel > Create, and select the Log Analytics workspace that you want to associate with Sentinel.
2. Click the Add button.

Note: enabling Sentinel on a workspace requires Contributor permissions on the subscription that holds the workspace, and Microsoft Sentinel is billed on top of the Log Analytics ingestion charges, so decide early which data you actually need to collect.
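The portal steps above, done from PowerShell instead, as an added example that is not code from the original post. It assumes the Az.Accounts, Az.OperationalInsights and Az.SecurityInsights modules are installed (New-AzSentinelOnboardingState and Get-AzSentinelOnboardingState come from Az.SecurityInsights), that the signed-in account has Contributor on the subscription, and placeholder values for the subscription ID, resource group and workspace name.

```powershell
# Added example (not code from the original post): create the Log Analytics
# workspace and enable Microsoft Sentinel on it from PowerShell.
# Assumes Az.Accounts, Az.OperationalInsights and Az.SecurityInsights, and an
# account with Contributor on the subscription. Values below are placeholders.
$Subscription  = "00000000-0000-0000-0000-000000000000"   # placeholder
$ResourceGroup = "rg-sentinel-demo"                        # placeholder
$Workspace     = "law-sentinel-demo"                       # placeholder
$Location      = "eastus"                                  # data residency: cannot be changed later

Connect-AzAccount -Subscription $Subscription | Out-Null

# "Create a Microsoft Sentinel Instance": resource group plus workspace.
# PerGB2018 is the pay-as-you-go tier; retention is set explicitly so the default
# does not silently decide how far back an investigation can look.
New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null
$ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $Workspace `
        -Location $Location -Sku PerGB2018 -RetentionInDays 90
if ($ws.ProvisioningState -ne "Succeeded") {
    throw "Workspace provisioning state is '$($ws.ProvisioningState)'"
}

# "Add Log Analytics Workspace to Sentinel": onboarding is a child resource of the
# workspace that is always named 'default'
# (Microsoft.SecurityInsights/onboardingStates/default).
New-AzSentinelOnboardingState -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace `
        -Name "default" -CustomerManagedKey:$false | Out-Null

# Verify rather than trust: connectors, analytics rules and workbooks only attach
# to a workspace that reports Sentinel as onboarded.
$state = Get-AzSentinelOnboardingState -ResourceGroupName $ResourceGroup `
             -WorkspaceName $Workspace -Name "default"
if (-not $state) { throw "Sentinel is not onboarded on workspace $Workspace" }
"Sentinel enabled on $($ws.ResourceId)"
```

Scripting the build makes it repeatable across subscriptions and lets you assert on the resulting state instead of trusting a portal banner; the same script is also what you would keep next to your Sentinel content in source control.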
Connect Data Sources

Next, we are going to connect data sources to Microsoft Sentinel. For this example, I am going to connect Microsoft Defender for Endpoint to Microsoft Sentinel.

How to Connect Microsoft Defender for Endpoint Data with Microsoft Sentinel

1. Click Content management, then Content hub (or click Go to Content hub from the Microsoft Sentinel overview) to install the Microsoft Defender connector.
2. Type Defender in the search box and press Enter.
3. Select Microsoft Defender for Endpoint and click Install. This installs the solution together with its dependencies (the data connector and the analytics rule templates and workbooks that ship with it).
4. Click Data connectors, select Microsoft Defender for Endpoint, and click Open connector page.
5. Click the blue Connect button under Configuration.

The Microsoft Defender for Endpoint connector is now connected. Connecting it requires a Defender for Endpoint license and, on the tenant, a role that can grant the tenant-level consent (Security Administrator or Global Administrator) in addition to write access on the workspace. This connector brings Defender for Endpoint alerts into the SecurityAlert table; if you also want the incidents and advanced-hunting tables from the rest of the Defender suite, install and connect the Microsoft Defender XDR solution instead, which includes the Defender for Endpoint data.

Click here to learn how to analyze malware incidents in Microsoft Sentinel.

Set Up Dashboards and Visualizations

To get a quick overview of your security posture, you can create custom dashboards and visualizations with workbooks.

1. In Microsoft Sentinel, click Workbooks under the Threat management section.
2. Click + Add workbook to create a new workbook. For this example, I will install the Workspace Usage Report.
3. Select Workspace Usage Report and click Install.
4. Click Configuration, select Workspace Usage Report and click Save.
5. Select a location (for example, East US) in which to save the workbook and click Yes.

The workbook is created, and you can customize it to meet your needs. The Workspace Usage Report is a useful first workbook because it shows ingestion volume per table, which is what drives your Log Analytics and Sentinel bill.

How to Ingest Logs from On-Premises Windows Server to Microsoft Sentinel

Ingest Logs from On-Premises Windows Server to Microsoft Sentinel

In today’s digital landscape, security is a top priority for organizations of all sizes. One effective way to strengthen your security posture is centralized log management and analysis. Microsoft Sentinel, a scalable and intelligent SIEM solution, provides real-time monitoring and analysis of security events. In this post, I will walk you through ingesting logs from an on-premises Windows Server into Microsoft Sentinel for analysis, which helps you detect and respond to threats efficiently.

Why Ingest Logs into Microsoft Sentinel?

Before diving into the technical steps, it’s important to understand why ingesting logs into Microsoft Sentinel is crucial:

Prerequisite

Before you proceed with the steps, ensure your machine is onboarded to Azure Arc. Click here to learn how to onboard a Windows server to Azure using Azure Arc. Azure Arc makes the server an Azure resource, which is what lets you attach a data collection rule to it and have the Azure Monitor Agent (AMA) installed on it; the legacy Log Analytics agent is no longer the supported path.

Install the Connector and Create a Data Collection Rule

1. In Microsoft Sentinel, click Content hub under the Content management section, search for Windows Security Events via AMA, press Enter and click Install.
2. Click Data connectors under the Configuration section, select Windows Security Events via AMA, and click Open connector page.
3. Click + Create data collection rule.
4. On the Basics tab, give your rule a name and select your Subscription and Resource group. Click Next: Resources.
5. On the Resources tab, select the resource from which you would like to collect data. Note: if you have multiple subscriptions, click the down arrow under Subscriptions (Select: All) to pick your subscription, click Resource Groups to narrow the list to a resource group, and specify the Resource Types and Location as needed. Arc-enabled servers appear here as Microsoft.HybridCompute/machines resources. Click Next: Collect.
6. Select which events you would like to collect based on your organization’s needs. For this example, I will select All Security Events. The other options, Common and Minimal, are curated subsets that cut ingestion volume (and cost) considerably; All Security Events is fine for a lab, but in production start from Common or a Custom XPath filter and add the event IDs you actually have a detection for. Click Next: Review + Create, review your rule, and click Create.
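The same data collection rule built from PowerShell, as an added example that is not code from the original post. It assumes the Az.Accounts, Az.Resources, Az.OperationalInsights and Az.ConnectedMachine modules, a workspace already onboarded to Sentinel, a server already connected to Azure Arc, and placeholder names for the resource groups, workspace and machine. The rule body follows the Microsoft.Insights/dataCollectionRules resource schema, which is what the portal generates behind the Windows Security Events via AMA connector.

```powershell
# Added example (not code from the original post): create the "Windows Security
# Events via AMA" data collection rule and attach it to an Azure Arc-enabled server
# from PowerShell. Assumes Az.Accounts, Az.Resources, Az.OperationalInsights and
# Az.ConnectedMachine, a workspace already onboarded to Sentinel, and a server
# already connected to Azure Arc. All names are placeholders.
$ResourceGroup    = "rg-sentinel-demo"   # workspace resource group (placeholder)
$Workspace        = "law-sentinel-demo"  # placeholder
$ArcResourceGroup = "rg-onprem-arc"      # resource group of the Arc machine (placeholder)
$ArcMachineName   = "SRV01"              # placeholder
$RuleName         = "dcr-windows-security-events"

$ws  = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $Workspace
$arc = Get-AzConnectedMachine -ResourceGroupName $ArcResourceGroup -Name $ArcMachineName

# Event filter, expressed as an XPath query over the Security channel.
# "All Security Events" in the portal is 'Security!*'. The scoped query keeps only
# logon-related events: 4624/4625 logon success/failure, 4648 explicit credentials,
# 4672 privileged logon, 4740 lockout, 4776 NTLM credential validation.
$AllSecurityEvents = 'Security!*'
$LogonEvents = 'Security!*[System[(EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672 or EventID=4740 or EventID=4776)]]'

# Properties follow the Microsoft.Insights/dataCollectionRules schema. The
# Microsoft-SecurityEvent stream is what lands rows in the SecurityEvent table.
$props = @{
    dataSources  = @{
        windowsEventLogs = @(@{
            name         = "securityEvents"
            streams      = @("Microsoft-SecurityEvent")
            xPathQueries = @($LogonEvents)          # use $AllSecurityEvents for a lab
        })
    }
    destinations = @{
        logAnalytics = @(@{ name = "sentinel"; workspaceResourceId = $ws.ResourceId })
    }
    dataFlows    = @(@{ streams = @("Microsoft-SecurityEvent"); destinations = @("sentinel") })
}
$dcr = New-AzResource -ResourceGroupName $ResourceGroup -ResourceType "Microsoft.Insights/dataCollectionRules" `
        -ResourceName $RuleName -Location $ws.Location -Kind Windows -ApiVersion "2022-06-01" `
        -Properties $props -Force

# The portal installs the Azure Monitor Agent for you; outside the portal the
# extension must be installed explicitly or the rule collects nothing.
New-AzConnectedMachineExtension -Name AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent `
        -Publisher Microsoft.Azure.Monitor -ResourceGroupName $ArcResourceGroup `
        -MachineName $ArcMachineName -Location $arc.Location -EnableAutomaticUpgrade | Out-Null

# Associate the rule with the machine. The association is an extension resource
# under the machine, not under the rule.
$assocId = "$($arc.Id)/providers/Microsoft.Insights/dataCollectionRuleAssociations/$RuleName-assoc"
New-AzResource -ResourceId $assocId -ApiVersion "2022-06-01" `
        -Properties @{ dataCollectionRuleId = $dcr.ResourceId } -Force | Out-Null

# Verify the association points at the rule that was just created.
$assoc = Get-AzResource -ResourceId $assocId -ApiVersion "2022-06-01"
if ($assoc.Properties.dataCollectionRuleId -ne $dcr.ResourceId) {
    throw "Association on $ArcMachineName does not reference $RuleName"
}
"Rule $RuleName associated with $ArcMachineName; events should appear in SecurityEvent within a few minutes."
```

The XPath filter is the knob that matters for cost: every event the query matches is shipped and billed, so keep the filter tied to the detections you run, and widen it deliberately rather than defaulting to everything.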
Once the rule shows as created, the Azure Monitor Agent is deployed to the selected machine (the portal installs it as part of associating the rule) and events start flowing into the SecurityEvent table a few minutes later.

Evaluate the Effectiveness of the Configuration

To evaluate the log ingestion configuration, I am going to simulate a brute-force attack on the on-premises server. First, make sure that your machine is configured to audit credential validation. Follow these steps if it is not configured already.

How to Configure Your Windows Server to Audit Credential Validation

1. Press Windows Key + R, type gpedit.msc and press Enter.
2. Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Logon.
3. Double-click Audit Credential Validation.
4. Check Configure the following audit events and select both Success and Failure.
5. Click Apply, then OK.

Note: on a domain-joined server, a domain Group Policy that sets this subcategory overrides the local setting, and local Group Policy changes take effect at the next policy refresh (run gpupdate /force to apply them immediately). You can confirm the effective setting with auditpol /get /subcategory:"Credential Validation".

Next, on the target machine (the on-premises Windows server), attempt to log on with the wrong password several times. Then go to your Microsoft Sentinel workspace in the Azure portal, click Logs, and run a KQL query over the SecurityEvent table that filters on EventID == 4776.

Event ID 4776 is "The computer attempted to validate the credentials for an account." It is recorded by the machine that performs NTLM credential validation: the server itself for local accounts, but the domain controller for domain accounts. So if you test with a domain account, the 4776 events land in the domain controller’s Security log and only reach Sentinel if the domain controller is also covered by a data collection rule; on the member server itself you will see Event ID 4625 (An account failed to log on) for each failed attempt instead. A failed attempt carries a non-zero Status in the event (0xC000006A for a bad password, 0xC0000064 for an unknown user name), so filter on Status != "0x0" rather than on the event ID alone, since successful validations are logged under the same ID.

You can also set up alerts and analytics rules to monitor specific events from your Windows Server logs. You can configure custom rules or use out-of-the-box templates to detect common attack patterns or anomalies.

Notice that logs have started coming in. Click Columns on the right side of the results to choose which fields you want to see.

Now, let’s compare the logs in Microsoft Sentinel with the logs generated on the target machine. Log in to your target machine, open Event Viewer, click Security under Windows Logs on the left side, and click Filter Current Log on the right side to filter on Event ID 4776. The timestamps, target account names and counts should match what the query in Sentinel returned, allowing for a few minutes of ingestion latency.
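The whole check end to end, as an added example that is not code from the original post: enable the audit subcategory, generate failed credential validations against a throwaway local account, read the resulting 4776 events from the local Security log, run the equivalent query in Sentinel, and turn it into a scheduled analytics rule. The local part runs in an elevated PowerShell on the on-premises server. It assumes the Az.OperationalInsights and Az.SecurityInsights modules, the workspace’s customer ID, that PrincipalContext.ValidateCredentials with ContextType.Machine goes through a local logon call so that the failures are audited, and that the SecurityEvent table exposes the TargetUserName, Workstation and Status columns for 4776; account and workspace names are placeholders.

```powershell
# Added example (not code from the original post): audit policy, simulated
# brute force, local 4776 read-back, the same check in Sentinel, and a scheduled
# rule. Assumes Az.OperationalInsights and Az.SecurityInsights, the workspace
# customer ID, and the SecurityEvent column names used in the KQL below.
$TestUser      = "brute-target"                          # placeholder local account
$WorkspaceId   = "00000000-0000-0000-0000-000000000000"  # placeholder customer ID
$ResourceGroup = "rg-sentinel-demo"                      # placeholder
$Workspace     = "law-sentinel-demo"                     # placeholder

# 1. Same setting as the gpedit path, applied with auditpol so it is effective at
#    once. A domain GPO for this subcategory would still win over this setting.
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"Credential Validation"

# 2. Simulate the brute force. ValidateCredentials with ContextType.Machine goes
#    through a local logon call (assumption: LogonUser), so each failure is recorded
#    as 4776 and 4625 on this machine. Stay under the lockout threshold, or expect a
#    4740 (account locked out) as well.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
           [System.DirectoryServices.AccountManagement.ContextType]::Machine)
1..8 | ForEach-Object { $null = $ctx.ValidateCredentials($TestUser, "wrong-password-$_") }

# 3. Read the events back locally. A non-zero Status marks a failure:
#    0xC000006A bad password, 0xC0000064 user name does not exist.
function Get-FailedCredentialValidations {
    param([datetime]$Since = (Get-Date).AddMinutes(-10))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
      ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Target      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Workstation = ($data | Where-Object Name -eq 'Workstation').'#text'
            Status      = ($data | Where-Object Name -eq 'Status').'#text'
        }
      } | Where-Object { $_.Status -ne '0x0' }
}
Get-FailedCredentialValidations | Group-Object Target, Workstation |
    Select-Object Count, Name | Format-Table -AutoSize

# 4. The same question asked of Sentinel. Allow a few minutes of ingestion latency
#    before expecting the counts to match the local log.
$kql = @"
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4776 and Status != "0x0"
| summarize Failures = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Computer, TargetUserName, Workstation, Status
| where Failures >= 5
"@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
$result.Results | Format-Table -AutoSize

# 5. Turn the ad-hoc query into a scheduled analytics rule so an incident is raised
#    without someone watching Logs. Frequency and period of one hour mean each run
#    looks back over the hour since the previous one.
New-AzSentinelAlertRule -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace -Kind Scheduled `
    -DisplayName "NTLM credential validation failures (4776) above threshold" -Severity Medium `
    -Query $kql -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) `
    -TriggerThreshold 0 -Enabled | Out-Null
```

Comparing the grouped local output with the Sentinel result is the real test of the pipeline: a gap in counts points at the XPath filter or the agent, a gap in timestamps at ingestion latency, and a missing Workstation column at a schema assumption that needs checking against your workspace.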
Conclusion Ingesting logs from your on-premises Windows Server into Microsoft Sentinel is an essential step toward improving your organization’s security posture. By following the above steps, you can collect, monitor, and analyze security data in a centralized environment, enabling faster threat detection and response. With the power of Microsoft Sentinel’s analytics and automation, your team can stay ahead of potential security risks and ensure the security of your infrastructure. Don’t forget to continuously review and refine your log collection strategies to ensure you’re capturing the most relevant security data for your environment. As threats evolve, so should your security monitoring and incident response strategies.
