Enable Microsoft Sentinel
To enable Microsoft Sentinel:
1. Sign into the Azure portal at https://portal.azure.com.
2. Search for and select Microsoft Sentinel (as shown in Figure 17.1).
FIGURE 17.1 Selecting Microsoft Sentinel in Azure
3. Click Add.
4. Select the workspace you want to use, or create a new one (see Figure 17.2). You can run Microsoft Sentinel on more than one workspace, but the data is isolated to a single workspace.
FIGURE 17.2 Choosing a workspace
5. Select Add Microsoft Sentinel.
Microsoft Sentinel does not support moving the workspace to another resource group or subscription once it's deployed. If you have already moved the workspace, you need to disable all active rules under Analytics and re-enable them after 5 minutes. Microsoft states that this may be effective in most cases, but that moving the workspace is not supported.
The next step is to set up your data connectors.
Set Up Data Connectors
Once Microsoft Sentinel is onboarded, you can use data connectors to start ingesting your data. Microsoft Sentinel comes with numerous out-of-the-box connectors for Microsoft services, which you can integrate in real time.
Microsoft Sentinel obtains the data from services and apps by connecting to the service and then forwarding the events and logs to Microsoft Sentinel. For physical and virtual machines, you install the Log Analytics agent directly on the machine. For firewalls and proxies, you install the Log Analytics agent on a Linux Syslog server; the agent collects the log files and forwards them to Microsoft Sentinel.
To set up data connectors, perform the following:
1. From the main menu, select Data Connectors. This opens the data connectors gallery, as shown in Figure 17.3.
FIGURE 17.3 Microsoft Sentinel data connectors gallery
2. Select your desired data connector, and then click the Open Connector Page button.
3. The Connector page shows the prerequisites and the instructions for configuring the connector. Follow the installation instructions. Once connected, you will see a summary of the data in the Data Received graph and the connectivity status of the data types, as shown in Figure 17.4.
FIGURE 17.4 Microsoft Sentinel data received
4. The Next Steps tab on the Connector page shows all the relevant built-in workbooks, sample queries, and analytics rule templates that go with the selected data connector, as shown in Figure 17.5. You can use these as is or modify them; either way, you can immediately obtain insights across your data.
FIGURE 17.5 Microsoft Sentinel Next Steps tab
Once done, your data will start streaming into Microsoft Sentinel and you can start working with it.
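The enable and connector steps above, scripted with Azure PowerShell as an added example (not the book's own code); it assumes the Az.Accounts, Az.OperationalInsights and Az.SecurityInsights 2.x modules are installed and uses placeholder subscription, resource group and workspace names.

```powershell
# Added example (not from the book): script the onboarding steps above with the Az modules.
# Assumes Az.Accounts, Az.OperationalInsights and Az.SecurityInsights 2.x are installed;
# replace the placeholder values with your own.
$SubscriptionId = '<subscription-id>'   # placeholder
$ResourceGroup  = 'rg-sentinel'         # placeholder
$WorkspaceName  = 'law-sentinel-prod'   # placeholder
$Location       = 'eastus'              # placeholder

Connect-AzAccount | Out-Null
Set-AzContext -Subscription $SubscriptionId | Out-Null

# Step 4 of the procedure: reuse an existing Log Analytics workspace or create one.
# The workspace cannot be moved to another resource group or subscription once
# Sentinel is enabled, so choose the final resource group and subscription here.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup `
        -Name $WorkspaceName -ErrorAction SilentlyContinue
if (-not $ws) {
    $ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup `
            -Name $WorkspaceName -Location $Location -Sku 'PerGB2018'
}

# Step 5: add Microsoft Sentinel to the workspace. The onboarding state is named
# 'default' (assumed: the Az.SecurityInsights 2.x onboarding-state cmdlets).
$onboarded = Get-AzSentinelOnboardingState -ResourceGroupName $ResourceGroup `
               -WorkspaceName $WorkspaceName -ErrorAction SilentlyContinue
if (-not $onboarded) {
    New-AzSentinelOnboardingState -ResourceGroupName $ResourceGroup `
        -WorkspaceName $WorkspaceName -Name 'default' | Out-Null
}

# Verify: the connectors already configured (what the Data Connectors page shows)
# and the analytics rules with their enabled state (what the Analytics page shows,
# useful when checking the rules after the disable/re-enable workaround).
Get-AzSentinelDataConnector -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName |
    Select-Object Name, Kind

Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName |
    Select-Object DisplayName, Kind, Enabled
```

Connector-specific configuration (agent installation, Syslog forwarding) still follows the instructions on each connector page; this script only creates the workspace, enables Sentinel on it, and reports what is connected.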
To see what is happening with your environment, take a look at the Overview dashboard. In the Azure portal, select Microsoft Sentinel and then select the workspace you want to monitor, as shown in Figure 17.6.
FIGURE 17.6 Microsoft Sentinel Overview dashboard
Now, let’s take a look at how to identify and remediate security issues using Microsoft Defender for Cloud.