Commerce

An Introduction of Azure Sentinel

An Introduction of Azure Sentinel

Microsoft Sentinel is a solution for a variety of issues including intelligence analysis, detecting uncovered threats, investigating suspicious activity, enterprising monitoring, and rapid response. Sentinel is a Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) service in the cloud.

Today, I will discuss Azure Sentinel’s benefits, how it differs from Microsoft Defender for Cloud (formerly Azure Security Center), how to use it to trigger an alert when a malicious incident has occurred, and forward the notification to a specific Microsoft Teams channel.

Understanding the Risk

Today’s organizations are moving toward multi-clouds like GCP, AWS, Azure, and On-Premesis. People currently work outside the company network, using unknown websites and suspicious devices. This leaves your organization vulnerable to attacks by hackers. Your priority should be protecting your investment by collecting data, detecting threats, investigating threats, and responding to the threat accordingly. Therefore, you need a security manager that can keep eye on everything. This is where Azure Sentinel can step in.

Azure Sentinel 1

 

The Difference Between Azure Sentinel & Microsoft Defender for Cloud

Azure Sentinel 2

Both Azure Sentinel and Microsoft Defender for Cloud are offered by Microsoft. However, Microsoft Defender for Cloud mainly focuses on detecting security issues, generating alerts, misconfiguration, and lack of permission. These alerts would be further utilized by Azure Sentinel to investigate and respond accordingly.

To begin your Azure subscription, you’ll first need to create a free account here.

You will also need to familiarize yourself with some definitions before proceeding, such as:

  • Resource Group – a container that contains related resources for an Azure solution.
  • Log Analytics workspaces – used to store logs and data from Azure.
  • Storage accounts – used to share data and logs generated from Log Analytics.
  • Permission– Contributor or reader permissions on the resource group.

 

How to Set Up Sentinel for a Storage Account

Follow these six steps to set up Azure Sentinel in a storage account.

1. Create a Resource Group

First, login to Azure portal and search “Resource group” in the search bar. Then, select “create.”

Next, enter the following in these three values:

  • In subscription, select “Free Trial.”
  • Resource group: I created a resource group called “rahulresource” as an example. You can create your own name based on your Project name.
  • Region: I have selected “(US) East US.”

Then, select “Review + create.”

Azure Sentinel 3

 

2. Create a Workspace:

Search for “Log Analytics Workspace” and select “create.” Then, choose “subscription” and select the existing resource group. Provide a name to the new log analytics. For example, I named my workspace “testinstance.” Finally, select “review + create.”

Azure Sentinel 4

 

3. Create a Storage Account

Search for “storage accounts” in the search bar and select “create.” Then, choose the existing resource group. Add your unique storage account name. For example, I added “rahulstorage9.” Then, select “standard” for “performance” and “redundancy” for “locally-redundant storage (LRS)”.

Next, set “default” as the configuration for the tabs “Advance,” “Networking,” “Data protection,” “Encryption,” and “Tags.”

Finally, select “Review + create.”

Azure Sentinel 5

 

4. Enabling Microsoft Sentinel

Search for “Microsoft Sentinel” and select it and the workspace you created before, such as the “testinstance” I created. Then, find “data connectors” in the left portal menu.

Next, search for the “Azure Storage Account,” and open the “connector” page. Inside the Azure Storage Account, go to the “diagnostic setting” on the left menu. Then, select “+ Add diagnostic setting” and type a diagnostic setting name. Next, under the “destination” details, choose “send to log analytics workspace.”

Select the log analytics as a “testinstance (eastus).” And under “metrics,” check the box for “transaction” and click “save.”

Azure Sentinel 6

 

 

5. Hunting in Sentinel

In the left portal menu in Sentinel, find and choose “hunting.” Then click on “+ New Query” and enter the following into the values:

  • Add “Monitor Azure Storage Account” into “name.”
  • In “custom query,” add the query below:

 

AzureActivity

| where Properties has “Microsoft.Storage/storageAccounts/listKeys/action”

| extend WhoDidIt = Caller, StorageAccountName = tostring(parse_json(Properties).resource)

| project WhoDidIt, StorageAccountName, ResourceGroup, _ResourceId, CallerIpAddress, EventSubmissionTimestamp

 

Then, click on “Create.”

Azure Sentinel 7

 

6. Deploying the Playbook to Post a Message on Microsoft Teams

You’ll create a playbook using a Microsoft template by clicking here. Then, enter the name of your playbook. For example, I named mine “PostMessageTeams-OnAlert.” Next, click “review + create.”

Azure Sentinel 8

Within the Microsoft Sentinel, navigate to “Hunting” and “Open live stream.” Create an analytics rule in the “General” tab and enter the “Name.” Finally, choose “medium” as the severity.

Azure Sentinel 9

 

 

In the “Set rule logic” tab, you’ll add the entity mapping as you see below:

a) Account > Name > WhoDidIt

b) IP > Address > CallerIPAddress

c) Azure resource > ResourceId > _ResourceId

  • In the “Incident settings” tab, enable the “Alert grouping” option.
  • In the “Automated response” tab, select “PostMessageTeams” as an “Alert automation playbook.”
  • Click “Review + create.”

Azure Sentinel 10

 

Azure Sentinel 11

Azure Sentinel 12

To Conclude…

I have performed a proof of concept on Azure Sentinel that will trigger an alert when a malicious incident occurs in an Azure Storage Account and forwarded it to a specific Microsoft Teams channel.

Perficient is uniquely positioned to serve our consumers that need assistance in these areas. Our experts will partner with you to understand what your specific business needs and goals are and develop a map to change your company’s trajectory. Our experts will be with you every step of the way. For more questions, contact our experts today.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Rahul Raju

Rahul Raju is an associate technical consultant at Perficient. He has experience in Linux and Windows, Azure, and AWS cloud platforms. Rahul has global certifications in RHCE and AZ-104.

More from this Author

Subscribe to the Weekly Blog Digest:

Sign Up
Follow Us
TwitterLinkedinFacebookYoutubeInstagram