I had a great time bringing value with Sentinel, and here I will try to assist you in getting started with integrating this product into your business. This SIEM, in my experience, is excellent for increasing your employees’ overall awareness asides from assisting in decision making, providing advanced insights and protect your entreprise from threats.

Table of Contents

Architecture Overview

The following is a simplified architecture for the technical process of the implementation.

Microsoft Sentinel Technical Procedure

This technical documentation will walk you through the entire process, from setting up Sentinel to operating it and using its core features.

Description

We’ll go over the preliminary steps for configuring the product.

  • Initialize the product on your entreprise Microsoft Azure tenant.
  • Ingestion of the required connectors.
  • Perform analytics queries to get alerted when threats appear.
  • Operate and create workbooks for insightful reports.
  • When necessary, delete the product and its dependencies.

Sentinel Workflow

To get started with Sentinel you require to implement Log analytics workspace.

Then, you go and create a new Azure Sentinel resource on top of it.

Once this has been done, the next step is to connect your data sources. This can be done by using either the Data Connectors library or by creating custom connectors.

After connecting your data sources, you will then need to configure them so that they are sending data into your newly created workspace.

Finally, you will want to create some queries and alerts so that you can start monitoring your system for issues and consult workbooks to help you decide.

Product Setup

In this section will go over

  • Create Log Analytics Workspace
  • Create Microsoft Sentinel Instance

Create Log Analytics Workspace

1- Search for Log Analytics Workspace in the Azure Portal.
2- Click on the service then click Create to create a new resource.


1- Specify the required subscription.
2- Choose your resource group, or create a new one for all related senitnel resources.
3- Name your workspace.
4/5- Pick the region and click Review + Create


  • Wait some seconds for the validation to pass and click Create.


Once the creation is completed, you have to add sources to your workspace so that you can get data-in on Sentinel.

  • In Log Analytics Workspace, go to Diagnostic Settings.
  • Click Add Diagnostic Setting.


1- Specify the types of log you want to have access to.
2- Send the logs to workspace you just created, you can consult the other options.
3- Pick a name for the setting.
4- Once finished, click Save

That’s the required configuration for the Log analytics workspace.

Create Microsoft Sentinel Instance

Once we have our workspace, we can go further and create Sentinel.

  • Search bar in the portal, write Sentinel.


  • Click Create Microsoft Sentinel.


  • Specify the workspace we just created and click Add.


  • Microsoft Sentinel is Setup.

Connectors

Once product is set, the first step is to import the necessary connectors before running any queries on Sentinel.

Quickstart Connectors

  • Office
  • Azure Activity
  • Azure Active Directory

Search for connectors

1- On the left pane, click Connectors

2- In the search bar, where you can search for the desired connector

3- Once found, give it a click and then open connector page

The Connector page

1- The good news is once you ingest some connectors. There will be analytics rules, workbooks as well as queries applied within the connector bundle.

2- To be configured, each connector will need its own prerequisite.

3- The same is true for the configuration. However, here you can find configurations that are as simple as clicking and others that necessitate the use of APIs.

Analytics Rules

The Microsoft Team is attempting to include as many Analytics rule templates as possible. However, it is nearly impossible to cover everything, so you should be aware of how to include built-in queries as well as create your own with some knowledge of KQL.

Here i’ll go through both cases.

Built-In Rules

You can select the template provided within the product from the asset below, and it should become active in a matter of seconds.

Once in Sentinel, Click Analytics => Rules Templates.

Custom Analytics Rules

We’ll walk through configuring the yaml file below, which includes all of the pipeline’s parameters.

However, for this demonstration, we will conduct it as a security operation.

Here is the YAML for Explicit MFA Deny.

id: a22740ec-fc1e-4c91-8de6-c29c6450ad00
name: Explicit MFA Deny
description: |
  'User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - CredentialAccess
relevantTechniques:
  - T1110
query: |
  let aadFunc = (tableName:string){
  table(tableName)
  | where ResultType == 500121
  | where Status has "MFA Denied; user declined the authentication" or Status has "MFA denied; Phone App Reported Fraud"
  | extend Type = Type
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed
  };
  let aadSignin = aadFunc("SigninLogs");
  let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
  union isfuzzy=true aadSignin, aadNonInt
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: URLCustomEntity
version: 1.0.1
kind: Scheduled

This query will require Azure Active Directory connector for it to perform.

Go to Analytics but instead of templates, click Create then Scheduled query rule.

As a best practice, refer to the pipeline and include a fit description so your team understands the role of this query.

Choose the severity indicated. And then choose your tactics. After that, click Next to set the rule.

1- As for the query, once it is created, enter it in this field and wait for the product to reload.

2- Don’t forget about the Entity mapping.

Sentinel is constantly improving and incorporating artificial intelligence. When you include such queries, the product will be able to identify the correct entity and map it automatically.

This is extremely powerful as it allows you to not only find out what’s going on in your environment but also to perform SecOps quick.

Once Entities are set click Next to incidents Settings.

1- What is most important here is to enable incident creation so that you can be notified via your product home page if any threats are triggering.

2- The second section is to organize your queries. This is helpful when you have tons of rules that make sense as groups. I’ll leave the decision to you.

1- You can receive an automated response that will take you to a logic app where you can decide what action to take when this rule is triggered.

In this case, I prefer sending an email to my manager about an analytics with a high severity and posting the threat to our team channel.

2- When you’re finished, you’ll see a summary of the entire rule. Continue with the creation by clicking Create.

Workbooks

Built-In Workbooks

Microsoft provides a set of templates along the chosen connector that you can take advantage of directly and use.

1- On the left pane, Click Workbooks.

2- Click Templates.

3- Search for the desired workbook.

4- Click save, click to My workbooks besides the template and you should have it.

Custom Workbooks

In addition to the templates, you can make your own. JSON and ARM Templates formats are supported by workbooks.

1- Go to Workbooks

2- Instead of Templates, Click Add Workbook


Click on Edit


1- Click on the code <>

2- This will print you the editor where you can decide the type.

  • For this demo we will use JSON, copy my workbook and paste it on your environment.
  • The workbook is merged to the official sentinel repo, you can have a look on the pull request from here.

3- Once done, click Apply

4- Click Done Editing

5- Then, the Save Icon.

Continue by entering the name of your workbook, the subscription, the RG, and the location.

Finally Click Apply

Your workbook will take effect and produce the desired results.

You can continue looking through the custom workbooks I created and start using them right away.

Workbook Showcase

This section is where you can marvel at the fantastic insights generated by this feature.

Azure Activity



Azure Active Directory Audit Insights


All In One Insights


Multi-Factor Authentification Insights




Conditionnal Access Insights

This is a very small portion of the data generated by the product, i hope it helps, due to the confidentiality of the information.

Product Shutdown

The product can be very expensive;

We ended up spending $1200 CAD per month to cover the compute required to keep ingesting data and delivering value.

As a result, you may consider shutting it down at some point.

This section is specifically designed for that purpose.

Three things required termination when you’re accomplished with Microsoft Sentinel to avoid any additional costs.

  • Azure Sentinel Instance
  • The Log Analytics Workspace and the related solutions
  • The Resource Group used

1- From Sentinel, go down to Settings on the left pane.
2- Beside pricing, Click Settings.
3- Last option, click Remove Microsoft Sentinel.


  • Confirm Remove Microsoft Sentinel from your workspace.


To make sure, you cut with all expenses.

  • Go back to your workspace and delete it.

  • Lastly, check your RG, and terminate it to avoid any additionnal costs within its resources.

  • Confirm the deletion by clicking Delete.

Closure

That’s it; your connectors and analytics should now be properly preconfigured. You are capable to add workbooks and create your own. This is a huge accomplishment! By following this technical documentation, you have taken the first step in ensuring that your data is properly managed and monitored. You know also how to delete your product in case its required.