DENIS APTULA Cloud Security Specialist

Introduction

Azure Sentinel is Microsoft’s cloud-native security information and event management (SIEM) solution that leverages the power of artificial intelligence to monitor and respond to security incidents in real-time. By integrating with various data sources such as Azure services, Office 365, and external services like AWS, Azure Sentinel provides a unified platform for detecting, investigating, and mitigating potential security threats. This report details the step-by-step process of setting up and configuring Azure Sentinel, connecting data sources, creating analytics rules, and managing alerts to maintain a secure and responsive environment.

Setting Up Azure Sentinel

To get started with Azure Sentinel, I followed these steps:

1. Log in to Azure Portal:
   • I accessed the Azure Portal and signed in using my Azure account credentials.
2. Create a Log Analytics Workspace:
   • In the left-hand menu, I selected All Services and searched for Log Analytics Workspaces.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXdTZvExn7jxIF4mK4F3sEMvKs6gt4HsJslq00QnoT7G17Iy6XYdx1F8wmNxLXortxibIVzcS3pfdMMGfqznzrlKc7PRQo-G2ljIGFiBnfK7yDCKbOfKScTCp1wKgISM1Jqa7i8qyPXPPIoVSzzIdFgoFn1md1Fo4FQ2WI7Z-lFnhLPPjPRjWwA?key=QFJIoVuUbB9oy-I-wuPx8A

• I clicked Add to create a new workspace and provided the necessary information, such as Subscription, Resource Group, Name, and Region.
• After validation passed, I clicked Create to set up the workspace.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXfj_2n_N1TKyS0fEP05rG7lBXTsmHHNXYJCsPAmduiIZFpa6lsfBKMupFnkqI1WHAcpBoBPjNfYMlteIbWEPJudqqv8QISbCY9bg1LQIWD9qvFg5RRHSR-OHbABSayPkaEahv0uqIb34P0ZVKLHlVOwFUWoYb2144bQ3TI4zGwUCRWMiLzVdDI?key=QFJIoVuUbB9oy-I-wuPx8A

1. Enable Azure Sentinel:
   • Once the Log Analytics Workspace was created, I navigated to Azure Sentinel and clicked Add.
   • I selected the previously created Log Analytics Workspace and clicked Add Azure Sentinel to complete the setup.

https://lh7-rt.googleusercontent.com/docsz/AD_4nXc60Pzkq4VniBNSv7Osr5dXVK8hrdsosOjJxut-Rb4iqPR2QgTku4VY_pcrZqFLgsicxyQr4kUItifAjcEIL6LNUASXjWEgNfITrStqw-8DM0Z071dTGhjGVN2CPk42L27fw383gi-qIvQJtmzelYzo9EC-OpdQGglApznP7J7FCaN2VIdfq9c?key=QFJIoVuUbB9oy-I-wuPx8A

Connecting Data Sources

With Azure Sentinel set up, I proceeded to connect various data sources to start monitoring and collecting logs:

1. Navigate to Data Connectors:
   • In the Azure Sentinel workspace, I selected Data Connectors from the configuration section.
2. Select and Configure Data Connectors:
   • I browsed through the available data connectors, such as Azure Active Directory, Office 365, and AWS.
   • I selected the desired data sources and followed the on-screen instructions to configure each source. This process typically involved granting the necessary permissions, setting up diagnostic settings, and ensuring that logs were properly sent to the Log Analytics Workspace.

Creating Analytics Rules

Next, I created analytics rules to define the conditions for generating security alerts: