Previous Articles
Microsoft Sentinel Implementation a Deep Dive – Part 1: Workspace Deployment
Microsoft Sentinel Implementation a Deep Dive – Part 2: Microsoft Sentinel Deployment
Installing and Configuring Microsoft Sentinel Data Connectors to Ingest Azure Activity and Windows Security Events
Learn more about Content Hub solutions at https://learn.microsoft.com/azure/sentinel/sentinel-solutions.
Configure the Azure Activity data connector so that it applies to all new and existing resources in the subscription
Go to Microsoft Sentinel > Content hub, search for Azure Activity and select Install.
Once the installation completes, click Open connector page.
Install the Microsoft Defender for Cloud solution from Content hub in the same way.
On the connector page, click Launch Azure Policy Assignment Wizard. The wizard pre-selects the built-in policy "Configure Azure Activity logs to stream to specified Log Analytics workspace".
In the Basics tab, under Scope, select the subscription whose activity log you want to ingest.
In the Parameters tab, choose your workspace from the Primary Log Analytics workspace drop-down list.
In the Remediation tab, select the Create a remediation task checkbox. The policy on its own only takes effect for resources evaluated from now on; the remediation task is what applies it to the subscription that already exists, which is what "existing resources" in the heading above refers to.
Select Review + Create to review the configuration.
Select Create to finish.
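The same policy assignment, created with the Az PowerShell modules instead of the wizard, as an added example that is not code from the original article or from Microsoft. It assumes Az.Accounts, Az.Resources and Az.PolicyInsights are installed; the subscription ID, workspace resource ID and region are placeholders, and the policy parameter name `logAnalytics` is an assumption taken from the built-in definition, so the script prints the definition's parameter list for you to confirm it. Unlike the portal wizard, a scripted assignment does not grant the DeployIfNotExists identity its roles automatically, so the script reads the role IDs out of the definition and assigns them itself.

```powershell
# Added example, not from the original article: scripted equivalent of the
# "Launch Azure Policy Assignment Wizard" steps for the Azure Activity connector.
# Requires Az.Accounts, Az.Resources and Az.PolicyInsights.
$subscriptionId      = '00000000-0000-0000-0000-000000000000'                          # placeholder
$workspaceResourceId = "/subscriptions/$subscriptionId/resourceGroups/rg-sentinel" +
                       '/providers/Microsoft.OperationalInsights/workspaces/law-sentinel'  # placeholder
$location            = 'eastus'   # a system-assigned managed identity needs a region
$scope               = "/subscriptions/$subscriptionId"

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Basics tab: locate the built-in policy the wizard pre-selects by display name, so no
# definition GUID is hard-coded. Older Az.Resources versions expose the fields under
# .Properties, newer ones flatten them, so both shapes are checked.
$displayName = 'Configure Azure Activity logs to stream to specified Log Analytics workspace'
$definition  = Get-AzPolicyDefinition -Builtin | Where-Object {
    $_.Properties.DisplayName -eq $displayName -or $_.DisplayName -eq $displayName }
if (-not $definition) { throw "Built-in policy '$displayName' not found" }
$props = if ($definition.Properties) { $definition.Properties } else { $definition }
Write-Host 'Policy parameters (confirm the workspace parameter is named logAnalytics):'
$props.Parameter | Format-List

# Parameters tab: Primary Log Analytics workspace. Parameter name is an assumption (see above).
$assignment = New-AzPolicyAssignment -Name 'sentinel-azure-activity' `
    -DisplayName 'Stream Azure Activity logs to the Sentinel workspace' `
    -Scope $scope -PolicyDefinition $definition `
    -PolicyParameterObject @{ logAnalytics = $workspaceResourceId } `
    -IdentityType SystemAssigned -Location $location

# DeployIfNotExists runs as the assignment's managed identity. The portal grants the roles
# the definition declares under roleDefinitionIds; here they are assigned explicitly.
Start-Sleep -Seconds 30   # let the new identity propagate before binding roles to it
foreach ($roleId in $props.PolicyRule.then.details.roleDefinitionIds) {
    New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
        -RoleDefinitionId ($roleId -split '/')[-1] -Scope $scope | Out-Null
}

# Remediation tab: the assignment only fires for resources evaluated from now on, so the
# remediation task is what brings the already existing subscription into compliance.
$assignmentId = if ($assignment.PolicyAssignmentId) { $assignment.PolicyAssignmentId } else { $assignment.Id }
Start-AzPolicyRemediation -Name 'sentinel-azure-activity-remediation' `
    -PolicyAssignmentId $assignmentId -Scope $scope
```

Run it in a session that holds Owner or User Access Administrator on the subscription, since the role assignments for the managed identity fail otherwise and the remediation task will then sit in a failed state.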
Installing and Configuring the Windows Security Events Data Connector
In Microsoft Sentinel, go to the Content management menu section and select Content hub.
Search for Windows Security Events.
Select Install.
Ingesting Windows Security event data
Create an analytics rule based on the Suspicious number of resource creation or deployment activities template. The rule should run every hour and only look at data for the last hour.
In Microsoft Sentinel, go to the Configuration menu section and select Analytics.
In the Rule templates tab, search for Suspicious number of resource creation or deployment activities.
Select the Suspicious number of resource creation or deployment activities template and select Create rule. Leave the defaults on the General tab and select Next: Set rule logic >.
Leave the default Rule query and configure Query scheduling using the table below:

| Setting | Value |
|---|---|
| Run query every | 1 hour |
| Lookup data from the last | 1 hour |
Select Next: Incident settings >.
Leave the defaults and select Next: Automated response >.
Leave the defaults and select Next: Review and create >.
Select Save.
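Before relying on the rule, it is worth confirming that both connectors configured in this part are actually delivering data, and how late it arrives: with "Run query every 1 hour" and "Lookup data from the last 1 hour" each run covers exactly the hour since the previous one with no overlap, so a record whose ingestion time trails its TimeGenerated by more than the window can fall outside every run. The check below is an added example, not code from the original article or from Microsoft; it assumes Az.Accounts and Az.OperationalInsights, uses a placeholder for the workspace ID (the workspace's customer GUID, not its resource ID), and the five-minute lag threshold is a value chosen for this check.

```powershell
# Added example, not from the original article: verify AzureActivity and SecurityEvent
# ingestion inside the rule's one-hour window and report the p95 ingestion lag.
# Requires Az.Accounts and Az.OperationalInsights.
$workspaceId   = '00000000-0000-0000-0000-000000000000'   # placeholder: workspace customer ID (GUID)
$lookbackHours = 1                                         # same value as "Lookup data from the last"
$maxLagMinutes = 5                                         # threshold chosen for this check

Connect-AzAccount | Out-Null

# One KQL query for both tables: record count, newest record, and p95 of
# (ingestion_time() - TimeGenerated) in minutes. The variable is expanded into the
# here-string before the query is sent, so the KQL sees a literal "1h".
$query = @"
let lookback = ${lookbackHours}h;
union
  (AzureActivity
    | where TimeGenerated > ago(lookback)
    | summarize Events = count(), LastSeen = max(TimeGenerated),
                P95LagMin = percentile(datetime_diff('minute', ingestion_time(), TimeGenerated), 95)
    | extend Source = "AzureActivity"),
  (SecurityEvent
    | where TimeGenerated > ago(lookback)
    | summarize Events = count(), LastSeen = max(TimeGenerated),
                P95LagMin = percentile(datetime_diff('minute', ingestion_time(), TimeGenerated), 95)
    | extend Source = "SecurityEvent")
"@

$results = (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query).Results

foreach ($source in 'AzureActivity', 'SecurityEvent') {
    $row = $results | Where-Object Source -eq $source
    # summarize over an empty input still yields one row with Events = 0, so a missing
    # row means the query itself did not return for that table.
    if (-not $row -or [int]$row.Events -eq 0) {
        Write-Warning "${source}: no records in the last $lookbackHours h; the connector or policy is not delivering yet"
        continue
    }
    Write-Host ('{0}: {1} events, last seen {2}, p95 ingestion lag {3} min' -f
        $source, $row.Events, $row.LastSeen, $row.P95LagMin)
    if ([double]$row.P95LagMin -gt $maxLagMinutes) {
        Write-Warning "${source}: ingestion lag above $maxLagMinutes min; with a non-overlapping hourly window late records can be missed, consider a longer lookup window"
    }
}
```

If the Windows Security Events solution is installed but no data collection rule has sent events yet, the SecurityEvent table may not exist in the workspace and the whole query fails with a table resolution error rather than returning a zero count; run the AzureActivity half on its own in that case.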
Next Articles
Microsoft Sentinel Implementation a Deep Dive – Part 5: Validating the Microsoft Sentinel Deployment
Microsoft Sentinel Implementation a Deep Dive – Part 6: Ingesting Microsoft 365 Logs and Validation