SIEM and XDR in one place

Previous Articles

Part 1: Microsoft Sentinel Implementation a Deep Dive – Part 1: Workspace Deployment

Part 2: Microsoft Sentinel Implementation a Deep Dive – Part 2: Microsoft Sentinel Deployment

Installing and Configuring Data Connector of Microsoft Sentinel to Ingest Windows Security Events

Learn more about Content Hub solutions at https://learn.microsoft.com/azure/sentinel/sentinel-solutions.

Configure the Azure Activity data connector so that its policy assignment applies to all new and existing resources in the subscription

Go to Microsoft Sentinel -> Content hub

Click on Open connector page once the installation has completed

Install Microsoft Defender for Cloud Data Connector as well

Click on Launch Azure Policy Assignment Wizard >

In the Configuration window, go to Scope -> select the right Subscription in the Basics tab

Select the Parameters tab, choose your workspace from the Primary Log Analytics workspace drop-down list

Select the Remediation tab and select the Create a remediation task checkbox.

Select the Review + Create button to review the configuration.

Select Create to finish.

Installing and Configuring Windows Security Events Data Connector

In Microsoft Sentinel, go to the Content Management menu section and select Content Hub

Search for Windows Security Events

Click on Install

Ingesting Windows Security event data
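Once both connectors are installed, the quickest way to confirm that data is really arriving is to query the workspace for the newest record in the AzureActivity and SecurityEvent tables. The following script is an added example and is not part of the original article; it assumes the Az.Accounts and Az.OperationalInsights modules are installed, that Connect-AzAccount has already been run, and that the resource group and workspace names are replaced with your own (the values below are placeholders).

```powershell
# Added example (not from the original article): verify that the Azure Activity
# and Windows Security Events connectors are delivering data to the workspace.
# Placeholder names - replace with your own resource group and workspace.
$ResourceGroup = "rg-sentinel-placeholder"
$WorkspaceName = "law-sentinel-placeholder"

# The query API needs the workspace (customer) ID, not the resource name.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# One row per table: newest record and row count over the last 24 hours.
$kql = @"
union withsource=SourceTable AzureActivity, SecurityEvent
| where TimeGenerated > ago(24h)
| summarize LastRecord = max(TimeGenerated), Rows = count() by SourceTable
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql
$rows = @($result.Results)

foreach ($table in @("AzureActivity", "SecurityEvent")) {
    $row = $rows | Where-Object { $_.SourceTable -eq $table }
    if (-not $row) {
        # Nothing in 24h: the policy remediation task has not run yet, the agent
        # is not reporting, or the connector was never opened.
        Write-Warning "$table`: no records in the last 24h - check the connector and its remediation task / agent"
        continue
    }
    $age = [datetime]::UtcNow - ([datetime]$row.LastRecord).ToUniversalTime()
    if ($age.TotalHours -gt 1) {
        Write-Warning ("{0}: last record is {1:N1} hours old ({2} rows in 24h)" -f $table, $age.TotalHours, $row.Rows)
    } else {
        Write-Host ("{0}: OK, newest record {1:N0} minutes old ({2} rows in 24h)" -f $table, $age.TotalMinutes, $row.Rows)
    }
}
```

A freshly assigned policy can take some time before the first Azure Activity records appear, so a warning on the first run is not necessarily a fault; re-run the check after the remediation task has completed.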

Create an analytics rule based on the Suspicious number of resource creation or deployment activities template. The rule should run every hour and only look at data from the last hour.

In Microsoft Sentinel, go to the Configuration menu section and select Analytics.

In the Rule Templates tab, search for the Suspicious number of resource creation or deployment activities.

Select the Suspicious number of resource creation or deployment activities template, and select Create rule. Leave the defaults on the General tab and select Next: Set rule logic >

Leave the default Rule query and configure Query Scheduling using the table:

Setting                     Value
Run query every             1 Hours
Lookup data from the last   1 Hours

Select Next: Incident settings >.

Leave the defaults and select Next: Automated response >.

Leave the defaults and select Next: Review and create >.

Select Save.
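The same rule can be created from its template with the Az.SecurityInsights module, which keeps the 1 hour frequency and 1 hour lookback as code instead of portal clicks. This is an added example, not code from the original article; it assumes Connect-AzAccount has been run, that the Azure Activity solution from Content Hub (which supplies the template) is installed, that the template object exposes Name, DisplayName, Description, Query, Severity, Tactic, TriggerOperator and TriggerThreshold as in Az.SecurityInsights 3.x, and that the resource names are replaced with your own.

```powershell
# Added example (not from the original article): create the scheduled analytics
# rule from its Content Hub template with Az.SecurityInsights.
# Placeholder names - replace with your own resource group and workspace.
$ResourceGroup = "rg-sentinel-placeholder"
$WorkspaceName = "law-sentinel-placeholder"
$TemplateDisplayName = "Suspicious number of resource creation or deployment activities"

# Look the template up by the same display name used in the portal search.
$template = Get-AzSentinelAlertRuleTemplate -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName |
    Where-Object { $_.DisplayName -eq $TemplateDisplayName }
if (-not $template) {
    throw "Template '$TemplateDisplayName' not found; install the Azure Activity solution from Content Hub first."
}

# Scheduling from the table above: run every 1 hour, look back 1 hour.
$frequency = New-TimeSpan -Hours 1
$lookback  = New-TimeSpan -Hours 1
# A lookback shorter than the frequency leaves windows no run ever inspects.
if ($lookback -lt $frequency) {
    throw "Lookback ($lookback) is shorter than the run frequency ($frequency); events would be missed."
}

# Parameter names follow Az.SecurityInsights; check Get-Help New-AzSentinelAlertRule
# if your module version differs. Template properties used here are assumed (see lead-in).
$rule = New-AzSentinelAlertRule -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName `
    -Kind Scheduled `
    -AlertRuleTemplateName $template.Name `
    -DisplayName $template.DisplayName `
    -Description $template.Description `
    -Query $template.Query `
    -Severity $template.Severity `
    -Tactic $template.Tactic `
    -TriggerOperator $template.TriggerOperator `
    -TriggerThreshold $template.TriggerThreshold `
    -QueryFrequency $frequency `
    -QueryPeriod $lookback `
    -Enabled

# Confirm what was stored: the frequency and period should both read 01:00:00.
$rule | Select-Object DisplayName, QueryFrequency, QueryPeriod, Severity
```

Setting the lookback equal to the frequency gives back-to-back windows with no overlap; if events arrive late (ingestion delay), a slightly longer lookback than the frequency is the usual way to avoid missing them, at the cost of the same event being seen by two consecutive runs.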

Next Articles

Part 4: Microsoft Sentinel Implementation a Deep Dive – Part 4: Deploy VM to Validate the Microsoft Sentinel Deployment

Part 5: Microsoft Sentinel Implementation a Deep Dive – Part 5: Validating the Microsoft Sentinel Deployment

Part 6: Microsoft Sentinel Implementation a Deep Dive – Part 6: Ingesting Microsoft 365 Logs and validation
