Explore Cloud SIEM: Sentinel
With the groundwork in place, the next step is to open Microsoft Sentinel and explore the main features of the cloud-based SIEM that has just been deployed.
Navigate to the search bar and search: "Microsoft Sentinel" and click on it.
- Click on "SEC-Monitoring" in Microsoft Sentinel.
Microsoft Sentinel: Logs
In Logs, you can search for your data using Kusto Query Language (KQL).
- Navigate to the left side bar, click on "Logs" under General.
- Close the window for Queries.
- Click on "LogManagement" to expand the list.
- Click on "AADNonInteractiveUserSignInLogs". Then press Run.
- This table holds the non-interactive user sign-ins (token refreshes and other sign-ins performed by a client on the user's behalf rather than by the user typing credentials). Each record includes the authentication requirement (single- or multi-factor), the client application used, and location details. The location details will be particularly useful for this project.
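The query below is an added example, not part of the original walkthrough, of using the location details from this table for something more useful than browsing rows: it lists accounts whose successful non-interactive sign-ins in the last 24 hours came from more than one country. It assumes the standard schema of AADNonInteractiveUserSignInLogs (UserPrincipalName, AppDisplayName, ResultType, LocationDetails); the 24-hour window and the "more than one country" threshold are choices for this example and should be tuned to the environment.

```kql
// Added example: accounts with successful non-interactive sign-ins from more than one country.
// Column names follow the standard AADNonInteractiveUserSignInLogs schema; time window and
// threshold are assumptions for this example.
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(24h)
| where ResultType == "0"                                   // "0" = successful sign-in
| extend Country = tostring(parse_json(LocationDetails).countryOrRegion),
         City    = tostring(parse_json(LocationDetails).city)
| where isnotempty(Country)
| summarize SignIns   = count(),
            Countries = make_set(Country),
            Cities    = make_set(City),
            Apps      = make_set(AppDisplayName),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by UserPrincipalName
| where array_length(Countries) > 1                         // same account seen from 2+ countries
| order by SignIns desc
```

Paste this into the Logs query editor in place of the bare table name and press Run. A single account appearing in two countries within a day is not proof of compromise (VPNs and mobile carriers cause this routinely), but it is exactly the kind of signal the later UEBA and analytics sections build on, so it is worth knowing how to pull it by hand first.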
Microsoft Sentinel: Data connectors
- Navigate to the left side bar, click on "Data connectors" under Configuration.
- The Status can be filtered by clicking on "Status: All".
- Uncheck the box for "Not connected".
- By clicking on a connector, we can see:
- The type of data being collected.
- The number of logs received.
- The tables that were populated.
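As an added cross-check that is not part of the original walkthrough, the same "which tables are actually being populated" question can be answered from the Logs blade rather than by clicking through each connector. The query below reads the Usage table, which every Log Analytics workspace populates with per-table ingestion volume; the 7-day window is an assumption for this example.

```kql
// Added example: per-table ingestion over the last 7 days, as a check that the connectors
// marked "Connected" are really delivering data. Usage is a standard Log Analytics table;
// the 7-day window is an assumption for this example.
Usage
| where TimeGenerated > ago(7d)
| where IsBillable == true
| summarize IngestedMB = round(sum(Quantity), 2),
            LastSeen   = max(TimeGenerated)
          by DataType
| order by IngestedMB desc
```

A connector that shows as connected but whose table (for example AADNonInteractiveUserSignInLogs or SigninLogs) is missing from this output, or whose LastSeen is days old, is the first thing to investigate before trusting any detection rule that depends on it.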
Microsoft Sentinel: Analytics
Within the Analytics section, you will find pre-configured detection rules provided by Microsoft to facilitate threat monitoring.
- Navigate to the left side bar, click on "Analytics" under Configuration.
- Click on the "Anomalies" tab.
- These anomaly templates are built by Microsoft from thousands of data sources and millions of events, which is what makes them robust out of the box.
- Microsoft allows the threshold of each anomaly rule to be adjusted if it produces false positives in your environment.
Enable AI in Cloud SIEM: Sentinel
The Microsoft Sentinel User and Entity Behavior Analytics (UEBA) feature uses machine learning to build baselines for users and entities and to surface activity that deviates from those baselines, so that unusual behaviour in the environment can be investigated.
Enable AI for Sentinel
- Navigate to the left side bar, click on "Settings" under Configuration.
- Click on "Settings" again at the top of the page.
- Click on "Set UEBA".
- Turn on the UEBA feature (step 1 in the screenshot).
- Check the box for "Azure Active Directory", then click Apply (step 2).
- Check both data-source boxes, then click Apply (step 3).
Configure Sentinel to use Automation Playbooks
- Navigate back to the Settings page.
- Scroll down and click on "Playbook permissions" to expand.
- Click on "Configure permissions".
- Check the box for "SEC-Monitoring". Then click "Apply".