Azure Sentinel implementation and functionality

A SIEM system in the Cloud.

I saw the Azure Sentinel announcement a few weeks ago and for my point of view it’s the right security step from Microsoft for the Azure Cloud.

At the moment Azure Sentinel is in preview and FREE, so the best time for me to test the implementation and the functionality! I’m curious about the pricing!

But lets start with the implementation.

To implement Azure Sentinel, there are the following minimum requirements:

  • Azure Active Directory Tenant
  • Azure Subscription
  • Log Analytics resource

After you are in place, we can start to configure Azure Sentinel.

Open the Sentinel Service:

image

and connect an exist or create a new Azure Log Analytics workspace.

image

Great, this was very simple, so we can start to connect other services. At the moment there are the following connectors available

image

and it’s quiet simple to implement. For me it’s important to know and understand what’s going on in my Azure Active Directory fist.

To archive that, I’ll implement Azure Active Directory and there is one bad thing.

If you want to implement the Azure Active Directory connector, you need an Azure Active Directory P2 License.

image

But no problem in my test environment, I order the 90 Day trial Azure AD P2 License Smile. Done

Next step, I want to analyze all my VMs (On-Prem and Cloud), so I have to implement Security Events.

At the overview, I can see all activities in my environment now.

image

At the moment there is nothing to do in my environment but I will test a Demo Error.

I create an error rule with the following Log Analytics query:

AzureActivity

| where OperationName == “Create or Update Virtual Machine”

| where ActivityStatus == “Failed”

| make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller

image

image

Now I provoke an error, I upgrade a VM to a non supported size and a few minutes later I get an Alert and also an open case.

image

image

At the moment, it’s not possible to execute a playbook (Azure LogicApp) but I think in a few weeks the functionality will be available and I can execute a task when an error occurred.

I will try to implement the following solution in a few weeks and will share my experience.

  • configure azure firewall
  • start a brute force attack to a specific port
  • create an alert/case and automatically close the port with an Azure Playbook

For me, Azure Sentinel is really simple to setup but the fine tuning takes a lot of time and deep security know how.

I think Azure Sentinel is a real alternative to other products but it depends on the pricing structure.

Cheers and always keep in mind “the future is always here”