15/07/2019 Step-by-Step Guide to Deploy Azure Sentinel - Infused Innovations

https://www.infusedinnovations.com/blog/intelligent-cloud/step-by-step-guide-to-deploy-azure-sentinel 1/14

Step-by-Step Guide to DeployAzure SentinelMay 6, 2019

/ / / / / /

/

By Dan Chemistruck

Azure Sentinel is by far the most exciting announcement out of Redmond so far thisyear. Aside from that, what is Azure Sentinel? It’s a 100% cloud based SecurityInformation Event Management (SIEM) solution. I’ve been referring to Log Analytics withAzure Security Center as Microsoft’s cloud SIEM solution for a couple years, but AzureSentinel allows you to collect logs from anywhere. ANYWHERE. When you deploy Azure

Azure Azure Sentinel Cloud Security Identity Access Management Intelligent Cloud Log Analytics

Secure Modern Workplace Threat Intelligence

0

15/07/2019 Step-by-Step Guide to Deploy Azure Sentinel - Infused Innovations

https://www.infusedinnovations.com/blog/intelligent-cloud/step-by-step-guide-to-deploy-azure-sentinel 2/14

Sentinel, anything that ships Common Event Format (CEF) logs over port 514 canintegrate with Azure Sentinel. Even more exciting is the one-click setup for a number ofdata connectors:

What is Security Information Event Management(SIEM)?Think about your one friend that has memorized every line from every Marvel movie.And now think about every time he corrects you when you misquote the movie ormistake which movie a speci�c scene was from. It’s that, but for your hybrid cloudnetwork. Your friend knows what to expect and he throws an exception whensomething is out of place.

Every time you sign into Outlook, an audit log is generated. Any time you share a �le inOneDrive, a log is generated. When you connect your personal phone to the corporatenetwork, a log is generated. If your frustrated senior IT engineer tries to download all ofyour intellectual property from Teams and then deploy EternalBlue to the entirenetwork, then a LOT of logs are generated. SIEM collects all of those logs and usestrained machine learning models to generate risk pro�les for users and devices on yournetwork based on expected behavior.

15/07/2019 Step-by-Step Guide to Deploy Azure Sentinel - Infused Innovations

https://www.infusedinnovations.com/blog/intelligent-cloud/step-by-step-guide-to-deploy-azure-sentinel 3/14

So when unusual behavior occurs, like stealing your IP, an alert is generated andMicrosoft Cloud App Security with Azure Logic Apps can be used to automatically blockthe download and lock the user out of your tenant. If a user logs in from Italy 30minutes after they left the o�ce in Boston, the login can be automatically blocked.

Digital forensics and breach investigation

SIEM also provides the digital forensics that allow you to investigate the attack chain ofa breach in its entirety. With Microsoft analyzing 6.5 trillion signals daily, they have thelargest security dataset of any company in the world. Even more data points than yourfriend that’s watching the Avengers Endgame for the �fth time as we speak.

To get the full value out of Azure Sentinel for your Microsoft 365 environment, youneed EM+S E5, M365 E5 or something similar to collect telemetry from MCAS andAADP2. As with all Microsoft products, you can review our blog on Microsoft 365 subscription licenses to make sure you have access to all the securityproducts discussed in this post.

Deploy Azure Sentinel in 5 MinutesIf you already have Log Analytics and Azure Security Center deployed, as all of ourcustomers do, it takes 5 minutes to deploy Azure Sentinel. However, if you don’t havethose services setup yet, it might take you 15 minutes to deploy. Before we jump intocon�guring data connectors and dashboards, let’s get go through the prerequisitesquickly.

Prerequisites: Con�guring Log Analytics and Azure Security Center

Our engineers will gladly assist you through customizing Log Analytics deployments foryour environment, but let’s just create a workspace for demonstration purposes.

1. Navigate to the Log Analytics blade in the Azure Portal2. Click Add and complete the form to create a new Log Analytics Workspace. (Note:

Refer to the Azure Sentinel documentation to make sure Sentinel is available in yourregion.)

15/07/2019 Step-by-Step Guide to Deploy Azure Sentinel - Infused Innovations

https://www.infusedinnovations.com/blog/intelligent-cloud/step-by-step-guide-to-deploy-azure-sentinel 4/14

3. Now let’s head over to Azure Security Center and Enable it.

15/07/2019 Step-by-Step Guide to Deploy Azure Sentinel - Infused Innovations

https://www.infusedinnovations.com/blog/intelligent-cloud/step-by-step-guide-to-deploy-azure-sentinel 5/14

4. Next, go to Security Policy and click Edit Settings for your subscription name:

5. Con�gure Security Center to Use another workspace and select your Log Analyticsworkspace.

15/07/2019 Step-by-Step Guide to Deploy Azure Sentinel - Infused Innovations

https://www.infusedinnovations.com/blog/intelligent-cloud/step-by-step-guide-to-deploy-azure-sentinel 6/14

Optional: Turn on Auto Provisioning (this will cost you $15/mo per VM plus any dataoverages)

6. Next, go to Threat Detection and enable Microsoft Cloud App Security andMicrosoft Defender ATP integration:

That’s it! You’ve �nished setting up all the prerequisites to deploy Azure Sentinel.

15/07/2019 Step-by-Step Guide to Deploy Azure Sentinel - Infused Innovations

https://www.infusedinnovations.com/blog/intelligent-cloud/step-by-step-guide-to-deploy-azure-sentinel 7/14

Disclaimer:

Infused Innovations does not recommend deploying Azure Security Center with only thesecon�gurations in production environments. This is the minimal con�guration to deploySentinel. It is important to tune Azure Security Center policies and alerts to meet yourorganization’s speci�c regulatory requirements. The out-of-box con�guration of AzureSecurity Center is not su�cient for most organizations, but does provide immediate insightsto your environment.

Deploy Azure SentinelNow for the easy part.

1. Login to https://portal.azure.com click All Services and search for Azure Sentinel2. Click the Connect Workspace button

3. Next, link your Log Analytics workspace:

15/07/2019 Step-by-Step Guide to Deploy Azure Sentinel - Infused Innovations

https://www.infusedinnovations.com/blog/intelligent-cloud/step-by-step-guide-to-deploy-azure-sentinel 8/14

That’s it. You just deployed Azure Sentinel. But it’s useless without data, so let’s clickCollect Data:

Almost all of the Microsoft data sources can be enabled with 1-4 clicks. I’ve put togethera gallery of screenshots to show how simple it is to deploy:

15/07/2019 Step-by-Step Guide to Deploy Azure Sentinel - Infused Innovations

https://www.infusedinnovations.com/blog/intelligent-cloud/step-by-step-guide-to-deploy-azure-sentinel 9/14

Deploy Fusion for Azure Sentinel

Now that you’re ingesting data into Azure Sentinel, let’s enable Fusion. Fusion for AzureSentinel uses ML to help reduce alert fatigue and false positives. Fully utilizing theMicrosoft Intelligent Security Graph to correlate millions of low-�delity signals for

15/07/2019 Step-by-Step Guide to Deploy Azure Sentinel - Infused Innovations

https://www.infusedinnovations.com/blog/intelligent-cloud/step-by-step-guide-to-deploy-azure-sentinel 10/14

unusual behavior across the entire Microsoft ecosystem, Fusion attempts to reduce theamount of security cases to investigate.

To enable Fusion for Azure Sentinel, open the Cloud Shell in the Azure Portal and enterthe following command:

Be sure to swap out your subscription GUID and Log Analytics Workspace Name alongwith the surrounding curly brackets.

Con�gure Dashboards, Notebooks, and Queriesin Azure SentinelCon�guring dashboards in Azure Sentinel is as easy as opening the Dashboards blade,clicking on the data connector solution that we just setup, and clicking install.

Once your dashboards are installed, you can start using them for threat hunting.Another helpful resource to identify threats is the Hunting blade, which includes anumber of built-in log queries.

1. az resource update --ids /subscriptions/{Subscription Guid}/resourceGroups/{Log analytics resource Group Name}/providers/Microsoft.OperationalInsights/workspaces/{Log analytics workspace Name}/providers/Microsoft.SecurityInsights/settings/Fusion --api-version 2019-01-01-preview --set properties.IsEnabled=true --subscription "{Subscription Guid}"

15/07/2019 Step-by-Step Guide to Deploy Azure Sentinel - Infused Innovations

https://www.infusedinnovations.com/blog/intelligent-cloud/step-by-step-guide-to-deploy-azure-sentinel 11/14

The last item that you’ll want to take a look at is importing Microsoft’s Azure SentinelNotebooks from GitHub for some guided-hunting patterns. Click on the Notebooksblade and then Clone Azure Sentinel Notebooks. This will guide you throughimporting the notebooks from GitHub.

Closing thought on Deploying Azure Sentinel

15/07/2019 Step-by-Step Guide to Deploy Azure Sentinel - Infused Innovations

https://www.infusedinnovations.com/blog/intelligent-cloud/step-by-step-guide-to-deploy-azure-sentinel 12/14

2 thoughts on “Step-by-Step Guide toDeploy Azure Sentinel”

g g p y gI thought deploying Azure Security Center in 10 minutes was totally rad. But deploying acloud-native SIEM solution in �ve minutes is ridiculous. Enabling Azure Sentinel is sosimple, there’s no reason not to do it. Unless you’re the CFO and not knowing thepricing gives you anxiety. Or if you’re the COO and products labeled “Public Preview”make you nervous in a production environment. Azure Sentinel is free during the publicpreview, and I highly recommend checking it out.

The ease of enabling telemetry from multiple data sources is mind-blowing. Theinnovation that Microsoft continues to make in the security space never ceases toamaze me. I am looking forward to this product going GA so we can formallyincorporate it into our cloud security and orchestration platform, Secqur.

Happy hunting!

IJ

May 14, 2019 at 9:40 am

Hello,

Thanks for the walk through. Can youplease give a reference for “Turn on AutoProvisioning (this will cost you $15/mo perVM plus any data overages) ” I am not ableto �nd it on https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection#enable-automatic-provisioning-of-microsoft-monitoring-agentnor at https://azure.microsoft.com/en-gb/pricing/calculator/

Thanks

15/07/2019 Step-by-Step Guide to Deploy Azure Sentinel - Infused Innovations

https://www.infusedinnovations.com/blog/intelligent-cloud/step-by-step-guide-to-deploy-azure-sentinel 13/14

Dan Chemistruck

May 15, 2019 at 6:43 pm

Azure Security Center pricing is availablehere: https://azure.microsoft.com/en-us/pricing/details/security-center/

15/07/2019 Step-by-Step Guide to Deploy Azure Sentinel - Infused Innovations

https://www.infusedinnovations.com/blog/intelligent-cloud/step-by-step-guide-to-deploy-azure-sentinel 14/14