Azure Sentinel: How?

This post summarizes the basic knowledge you need to start using Azure Sentinel as quickly as possible.

 

Sentinel Workspace, Price and Roles

Create Microsoft Sentinel (Log Analytics) Workspace 
  • https://blog.51sec.org/2023/10/azure-sentinel-101.html
Microsoft Sentinel pricing
  • https://azure.microsoft.com/en-ca/pricing/details/microsoft-sentinel/
Tier              Microsoft Sentinel Price   Effective Per GB Price   Savings Over Pay-As-You-Go
Pay-As-You-Go     $6.95 per GB ingested      $6.95 per GB ingested    N/A
100 GB per day    $456.74 per day            $4.57 per GB             34%
Roles and permissions in Microsoft Sentinel  (https://learn.microsoft.com/en-us/azure/sentinel/roles)
The role is assigned at the subscription level, not to an Entra ID group.

Log Retention

Log Analytics Workspace
Settings - Tables - Default retention period is 90 days. 

To modify this configuration, go to Azure Portal - Log Analytics Workspace - <Your Workspace> - Tables - right-click the table - Manage table

Diagram

Note: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/best-practices-for-common-event-format-cef-collection-in-azure/ba-p/969990

Content Hub & Data Connectors

You can search for "Training" in the Content Hub to find the Microsoft Sentinel Training Lab and install it in your lab environment. 
  • Azure Activity
  • Network Session Essential
  • Azure Active Directory
  • Common Event Format
  • Windows Security Events

Microsoft Sysmon For Linux

Common Event Format (CEF) via AMA (Azure Monitor Agent)

Microsoft Sentinel Training Lab Solution

This solution ingests pre-recorded data into your Microsoft Sentinel workspace and enables several artifacts that simulate scenarios showcasing various Microsoft Sentinel features. The ingested data is only around 20 MB, so you will see no ingestion cost. The pre-recorded data lands in the following custom log tables: SecurityEvent_CL, SigninLogs_CL, OfficeActivity_CL, AzureActivity_CL, Cisco_Umbrella_dns_CL.

Training guide: https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Training/Azure-Sentinel-Training-Lab

Threat Intelligence

Install Threat Intelligence from the Content Hub.
Open the connector page: Data connectors - Threat Intelligence - TAXII.
Get a free threat intelligence feed from https://pulsedive.com/ and fill in the connector settings:

  • API root: https://pulsedive.com/taxii2/api
  • API collection ID: test id
  • Username: taxii2
  • Password: your own API key

Automation 

Analytics Rules

High

Medium

Show Table Contents

AzureActivity | limit 100 

KQL - Kusto Query Language

 

You can practice Kusto Query Language statements - including the ones in this article - in a Log Analytics demo environment in the Azure portal. There is no charge to use this practice environment, but you do need an Azure account to access it.
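As an added example (not part of the original post), the following query builds on the AzureActivity table listed above and on the note that Sentinel roles are granted at the subscription level: it surfaces successful RBAC role-assignment writes that carry no resource group, i.e. subscription-scope grants, grouped by caller. It is the kind of query you would paste into a scheduled analytics rule; the 1-day lookback and the assumption that subscription-scope writes have an empty ResourceGroup field are mine, and the columns are the standard AzureActivity schema.

```kql
// Added example, not from the original post: subscription-scope role assignments in AzureActivity.
// Assumptions: 1d lookback; subscription-scope assignments have an empty ResourceGroup.
let lookback = 1d;
AzureActivity
| where TimeGenerated > ago(lookback)
// the operation written when an RBAC role is assigned
| where OperationNameValue =~ "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
| where ActivityStatusValue =~ "Success"
// subscription-scope grants are not tied to a resource group (assumption)
| where isempty(ResourceGroup)
| summarize AssignmentCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            // keep up to 10 distinct assignment resource ids per caller
            AssignmentIds = make_set(_ResourceId, 10)
          by Caller, CallerIpAddress, SubscriptionId
| order by AssignmentCount desc
```

Run it first in the Logs blade to confirm the row shape for your tenant, then use it as the rule query and map Caller and CallerIpAddress to the Account and IP entities in the analytics rule wizard.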

Videos

 

References

Copyright notice:
Author: 主机优惠
Link: https://www.techfm.club/p/110952.html
Source: TechFM
The copyright of this article belongs to the author; please do not reproduce it without permission.
