![]() ![]() Another setting is the look-back time-how far back in the log the rule is going to look. ![]() Sentinel doesn't charge you for running rules, so setting them fairly frequently helps to let you know about suspicious activity quickly. The shortest time is every five minutes, but you can set it to hours or days. When you configure a rule, you have to decide how often the rule will run. I started by filtering the view on severity (high and medium), plus the data sources we have, and enabled all matching built-in rules. There are hundreds of built-in rule templates. Next, you use analytics rules to run queries over the data to alert you to suspicious activity. Getting the log data into Sentinel is the first step. Threat intelligence data in Sentinel Next step Following this blog post, I set up Anomali’s free intel feeds so domains/IPs, malware domains, TOR nodes, C2 servers, and compromised host matches in our logs would be flagged. It would have been nice to be able to collect security events not only from servers but also from Windows 10 clients, but I needed to watch the ingestion cost carefully before expanding the agent deployment.įinally, I configured the Threat Intelligence-TAXII connector, which is one of two ways to ingest TI information into Sentinel. MMA simply has three options: Minimal, Common, or All-I picked Common. The main benefit for Sentinel in AMA is data collection rules that let you fine-tune exactly which events from the Windows Security Event log are collected. It's in public preview at the time of writing, which I would have used had it been available back when I deployed the agents. There's now a newer option, the Azure Monitoring Agent (AMA) which spans both Windows and Linux hosts. On each physical server and VM, I deployed the Microsoft Monitoring Agent (MMA), a simple MSI installer that you run, supplying the workspace ID and primary key from the Log Analytics workspace in Azure. The non-cloud data source connectors (security events, Windows Firewall, and DNS) are based on data from the on-premises VMs and hosts. ![]() For this client, I used Azure AD (sign-in logs for users, interactive, non-interactive, and service principals, plus audit logs), DNS, Office 365 (SharePoint, Exchange, and Teams activity), Windows Security Events, Threat intelligence-TAXII, and Windows Firewall. The cloud-based data connectors were the easiest to connect it's a couple of clicks for each. It definitely restricted our ability to investigate breaches going back into the past, but that's the free retention period and budget was king in this project. The retention period for the workspace was 90 days, which was a calculated risk. I deployed a Log Analytics workspace and then enabled Azure Sentinel for the workspace in the Australia East region (use whenever possible to ensure the lowest latency to the client). I made sure to base it on the same Azure Active Directory as in their M365 tenant, as this is important for the AAD data to flow into Sentinel properly. Since they had Microsoft 365 but no Azure subscriptions, I created one for them through CSP (Microsoft's partner program). The VMs (Windows Server 2016/2019) are two DCs, a file and print server, Windows Server Update Services (WSUS), a school management application, Microsoft's Advanced Threat Analytics (ATA), and a Linux syslog server. We have two Windows Server 2019 Dell Hyper-V hosts with seven VMs, all running on the newer server, with the older server as a Hyper-V replica target in a separate building. The first client is a small school with about 90 students (years 1–12) and 20 staff, all using Microsoft 365 A3, which is like E3 in the commercial world. So I thought maybe I could build an SMB SIEM on a shoestring budget, which would provide the visibility we were lacking. Back then, Sentinel had fewer than 20 connectors for other data sources today, that list is 116 and growing rapidly. As mentioned in our earlier look at Sentinel, there are some free data sources for Sentinel: Azure activity, Office 365 audit logs, and alerts from the Microsoft 365 Defender suite (max 90-day retention). ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |