Microsoft Azure Sentinel is the latest SIEM offering based on the cloud power, artificial intelligence and Machine learning. In this article I will share the configuration of Azure Sentinel and how to add connectors from different platforms. For Instance connecting Office365 to Azure Sentinel.
WHY AZURE SENTINEL ?
Microsoft Azure Sentinel is a modern SIEM (Security Information Event Management) solution based on cloud. Azure Sentinel can connect all your organizations assets whether on-premise or any cloud. In addition to that the built in AI and Machine learning capabilities deliver real accurate data for analysts. The real main benefit of Azure Sentinel is consuming Microsoft Threat intelligence and Graph. In other words you will have the power of Microsoft cloud with billions of signals to empower your Azure Sentinel Dashboard. You can have one dashboard with all critical applications and devices or specific dashboards per service. For more information please click Here.
ENABLING AND CONFIGURING AZURE SENTINEL
At the point of writing this post, Azure Sentinel is in Preview which means its free. First you need to create a Workspace or use an existing workspace (maybe your old Microsoft OMS). Next will be connecting your Sentinel to other devices and applications. In this article we will connect with Office365 out of the box connector.
- First step is logging to Azure Portal and searching for Azure Sentinel. Click on connect workspace
Create a new workspace or link an existing one if you have used OMS/Log Analytics lately. I would recommend having a new fresh workspace and pick the suitable Pricing tier.
Now when you get the option to choose a workspace, pick the one created earlier. Click Add below to add Sentinel to this created Workspace.
That’s all you need to have an up and running Sentinel workspace. The next step will be collecting data which requires adding connectors to your resources.
CONNECTING AZURE SENTINEL TO OFFICE365
Microsoft provides out of the box connectors to most of Microsoft cloud applications. In just few clicks you can connect to Office 365, Azure AIP, Cloud app Security and others. Also connectors for the main non-Microsoft resources are available For instance PaloAlto, CISCO, F5 and many others. You also have the option to use Syslog or common event format to connect other resources.
In this article we will connect to Office 365 and will have other connectors on future posts.
From the Getting started, collect data we will click on connect. Data connectors page will open up with all currently available out of the box connectors. We will be picking the Office 365 connector.
Adding and configuring the Office 365 connector is 3-step process. First you need to enable the Office 365 solution on your workspace. All you need to do is to Install the solution/connector
After adding/installing the solution, the next step will be adding your tenant. However this step requires a user with Global admin permission. Click Add Tennant to add your Office 365 resources.
After that, It will take few hours till the data is populated and your dashboard start displaying some meaningful data. Also you have the option to view the specific dashboards installed earlier
In this blog post we introduced Microsoft latest cloud SIEM and its basic configuration in addition to the connectors. Microsoft Sentinel is a very promising cloud SIEM solution. If your company is already on Azure and leveraging the power of the cloud then Sentinel is worth trial. More and more connectors are added to ensure all your ecosystem is connected. Its free with no usage charge. I would encourage all Azure users to give it a try.
Hopefully this post was helpful.
About the Author:
I am an IT professional specialized in IT infrastructure, security and IT management.
My real passion is Networking and Security. I hold a BS, MS, MCITP, MCSE, CCNP, CWSP, CEH, CHFI, ITIL and PMP.
I have been awarded the Microsoft Most Valuable Professional (MVP) in Enterprise Security
Mahmoud Nabil, A (2019). Azure Sentinel Cloud SIEM Solution. Available at: https://itcalls.net/azure-sentinel-cloud-siem-solution/ [Accessed: 8th October 2019].