Getting Started with Microsoft Sentinel

Microsoft Sentinel is a security software that protects your company from malware and data loss. It is designed for small, medium, or large enterprises of any size.

Sentinel protects your data from digital threats with advanced threat protection at the gateway, endpoint, and cloud levels. The software has industry-leading “cloud capability” that spans an entire organization, with data-at-rest encryption, data-in-motion encryption, and user authentication to ensure compliance with HIPAA (healthcare), PCI (retail), or PII/PHI (credit card payments). Because Sentinel is deployed quickly through the Azure cloud platform and provides uniform security across devices, apps, and endpoints, it is a staple for every business. The good news is that it is easy to get started. Here’s how.

Azure Subscription

First, you need an Azure subscription. If you do not already have one, create it, then create a Log Analytics workspace. Next, configure the workspace usage settings to curb extra costs. Be sure to review the retention period, even though it defaults to 30 days: Microsoft Sentinel gives you 90 days of retention, so you can set your retention period to 90 days or more if need be.

After configuring the workspace, add the Microsoft Sentinel service to that workspace from the Azure portal and purchase a commitment tier.

Collect and Analyze Logs

Collect data from sources such as Microsoft 365, Azure, and Managed Microsoft Sentinel. Focus on Microsoft cloud services and let Sentinel access their logs through data connectors. Once a connector is set up, the records are ingested into the Log Analytics workspace for analysis.

At this point, you have to deploy a solution and specify which Azure Active Directory logs you would like to ingest and analyze. Tick the boxes for the log types you want on the connector page. Remember to include everything, such as the audit logs and sign-in logs.

You must also create analytics rules from the rule templates for Azure Active Directory. You can create the rules in Managed Microsoft Sentinel. Start with the most severe rules and work down to the least severe.

Create A Template with A New Rule

Go to Set rule logic and enter the KQL query that defines the new rule. Test the query from that screen to make sure it works, and review any data that matches it. Then open Incident settings and define what you want from the query: whether it should generate incidents in Sentinel and how it should group alerts. Afterward, automate the response by configuring any automation rules that you want the rule to trigger.
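As an added example (not from the original post), this is the kind of KQL you would paste into Set rule logic for a scheduled rule over the Azure AD SigninLogs table: it flags an account that accumulated many failed sign-ins from one IP address and then signed in successfully from that same address. The one-hour lookback and the threshold of 10 failures are assumed values for illustration, not figures from the article.

```kql
// Added example: scheduled analytics rule logic over Azure AD SigninLogs.
// Assumes the rule runs every hour with a one-hour lookback (set in the
// rule wizard); lookback and failure_threshold are assumed tuning values.
let lookback = 1h;
let failure_threshold = 10;
// ResultType is a string in SigninLogs; "0" means the sign-in succeeded.
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where FailedCount >= failure_threshold;
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress,
              SuccessTime = TimeGenerated, AppDisplayName, Location;
// Keep only accounts where the success came after the last failure
// from the same address.
failures
| join kind=inner successes on UserPrincipalName, IPAddress
| where SuccessTime > LastFailure
| project UserPrincipalName, IPAddress, FailedCount,
          FirstFailure, LastFailure, SuccessTime, AppDisplayName, Location
```

Map UserPrincipalName to the Account entity and IPAddress to the IP entity in the rule wizard so incidents show both on the incident page.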

Test The Rule

Now test the rule you created and make sure it works. Assign one of your users a role such as administrator. Click on the incident and review the detailed log analysis. Trigger the playbook to run as an automated routine, or assign the incident to a security engineer as a task.

Report

Visualize your log data in the Azure portal using workbooks from Microsoft and Managed Microsoft Sentinel. Use the Content hub to find workbooks for the service you monitor: search for Azure AD and you will find several workbooks you can save to your environment. Once the templates are installed, you can open any workbook you want, provided you have ingested the relevant data.

Automate

At this stage, you need to automate a response when an incident is created. Create a Logic App that performs a task, such as a playbook created through the Sentinel Automation section. You can also create a system-assigned managed identity for your Logic App connection.

Author Profile

Lee Clarke
Business And Features Writer