Sentinel Study Guide

Uploaded by suresh

Study Guide: Configure Azure Sentinel with VM and Logic App for Automated Incident Management

Step 1: Deploy a Virtual Machine

1. Navigate to Virtual Machines in the Azure Portal.

2. Click + Create and select Azure Virtual Machine.

3. Configure the VM:

o Image: Use Windows Server or any desired OS.

o Size: Choose a size based on your workload.

o Networking: Ensure it’s connected to a Virtual Network.

4. Complete the setup and start the VM.

Sentinel Config:

Step 1: Set Up Azure Sentinel

1. Create a Log Analytics Workspace

1. Navigate to the Azure Portal.

2. Search for Log Analytics Workspaces and select it.

3. Click + Create and fill out the details:

o Resource Group: Create a new or select an existing one.

o Workspace Name: Choose a descriptive name, e.g., SentinelWorkspace.

o Region: Select the appropriate region.

4. Click Review + Create and then Create.

2. Enable Azure Sentinel

1. Navigate to Azure Sentinel in the Azure Portal.

2. Click + Add.

3. Select the Log Analytics Workspace created earlier and click Add Azure Sentinel.

Step 2: Connect Data Sources

1. Add a Virtual Machine Data Connector

1. In Azure Sentinel, go to Content Hub.

2. Search for Windows Security Events and click on it.

3. Follow the instructions to enable the connector:

o Create a Data Collection Rule (DCR):

  - Navigate to Data Collection Rules and create a new rule.

  - Assign the rule to the VM.

o Enable collection of all security event logs.

Step 3: Configure Analytics Rules

1. In Azure Sentinel, go to Configuration > Analytics.

2. Click + Create > Scheduled Query Rule.

3. Configure the rule:

o Rule Name: Enter a descriptive name, e.g., Windows Security Alert Rule.

o Severity: Select the severity level.

o Rule Query: Use a KQL query that detects security events, i.e. one that queries the SecurityEvent table.

o Tactics: Select all tactics.

o Actions: Enable incident creation.

4. Save the rule.
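As an added example (not part of the original guide), a KQL query that could serve as the Rule Query of the Scheduled Query Rule above. It assumes the VM's Windows Security Events reach the SecurityEvent table through the connector and DCR from Step 2; the thresholds are illustrative.

```kusto
// Added example, not from the original guide. Assumes the VM's Windows Security
// Events land in the SecurityEvent table via the connector and DCR from Step 2.
// Detects a burst of failed logons (Event ID 4625) from one source IP against one
// account, followed within 10 minutes of the last failure by a successful logon
// (Event ID 4624) for that account from the same IP. Thresholds are illustrative.
let lookback = 1h;        // match the rule's "Lookup data from the last" setting
let window = 10m;         // how soon after the last failure a success counts
let threshold = 10;       // failed logons needed before the pair is reported
let failures = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated)
      by Computer, TargetAccount = tolower(TargetUserName), IpAddress
    | where FailedCount >= threshold;
let successes = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and LogonType in (3, 10)   // network and RDP logons
    | project Computer, TargetAccount = tolower(TargetUserName), IpAddress,
              SuccessTime = TimeGenerated;
failures
| join kind=inner successes on Computer, TargetAccount, IpAddress
| where SuccessTime between (LastFail .. (LastFail + window))
| project TimeGenerated = SuccessTime, Computer, TargetAccount, IpAddress,
          FailedCount, FirstFail, LastFail
// In the rule's entity mapping, map Host -> Computer, Account -> TargetAccount
// and IP -> IpAddress so the incident carries entities the Logic App can use.
```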

Step 4: Monitor Incidents

1. Navigate to Incidents in Azure Sentinel.

2. Review and analyze generated incidents.

Step 5: Configure a Logic App for Incident Automation

1. Create a Logic App

1. Navigate to the Azure Portal.

2. Search for Logic Apps and select it.

3. Click + Create.

4. Fill out the required fields:

o Resource Group: Select the same Resource Group as your Sentinel workspace.

o Name: Give the Logic App a descriptive name, e.g., SentinelIncidentNotifier.

o Region: Select the same region as your Sentinel workspace.

5. Click Review + Create and then Create.

2. Design the Logic App Workflow

1. Open the Logic App you just created.

2. Click on Edit to open the Logic App Designer.

3. Add the trigger:

o In the search bar, type Microsoft Sentinel.

o Select When an incident is created.

4. Add a Compose Action:

o Click + New Step.

o In the search bar, type Compose.

o Select the Compose action.

o Enter the following JSON payload to structure incident details:

{
  "Incident Title": "@triggerOutputs()?['body/Properties/title']",
  "Incident Severity": "@triggerOutputs()?['body/Properties/severity']",
  "Incident Description": "@triggerOutputs()?['body/Properties/description']"
}

5. Add an Email Action:

o Click + New Step.

o In the search bar, type Send an email (V2).

o Select your email provider (e.g. Outlook).

o Configure the email:

  - To: Enter the recipient’s email address.

  - Subject: e.g., VM Incident triggered

  - Body: Insert the Outputs of the Compose action.

6. Save the Logic App:

o Click Save at the top to ensure all configurations are stored.
