Exercise 5: Azure Sentinel Logging and Reporting
In this exercise, you will set up Azure Sentinel to point to a logging workspace and then create custom alerts that execute Azure Runbooks.
- Open the Azure Portal.
- Click All services, then type Sentinel, select Azure Sentinel
- In the blade, click +Add, select the Log Analytics resource for your resource group, then click Add Azure Sentinel
- In the blade, select Dashboards
- In the list of dashboards, select Azure AD Audit logs, select Install
- In the list of dashboards, select Azure Network Watcher, select Install
- Click View Dashboard, take a moment to review your new dashboard
- Navigate back to the Azure Sentinel workspace, in the Configuration blade section, select Analytics then select +Add.
- For the name, enter PortScans.
- For the description, enter A custom rule to detect port scans.
- In the Set alert query text box, type:
AzureDiagnostics | where Type != 'AzureMetric' and OperationName == 'NetworkSecurityGroupCounters' and type_s == 'block' and direction_s == 'In' and Resource == 'WEBTRAFFICONLY'
Note: If you were quick going through the labs, then you may not have log data in the Log Analytics workspace just yet that corresponds to “AzureMetric”. You may need to wait 15-30 minutes before a query will execute.
- For the operator value, enter 50.
- For the frequency, select 30 and Minutes.
- For the period, select 30 and Minutes.
Note: This is so that our lab will run quickly; these values may not be appropriate for the real world.
Note: It may take a few minutes for the alert to fire. You may need to run the PortScan script a few times from paw-1.
Note: It may take 15-20 minutes for the alert to fire. You can continue to execute the port scan script to cause log events, or you can lower the threshold for the custom alert.
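As an added example (not part of the lab text), the same filter as the PortScans rule above, extended to aggregate the blocked inbound hits per NSG rule in 30-minute bins and keep only bins over the lab threshold of 50. The columns matchedConnections_d and ruleName_s are assumed from the NetworkSecurityGroupCounters diagnostic schema; the lab page itself does not use them.

```kusto
// Added example: blocked inbound NSG counter hits on WEBTRAFFICONLY,
// bucketed into 30-minute windows to match the rule's period setting.
// Column names matchedConnections_d and ruleName_s are assumed (NSG counters schema).
AzureDiagnostics
| where TimeGenerated > ago(30m)          // look-back equal to the rule period
| where Type != 'AzureMetric'
    and OperationName == 'NetworkSecurityGroupCounters'
    and type_s == 'block'
    and direction_s == 'In'
    and Resource == 'WEBTRAFFICONLY'
| summarize Hits = count(),
            BlockedConnections = sum(matchedConnections_d)
    by Resource, ruleName_s, bin(TimeGenerated, 30m)
| where Hits > 50                          // same threshold as the lab's operator value
| order by TimeGenerated desc
```

Running this in the Logs blade before the scheduled rule fires shows which deny rule is absorbing the scan traffic and whether the 30-minute window has crossed the threshold yet.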
- In the dialog, click Investigate
- In future versions, you will get to see insights about the alerts and the resources related to what caused it to fire.
- In the Azure Sentinel blade, select Playbooks.
- In the new window, select Add Playbook.
- The Create logic app blade will display:
  a. For the name, enter Email.
  b. Select your existing resource group.
  c. Toggle the Log Analytics to On and then select your azuresecurity Log Analytics workspace.
- Select Create, the Logic Apps Designer will load.
- Select the Send notification email template.
- Select Use this template.
- Select Sign In, and then type your Azure/O365 credentials.
Note: This would need to be a valid Office 365 account.
- Select Continue.
- For the email address, enter your email.
- Select Save. You now have an email alert action based on PowerApps for your custom security alert to use.
- In the Azure Sentinel blade, select Notebooks.
- Scroll to the bottom of the page and select Clone Azure Sentinel Notebooks.
- The Azure Notebooks page will open, on the page, select Import.
- In your notebook, browse to /Azure Sentinel/Notebooks, then select Get Started.ipynb.
- On the page, select Run on Free Azure.
- In the menu, select Kernel->Change kernel, then select Python 3.6.
- Click the Run button until you execute the entire Notebook; note that some steps will require your input.
Note: You can find the open source GitHub notebooks at https://github.com/Azure/Azure-Sentinel.
- Navigate back to your Azure Sentinel browser window. Select Logs.
- Expand the LogManagement node, notice the various options available.
- In the query window, type AzureDiagnostics, then click the eye icon.
- In the top right, select Export, then select the Export to Power BI (M Query) link.
- Select Open, a text document with the Power Query M Language will be displayed.
- Follow the instructions in the document to execute the query in Power BI.
- Close Power BI.