Time
8 hours 33 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Transcription

00:00
Hello, Siberians. Welcome to this demonstration on I just sentinel. This demonstration is part of the seventh model off the Is that 500 Microsoft Azure Security technologies costs
00:11
quick information on the activities that will be completing in this demonstration.
00:16
Who start by creating is sentinel and neighborhood log analytics workspace. When I connect data sources, Treasure Sentinel will create analytics rules and finally, we'll explore incidents in I just center. Now, let's get into this.
00:31
So, in the first task of this demonstration are create in new log analytics workspace that will be sent now enabled
00:39
on, um, it's official representation off. What are we, Dean?
00:43
I'll start by creating a log analytics workspace that will be used for starving logs on events that sentinel will be collected.
00:50
How then enable that work space to be used by just sentinel.
00:55
So here I am, in the azure Pato. So what are does is our click on this such option at the top and are set for log analytics on our click on log analytics workspaces.
01:06
You can say that I currently don't have any work spaces, so what I'll do is I'll create a new log analytics workspace I'll put that in the this article that I have called sense. Now allergies are great and click on that. Now, for the name of my workspace, our colleagues Sentinel workspace
01:23
on division will be UK self.
01:25
I'll go ahead and click on pricing Tier. I'll leave the default on our quiet and click on review, Plus creates
01:30
and I'll go ahead and click on Creates.
01:34
So it only took a few seconds to complete. But now I have my workspace fully created. So the next minute out dough is our enabled the workspace for sentinel. If I go ahead and go to the results, he can see the workspace here
01:47
now to never lied. Five. Just Centeno are quiet and click on the such option on our search for as your sentinel on our click on as your Sentinel day. Now you can say I have the option to connect a workspace if I go ahead and click on Connect workspace
02:01
and I'll select the workspace that I just created. So I'll click and that are click on add as your sense now
02:07
on What's This is completed. This workspace is now center now and never would
02:14
so in the next task, I'll be connecting data sources to adjust sentinel
02:19
on yes, a visual representation off What are between our configure are just internal did a connector for the following data sources for Windows Virtual Machine. And they'll be collecting the security adventures in an agent
02:31
for a Giant D audit and sign in logs
02:35
for a variety identity protection security event and also, for just security center security elects.
02:43
So here I am, back in the agile Pato and I'm under my azure sentinel workspace. To begin to connect data sauces into this. Workspace are great and click on data connectors on the left hand side. So the first connected are beheading before as your A D and for Roger 80 identity protection. So if I go ahead and click on a JD
03:02
on the right hand side, you can see information about this connector you consider it's provided by Microsoft.
03:07
You can see right assitant default, analytic roots, templates, queries and Workbooks Butte into that, and this will make it easier for us to begin to get insight after we've enabled the connector. Also, if we scored down, we can see the data types that'll be collected
03:23
so it will be collecting the sign in logs on the audit logs off Azure 80.
03:29
If I go ahead and click on open, connect a page, you can see that there is a requirement tohave as you hear the premium p one or p two. To be ableto connect as your 82 as your sentinel are, why don't click on the option to collect boards, types off logs in a JD Out click on apply changes, and that's not successfully connected.
03:49
So I'll go back to the connector page, and I've got to connect the Brady Identity Protection Data Sauce. You can see that that's going to be collecting the security, and lots are great and upon the connector page and I have the option to click on Connect. Yes, I'll go ahead and click on Connects.
04:04
So now it says connected successfully. So that's good. So the next one RB connecting will be a Windows virtual machine to collect the security event. So if I scroll down, there is a connector for security events on there is the connected. If I go ahead and click on that connector on, I click on Open Collector Page
04:25
and you can see that it's given me the option to choose where to install the agents. And I'm gonna be installing this agent
04:30
on an azure Windows virtual machines. If I great and expand that. And if I click on the link to download and install the agents,
04:38
night automatically displayed the veteran machines that I have in Azure and this is my Windows. VM are quiet and select that
04:45
all right and click on Connect. And this is going to install the necessary agent on the Windows VM and collect the security event. So while that is processing, what I'll do is I'll go back to the Connect us Page on now connects the last data source, which would be security center
05:03
If I scroll up a little bit, I have as your security center here. If I go ahead and click on Security Center on, I click on open connected page. It's Detective that I have just security center enabled for one subscription. So if I want to connect it, I can just great and click on connect air. I can click on connect All on. I click OK
05:20
and you can see that that's not showing us connected
05:24
so we've connected all the forded associates that we wanted to connect.
05:28
So in the next task I'll be creating analytic rules to process the data that we're collecting.
05:34
And this is a visual representation of what I'll be doing. I'll be using the built in analytic route templates to create tree rose. The Foster will create incidents based on Azure 80 identity protection alerts. The second will create incidents based on as your security center alerts
05:51
on the final Rowe, who creates an incident
05:55
if there are multiple failed Logan attempts within 10 minutes on the Windows virtual machine.
06:00
So here I am, back in the azure portal are Go ahead and click away from the connector that I have open. If I click on ANALITICO, you can see the active rules that we have on. You can see this route template here. So if I go ahead and click convert templates, I have the option to future data sources
06:16
and select the data source that I'm interested in in terms off the analytical templates.
06:23
So if I cried unto select all
06:25
on if I select only the sources that I'm interested in, which are a jury 80 identity protection
06:30
has your security center and security events.
06:35
If I go ahead and click out of that so we have a template adequate incident based on Azure 80 identity protection and let's go ahead and select that, and I'll go ahead and click on Create Room. I won't be modifying anything from the vote on. I'll go ahead and click on review on, I'll Click on Create.
06:54
So now I have my Foster. I'll go back to vote and plates
06:58
and I'll be creating incidents based on as your security center. Let also. So if I go ahead and select that on my go ahead and click on Create Route
07:05
On Again, I won't be modifying anything are just quiet and click on review and click on Create.
07:12
And if I go back to vote templates, the taught vote templates and I'll be using is
07:26
so the top vote template that I'll be using Bid one Teoh.
07:31
So the top vote temples it'll be using over days failed Logan attempt within 10 minutes, so this will create an incident when filled Logan attempts at 20 or higher during a 10 minute period that is too filled Logan's per minute violently can create room.
07:47
I leave everything the way teas are. Wait and click on next. In the sexual logic, we have the rule query that is gonna be using Andi. I can also specify our often the square V will be executed on. There's an option that you specify when and a lot of it generated based on the query results
08:05
and in this case will be generating on a lot. Win number off result is greater than
08:09
zero. So if I got the next incident settings. So this is where we can automatically create an incident on, we have the option to also do a lot grouping. So to prevent a lot fatigue, we can decide to group a lot within the same category of I period of time. I leave them as the force settings and click on next automated response.
08:28
So this is where we can use playbooks, which are logic up work flows that I've bean enabled in. As your sentinel on. We can use that trigger an automated response. I won't be doing that out. Just quiet and click on review.
08:39
Ah, now click on creates.
08:41
So now I have to reactive rules in I just sentinel on. Hopefully this rules we start generating incidents after analyzing data that we're bringing in from our data sources. So in the final task of this demonstration RB exploring incidents in I just sentinel
08:58
and there's a fish representation of what are between Because of the rules that we've created, I expect some incidents to be created based off that on will be reviewing them in. I just sent enough.
09:07
So here I am, back in the azure Pato and I can see that I have an incident here. So this incident waas
09:13
intentionally generated by myself. So what I did was I locked into a virtual machine and I tried to connect to the Aja Pato using the user Brenda's account from a top browser. So that's going to generate on identity protection alerts.
09:30
And because that a lot has been generated an identity protection. It's created an incident in I just sentinel. So if I go ahead and click on incidents, I can see the incidents there. You can see that that came from as you're 80 identity protection. If I want that so I could assign this incident to someone to go investigate
09:48
If I scroll down. You can see that this is a village that's toe on account.
09:52
If I click on view for details is gonna give us Ma detailed information on this particular incident for grand and close that for Go ahead and click on the investigator option. So this is where we can investigate this particular incident. So, for example, we can see the allotted self weak a city entity which is the user on the I P address,
10:11
which they use. I was locked in front.
10:13
So, for example, I can click on the user and I can view order related a lot relating to that uses. So, for example, I click on that user account
10:22
and I can view any other village that incident. So that way I can do correlation off What's going on?
10:26
I can do the same thing for the I P address that was detected. Is this I p addressing in any other a lot village into any other incident
10:35
on after during the investigation and Tamminen, Whether this is a view trait or what I eat so fast positive, we can decide to set the status through closed.
10:46
So he has a somebody off the activities that were completed in this demonstration with tired by creating a sentinel and neighborhood log analytics workspace. But don't connect that for their associates. Treasure Sentinel created three analytics rose to analyze the data, and we explored incident in I just sentinel. Thanks very much for watching, and I'll see you in the next lesson.

Up Next

AZ-500: Microsoft Azure Security Technologies

In the AZ-500 Microsoft Azure Security Technologies training, students will learn the skills that are needed to pass the AZ-500 certification exam. All exam topics are covered as well as exam preparation strategies and hands-on practice.

Instructed By

Instructor Profile Image
David Okeyode
Cloud Security Architect
Instructor