Radhakrishnan Govindan

Microsoft Sentinel Implementation a Deep Dive - Part 3: Configuring Data Connectors


Installing and Configuring Data Connector of Microsoft Sentinel to Ingest Windows Security Events

Learn more about Content Hub solutions at https://learn.microsoft.com/azure/sentinel/sentinel-solutions.

Configure the Azure Activity data connector so that it applies to all new and existing resources in the subscription.

Go to Microsoft Sentinel -> Content hub.

Click Open connector page once the installation has completed.

Install the Microsoft Defender for Cloud data connector as well.

Click Launch Azure Policy Assignment wizard.

In the configuration window, on the Basics tab, go to Scope and select the correct subscription.

Select the Parameters tab and choose your workspace from the Primary Log Analytics workspace drop-down list.


Select the Remediation tab and select the Create a remediation task checkbox.


Select the Review + Create button to review the configuration.


Select Create to finish.


Installing and Configuring Windows Security Events Data Connector

In Microsoft Sentinel, go to the Content Management menu section and select Content Hub.

Search for Windows Security Events.

Click Install.


Ingesting Windows Security event data

Create an analytics rule based on the Suspicious number of resource creation or deployment activities template. The rule should run every hour and only look at data from the last hour.

In Microsoft Sentinel, go to the Configuration menu section and select Analytics.

In the Rule templates tab, search for Suspicious number of resource creation or deployment activities.

Select Suspicious number of resource creation or deployment activities and select Create rule. Leave the defaults on the General tab and select Next: Set rule logic >.


Leave the default Rule query and configure Query scheduling using the table:

Setting                      Value
Run query every              1 Hours
Lookup data from the last    1 Hours

Select Next: Incident settings >.

Leave the defaults and select Next: Automated response >.

Leave the defaults and select Next: Review and create >.

Select Save.
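As an added example (not from the original post), the same rule expressed as an ARM resource body built in Python: the two scheduling fields map to the table above, and a check refuses a lookback shorter than the run interval, which would leave events that were never evaluated by any run. The rule name, threshold and the AzureActivity query are constructed placeholders; the post keeps the template's default query, which is not reproduced here.

```python
"""Build a Microsoft.SecurityInsights/alertRules (kind Scheduled) resource body
with the scheduling from the post (run every 1 hour, look back 1 hour) and
validate the schedule for coverage gaps before deploying it."""
import json
import re
from datetime import timedelta

# Sentinel expresses queryFrequency/queryPeriod as ISO 8601 durations; this parser
# covers the PTnHnM subset used on the page (e.g. PT1H, PT30M, PT1H30M).
_ISO_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def parse_duration(text: str) -> timedelta:
    m = _ISO_DURATION.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text}")
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes)


def schedule_gap(frequency: str, period: str) -> timedelta:
    """Time between runs not covered by any lookback window.
    > 0: events in that span are never evaluated (a detection gap);
    = 0: back-to-back windows, the 1h/1h setting from the post;
    < 0: overlap, so one event may be evaluated by consecutive runs."""
    return parse_duration(frequency) - parse_duration(period)


def scheduled_rule(name, display_name, query, frequency="PT1H", period="PT1H",
                   threshold=0, severity="Medium"):
    """Return the ARM resource for a Scheduled analytics rule; property names
    follow the public Microsoft.SecurityInsights schema. Refuses gapped schedules."""
    if schedule_gap(frequency, period) > timedelta(0):
        raise ValueError(f"lookback {period} shorter than frequency {frequency}")
    return {
        "type": "Microsoft.SecurityInsights/alertRules",
        "apiVersion": "2023-02-01",
        "name": name,                      # placeholder; a GUID in real deployments
        "kind": "Scheduled",
        "properties": {
            "displayName": display_name,
            "enabled": True,
            "severity": severity,
            "query": query,
            "queryFrequency": frequency,   # "Run query every"
            "queryPeriod": period,         # "Lookup data from the last"
            "triggerOperator": "GreaterThan",
            "triggerThreshold": threshold,
            "suppressionEnabled": False,
            "suppressionDuration": "PT5H",
        },
    }


# Constructed placeholder query; the real rule keeps the template's default query.
PLACEHOLDER_QUERY = "AzureActivity | where ActivityStatusValue == 'Success' | summarize count() by Caller"
```

Run `json.dumps(scheduled_rule("rg-spike", "Suspicious number of resource creation or deployment activities", PLACEHOLDER_QUERY), indent=2)` to see the body that can be dropped into an ARM template's resources array.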
