Home Deployment of Microsoft Sentinel (SIEM)
Post
Cancel

Deployment of Microsoft Sentinel (SIEM)

Posted Apr 28, 2022 Updated Apr 27, 2022
By Jean Pierre
2 min read

Creating Azure Subscription

We need to visit Azure web site. There, you should click in “Start Free” and continue with the steps.

Azure Homepage

Now, we can sign in portal.azure.com.

Azure portal

Creating VM in Azure

In order to create our VM, we click on “Virtual machines” option. Next, click in “Create” → “Azure virtual machine” with the following parameters:

  • Resource group: create new → “SentinelLab”
  • virtual machine name: server-vm
  • Region: Central US
  • user and pass

This server will serve as a vulnerable machine. Therefore, In the networking section, we are going to create a NSG (Network Security Group) which allows all traffic. The configurations is this:

  • NIC network security group: advanced
  • configure network security group: create new →
  • create inbound rule: from any to any by all protocols with priority 100

NOTE: You shouldn’t do this in a real enrivonment.

Inbound rule

Finally, click in “review+create”

creating vm

when the VM is deployed, we should test our RDP. To do that, we can run “mstsc” and test our connection.

rdp vm

Creating a log analytics workspace

Now the goal is to ingest logs from the virtual machine. For that, it needs to create a log analytics workspace. here is a description of what log analytic is:

Log Analytics collects data from a variety of sources and uses a powerful query language to give you insights into the operation of your applications and resources. Use Azure Monitor to access the complete set of tools for monitoring all of your Azure resources.

After, in the search bar we type log analytics workspacescreate log analytics workspace.

for this example, we select those parameters:

  • resource group: the same of the VM
  • name: LAW-Sentinel
  • region: Central US

workspace

Finally, Sentinel will connect to this workspace in order to display the data

Enablig Microsoft Defender for Cloud

Now, it’s time to enable gather logs from VM into log analytics workspace. So, you need to search it and go to environment settings → select the subscription → auto provisioning → Log Analytics agent for Azure VMs to on → connect Azure VMs to a differente workspace: LAW-Sentinel

settings

enable-law-auto

Afterward, we should back to the log analytics workspace to connect the VM

law-vm

law-vm-connect

Note: the VM must be running to connect with the log analytics workspace

Set up Sentinel

type Microsoft Sentinel in the search bar → create Microsoft Sentinel → select the workspace

sentinel

we have a 30-day trial:

Microsoft Sentinel free trial activated: The free trial is active on this workspace from 26/4/2022 to 27/5/2022 at 23:59:59 UTC. During the trial, up to 10 GB/day are free for both Microsoft Sentinel and Log Analytics. Data beyond the 10 GB/day included quantity will be billed

Finally, we did a simple set up of Microsoft Sentinel and we can explore all features can give us Sentinel.

Azure, security
azure sentinel siem
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents