Exercise 5: Azure Sentinel Logging and Reporting

In this exercise, you will set up Azure Sentinel to point to a logging workspace and then create custom alerts that execute Azure Runbooks.

Task 1: Create a dashboard

  1. Open the Azure Portal.
  2. Click All services, then type Sentinel, and select Azure Sentinel.
In this screenshot, All Services is selected, and then a search for Sentinel is displayed.
  3. In the blade, click +Add, select the Log Analytics resource for your resource group, then click Add Azure Sentinel.
  4. In the blade, select Dashboards.
  5. In the list of dashboards, select Azure AD Audit logs, then select Install.
In this screenshot, Dashboards has been selected and the Azure AD Audit Logs dashboard has also been selected.
  6. In the list of dashboards, select Azure Network Watcher, then select Install.
  7. Click View Dashboard and take a moment to review your new dashboard.

Task 2: Create an Analytics alert

  1. Navigate back to the Azure Sentinel workspace. In the Configuration blade section, select Analytics, then select +Add.
In this screenshot, Analytics is highlighted and so is the Add button.
  2. For the name, enter PortScans.
  3. For the description, enter A custom rule to detect port scans.
  4. In the Set alert query text box, type:
     AzureDiagnostics | where Type != 'AzureMetric' and OperationName == 'NetworkSecurityGroupCounters' and type_s == 'block' and direction_s == 'In' and Resource == 'WEBTRAFFICONLY'
In this screenshot, the alert simulation shows data after the query has been entered.

Note: If you went through the labs quickly, the Log Analytics workspace may not yet contain log data corresponding to “AzureMetric”. You may need to wait 15-30 minutes before the query will execute.

  5. For the operator value, enter 50.
  6. For the frequency, select 30 and Minutes.
  7. For the period, select 30 and Minutes.

Note: These values are chosen so that the lab runs quickly; they may not be appropriate for a real-world deployment.

  8. For the suppress alerts for, enter 30 and Minutes.
  9. Click Create.

Note: It may take a few minutes for the alert to fire. You may need to run the PortScan script a few times from paw-1.
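
As an added example (not part of the lab or of Azure Sentinel itself), the following Python simulates how the scheduled rule configured above evaluates: it applies the query's where clause to constructed AzureDiagnostics records, counts the matches inside the look-back period at each scheduled run, compares the count with the threshold of 50, and skips runs that fall inside the "suppress alerts for" window. The record layout, T0 and the sample rows are assumptions made for illustration.

```python
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 12, 0)   # constructed start of the sample window

def row(at, type_s="block", direction_s="In", resource="WEBTRAFFICONLY", table="AzureDiagnostics"):
    """One constructed AzureDiagnostics record carrying the columns the lab's query tests."""
    return {"TimeGenerated": at, "Type": table, "OperationName": "NetworkSecurityGroupCounters",
            "type_s": type_s, "direction_s": direction_s, "Resource": resource}

# Constructed sample data (not real logs): 120 blocked inbound flows on the
# WEBTRAFFICONLY NSG, one every 20 s for 40 minutes, plus records the query must drop.
SAMPLE_ROWS = [row(T0 + timedelta(seconds=20 * (i + 1))) for i in range(120)] + [
    row(T0, table="AzureMetric"),   # metric record, excluded by Type
    row(T0, type_s="allow"),        # allowed flow, not a block
    row(T0, direction_s="Out"),     # outbound block
    row(T0, resource="OTHER-NSG"),  # a different NSG
]

def matches_rule(r):
    """The 'where' clause of the lab's KQL query, applied to one record."""
    return (r["Type"] != "AzureMetric"
            and r["OperationName"] == "NetworkSecurityGroupCounters"
            and r["type_s"] == "block" and r["direction_s"] == "In"
            and r["Resource"] == "WEBTRAFFICONLY")

def count_in_period(rows, run_time, period):
    """Matching records whose TimeGenerated lies in the look-back period ending at run_time."""
    return sum(1 for r in rows
               if matches_rule(r) and run_time - period < r["TimeGenerated"] <= run_time)

def run_schedule(rows, frequency_min, period_min, threshold, suppress_min, hours=2):
    """Run the rule every `frequency_min` minutes for `hours`, fire when the count exceeds
    `threshold`, and skip runs inside the 'suppress alerts for' window after a firing.
    Returns the firing times as minute offsets from T0."""
    fired, suppressed_until = [], T0
    run_time, end = T0, T0 + timedelta(hours=hours)
    while run_time <= end:
        if run_time >= suppressed_until:
            if count_in_period(rows, run_time, timedelta(minutes=period_min)) > threshold:
                fired.append(int((run_time - T0).total_seconds() // 60))
                suppressed_until = run_time + timedelta(minutes=suppress_min)
        run_time += timedelta(minutes=frequency_min)
    return fired

if __name__ == "__main__":
    # The lab's settings: frequency 30, period 30, threshold 50, suppress 30
    print(run_schedule(SAMPLE_ROWS, 30, 30, 50, 30))   # [30]
    print(run_schedule(SAMPLE_ROWS, 10, 30, 50, 30))   # [20, 50]
    print(run_schedule(SAMPLE_ROWS, 10, 30, 50, 0))    # [20, 30, 40, 50]
```

With the lab's settings the suppression window equals the frequency, so it never skips a run; the second and third calls show the same data evaluated every 10 minutes with and without suppression.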

Task 3: Investigate a custom alert Case

  1. In the main menu, select Azure Sentinel.
  2. Select Cases.
  3. Select the new PortScans case.

Note: It may take 15-20 minutes for the alert to fire. You can continue to execute the port scan script to generate log events, or you can lower the threshold of the custom alert.

  4. In the dialog, click Investigate.
  5. In future versions, you will see insights about the alert and the resources related to what caused it to fire.

Task 4: Create and run a playbook

  1. In the Azure Sentinel blade, select Playbooks.
  2. In the new window, select Add Playbook.
  3. The Create logic app blade will display:
     a. For the name, enter Email.
     b. Select your existing resource group.
     c. Toggle Log Analytics to On, then select your azuresecurity Log Analytics workspace.
The information above is entered in the Create logic app dialog box.
  4. Select Create; the Logic Apps Designer will load.
  5. Select the Send notification email template.
  6. Select Use this template.
  7. Select Sign In, then enter your Azure/O365 credentials.

Note: This must be a valid Office 365 account.

  8. Select Continue.
  9. For the email address, enter your email.
  10. Select Save. You now have an email alert action based on PowerApps for your custom security alert to use.

Task 5: Execute Jupyter Notebooks

  1. In the Azure Sentinel blade, select Notebooks.
  2. Scroll to the bottom of the page and select Clone Azure Sentinel Notebooks.
In this screenshot, Notebooks and Clone Azure Sentinel Notebooks are highlighted.
  3. The Azure Notebooks page will open. On the page, select Import.
In this screenshot, the Import button is highlighted.
  4. In your notebook, browse to /Azure Sentinel/Notebooks, then select Get Started.ipynb.
  5. On the page, select Run on Free Azure.
In this screenshot, the Run on Free Azure button is highlighted.
  6. In the menu, select Kernel->Change kernel, then select Python 3.6.
In this screenshot, the page menu is expanded to the Kernel menu item and Change kernel with Python 3.6 is selected.
  7. Click the Run button until you have executed the entire Notebook; note that some steps will require your input.

Note: You can find the open source GitHub notebooks at https://github.com/Azure/Azure-Sentinel.

Task 6: Creating Reports with Power BI

  1. Navigate back to your Azure Sentinel browser window. Select Logs.
  2. Expand the LogManagement node, notice the various options available.
  3. In the query window, type AzureDiagnostics, then click the eye icon.
  4. In the top right, select Export, then select the Export to Power BI (M Query) link.
  5. Select Open; a text document containing the Power Query M Language query will be displayed.
  6. Follow the instructions in the document to execute the query in Power BI.
  7. Close Power BI.