A Sentinel Cloud-n-OnPrem Arch
We will start at 2-3 minutes after the scheduled time to accommodate those still
connecting.
Questions? Feel free to type them in the instant message window at any time. Note that any questions
you post will be public. You have the option to post questions anonymously. After the webinar, you can
ask questions at https://aka.ms/AzureSentinelCommunity.
This webinar is being recorded. We’ll post the recordings to our community forums at
https://aka.ms/SecurityWebinars.
Upcoming webinars (all 8am PST): date, topic, registration link [schedule table not recovered from the slide]
Azure Sentinel components:
• Data store
• Automation
• User interface
• Rules
• Machine learning
• Search & investigation
Data connector types (diagram):
• Auto deployed cloud connectors
• On premises: CEF or Syslog connector through a collector, with an (optional) proxy
• Custom connectors
Log Analytics Agent: Deployment
CEF/Syslog On-prem collector (diagram)
• On prem: Syslog sources send Syslog to the collector over UDP, TCP or TLS (default port 514).
• Collector: an on-prem Linux VM running rsyslogd or syslog-ng, which forwards to the local Log Analytics agent on TCP 25224 / 25226.
• Azure: the Log Analytics agent sends the events to the Azure Sentinel workspace over the RESTful API (Syslog over TLS, port 443).
CEF/Syslog Azure based collector (diagram)
• On prem: Syslog sources send Syslog to the collector over TLS (default port 514 over TLS) or over ExpressRoute.
• Collector: a Linux VM in Azure running rsyslogd or syslog-ng, which forwards to the local Log Analytics agent on TCP 25224 / 25226.
• Azure: the Log Analytics agent sends the events to the Azure Sentinel workspace over the RESTful API (port 443).
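As an added example (not configuration from the slides and not the script Microsoft ships for the CEF connector), the rsyslog fragment below is what the collector VM in either diagram needs: a plaintext UDP listener on the default port 514 for legacy sources, a TLS listener for sources that can send Syslog over TLS (the only sensible option for the Azure-based collector), and a rule that hands CEF events to the local Log Analytics agent on TCP 25226. The file name, certificate paths, the TLS port 6514 and the permitted-peer pattern are assumptions.

```conf
# /etc/rsyslog.d/10-sentinel-collector.conf   (file name is an assumption)
# rsyslog v8 RainerScript syntax. TLS requires the rsyslog-gnutls package.

global(
  # CEF events are often longer than rsyslog's default 8 KiB limit; raise it so
  # extensions are not truncated before they reach the agent.
  maxMessageSize="64k"
  # Certificate material for the TLS listener (paths are assumptions).
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/collector.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/collector.key"
)

# Plaintext UDP on the default port 514 for sources that cannot do TLS.
# Only appropriate for the on-prem collector on a trusted network segment.
module(load="imudp")
input(type="imudp" port="514")

# TLS listener: Mode 1 = TLS only (no plaintext fallback), x509/name = verify
# the client certificate and match its name against PermittedPeer.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.corp.example"])
input(type="imtcp" port="6514")

# Hand CEF events to the Log Analytics agent's CEF listener on TCP 25226 and
# stop processing them locally so they are not also written to /var/log/syslog.
# The disk-assisted queue keeps events when the agent restarts instead of
# dropping them. Non-CEF syslog falls through to the agent's own forwarding
# rules (written by the agent installer) towards port 25224.
if ($rawmsg contains "CEF:") then {
  action(type="omfwd" target="127.0.0.1" port="25226" protocol="tcp"
         queue.type="LinkedList" queue.size="100000"
         action.resumeRetryCount="-1")
  stop
}
```

Validate with `rsyslogd -N1` before restarting the daemon, and send one test event from a source with `logger -n <collector> -P 514 -d 'CEF:0|...'` before cutting production traffic over. For scaling, every additional collector gets the identical file and sits behind a network load balancer; the only per-host differences are the certificate and the PermittedPeer list.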
Deploying a CEF collector
Deploying a Syslog collector
Scaling CEF / Syslog collection
CEF vs. Syslog
Sample Syslog message (no CEF header: apart from the <PRI> prefix and timestamp, the fields are vendor-specific free text, so the parser has to know the product's own format):
<134> 2018-02-21T16:15:00-04:00 PulseSecure: 2018-02-21 16:15:00 - ive - [127.0.0.1] fakeuser(Admin Users)[] - Primary authentication successful for fakeuser/Administrators from 127.0.0.1
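To make the CEF vs. Syslog contrast concrete, the added example below (not code from the webinar) parses both shapes as a collector would receive them: it decodes the <PRI> prefix into facility and severity, and when the body carries a CEF header it splits the seven pipe-delimited header fields (honouring the `\|` and `\\` escapes) and the key=value extension (honouring `\=`). The Pulse Secure line is the one from the slide; the CEF line, including its vendor, product and signature ID, is constructed for this example.

```python
import re

# RFC 3164 and RFC 5424 lines both start with "<PRI>", PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>\s*(.*)$", re.S)

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Sample from the slide above (plain Syslog, vendor-specific free text).
SYSLOG_SAMPLE = (
    "<134> 2018-02-21T16:15:00-04:00 PulseSecure: 2018-02-21 16:15:00 - ive - "
    "[127.0.0.1] fakeuser(Admin Users)[] - Primary authentication successful "
    "for fakeuser/Administrators from 127.0.0.1"
)
# Constructed CEF sample (vendor, product and signature ID are made up). Note the
# escaped pipe in the Name field and the escaped '=' inside the msg extension.
CEF_SAMPLE = (
    "<134>Feb 21 16:15:00 vpn01 CEF:0|ExampleVendor|ExampleVPN|1.0|100|"
    "Primary authentication\\|success|3|"
    "src=127.0.0.1 suser=fakeuser msg=user fakeuser logged in, role\\=Admin"
)


def split_pri(line):
    """Return (pri, rest); pri is None when the line has no <PRI> prefix."""
    m = PRI_RE.match(line)
    if not m:
        return None, line
    return int(m.group(1)), m.group(2)


def split_cef_header(body):
    """Split the seven pipe-delimited CEF header fields that follow 'CEF:'.
    A backslash escapes the next character, so '\\|' is a literal pipe.
    Returns (fields, extension_text)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped character: keep it literally
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":                         # unescaped pipe ends a header field
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, body[i:]


def parse_extension(ext):
    """Parse 'key=value key=value' pairs. Values may contain spaces, so split only
    on whitespace that is followed by another 'key='. '\\=' and '\\\\' are
    unescaped. Known limitation: a value containing ' word=' is cut there."""
    out = {}
    for token in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", ext.strip()):
        if not token:
            continue
        key, _, value = token.partition("=")
        out[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_event(line):
    """Classify a received line as CEF-in-syslog or plain syslog and parse it."""
    pri, rest = split_pri(line)
    ev = {"pri": pri}
    if pri is not None:
        fac, sev = divmod(pri, 8)
        ev.update(facility=fac, severity=sev,
                  facility_name=FACILITIES[fac] if fac < len(FACILITIES) else str(fac),
                  severity_name=SEVERITIES[sev])
    idx = rest.find("CEF:")            # a plain message mentioning "CEF:" would be misclassified
    if idx >= 0:
        header, ext = split_cef_header(rest[idx + 4:])
        ev.update(format="cef", syslog_prefix=rest[:idx].strip(),
                  cef_version=header[0], vendor=header[1], product=header[2],
                  device_version=header[3], signature_id=header[4], name=header[5],
                  cef_severity=header[6], extension=parse_extension(ext))
    else:
        ev.update(format="syslog", message=rest)
    return ev


if __name__ == "__main__":
    for sample in (SYSLOG_SAMPLE, CEF_SAMPLE):
        print(parse_event(sample))
```

The point of the exercise: for the CEF line the parser yields named, vendor-independent fields (src, suser, signature_id) that a detection rule can key on, whereas the Syslog line yields one opaque message string that needs a product-specific parser downstream.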
Custom connectors
Example: a Logstash pipeline that reads an Apache access log and ships the events to the workspace with the azure_loganalytics output plugin (which speaks the Log Analytics Data Collector API):

input {
  file { path => "/var/log/apache2/access.log" }
}
filter {
  # Parse the combined-format access log into named fields
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  # Use the request timestamp as the event time instead of the ingestion time
  date { match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ] }
}
output {
  azure_loganalytics {
    customer_id => "…."              # workspace ID
    shared_key => "…."               # workspace primary or secondary key
    log_type => "ApacheAccessLog"    # shows up in the workspace as ApacheAccessLog_CL
    # key_names selects which event fields are sent; the names must match fields the filter produces
    key_names => ['logid','date','processing_time','remote','user','method','status','agent']
    flush_items => 10                # events per batch
    flush_interval_time => 5         # seconds between flushes
  }
}
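What the azure_loganalytics output does under the hood, and what any custom connector without Logstash has to do itself, is sign each batch for the Log Analytics Data Collector API. The added example below (not the plugin's code and not from the webinar) builds the canonical string, the HMAC-SHA256 `SharedKey` authorization header and the request for one batch of records. The workspace ID and shared key are constructed placeholders; the sample records are made up to mirror the Apache fields the Logstash config selects.

```python
import base64
import datetime
import hashlib
import hmac
import json
import re
import urllib.request

# Constructed placeholders. A real shared key is the base64 workspace key from the
# "Agents management" blade; keep it in a secret store, never in code or config.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"0" * 32).decode()

API_RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"
# The service accepts only letters, digits and underscore in Log-Type (max 100 chars)
# and appends "_CL" to the resulting table name.
LOG_TYPE_RE = re.compile(r"^[A-Za-z0-9_]{1,100}$")


def is_valid_log_type(log_type):
    return bool(LOG_TYPE_RE.match(log_type))


def string_to_sign(content_length, rfc1123_date, method="POST",
                   content_type="application/json", resource=API_RESOURCE):
    """Canonical string the Data Collector API expects to be HMAC-signed."""
    return (f"{method}\n{content_length}\n{content_type}\n"
            f"x-ms-date:{rfc1123_date}\n{resource}")


def build_signature(workspace_id, shared_key, content_length, rfc1123_date):
    """HMAC-SHA256 over the canonical string, keyed with the base64-decoded shared key."""
    key = base64.b64decode(shared_key)
    mac = hmac.new(key, string_to_sign(content_length, rfc1123_date).encode("utf-8"),
                   hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode()}"


def rfc1123_now():
    return datetime.datetime.now(datetime.timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def build_request(workspace_id, shared_key, log_type, records, rfc1123_date=None,
                  time_generated_field=None):
    """Return (url, headers, body_bytes) for one batch. The signature covers the
    exact byte length of the JSON body, so the body is encoded first."""
    if not is_valid_log_type(log_type):
        raise ValueError("Log-Type must be letters, digits or underscore, max 100 chars")
    if isinstance(records, dict):
        records = [records]
    rfc1123_date = rfc1123_date or rfc1123_now()
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, len(body), rfc1123_date),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    if time_generated_field:                    # field to use as TimeGenerated
        headers["time-generated-field"] = time_generated_field
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{API_RESOURCE}?api-version={API_VERSION}")
    return url, headers, body


def send(workspace_id, shared_key, log_type, records, **kw):
    """POST one batch; returns the HTTP status (200 on success). Makes a network call."""
    url, headers, body = build_request(workspace_id, shared_key, log_type, records, **kw)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


# Constructed sample records mirroring the fields the Logstash config selects.
SAMPLE_RECORDS = [
    {"date": "2018-02-21T16:15:00Z", "remote": "127.0.0.1", "user": "fakeuser",
     "method": "GET", "status": 200, "agent": "curl/7.58.0", "processing_time": 12},
]

if __name__ == "__main__":
    url, headers, body = build_request(WORKSPACE_ID, SHARED_KEY, "ApacheAccessLog",
                                       SAMPLE_RECORDS, time_generated_field="date")
    print(url)
    print(headers["Authorization"])
```

Two things the signing scheme implies for a connector design: the clock on the sender matters (the x-ms-date value is part of the signature and the service rejects stale dates), and anyone holding the shared key can write arbitrary records into the workspace, so rotate it and treat it like a credential. The Data Collector API has since been superseded by the Logs Ingestion API, which authenticates with Azure AD tokens instead of a shared key, but the scheme above is still what this Logstash plugin speaks.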
Scoping hierarchy (diagram):
• Microsoft AAD tenant
• Azure subscriptions and resources
• Regions and geos
Why multiple workspaces?
Strong reasons:
• Use of multiple Azure tenants
• Multi-region:
  • For compliance and sovereignty reasons
  • To reduce networking costs
• Subsidiaries
Usually avoidable:
• Separate billing
• Fine-grained retention settings
• Fine-grained access control
• Legacy architecture
Workspaces rule of thumb
Implementing
#1: Consolidate workspaces: use an existing workspace where possible
#2: Implement Azure Lighthouse (cross-tenant management)
#3: Create cross-tenant workbooks
#4: Replicate content and config (e.g. with the AzSentinel PowerShell module)
#5: Use data RBAC to allow user access to data
Resources
Tech Community
Tech Blogs
User Voice
Github
AzureSentinel@microsoft.com
Thank You for Joining Us!
Recordings will be posted to our community forums at
https://aka.ms/SecurityWebinars.