A Sentinel Cloud-n-OnPrem Arch


Welcome to the Azure Sentinel webinar

We will start 2-3 minutes after the scheduled time to accommodate those still connecting.

Questions? Feel free to type them in the instant message window at any time. Note that any questions
you post will be public. You have the option to post questions anonymously. After the webinar, you can
ask questions at https://aka.ms/AzureSentinelCommunity.

This webinar is being recorded. We’ll post the recordings to our community forums at
https://aka.ms/SecurityWebinars.

Please give us your feedback on this webinar at https://aka.ms/SecurityCommunityWebinarFeedback.

Join our Community: https://aka.ms/SecurityCommunity


Azure Sentinel Webinars

Date (all 8am PST)   Webinar Topic                          Registration
Nov. 13, 2019        Features and functionality deep dive   Link
Nov. 20, 2019        Cloud & on-prem architecture           Link
Jan. 22, 2020        End-to-End SOC scenario                TBA
Jan. 29, 2019        Threat Hunting - revisited             TBA


Azure Sentinel
Architecture
Agenda
Collect security data at cloud scale from any source

[Architecture diagram] Azure Sentinel (data store, automation, user interface, rules, machine learning, search & investigation) ingesting from: AWS and other clouds; the customer's tenant & SaaS apps; on-premises sources through an auto-deployed cloud CEF or Syslog connector, an optional collector proxy, custom connectors and a Logstash connector; branch offices over HTTPS; CEF or Syslog (TLS, TCP, UDP) through the CEF/Syslog connector; and Windows Event Forwarding (WEF) from a WEC and agents carrying OS events, DNS, Windows firewall and DHCP logs.

The full catalog
• The Syslog and CEF grand list
• Collecting logs from Microsoft Services & Apps
• The Agent: collecting from on-prem and IaaS servers
• Custom connectors

Log Analytics Agent*: collected events
Log Analytics Agent: Deployment

CEF/Syslog on-prem collector

[Diagram] On premises, Syslog sources send syslog over UDP, TCP or TLS (default port 514) to a collector VM: a Linux VM running rsyslogd or syslog-ng, which hands events to the local Log Analytics agent over TCP 25224 / 25226. The collector forwards to the Azure Sentinel workspace in Azure over the RESTful API (syslog over TLS, port 443).

CEF/Syslog Azure-based collector

[Diagram] On premises, Syslog sources send syslog over TLS (default port 514 over TLS) or across ExpressRoute to a collector VM hosted in Azure (Linux VM with rsyslogd or syslog-ng and the Log Analytics agent, TCP 25224 / 25226); the collector forwards to the Azure Sentinel workspace over the RESTful API on port 443.
Deploying a CEF collector

Deploying a Syslog collector

Scaling CEF / Syslog collection
CEF vs. Syslog

Syslog example:
<134> 2018-02-21T16:15:00-04:00 PulseSecure: 2018-02-21 16:15:00 - ive - [127.0.0.1] fakeuser(Admin Users)[] - Primary authentication successful for fakeuser/Administrators from 127.0.0.1

CEF example:
<134> Dec 06 16:51:38 hostname CEF:0|JATP|Cortex|3.6.0.1444|email|Phishing|8|externalId=1504 eventId=14067 lastActivityTime=2016-12-06 23:51:38+00 src= dst= src_hostname= dst_hostname= src_username= dst_username= src_email_id=src@abc.com dst_email_id={test@abc.com} startTime=2016-12-06 23:51:38+00 url=http://greatfilesarey.asia/QA/files_to_pcaps/74280968a4917da52b5555351eeda969.bin fileHash=bce00351cfc559afec5beb90ea387b03788e4af5 fileType=PE32 executable (GUI) Intel 80386, for MS Windows
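To make the difference between the two formats concrete, here is an added example (not from the webinar deck) that parses both slide lines: the syslog PRI prefix into facility/severity, and a CEF-in-syslog line into its seven pipe-delimited header fields plus the key=value extension, where values may contain spaces. The sample lines are abbreviated copies of the slide's own fake data; escaped pipes inside the CEF header are assumed absent.

```python
import re

# Constructed sample lines, abbreviated from the two slide examples above (the slide's own fake values).
SYSLOG_LINE = ("<134> 2018-02-21T16:15:00-04:00 PulseSecure: 2018-02-21 16:15:00 - ive - [127.0.0.1] "
               "fakeuser(Admin Users)[] - Primary authentication successful for fakeuser/Administrators from 127.0.0.1")
CEF_LINE = ("<134> Dec 06 16:51:38 hostname CEF:0|JATP|Cortex|3.6.0.1444|email|Phishing|8|"
            "externalId=1504 eventId=14067 lastActivityTime=2016-12-06 23:51:38+00 src= dst= "
            "src_email_id=src@abc.com dst_email_id={test@abc.com} fileType=PE32 executable (GUI) Intel 80386")

CEF_HEADER = ("cef_version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity")
PRI_RE = re.compile(r"^<(\d{1,3})>\s*(.*)$", re.S)
# An extension key is a run of [A-Za-z0-9_.] that follows whitespace and directly precedes '='.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

def parse_pri(line):
    """Split the syslog <PRI> prefix into facility/severity (PRI = facility*8 + severity)."""
    m = PRI_RE.match(line)
    if not m:
        return None, line
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8}, m.group(2)

def parse_cef_extension(ext):
    """key=value pairs; a value runs up to the next key= because values may contain spaces."""
    keys = list(EXT_KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip()
    return fields

def parse_line(line):
    """Return a dict for either a plain syslog line or a CEF-in-syslog line."""
    pri, rest = parse_pri(line)
    idx = rest.find("CEF:")
    if idx == -1:                       # no CEF marker: free-text syslog message, nothing structured
        return {"format": "syslog", "pri": pri, "message": rest.strip()}
    # Assumption: no backslash-escaped '|' inside the seven header fields.
    parts = rest[idx + 4:].split("|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields plus extension")
    rec = {"format": "cef", "pri": pri, "syslog_header": rest[:idx].strip()}
    rec.update(zip(CEF_HEADER, parts[:7]))
    rec["severity"] = int(rec["severity"])  # CEF severity is 0-10, unlike the syslog 0-7 scale
    rec["extension"] = parse_cef_extension(parts[7])
    return rec
```

The point of the contrast: the plain syslog message has to be parsed per product (here PulseSecure's free text), while the CEF line already carries vendor, product, signature and typed fields that a connector can map without a custom parser.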
Azure Sentinel parsing

Windows Event Forwarding*

[Diagram] Azure Sentinel Syslog Collector (dedicated Windows VM)

Logstash

    # Read the Apache access log from disk
    input {
      file { path => "/var/log/apache2/access.log" }
    }

    # Parse each line with the built-in combined-log grok pattern and
    # turn its timestamp field into the event's @timestamp
    filter {
      grok { match => { "message" => "%{COMBINEDAPACHELOG}" } }
      date { match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] }
    }

    # Ship the parsed events to the Log Analytics workspace (workspace ID and key elided)
    output {
      azure_loganalytics {
        customer_id => "..."
        shared_key => "..."
        log_type => "ApacheAccessLog"
        key_names => ['logid','date','processing_time','remote','user','method','status','agent']
        flush_items => 10
        flush_interval_time => 5
      }
    }
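The customer_id and shared_key in the Logstash output above are the workspace ID and key for the Log Analytics HTTP Data Collector API, which is also what a custom connector talks to when no plugin exists. The following added example (not the plugin's code or any Microsoft sample) builds and signs one POST the way that API requires: an HMAC-SHA256 over a canonical string, keyed with the base64-decoded workspace key; the workspace ID and key are constructed placeholders, and the Log-Type check mirrors the API's letters/digits/underscore rule.

```python
import base64
import datetime
import hashlib
import hmac
import json
import re
import urllib.request

# Constructed placeholders: a real connector takes these from the workspace's "Agents management"
# blade and keeps the key out of source control.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY_B64 = base64.b64encode(b"constructed-placeholder-key").decode()
API_RESOURCE = "/api/logs"
LOG_TYPE_RE = re.compile(r"^[A-Za-z0-9_]{1,100}$")  # Log-Type becomes the <name>_CL custom table

def valid_log_type(log_type):
    return bool(LOG_TYPE_RE.match(log_type))

def string_to_sign(method, content_length, content_type, rfc1123_date):
    """Canonical string the Data Collector API signs (the same scheme the Logstash plugin uses)."""
    return f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{API_RESOURCE}"

def build_authorization(workspace_id, shared_key_b64, content_length, rfc1123_date):
    key = base64.b64decode(shared_key_b64)   # the shared key is base64 in the portal
    msg = string_to_sign("POST", content_length, "application/json", rfc1123_date).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def build_request(workspace_id, shared_key_b64, log_type, records, now=None):
    """Return (url, headers, body) for one POST of a JSON array of records."""
    if not valid_log_type(log_type):
        raise ValueError(f"invalid Log-Type: {log_type!r}")
    body = json.dumps(records).encode("utf-8")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")  # the date is part of the signed string
    headers = {
        "content-type": "application/json",
        "Authorization": build_authorization(workspace_id, shared_key_b64, len(body), rfc1123_date),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{API_RESOURCE}?api-version=2016-04-01"
    return url, headers, body

def post_records(workspace_id, shared_key_b64, log_type, records):
    """Send one batch; HTTP 200 means accepted (rows appear in <log_type>_CL after ingestion lag)."""
    url, headers, body = build_request(workspace_id, shared_key_b64, log_type, records)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status
```

Because the signature covers the body length and the x-ms-date header, a replayed or altered request fails authentication, which is why the key must stay secret and the clock on the collector must be roughly correct.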
Custom connectors

Microsoft AAD Tenant / Azure subscriptions and resources / Regions and geos

• Any Azure region supporting Log Analytics, with some exceptions, can be used
• Most, but not all, data at rest stays in region
• Some data may go to EU West (EU) or US East (elsewhere)
The Azure Sentinel workspace
Fully compatible with Log Analytics


Why multiple workspaces?

Strong reasons:
• Use of multiple Azure tenants
• Multi-region:
  • For compliance and sovereignty reasons
  • To reduce networking costs
• Subsidiaries

Usually avoidable:
• Separate billing
• Fine-grained retention settings
• Fine-grained access control
• Legacy architecture
Workspaces rule of thumb

Implementing
#1: Consolidate workspaces; use an existing workspace
#2: Implement Azure Lighthouse
#3: Create cross-tenant workbooks
#4: Replicate content and config (AzSentinel)
#5: Use data RBAC to allow user access to data
Resources

• Tech Community
• Tech Blogs
• User Voice
• Github
• AzureSentinel@microsoft.com

Thank You for Joining Us!
Recordings will be posted to our community forums at
https://aka.ms/SecurityWebinars.

You can ask additional questions at https://aka.ms/AzureSentinelCommunity.

Please give us your feedback on this webinar at https://aka.ms/SecurityCommunityWebinarFeedback.

Join our Community: https://aka.ms/SecurityCommunity
