Step-by-step guide to connect a data source to Microsoft Sentinel

    Weekend Wiki
    Keymaster
    Let’s go through a step-by-step guide to connect a data source to Microsoft Sentinel, using a practical example. I’ll take AWS CloudTrail as the data source, but this can be adapted to other sources.

    Step-by-Step: Connect AWS CloudTrail to Microsoft Sentinel

    Step 1: Prerequisites

    Ensure the following are in place:

    1. Azure Sentinel Workspace:
      • A Log Analytics Workspace connected to Microsoft Sentinel.
    2. AWS Permissions:
      • An AWS account with administrator permissions or specific permissions to configure CloudTrail.
    3. CloudTrail enabled in AWS:
      • AWS CloudTrail is used to track API calls and events in AWS.

    Step 2: Open Microsoft Sentinel

    1. Sign in to the Azure portal.
    2. Navigate to Microsoft Sentinel.
    3. Select the Sentinel workspace you want to connect data to.

    Step 3: Access Data Connectors

    1. In the Sentinel dashboard, select Data connectors from the left-hand menu under the Configuration section.
    2. Use the search bar to look for AWS CloudTrail.
    3. Click on the AWS CloudTrail connector.

    Step 4: Configure the AWS CloudTrail Connector

    1. In the connector interface, click Open connector page.
    2. Review the connector’s Prerequisites section, which outlines permissions, regions, and configuration details.

    Connector Configuration Steps:

    • Step 4.1: Set Up an AWS IAM Role
      • In the AWS Management Console:
        1. Go to the IAM service.
        2. Create a new IAM Role:
          • Select Another AWS Account as the trusted entity.
          • Enter the Microsoft Sentinel AWS Account ID and an External ID (provided by the connector page in Azure Sentinel).
          • Attach the AWS managed policy: AWSCloudTrailReadOnlyAccess.
        3. Copy the Role ARN from AWS.
    • Step 4.2: Configure CloudTrail
      • Ensure AWS CloudTrail is enabled in your AWS account.
      • If not:
        1. Go to the CloudTrail service in AWS.
        2. Create a trail and configure it to send logs to an S3 bucket.

    Step 5: Link Sentinel to AWS

    1. In the Microsoft Sentinel connector configuration page:
      • Enter the AWS Role ARN you copied earlier.
      • Specify the Region and CloudTrail S3 bucket name.
    2. Test the connection to verify access.
    3. Once validated, click Save to establish the connection.

    Step 6: Validate Data Ingestion

    1. Open the Logs section in Sentinel.
    2. Run the following KQL query to check if CloudTrail logs are being ingested:
      AWSCloudTrail
      | take 10
    3. Confirm that logs are showing up in the query results.

    Step 7: Enable Analytics Rules (Optional)

    1. Go to the Analytics section in Sentinel.
    2. Enable pre-built analytics rules provided for AWS CloudTrail:
      • Example: Detect unauthorized access attempts.
    3. Adjust rule thresholds and alerts based on your organization’s requirements.

    Step 8: Set Up Dashboards (Optional)

    1. Go to the Workbooks section in Sentinel.
    2. Search for and deploy the AWS CloudTrail Workbook.
      • This provides a visual dashboard for monitoring CloudTrail events.

    Generalization for Other Data Sources

    For other sources (e.g., Syslog, Palo Alto), replace the AWS-specific steps with:

    • Syslog/CEF: Configure a Linux VM with a Log Analytics agent to act as a Syslog forwarder.
    • Third-Party APIs: Use API credentials and tokens to link Sentinel with platforms like Okta, Salesforce, or ServiceNow.

    Would you like this walkthrough for a different data source? Let me know!
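The IAM role in Step 4.1 is the part of this setup worth double-checking, because the External ID condition in the role's trust policy is what stops another Sentinel workspace from pointing at your role ARN and reading your CloudTrail logs. The following Python is an added example, not code from the post above or from Microsoft or AWS: it builds the trust policy document that the console's "Another AWS account" plus External ID choice produces, and it reviews an exported trust policy and the attached policy list against what Step 4.1 asks for. The account ID and External ID are constructed placeholders; substitute the values shown on the connector page.

```python
import json

# Constructed placeholders: replace with the values the Sentinel connector page shows.
SENTINEL_ACCOUNT_ID = "111111111111"                      # placeholder, not Microsoft's real account ID
EXTERNAL_ID = "00000000-0000-0000-0000-000000000000"      # placeholder External ID from the connector page
READ_ONLY_POLICY_ARN = "arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess"


def build_trust_policy(sentinel_account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to choosing 'Another AWS account' plus an External ID
    in the IAM console: only the given account may assume the role, and only when
    it presents the matching sts:ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{sentinel_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def check_trust_policy(policy: dict, sentinel_account_id: str, external_id: str) -> list:
    """Review a trust policy document (e.g. one exported from the console) and return
    a list of findings; an empty list means the role is scoped as Step 4.1 intends."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM also accepts a single statement object
        statements = [statements]
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    if len(allows) != 1:
        findings.append(f"expected exactly one Allow statement, found {len(allows)}")
    expected_principal = f"arn:aws:iam::{sentinel_account_id}:root"
    for stmt in allows:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if actions != ["sts:AssumeRole"]:
            findings.append(f"actions should be only sts:AssumeRole, found {actions}")
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = [aws] if isinstance(aws, str) else list(aws or [])
        if principals != [expected_principal]:
            findings.append(f"principal should be {expected_principal}, found {principals}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong: without it any "
                            "workspace acting through the trusted account could assume "
                            "the role (confused deputy)")
    return findings


def check_attached_policies(policy_arns: list) -> list:
    """The role needs only AWSCloudTrailReadOnlyAccess; anything broader is a finding."""
    findings = []
    if READ_ONLY_POLICY_ARN not in policy_arns:
        findings.append(f"{READ_ONLY_POLICY_ARN} is not attached")
    for arn in policy_arns:
        if arn != READ_ONLY_POLICY_ARN:
            findings.append(f"unexpected additional policy attached: {arn}")
    return findings


if __name__ == "__main__":
    good = build_trust_policy(SENTINEL_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print("findings (good):", check_trust_policy(good, SENTINEL_ACCOUNT_ID, EXTERNAL_ID))
    # A constructed weak variant: same principal, but the External ID condition left out.
    weak = build_trust_policy(SENTINEL_ACCOUNT_ID, EXTERNAL_ID)
    del weak["Statement"][0]["Condition"]
    print("findings (weak):", check_trust_policy(weak, SENTINEL_ACCOUNT_ID, EXTERNAL_ID))
```

Run it once with the real values to see the JSON the console generates for you, then feed it the trust policy from the IAM role's "Trust relationships" tab after Step 5 to confirm nobody widened the principal or dropped the condition while troubleshooting the connection test.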
