Using Azure Sentinel with Azure Lighthouse

A recent article:

Configure Azure Lighthouse

detailed how to get Azure Lighthouse working across different tenants (a ‘master’ and multiple ‘clients’). It is now time to look at how to use that capability inside the ‘master’ tenant with Azure Sentinel.


Log into your ‘master’ Azure tenant. Select the user in the top right and from the menu that is displayed select Switch directory.


You’ll typically see only the current ‘master’ tenant listed in Current + delegated directories. Select the pull down arrow on the left of the Current + delegated directories option as shown.


You should now see all the ‘client’ tenants you connected with Azure Lighthouse appear. However, you’ll notice they are currently not selected.


Ensure that all the directories are selected.


With All directories now selected in Current + delegated directories, click on the pull down arrow on the right of Subscription as shown above.


Again, you will probably see that the subscriptions in the ‘client’ tenants are not selected.


Ensure these are all selected and the Subscription option displays All subscriptions as shown above.


With all the ‘client’ tenant selections now complete it means they will be displayed just like any other in the ‘master’ tenant. Navigate to Azure Sentinel in the ‘master’ tenant and look at the list of workspaces that are displayed. If you don’t see ‘client’ Sentinel workspaces, select the Subscription filter at the top of the page and ensure it is set to All as shown.


With all the workspaces selected, click the View incidents button from the menu along the top as shown above.


You should now see a list of all the incidents across all the tenants. You can confirm this by looking at the Directory column in the output. You can, of course, view individual Sentinel workspaces if you want by just clicking on them in the previous screen. This provides the same experience as if you viewed the results inside that ‘client’ tenant, but you are now doing it from inside the ‘master’ tenant.

This process now gives you a single pane of glass across all your Azure Sentinel environments. Depending on the permissions you have configured in the ‘client’ tenants, you now get much the same capability across other Azure resources from the ‘master’ tenant. This is the benefit of using Azure Lighthouse to manage multiple tenants, and exactly how I use it with Azure Sentinel.
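The same cross-tenant view can be scripted. The following is an added example (not from the original post) that walks every subscription the signed-in account can see from the ‘master’ tenant, including the ‘client’ subscriptions delegated through Azure Lighthouse, and lists recent Sentinel incidents with the owning directory alongside, much like the Directory column in the portal. It assumes the Az.Accounts, Az.OperationalInsights and Az.SecurityInsights modules are installed and that Connect-AzAccount has already been run in the ‘master’ tenant; the $Days look-back is a hypothetical default.

```powershell
# Added example (not from the original post): list recent Azure Sentinel incidents
# from every subscription visible to this sign-in, including Lighthouse-delegated ones.
# Assumes: Az.Accounts, Az.OperationalInsights, Az.SecurityInsights installed and
#          Connect-AzAccount already run in the 'master' tenant.
param(
    [int]$Days = 7   # look-back window in days (hypothetical default)
)

$since = (Get-Date).ToUniversalTime().AddDays(-$Days)
$rows  = [System.Collections.Generic.List[object]]::new()

# Once Lighthouse is in place, delegated subscriptions show up here as well;
# TenantId identifies which 'client' directory each subscription belongs to.
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    foreach ($ws in Get-AzOperationalInsightsWorkspace) {
        # Not every Log Analytics workspace has Sentinel enabled. Those return an
        # error from the incidents call, which we skip rather than abort on.
        try {
            $incidents = Get-AzSentinelIncident -ResourceGroupName $ws.ResourceGroupName `
                                                -WorkspaceName $ws.Name -ErrorAction Stop
        } catch {
            continue
        }

        foreach ($inc in ($incidents | Where-Object { $_.CreatedTimeUtc -ge $since })) {
            $rows.Add([pscustomobject]@{
                Directory    = $sub.TenantId      # same information as the portal's Directory column
                Subscription = $sub.Name
                Workspace    = $ws.Name
                Number       = $inc.IncidentNumber
                Severity     = $inc.Severity
                Status       = $inc.Status
                Created      = $inc.CreatedTimeUtc
                Title        = $inc.Title
            })
        }
    }
}

# One table across all tenants, newest first. Filtering on Status (for example
# 'New') is a quick way to see what still needs triage across every client.
$rows | Sort-Object Created -Descending | Format-Table -AutoSize
```

Because the script only reads incidents, a Lighthouse delegation granting the Azure Sentinel Reader role (or equivalent) in each ‘client’ subscription is sufficient for it to work; workspaces where that permission is missing are simply skipped by the try/catch.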

The case of the missing Azure Sentinel ingested data


Recently, I have seen my Azure Sentinel overview look like the above. I was puzzled as to why I had so many hours without any data being ingested. In short, it turned out that I had exceeded the daily capacity of my pricing tier. Here’s where to look if you see something similar.


From the menu on the left of the Azure Sentinel workspace scroll to the bottom and select Settings as shown. Then from the pane that appears on the right select Workspace settings at the top as shown.


This will take you to the Azure Log Analytics workspace that underpins Sentinel. From the menu on the left here, select Usage and estimated costs. Note what is highlighted on the right under the Free pricing tier I was using:

(The log data ingestion includes the 500 MB/VM/day data allowances from Azure Security Center.)

That is the limit for my current tier. Any data over that quota was not being ingested, and data that is not ingested leaves nothing to record in the Sentinel overview report.


If you select the Daily cap button at the top of the page, more information will appear on the right as shown.


The two important things to note are that the daily volume cap is 0.5 GB/day and that the limit is reset at 2am UTC (12pm Sydney time).


When I checked the Workspace Pricing tier details, shown above, there is indeed a daily cap of 512MB.


Then, when I looked at the overview report in Sentinel, I could see that data did indeed begin to be ingested again at 12pm local time (2am UTC), as expected.


So the next question was, how much is it going to cost me to avoid this situation and ingest all my data? Looking at the Pay-as-you-go pricing tier, I see the estimated cost per month would only be AU$4.79. Easy choice. SELECT.


The important thing to remember with this ingested data is that you always get the initial 512MB per day free. Above that, no data is captured unless you upgrade your pricing tier. Even then you only pay for the amount above the 512MB per day, which in my case was only about 34MB per day on average.


A good way to keep track of this sort of data, before it becomes an issue as it did for me, is to use the Workspace usage Report workbook, which you can access from the Sentinel console as shown above.


Here you’ll see everything you need to keep on top of this total data you are ingesting and where it is coming from.

The reason I’m ingesting so much data is that I’m pulling security events from local devices. Most Microsoft cloud services include free ingestion, which is the place you should start. However, I had added a number of demo devices to my tenant, which pushed me over the free 512MB limit. Most people should be able to stay well below this quota by default, at least to start with. However, if you ever need to upgrade, like I have, it’s still cheap for what it provides!
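If you would rather check ingestion from a script than from the workbook, the following added example (not from the original post) queries the Log Analytics Usage table behind Sentinel with the Az.OperationalInsights module, sums billable volume per day, compares each day against the 512MB free allowance discussed above, and then shows which data types are contributing most. It assumes Connect-AzAccount has been run with the right subscription selected; the resource group and workspace names are placeholders, and the $Days window is a hypothetical default.

```powershell
# Added example (not from the original post): daily billable ingestion versus the
# free 512 MB/day allowance, read from the workspace's Usage table.
# Assumes: Az.Accounts and Az.OperationalInsights installed, Connect-AzAccount done.
$ResourceGroupName = "<your-resource-group>"   # placeholder
$WorkspaceName     = "<your-workspace-name>"   # placeholder
$FreeCapMb         = 512                       # free-tier daily cap described in the post
$Days              = 7                         # look-back window (hypothetical default)

$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName

# Usage records ingested volume in MB per data type. IsBillable == false covers the
# sources (Azure Activity, Office 365 audit, Defender alerts ...) that are free.
# Note: bin() groups from midnight UTC, while the cap itself resets at 2am UTC, so
# this is a close approximation of the cap window rather than an exact match.
$perDayQuery = @"
Usage
| where TimeGenerated >= ago(${Days}d)
| where IsBillable == true
| summarize IngestedMb = sum(Quantity) by bin(TimeGenerated, 1d)
| order by TimeGenerated asc
"@

$perDay = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $perDayQuery

"Billable ingestion per day (free cap $FreeCapMb MB):"
foreach ($row in $perDay.Results) {
    # Result cells come back as strings, so cast before doing arithmetic.
    $mb   = [math]::Round([double]$row.IngestedMb, 1)
    $flag = if ($mb -gt $FreeCapMb) {
        "OVER CAP by $([math]::Round($mb - $FreeCapMb, 1)) MB"
    } else {
        "ok"
    }
    "{0:yyyy-MM-dd}  {1,8} MB  {2}" -f [datetime]$row.TimeGenerated, $mb, $flag
}

# Second query: which data types account for the volume, to see where it is coming from.
$byTypeQuery = @"
Usage
| where TimeGenerated >= ago(${Days}d)
| where IsBillable == true
| summarize IngestedMb = sum(Quantity) by DataType
| top 10 by IngestedMb desc
"@

$byType = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $byTypeQuery

"Top billable data types over the last $Days days:"
$byType.Results | Format-Table DataType, IngestedMb -AutoSize
```

Running this on a schedule and alerting when a day is flagged OVER CAP gives you warning before the gap in the overview chart appears; on the Free tier the gap is exactly the hours between hitting the cap and the 2am UTC reset.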

Use PowerShell with Azure Sentinel

Yes Virginia, it is now possible to use PowerShell with Azure Sentinel. Microsoft has made available the Az.SecurityInsights module that allows you to work with Azure Sentinel. You’ll find the module here:

https://www.powershellgallery.com/packages/Az.SecurityInsights/0.1.0

and you install it in your elevated PowerShell environment via the command:

Install-Module -Name Az.SecurityInsights -AllowClobber

To use the module commands you’ll also need to log in to Azure. You can do that by using my connection scripts, which are here:

An easier way to connect using PowerShell

However, to make it even easier for you, I’ve created a complete script here:

https://github.com/directorcia/Office365/blob/master/az-sentinel-ruleget.ps1

You run the script in your environment like so:


You’ll then be prompted to login to your Azure tenant like so:


You’ll then be prompted to select your Azure subscription where Sentinel is configured:


You should see a list of all the subscriptions in your tenant as shown above. Select the one where Azure Sentinel is configured and select OK to continue.


You’ll then be prompted to select which workspace Azure Sentinel is configured with. Again, just select the appropriate workspace and then OK to continue.


The script will now display a list of all the available Rule Templates in Sentinel as shown above, sorted by most recently added (handy to see what’s new!).


This list is what you see in the Azure Sentinel portal when you select Analytics, then Rule templates as shown above. In effect, this is every analytics rule Sentinel makes available to you.


The next part of the script output will show you every rule in use.


This corresponds with the Active rules area in the web portal as shown above.


The next section of the script output will show you all the available rules and whether they are in use or Active as shown above.


You’ll see something similar if you return to the Rule templates, and note the rules “IN USE”, as shown above.


If you have a close look here, you’ll see rules that have no display name. I’ll cover that a bit further on, as it is still a bit of a mystery to me at this stage.


The last listing in the script will show you all the rules that are NOT in use, in date order. This is handy as I don’t see anything like this in the web portal.


Finally, the script will give you a summary as shown above.

It is interesting to note that 11 scripts report errors. These seem to be the ones with no names; I still haven’t quite worked that one out. You might also see a mismatch in the rules in use, as I have above; I need to dig into this a little more. Also a bit strange is the fact that I have 191 scripts reporting in total, but if I add the 104 templates in use to the 112 not in use I come to a total of 216! If I then look in the web interface I see:


only 182 templates in total??

This new Azure Sentinel module is only a month old as of writing this article, so it is early days. Hopefully, these items are minor bugs that will get fixed soon. You can also double check my code to ensure I haven’t done something silly. If I have, let me know so I can fix it and share.
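For anyone wanting to compare, here is an added example (my own compact version, not the author’s az-sentinel-ruleget.ps1) of the same reconciliation using the Az.SecurityInsights cmdlets: fetch the rule templates and the deployed rules for one workspace, treat a template as “in use” exactly when at least one deployed rule references it through AlertRuleTemplateName, and print the not-in-use list newest first together with a summary. Keying on that single field means each template is counted once even if several rules were created from it, and rules that were written by hand (no template link) are reported separately instead of being added to the template totals. It assumes Connect-AzAccount and Set-AzContext already point at the right subscription; the resource group and workspace names are placeholders.

```powershell
# Added example (not the author's script): reconcile Sentinel analytics rule
# templates against the rules actually deployed in one workspace.
# Assumes: Az.Accounts and Az.SecurityInsights installed; Connect-AzAccount and
#          Set-AzContext already done for the subscription holding the workspace.
$ResourceGroupName = "<your-resource-group>"   # placeholder
$WorkspaceName     = "<your-workspace-name>"   # placeholder

$templates = @(Get-AzSentinelAlertRuleTemplate -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName)
$rules     = @(Get-AzSentinelAlertRule         -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName)

# A rule created from a template carries that template's id in AlertRuleTemplateName;
# hand-written rules leave it empty. One distinct id per used template avoids
# double counting when several rules were created from the same template.
$usedTemplateIds = @($rules |
    Where-Object { $_.AlertRuleTemplateName } |
    Select-Object -ExpandProperty AlertRuleTemplateName -Unique)

$inUse    = @($templates | Where-Object { $usedTemplateIds -contains $_.Name })
$notInUse = @($templates | Where-Object { $usedTemplateIds -notcontains $_.Name })
$custom   = @($rules     | Where-Object { -not $_.AlertRuleTemplateName })
$unnamed  = @($rules     | Where-Object { -not $_.DisplayName })

"Templates NOT in use (newest first):"
$notInUse | Sort-Object CreatedDateUtc -Descending |
    Format-Table CreatedDateUtc, Kind, DisplayName -AutoSize

# In-use plus not-in-use always equals the template total here, because every
# template falls into exactly one of the two sets.
"Summary:"
[pscustomobject]@{
    Templates              = $templates.Count
    TemplatesInUse         = $inUse.Count
    TemplatesNotInUse      = $notInUse.Count
    DeployedRules          = $rules.Count
    RulesNotFromTemplate   = $custom.Count
    RulesWithNoDisplayName = $unnamed.Count
} | Format-List
```

Wrapping each cmdlet result in @() keeps the .Count properties honest when a call returns zero or one object, which is the easiest way to end up with totals that do not add up in a quick script.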

However, that considered, I can see this new Azure Sentinel PowerShell module being pretty handy if I’m honest. This script allows me to see when Microsoft adds new rules that I need to go and configure for one. I’ll be spending more time with this PowerShell module to automate how I deploy Azure Sentinel, which I reckon will save me a bucket-load of time.

Looking forward to future updates to this module, but there is no reason you can’t start automating Azure Sentinel yourself today!


Handy Azure Sentinel workbook


If you have a look at the available workbooks in Azure Sentinel, you should find a Data collection health monitoring workbook under Templates as shown above. It is easy to Save this to your environment (in the lower right after selecting the workbook).


If you View the workbook, you’ll need to select the Subscription and Workspace at the top of the page. Once you have done this, you should start seeing the values for your environment as shown above.

Have a look in the Overview section at the Is billable field as shown above. That is handy to know, as not all services ingested into Azure Sentinel incur a cost.


Pricing can be found here:

https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/

If you scroll down to the bottom of the screen you see the above:

What data can be ingested at no cost with Azure Sentinel?

Azure Activity Logs, Office 365 Audit Logs (all SharePoint activity and Exchange admin activity) and alerts from Microsoft Defender products (Azure Defender, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint), Azure Security Center, Microsoft Cloud App Security, and Azure Information Protection can be ingested at no additional cost into both Azure Sentinel, and Azure Monitor Log Analytics.


Please Note: Azure Active Directory (AAD) audit data is not free and is billed for ingestion into both Azure Sentinel, and Azure Monitor Log Analytics.

and

What other charges should I be aware of when using Azure Sentinel?

Any Azure services that you use in addition to Azure Sentinel are charged per their applicable pricing. For example – Log Analytics, Logic Apps, Machine Learning, etc.

For a good introduction to Sentinel have a look at my previous article:

Another great security add on for Microsoft 365

and an online course I created:

Getting started with Azure Sentinel

Using the Data collection health monitoring workbook makes it easy to see exactly what you are being billed for. All you need to do is add it to your own workbooks. Here is a great video overview:

A couple of new additions to Azure Sentinel

If you have a look inside your Azure Sentinel console you should see some new options.


The first is a new option in the Office 365 Data connector to allow you to bring Teams data from the Office 365 Unified Audit Log into Sentinel. All you need to do to enable this is open the Office 365 connector and select the Teams check box as shown above.


Once the data starts flowing in, you’ll be able to run Kusto queries on the log data as shown above. This query will produce a quick report of all the Teams sessions over the last day. The KQL for this is:

OfficeActivity
| where TimeGenerated >= ago(1d)
| where RecordType == "MicrosoftTeams"
| summarize count() by UserId
| sort by count_

With Teams data now flowing into Sentinel you can start creating all sorts of interesting reports.


The next new item is the Entity behavior as shown above. Here is what it does:


Basically, it gives you the ability to be more granular when looking at data, as well as applying more AI (Artificial Intelligence) across that data to look for anomalies.


Just scroll down the page and Turn it on.


Now when you visit the link you’ll see:


and selecting an account will show you information like:


Which is a great summary for that user over the time period you selected.


The Threat intelligence option provides the above options, which to be honest, I haven’t fully figured out how to use effectively yet. I may not as yet have enough data in this tenant to make full use of it. I’ll have to wait and see.

Overall, some really handy additions to Azure Sentinel that I’d encourage you to take advantage of to improve your security analysis. If you are looking to get started with Azure Sentinel, don’t forget my online course:

https://www.ciaopsacademy.com/p/getting-started-with-azure-sentinel

Announcing the CIAOPS Azure Sentinel online course


If you want to get started with Azure Sentinel and don’t quite know where to begin, then I have created an online course just for you.

You’ll find it here:

https://www.ciaopsacademy.com/p/getting-started-with-azure-sentinel/

Azure Sentinel is a cloud-based security information and event management (SIEM) tool that you can easily connect to various data sources, both on premises and in the cloud. Once events are flowing you can then use Sentinel to analyse and report on those events quickly and easily, as well as take automated actions if desired.


This course is aimed at helping you get up and running with Azure Sentinel quickly by introducing you to its main features and then showing you how to configure the most important settings to get it working for business.


If you want to quickly and easily ingest security logging data, analyse, report and act on that then Azure Sentinel is for you and this course will show you how to get up and running quickly. Inside you’ll find video tutorials, references, best practices, how-to’s and more.

I’ll continue to add more material to the course but once you sign up you’ll always have access to all the content.

Look out for more online courses coming soon.

Need to Know podcast–Episode 244

Sarah Young from Microsoft joins us again to talk about Azure Sentinel. We run through what it is and why you should be using it to protect your IT environments. Brenton joins us as well to cover off the latest news and certifications he has achieved. Listen in for all the details.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-244-sarah-young/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Sarah Young

@contactbrenton

@directorcia

L400 Sentinel Ninja Training

MS Tech Community Sentinel blog

Sentinel GitHub repo

Sentinel documentation

MS Security Community webinars

Defender ATP for Linux now GA

Defender ATP for Android

OneDrive Roadmap Roundup – May 2020

PowerPoint Live is now generally available

What’s New: Livestream for Azure Sentinel is now released for General Availability

Azure responds to COVID-19

20 updates for Microsoft Teams for Education, including 7×7 video and Breakout Rooms

Outlook for Windows: Signature cloud settings