Welcome back to setting up our Azure environment for hands-on experience with Sentinel. In our last blog post we deployed our API; today we will be installing and enabling Data Connectors to bring alerts and other data into Sentinel. If you haven't read the previous posts, you will need to in order to proceed with this one.
Head over to your Microsoft Sentinel dashboard and click on Content Hub to install the Azure Activity solution.
When the deployment completes, select Data Connectors in the Configuration section of the Sentinel workspace.
In the Data connectors screen, click on the Azure Activity connector. Other options may be listed, but we will only be using Azure Activity.
Click on Azure Activity and open the connector page. Here we are presented with a set of instructions. We can ignore step 1 because we do NOT have any subscriptions using the legacy method. We will focus on step 2, so click Launch Azure Policy Assignment Wizard.
We will begin configuration for Azure Activity. The first section of the Policy Assignment Wizard is Scope. This is where we select our subscription and resource group.
For now, we will leave everything else as normal in Basics. Go to the Parameters tab and look at the Primary Log Analytics workspace. Here we will select the Microsoft Sentinel workspace.
In this next step, we will use the deployIfNotExists (DINE) feature of Azure Policy to deploy the diagnostic setting directly to any Activity Logs in scope. To do this, click on the Remediation tab, then tick Create a remediation task. Leave Managed Identity set to System Managed Identity, and choose the region closest to where you're located. For me, it is US-EAST.
You can now click Review + Create, then click Create again to save the policy. It may take some time for it to appear, but don’t worry, that is normal.
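The same policy assignment the wizard builds, scripted with the Azure CLI as an added example (this is not from the original post). It assumes a logged-in az CLI, placeholder values for the subscription, resource group and workspace resource ID, and that the built-in policy takes a `logAnalytics` parameter and needs the Log Analytics Contributor role for its DINE deployment.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Scripts the Scope, Parameters
# and Remediation tabs of the Azure Activity policy assignment wizard.
# Assumptions: az CLI >= 2.29 (older versions use --assign-identity instead of
# --mi-system-assigned); SUB, RG and WORKSPACE_ID are placeholders you set;
# the built-in policy's parameter is named "logAnalytics".
set -euo pipefail

# Scope tab: the wizard builds this scope string from subscription + resource group.
activity_scope() { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }

# Parameters tab: Primary Log Analytics workspace = the Sentinel workspace resource ID.
dine_params() { printf '{"logAnalytics":{"value":"%s"}}' "$1"; }

# Remediation tab: system-assigned identity, region, and a remediation task.
assign_activity_policy() {
  local sub="$1" rg="$2" ws_id="$3" region="${4:-eastus}"
  local def scope
  # Look the built-in definition up by display name instead of hard-coding its GUID.
  def=$(az policy definition list -o tsv --query \
    "[?displayName=='Configure Azure Activity logs to stream to specified Log Analytics workspace'].name | [0]")
  scope=$(activity_scope "$sub" "$rg")
  az policy assignment create --name sentinel-activity-dine \
    --policy "$def" --scope "$scope" --params "$(dine_params "$ws_id")" \
    --mi-system-assigned --location "$region" \
    --identity-scope "/subscriptions/$sub" --role "Log Analytics Contributor"
  # Equivalent of ticking "Create a remediation task".
  az policy remediation create --name sentinel-activity-remediate \
    --policy-assignment sentinel-activity-dine --resource-group "$rg"
}

# Check a defender wants afterwards: which subscription-level diagnostic
# settings now send the Activity Log to the Sentinel workspace.
verify_activity_setting() {
  az monitor diagnostic-settings subscription list -o tsv \
    --query "value[?workspaceId=='$1'].name"
}

# Only touches Azure when run with --apply; functions stay testable offline.
if [ "${1:-}" = "--apply" ]; then
  assign_activity_policy "$SUB" "$RG" "$WORKSPACE_ID" eastus
  verify_activity_setting "$WORKSPACE_ID"
fi
```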
We can now head back to our Sentinel dashboard. Here we will go back into Content Hub, click on the Azure Activity solution, and click the Manage button at the bottom of the panel on the right.
We can now see the contents of the solution, displaying the connectors, analytic rules, workbooks, hunting queries, and other content included in the solution pack. For now we will only be focusing on NRT Azure Active Directory Hybrid Health AD FS New Server, as shown below.
And that is all for now. In the next post, we will continue with part 2 of Data Connectors in Azure Sentinel. Thanks for reading!