Exploring the Azure Sentinel Overview page
The Azure Sentinel Overview page is the page you land on automatically when you enter Azure Sentinel after associating a Log Analytics workspace with it. It provides a general overview of the information in your Azure Sentinel environment and looks like the following screenshot. The actual numbers and data shown will, of course, vary depending on your environment:
The page is broken up into various sections and each of these is described in the following sections.
The header bar
The header bar allows you to refresh the screen to see any updates, as well as to select how far back in time to look for the data. You can select the icon that looks like a clock to change how far back you want to look.
The summary bar
The summary bar will show you how much data has been ingested in the selected time period as well as how many alerts were raised, and the number of incidents those alerts created. In addition, the incidents are broken down by their status.
The Events and alerts over time section
This section shows the log tables into which the most data has been ingested, together with the number of incidents created in the selected time frame. The chart is interactive: when you hover the mouse over a specific time, the information is filtered to show what happened at that time.
The Recent incidents section
This section shows up to the five most recently created incidents, along with the number of alerts that generated each incident. You can click on an incident name to get more information about that incident.
The Data source anomalies section
This section will show up to two different data sources that Azure Sentinel's machine learning has determined contain anomalies. You can click on the log name to get more information about the anomaly.
The Potential malicious events section
This section, not shown, will show an interactive map where any potential malicious events will be highlighted. You can zoom in to the map to get a very precise indication of where the event occurred.
The Democratize ML for your SecOps section
This section, not shown, provides some general information on Azure Sentinel's use of machine learning and provides a link where you can obtain more information.
That is the Azure Sentinel Overview page. It is a great place to go to get an overview of what is going on in your Azure Sentinel environment and is the landing page of Azure Sentinel. While Figure 2.14 shows lots of data, when you first create a Log Analytics workspace, it will be empty. The next section will explain how to start getting data into your workspace.
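The summary bar and the Events and alerts over time chart are built from the same data you can query yourself. The following PowerShell script is an added example, not code from the book; it reproduces two of the Overview figures (data ingested per table, and incidents broken down by status) with KQL run through the Az.OperationalInsights module. It assumes Connect-AzAccount has already been run, that the workspace has Azure Sentinel enabled (the SecurityIncident table only exists then), and it uses placeholder resource names that you must replace with your own.

```powershell
# Added example (not from the book): reproduce the Overview page's summary
# figures with KQL through the Az.OperationalInsights module.
# Assumes Connect-AzAccount has been run and Azure Sentinel is enabled on
# the workspace. Resource names are placeholders.

$WorkspaceRg   = 'rg-sentinel'            # placeholder resource group
$WorkspaceName = 'law-sentinel'           # placeholder workspace name
$LookBack      = New-TimeSpan -Hours 24   # same idea as the clock icon in the header bar

$Workspace   = Get-AzOperationalInsightsWorkspace -ResourceGroupName $WorkspaceRg -Name $WorkspaceName
$WorkspaceId = $Workspace.CustomerId.ToString()

# Billable data ingested per table, largest first. Quantity in the Usage
# table is recorded in MB.
$IngestQuery = @'
Usage
| where IsBillable == true
| summarize IngestedMB = round(sum(Quantity), 2) by DataType
| order by IngestedMB desc
'@

# Incidents by status. SecurityIncident stores one row per update, so
# arg_max keeps only the latest row of each incident before counting.
$IncidentQuery = @'
SecurityIncident
| summarize arg_max(LastModifiedTime, Status) by IncidentNumber
| summarize Incidents = count() by Status
'@

$Ingest    = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $IngestQuery   -Timespan $LookBack
$Incidents = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $IncidentQuery -Timespan $LookBack

"Billable ingestion in the last $($LookBack.TotalHours) hours:"
$Ingest.Results    | Format-Table DataType, IngestedMB
"Incidents by status:"
$Incidents.Results | Format-Table Status, Incidents
```

Running this against a freshly created workspace returns empty result sets for both queries, which is exactly the empty state described above; once data sources are connected, the first query is a quick way to check which tables are driving ingestion cost.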
Connecting your first data source
Before we dig into the details of the Azure Sentinel data connectors (see Chapter 3, Data Collection and Management), we will review how Log Analytics connects to a range of different sources in order to receive the data it stores and analyzes. Some of the data source options include the following:
- Application and OS diagnostics
- Virtual machine log data
- Azure storage account logs
- Azure activity log
- Other Azure resources
In this section, we will show you how you can enable log collection from Azure virtual machines.
Obtaining information from Azure virtual machines
To have the virtual machines (VMs) populate a Log Analytics workspace, they need to be connected to it. This is done from the Log Analytics workspace Overview page.
There are two different ways to get to this page. First, you can select Log Analytics in the Azure portal navigation menu and then select the appropriate workspace. The second, and perhaps easier, way is to select Settings from the Azure Sentinel navigation menu and then select Workspace settings from the menus at the top of the page, as shown in the following screenshot:
No matter which method you use to get to the page, it will look similar to the following screenshot:
Under Connect a data source in the Get started with Log Analytics section, select Azure virtual machines (VMs). This will take you to the Virtual machines page, which lists each VM and shows whether it is connected, as well as the OS, subscription GUID, the resource group, and the location it belongs to. The following screenshot is an example of what this page looks like:
You can see that the first three VMs are connected to this workspace, the fourth one, called LinuxWebServer, is connected to another workspace, and the final one, ThreatHuntDemo, is not connected to any workspace.
To change the connection status of any of the VMs, click on the row containing it. This will open a new blade, where you can either connect or disconnect the VM:
Select either the Disconnect or Connect link to perform the action you desire.
Connecting a VM to a Log Analytics workspace downloads and installs the Microsoft Monitoring Agent to the VM, so this step can be performed automatically when provisioning the VM using tools such as PowerShell Desired State Configuration. However, the actual steps to perform this task are beyond the scope of this book.
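The portal steps above can also be scripted. The following PowerShell script is an added example and is not from the book: it connects one Azure VM to a workspace by installing the Log Analytics agent (Microsoft Monitoring Agent) VM extension, then checks the Heartbeat table to confirm the VM is reporting. It assumes the Az.Compute and Az.OperationalInsights modules are installed, that Connect-AzAccount has been run, and that the extension names and versions below (MicrosoftMonitoringAgent 1.0 for Windows, OmsAgentForLinux 1.13 for Linux, both from publisher Microsoft.EnterpriseCloud.Monitoring) are current for your environment. Resource names are placeholders; ThreatHuntDemo is the VM shown as not connected in the chapter.

```powershell
# Added example (not from the book): connect an Azure VM to a Log Analytics
# workspace by installing the Log Analytics agent extension, then confirm
# that the VM is sending heartbeats. Assumes Az.Compute and
# Az.OperationalInsights are installed and Connect-AzAccount has been run.
# Resource names are placeholders; replace them with your own.

$WorkspaceRg   = 'rg-sentinel'      # placeholder resource group of the workspace
$WorkspaceName = 'law-sentinel'     # placeholder workspace name
$VmRg          = 'rg-workloads'     # placeholder resource group of the VM
$VmName        = 'ThreatHuntDemo'   # the VM listed as "not connected" in the chapter

# The agent needs the workspace ID (CustomerId) and a shared key to connect.
$Workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $WorkspaceRg -Name $WorkspaceName
$Keys      = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $WorkspaceRg -Name $WorkspaceName

# Pick the extension that matches the VM's OS; the publisher is the same for both.
$Vm = Get-AzVM -ResourceGroupName $VmRg -Name $VmName
if ($Vm.StorageProfile.OsDisk.OsType -eq 'Windows') {
    $ExtensionType = 'MicrosoftMonitoringAgent'
    $Version       = '1.0'
} else {
    $ExtensionType = 'OmsAgentForLinux'
    $Version       = '1.13'
}

# The workspace key goes in ProtectedSettings so it is encrypted at rest on
# the VM and never shown in the extension's public configuration.
$ExtensionArgs = @{
    ResourceGroupName  = $VmRg
    VMName             = $VmName
    Name               = $ExtensionType
    Publisher          = 'Microsoft.EnterpriseCloud.Monitoring'
    ExtensionType      = $ExtensionType
    TypeHandlerVersion = $Version
    Settings           = @{ workspaceId  = $Workspace.CustomerId.ToString() }
    ProtectedSettings  = @{ workspaceKey = $Keys.PrimarySharedKey }
    Location           = $Vm.Location
}
Set-AzVMExtension @ExtensionArgs

# Verify: a connected agent writes to the Heartbeat table within a few minutes.
# 'startswith' copes with Linux agents that report a fully qualified name.
$Query  = "Heartbeat | where Computer startswith '$VmName' | summarize LastBeat = max(TimeGenerated) by Computer"
$Result = Invoke-AzOperationalInsightsQuery -WorkspaceId $Workspace.CustomerId.ToString() -Query $Query -Timespan (New-TimeSpan -Hours 1)

if (-not $Result.Results) {
    Write-Warning "No heartbeat from $VmName yet; wait a few minutes and run the query again."
} else {
    $Result.Results | Format-Table Computer, LastBeat
}
```

The same extension call is what the portal issues when you click Connect, so the Virtual machines page will show the VM as connected once the deployment finishes; the Heartbeat check is the part worth keeping in any automation, because a successfully installed agent that cannot reach the workspace (for example, due to outbound network rules) still shows as connected in the resource list.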
In a large-scale deployment, especially with VMs that are not hosted in Azure, you may not want each individual server sending its logs directly to the Log Analytics workspace. Instead, you may consider deploying the Syslog/CEF connector to centralize log collection and data ingestion. Each VM would then forward its logs to the CEF collector server instead of Log Analytics.