Skip to content

Getting started using Microsoft Azure Sentinel (Cloud-Native SIEM and SOAR)

In this module, we are going to explore Microsoft Azure Sentinel (Cloud-Native SIEM and SOAR). We are going to learn how to deploy the SIEM from scratch and we are going to see how to start detecting threats with it


Before learning how to use Azure Sentinel, we need to define it first. According to one of their official blog posts:

Azure Sentinel provides intelligent security analytics at cloud scale for your entire enterprise. Azure Sentinel makes it easy to collect security data across your entire hybrid organization from devices, to users, to apps, to servers on any cloud. It uses the power of artificial intelligence to ensure you are identifying real threats quickly and unleashes you from the burden of traditional SIEMs by eliminating the need to spend time on setting up, maintaining, and scaling infrastructure.

Most of the first steps are already discussed in details in the previous resource. Thus I am going to go through the steps rapidly:

Go to Azure search bar and look for Azure Sentinel (preview) and add a new workplace

Create a new Workspace and press "OK"

Add a new Azure Sentinel


Now you need to select a connector to receive logs:

For example, you can select Azure Activities:

Click "Next Steps"

Create a Dashboard. The following graph illustrates some of the Dashboard components:

If you want to receive logs from an Azure VM you can select the Syslog Connector and pick the VM that you want to use:

Deploy the Linux agent for example in "Zeek" VM

Go to "Advanced Settings" - \> Data - \> Syslog - \> select Apply below configuration to my machines

And now you are connected the Linux Machine

If you want to receive logs from a windows machine: Go to "Advanced Settings" - \> Connected Sources and select "Windows Servers". Then download the Windows agent installation binary

Open your Windows machine (in my case Windows 7 x32 ) and install the agent. Click Next

Add your ID and Key (You will find them in Windows servers dashboard )

Click Next and you are done

Now it is hunting time! Go to your Sentinel page and select Hunting and you will be able to type your own hunting queries using KQL Azure query language.

You can also use and create your own Notebooks

You can use some pre-made hunting notebooks delivered by Azure. Click Import

and you will upload them directly from the official Sentinel GitHub account:

The Sentinel dashboards are highly customizable. In other words, you add any visualisation you want. In this example i added a CPU visualization

You can even add your alert/detection rules. If you want to do so click "New alert rule"

I tried an arbitrary condition for educational purposes CPU \> 1.4%

You can also select your action when the condition is performed. In my case, i tried the email notification option

You will receive a confirmation email to check that everything is ok:

When the rule is achieved you will receive an email notification

You can also write your own advanced detection queries with KQL. Go to " Hunting" and Click " New Query" and create your customized query and also you can identify its connection with MITRE ATT&CK framework.

By now you are ready to start your Hunting mission.