Exercise overview

You are a Security Operations Architect working at a company that implemented Microsoft Sentinel. You must learn how to connect log data from the many data sources in your organization. The organization has data from Microsoft 365, Microsoft Defender, Azure resources, and non-azure virtual machines. As they are the easiest to do, you will start by connecting the Microsoft sources first.

Exercise instructions

Task 1 - Access the Microsoft Sentinel workspace

In this task, you will access your Microsoft Sentinel workspace.

  1. Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. Open the Microsoft Edge browser.

  3. In the Edge browser, navigate to the Azure portal at https://portal.azure.com.

  4. In the Sign in dialog box, copy, and paste in the Tenant Email account provided by your lab hosting provider and then select Next.

  5. In the Enter password dialog box, copy, and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.

  6. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  7. Select your Microsoft Sentinel Workspace that you created in the previous lab.

  8. Proceed to the next task.

Task 2 - Connect the Microsoft Defender for Cloud data connector

In this task, you will connect the Microsoft Defender for Cloud data connector.

  1. In the Microsoft Sentinel left navigation menu, scroll down to the Content management section and select Content Hub.

  2. In the Content hub, search for the Microsoft Defender for Cloud solution and select it from the list.

  3. On the Microsoft Defender for Cloud solution details page select Install.

  4. When the installation completes, search for the Microsoft Defender for Cloud solution and select it.

  5. On the Microsoft Defender for Cloud solution details page select Manage

    Note: The Microsoft Defender for Cloud solution installs the Subscription-based Microsoft Defender for Cloud (Legacy) Data connector, the Tenant-based Microsoft Defender for Cloud (Preview) Data connector, and an Analytics rule. The Tenant-based Microsoft Defender for Cloud (Preview) Data connector is used when a tenant has multiple subscriptions.

  6. Select the Subscription-based Microsoft Defender for Cloud (Legacy) Data connector check-box, and select Open connector page.

  7. In the Configuration section, under the Instructions tab, select the checkbox for the “Azure Pass - Sponsorship” subscription and slide the Status option to the right.

    Note: If it switches back to disconnected, please review the prerequisites and confirm you have been assigned the proper permissions to modify the data connector.

  8. The Status should be now Connected and “Bi-directional sync” should be Enabled.

Task 3: Connect a Threat Intelligence Feed

In this task, you will set up the Microsoft Defender Threat Intelligence Connector.

  1. In the Microsoft Sentinel left navigation menu, scroll down to the Content management section and select Content Hub.

  2. In the Content hub, search for the Threat Intelligence solution and select it from the list.

  3. On the solution page, select Install.

  4. When the installation completes, select Manage.

  5. Select the Microsoft Defender Threat Intelligence (Preview) data connector and select Open connector page.

  6. Under the configuration steps, click on the button to install.

Task 4: Connect the Azure Activity data connector

In this task, you will connect the Azure Activity data connector.

  1. In the Microsoft Sentinel left menus, scroll down to the Content management section and select Content Hub.

  2. In the Content hub, search for the Azure Activity solution and select it from the list.

  3. On the Azure Activity solution page select Install.

  4. When the installation completes select Manage

    Note: The Azure Activity solution installs the Azure Activity Data connector, 12 Analytic rules, 14 Hunting queries and 1 Workbook.

  5. Select the Azure Activity Data connector and select Open connector page.

  6. In the Configuration area under the Instructions tab, scroll down to “2. Connect your subscriptions…”, and select Launch Azure Policy Assignment Wizard>.

  7. In the Basics tab, select the ellipsis button (…) under Scope and select your “MOC Subscription-lodxxxxxxxx” subscription from the drop-down list and click Select.

  8. Select the Parameters tab, choose your uniquenameDefender workspace from the Primary Log Analytics workspace drop-down list. This action will apply the subscription configuration to send the information to the Log Analytics workspace.

  9. Select the Remediation tab and select the Create a remediation task checkbox. This action will apply the policy to existing Azure resources.

    Note: The remediation task creates a “managed identity” in the default “US East” region. You can change the region if you created the Log Analytics workspace in a different region.

  10. Select the Review + Create button to review the configuration.

  11. Select Create to finish.

Proceed to Exercise 3