Learning Path 6 - Lab 1 - Exercise 3 - Connect Linux hosts to Microsoft Sentinel using data connectors

Lab scenario

Lab overview.

You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to connect log data from the many data sources in your organization. The next sources of data are Linux virtual machines, connected using the Common Event Format (CEF) and Syslog connectors.

Important: There are steps within the next Tasks that are done in different virtual machines. Look for the Virtual Machine name references.

Task 1: Access the Microsoft Sentinel Workspace

In this task, you will access your Microsoft Sentinel workspace.

  1. Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. Start the Microsoft Edge browser.

  3. In the Edge browser, navigate to the Azure portal at https://portal.azure.com.

  4. In the Sign in dialog box, copy, and paste in the Tenant Email account provided by your lab hosting provider and then select Next.

  5. In the Enter password dialog box, copy, and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.

  6. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  7. Select your Microsoft Sentinel Workspace you created in a previous lab.

Task 2: Connect a Linux Host using the Common Event Format connector

In this task, you will connect a Linux host to Microsoft Sentinel with the Common Event Format (CEF) connector.

  1. Select Data connectors from the Configuration area in Microsoft Sentinel. From the Data Connectors tab, search for the Common Event Format (CEF) connector and select it from the list.

  2. Select Open connector page on the connector information blade.

  3. Under Configuration, copy to the clipboard the command shown in 1.2 Install the CEF collector on the Linux machine. Note: this command embeds your workspace ID and primary key as its last two arguments, so treat it as a credential; do not store it in scripts or leave it in the shell history on the Linux host.

  4. Launch your LIN1 virtual machine. Log in with the username and password provided by your lab hoster. Hint: You might need to press the Enter key to see the login prompt.

  5. Note the IP address for your LIN1 server. See the screenshot below as an example:

    [Screenshot: linux login]

  6. Go back to the WIN1 virtual machine. Launch Windows PowerShell as Administrator by right-clicking the Start menu icon and select Windows PowerShell (Admin). Select Yes to allow the app to run in the User Account Control window that appears. Hint: You might have a Windows PowerShell window already open from previous exercises.

  7. Enter the following PowerShell command, adjusting for your specific Linux server information, and press enter:

     ssh insert-your-linux-IP-address-here -l insert-linux-user-name-here
    
  8. Enter yes to confirm the connection and then type the user’s password and press enter. Your screen should look something like this:

    [Screenshot: linux login]

  9. You are now ready to paste the 1.2 Install the CEF collector on the Linux machine command from the earlier step. Make sure that script from Azure is in the clipboard. In PowerShell right-click the top bar and choose Edit and then Paste.

  10. Once the command is pasted, and before pressing Enter, append the character 3 to the word python so that it reads python3, as shown below. Recent Ubuntu releases install python3 but no python command, so the unmodified line would fail with "python: command not found".

    [Screenshot: ConnectorScript]

  11. Once the command is adjusted, press Enter. The script downloads and runs on your Linux server over the remote shell. When it completes successfully, the output should look like this screen:

    [Screenshot: ConnectorScript]

  12. Type exit to close the remote shell connection to LIN1.
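Once the collector is installed, the next question is whether a CEF event actually makes it into the CommonSecurityLog table, and the usual reason one does not is a malformed header: CEF expects the literal prefix CEF:0, then six pipe-delimited header fields (Vendor, Product, Version, Signature ID, Name, Severity), then the extension, with any pipe inside a header field escaped as \| and any = inside an extension value escaped as \=. The following bash script is an added example written for this page; it is not part of the lab and not Microsoft's cef_installer.py. The vendor, product and event values are constructed, and the helper names (cef_build, cef_validate, cef_header_count) are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the lab or Microsoft's cef_installer.py): build a
# CEF:0 event, escape it correctly and check its header before sending it to
# the LIN1 collector. Vendor/product/event values are constructed; the helper
# names are assumptions made for this illustration.
set -u

# CEF header fields must escape backslash and pipe; extension values must
# escape backslash and '='. sed is used rather than bash substitution so the
# escaping does not depend on the bash version.
cef_escape_header() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/|/\\|/g'; }
cef_escape_ext()    { printf '%s' "$1" | sed 's/\\/\\\\/g; s/=/\\=/g'; }

# cef_build VENDOR PRODUCT VERSION SIGNATURE_ID NAME SEVERITY [extension ...]
# Prints: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension
cef_build() {
    local v p ver sid name sev
    v=$(cef_escape_header "$1");    p=$(cef_escape_header "$2")
    ver=$(cef_escape_header "$3");  sid=$(cef_escape_header "$4")
    name=$(cef_escape_header "$5"); sev="$6"
    shift 6
    printf 'CEF:0|%s|%s|%s|%s|%s|%s|%s' "$v" "$p" "$ver" "$sid" "$name" "$sev" "$*"
}

# Mask escaped sequences so only structural pipes remain, then count them.
# A valid line has exactly 7: CEF:0, six header fields, then the extension.
_cef_mask() { printf '%s' "$1" | sed 's/\\\\/_/g; s/\\|/_/g'; }
cef_header_count() { _cef_mask "$1" | tr -cd '|' | wc -c | tr -d ' '; }

# cef_validate LINE -> exit 0 if the header is well formed, 1 otherwise
cef_validate() {
    local line="$1" n sev
    case "$line" in
        'CEF:0|'*) ;;
        *) echo "invalid: missing CEF:0| prefix" >&2; return 1 ;;
    esac
    n=$(cef_header_count "$line")
    if [ "$n" -ne 7 ]; then
        echo "invalid: expected 7 unescaped pipes, found $n" >&2; return 1
    fi
    # Severity is the 7th field: an integer 0-10 or Low/Medium/High/Very-High.
    sev=$(_cef_mask "$line" | awk -F'|' '{print $7}')
    case "$sev" in
        [0-9]|10|Low|Medium|High|Very-High) return 0 ;;
        *) echo "invalid: bad severity '$sev'" >&2; return 1 ;;
    esac
}

# Constructed sample: a failed SSH login as a hypothetical "ExampleFW" might report it.
# The event name deliberately contains a pipe to show header escaping.
SAMPLE=$(cef_build "ExampleVendor" "ExampleFW" "1.0" "100" "Failed SSH login|brute force?" "7" \
    "src=203.0.113.10 dst=10.0.0.5 dpt=22 suser=root msg=$(cef_escape_ext 'reason=bad password')")

if cef_validate "$SAMPLE"; then
    echo "OK: $SAMPLE"
    # On LIN1 this is what you would hand to the local syslog daemon:
    #   logger -p local4.warn "$SAMPLE"
fi
```

On LIN1 you can feed the generated line to the local syslog daemon with logger -p local4.warn "$SAMPLE" and then query CommonSecurityLog in the workspace a few minutes later; this assumes, as Microsoft's CEF collector documentation describes, that the installer's rsyslog rule forwards any message containing CEF: to the Log Analytics agent listening on local TCP port 25226. Doing this before pointing a real appliance at the host separates "the pipeline works" from "the appliance emits valid CEF".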

Task 3: Connect a Linux host using the Syslog connector

In this task, you will connect a Linux host to Microsoft Sentinel with the Syslog connector.

  1. Go back to the Edge browser where you have your Microsoft Sentinel Portal open and close the “Common Event Format (CEF)” data connector page by selecting the ‘x’ in the top right corner.

  2. From the Data Connectors tab, search for the Syslog connector and select it from the list.

  3. Select Open connector page on the connector information blade.

  4. Under Configuration, open the Install agent on a non-Azure Linux Machine section.

  5. Select the link for Download & install agent for non-Azure Linux machine.

    Note: Your Log Analytics workspace should show 3 Windows computers connected. This corresponds to WIN2, WINServer and AZWIN01 virtual machines connected earlier.

  6. Select the tab for Linux servers.

    Note: Your Log Analytics workspace should show 1 Linux computer connected. This corresponds to the LIN1 (ubuntu1) virtual machine connected earlier with the CEF connector.

  7. Select Log Analytics agent instructions.

  8. Copy the command in the Download and onboard agent for Linux area to the clipboard.

  9. Launch your LIN2 virtual machine. Log in with the username and password provided by your lab hoster. Hint: You might need to press the Enter key to see the login prompt.

  10. Note the IP address for your LIN2 server. See the screenshot below as an example:

    [Screenshot: linux login]

  11. Go back to the WIN1 virtual machine. Select the Windows PowerShell used in the previous task.

  12. Enter the following PowerShell command, adjusting for your specific Linux server information, and press enter:

     ssh insert-your-linux-IP-address-here -l insert-linux-user-name-here
    
  13. Enter yes to confirm the connection and then type the user’s password and press enter. Your screen should look something like this:

    [Screenshot: linux login]

  14. You are now ready to paste the Download and onboard agent for Linux command from the earlier step. Make sure that script is in the clipboard. In PowerShell right-click the top bar and choose Edit and then Paste.

  15. Once the script is pasted, press Enter. The script downloads and runs on your Linux server over the remote shell. Wait for it to finish.

  16. When it has finished, type exit to close the remote shell connection to LIN2.

Task 4: Configure the facilities you want to collect and their severities for the Syslog connector

In this task, you will configure the Syslog collection facilities.

  1. Go back to the Edge browser where you have your Microsoft Sentinel Portal open and close the “Log Analytics workspace” page and the “Syslog” data connector page by selecting the ‘x’ in the top right corner twice.

  2. In Microsoft Sentinel portal, select Settings under Configuration and then the Workspace settings tab.

  3. Select Legacy agents management under the Settings area.

  4. Select the Syslog tab.

  5. Select the + Add facility button.

  6. Select auth from the drop-down menu for Facility name.

  7. Select the + Add facility button again.

  8. Select authpriv from the drop-down menu for Facility name.

  9. Select Apply to save your changes.
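Task 4 selects facilities by name, but what the agent sees on the wire is a numeric priority: the <PRI> at the start of each syslog line is facility * 8 + severity, so a sudo event at authpriv.notice arrives as <85> and an sshd event at auth.info as <38>. The following bash script is an added example, not part of the lab: it decodes the PRI of a few constructed log lines and shows which of them the auth and authpriv selection from this task would collect and which it would drop. The log lines are constructed for illustration and the function names are assumptions. It filters on facility only, treating every severity of a selected facility as collected; the Syslog tab also lets you untick individual severities per facility, which this example does not model.

```shell
#!/usr/bin/env bash
# Added example (not part of the lab): decode the <PRI> of syslog lines and
# show which lines the Task 4 facility selection (auth, authpriv) would collect.
# The sample lines below are constructed, not captured from LIN2.
set -u

# Facility and severity codes as numbered in RFC 5424 / <syslog.h>:
# PRI = facility * 8 + severity. Names for codes 13-15 vary by platform.
FACILITIES=(kern user mail daemon auth syslog lpr news uucp cron authpriv ftp
            ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7)
SEVERITIES=(emerg alert crit err warning notice info debug)

# decode_pri PRI -> "facility.severity", e.g. decode_pri 85 -> authpriv.notice
decode_pri() {
    local pri="$1"
    if [ "$pri" -lt 0 ] || [ "$pri" -gt 191 ]; then
        echo "invalid PRI $pri" >&2; return 1
    fi
    echo "${FACILITIES[pri / 8]}.${SEVERITIES[pri % 8]}"
}

# line_pri LINE -> the PRI number from a raw "<PRI>..." syslog line
line_pri() {
    local re='^<([0-9]{1,3})>'
    [[ "$1" =~ $re ]] || return 1
    echo "${BASH_REMATCH[1]}"
}

# collected LINE FACILITY... -> exit 0 if the line's facility is in the list
collected() {
    local line="$1" pri fac f; shift
    pri=$(line_pri "$line") || return 1
    [ "$pri" -le 191 ] || return 1
    fac="${FACILITIES[pri / 8]}"
    for f in "$@"; do
        [ "$f" = "$fac" ] && return 0
    done
    return 1
}

# Constructed sample lines: sshd logs to auth, sudo to authpriv, systemd to daemon.
SAMPLE_LOG='<38>Mar  1 10:00:01 lin2 sshd[1187]: Accepted publickey for azureuser from 203.0.113.10 port 50212 ssh2
<38>Mar  1 10:00:05 lin2 sshd[1201]: Failed password for root from 203.0.113.10 port 50220 ssh2
<85>Mar  1 10:00:07 lin2 sudo:  azureuser : TTY=pts/0 ; PWD=/home/azureuser ; USER=root ; COMMAND=/bin/bash
<30>Mar  1 10:00:09 lin2 systemd[1]: Started Daily apt download activities.
<14>Mar  1 10:00:11 lin2 someapp[2048]: user-facility chatter that the selection leaves out'

# count_collected FACILITY... -> how many sample lines the selection would forward
count_collected() {
    local n=0 line
    while IFS= read -r line; do
        if collected "$line" "$@"; then n=$((n + 1)); fi
    done <<< "$SAMPLE_LOG"
    echo "$n"
}

# Show each line's decoded facility.severity and whether auth+authpriv picks it up.
while IFS= read -r line; do
    pri=$(line_pri "$line")
    if collected "$line" auth authpriv; then tag=collected; else tag=skipped; fi
    printf '%-16s %-9s %s\n' "$(decode_pri "$pri")" "$tag" "${line#*: }"
done <<< "$SAMPLE_LOG"
```

Running the script shows three of the five constructed lines collected (the two sshd events and the sudo event) and the daemon and user lines skipped. That is the practical point of choosing auth and authpriv: SSH logins, failed passwords and privilege escalation via sudo are the events an analyst wants in the Syslog table, while facilities such as daemon and user mostly add volume.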

Proceed to Exercise 4