Lab 27 OPTIONAL – Microsoft Sentinel Kusto Queries for Microsoft Entra data sources

In this lab, you explore Microsoft Sentinel by working with Microsoft Entra ID data sources and running hunting queries using Kusto Query Language (KQL). You review how to connect data sources, create a Microsoft Sentinel workspace, and execute queries as part of security operations tasks.

Note: This lab cannot be completed in the provided training lab environment at this time. We are leaving the lab steps here so you can optionally try them in your Bring Your Own Subscription (BYOS) environment. Please read over the steps to see what is possible. We are actively working on this lab to find a work-around in the lab environment and will update it soon.

Login type: Azure resource login

Lab scenario

Microsoft Sentinel is Microsoft’s cloud-native SIEM and SOAR solution. By connecting data sources from Microsoft and third-party security solutions, you can execute security operations tasks against that data. In this lab exercise, you will create a Microsoft Sentinel workspace with a data connector to Microsoft Entra ID and execute hunting queries using Kusto Query Language (KQL).

Estimated time: 30 minutes

Exercise 1 - Configure Microsoft Sentinel for Kusto Queries

Task 1 - Create a Microsoft Sentinel workspace

  1. Sign in to the Microsoft Azure portal at https://portal.azure.com as a Global administrator.

  2. Search for and then select Microsoft Sentinel.

  3. Select + Create in the upper left corner.

  4. In the Add Microsoft Sentinel to a workspace tile, select + Create a new workspace.

  5. In Resource group, select Create new and enter Sentinel-RG.

  6. Name the workspace. Example - SentinelLogAnalytics.

  7. Select a Region close to you.

  8. Select Review + Create and then Create.

  9. After the deployment completes, select Go to resource.

  10. In the Microsoft Azure portal, search for and select Microsoft Sentinel.

  11. Select + Create, select the existing workspace that you created earlier, and then select Add to onboard the workspace to Microsoft Sentinel.

  12. If prompted, select OK to activate the Microsoft Sentinel free trial.

Task 2 - Add Microsoft Entra ID as a Data source

  1. In Microsoft Sentinel, in the left navigation menu, expand Content management and select Content hub.

  2. Use the search box to look for Entra in the list of connectors, locate Microsoft Entra ID, and select its checkbox.

  3. To the right, a preview tile will open. Select Install.

  4. After the install finishes, in the left navigation menu, expand Configuration and select Data connectors.

    Note: You should see 1 connector installed, with Microsoft Entra ID listed.

  5. Select Microsoft Entra ID and then select Open connector page.

  6. The connector page provides the instructions and next steps for the data connector. Verify that a check mark appears next to each of the Prerequisites before continuing with the Configuration.

  7. Under Configuration, check the boxes for Sign-in logs and Audit logs. Additional log sources are available but are currently in Preview and out of scope for this course.

  8. Select Apply Changes.

  9. A notification confirms that the changes were applied successfully. Return to the Microsoft Sentinel workspace by selecting the X in the top right of the connector page.

  10. Select Refresh on the Microsoft Sentinel Data connectors tile; the Connected count will show 1.

    Note: The Microsoft Entra ID data connector may take a few minutes to show in the active count.

Task 3 - Run Kusto query on User activity

  1. In Microsoft Sentinel, navigate to Logs under the General menu heading.

  2. Close the Welcome to Log Analytics window.

  3. A window with sample queries opens. Select Audit, and then search to find User IDs.

  4. Select Run.

  5. This returns a list of user IDs from Microsoft Entra ID. Because the workspace was just created, you may not see any results yet. Note the format of the query.
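
The sample query above only lists user IDs. The following added example (not part of the original lab) shows two hunting queries you can paste into the same Logs pane once the Sign-in logs and Audit logs enabled in Task 2 have been ingesting for a while: the first summarises failed sign-ins per user from SigninLogs, the second extracts who initiated directory changes from AuditLogs. The 24-hour window, the threshold of 5 failures, and the two audit categories are assumptions chosen for illustration; the table and column names are the ones the Microsoft Entra ID connector populates.

```kusto
// Added example, not from the original lab. Run each query separately:
// the Logs editor executes the query block the cursor is in.
// Assumes SigninLogs and AuditLogs have data; a new workspace returns 0 rows.

// 1. Failed sign-ins per user in the last 24 hours, with the source IPs
//    and applications involved. ResultType "0" is a successful sign-in;
//    any other value is a failure code (for example 50126 = bad credentials).
SigninLogs
| where TimeGenerated > ago(24h)          // window is an assumption
| where ResultType != "0"
| summarize FailedAttempts = count(),
            SourceIPs = make_set(IPAddress, 10),
            Apps = make_set(AppDisplayName, 5),
            LastFailure = max(TimeGenerated)
    by UserPrincipalName, ResultDescription
| where FailedAttempts >= 5               // threshold is an assumption
| order by FailedAttempts desc

// 2. Role and user-object changes from AuditLogs, pulling the initiating
//    account and IP out of the dynamic InitiatedBy column and the first
//    target object out of TargetResources.
AuditLogs
| where TimeGenerated > ago(24h)
| where Category in ("RoleManagement", "UserManagement")
| extend Initiator   = tostring(InitiatedBy.user.userPrincipalName),
         InitiatorIP = tostring(InitiatedBy.user.ipAddress),
         Target      = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, OperationName, Result, Initiator, InitiatorIP, Target
| order by TimeGenerated desc
```

Both queries use the same shape as the sample query in step 3 (table, filters, summarize or project), so they are a useful way to check that the connector is delivering data for each of the two log sources you enabled.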

Exercise summary

In this exercise, you created a Microsoft Sentinel workspace, connected the Microsoft Entra ID data connector for sign-in and audit logs, and ran KQL hunting queries against the data. This exercise showed how to bring identity telemetry into a SIEM and investigate it with Kusto Query Language.