Enhancing Your Microsoft Sentinel Environment with Content Hub Solution (Part 2)


This content originally appeared on DEV Community and was authored by Jimi

Introduction

In our previous post, we established the foundation for a Microsoft Sentinel environment. Now, we'll expand its capabilities by incorporating Content Hub solutions. These pre-built solutions accelerate threat detection and investigation.

Deploying Content Hub Solutions

To start, we'll deploy several essential Content Hub solutions:

  1. Navigate to the Content Management section in your Microsoft Sentinel workspace and select Content Hub.

    Finding Content Hub

  2. Search for Windows Security Events and select View details.

    Selecting Windows Security Events

  3. Choose the Windows Security Events plan and click Create.

    Creating Windows Security Events plan

  4. Select the appropriate resource group and workspace, then click Review+Create.

    Configuring the Windows Security Events Plan

  5. Repeat steps 2-4 for Azure Activity and Microsoft Defender for Cloud solutions.

    Repeated steps for Azure Activity

    Repeated steps for Microsoft Defender for Cloud

Configuring Data Connectors

To make use of these solutions, we need to set up their data connectors so that the relevant logs actually reach the workspace:

Azure Activity Data Connector

  1. In the Content Hub, filter for Installed solutions and select Azure Activity.

    Selecting Azure Activity

  2. Choose Manage and then Open connector page.

    Opening connector page for Azure Activity

  3. Under Instructions, click Launch Azure Policy Assignment Wizard.

    Launching the Azure Policy Assignment Wizard

  4. Select your subscription and resource group.

    Configuring the Azure Activity

  5. In the Parameters tab, choose your Log Analytics workspace.

    Configuring the Azure Activity parameters

  6. In the Remediation tab, enable Create a remediation task and ensure the System Assigned Identity location is correct.

  7. Click Review+Create.

    Creating a remediation task

Defender for Cloud Data Connector

  1. Return to the Content Hub and select the Microsoft Defender for Cloud solution.

    Working on Microsoft Defender for Cloud

  2. Choose Manage and then Open connector page.

    Connector page for Microsoft Defender for cloud

  3. Locate your subscription and enable the Connected slider.

    Connecting to the Subscription

  4. Ensure Bi-directional sync is enabled.

  5. If you encounter issues, verify that a Defender for Cloud pricing plan is enabled for your subscription in the Microsoft Defender portal.

Creating an Analytics Rule

To proactively identify potential threats, let's create an analytics rule:

  1. Go to the Analytics section in Microsoft Sentinel.

    Locating Analytics

  2. Under Rule templates, search for "Suspicious number of resource creation or deployment activities".

    Finding an Analytics rule

  3. Click the ellipsis and select Create rule.

    Creating an Analytics rule

  4. In the General tab, leave the details as they are and click "Next: Set rule logic >".

    Leaving the plan details the same

  5. In the Query scheduling section, set the query to run every hour with a lookup period covering the last hour of data.

    Configuring the Query Scheduling

  6. Save the rule.
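The rule template above counts resource creation and deployment operations per caller inside each scheduled lookback window and alerts when a caller exceeds a threshold. The following added example (written for this post, not the template's own KQL and not code from the original article) reproduces that detection logic offline in Python over a handful of constructed records shaped like a subset of AzureActivity columns. Column names (TimeGenerated, Caller, OperationNameValue, ActivityStatusValue, ResourceGroup) are real AzureActivity columns; the callers, times and the threshold of 5 are assumptions made up for the demonstration, and `WINDOW_END` stands in for the time at which the scheduled rule runs.

```python
"""Offline illustration of the detection idea behind the Sentinel rule template
"Suspicious number of resource creation or deployment activities".

Within one scheduled lookback window (one hour, matching the rule's query
scheduling), count successful write/deployment operations per caller and flag
callers whose count exceeds a threshold.  Not the template's KQL; an added
Python re-implementation for study.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed run time of the scheduled rule (constructed value).
WINDOW_END = datetime(2024, 8, 3, 19, 0, tzinfo=timezone.utc)

# ActivityStatusValue spellings treated as a completed operation.
SUCCESS_STATES = {"Success", "Succeeded"}


def _rec(minutes_before, caller, op, status="Success", rg="rg-prod"):
    """Build one constructed AzureActivity-like record."""
    return {
        "TimeGenerated": WINDOW_END - timedelta(minutes=minutes_before),
        "Caller": caller,
        "OperationNameValue": op,
        "ActivityStatusValue": status,
        "ResourceGroup": rg,
    }


# Constructed sample data: every value below is made up for this example.
SAMPLE_RECORDS = (
    # alice: seven successful VM writes inside the window -> should be flagged
    [_rec(5 * i, "alice@contoso.example",
          "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE") for i in range(1, 8)]
    # alice: a deployment 90 minutes ago, outside the one-hour window
    + [_rec(90, "alice@contoso.example", "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE")]
    # alice: a read operation, not a creation
    + [_rec(12, "alice@contoso.example", "MICROSOFT.COMPUTE/VIRTUALMACHINES/READ")]
    # bob: two writes, well under the threshold
    + [_rec(20, "bob@contoso.example", "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE"),
       _rec(40, "bob@contoso.example", "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE")]
    # svc-deploy: six deployments, but only the odd-numbered ones succeeded
    + [_rec(7 * i, "svc-deploy", "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE",
            status="Success" if i % 2 else "Failure") for i in range(1, 7)]
)


def is_creation_or_deployment(operation_name: str) -> bool:
    """Resource creations and ARM deployments surface as '/WRITE' operations.

    Updates to existing resources are also writes, so this is a proxy for
    creation rather than an exact match; the rule template tolerates that noise
    by thresholding on volume rather than on a single event.
    """
    return operation_name.upper().endswith("/WRITE")


def in_window(record, window_end, lookback):
    """True when the record falls inside (window_end - lookback, window_end]."""
    return window_end - lookback < record["TimeGenerated"] <= window_end


def count_creations_per_caller(records, window_end, lookback=timedelta(hours=1)):
    """Count successful creation/deployment operations per caller in the window."""
    counts = defaultdict(int)
    for r in records:
        if not in_window(r, window_end, lookback):
            continue
        if r["ActivityStatusValue"] not in SUCCESS_STATES:
            continue
        if not is_creation_or_deployment(r["OperationNameValue"]):
            continue
        counts[r["Caller"]] += 1
    return dict(counts)


def suspicious_callers(records, window_end, lookback=timedelta(hours=1), threshold=5):
    """Return {caller: count} for callers strictly above the threshold."""
    counts = count_creations_per_caller(records, window_end, lookback)
    return {caller: n for caller, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for caller, n in suspicious_callers(SAMPLE_RECORDS, WINDOW_END).items():
        print(f"ALERT: {caller} performed {n} creation/deployment operations "
              f"in the hour ending {WINDOW_END.isoformat()}")
```

Running the block flags only `alice@contoso.example` (7 operations): the deployment outside the window and the read operation are excluded, `svc-deploy` drops to 3 once failed operations are discarded, and `bob` stays under the threshold. The threshold is the knob to tune against your own environment's deployment automation; service principals that legitimately deploy in bulk are the usual source of false positives for this kind of rule.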

Adding Azure Activity Workbook

To gain valuable insights, we'll add the Azure Activity workbook:

  1. In the Content Hub, filter for Installed solutions and select Azure Activity.

    Selecting Azure Activity

  2. Choose Manage and then Configuration.

    Configuring the Azure Activity

  3. Select Azure Activity, choose your region, and click Save.

    Adding the Azure Activity to the workbook

Summary

By following these steps, you've significantly enhanced your Microsoft Sentinel environment.

In the next post, we'll explore how to configure a data collection rule for a data connector.

Jimi | Sciencx (2024-08-03T19:12:05+00:00) Enhancing Your Microsoft Sentinel Environment with Content Hub Solution (Part 2). Retrieved from https://www.scien.cx/2024/08/03/enhancing-your-microsoft-sentinel-environment-with-content-hub-solution-part-2/