Azure · cloud · ~30 mins

Azure Sentinel for SIEM - Mini Project: Build & Apply

📖 Scenario: You are a security analyst setting up Azure Sentinel (renamed Microsoft Sentinel in 2021; the resource provider is still Microsoft.SecurityInsights) to monitor security events in your cloud environment. Sentinel is a cloud-native SIEM: it collects security data from many sources into a Log Analytics workspace, runs scheduled detections over that data, and raises incidents for response.
🎯 Goal: Build a simple Sentinel workspace, connect a data source, create a detection rule, and enable alerting on it so that failed sign-ins are surfaced within minutes of landing in the workspace.
📋 What You'll Learn
Create an Azure Sentinel workspace resource
Connect a data source (e.g., Azure Active Directory logs)
Create a detection rule using Kusto Query Language (KQL)
Enable alerting on the detection rule
💡 Why This Matters
🌍 Real World
Azure Sentinel is used by security teams to monitor cloud and on-premises environments for threats and respond quickly.
💼 Career
Skills in setting up and managing Azure Sentinel are valuable for cloud security engineers and analysts.
1
Create an Azure Sentinel workspace
Create an Azure Sentinel workspace resource named sentinelWorkspace in the resource group SecurityRG with location eastus. Sentinel has no workspace type of its own: this is a Log Analytics workspace with Sentinel enabled on top of it.
Hint: Use an Azure Resource Manager (ARM) template or Bicep. Declare a Microsoft.OperationalInsights/workspaces resource, then enable Sentinel on it with a Microsoft.SecurityInsights/onboardingStates resource named default that is scoped to the workspace (older templates deploy the SecurityInsights solution through Microsoft.OperationsManagement/solutions instead).

2
Connect Azure Active Directory logs as data source
Add a data connector resource named aadConnector to connect Azure Active Directory logs to the sentinelWorkspace.
Hint: The SigninLogs and AuditLogs tables are not populated by a Microsoft.SecurityInsights/dataConnectors resource; the AzureActiveDirectory connector kind only carries Identity Protection alerts. Sign-in and audit logs reach the workspace through a tenant-level diagnostic setting (microsoft.aadiam/diagnosticSettings) whose workspaceId points at sentinelWorkspace and whose logs array enables the SignInLogs and AuditLogs categories. Creating that setting needs an Azure AD role such as Global Administrator or Security Administrator on top of Azure RBAC on the workspace, so check your permissions before the deployment fails halfway.

3
Create a detection rule with KQL query
Create a scheduled analytics rule resource named failedSignInRule in sentinelWorkspace that detects failed sign-in attempts using this KQL query: SigninLogs | where ResultType != "0". ResultType is a string column in SigninLogs and "0" means success, so compare against the string, not the number 0. Set the rule to run every 5 minutes.
Hint: Use the Microsoft.SecurityInsights/alertRules resource type with kind Scheduled, scoped to the workspace, and set queryFrequency (how often the rule runs) and queryPeriod (how far back each run looks) to 5 minutes (PT5M). Sentinel requires queryPeriod >= queryFrequency; in practice a lookback somewhat longer than the frequency is safer, because an event that arrives with ingestion delay can otherwise fall between two windows and never be seen.

4
Enable alerting on the detection rule
Add an action group named emailActionGroup that sends email notifications to securityteam@example.com whenever the failed-sign-in detection fires.
Hint: Create a Microsoft.Insights/actionGroups resource with an emailReceivers entry for the address. A Sentinel alertRules resource has no property that accepts an action group: its actions sub-resource references a Logic App playbook, and Sentinel itself notifies people through automation rules and playbooks. The action-group route works with an Azure Monitor log alert (Microsoft.Insights/scheduledQueryRules, kind LogAlert) that runs the same KQL against the workspace and lists the action group under actions.actionGroups.
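All four steps as one deployable Bicep file, added here as a worked example; it is not the lab's reference solution and not a Microsoft template. It assumes the resource group SecurityRG already exists, that the deploying identity holds Contributor on it plus the Azure AD role needed for the tenant-level diagnostic setting, and that your Bicep build accepts scope: tenant() on that resource (if not, it belongs in a module with targetScope = 'tenant'). Resource names follow the lab; the API versions, the groupShortName, the failedSignInEmailAlert resource and the choice of an Azure Monitor log alert for the email are my own.

```bicep
// Added example; not the lab's own solution or a Microsoft template.
// Deploy with: az deployment group create -g SecurityRG -f main.bicep
targetScope = 'resourceGroup'

param location string = 'eastus'
param notifyEmail string = 'securityteam@example.com'

// Step 1: the Log Analytics workspace, then Sentinel enabled on it.
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: 'sentinelWorkspace'
  location: location
  properties: { sku: { name: 'PerGB2018' }, retentionInDays: 30 }
}

resource sentinel 'Microsoft.SecurityInsights/onboardingStates@2023-02-01' = {
  name: 'default' // the only name this resource type accepts
  scope: workspace
  properties: { customerManagedKey: false }
}

// Step 2: SigninLogs/AuditLogs come from a tenant-level diagnostic setting, not a
// SecurityInsights dataConnector (that kind only ships Identity Protection alerts).
// Assumption: scope: tenant() is accepted here; otherwise use a tenant-scope module.
resource aadConnector 'microsoft.aadiam/diagnosticSettings@2017-04-01' = {
  name: 'aadConnector'
  scope: tenant()
  properties: {
    workspaceId: workspace.id
    logs: [
      { category: 'SignInLogs', enabled: true }
      { category: 'AuditLogs', enabled: true }
    ]
  }
}

// Step 3: ResultType is a string column, so compare with "0"; lookback >= frequency.
var failedSignInQuery = 'SigninLogs | where ResultType != "0"'

resource failedSignInRule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  name: 'failedSignInRule'
  scope: workspace
  kind: 'Scheduled'
  dependsOn: [ sentinel ] // rule creation fails on a workspace without Sentinel
  properties: {
    displayName: 'Failed sign-in attempts'
    severity: 'Medium'
    enabled: true
    query: failedSignInQuery
    queryFrequency: 'PT5M' // how often the rule runs
    queryPeriod: 'PT5M'    // how far back each run looks
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0    // any matching row raises an alert
    suppressionEnabled: false
    suppressionDuration: 'PT1H'
    tactics: [ 'CredentialAccess' ]
  }
}

// Step 4: a Sentinel rule cannot reference an action group (Sentinel emails go via
// automation rule + playbook), so an Azure Monitor log alert runs the same KQL.
resource emailActionGroup 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'emailActionGroup'
  location: 'Global'
  properties: {
    groupShortName: 'secteam' // assumed name; 12-character limit
    enabled: true
    emailReceivers: [
      { name: 'securityTeam', emailAddress: notifyEmail, useCommonAlertSchema: true }
    ]
  }
}

resource failedSignInEmailAlert 'Microsoft.Insights/scheduledQueryRules@2022-06-15' = {
  name: 'failedSignInEmailAlert' // assumed name
  location: location
  kind: 'LogAlert'
  properties: {
    displayName: 'Failed sign-in attempts (email)'
    severity: 2
    enabled: true
    scopes: [ workspace.id ]
    evaluationFrequency: 'PT5M'
    windowSize: 'PT5M'
    criteria: {
      allOf: [
        {
          query: failedSignInQuery
          timeAggregation: 'Count'
          operator: 'GreaterThan'
          threshold: 0
          failingPeriods: { numberOfEvaluationPeriods: 1, minFailingPeriodsToAlert: 1 }
        }
      ]
    }
    actions: { actionGroups: [ emailActionGroup.id ] }
  }
}
```

After deployment, allow 10 to 15 minutes for the diagnostic setting to start shipping data and confirm ingestion with `SigninLogs | take 5` in the workspace Logs blade before expecting either rule to fire. As written, every non-zero ResultType produces an incident and an email, including interrupt codes such as 50125 (password reset) and 50140 (keep-me-signed-in prompt) that Microsoft's own failed-login rules exclude; tune with `ResultType !in ("0", "50125", "50140")`, raise triggerThreshold, or aggregate per user and alert on a count, and prefer a queryPeriod longer than queryFrequency so late-arriving events are still evaluated.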