Task 1: Deploy a Microsoft Sentinel Content Hub solution
In Microsoft Sentinel, go to the Content management menu section and select Content Hub.
Search for and select Windows Security Events.
Select the link for View details.
Select Windows Security Events plan, and select Create.
Select the RG2 resource group that includes the Microsoft Sentinel workspace, and select the Workspace.
Select Next to the Data Connectors tab (solution will deploy 2 data connectors).
Select Next to the Workbooks tab (solution installs workbooks).
Select Next to the Analytics tab (solution installs analytics rules).
Select Next to the Hunting queries tab (solution installs hunting queries).
Select Review + create.
Select Create.
Repeat these steps for the Azure Activity and the Microsoft Defender for Cloud solutions.
Task 2: Set up the data connector for Azure Activity
In Microsoft Sentinel, go to the Content management menu section and select Content Hub.
In the Content hub, filter Status for Installed solutions.
Select the Azure Activity solution and select Manage.
Select the Azure Activity Data connector and select Open connector page.
In the Configuration area under the Instructions tab, scroll down to 2. Connect your subscriptions..., and select Launch Azure Policy Assignment Wizard>.
In the Basics tab, select the ellipsis button (…) under Scope and select your subscription from the drop-down list and click Select.
Select the Parameters tab, choose your workspace from the Primary Log Analytics workspace drop-down list.
Select the Remediation tab and select the Create a remediation task checkbox.
Select the Review + Create button to review the configuration.
Select Create to finish.
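The wizard in Task 2 assigns the built-in "Configure Azure Activity logs to stream to specified Log Analytics workspace" policy to your subscription, gives the assignment a system-assigned managed identity (the policy is DeployIfNotExists and must be able to write diagnostic settings) and starts a remediation task so existing subscriptions are connected, not only new ones. The script below is an added example that does the same from the Azure CLI; it is not part of the lab. It assumes a logged-in az session, that the policy parameter is named logAnalytics, and that the az flags --mi-system-assigned, --identity-scope and --role are available in your CLI version; resource names (RG2, the assignment name) are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not lab content: automate Task 2 (Azure Activity -> Sentinel)
# with the Azure CLI. Assumes an authenticated az session.
set -eu

# Display name of the built-in policy the connector wizard assigns.
POLICY_DISPLAY_NAME="Configure Azure Activity logs to stream to specified Log Analytics workspace"

# Policy parameter document. Parameter name logAnalytics is an assumption
# taken from the built-in definition; pure function, testable offline.
policy_params_json() {
  printf '{"logAnalytics":{"value":"%s"}}' "$1"
}

# Sanity check before handing an id to Azure Policy: a wrong resource type here
# yields an assignment that never becomes compliant and logs nothing.
is_workspace_id() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.OperationalInsights/workspaces/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve the definition by display name so no policy GUID is hard-coded.
find_policy_definition() {
  az policy definition list \
    --query "[?displayName=='${POLICY_DISPLAY_NAME}'].name | [0]" -o tsv
}

# Steps of the wizard: scope = subscription, parameter = workspace,
# managed identity for the deployment, then a remediation task.
assign_activity_log_policy() {
  subscription_id="$1"; workspace_id="$2"; region="$3"
  assignment="sentinel-azure-activity"   # placeholder assignment name

  is_workspace_id "$workspace_id" || { echo "not a workspace id: $workspace_id" >&2; return 1; }
  policy_name="$(find_policy_definition)"
  [ -n "$policy_name" ] || { echo "policy definition not found" >&2; return 1; }

  az policy assignment create \
    --name "$assignment" \
    --policy "$policy_name" \
    --scope "/subscriptions/${subscription_id}" \
    --params "$(policy_params_json "$workspace_id")" \
    --mi-system-assigned \
    --identity-scope "/subscriptions/${subscription_id}" \
    --role Contributor \
    --location "$region" \
    -o none

  # Equivalent of the "Create a remediation task" checkbox: re-evaluate
  # compliance and deploy diagnostic settings for the existing subscription.
  az policy remediation create \
    --name "${assignment}-remediation" \
    --policy-assignment "$assignment" \
    --resource-discovery-mode ReEvaluateCompliance \
    -o none
}

# Usage: ./connect-activity.sh --apply <subscriptionId> <workspaceResourceId> <region>
if [ "${1:-}" = "--apply" ]; then
  assign_activity_log_policy "${2:?subscription id}" "${3:?workspace resource id}" "${4:?region}"
fi
```

After the remediation finishes, the AzureActivity table starts receiving events; until then the Azure Activity workbook and the Task 4 rule have nothing to evaluate, so check `az policy remediation show` (or the Remediation blade) before assuming the connector is silent for another reason.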
Task 3: Set up the Defender for Cloud data connector
In Microsoft Sentinel, go to the Content management menu section and select Content Hub.
In the Content hub, filter Status for Installed solutions.
Select the Microsoft Defender for Cloud solution and select Manage.
Select the Subscription-based Microsoft Defender for Cloud (Legacy) Data connector and select Open connector page.
In the Configuration area under the Instructions tab, scroll down to your subscription and move the slider in the Status column to Connected.
Make sure Bi-directional sync is Enabled.
Task 4: Create an analytics rule
In Microsoft Sentinel, go to the Configuration menu section and select Analytics.
In the Rule templates tab, search for Suspicious number of resource creation or deployment activities.
Select the Suspicious number of resource creation or deployment activities, and select Create rule.
Leave the defaults on the General tab and select Next: Set rule logic >.
Leave the default Rule query and, under Query scheduling, set both 'Run query every' and 'Lookup data from the last' to 1 hour.
Leave the defaults and select Next: Automated response >.
Leave the defaults and select Next: Review and create >.
Select Save.
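What the Task 4 wizard saves is a Scheduled analytics rule resource under the workspace, with the two scheduling settings stored as ISO 8601 durations (1 hour becomes PT1H). The script below is an added example, not the lab's or Microsoft's code, that builds that resource and creates it through the Sentinel REST API with az rest (api-version 2023-02-01). The KQL is a constructed stand-in that counts successful Azure Activity write operations per caller; it is not the text of the "Suspicious number of resource creation or deployment activities" template, whose query the lab does not reproduce. The display name, severity, tactic and the rule-id argument are placeholders or assumptions.

```shell
#!/usr/bin/env bash
# Added example, not lab content: create the Task 4 scheduled rule via REST.
# Assumes an authenticated az session with rights on the Sentinel workspace.
set -eu

API_VERSION="2023-02-01"
DISPLAY_NAME="Suspicious number of resource creation or deployment activities"

# Constructed stand-in query (single line, single-quoted KQL strings so the
# JSON body needs no escaping). Not the rule template's own query.
RULE_QUERY="AzureActivity | where OperationNameValue endswith '/write' and ActivityStatusValue == 'Success' | summarize Writes = count() by Caller, bin(TimeGenerated, 1h) | where Writes > 10"

# "1 hour" in the portal is PT1H on the wire.
hours_to_duration() { printf 'PT%dH' "$1"; }

# Lookback shorter than the schedule leaves gaps: events between two runs are
# never evaluated. The lab's 1h/1h setting is the minimum gap-free choice.
validate_schedule() {
  run_every_h="$1"; lookback_h="$2"
  [ "$lookback_h" -ge "$run_every_h" ]
}

# Pure function: emits the request body for a Scheduled alert rule.
build_rule_body() {
  display_name="$1"; run_every_h="$2"; lookback_h="$3"
  validate_schedule "$run_every_h" "$lookback_h" || {
    echo "lookback ${lookback_h}h is shorter than schedule ${run_every_h}h" >&2; return 1; }
  printf '{"kind":"Scheduled","properties":{"displayName":"%s","enabled":true,"severity":"Medium","query":"%s","queryFrequency":"%s","queryPeriod":"%s","triggerOperator":"GreaterThan","triggerThreshold":0,"suppressionDuration":"PT5H","suppressionEnabled":false,"tactics":["Impact"]}}' \
    "$display_name" "$RULE_QUERY" \
    "$(hours_to_duration "$run_every_h")" "$(hours_to_duration "$lookback_h")"
}

# PUT the rule. rule_id is any new GUID you choose (e.g. from uuidgen).
create_rule() {
  sub="$1"; rg="$2"; ws="$3"; rule_id="$4"
  url="https://management.azure.com/subscriptions/${sub}/resourceGroups/${rg}/providers/Microsoft.OperationalInsights/workspaces/${ws}/providers/Microsoft.SecurityInsights/alertRules/${rule_id}?api-version=${API_VERSION}"
  az rest --method put --url "$url" \
    --body "$(build_rule_body "$DISPLAY_NAME" 1 1)" \
    --output none
}

# Usage: ./create-rule.sh --apply <subscriptionId> RG2 <workspaceName> <newRuleGuid>
if [ "${1:-}" = "--apply" ]; then
  create_rule "${2:?subscription id}" "${3:?resource group}" "${4:?workspace name}" "${5:?rule guid}"
fi
```

Creating the rule by hand like this is also how you can diff a tuned rule against the template later: a GET on the same URL returns the stored properties, so a change to queryFrequency or queryPeriod made in the portal is visible outside it.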
Task 5: Ensure that the Azure Activity workbook is available in My workbooks
In Microsoft Sentinel, go to the Content management menu section and select Content Hub.
In the Content hub, filter Status for Installed solutions.
Select the Azure Activity solution and select Manage.
Select the Azure Activity workbook checkbox, and then select Configuration.
Select the Azure Activity workbook and select Save.
Choose the Azure Region for your Microsoft Sentinel workspace.