Enhancing Your Microsoft Sentinel Environment with Content Hub Solution (Part 2)

Introduction

In our previous post, we established the foundation for a Microsoft Sentinel environment. Now, we'll expand its capabilities by incorporating Content Hub solutions. These pre-built solutions accelerate threat detection and investigation.

Deploying Content Hub Solutions

To start, we'll deploy several essential Content Hub solutions:

1. Navigate to the Content Management section in your Microsoft Sentinel workspace and select Content Hub.

   

2. Search for Windows Security Events and select View details.

   

3. Choose the Windows Security Events plan and click Create.

   

4. Select the appropriate resource group and workspace, then click Review+Create.

   

5. Repeat steps 2-4 for Azure Activity and Microsoft Defender for Cloud solutions.

   

   

Configuring Data Connectors

To effectively leverage these solutions, we need to set up data connectors:

Azure Activity Data Connector

1. In the Content Hub, filter for Installed solutions and select Azure Activity.

   

2. Choose Manage and then Open connector page.

   

3. Under Instructions, click Launch Azure Policy Assignment Wizard.

   

4. Select your subscription and resource group.

   

5. In the Parameters tab, choose your Log Analytics workspace.

   

6. In the Remediation tab, enable Create a remediation task and ensure the System Assigned Identity location is correct.

7. Click Review+Create.

   

Defender for Cloud Data Connector

1. Return to the Content Hub and select the Microsoft Defender for Cloud solution.

   

2. Choose Manage and then Open connector page.

   

3. Locate your subscription and enable the Connected slider.

   

4. Ensure By-directional sync is enabled.

5. If you encounter issues, verify that you have a pricing plan enabled for your subscription in the Microsoft Defender portal.

Creating an Analytics Rule

To proactively identify potential threats, let's create an analytics rule:

1. Go to the Analytics section in Microsoft Sentinel.

   

2. Under Rule templates, search for "Suspicious number of resource creation or deployment activities".

   

3. Click the ellipsis and select Create rule.

   

4. In the General tab click "Next: Set rule logic >."

   

5. In the Query Scheduling section, set the query to run every hour and look up data from the last hour.

   

6. Save the rule.

Adding Azure Activity Workbook

To gain valuable insights, we'll add the Azure Activity workbook:

1. In the Content Hub, filter for Installed solutions and select Azure Activity.

   

2. Choose Manage and then Configuration.

   

3. Select Azure Activity, choose your region, and click Save.

   

Summary

By following these steps, you've significantly enhanced your Microsoft Sentinel environment.

In the next post, we'll explore how to configure a data connector data collection rule.