Jimi

Enhancing Your Microsoft Sentinel Environment with Content Hub Solution (Part 2)

Introduction

In our previous post, we established the foundation for a Microsoft Sentinel environment. Now, we'll expand its capabilities by incorporating Content Hub solutions. These pre-built solutions accelerate threat detection and investigation.

Deploying Content Hub Solutions

To start, we'll deploy several essential Content Hub solutions:

  1. Navigate to the Content Management section in your Microsoft Sentinel workspace and select Content Hub.

    Finding Content Hub

  2. Search for Windows Security Events and select View details.

    Selecting Windows Security Events

  3. Choose the Windows Security Events plan and click Create.

    Creating Windows Security Events plan

  4. Select the appropriate resource group and workspace, then click Review+Create.

    Configuring the Windows Security Events Plan

  5. Repeat steps 2-4 for Azure Activity and Microsoft Defender for Cloud solutions.

    Repeated steps for Azure Activity

    Repeated steps for Microsoft Defender for Cloud

Configuring Data Connectors

To effectively leverage these solutions, we need to set up data connectors:

Azure Activity Data Connector

  1. In the Content Hub, filter for Installed solutions and select Azure Activity.

    Selecting Azure Activity

  2. Choose Manage and then Open connector page.

    Opening connector page for Azure Activity

  3. Under Instructions, click Launch Azure Policy Assignment Wizard.

    Launching the Azure Policy Assignment Wizard

  4. Select your subscription and resource group.

    Configuring the Azure Activity

  5. In the Parameters tab, choose your Log Analytics workspace.

    Configuring the Activity Parameters

  6. In the Remediation tab, enable Create a remediation task and ensure the System Assigned Identity location is correct.

  7. Click Review+Create.

    Creating a remediation task

Defender for Cloud Data Connector

  1. Return to the Content Hub and select the Microsoft Defender for Cloud solution.

    Working on Microsoft Defender for Cloud

  2. Choose Manage and then Open connector page.

    Connector page for Microsoft Defender for cloud

  3. Locate your subscription and enable the Connected slider.

    Connecting to the Subscription

  4. Ensure Bi-directional sync is enabled.

  5. If you encounter issues, verify that you have a pricing plan enabled for your subscription in the Microsoft Defender portal.

Creating an Analytics Rule

To proactively identify potential threats, let's create an analytics rule:

  1. Go to the Analytics section in Microsoft Sentinel.

    Locating Analytics

  2. Under Rule templates, search for "Suspicious number of resource creation or deployment activities".

    Finding an Analytics rule

  3. Click the ellipsis and select Create rule.

    Creating an Analytics rule

  4. In the General tab, click "Next: Set rule logic >".

    Leaving the plan details the same

  5. In the Query Scheduling section, set the query to run every hour and look up data from the last hour.

    Configuring the Query Scheduling

  6. Save the rule.
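
To see what the hourly schedule from step 5 means in practice, here is an added example (not part of the original post and not the rule template's own query). It replays constructed AzureActivity-style records through a simplified rule that runs every hour over the previous hour. The fixed threshold, the list of watched operations and the sample callers are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed subset of AzureActivity operations counted as creation/deployment.
WATCHED_OPS = {"MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
               "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE"}
FREQUENCY = timedelta(hours=1)  # "run every hour"
LOOKBACK = timedelta(hours=1)   # "look up data from the last hour"
THRESHOLD = 5                   # assumed fixed threshold, not the template's logic


def run_rule(events, run_time, lookback=LOOKBACK, threshold=THRESHOLD):
    """One scheduled run: count successful watched operations per caller
    in the half-open window [run_time - lookback, run_time)."""
    start = run_time - lookback
    counts = Counter(
        e["Caller"]
        for e in events
        if start <= e["TimeGenerated"] < run_time
        and e["OperationNameValue"].upper() in WATCHED_OPS
        and e["ActivityStatusValue"] == "Success"
    )
    return {caller: n for caller, n in counts.items() if n > threshold}


def run_schedule(events, first_run, runs, frequency=FREQUENCY):
    """Run the rule once per interval; return (run_time, alerts) for runs that alerted."""
    results = []
    for i in range(runs):
        run_time = first_run + i * frequency
        alerts = run_rule(events, run_time)
        if alerts:
            results.append((run_time, alerts))
    return results


def make_event(ts, caller, op, status="Success"):
    return {"TimeGenerated": ts, "Caller": caller,
            "OperationNameValue": op, "ActivityStatusValue": status}


# Constructed sample records (not real log data).
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
VM = "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"
SAMPLE_EVENTS = (
    [make_event(T0 + timedelta(minutes=5 * i), "svc-deploy@example.com", VM) for i in range(8)]
    + [make_event(T0 + timedelta(minutes=70), "alice@example.com", VM)]
    + [make_event(T0 + timedelta(minutes=10), "bob@example.com", VM, "Failure") for _ in range(9)]
)
```

Because the run frequency equals the lookback period, consecutive windows tile the timeline with no gap and no overlap, so each record is evaluated by exactly one run.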

Adding Azure Activity Workbook

To gain valuable insights, we'll add the Azure Activity workbook:

  1. In the Content Hub, filter for Installed solutions and select Azure Activity.

    Selecting Azure Activity

  2. Choose Manage and then Configuration.

    Configuring the Azure Activity

  3. Select Azure Activity, choose your region, and click Save.

    Adding the Azure Activity to the workbook

Summary

By following these steps, you've significantly enhanced your Microsoft Sentinel environment.

In the next post, we'll explore how to configure a data collection rule for a data connector.
