Microsoft Azure AZ-801 — Section 5: Identify and remediate Windows Server security issues by using Azure services

40. Monitor on-premises servers & Azure IaaS VMs by using Microsoft Sentinel

I’d like to now look into using Microsoft Sentinel to monitor our different servers, whether they be physical servers or whether they be virtual servers, virtual machines hosted either on-premises or even in Azure.

First thing is, if we go to Google and we just type, what is Microsoft Sentinel, it will tell you that Sentinel used to be called Azure Sentinel, and they recently changed the name to Microsoft Sentinel. So, we’re going to go to this little article here on the Learn documents, which is Microsoft’s official educational area for learning about products. And they tell you that basically Sentinel is both a SIEM and a SOAR based system, which is security information and event management and also security orchestration, automation and response. In other words, it is a way of grabbing log data all into one place, analyzing that log data as well as putting it all in order, enumerating it, aggregating it and correlating it. It also normalizes it. So, it could be different logs from different places, and it’s going to put it in the same formatting. And then the orchestration side of it means that it can act upon things, so it can respond. So, as you can see, it collects data, detects previously undetected threats, investigates threats, and then responds. That is what Sentinel is going to do for us.

How do we activate Sentinel? To do that, we’re going to go over to portal.azure.com. We’re going to click the menu button. We’re going to go to all services. All right. And then we’re going to just do a quick search in all services for the word sentinel. All right. So, we’ll just put that in. And once that appears up on the screen here, we’ll go into it. Microsoft Sentinel here. So, we’re going to click on it.

In order to use Sentinel, you need something called a Log Analytics workspace. So, when you go to create Microsoft Sentinel, a Log Analytics workspace is a resource in Azure that can pull log information. It can basically store log information. Keep in mind, this does cost a little bit of money to store this information. All right. We’re going to go to create a new Log Analytics workspace, or new workspace. All right. Create a resource group. Well, I’m going to call it Sentinel. All right. And it might help if I spell it correctly. Sentinel RG, for Sentinel Resource Group. So, we’ll click Okay to that. We’re going to click Review and create. We must have left something out here. I did. I didn’t scroll down. There we go. So, let’s give it a name, and we will just call this sentinellogworkspace, for lack of a better name. And then I’m going to choose East US as my region. I’m going to click Review and create. All right. And now it’s just double checking everything. And I’m going to click Create. And I will just pause the recording while that’s being created. All right.

Once that is done, here it is right here. I’m going to go ahead and click to add it, because it says Add Microsoft Sentinel to the Workspace. This is going to connect it all together. All right, so we’re just clicking Add on that. Waiting on that to complete. All right. Says it was successfully added. You’ve successfully added Microsoft Sentinel.

So, Microsoft Sentinel is now basically on-boarded into Azure and linked to your log analytics workspace. So, now all of that is connected together.

How do I connect my on-premises machine into Sentinel? Well, first off, I am sitting in front of NYC-SVR1 doing this, just as a heads up. Let me open my browser back up here. Now, I’m going to go here to my Log Analytics workspace. All right, we’ll click on that. And from there, it brings me into the Log Analytics workspace itself. All right. And right down here, it talks about connecting a data source. All right. If you wanted to connect an Azure virtual machine, you can actually do that. You can connect Azure virtual machines by using this right here, connect data source to Azure Virtual Machine.

If you have any Azure virtual machines, you can just connect those directly, which is really easy to do. But in this case, I’m dealing with a machine that is on-premises, right? So going back here, looking at our Log Analytics workspace, you’re going to see an area here called Agents management, this blade right here. So, we’re going to click on Agents management. All right. And from there, we’ve got Windows Server. We’re not doing Linux right now. We’re doing Windows Server. So, we would drop this down and we’re going to download the Windows Agent, 64 bit. So, we’ll go ahead and click on that. All right. And it’s going to go ahead and download that agent. So, we’re letting that download. Once that’s done, I’ll be able to just go ahead and open that up and we will go through the process of installing it. So, I’m going to open that up. I’m going to go ahead and click on it. As always, my virtual machine is going a bit slow just because it doesn’t have a lot of memory. But here we go. So, the Microsoft Monitoring Agent setup. I’m going to go ahead and click Next on that. I’m going to agree, click Next. All right. Do you want to connect the agent to Azure Log Analytics? Connect the agent to the Microsoft Azure Log Analytics (OMS) service, and it lets you choose the workspace to connect to. I don’t have a System Center Operations Manager server installed on-premises, so I’m not going to choose that one. All right. So, from there, we’ll click Next. All right. And just continue along with the setup here. Workspace ID and Workspace Key.

Here we are on this same web page here and there is the workspace ID, right? So we’re going to open that up and we’re just going to paste that in. All right. And then the workspace key, we’ll copy that. Okay. And it says you’re using Azure Cloud Commercial. Yes, in my case. So, I’m going to click Next. And then it says Microsoft Update offers security and important updates for Windows and other Microsoft products, including this product. Updates are delivered using your automatic update settings. If you want to use automatic update, you can, to keep it updated. But I’m just going to go ahead and click Install. All right. So, I’m going to go ahead and pause recording while that’s installing. All right. That just takes, maybe, like a minute. And then once that’s done, I’m going to click Finish and I’ve now officially installed my agent. And you may need to wait about 5 minutes and then refresh the web browser, but it should show up right here: Windows computers connected.
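The wizard steps above (agent download, connect to Azure Log Analytics, workspace ID and key, Azure Commercial cloud) can also be driven from the command line, which is how you would repeat it across many servers. The following is an added example, not part of the course or of Microsoft's own tooling: it assumes MMASetup-AMD64.exe was downloaded from the Agents management blade to C:\Temp, and the workspace ID and key are placeholders you replace with your own values. The setup switches and the AgentConfigManager COM object are documented for the Log Analytics agent; the verification step at the end mirrors the "Windows computers connected" counter, but checked from the server side.

```powershell
# Added example: silent install of the Microsoft Monitoring Agent on an
# on-premises Windows Server, joined to a Log Analytics workspace.
$WorkspaceId  = '<WORKSPACE-ID-PLACEHOLDER>'    # from the Agents management blade
$WorkspaceKey = '<WORKSPACE-KEY-PLACEHOLDER>'   # authorizes log ingestion; handle like a password
$Installer    = 'C:\Temp\MMASetup-AMD64.exe'     # assumed download location
$ExtractDir   = 'C:\Temp\MMA'

# 1. Extract setup.exe from the self-extracting package.
Start-Process -FilePath $Installer -ArgumentList "/c /t:$ExtractDir" -Wait

# 2. Quiet install. ADD_OPINSIGHTS_WORKSPACE=1 is the "Connect the agent to Azure
#    Log Analytics" option; AZURE_CLOUD_TYPE=0 is Azure Commercial, as in the wizard.
$setupArgs = @(
    '/qn', 'NOAPM=1',
    'ADD_OPINSIGHTS_WORKSPACE=1',
    'OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0',
    "OPINSIGHTS_WORKSPACE_ID=`"$WorkspaceId`"",
    "OPINSIGHTS_WORKSPACE_KEY=`"$WorkspaceKey`"",
    'AcceptEndUserLicenseAgreement=1'
)
Start-Process -FilePath (Join-Path $ExtractDir 'setup.exe') -ArgumentList $setupArgs -Wait

# 3. Verify: the HealthService (Microsoft Monitoring Agent) should be running and
#    the agent should report a connected workspace. Allow a few minutes, as in the video.
Get-Service -Name HealthService | Select-Object Name, Status

$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$mma.GetCloudWorkspaces() | ForEach-Object {
    [pscustomobject]@{
        WorkspaceId = $_.workspaceId
        Status      = $_.ConnectionStatusText   # expect "Connected" once the heartbeat is flowing
    }
}
```

Because the workspace key is all an agent needs to send data into the workspace, keep it out of scripts that get committed or shared, and regenerate it from the Agents management blade if it is ever exposed.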

We installed the agent just directly on the server, and they call that the legacy client, because now what you can do, you can also utilize Azure Arc, the Microsoft Azure Arc service, where you can install that. I’m not really getting into Arc in this video, but you can connect that way. Another thing you can do is you can use what’s called a Log Analytics gateway. This is helpful if you have machines with no internet connectivity to the Log Analytics workspace, for example, maybe you’re in an air-gapped network, like a high-security network, like in the military or something like that. This is a gateway that you could use for connecting. You can export and import information and connect to this gateway and utilize the gateway to do it. If you’re interested in that, you can Learn more right there. All right.

So, now that we’ve done that, that’s all connected. If I come over here to the menu button, let’s go to All services. And we’ll just do a quick search for Sentinel. All right. So, just doing a quick search. Well, it’s not very quick because, as I’ve mentioned, my virtual machine is struggling with only having three gigs of RAM here, but going to Microsoft Sentinel, we’ll be able to see our instance here, sentinellogworkspace, and then clicking on that we should have all the options available to us regarding Sentinel. All right. So, it’ll show us. We’ve already got some events that it’s going to show us, and we can look at analytics information, if we have any analytics information. I’m going to cascade this real quick here. Let’s just bring that in. All right. There’s a severity level here. It looks like Fusion is enabled. We can click on that and look at that event information. All right.

The other thing you can do, the other thing to keep in mind is that, you know, I’m just connecting my on-premises server to this. But Sentinel has data connectors for all sorts of services, not just the on-premises Microsoft server, but even third-party services that will grab information and pull it in, and then you can search through that analytic data. So, you can see if you have connected to any of these other services. There’s lots and lots and lots of services here that you can click on and you can connect to if you want. So, that’s something to keep in mind as well. And they’ve got some features here in preview, like the MITRE ATT&CK capabilities. But this is just showing you if you’re connected to any of these other services, which I’m not. But that is something you could check out.

Something else is kind of interesting. If we go back over here to the menu button, go to Resource groups. Sentinel allows something called KQL, which is the Kusto Query Language. I’m not going to get deep into that in this course; it’s kind of outside the scope of this course. But you can learn about this query language; it’s very similar to SQL. But if we come over here to our workspace here, our Log Analytics workspace, let’s go back to our agent here and we’ll click on our server. Click See them in logs. This will bring us into the query language dialog box here, and I can actually run queries against the log data that’s already collecting from my server. Okay. So, right now it says it’s running a query. It’s running a bit sluggish. But you can learn this Kusto Query Language and you can write pretty advanced filters with these queries. Like I could filter through and say, you know, show me the server error events, but I only want to see specific event ID numbers and things like that. And it’s going to generate that log data and show that log data up under here for you. All right. So, you kind of have to think about what you’re doing in this case here. It’s looking at heartbeats where the Heartbeat OSType is equal to Windows. The Category is the Azure Monitor agent. It’s summarizing TimeGenerated by SourceComputerId, sorting by Computer, and rendering. So, if you had multiple computers linked to this, you could see all of those. So, you can see NYC-SVR1.examlabpractice.com is reporting data currently to this Log Analytics workspace, which, of course, gives Sentinel the ability to look through for threats and alerts and things like that.
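Two KQL queries of the kind described above, run from PowerShell instead of the portal's query dialog, as an added example that is not from the course. It assumes the Az.OperationalInsights module is installed, Connect-AzAccount has been run, and the workspace ID placeholder is replaced with yours. The first query is the heartbeat check from the video with a freshness column added, so a server whose agent has gone quiet stands out; the second is the "only specific event IDs" filter, written against the SecurityEvent table, which is populated only once the Security Events data connector is enabled in Sentinel (the constructed event IDs are the standard Windows Security log IDs named in the comments).

```powershell
# Added example: run KQL against the Log Analytics workspace from PowerShell.
$WorkspaceId = '<WORKSPACE-ID-PLACEHOLDER>'   # Workspace ID (not the key) from the workspace overview

# Query 1: Windows agents seen in the last hour, and how stale each one is.
# Same idea as the portal's auto-generated "connected computers" query, plus a
# MinutesSinceLastBeat column; a machine missing from this list, or with a large
# value here, is one whose logs Sentinel is no longer receiving.
$heartbeatQuery = @'
Heartbeat
| where OSType == "Windows"
| where TimeGenerated > ago(1h)
| summarize LastBeat = max(TimeGenerated) by Computer, Category
| extend MinutesSinceLastBeat = datetime_diff("minute", now(), LastBeat)
| sort by Computer asc
'@

# Query 2: count a few security-relevant event IDs per computer over the last day.
# 4625 = failed logon, 4720 = user account created, 4732 = member added to a
# security-enabled local group. Requires the Security Events connector.
$securityQuery = @'
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4625, 4720, 4732)
| summarize Count = count() by Computer, EventID
| sort by Count desc
'@

foreach ($query in @($heartbeatQuery, $securityQuery)) {
    # Invoke-AzOperationalInsightsQuery returns an object whose .Results holds the rows.
    $response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query
    $response.Results | Format-Table -AutoSize
}
```

The heartbeat query is the one worth scheduling: the portal counter only tells you how many computers have ever connected, whereas the freshness column tells you which ones stopped reporting, which is the condition that silently blinds the SIEM.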

So, those are the concepts behind connecting your server into Microsoft Sentinel.

41. Identify & remediate security issues on-premises servers & VMs by using Defender

Now, something that’s very important to us in pretty much all aspects of both on-premises as well as cloud is obviously the focus on security, and it’s important for Microsoft to provide us with a way to integrate all of our security services and be able to monitor the goings-on in both our cloud environment as well as our on-premises environment involving security.

So, Microsoft has actually done that. They created a feature called the Azure Security Center. But I want to also show you that the name has changed just recently. It’s now known as Defender for Cloud. So, to manage the Azure Security Center, the way we would do that generally was we would just go here to the menu button, we’d go to Azure Active Directory. From there, we can click on the Security blade down here on the left. Go to Security. And then once we get into Security, there was an option here called Security Center. So, if we click on that Security Center option here, you will notice that they’re now saying Microsoft Defender for Cloud. Eventually they’re probably going to change this over to where you just go straight into Defender for Cloud. But at the creation of this video, this is the way that it worked. So, from there we can click on Microsoft Defender for Cloud and we can go straight into the portal, which again was formerly known as the Security Center, but pretty much looks the same as it did. Ultimately, just a few things have been renamed, but they’re trying to essentially create this all in one place right here in Azure where we can see security related items involving our on-premises services as well as our Azure services.

One thing to consider here is once you get into Microsoft Defender for Cloud the first time, you can click on Getting started. And if you kind of scroll down a little bit, it’ll talk a little bit about the cost here. So, if you look here to the right, you can see what the cost is to use Microsoft Defender for Cloud. So, in my case, I’ve got three servers. It mentions here 15 dollars per month per server. I don’t have any of these other services. I do have a storage account; it warns you how much that will be per transaction.

The only thing I kind of warn you about here is just to understand the cost that’s going to be involved here when you want to utilize the service. And so right now it’s telling you that you can get started with a 30-day free trial and there’s some reading material there you can look at. And then when you’re ready, you can click on Upgrade here and it tells you that it’s going to start your trial. All right. And so you get that 30-day free trial; it won’t cost you anything just to get started with it.

Now, you can go ahead and click on Install agents. And of course, that’s going to make sure that the agents are deployed via Log Analytics for the machines that are tied to your Log Analytics workspace, which we’ve looked at in a previous discussion. So, from there, once I do that, I can click on Overview here and it gives me kind of a quick glimpse of everything, including some of the most prevalent recommendations, regulatory compliance, workload protections. You know, a lot of this stuff you can click on and examine it, but you can also go a little deeper and go down here to Secure score. And Microsoft is going to kind of break down everything for you on the secure score. They can also give you an overall score eventually.

This can take a little while before it kicks in, but it’s kind of neat because what they’ll do is they’re going to rank your environment against other environments that are around the same size as yours, based on how many machines and things like that you’ve got.

Eventually you’ll see that up here, and then you can also click on View recommendations and it’s going to give you some recommendations on things you can do to improve your score.

So, if I scroll down, I can see all these different things, these different recommendations that it’s given me. So, things like: virtual machines should encrypt disks; the Log Analytics agent should be installed on all virtual machines. So, lots and lots of stuff here that I can take a look at, and I can also click on that and it’s going to give me even more information. It’s going to essentially give me a description of what needs to be done. In a lot of cases, it’ll also tell you step by step what you can do to improve it. So, this is really, really awesome, the fact that it can do this vulnerability assessment and tell me the things that are weak in my environment, both in the cloud as well as on-premises. I can also look at security alerts, if I have any security alerts, by clicking on the Security alerts blade. Once that loads up, you’ll see some additional information once this has been out there for a while and security assessments and all that have been run in your environment; again, this does take time. Once those security assessments have been running, you’ll get information such as severity level, which lets you know what the alerts are, what kind of alerts it’s discovered, all that fun stuff. And, if you want, you even have the ability to download this information to a little CSV file, which is like a little spreadsheet. All right. Some pretty neat little things here you can play around with and get a feel for. The main thing to be aware of here is that Security Center is now Defender for Cloud, and that it can be integrated, with the help of Log Analytics, with your Azure virtual machines as well as your on-premises machines. And then from there you’re able to generate nice little reports and get a good feel for the objects that you’re managing, and whether there are any kind of security issues involved. All right.
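The recommendations, alerts and CSV download described above can also be pulled with the Az.Security module, which is handy for reviewing the findings offline or feeding them into a ticketing process. This is an added example, not the course's or Microsoft's code: it assumes Az.Security is installed and Connect-AzAccount has been run against the subscription that holds the workspace, and it writes to a constructed output folder under $env:TEMP.

```powershell
# Added example: export Defender for Cloud recommendations and alerts to CSV.
$OutDir = Join-Path $env:TEMP 'defender-export'   # constructed output location
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Recommendations ("security tasks") for the subscription. Grouping by type shows
# which finding is most widespread, e.g. the missing Log Analytics agent on VMs.
$tasks = Get-AzSecurityTask
$activeTasks = $tasks | Where-Object { $_.State -eq 'Active' }
$activeTasks |
    Group-Object -Property RecommendationType |
    Sort-Object -Property Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
$tasks | Export-Csv -Path (Join-Path $OutDir 'recommendations.csv') -NoTypeInformation

# Security alerts. This mirrors the portal's CSV download button. Property names
# vary a little between Az.Security versions, so every property is kept rather
# than selecting a fixed set; inspect with Get-Member if you want to filter by severity.
$alerts = Get-AzSecurityAlert
$alerts | Export-Csv -Path (Join-Path $OutDir 'alerts.csv') -NoTypeInformation

'{0} active recommendations and {1} alerts exported to {2}' -f $activeTasks.Count, $alerts.Count, $OutDir
```

As the video notes, both lists stay sparse until the assessments have had time to run, so an empty export shortly after enabling the trial is expected rather than a sign that nothing is being scanned.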

Looking over here on Inventory, as you can see, I can see all the devices, the virtual machines and physical machines that are associated here. And I’ve got both. I’ve got a couple of virtual machines. Currently, the monitoring agent is not installed on those. I’ve got my physical machine, which does have it installed from a previous lesson, where we installed the Log Analytics agent, but my virtual machines here, you can see these virtual machines currently don’t have it. I can click on those and, as you can see, it takes me to Resource health here. And also, of course, notice it says Preview. Any time you see that word preview, just remember that they’re still working on this. This is not finalized yet. But as you can see, it says the monitoring agent is not installed on this virtual machine. That’s because I haven’t associated it yet with Log Analytics. But you can see how to do that in a previous lesson. But all in all, this is a really great capability, really great feature. The only thing I warn you about is just make sure that with your 30-day trial, you get rid of this after the 30 days if you want. That way it’s not hitting your trial tenant.