Demonstrating Microsoft Sentinel features that include security incidents, alerts, workbooks, and meaningful hunting queries,
For any SIEM solution, good demos and simulations rely on predictable ingested data.
Our new Sentinel ingestion-SampleData-as-a-service uses the new Azure Monitor ingestion API to ingest raw events into Sentinel workspaces and to manipulate them on the way in.
This tool provides a simple way to ingest sample data, either once or on a schedule, into a built-in table or a custom table. It accepts log files (JSON or CSV) hosted in public GitHub repositories or in Azure Storage accounts (optionally protected by a SAS key).
Users can also transform these logs before they are sent to the destination table.
We can use this solution to ingest data on demand into either kind of table mentioned above, built-in or custom.
This tool can be used to address the following business use cases:
Delays in log ingestion
Functionality of the analytical rule engine
Creation of incidents
Automation scenarios (trigger an automation rule when an incident or alert is created).
To deploy this solution, log in with a user that has deployment permissions, navigate to this GitHub repository and press Deploy.
On the Azure template deployment page, review the input properties shown in the screenshot above:
As soon as the installation is complete, open the relevant resource group and review the new resources.
Follow the diagram above during the post-deployment phase to assign permissions to the two managed identities. Note that the scopes of the assignments change if the solution is deployed in a different resource group than the target Sentinel workspace.
These are the permissions needed after deployment (role names are the Azure built-in roles):
Identity type                       | Permission                   | Scope
Automation account managed identity | Automation Contributor       | Workspace resource group
Automation account managed identity | Log Analytics Contributor    | Workspace resource group
Automation account managed identity | Monitoring Contributor       | Workspace resource group
Automation account managed identity | Monitoring Metrics Publisher | Solution resource group
Azure Function managed identity     | Reader                       | Workspace resource group
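The role assignments in the table, scripted with Az PowerShell so they can be re-run safely. This is an added example, not the solution's own deployment code; the resource group and resource names are placeholders, and it assumes the solution was deployed into its own resource group with system-assigned identities enabled on both the Automation account and the Function App.

```powershell
# Added example (not part of the solution): assign the post-deployment roles to the two
# managed identities. Placeholder names below are assumptions; replace them with your own.
$SolutionRg            = 'rg-sentinel-sampledata'   # resource group the solution was deployed into
$WorkspaceRg           = 'rg-sentinel-prod'         # resource group of the target Sentinel workspace
$AutomationAccountName = 'aa-sampledata'
$FunctionAppName       = 'func-sampledata'

# Read the principal IDs of the system-assigned managed identities straight from the resources
$aaId = (Get-AzResource -ResourceGroupName $SolutionRg -ResourceType 'Microsoft.Automation/automationAccounts' -Name $AutomationAccountName).Identity.PrincipalId
$fnId = (Get-AzResource -ResourceGroupName $SolutionRg -ResourceType 'Microsoft.Web/sites' -Name $FunctionAppName).Identity.PrincipalId
if (-not $aaId -or -not $fnId) {
    throw 'A managed identity is missing; enable the system-assigned identity on both resources first.'
}

# One entry per row of the permission table; Scope is the resource group the role is granted on
$assignments = @(
    @{ ObjectId = $aaId; Role = 'Automation Contributor';       Scope = $WorkspaceRg },
    @{ ObjectId = $aaId; Role = 'Log Analytics Contributor';    Scope = $WorkspaceRg },
    @{ ObjectId = $aaId; Role = 'Monitoring Contributor';       Scope = $WorkspaceRg },
    @{ ObjectId = $aaId; Role = 'Monitoring Metrics Publisher'; Scope = $SolutionRg  },
    @{ ObjectId = $fnId; Role = 'Reader';                       Scope = $WorkspaceRg }
)

foreach ($a in $assignments) {
    # Skip assignments that already exist so the script is idempotent
    $existing = Get-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionName $a.Role `
                    -ResourceGroupName $a.Scope -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "ok       $($a.Role) on $($a.Scope)"
        continue
    }
    New-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionName $a.Role -ResourceGroupName $a.Scope | Out-Null
    Write-Host "created  $($a.Role) on $($a.Scope)"
}
```

Two practical notes. A freshly created managed identity can take a minute to replicate, so a "principal not found" error right after deployment is usually solved by re-running. And these are Contributor-level roles on the workspace's resource group, which is far more than a demo tool needs in production; keep the solution in a dedicated resource group, and remove the assignments (or the whole solution) when the demo environment is no longer needed.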
We are ready to ingest some sample data!
When we open the workbook and approve the trusted zone notification, we see the input properties shown above. These input properties are discussed in the sections that follow.
The filePath property expects a file hosted in a public GitHub repository or in an Azure Storage account (optionally protected by a SAS key). A SAS URL is a bearer credential: scope it to read-only access on the container or blob, give it a short expiry, and never commit it to a public repository.
Example location on GitHub can be https://raw.githubusercontent.com/Yaniv-Shasha/Sentinel/master/Sample_Data/scenarios/Security Event ...
Example for Storage account file input:
Set the file format to match the input file: CSV or JSON.
Select the destination table.
Note that the input file's schema needs to be aligned with the destination table's schema for the ingestion to succeed.
The table schemas are documented in the Azure Monitor table reference index by category on Microsoft Docs.
For custom tables, the target table schema can be defined in one of two ways.
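A pre-flight check for the schema-alignment requirement above, added here as an example and not part of the solution. It reads the destination table's real schema from the workspace with the KQL `getschema` operator (so it works for built-in and custom tables alike), then compares a local copy of the sample file against it. The workspace ID, file path and table name are placeholders.

```powershell
# Added example (not part of the solution): verify a sample file against the destination
# table's schema before pointing the workbook at it. Placeholders below are assumptions.
$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # Log Analytics workspace (customer) ID
$FilePath    = '.\SecurityEvent_sample.json'           # local copy of the file you will ingest
$TargetTable = 'SecurityEvent'

# Returns $true when a single value converts to the given KQL column type.
# string/dynamic/guid accept anything; bool is left to the service because [bool]'false' is $true in PowerShell.
function Test-KqlValue {
    param([object]$Value, [string]$KqlType)
    try {
        switch ($KqlType) {
            'datetime' { [void][datetime][string]$Value; $true }
            'int'      { [void][int][string]$Value;      $true }
            'long'     { [void][long][string]$Value;     $true }
            'real'     { [void][double][string]$Value;   $true }
            default    { $true }
        }
    } catch { $false }
}

# 1. Columns and types the destination table actually has. KQL column names are case-sensitive,
#    so use a case-sensitive hashtable (the @{} literal would be case-insensitive).
$schema = (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query "$TargetTable | getschema").Results
$tableColumns = [hashtable]::new()
foreach ($row in $schema) { $tableColumns[$row.ColumnName] = $row.ColumnType }
if ($tableColumns.Count -eq 0) { throw "Table '$TargetTable' returned no schema from workspace $WorkspaceId" }

# 2. Records in the sample file: a CSV with a header row, or a JSON array of objects
$records = @(if ($FilePath -like '*.csv') { Import-Csv -Path $FilePath }
             else { Get-Content -Raw -Path $FilePath | ConvertFrom-Json })
if ($records.Count -eq 0) { throw "No records found in $FilePath" }
$fileColumns = @($records[0].PSObject.Properties.Name)

# 3. Every file column must exist in the table, and its values must convert to the table's type
$report = @(foreach ($col in $fileColumns) {
    if (-not $tableColumns.ContainsKey($col)) { "$col : not a column of $TargetTable (check spelling and case)"; continue }
    $bad = @($records | Where-Object { -not (Test-KqlValue -Value $_.$col -KqlType $tableColumns[$col]) }).Count
    if ($bad -gt 0) { "$col : $bad value(s) do not convert to $($tableColumns[$col])" }
})
if ($fileColumns -notcontains 'TimeGenerated') {
    $report += 'TimeGenerated : missing; the solution needs it to place events on the timeline'
}

if ($report) { $report | ForEach-Object { Write-Warning $_ } }
else { Write-Host "$FilePath matches the $TargetTable schema ($($records.Count) records, $($fileColumns.Count) columns)" }
```

One caveat the check cannot catch: the Azure Monitor Logs Ingestion API only accepts a subset of the built-in tables (SecurityEvent, CommonSecurityLog, Syslog and WindowsEvent are among them), so a file that matches the schema of an unsupported built-in table will still be rejected at ingestion time.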
The start date (the TimeGenerated field) is an important field, and in this section we will share the different use cases around it.
** If the user chooses scheduled ingestion, the solution disregards the TimeGenerated values in the file: it pushes the data at the nearest run and then follows the schedule.
Users can overwrite values from the sample file using this option.
By using Azure Monitor's brand-new API, the solution lets users modify values before ingestion occurs.
The user must choose a column in the replace list for the ingestion to begin. If the user does not wish to overwrite a column, they still need to select a column and leave its value unchanged.
In the screenshot above, select the Account column and change the replacement value to a brand-new account name.
Users can define one-time or periodic ingestion:
1a. One-time ingestion: the user must press the Ingest button.
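The two transformations the workbook applies before a one-time ingestion, re-basing TimeGenerated and overwriting one column, done by hand and then sent through the Azure Monitor Logs Ingestion API. This is an added example and not the solution's own code: the sample events are constructed for the example, and the data collection endpoint URI, DCR immutable ID and stream name are placeholders you would take from your own DCR.

```powershell
# Added example (not part of the solution). Requires Az.Accounts and a DCR whose stream maps to the
# destination table; the caller needs "Monitoring Metrics Publisher" on that DCR. All three placeholders are assumptions.
$DceUri         = 'https://dce-sampledata-xxxx.eastus-1.ingest.monitor.azure.com'
$DcrImmutableId = 'dcr-00000000000000000000000000000000'
$StreamName     = 'Microsoft-SecurityEvent'   # built-in tables use Microsoft-<Table>; custom tables use Custom-<Table>_CL

# Constructed sample events (not from the page's repository): three SecurityEvent-like records
# spaced one hour apart, still carrying the timestamps from when they were captured.
$sample = @'
[
 {"TimeGenerated":"2022-03-01T08:00:00Z","Computer":"DC01","Account":"CONTOSO\\alice","EventID":4624,"Activity":"4624 - An account was successfully logged on."},
 {"TimeGenerated":"2022-03-01T09:00:00Z","Computer":"DC01","Account":"CONTOSO\\alice","EventID":4625,"Activity":"4625 - An account failed to log on."},
 {"TimeGenerated":"2022-03-01T10:00:00Z","Computer":"SRV02","Account":"CONTOSO\\alice","EventID":4688,"Activity":"4688 - A new process has been created."}
]
'@
$events = @($sample | ConvertFrom-Json)

# 1. Re-base the timeline: keep the gaps between events but end the sequence at "now", so the events
#    fall inside an analytics rule's lookback window instead of months in the past.
$times  = @($events | ForEach-Object { ([datetime]$_.TimeGenerated).ToUniversalTime() })
$latest = ($times | Sort-Object)[-1]
$offset = (Get-Date).ToUniversalTime() - $latest
for ($i = 0; $i -lt $events.Count; $i++) {
    $events[$i].TimeGenerated = ($times[$i] + $offset).ToString('o')   # ISO 8601, UTC
}

# 2. Overwrite one column, as the workbook's replace list does
$ReplaceColumn = 'Account'
$ReplaceValue  = 'CONTOSO\demo.user'   # assumed replacement value
foreach ($e in $events) { $e.$ReplaceColumn = $ReplaceValue }

# 3. Send the batch. Token audience is https://monitor.azure.com; newer Az.Accounts return the token
#    as a SecureString, so handle both shapes. One call is limited to 1 MB, so chunk larger files.
$raw   = (Get-AzAccessToken -ResourceUrl 'https://monitor.azure.com').Token
$token = if ($raw -is [securestring]) { [System.Net.NetworkCredential]::new('', $raw).Password } else { $raw }
$uri   = "$DceUri/dataCollectionRules/$DcrImmutableId/streams/$StreamName" + '?api-version=2023-01-01'
$body  = ConvertTo-Json -InputObject @($events) -Depth 5 -Compress
try {
    Invoke-RestMethod -Method Post -Uri $uri -Headers @{ Authorization = "Bearer $token" } `
                      -ContentType 'application/json' -Body $body
    Write-Host "Sent $($events.Count) events to $StreamName (the API answers 204 No Content on success)"
} catch {
    throw "Ingestion failed: $($_.Exception.Message)"
}
```

This mirrors the one-time path only; in the scheduled mode described above the solution ignores the file's TimeGenerated values and stamps each run with its own time. Expect a delay of a few minutes before the re-based events appear in the workspace, which is exactly the ingestion-latency scenario listed among the use cases.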
Now it's time to simulate sample data and create great demos in Microsoft Sentinel!