Configure and Deploy Microsoft Sentinel as a Security Information and Event Management (SIEM) Solution


Introduction

In today’s digital landscape, protecting an organization’s IT infrastructure from evolving threats is more critical than ever. A robust Security Information and Event Management (SIEM) solution forms the backbone of modern cybersecurity strategies, providing centralized visibility, threat detection, and incident response capabilities. Microsoft Sentinel, a cloud-native SIEM and security orchestration, automation and response (SOAR) solution built on Azure, offers a comprehensive and scalable approach to securing hybrid and multi-cloud environments.

Deploying Microsoft Sentinel as a SIEM solution empowers security teams to collect, analyse, and act on security data from a variety of sources, including cloud services, on-premises infrastructure, and third-party platforms. It provides advanced features such as AI-driven threat detection, real-time monitoring, and automated incident response, helping organizations streamline their security operations and stay ahead of potential threats.

This step-by-step guide walks you through the process of deploying Microsoft Sentinel, from setting up its foundational Log Analytics Workspace to configuring data connectors, analytics rules, and response automation. Whether you are new to Sentinel or looking to refine your security setup, this guide ensures you can build a powerful SIEM solution tailored to your organization's unique needs.

Step 1: Prepare Your Azure Environment

  1. Verify Permissions:

    • To enable Microsoft Sentinel, you need contributor permissions to the subscription in which the Microsoft Sentinel workspace resides.

    • To use Microsoft Sentinel, you need either contributor or reader permissions on the resource group that the workspace belongs to.

  2. Set Up an Azure Log Analytics Workspace:

    • Sign in to your account in Azure Portal. Create a free account if you do not have one.

    • On the search bar, search for Log Analytics Workspaces and select.

    • Click +Create.

      • Create a new, dedicated resource group for the workspace. You will assign Sentinel roles at this resource group in step 4, so keeping the workspace in its own group lets you grant operators access to Sentinel without giving them rights to anything else in the subscription.

      • Choose a unique name.

      • Select the region closest to your infrastructure.

      • Click Review + create.

      • Click Create to create the workspace.

  3. Enable Microsoft Sentinel

    • On the search bar, search for and select Microsoft Sentinel.

    • Click +Create

    • Select the Log Analytics Workspace created earlier.

    • Click Add

  4. Assign a Microsoft Sentinel role to a user:

    To work in Sentinel, a user needs at least the Microsoft Sentinel Reader or Microsoft Sentinel Contributor role. Assign the role at the resource group level. Microsoft Sentinel Reader can view data, incidents, workbooks, and other Microsoft Sentinel resources. Microsoft Sentinel Contributor can do everything Reader can, and can also manage incidents (assign, dismiss, etc.), create and edit workbooks, create and edit analytics rules, and manage other Microsoft Sentinel resources.

    • On the search bar, search for and select resource group

    • Open the resource group created

    • Select Access control (IAM)

    • Select +Add and Add role assignment

    • In the Job function roles search bar, search for and select Microsoft Sentinel Contributor role

    • Click next

    • In the members tab, under assign access to, Select user, group or service principal.

    • Select +select members

    • Search for and select a user account with Azure Contributor or Owner role (you can use your account)

    • Click Select

    • Select review + assign

    • Select review + assign again to add the role
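The whole of Step 1 can also be done as code. The script below is an added example, not part of the original guide, and uses Az PowerShell rather than the portal. It assumes the Az.Accounts, Az.Resources, Az.OperationalInsights and Az.SecurityInsights (3.x) modules are installed, that Connect-AzAccount has been run with an account that can create resources and role assignments in the subscription, and that the cmdlet and parameter names match those module versions; every resource name and the analyst's UPN are placeholders to replace with your own.

```powershell
# Added example, not part of the original guide: Step 1 as a repeatable Az PowerShell script.
# Assumptions: Az.Accounts, Az.Resources, Az.OperationalInsights and Az.SecurityInsights (3.x)
# are installed, Connect-AzAccount has been run, and the signed-in account holds Owner (or
# Contributor plus User Access Administrator) on the subscription so it can create both the
# resources and the role assignment. Every name below is a placeholder.
$location = 'uksouth'
$rg       = 'rg-sentinel'          # dedicated resource group, used later as the RBAC scope
$ws       = 'law-sentinel'         # Log Analytics workspace name
$analyst  = 'analyst@contoso.com'  # UPN of the person who will operate Sentinel

# 1. Resource group. -Force makes the call idempotent if the group already exists.
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# 2. Log Analytics workspace. PerGB2018 is the pay-as-you-go pricing tier.
New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws -Location $location `
    -Sku 'PerGB2018' -RetentionInDays 90 | Out-Null

# 3. Enable Microsoft Sentinel on the workspace. Sentinel is represented by an
#    onboardingStates child resource of the workspace that is always named 'default'.
New-AzSentinelOnboardingState -ResourceGroupName $rg -WorkspaceName $ws -Name 'default' | Out-Null

# 4. Grant the analyst Microsoft Sentinel Contributor at resource-group scope only, so the
#    grant covers the Sentinel workspace and nothing else in the subscription.
$objectId = (Get-AzADUser -UserPrincipalName $analyst).Id
New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName 'Microsoft Sentinel Contributor' `
    -ResourceGroupName $rg | Out-Null

# Checks: Sentinel reports as onboarded, and the role shows up at the intended scope.
Get-AzSentinelOnboardingState -ResourceGroupName $rg -WorkspaceName $ws -Name 'default' |
    Select-Object Name, Id
Get-AzRoleAssignment -ResourceGroupName $rg -RoleDefinitionName 'Microsoft Sentinel Contributor' |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

The Scope column printed by the final check should end in /resourceGroups/rg-sentinel, not the bare subscription ID; that is the least-privilege property the dedicated resource group in step 2 is there to provide.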

Step 2: Install Microsoft Sentinel Content Hub Solutions and Data Connectors

Microsoft Sentinel Content Hub solutions serve as a centralized platform for accessing and deploying pre-built content designed to enhance the capabilities of Microsoft Sentinel in threat detection, investigation, and response. These solutions include analytics rules, hunting queries, playbooks, workbooks, data connectors, and other resources that help organizations quickly integrate threat intelligence, automate security processes, and gain actionable insights.

Deploy a Microsoft Sentinel Content Hub solution:

  1. Install Windows Security Events

    • In Microsoft Sentinel, open your workspace

    • Go to content management

    • Select Content Hub

    • Search for and select Windows Security Events

    • Select view details link

    • Under plan, select Windows Security Events and Click Create

    • On the Basic tab, select the resource group that contains the Microsoft Sentinel workspace

    • Select the workspace.

    • Select Next to go to the Data Connectors tab (the solution deploys two data connectors)

    • Select Next to go to the Workbooks tab (the solution installs workbooks)

    • Select Next to go to the Analytics tab (the solution installs analytics rules)

    • Select Next to go to the Hunting queries tab (the solution installs hunting queries)

    • Select Review and Create

    • Create

  2. Install Azure Activity: repeat the steps above, searching the Content Hub for Azure Activity.

  3. Install Microsoft Defender for Cloud: repeat the steps above, searching the Content Hub for Microsoft Defender for Cloud.

Set up the data connector for Azure Activity

  • In the Microsoft sentinel, go to content management

  • Select Content Hub

  • Filter Status for Installed solutions.

  • Select the Azure Activity solution and select Manage.

  • Select the Azure Activity Data connector and select Open connector page.

  • In the Configuration area under Instructions, scroll down to step 2, Connect your subscriptions through diagnostic settings new pipeline

  • Select Launch Azure Policy Assignment Wizard.

  • In the Basics tab, select the ellipsis button (…) under Scope

  • Select your subscription from the drop-down list

  • Select your resource group from the drop-down list

  • Click Select.

  • Select the Parameters tab, choose your workspace from the Primary Log Analytics workspace drop-down list.

  • Select the Remediation tab and select the Create a remediation task checkbox.

  • Select the Review + Create button to review the configuration.

  • Select Create to finish.

Set up the Defender for Cloud data connector

  • In the Microsoft sentinel, go to content management

  • Select Content Hub

  • Filter Status for Installed solutions.

  • Select Microsoft Defender for Cloud solution and select Manage.

  • Under Content name, select the Subscription-based Microsoft Defender for Cloud (Legacy) data connector and select Open connector page

  • In the Configuration area, scroll down to your subscription and move the slider in the Status column to Connected.

  • Make sure Bi-directional sync is Enabled. With it enabled, closing an incident in Sentinel also closes the corresponding alert in Defender for Cloud, so the two consoles do not drift apart.

Step 3: Configure Analytics Rules

  1. Set Up Analytics Rules:

    • In Microsoft Sentinel, go to the Configuration menu section and select Analytics.

    • Go to the Rule templates tab, search for and select Suspicious number of resource creation or deployment activities.

    • Click the ellipsis button (...) and select Create rule

    • Leave the defaults on the General tab and select Next: Set rule logic.

    • In the Rule query section leave the default.

    • In the Query scheduling section, set Run query every to 1 hour and Lookup data from the last to 1 hour.

    • Leave Incident and automated response settings at default

    • Select Next: Review and create

    • Save

Ensure that the Azure Activity workbook is available in My workbooks

  1. In Microsoft Sentinel, go to the Content management menu section and select Content Hub.

  2. In the Content hub, filter Status for Installed solutions.

  3. Select the Azure Activity solution and select Manage.

  4. Select the Azure Activity workbook checkbox, and then select Configuration.

  5. Select the Azure Activity workbook and select Save.

  6. Choose the Azure Region for your Microsoft Sentinel workspace.

  7. Click yes

Step 4: Configure a Data Connector Data Collection Rule

  1. Create Data Collection Rules

    Data Collection Rules (DCRs) tell the Azure Monitor Agent (AMA) which events to collect from which machines and which Log Analytics workspace to send them to. They cover Azure VMs, Arc-enabled on-premises systems, and custom logs. Follow the steps below to create and configure a DCR for Windows Security Events:
    Initiate the Creation Process:

  • Create a Windows virtual machine if you do not already have one.

  • In Microsoft Sentinel, go to configuration.

  • Select Data connectors.

  • Search for and select Windows Security Events via AMA

  • Select Open connector page

  • In the Configuration area, select +Create data collection rule

  • On the Basics tab enter a Rule Name

  • click Next Resources

  • On the Resources tab, in the Scope column, expand your subscription and the resource group that contains the VM (RG1 in this example)

  • Select your VM (VM1 in this example), and then select Next: Collect >

  • On the Collect tab leave the default of All Security Events

  • Select Next: Review + create

  • Select Create

  2. Create a near real-time (NRT) query detection

    • In Microsoft Sentinel, go to the Configuration

    • select Analytics

    • Select + Create, and NRT query rule

    • Enter a Name for the rule

    • Select Privilege Escalation from Tactics and techniques.

    • Select Next: Set rule logic

    • Enter the KQL query into the Rule query form

        // Event 4732: a member was added to a security-enabled local group.
        SecurityEvent 
        | where EventID == 4732
        // "\\" is an escaped backslash in KQL, so this matches the literal Builtin\Administrators.
        // == is case-sensitive; use =~ if you need a case-insensitive match.
        | where TargetAccount == "Builtin\\Administrators"
      

    • Select Next: Incident settings

    • Select Next: Automated response

    • Select Next: Review + Create

    • When validation is complete select Save

  3. Configure automation in Microsoft Sentinel

    • In Microsoft Sentinel, go to the Configuration

    • Select Automation

    • Select + Create, and Automation rule

    • Enter an Automation rule name,

    • Under Actions select Assign owner

    • Assign the user account you gave the Microsoft Sentinel Contributor role in Step 1 (your account) as the owner

    • Select Apply

Step 5: Test and Validate Analytic and Automation Rules

To validate that the Microsoft Sentinel deployment is receiving security events from Windows virtual machines and creating incidents from them, perform a simulated attack. The test below is a simple local privilege escalation: it creates a user on the virtual machine and adds it to the local Administrators group, which is exactly the event the NRT rule from Step 4 looks for.

  1. Perform Simulated Attack:

    • Locate and select the virtual machine in Azure

    • Go to Operations on the left pane

    • Select Run command

    • On the Run command pane, select RunPowerShellScript

    • Copy the commands below to simulate the creation of an Admin account into the PowerShell Script form

    • Select Run

         # Create a local user and set its password, then add it to the local Administrators
         # group. The group change raises Security event 4732, which the NRT rule matches.
         net user theusernametoadd /add
         net user theusernametoadd ThePassword1!
         net localgroup administrators theusernametoadd /add
      

    • In the Output window you should see The command completed successfully three times. Remove the test account from the VM once you have verified the incident, so the machine is not left with an extra local administrator.

  2. Verify Incident Creation

    • In Microsoft Sentinel, go to the Threat management

    • Select Incidents

    • You should see an incident that matches the Severity and Title you configured in the NRT rule you created

    • Select the Incident and the detail pane opens

    • The Owner should be the user account set by the Automation rule

    • The Tactics and techniques should be Privilege Escalation (from the NRT rule)

Select View full details to see all the Incident management capabilities and Incident actions
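The same validation can be scripted so it is repeatable after every change to the DCR or the rules. The script below is an added example, not part of the original guide. It assumes the Az.Compute, Az.OperationalInsights and Az.SecurityInsights (3.x) modules are installed, that Connect-AzAccount has been run, that the DCR from Step 4 already targets the VM, and that the property names on the incident object (OwnerAssignedTo, CreatedTimeUtc) match that module version; the resource group, workspace, VM and NRT rule names are placeholders for your own. It also runs the NRT rule's own query against the workspace before looking for the incident, which separates "events never arrived" from "rule did not fire".

```powershell
# Added example, not part of the original guide: Step 5 driven from Az PowerShell so the
# test, the data check and the clean-up are repeatable. Assumptions: Az.Compute,
# Az.OperationalInsights and Az.SecurityInsights (3.x) are installed, Connect-AzAccount has
# been run, the DCR from Step 4 targets the VM, and the names below are placeholders.
$rg       = 'RG1'
$ws       = 'law-sentinel'
$vm       = 'VM1'
$nrtTitle = 'Member added to local Administrators'   # whatever Name you gave the NRT rule
$user     = 'theusernametoadd'

function Invoke-OnVm([string]$Script) {
    # Run-command wrapper: Azure expects a script file, so write the text to a temp file first.
    $file = New-TemporaryFile
    Set-Content -Path $file -Value $Script
    try {
        $r = Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vm `
            -CommandId 'RunPowerShellScript' -ScriptPath $file
        $r.Value | ForEach-Object { $_.Message }
    } finally { Remove-Item $file -ErrorAction SilentlyContinue }
}

# 1. Simulated attack: create a local user and add it to Administrators. On the VM this
#    raises Security event 4720 (user created) and 4732 (member added to a local group);
#    the NRT rule keys on 4732 with TargetAccount Builtin\Administrators.
Invoke-OnVm @"
net user $user ThePassword1! /add
net localgroup administrators $user /add
"@

# 2. Check that the event reached the workspace by running the NRT rule's own query.
#    AMA ingestion usually lags a few minutes, so poll rather than fail on the first try.
$query = @'
SecurityEvent
| where TimeGenerated > ago(30m)
| where EventID == 4732
| where TargetAccount == "Builtin\\Administrators"
| project TimeGenerated, Computer, SubjectAccount, TargetAccount, MemberSid
'@
$wsId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws).CustomerId
$deadline = (Get-Date).AddMinutes(20)
do {
    Start-Sleep -Seconds 60
    $rows = (Invoke-AzOperationalInsightsQuery -WorkspaceId $wsId -Query $query).Results
} until ($rows -or (Get-Date) -gt $deadline)
if (-not $rows) {
    throw "No 4732 events for Builtin\Administrators within 20 minutes: check the DCR and AMA on $vm"
}
$rows | Format-Table

# 3. Check that Sentinel raised an incident for the rule and that the automation rule set an owner.
#    NRT rules run about once a minute, so a miss here usually means "too early", not "broken".
$incident = Get-AzSentinelIncident -ResourceGroupName $rg -WorkspaceName $ws |
    Where-Object { $_.Title -eq $nrtTitle } |
    Sort-Object CreatedTimeUtc -Descending | Select-Object -First 1
if (-not $incident) { throw "No incident titled '$nrtTitle' yet; re-run this check shortly" }
$incident | Select-Object Number, Title, Severity, Status, OwnerAssignedTo

# 4. Clean up so the VM is not left with an extra local administrator.
Invoke-OnVm @"
net localgroup administrators $user /delete
net user $user /delete
"@
```

If step 2 passes but step 3 never finds an incident, the collection path is fine and the problem is in the rule itself (disabled, wrong title, or a query that differs from the one above); if step 2 times out, look at the DCR's resource scope and the AMA extension status on the VM before touching the rule.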

Conclusion

Deploying Microsoft Sentinel as a SIEM solution provides organizations with a powerful, scalable, and intelligent tool to protect against evolving security threats. By following this step-by-step guide, you can set up Sentinel to centralize monitoring, detect threats, and respond to incidents with speed and precision. Its integration with a wide range of data sources, AI-driven insights, and automation capabilities supports a proactive and efficient approach to securing your infrastructure. With Sentinel in place, your organization can strengthen its cybersecurity posture, support compliance objectives, and stay resilient in the face of ever-changing challenges.