SC-200T00A: Microsoft Security Operations Analyst
© Copyright Microsoft Corporation. All rights reserved.
Learning Path 7: Connect logs to Microsoft Sentinel
Agenda
• Manage content in Microsoft Sentinel
• Connect data to Microsoft Sentinel using data connectors
• Connect Microsoft services to Microsoft Sentinel
• Connect Microsoft Defender XDR to Microsoft Sentinel
• Connect Windows hosts to Microsoft Sentinel
• Connect Common Event Format logs to Microsoft Sentinel
• Connect syslog data sources to Microsoft Sentinel
• Connect threat indicators to Microsoft Sentinel
Manage content in Microsoft Sentinel
Introduction
After completing this module, you will be able to:
1 Use solutions from the content hub
2 Connect repositories to deploy content
Content hub solutions
1 Data connectors
2 Parsers
3 Workbooks
4 Analytics rules
5 Hunting queries
6 Notebooks
7 Watchlists
8 Playbooks and Azure Logic Apps custom connectors
Connect repositories to Microsoft Sentinel workspace
When creating custom content, you can store and manage it in your own Microsoft Sentinel
workspaces, or an external source control repository, including GitHub and Azure DevOps
repositories. Managing your content in an external repository allows you to make updates to that
content outside of Microsoft Sentinel, and have it automatically deployed to your workspaces.
Supported repositories: GitHub, Azure DevOps
Connect data to Microsoft Sentinel using data connectors
Introduction
After completing this module, you will be able to:
1 Explain the use of data connectors in Microsoft Sentinel
2 Describe the Microsoft Sentinel data connector providers
3 Explain the Common Event Format and Syslog connector differences in Microsoft Sentinel
Ingest log data with Data connectors
To collect log data, you need to connect your data sources with Microsoft Sentinel Connectors. You install
Content Hub Solutions that include the data connectors.
Describe data connector providers
Microsoft Defender XDR and related Defender services
Microsoft Azure Services
Windows Security Events (via AMA)
Vendor connectors
Custom connectors (see next slide)
Common Event Format (CEF) connector
Describe data connector providers – continued
Custom Connectors
1 Codeless Connector Platform (CCP)
2 Log Analytics Agent
3 Logstash plugin
4 Logic Apps
5 PowerShell
6 The Log Analytics API
7 Azure Functions
Connect Microsoft services to Microsoft Sentinel
Introduction
After completing this module, you will be able to:
1 Connect Microsoft services data connectors
2 Explain how connectors auto-create incidents in Microsoft Sentinel
Plan for Microsoft services connectors
Prerequisites: Defender for Cloud requires Workspace Read and Write permissions.
Configuration: the Windows Security Events via AMA connector creates DCRs.
Create incidents: SecurityAlert table only.
Connect the Microsoft Defender for Cloud connectors
There are two Microsoft Defender for Cloud connectors.
The Subscription-based Microsoft Defender for Cloud (Legacy) connector allows you to stream your security alerts from Microsoft Defender for Cloud into the Microsoft Sentinel SecurityAlert table.
Connect the Microsoft Defender for Cloud connectors - continued
The Tenant-based Microsoft Defender for Cloud (Preview) connector allows you to stream your MDC alerts into the Microsoft Sentinel SecurityAlert table, and into Defender XDR alerts and incidents.
Connect the Microsoft Office 365 connector
The Office 365 activity log connector provides insight into ongoing user activities. You will get details of operations such as file downloads, access requests sent, changes to group events, set-mailbox, and details of the user who performed the actions.
Connect the Entra ID connector
Gain insights into Entra ID scenarios by connecting the Entra ID Audit and Sign-in logs to Microsoft Sentinel.
Connect the Entra ID Protection connector
The Entra ID Protection connector provides a consolidated view of at-risk users, risk events, and vulnerabilities, with the ability to remediate risk immediately and set policies to auto-remediate future events.
Other Azure Content Hub Solutions with data connectors
Azure Activity
Azure DDoS Protection
Azure Firewall
Azure Key Vault
Azure SQL Databases
Azure Web Application Firewall (WAF)
Connect Microsoft Defender XDR to Microsoft Sentinel
Introduction
After completing this module, you will be able to:
1 Activate the Microsoft Defender XDR connector in Microsoft Sentinel
2 Activate the Microsoft Defender for Cloud connector in Microsoft Sentinel
Plan for Microsoft Defender XDR connectors
Microsoft Defender XDR
Microsoft Defender for Office 365
Microsoft Defender for IoT
Connect the Microsoft Defender XDR connector
The Microsoft Defender XDR connector is installed by the Microsoft Defender XDR solution and lets you stream advanced hunting events into Microsoft Sentinel.
Connect other Microsoft Defender connectors
Microsoft Sentinel provides built-in connectors for other Microsoft Defender solutions:
• Microsoft Defender for Cloud
• Microsoft Defender for IoT
Connect Windows hosts to Microsoft Sentinel
Introduction
After completing this module, you will be able to:
1 Connect Azure Windows Virtual Machines to Microsoft Sentinel
2 Connect non-Azure Windows hosts to Microsoft Sentinel
3 Configure Azure Monitor Agent to collect security events
Plan for Windows hosts security events
Data ingestion options using Content Hub Solutions:
• Windows Security Events (via AMA) Solution
• Windows Server DNS (via AMA) Solution
• Windows Forwarded Events Solution
The solutions install data connectors for AMA and use data collection rules (DCRs).
Windows Security Events via AMA Connector
Benefits:
• Manage collection settings at scale
• Azure Monitoring Agent shared with other solutions
• Security & performance improvements
• Cost savings by using data collection rules
Limitations:
• Some features are currently available only in public preview
Requirements:
• Data Collection Rules (DCR)
• Non-Azure VMs/devices require Azure Arc
Windows Security Events via AMA Connector
Azure VMs and non-Azure Windows Machines DCR Resources
Windows Security Events DCR collection
Connect Common Event Format logs to Microsoft Sentinel
Introduction
After completing this module, you will be able to:
1 Explain the Common Event Format connector deployment options in Microsoft Sentinel
2 Explain the Common Event Format and Syslog connector differences in Microsoft Sentinel
Plan for Common Event Format (CEF) connector
Deploys a Syslog Forwarder server to support the communication between the appliance and
Microsoft Sentinel.
The server consists of a dedicated Linux machine with the Azure Monitor Agent for Linux installed.
Many of the Microsoft Sentinel Data Connectors that are vendor-specific utilize the CEF Connector.
Deployment options include Azure-based and on-premises forwarders.
CEF is recommended over the Syslog Connector because CEF provides parsed message data.
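To show what "parsed message data" means for a CEF record, here is an added Python example (not Microsoft's code and not the AMA parser) that splits a syslog-wrapped CEF line into its seven header fields and its key=value extensions, honouring the CEF escape rules; the vendor, product, addresses and the whole sample line are constructed.

```python
import re

# Header positions defined by CEF: CEF:Version|Vendor|Product|Version|EventClassID|Name|Severity|...
# Everything after the seventh pipe is the extension (key=value pairs).
HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity"]

def _unescape_ext(value):
    # Undo extension escapes: "\=" -> "=", "\\" -> "\", "\n" / "\r" -> line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Parse one CEF record (optionally prefixed by a syslog header) into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    body = line[start + 4:]
    fields, cur, i = [], [], 0
    # Header: '|' separates fields; "\|" and "\\" are the only header escapes.
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("CEF header has fewer than seven fields")
    record = dict(zip(HEADER_FIELDS, fields))
    # Extension: values may contain spaces, so split only at a space that is
    # directly followed by the next key=.
    ext = {}
    for chunk in re.split(r" (?=[A-Za-z0-9_.]+=)", body[i:].strip()):
        if chunk:
            key, _, val = chunk.partition("=")
            ext[key] = _unescape_ext(val)
    record["extensions"] = ext
    return record

# Constructed sample: one syslog-wrapped CEF event as an appliance would send it
# to the forwarder. Vendor, product and addresses are made up.
SAMPLE = ("<134>Mar 14 09:12:07 fw01 CEF:0|ExampleVendor|ExampleFW|3.2|100|"
          "Deny \\| egress|6|src=10.1.2.3 spt=51522 dst=203.0.113.9 dpt=443 "
          "proto=TCP act=deny msg=Policy rule 17 matched cs1Label=Rule\\=Name")

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```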
CEF log collection architecture
This diagram illustrates the architecture of CEF log collection in Microsoft Sentinel, using
the Common Event Format (CEF) via AMA (Preview) connector.
Connect your external solution using the CEF connector
Create a data collection rule and use the link provided on the connector page. You will run the script on the designated machine.
Connect syslog data sources to Microsoft Sentinel
Introduction
After completing this module, you will be able to:
1 Describe the Syslog Data Collection Rule (DCR) configuration in Microsoft Azure
2 Understand the Azure Monitor Agent for Linux deployment
3 Create and configure the DCR to send data to Microsoft Sentinel
4 Create a parser using KQL in Microsoft Sentinel
Plan for the syslog connector
Overview
Stream events from Linux-based, Syslog-supporting machines or appliances into Microsoft Sentinel using the Azure Monitor Agent for Linux and Data Collection Rules (DCRs).
The host’s native Syslog daemon will collect local events of the specified types and forward them locally to the agent, which will stream them to your Log Analytics workspace.
How it works
Syslog is an event logging protocol that is common to Linux. When the Azure Monitor Agent for Linux is installed on your VM or appliance, the process configures the local Syslog daemon to forward messages to the agent on TCP port 25224.
The agent then sends the message to your Log Analytics workspace over HTTPS, where it is parsed into an event log entry in the Syslog table in Microsoft Sentinel > Logs.
Syslog Architecture
Collect data from Azure Linux hosts using a syslog DCR
Adding Azure Linux Virtual Machines as a Syslog DCR resource deploys the Azure Monitor Agent to them.
Connect non-Azure Linux Hosts using Azure Arc
When connecting non-Azure Linux hosts, you provision them using Azure Arc.
Configure the Data Collection Rule to collect and deliver
The Data Collection Rule will only collect events with the facilities and severities that are specified
in its configuration.
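As an added illustration (not Microsoft's code and not the DCR's actual implementation), the following Python mimics that facility/severity filtering: it decodes each syslog <PRI> header into a facility and severity name and keeps only the events a DCR configured for the auth and authpriv facilities at Info and above would collect. The SyslogDcr class, the facility/severity name tables and the sample lines are constructed for this example.

```python
import re
from dataclasses import dataclass

# Standard syslog facility keywords (index = facility number) and severity
# names (index = severity number); illustrative, chosen to match the vocabulary
# a Syslog DCR is configured in.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Info", "Debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility, severity) names from the <PRI> prefix; PRI = facility*8 + severity."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI> header")
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

@dataclass
class SyslogDcr:
    """Hypothetical stand-in for the Syslog data source of a DCR: which facilities
    to collect and which severities to keep for them."""
    facility_names: set
    log_levels: set

    def collects(self, line):
        facility, severity = decode_pri(line)
        return facility in self.facility_names and severity in self.log_levels

def filter_lines(dcr, lines):
    """Return only the lines the DCR would forward to the Syslog table."""
    return [line for line in lines if dcr.collects(line)]

# Constructed sample events as the local syslog daemon hands them to the agent.
SAMPLE_LINES = [
    "<38>Mar 14 09:12:07 web01 sshd[2211]: Accepted publickey for alice from 10.1.2.3 port 51522 ssh2",  # auth.Info
    "<84>Mar 14 09:12:09 web01 sudo: bob : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",         # authpriv.Warning
    "<30>Mar 14 09:12:10 web01 systemd[1]: Started Daily apt download activities.",                     # daemon.Info
    "<13>Mar 14 09:12:11 web01 alice: test message",                                                     # user.Notice
]

# DCR that keeps authentication-related events at Info and above (Debug excluded).
AUTH_DCR = SyslogDcr(facility_names={"auth", "authpriv"}, log_levels=set(SEVERITIES[:7]))

if __name__ == "__main__":
    for line in filter_lines(AUTH_DCR, SAMPLE_LINES):
        print(decode_pri(line), line[:60])
```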
Parse syslog data with KQL
// save as a function named: MyParser
Syslog
| where ProcessName contains "squid"
| extend
    // text after the HTTP method (and optional scheme://) up to the next space or colon
    URL = extract("(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)", 3, SyslogMessage),
    // first dotted quad that follows a numeric field and a space
    SourceIP = extract("([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))", 2, SyslogMessage),
    // token after the URL that follows CONNECT or GET
    User = extract("(CONNECT |GET )([^ ]* )([^ ]+)", 3, SyslogMessage),
    // digits after the colon in the target of CONNECT or GET
    RemotePort = extract("(CONNECT |GET )([^ ]*)(:)([0-9]*)", 4, SyslogMessage),
    // same as URL but stops at the first slash as well
    Domain = extract("(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)", 3, SyslogMessage)
// use the function/parser
MyParser
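To see what the five regexes of MyParser actually pull out of a squid line, here is an added Python re-implementation (not part of the course material) run over two constructed squid access-log messages; kql_extract approximates KQL's extract() by returning the capture group of the first match, or an empty string when nothing matches.

```python
import re

# The five regexes from the MyParser KQL function, as Python raw strings.
# KQL writes a literal slash as "\\/" inside its string literal; in a Python
# raw string that is "\/". The second tuple element is the capture group.
FIELDS = {
    "URL":        (r"(([A-Z]+ [a-z]{4,5}:\/\/)|[A-Z]+ )([^ :]*)", 3),
    "SourceIP":   (r"([0-9]+ )(([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3}))", 2),
    "User":       (r"(CONNECT |GET )([^ ]* )([^ ]+)", 3),
    "RemotePort": (r"(CONNECT |GET )([^ ]*)(:)([0-9]*)", 4),
    "Domain":     (r"(([A-Z]+ [a-z]{4,5}:\/\/)|[A-Z]+ )([^ :\/]*)", 3),
}

def kql_extract(pattern, group, text):
    """Approximate KQL extract(regex, captureGroup, source): the capture group
    of the first match, or an empty string when there is no match."""
    m = re.search(pattern, text)
    return m.group(group) if m else ""

def parse_squid(syslog_message):
    """Apply every MyParser field to one SyslogMessage value."""
    return {name: kql_extract(pat, grp, syslog_message) for name, (pat, grp) in FIELDS.items()}

# Constructed SyslogMessage values in squid's native access-log layout:
# timestamp elapsed client status/code bytes method URL user hierarchy/peer type
SAMPLES = [
    "1710412327.123 245 10.1.2.3 TCP_MISS/200 1234 GET http://example.com/index.html "
    "alice HIER_DIRECT/93.184.216.34 text/html",
    "1710412327.456 120 10.1.2.4 TCP_TUNNEL/200 5678 CONNECT example.org:443 "
    "bob HIER_DIRECT/203.0.113.5 -",
]

# Note on the GET line: the RemotePort regex backtracks to the "http:" colon and
# "[0-9]*" then matches nothing, so a URL without an explicit port yields "".

if __name__ == "__main__":
    for message in SAMPLES:
        print(parse_squid(message))
```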
Connect threat indicators to Microsoft Sentinel
Introduction
After completing this module, you will be able to:
1 Install the Threat Intelligence Content Hub Solution
2 Use Threat Intelligence Analytic rules, Hunting queries and Workbooks
3 Configure Threat Intelligence connectors in Microsoft Sentinel
4 View threat indicators (ThreatIntelligenceIndicator) in Microsoft Sentinel Logs
Plan for the Threat Intelligence Solution
The Threat Intelligence Solution provides:
• Analytic rules that generate alerts and incidents based on matches of log events from your threat indicators
• Workbooks that provide summarized information about the threat indicators
• Hunting queries that allow security investigators to use threat indicators
• Data connectors to ingest data into Microsoft Sentinel
Threat Intelligence Data Connectors:
• Threat intelligence – TAXII
• Threat Intelligence Upload Indicators API (Preview)
• Microsoft Defender Threat Intelligence (Preview)
• Threat Intelligence Platforms
Install the threat intelligence Content Hub Solution
The Threat Intelligence solution provides four data connectors:
• Threat Intelligence Platforms
• Threat Intelligence Upload Indicators API
• Microsoft Defender Threat Intelligence
• Threat Intelligence TAXII
Configure Threat Intelligence Analytic Rule templates
Use the Threat Intelligence Analytic Rule templates to create incidents from alerts
triggered by the rules.
Connect Threat Intelligence Upload Indicators API data
Connect to Microsoft Sentinel’s data plane API directly from applications using REST methods, or use this connector to send threat indicators to Microsoft Sentinel from your Threat Intelligence Platform (TIP).
View Threat Intelligence Indicators
Lab 01 – Connect logs to Microsoft Sentinel
Lab Exercises for Learning Path 7
1 Connect data to Microsoft Sentinel using data connectors
2 Connect the Microsoft Defender for Cloud data connector to Microsoft Sentinel
3 Connect the Azure Activity data connector to Microsoft Sentinel
4 Connect Windows devices to Microsoft Sentinel using data connectors
5 Connect Linux hosts to Microsoft Sentinel using data connectors
Learning Path Recap
In this learning path, we covered:
• Sentinel Connectors: Microsoft Sentinel provides various data connectors to connect logs and data sources
• Content Hub Solutions: Content Hub Solutions include data connectors, parsers, workbooks, analytics rules, hunting queries, notebooks, watchlists, and playbooks
• Data Collection Rules: Data Collection Rules (DCR) are used to manage collection settings at scale, improve security and performance, and save costs
• Threat Intelligence: The Threat Intelligence Content Hub Solution provides connectors for TAXII, Microsoft Defender Threat Intelligence, and Threat Intelligence Platforms
• Microsoft Defender: Microsoft Sentinel provides built-in connectors for Microsoft Defender solutions, including Microsoft Defender XDR, Microsoft Defender for Cloud, and Microsoft Defender for IoT