Microsoft Azure Sentinel (now Microsoft Sentinel) is a cloud-native security information and event management (SIEM) service that runs on top of an Azure Log Analytics workspace. This guide walks through forwarding Peakhour events into a custom Log Analytics table and using that table from Sentinel, so that security engineers can query, alert on and analyse Peakhour events alongside the rest of their organisation's telemetry.
Prerequisites:
- An Azure subscription.
- Access to the Azure Portal with permission to read the workspace keys.
- A Log Analytics workspace with Azure Sentinel enabled on it.
Step 1: Grab the Log Analytics workspace ID and key
- Log into the Azure Portal
- Navigate to your Log Analytics workspace
- Select Settings > Agents
- Expand 'Log Analytics agent instructions'
- Take note of:
  - Workspace ID
  - Primary key or Secondary key (either works; having two lets you rotate one while the other remains in use)
Step 2: Configure Peakhour to Forward Logs to Azure Log Analytics
- Log into your Peakhour dashboard.
- Navigate to the domain whose logs you want to forward to Azure.
- Under Log Forwarding, open the Azure monitoring agent form.
- Enter the following information obtained from Azure in Step 1:
  - Workspace ID: the ID of your Log Analytics workspace.
  - Shared Key: either the primary or the secondary key of the workspace. This key authorises writes to the whole workspace, so treat it as a secret and rotate it in Azure if it is ever exposed.
- Enter the desired table name (suggested: PeakhourEvent). Azure creates the custom table automatically when the first event is ingested and appends the _CL suffix, so the table you will query is PeakhourEvent_CL. Each field of the event also receives a type suffix (for example _s for strings, _d for numbers, _b for booleans), which is why the columns later appear as client_s, host_s and path_s.
- Select the log type 'Event'
- Submit the configuration
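Before pointing Peakhour at the workspace it is useful to confirm that the Workspace ID and Shared Key are correct, and to see what the resulting custom table looks like. The script below is an added example written for this guide, not Peakhour's or Microsoft's code. It assumes Peakhour's forwarder uses the Log Analytics HTTP Data Collector API (the API that takes a Workspace ID plus Shared Key and produces _CL tables with typed column suffixes, which is what this page describes). The event fields, the placeholder workspace ID and key, and the LA_WORKSPACE_ID / LA_SHARED_KEY environment variable names are all this example's own choices.

```python
"""Post one constructed Peakhour-style event to a Log Analytics custom table.

Added example for this guide, not Peakhour's or Microsoft's code. It assumes
Peakhour's forwarder uses the Log Analytics HTTP Data Collector API, which is
the API that takes a Workspace ID plus Shared Key and creates *_CL tables
with typed column suffixes (client_s, status_d, ...).
"""
import base64
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
from urllib import request

API_PATH = "/api/logs"
API_VERSION = "2016-04-01"
LOG_TYPE = "PeakhourEvent"  # Azure stores this as PeakhourEvent_CL

# Constructed placeholders for offline use; NOT real credentials.
CONSTRUCTED_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
CONSTRUCTED_KEY = "MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY="  # base64 of 32 bytes

# Constructed sample event. Field names are this example's guess at the
# schema; in the table they become client_s, host_s, path_s, status_d, blocked_b.
SAMPLE_EVENT: List[Dict] = [{
    "client": "203.0.113.10",
    "host": "www.example.com",
    "path": "/wp-login.php",
    "status": 403,
    "blocked": True,
}]


def string_to_sign(content_length: int, rfc1123_date: str) -> str:
    """Canonical string covered by the signature: verb, body length,
    content type, x-ms-date header and resource path, newline separated."""
    return (
        f"POST\n{content_length}\napplication/json\n"
        f"x-ms-date:{rfc1123_date}\n{API_PATH}"
    )


def build_signature(shared_key_b64: str, content_length: int, rfc1123_date: str) -> str:
    """HMAC-SHA256 of the canonical string, keyed with the *decoded* shared key,
    returned base64-encoded as the API expects."""
    key = base64.b64decode(shared_key_b64)
    message = string_to_sign(content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_request(workspace_id: str, shared_key_b64: str, events: List[Dict],
                  log_type: str = LOG_TYPE,
                  when: Optional[datetime] = None) -> Tuple[str, Dict[str, str], bytes]:
    """Return (url, headers, body) for a signed POST. Pure function: no network."""
    when = when or datetime.now(timezone.utc)
    rfc1123_date = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(events).encode("utf-8")
    signature = build_signature(shared_key_b64, len(body), rfc1123_date)
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"SharedKey {workspace_id}:{signature}",
        "Log-Type": log_type,          # table name without the _CL suffix
        "x-ms-date": rfc1123_date,     # must be the same date that was signed
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{API_PATH}?api-version={API_VERSION}")
    return url, headers, body


def send(workspace_id: str, shared_key_b64: str, events: List[Dict]) -> int:
    """POST the events; the API answers 200 when the batch is accepted."""
    url, headers, body = build_request(workspace_id, shared_key_b64, events)
    req = request.Request(url, data=body, headers=headers, method="POST")
    with request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Env var names are this example's choice. Without them, do a dry run.
    ws_id = os.environ.get("LA_WORKSPACE_ID")
    key = os.environ.get("LA_SHARED_KEY")
    if ws_id and key:
        print("HTTP", send(ws_id, key, SAMPLE_EVENT))
    else:
        url, headers, _ = build_request(CONSTRUCTED_WORKSPACE_ID, CONSTRUCTED_KEY, SAMPLE_EVENT)
        print("dry run; set LA_WORKSPACE_ID and LA_SHARED_KEY to send")
        print(url)
        print({k: v for k, v in headers.items() if k != "Authorization"})
```

Run it without the environment variables for a dry run that prints the signed request (minus the Authorization header); with them it posts one event, and the Step 4 query should then return a row with client_s, host_s, path_s, status_d and blocked_b columns. Two points worth keeping in mind: the signature binds the body length and the x-ms-date header, so a request replayed with a modified body or a stale date is rejected, but anyone who holds the shared key can write arbitrary rows into PeakhourEvent_CL (or any other custom table in the workspace), so detections built on this table are only as trustworthy as the custody of that key. Microsoft has also deprecated the HTTP Data Collector API in favour of the Logs Ingestion API with data collection rules, so check the current Peakhour and Azure documentation when planning long-term.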
Step 3: Create an analytics rule in Azure Sentinel
- Navigate to the Azure Sentinel dashboard in the Azure Portal.
- In the left-hand menu, under Configuration, click "Analytics".
- Click Create > "Scheduled query rule". (This is a Sentinel analytics rule, not an Azure Monitor data collection rule; the table itself was created in Step 2 by the first ingested event.)
- In the "General" tab, give your rule a name; the rule type is "Scheduled".
- In the "Set rule logic" tab, enter the following Kusto Query Language (KQL) query to read Peakhour events from the Log Analytics workspace:
PeakhourEvent_CL
- As written, this query matches every Peakhour event, so with the default alert threshold the rule raises an alert on every scheduled run that finds any rows. Add a where clause on the columns you care about (client_s, host_s, path_s or any other field Peakhour sends) so the rule alerts only on the conditions you actually want to investigate.
- In the "Alert enrichment" section, under "Entity mapping", map the following columns so that Sentinel can correlate Peakhour events with the same IPs, hosts and URLs seen in other data sources:

Entity type | Identifier | Value
---|---|---
IP | Address | client_s
Host | FullName | host_s
URL | Url | path_s

- Additional values from the Peakhour event can be surfaced on the alert under 'Custom details'.
- In "Query scheduling", set the run frequency and lookback period for your environment. The lookback period should be at least as long as the run frequency; otherwise events that arrive between two runs are never evaluated.
- In the "Incident settings" tab, define how alerts are grouped into incidents as per your requirements.
- Click "Review + create" to validate your settings, then click "Create" to create the analytics rule.
Step 4: Verify the Integration
Now that the integration is set up, verify that Peakhour events are being collected and stored in the custom table.
- Navigate to the Azure Sentinel dashboard in the Azure Portal.
- In the left-hand menu, click "Logs".
- In the query editor, enter the following KQL query:
PeakhourEvent_CL
| take 10
- Click "Run" to execute the query. You should see recent Peakhour events with their suffixed columns (client_s, host_s, path_s and so on). The table does not exist until the first event has been ingested, and the first records written to a new custom table can take several minutes to become queryable, so if the query reports that the table cannot be found, generate some traffic to the domain and retry.
- The entity mappings from Step 3 are not columns of this table. They appear on the alerts and incidents that the analytics rule produces (Threat management > Incidents) once the rule's query returns results.
This how-to guide has shown how to forward Peakhour logs into a custom Log Analytics table and make them available to Azure Sentinel. With the table populated and an analytics rule in place, security engineers can monitor, analyse and respond to Peakhour events alongside the rest of their telemetry, improving the overall security posture of their organisation.