How to create alerts from Azure sentinel in log analytics


The requirements:

  • Experience for log analytics and setting up alerts ( the guidance assumes you have configured all the requirements)
  • Azure Sentinel integration data sources
  • Log Analytics Workspace linked to Sentinel
  • Azure Sentinel Alert Rule
  • Integration in Analytics workspace of Azure AD, Virtual machine logs for analysis

Usefull Links


https://docs.microsoft.com/en-us/azure/sentinel/quickstart-onboard

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/


Create the alert rule from analytics in sentinel

Click ont the rule template and hit create

Configure any rule logics and naming conventions

You can also simulate how many alerts the rule would generate when enabled

Once the alert is enabled is ready to trigger

Once the alert is configured ( in our case we havea case of an unusual RDP login by a new legit admin in the system , that would be a false positive becase we know is a legit access ). This created an incident in sentinel


Now here is the trick, if we launch the following query we can see al the Sentinel incidences in the last 7 Days ( log analytics query )

SecurityAlert
| where ProductName == "Azure Sentinel"

We can create now an alert rule to alert us whenever there is alerts, clicking in new alert rule !

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.