Microsoft Sentinel

Microsoft Sentinel – Configuring Windows Server using Azure Monitoring Agent

Using the legacy agent, as discussed in the previous post, is one option for configuring Windows servers with Sentinel. As the name states, it's a legacy option and has its own limitations. Last year, Microsoft came up with a new approach that makes use of Azure Monitoring Agents. With this approach, the collected logs are sent to an Azure Log Analytics Workspace, which is shared between Azure Monitoring and Microsoft Sentinel. The same data is also available to Microsoft Defender. As per Microsoft, all legacy agents currently in use will be replaced with the Azure Monitoring Agent, and the legacy agents are expected to retire on 31st Aug 2024.

Configuration is similar to the legacy agent installation, but a few additional steps are needed to complete the setup.

From the Sentinel dashboard, navigate to Data Connectors.

Search for “Windows Security Events via AMA” and select the connector from the search results.

Click on Open Connector Page from the bottom right corner.

On the connector page, the difference compared to the legacy agent installation is that we don’t see any agent details. Instead, there is an informational message which says that to collect data from non-Azure VMs, they must have Azure Arc installed and enabled.

So we need to navigate to the Azure Arc portal. Azure Arc is a set of technologies that brings Azure security and cloud-native services to hybrid and multi-cloud environments. From the Azure Portal, search for “Azure Arc” and navigate to the Azure Arc portal. Select Servers from the menu on the left side.

Click on + Add in the top menu.

The page now redirects to “Add servers with Azure Arc”. This page has multiple options for deploying the Arc agent. The bottom line is that the “Azure Connected Agent” needs to be installed, either manually or through a script. Once the installation is done, the agent needs to be connected to the Azure tenant. For a single server, the “Generate a script” option creates a script customized with the values specific to your environment.

Navigate through the initial screens. The final page generates the script and also gives the option of registering the subscription.

Registering is a one-time activity. Just click on Register and that’s it.

Now, copy the script and run it on the on-prem server.

This script will do the following:

  1. Download the agent from the Microsoft Download Center.
  2. Install the agent on the server.
  3. Create the Azure Arc-enabled server resource and associate it with the agent.

If internet connectivity is not available from the server, first download the MSI installer from https://aka.ms/AzureConnectedMachineAgent and copy it to the respective on-prem servers. The actual registration happens by running azcmagent.exe, which is located in C:\Program Files\AzureConnectedMachineAgent. Extract that part alone to do a manual installation if that’s required.
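The manual path described above, as an added PowerShell example (not the portal-generated script): it checks the copied MSI's Authenticode signature before installing, then registers the server with azcmagent.exe. The C:\Temp path and the values in angle brackets are placeholders, and the server is assumed to still reach Azure (directly or through a proxy) for the registration step.

```powershell
# Added example; run from an elevated PowerShell console on the on-prem server.
$msi = 'C:\Temp\AzureConnectedMachineAgent.msi'   # assumed location of the copied installer

# 1. The MSI was moved between machines, so confirm it is still validly signed by Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to install: status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
}

# 2. Silent install with a verbose log (3010 = success, reboot required).
$log  = Join-Path $env:TEMP 'azcmagent-install.log'
$proc = Start-Process msiexec.exe -ArgumentList "/i `"$msi`" /qn /l*v `"$log`"" -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $log"
}

# 3. Register the server with Azure Arc. Without service principal arguments,
#    azcmagent asks for an interactive sign-in, as the generated script does.
$azcmagent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
& $azcmagent connect `
    --tenant-id '<tenant-id>' `
    --subscription-id '<subscription-id>' `
    --resource-group '<resource-group>' `
    --location '<azure-region>'
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }

# 4. Print the agent's status and the Azure resource it is now bound to.
& $azcmagent show
```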

Running the script from a PowerShell console is easy.

The script will halt in the middle to complete the device login, and once authenticated, we can get the rules configured on Azure Sentinel.

Navigate to Azure Portal -> Sentinel -> Data Connectors -> Windows Security Events via AMA

Click on Open Connector page at the bottom right corner

Click on “+Create data collection rule” in the configuration section

Enter the Rule Name, Subscription and Resource Group.

Click on Next

On the resources page, select the on-prem computer

Click on Next

Select the events to stream.

Complete the validation and go ahead with creation

The new data collection rule will be visible in the configuration section

Events will start populating after a while.

Good luck!

Posted by Shabarinath in Microsoft Sentinel, 0 comments

Microsoft Sentinel – How to configure on-premise domain controller?

Microsoft Sentinel provides two different options for collecting security logs from an on-premise server. Here is the simple, straightforward way using the legacy agent option.

Navigate to the Data Connectors from Azure Sentinel dashboard.

Search for “Security Events via Legacy Agent” and click on “Open Connector” at the bottom right corner.

Download the agent from the link provided. Microsoft has two different agent types: one for VMs hosted in Azure and the other for VMs hosted in all environments other than Azure.

On the events to stream option, select the appropriate one. Since I was not sure about the full list of events in different categories, I opted for “All Events”.

The download agent page offers the 32-bit agent as well as the 64-bit agent, along with the workspace ID and the keys. The workspace ID and the keys are used while installing the agent on the on-premise server. If the server doesn’t have direct internet connectivity, Microsoft gives us the option of using a gateway server. All on-premise servers send their logs to the Log Analytics Gateway server, and the gateway server then sends the logs to the Azure Log Analytics Workspace. Since I did this in my lab environment, I have unrestricted internet for the domain controllers. Hence, the events are directly sent to the Azure LA workspace.

Now, navigate to the server. Get the agent downloaded and keep the workspace ID and the key handy. Primary key or secondary key – either one is required.

This agent is basically the MOM agent with additional functionality for integrating with Azure Log Analytics.

On the welcome screen, click next. Accept the license agreement and click next.

Choose the installation folder

Choose “Connect the agent to Azure Log Analytics (OMS)” and click next

Now it’s time to configure the workspace ID and the key. In case a proxy is used, configure the proxy settings too using the Advanced button.

Choose the Windows update option as per your wish and go ahead with the installation.

Once installation is complete, verify the agent health from Control Panel -> Microsoft Monitoring Agent. If the connectivity is fine, a green tick mark will be visible in the status column.

In a few minutes, the changes will be reflected on the Azure Sentinel connector page.

One of the main concerns with using the legacy agent is the time required to get the events into Azure Log Analytics. I did a small test to verify this and it was quick.

Here is the raw event from Windows Security event.

I then searched the Azure Log Analytics workspace. For the respective event, Microsoft is also stamping an additional field called time collected. Time generated is the actual time the event was triggered. Both fields are in UTC. If you see, the event got collected within a minute once it was generated. And it was available in the Azure Log Analytics workspace within 3-4 minutes.

Refer to the Azure Sentinel data collection best practices here.
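To repeat this latency check across every reporting server rather than for one event, the following added example (not from the original post) compares TimeGenerated with TimeCollected and with the workspace ingestion time. It assumes the Az.OperationalInsights module, a session signed in with Connect-AzAccount, a placeholder workspace ID, and an illustrative 5-minute threshold.

```powershell
# Added example: per-computer collection and ingestion delay for the last hour.
$workspaceId = '<workspace-id>'   # placeholder: Log Analytics workspace (customer) ID

$query = @'
SecurityEvent
| where TimeGenerated > ago(1h)
| extend CollectDelaySec = datetime_diff('second', TimeCollected, TimeGenerated),
         IngestDelaySec  = datetime_diff('second', ingestion_time(), TimeGenerated)
| summarize Events     = count(),
            CollectP50 = percentile(CollectDelaySec, 50),
            CollectP95 = percentile(CollectDelaySec, 95),
            IngestP50  = percentile(IngestDelaySec, 50),
            IngestP95  = percentile(IngestDelaySec, 95)
  by Computer
| order by IngestP95 desc
'@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query
$rows = @($response.Results)
$rows | Format-Table Computer, Events, CollectP50, CollectP95, IngestP50, IngestP95 -AutoSize

# Result values come back as strings, so cast before comparing.
# 300 seconds is an assumed threshold; pick one that matches your detection rules.
$slow = $rows | Where-Object { [double]$_.IngestP95 -gt 300 }
if ($slow) {
    Write-Warning ("Servers with p95 ingestion delay over 5 minutes: " +
                   (($slow | ForEach-Object Computer) -join ', '))
}
```

A server that is missing from the output sent no security events in the last hour, which is worth checking separately from a server that is merely slow.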

Posted by Shabarinath in Microsoft Sentinel, 0 comments