Comments (4)
Hi Marc, thanks again for your great feedback. I am glad that you like the work done.
I cannot follow up on the first point: when I follow the described path, I cannot continue from "Virtual Machines > $MachineName - click on connect". Can you please add more info on this point?
Point 2 is a good one; I have already done some testing on this part. Unfortunately there is too much variation in the configuration of each data connector, so I need to find a way to dynamically resolve the connector properties. Maybe it's an idea to start with a set of the most used connectors for now; please let me know what you think about it and which are your most used connectors. Maybe we can create a separate PS script to do this for your scenario for the time being?
from azsentinel.
Hi Pouyan,
Indeed, the option, when selected, has a different name compared to the 'top bar'. Basically I mean the path for enabling a connector on an (Azure) VM. Let's take the 'Security Events' connector for example. The full click-path is:
Home > Azure Sentinel workspaces > Azure Sentinel - Data connectors > Security Events > Open connector page > Install agent on Azure Windows Virtual Machine > Download & install agent for Azure Windows Virtual machines > Select the VMs you want > click on connect
I totally understand starting small with the most important data connectors. IMHO that would be 'Security Events'. TBH, other connectors are not really of interest to me at this moment.
Alongside that, I would prefer to be able to configure the 'advanced settings' (Home > Azure Sentinel Workspaces > $WorkspaceName > Workspace settings > Advanced Settings) before enabling other data connectors. The reason for this is that it allows me to import Sysmon logs into Sentinel.
But again, I may be in a corner case here.
Hi Marc,
Thanks for the extra info, that clarifies a lot. So the agent that you want to enable is actually the Log Analytics workspace agent "MicrosoftMonitoringAgent". You can enable this through a JSON ARM template or PowerShell by running the following:
# Name of the Log Analytics workspace that Azure Sentinel is attached to, and the target VM
$workspaceName = "your workspace name"
$VMresourcegroup = "**"
$VMresourcename = "**"
# Look the workspace up by name in the currently selected subscription
$workspace = (Get-AzOperationalInsightsWorkspace).Where({ $_.Name -eq $workspaceName })
if ($workspace.Name -ne $workspaceName)
{
    Write-Error "Unable to find OMS Workspace $workspaceName. Do you need to run Select-AzSubscription?"
}
# The agent needs the workspace ID (CustomerId) and the primary shared key.
# The Az cmdlet name is singular; the plural ...SharedKeys was the AzureRM name.
$workspaceId = $workspace.CustomerId
$workspaceKey = (Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $workspace.ResourceGroupName -Name $workspace.Name).PrimarySharedKey
$vm = Get-AzVM -ResourceGroupName $VMresourcegroup -Name $VMresourcename
$location = $vm.Location
# Windows VM: install the MicrosoftMonitoringAgent extension. The workspace ID goes in the
# public settings; the workspace key belongs in the protected settings, which are stored encrypted.
Set-AzVMExtension -ResourceGroupName $VMresourcegroup -VMName $VMresourcename -Name 'MicrosoftMonitoringAgent' -Publisher 'Microsoft.EnterpriseCloud.Monitoring' -ExtensionType 'MicrosoftMonitoringAgent' -TypeHandlerVersion '1.0' -Location $location -SettingString "{'workspaceId': '$workspaceId'}" -ProtectedSettingString "{'workspaceKey': '$workspaceKey' }"
# Linux VM: comment out the Windows line above and uncomment this one instead
# Set-AzVMExtension -ResourceGroupName $VMresourcegroup -VMName $VMresourcename -Name 'OmsAgentForLinux' -Publisher 'Microsoft.EnterpriseCloud.Monitoring' -ExtensionType 'OmsAgentForLinux' -TypeHandlerVersion '1.0' -Location $location -SettingString "{'workspaceId': '$workspaceId'}" -ProtectedSettingString "{'workspaceKey': '$workspaceKey' }"
Regarding the second point, I will keep you posted when we have a working function to enable the solutions.
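As an added example (not code from the azsentinel project or from either commenter), the same onboarding can be made idempotent and self-checking: pick the extension from the VM's OS type instead of commenting lines in and out, skip the install if the agent already reports to the target workspace, keep the shared key strictly in the protected settings, and confirm from the workspace side that a Heartbeat arrives. It assumes an authenticated Az session (Connect-AzAccount) with the Az.Compute and Az.OperationalInsights modules; the parameter names are this example's own.

```powershell
# Added example: idempotent Log Analytics agent onboarding for one VM, with a
# heartbeat check. Assumes Connect-AzAccount has been run and that the caller has
# read access to the workspace keys and write access to the VM.
param(
    [Parameter(Mandatory)] [string] $WorkspaceName,
    [Parameter(Mandatory)] [string] $VMResourceGroup,
    [Parameter(Mandatory)] [string] $VMName
)

$ErrorActionPreference = 'Stop'

# A missing workspace should stop the run rather than fall through to Set-AzVMExtension.
$workspace = Get-AzOperationalInsightsWorkspace | Where-Object { $_.Name -eq $WorkspaceName }
if (-not $workspace) {
    throw "Workspace '$WorkspaceName' not found in the current subscription. Run Select-AzSubscription first."
}
$workspaceId = $workspace.CustomerId

# The shared key is a credential. It only ever goes into ProtectedSettingString, which the
# platform stores encrypted; SettingString is readable by anyone with read access to the VM.
$workspaceKey = (Get-AzOperationalInsightsWorkspaceSharedKey `
    -ResourceGroupName $workspace.ResourceGroupName -Name $workspace.Name).PrimarySharedKey

$vm = Get-AzVM -ResourceGroupName $VMResourceGroup -Name $VMName

# Choose the extension that matches the guest OS.
switch ("$($vm.StorageProfile.OsDisk.OsType)") {
    'Windows' { $extName = 'MicrosoftMonitoringAgent' }
    'Linux'   { $extName = 'OmsAgentForLinux' }
    default   { throw "Unsupported OS type '$($vm.StorageProfile.OsDisk.OsType)' on $VMName" }
}

# Idempotency: the public settings of an installed agent contain the workspace ID it reports to.
$existing = Get-AzVMExtension -ResourceGroupName $VMResourceGroup -VMName $VMName `
    -Name $extName -ErrorAction SilentlyContinue
if ($existing -and $existing.PublicSettings -match "$workspaceId") {
    Write-Host "$VMName already reports to workspace $WorkspaceName ($workspaceId); nothing to do."
}
else {
    # Build the settings as real JSON instead of hand-quoted strings.
    $public    = @{ workspaceId  = "$workspaceId" } | ConvertTo-Json -Compress
    $protected = @{ workspaceKey = $workspaceKey  } | ConvertTo-Json -Compress
    Set-AzVMExtension -ResourceGroupName $VMResourceGroup -VMName $VMName `
        -Name $extName -Publisher 'Microsoft.EnterpriseCloud.Monitoring' `
        -ExtensionType $extName -TypeHandlerVersion '1.0' -Location $vm.Location `
        -SettingString $public -ProtectedSettingString $protected | Out-Null
    Write-Host "Installed $extName on $VMName."
}

# Verify from the workspace side: a connected agent writes Heartbeat rows within a few minutes.
# Computer holds the guest hostname, which normally matches the Azure VM name.
$query  = "Heartbeat | where Computer =~ '$VMName' | summarize LastSeen = max(TimeGenerated)"
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query
$lastSeen = ($result.Results | Select-Object -First 1).LastSeen
if ($lastSeen) {
    Write-Host "Last heartbeat from $VMName in ${WorkspaceName}: $lastSeen"
}
else {
    Write-Warning "No heartbeat from $VMName yet; re-run the Heartbeat query in a few minutes."
}
```

Run it as `.\Enable-WorkspaceAgent.ps1 -WorkspaceName <ws> -VMResourceGroup <rg> -VMName <vm>` (the file name is this example's own). Once the heartbeat shows up, the 'Security Events' connector page in Azure Sentinel will list the VM as connected. Note that Microsoft has since retired the Log Analytics agent (MicrosoftMonitoringAgent / OmsAgentForLinux) in favour of the Azure Monitor agent; the example reproduces the workflow described in this thread, and the same shape (resolve workspace, select by OS, check before install, verify Heartbeat) applies when the extension name changes.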
Thanks, got it to work via templates.
Really looking forward to your solution for the data connectors!