Accessing and Using Microsoft Sentinel

Purpose

This training document provides guidance on accessing Microsoft Sentinel, reviewing logs, and utilizing KQL (Kusto Query Language) to gather information for compliance with NIST 800-171 r2 and CMMC 2.0 standards. Following these procedures ensures secure and accurate analysis of security events.


1. Accessing Microsoft Sentinel

Prerequisites

  1. Ensure you have been granted the appropriate role-based access within Azure. Typically, this includes one of the following roles:

    • Microsoft Sentinel Reader: For viewing logs and reports.
    • Microsoft Sentinel Contributor: For running queries and creating reports.
    • Microsoft Sentinel Owner: For full administrative access.
  2. Verify multi-factor authentication (MFA) is enabled for your account as required by NIST 800-171 r2 security controls.

Steps to Access Sentinel

  1. Log in to the Azure Portal (GCC: https://portal.azure.com; GCCH: https://portal.azure.us) using your organizational credentials.
  2. Navigate to Microsoft Sentinel by searching for “Sentinel” in the search bar or selecting it from the list of available resources.
  3. Select the appropriate Sentinel Workspace associated with your organization’s security operations.

2. Reviewing Logs in Microsoft Sentinel

Overview of Logs

Microsoft Sentinel collects and correlates logs from various data sources. Common log types include:

  • Azure Activity Logs: Tracks resource creation, deletion, and modification.
  • Sign-In Logs: Records user authentication events.
  • Audit Logs: Tracks changes in configurations and settings.
  • Custom Logs: Logs from on-premises or third-party systems.

Steps to Review Logs

  1. In the Sentinel Workspace, navigate to the Logs tab.
  2. Use the pre-built queries under Log Analytics to quickly identify:
    • Failed login attempts.
    • Unauthorized access attempts.
    • Resource modifications.
  3. Adjust the Time Range filter to narrow down the logs (e.g., Last 24 hours, 7 days, or a custom range).

Best Practices for Reviewing Logs

  • Regularly monitor high-risk events such as failed login attempts and abnormal data access.
  • Cross-reference logs to identify patterns or anomalies.
  • Export critical logs to secure storage for audit evidence.

3. Using KQL (Kusto Query Language) for Log Analysis

Introduction to KQL

KQL is a powerful query language used to filter and analyze data in Sentinel. Familiarity with its syntax is essential for efficient log reviews.

Top 20 KQL Queries for MS Sentinel

  1. search "keyword"
     Definition: Searches for a specific keyword across all tables.
     When to use: Use this to quickly find occurrences of specific terms, such as "Unauthorized access".
  2. SigninLogs | where ResultType != 0
     Definition: Filters sign-in logs to display only failed login attempts (ResultType 0 is a successful sign-in, so a non-zero value indicates failure).
     When to use: Use this to identify failed authentication attempts.
  3. SigninLogs | summarize count()
     Definition: Counts the total number of sign-in attempts.
     When to use: Use this to get an overview of sign-in activity.
  4. SecurityEvent | where EventID == 4625
     Definition: Filters security events to show only failed login events.
     When to use: Use this to detect failed logins on Windows systems.
  5. SigninLogs | project UserPrincipalName, IPAddress
     Definition: Projects specific columns from the sign-in logs.
     When to use: Use this to analyze specific user and IP activity.
  6. SecurityEvent | where EventID == 4625 | summarize count() by AccountName
     Definition: Aggregates failed login events (Event ID 4625) by account name.
     When to use: Use this to identify accounts with the most failed login attempts.
  7. SecurityEvent | where EventID == 4624
     Definition: Filters security events to show successful logins.
     When to use: Use this to monitor successful logins.
  8. SigninLogs | where Location == "Unknown"
     Definition: Filters sign-in logs for unknown locations.
     When to use: Use this to identify suspicious or unrecognized access locations.
  9. SigninLogs | summarize count() by Location
     Definition: Aggregates sign-in attempts by geographic location.
     When to use: Use this to analyze sign-in patterns by location.
  10. SigninLogs | where DeviceDetail contains "Linux"
     Definition: Filters logs to display Linux-based sign-ins.
     When to use: Use this to monitor specific device types or operating systems.
  11. SecurityAlert | where AlertSeverity == "High"
     Definition: Filters security alerts to show only high-severity alerts (the severity column in SecurityAlert is AlertSeverity).
     When to use: Use this to prioritize high-severity security incidents.
  12. AzureActivity | where OperationName contains "Delete"
     Definition: Filters Azure activity logs for deletion operations.
     When to use: Use this to monitor unauthorized or unusual deletion activity.
  13. AzureActivity | summarize count() by Caller
     Definition: Aggregates Azure activity by user.
     When to use: Use this to identify users performing frequent activities.
  14. SecurityEvent | where AccountType == "Admin"
     Definition: Filters logs to show only administrative account activity.
     When to use: Use this to monitor admin account activity for compliance.
  15. SigninLogs | where AuthenticationRequirement == "multiFactorAuthentication"
     Definition: Filters sign-ins that required multi-factor authentication (the column holds "multiFactorAuthentication" or "singleFactorAuthentication").
     When to use: Use this to confirm compliance with MFA policies.
  16. SecurityEvent | summarize count() by IpAddress
     Definition: Aggregates security events by IP address (the SecurityEvent column is spelled IpAddress).
     When to use: Use this to detect IPs associated with multiple security events.
  17. SecurityEvent | where EventID in (4624, 4625)
     Definition: Filters security events for both successful and failed logins.
     When to use: Use this to compare login successes and failures.
  18. OfficeActivity | where Operation == "FileAccessed"
     Definition: Filters Office activity logs for file access operations.
     When to use: Use this to track file access activity.
  19. SigninLogs | summarize avg(hourofday(TimeGenerated)) by UserPrincipalName
     Definition: Calculates the average sign-in hour of day by user (avg() needs a numeric value, so the hour is extracted first).
     When to use: Use this to analyze user activity trends.
  20. AuditLogs | where OperationName contains "group"
     Definition: Filters audit logs for group update events (AuditLogs names the action in OperationName; contains is case-insensitive).
     When to use: Use this to track changes to user groups and permissions.
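The following query is an added example, not part of the original training document or of Microsoft's own content. It chains several of the one-liners above (where, summarize, bin, join) into a single review query that lists IP addresses with many failed sign-ins in an hour that were then followed by a successful sign-in from the same address. The table and column names are the standard Sentinel SigninLogs schema; the seven-day lookback and the failure threshold of 10 are assumptions to be tuned to your environment.

```kql
// Added example: failed sign-ins followed by a success from the same IP in the same hour.
// Lookback window and threshold are assumed values; adjust them for your tenant.
let lookback = 7d;
let failThreshold = 10;                       // assumed: failures per IP per hour
// Step 1: failed sign-ins, bucketed per IP address and per hour.
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != 0                   // non-zero ResultType = failed sign-in
    | summarize Failures = count(),
                TargetUsers = dcount(UserPrincipalName)
        by IPAddress, Hour = bin(TimeGenerated, 1h)
    | where Failures >= failThreshold;
// Step 2: successful sign-ins in the same hourly buckets.
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == 0                   // ResultType 0 = successful sign-in
    | project IPAddress, Hour = bin(TimeGenerated, 1h),
              UserPrincipalName, SuccessTime = TimeGenerated;
// Step 3: keep only hours where an IP had many failures AND at least one success.
failures
| join kind=inner (successes) on IPAddress, Hour
| project Hour, IPAddress, Failures, TargetUsers, UserPrincipalName, SuccessTime
| order by Failures desc, Hour desc
```

Run it from the Logs tab with the Time Range set at least as wide as the lookback, and save it as a named query so the same check can be repeated for each scheduled log review. A high TargetUsers value with a small number of successes is the pattern worth documenting and escalating.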

Basic Syntax

  Command    Description                                Example
  search     Finds a specific keyword in all tables.    search "Unauthorized access"
  where      Filters data based on conditions.          SigninLogs | where ResultType == 0
  project    Selects specific columns.                  SigninLogs | project TimeGenerated, UserPrincipalName
  summarize  Aggregates data.                           SigninLogs | summarize count() by UserPrincipalName

Example Queries

  1. List Failed Sign-Ins:

    SigninLogs
    | where ResultType != 0   // 0 is a successful sign-in; any other value is a failure
    | project TimeGenerated, UserPrincipalName, IPAddress

  2. Count Unauthorized Access Attempts by User:

    SecurityEvent
    | where EventID == 4625
    | summarize count() by AccountName
    
  3. Identify High-Risk IPs:

    SigninLogs
    | where Location in ("Unknown", "Suspicious Region")
    | summarize count() by IPAddress
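As a further worked example (added here, not from the original document), the query below produces the evidence needed for the MFA check in the Compliance Considerations section: successful sign-ins over the last 30 days that completed with a single factor, grouped per user. It assumes the standard SigninLogs schema, where AuthenticationRequirement holds "singleFactorAuthentication" or "multiFactorAuthentication" and ConditionalAccessStatus holds "success", "failure" or "notApplied"; confirm those values in your own workspace before relying on the results.

```kql
// Added example: successful sign-ins that did not require MFA, per user (last 30 days).
// Column values are assumed from the Entra ID sign-in log schema; verify in your tenant.
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType == 0                                        // successful sign-ins only
| where AuthenticationRequirement == "singleFactorAuthentication"
| summarize SingleFactorSignins = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIPs = make_set(IPAddress, 20),               // up to 20 distinct IPs
            CAStatus = make_set(ConditionalAccessStatus)       // did a CA policy apply?
    by UserPrincipalName
| order by SingleFactorSignins desc
```

An empty result is the desired outcome; export it with the query text and time range as the audit artifact. Where rows do appear, a CAStatus of "notApplied" indicates the sign-in was never evaluated by a Conditional Access policy, which points to a policy-scope gap rather than a user bypass.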
    

Best Practices for KQL Queries

  • Always test queries in a non-production environment before running them on live data.
  • Use comments (//) in queries to explain their purpose.
  • Save frequently used queries in Sentinel for quick access.

4. Compliance Considerations

When using Microsoft Sentinel to support NIST 800-171 r2 and CMMC 2.0 compliance:

  • Control 3.3.1 (Audit Log Retention): Ensure logs are retained for at least 90 days or per organizational policy.
  • Control 3.3.2 (Log Review): Schedule regular log reviews and document findings.
  • Control 3.3.5 (Correlating Logs): Use KQL queries to identify and investigate suspicious activities.
  • Control 3.13.5 (Multi-Factor Authentication): Verify access attempts comply with MFA requirements.
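As an added example (not part of the original document), the query below supports the retention and review controls listed above by showing, for the core tables named in this guide, how many of the last 90 calendar days actually contain data. A table with MissingDays greater than zero has a collection gap that should be explained in the review record. The 90-day window mirrors the retention figure in the control text; the choice of tables is an assumption, so extend the union with any other tables your workspace collects.

```kql
// Added example: per-table daily coverage over the last 90 calendar days.
// Tables are the ones discussed in this guide (assumed); add others as needed.
let start = startofday(ago(89d));                 // 90 calendar days including today
union withsource = SourceTable SigninLogs, AuditLogs, AzureActivity, SecurityEvent
| where TimeGenerated >= start
| summarize Events = count() by SourceTable, Day = bin(TimeGenerated, 1d)
| summarize DaysWithData = dcount(Day),
            TotalEvents = sum(Events),
            FirstDay = min(Day),
            LastDay = max(Day)
    by SourceTable
| extend MissingDays = 90 - DaysWithData         // days in the window with no rows
| order by MissingDays desc, TotalEvents desc
```

Keep this query saved alongside the review schedule and attach its output to each review: it gives the auditor both the evidence that logs were retained for the window and a documented check that ingestion did not silently stop, which is also the first thing to run when the Troubleshooting section's "No Data Returned" condition occurs.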

Documentation

  • Maintain an audit log review schedule and document results.
  • Save query outputs as evidence for audits.
  • Use Sentinel’s built-in workbook templates for automated reporting.

5. Troubleshooting

Common Issues

  • Access Denied: Verify your role in Azure and request appropriate permissions.
  • Query Errors: Double-check syntax and field names in KQL.
  • No Data Returned: Confirm that the data source is connected and logs are being ingested.

Support Resources


Conclusion

This training guide provides the foundational steps for accessing Microsoft Sentinel, reviewing logs, and using KQL for effective log analysis. Regularly reviewing and analyzing logs is critical to maintaining compliance with NIST 800-171 r2 and CMMC 2.0. Ensure you follow best practices and document all findings for audit purposes.