learning.appsecengineer.com-Course Lab


Course Lab

learning.appsecengineer.com/portal/course-info/lab/ZXZlbnRfOWQyNGU3NDEtZjRiZS00YWJjLTlkZmEtNGY3NTFjNTliMDdi/c3ViamVjdF8zZTU3N2JhNC03YzQ0LTRhNDYtODkxZC0wYmFkMmUzYzU1NGU=/bGFiXzk4OGNjMDg0LWU0ZTQtNDViYS1hYjc3LTI3NzdhNjY2MmI1YQ==

Course: Azure Sentinel: A Comprehensive Guide to Cloud-Native SIEM

Lab: Log Analytics Workspace

Azure Sentinel

Log Analytics Workspace

Important Information
For this lab, you will access your Azure account through our Lab Environment. This requires you to configure the Azure CLI in the Lab environment. We have taken several precautions to make this experience more secure. We have added:

1. TLS 1.2 to access each lab environment, to ensure that your credentials are always encrypted in transit.
2. An optional Authenticated mode that adds an additional access control through HTTP Basic Authentication and a randomly generated password, to ensure that the lab can be accessed only with the appropriate credentials.

To ensure maximum security of your Azure account, please do the following:

1. DO NOT use your company's Azure account. We recommend getting a throwaway Azure account for learning.
2. Generate your Azure username and password before using this lab and deactivate it immediately after you are done with the lab.
3. Ensure that you follow the "Teardown" instructions in this lab and watch the Teardown videos so that you do not incur unnecessary charges on your account.
4. Ensure that you use the "Authenticated" mode in our Lab environment. This adds an additional layer of access control to the lab environment.

If you are not comfortable with any of the above, you can commence the lab, download the code for the lab and use it on a machine of your choice. You will be responsible for downloading the necessary dependencies to get it to work.

Please note: we are NOT responsible for any charges or overages you incur on your Azure account.

Introduction
Hi AppSecEngineer,

Azure Sentinel is a cloud-native security information and event management (SIEM) solution that provides intelligent security
analytics and threat intelligence across the enterprise. It helps detect, prevent, and respond to threats in real time using AI and
machine learning. With Azure Sentinel, you can collect data at cloud scale across all users, devices, applications, and infrastructure,
both on-premises and in multiple clouds. It simplifies security operations by providing a single solution for alert detection, threat
visibility, proactive hunting, and threat response.

Log Analytics is a cloud-based log management solution that provides a unified platform for log collection, storage, and analytics.

In this lab we will set up a Log Analytics Workspace and explore its capabilities.

Azure Setup
Once you have provisioned the server, click on the Access button.

In the window that appears, click on Terminal and select the New terminal option.

Let's create a sandboxed Azure environment and configure the credentials file:

asectl init azure

Fetch Azure credentials

1. Expand Explorer in the web IDE.
2. Go to the azure-creds.txt file.
3. Copy the azure_useremail and azure_password.
4. Click on the Azure Portal Login link, enter azure_useremail and azure_password, then click on Sign in.

Setup Azure CLI

az login --use-device-code

You will be prompted with this message:

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code <random-value> to authenticate.

Now open https://microsoft.com/devicelogin, select the recently logged-in account and validate with the above <random-value>.

You should see a response similar to this:

Retrieving tenants and subscriptions for the selection...

[Tenant and subscription selection]

No     Subscription name    Subscription ID                       Tenant
-----  -------------------  ------------------------------------  --------
[1] *  ASE                  9bd6ba94-b6bb-4db6-bb2d-195c89122943  we45.com

The default is marked with an *; the default tenant is 'we45.com' and subscription is 'ASE' (9bd6ba94-b6bb-4db6-bb2d-195c89122943).

Select a subscription and tenant (Type a number or Enter for no changes):

Just press Enter to select the default subscription and tenant.

Implementation
We have two options to deploy the infrastructure:

1. D.I.Y. Approach: write your own terraform code from scratch by following the instructions in this lab.
2. Pre-written Approach: use our pre-written terraform code placed in the path /root/azure-sentinel/log-workspace.

If you would like to use our pre-written terraform code, skip the DO IT YOURSELF (D.I.Y.) Approach section and move to the Pre-written Approach section.

DO IT YOURSELF (D.I.Y.) Approach

Change Directory

cd /root/azure-sentinel/Developer

We have created an empty file with the name main.tf under the Developer directory. You will write the terraform code in this file and save it. Finally, you will deploy the infrastructure by following the steps below.

To open the file in the web IDE:

1. Expand Explorer in the web IDE.
2. Go to the /root/azure-sentinel/Developer folder.
3. Right-click on the main.tf file and select the Open Preview option.

Let's go through each block of code and understand what it does and how it works. Then we will leverage the same code to create
our own terraform code and deploy the infrastructure.

Provider Configuration

terraform {
  required_providers { azurerm = { source = "hashicorp/azurerm", version = "3.43.0" } }
}

provider "azurerm" {
  subscription_id = var.subscription_id
  features {}
}

This Terraform configuration sets up the AzureRM provider version 3.43 from HashiCorp, allowing Terraform to manage resources in Microsoft Azure. The provider block with features {} initializes Azure-specific settings with default values. The required_providers section ensures the correct provider version is used for compatibility with Azure services. It uses the default configuration, assuming you've already authenticated with the Azure CLI.

Variables

variable "location" {
  default = "West US"
}

variable "resourcegroupname" {
  default = "my-ase-default-rg"
}

variable "subscription_id" {
  type        = string
  description = "The Azure subscription ID"
}

This Terraform configuration defines three variables. The location sets a default region where resources will be created, in this case,
"West US". The resourcegroupname defines the default name for the resource group. The subscription_id is a placeholder for the
Azure subscription ID, which you'll need to provide. These variables make it easier to manage resources in Azure by allowing
changes without modifying the entire code.

Random String

resource "random_string" "random" {
  length  = 8
  upper   = false
  lower   = true
  special = false
}

This resource block generates a random string of 8 characters with lowercase letters. It's useful for creating unique names for
resources like storage accounts, virtual machines, or other Azure services. The random string is stored in the random resource and
can be referenced in other resource blocks.

Log Analytics Workspace

resource "azurerm_log_analytics_workspace" "ase-log-workspace" {
  name                = "${random_string.random.result}-log-workspace"
  location            = var.location
  resource_group_name = var.resourcegroupname
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

This resource creates an Azure Log Analytics workspace. It's a centralized platform for collecting and analyzing logs from various
Azure resources. The workspace uses the "PerGB2018" pricing model and retains data for 30 days.

Outputs

output "log_workspace_name" {
  value = azurerm_log_analytics_workspace.ase-log-workspace.name
}

This output block defines an output variable log_workspace_name that returns the name of the Log Analytics workspace created in
the resource block. It allows you to access the workspace name after deployment for further configuration or integration with other
resources.

Please copy the code blocks from each instruction above, paste them into the main.tf file and save it.

If you have followed the above instructions, you have created your own terraform code. You can now skip the Using our pre-written terraform code section and move to the next section, Deploying the infrastructure.

Using our pre-written terraform code

Change Directory

cd /root/azure-sentinel/log-workspace

Deploying the infrastructure

After writing the terraform code or using the pre-written code, you can now deploy the infrastructure.

Terraform is a tool designed for building, changing, and versioning infrastructure safely and efficiently. It supports both popular
service providers and custom in-house solutions.

1. Initialize Terraform: This step will download the necessary plugins.

terraform init

2. Set the Subscription ID: Export the subscription ID as a variable.

export subscription_id=$(az account show --query id --output tsv)

3. Set the Resource Group Name: Export the resource group name to variables.

export resourcegroupname=$(az group list --query '[0].name' --output tsv)

4. Deploy Resources: Apply the Terraform configuration to deploy your resources.

terraform apply -auto-approve -var="subscription_id=$subscription_id" -var="resourcegroupname=$resourcegroupname"

The above command will create the infrastructure. It will take some time to complete.

Log Analytics Workspace


1. Open your web browser and go to the Azure Portal.
2. Log in with your Azure account credentials.
3. In the Azure Portal, search for Log Analytics workspaces in the search bar.
4. Click on the Log Analytics workspaces service.
5. You will see the newly created Log Analytics workspace in the list. (The name of the workspace will be in the format <random-string>-log-workspace, as set by the resource block above.)

Explore Log Analytics Workspace


1. Click on the newly created Log Analytics workspace.
2. In the Overview section, you can see the workspace details, such as the workspace ID, subscription, resource group, and
location.
3. Click on the Logs option in the left-hand menu to open the Log Analytics query editor.
4. You can run queries using the Kusto Query Language (KQL) to analyze the data collected by the workspace.(At present, there
will be no data to query as we haven't configured any data sources).
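Since the workspace has no data sources yet, the following is an added Terraform example (not part of the lab's main.tf) that routes the subscription's Activity Log into the workspace so that the Logs blade has control-plane events to query. It assumes the provider, variables and ase-log-workspace resource defined earlier in this lab, and a recent azurerm 3.x provider that supports the enabled_log block.

```hcl
# Added example: not part of the lab's main.tf. Assumes the provider,
# variables and "ase-log-workspace" resource defined earlier in this lab.

# The subscription the Azure CLI is logged into (its id is /subscriptions/<guid>)
data "azurerm_subscription" "current" {}

# Route the subscription Activity Log into the Log Analytics workspace so that
# control-plane operations (role assignments, resource changes, policy events)
# become queryable in the Logs blade.
resource "azurerm_monitor_diagnostic_setting" "activity_log" {
  name                       = "${random_string.random.result}-activity-log"
  target_resource_id         = data.azurerm_subscription.current.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.ase-log-workspace.id

  # Activity Log categories most relevant for security monitoring
  enabled_log { category = "Administrative" }
  enabled_log { category = "Security" }
  enabled_log { category = "Policy" }
}

# Workspace (customer) ID shown on the portal Overview blade; agents and
# API clients use it to target this workspace.
output "log_workspace_customer_id" {
  value = azurerm_log_analytics_workspace.ase-log-workspace.workspace_id
}

# Once events arrive (allow a few minutes), this KQL in the Logs blade lists
# the administrative operations recorded, newest first:
#   AzureActivity
#   | where CategoryValue == "Administrative"
#   | project TimeGenerated, Caller, OperationNameValue, ActivityStatusValue
#   | order by TimeGenerated desc
```

Append this to main.tf and re-run the terraform apply command from the deployment section; the diagnostic setting is removed again by terraform destroy in the Teardown section.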

Teardown

Change directory to your working terraform directory.

If you followed the DO IT YOURSELF (D.I.Y.) Approach section, change to /root/azure-sentinel/Developer:

cd /root/azure-sentinel/Developer

If you followed the Pre-written Approach section, change to /root/azure-sentinel/log-workspace:

cd /root/azure-sentinel/log-workspace

Note: Make sure you are in the correct directory before executing the following commands.

To delete all resources, use the following command:

terraform destroy -auto-approve -var="subscription_id=$subscription_id" -var="resourcegroupname=$resourcegroupname"

Ensure you're using the same terminal where the values for subscription_id and resourcegroupname have been set. If not, set their values by referring to the Deploying the infrastructure section.

This will delete all the resources we created using terraform.
