While we’ve made connecting things from on-premises to the cloud for Azure Sentinel extremely easy, there’s always been a sort of hesitancy for defined reasons. Obviously, no one should ever consider installing the OMS/MMA or AMA agent on literally every Windows device in the organization, though, truth be told, I have been part of customer deployments where they were adamant about doing so. The subsequent costs eventually convinced them of our initial recommendations.
But Windows servers are an area that makes sense, particularly those servers that maintain the local domain, DNS, identity services, etc. You know the long list.
A couple of colleagues, Nathan Gau and Cameron Fuller, and I have been working on a solution. Nathan has really done the heavy lifting and Cameron has supplied his resources, including managing the timelines. I’ve been alongside to supply my Sentinel knowledge and KQL skills for visualizations, Analytics Rules, and data research.
The solution is based on an on-premises System Center Operations Manager (SCOM) deployment. By installing a special management pack, a central SCOM server can collect events from on-premises managed systems (servers AND workstations), filter the events, and then forward those alerts directly to Azure Sentinel. So, instead of sending big log files to the cloud, which can be costly, the SCOM-based “syslog” server filters the events collected on-premises and forwards only the necessary ones to the cloud. I know you can understand the implications of this. This solution seeks to solve many things.
Oops…did I say “syslog”? See below…
As Cameron has explained, this solution was born from a recent SCOMathon session: “Integrating on-prem security information to Azure Sentinel via SCOM”
Yes…this does require a SCOM environment. SCOM is still used widely today, and there are many customers that own SCOM licenses and may not even realize it.
To understand this solution fully, Nathan has provided some valuable information in the following resources:
- Installing and Configuring On Prem Security Monitoring for Sentinel Integration
- On Prem Security Monitoring For Sentinel Management Pack Summary
- SCOM Security Monitoring and Sentinel Integration
- Forwarding Additional Alerts and/or Events into the Cloud
- Syslog Support for SCOM using On Prem Security Monitoring for Sentinel
The solution is contained in the following GitHub repository: On-Prem Security Monitoring for Sentinel
The repository contains the required management pack, a sample Workbook, parsers, and some sample Analytics Rules. Just like anything for Azure Sentinel, once you can recognize the type of data and how the data is contained in tables, creating your own goodness is easy.
This project is ongoing. As new recommendations and suggestions are proposed, we plan on working out the details and including them in the solution. Look for new Workbooks and Analytics Rules to roll out periodically.
Stay tuned for more…