Nathan Gau's SCOM blog

Step 1, if you haven't already done this, connect your SCOM environment to a Log Analytics workspace. Ideally this should be the same workspace that Sentinel is using; if not, Sentinel can be extended to connect to other workspaces. There are also a couple of things to watch out for here:

- TLS 1.2 will need to be configured on your SCOM management servers.
- Ensure that your Log Analytics workspace is in a datacenter that supports SCOM connections. For instance, East US is supported, while East US 2 is not.

Once connected, ensure that the advisor MPs download. If you are having problems at this stage, troubleshoot them before going any further.

Step 2, from Log Analytics, add the Alert Management solution to your workspace. You can find it by searching for Operations Manager in the Solutions section of Log Analytics.

Step 3, back up your security monitoring overrides management pack(s).

Step 5, install On Prem Security Monitoring for Sentinel. Optionally, add the unsealed management pack to enable forwarding of the security events specifically required by Sentinel. This will potentially add some cost to the deployment, but it should remain considerably lower than configuring the Microsoft Monitoring Agent to talk directly to Log Analytics, as is typically done today.

Step 6, create an override of any of the rules/monitors in this pack and store it in a custom MP. It doesn't matter which one; you're going to delete this. You simply need the management pack information in the References section of this customization.

Step 7, export this custom MP to disk and then delete it from SCOM.

Step 8, from this custom MP, copy the reference information. The namespace is the same between these MPs, which means all of the rules and overrides from your original customization can be re-imported into SCOM, but you'll need to change the reference info. (Screenshot: the References section of the custom MP created in Step 6, showing the lines to grab.) You only need the ID, Version, and PublicKeyToken. Copy those 3 lines from your own export (they will be different from the screenshot, so do not type them). Then edit the overrides management pack you backed up in Step 3: DO NOT REPLACE THE ALIAS, replace only the ID, Version, and PublicKeyToken with the values taken from the custom MP. These are the same 3 items that you copied.

Step 9, re-import your old overrides management pack into SCOM.

Step 10, add your SCOM management server(s) as managed computers so that they send data into the cloud. Doing this ahead of downloading the MPs has been known to cause issues with the MP download. It has also, however, been the fix that I need in order to get data to move to the cloud. I would note that I have been able to successfully get data to sync to the cloud without doing this… I don't have a good explanation for that at the moment, but this timing is VERY important: you must have the advisor MPs before you do this step. You are welcome to skip this piece if you're getting data into the Alert and Event tables from SCOM, but if you aren't getting data from SCOM in the cloud, I'd revisit it.

Step 11, import Rod's components on the Sentinel side. He has written some really good analytics rules and has a lot more coming. If you want to forward additional events/alerts into the cloud, review this post. I kept the namespaces the same between the management packs to allow for ease of migration should you choose to move in that direction. You can have this solution up and running in a few minutes' time.
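The TLS 1.2 prerequisite in Step 1 is easy to get half right (SCHANNEL enabled, but the .NET Framework still negotiating an older protocol). The following check is an added example, not code from the original post: it reads the SCHANNEL TLS 1.2 client/server keys and the .NET Framework strong-crypto values on the local machine and reports any that are missing or wrong. Run it in an elevated PowerShell session on each SCOM management server. The function name is my own.

```powershell
# Added example (not from the original post). Reports whether the registry
# values that force SCHANNEL and the .NET Framework onto TLS 1.2 are present
# on this machine. Hypothetical function name; run elevated on each SCOM
# management server.
function Test-ScomTls12Config {
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    $net64    = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $net32    = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'

    # Each entry: registry path, value name, expected REG_DWORD value.
    $checks = @(
        @{ Path = "$schannel\Client"; Name = 'Enabled';                 Expected = 1 },
        @{ Path = "$schannel\Client"; Name = 'DisabledByDefault';       Expected = 0 },
        @{ Path = "$schannel\Server"; Name = 'Enabled';                 Expected = 1 },
        @{ Path = "$schannel\Server"; Name = 'DisabledByDefault';       Expected = 0 },
        @{ Path = $net64;             Name = 'SchUseStrongCrypto';      Expected = 1 },
        @{ Path = $net64;             Name = 'SystemDefaultTlsVersions'; Expected = 1 },
        @{ Path = $net32;             Name = 'SchUseStrongCrypto';      Expected = 1 },
        @{ Path = $net32;             Name = 'SystemDefaultTlsVersions'; Expected = 1 }
    )

    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path -Path $c.Path) {
            # Missing value name -> $null rather than an error.
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        [pscustomobject]@{
            Path     = $c.Path
            Name     = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Ok       = ($null -ne $actual -and [int]$actual -eq $c.Expected)
        }
    }
}

$results = Test-ScomTls12Config
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'TLS 1.2 is not fully configured: fix the rows with Ok = False (REG_DWORD) and reboot.'
}
```

Any row with Ok = False needs the value created as a REG_DWORD and the server rebooted before the SCOM services will pick the setting up; a missing key (Actual empty) is reported the same way as a wrong value, since SCHANNEL treats an absent Enabled value as "use the OS default".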
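Steps 8 and 9 amount to editing one Reference element in the exported overrides MP by hand, which is exactly where a typo or an accidentally changed Alias breaks every override in the pack. The script below is an added example, not code from the original post or from the management packs it describes: it pulls the ID, Version and PublicKeyToken out of the throwaway custom MP from Step 7, writes them into the matching Reference of the backed-up overrides MP while leaving the Alias untouched, and confirms the alias is still used by the pack body. The function name, file names and management pack IDs in the constructed sample packs are all hypothetical.

```powershell
# Added example (not from the original post). Updates the reference to the
# security monitoring MP inside the backed-up overrides MP, keeping the Alias.
# Function name, paths and MP IDs below are hypothetical.
function Update-MPReference {
    param(
        [Parameter(Mandatory)] [string] $OverridesMpPath,  # overrides MP backed up in Step 3
        [Parameter(Mandatory)] [string] $ThrowawayMpPath,  # custom MP exported in Step 7
        [Parameter(Mandatory)] [string] $OldReferenceId,   # ID the overrides MP references today
        [Parameter(Mandatory)] [string] $NewReferenceId,   # ID of the new security monitoring MP
        [Parameter(Mandatory)] [string] $OutPath           # absolute path for the edited pack
    )

    [xml] $overrides = Get-Content -Raw -Path $OverridesMpPath
    [xml] $throwaway = Get-Content -Raw -Path $ThrowawayMpPath

    # The throwaway pack carries the exact ID/Version/PublicKeyToken SCOM expects
    # for the new sealed pack, because the console generated it.
    $newRef = $throwaway.SelectSingleNode("/ManagementPack/Manifest/References/Reference[ID='$NewReferenceId']")
    if (-not $newRef) { throw "Reference '$NewReferenceId' not found in $ThrowawayMpPath" }

    $oldRef = $overrides.SelectSingleNode("/ManagementPack/Manifest/References/Reference[ID='$OldReferenceId']")
    if (-not $oldRef) { throw "Reference '$OldReferenceId' not found in $OverridesMpPath" }

    # Overrides address their targets as "<Alias>!<ElementId>", so the Alias
    # attribute must stay as it is; only the three identity fields change.
    $alias = $oldRef.GetAttribute('Alias')
    $oldRef.ID             = $newRef.ID
    $oldRef.Version        = $newRef.Version
    $oldRef.PublicKeyToken = $newRef.PublicKeyToken

    # Sanity check: the alias really is used somewhere in the pack body.
    $uses = [regex]::Matches($overrides.OuterXml, [regex]::Escape("$alias!")).Count
    if ($uses -eq 0) { Write-Warning "Alias '$alias' is not used by any override; check the pack." }

    $overrides.Save($OutPath)
    [pscustomobject]@{
        Alias = $alias; ID = $oldRef.ID; Version = $oldRef.Version
        PublicKeyToken = $oldRef.PublicKeyToken; AliasUses = $uses; OutPath = $OutPath
    }
}

# Constructed sample packs (hypothetical IDs) so the function can be exercised
# without a SCOM export. Real exports contain far more elements.
$overridesXml = @'
<ManagementPack ContentReadable="true" SchemaVersion="2.0" OriginalSchemaVersion="1.1">
  <Manifest>
    <Identity><ID>Custom.SecurityMonitoring.Overrides</ID><Version>1.0.0.0</Version></Identity>
    <Name>Security Monitoring Overrides</Name>
    <References>
      <Reference Alias="SecMon">
        <ID>Example.SecurityMonitoring</ID>
        <Version>1.0.0.0</Version>
        <PublicKeyToken>1111111111111111</PublicKeyToken>
      </Reference>
    </References>
  </Manifest>
  <Monitoring>
    <Overrides>
      <RulePropertyOverride ID="Override1" Context="SecMon!Example.SecurityMonitoring.Server"
        Enforced="false" Rule="SecMon!Example.SecurityMonitoring.SomeRule" Property="Enabled">
        <Value>true</Value>
      </RulePropertyOverride>
    </Overrides>
  </Monitoring>
</ManagementPack>
'@
$throwawayXml = @'
<ManagementPack ContentReadable="true" SchemaVersion="2.0" OriginalSchemaVersion="1.1">
  <Manifest>
    <Identity><ID>Throwaway.Override</ID><Version>1.0.0.0</Version></Identity>
    <Name>Throwaway</Name>
    <References>
      <Reference Alias="SecMonSentinel">
        <ID>Example.SecurityMonitoring.Sentinel</ID>
        <Version>2.0.0.0</Version>
        <PublicKeyToken>2222222222222222</PublicKeyToken>
      </Reference>
    </References>
  </Manifest>
</ManagementPack>
'@

$tmp = Join-Path ([IO.Path]::GetTempPath()) 'mp-reference-demo'
New-Item -ItemType Directory -Force -Path $tmp | Out-Null
Set-Content -Path (Join-Path $tmp 'overrides.xml') -Value $overridesXml
Set-Content -Path (Join-Path $tmp 'throwaway.xml') -Value $throwawayXml

Update-MPReference -OverridesMpPath (Join-Path $tmp 'overrides.xml') `
                   -ThrowawayMpPath (Join-Path $tmp 'throwaway.xml') `
                   -OldReferenceId  'Example.SecurityMonitoring' `
                   -NewReferenceId  'Example.SecurityMonitoring.Sentinel' `
                   -OutPath (Join-Path $tmp 'overrides.updated.xml')
```

The returned object shows Alias still equal to SecMon while ID, Version and PublicKeyToken now carry the values from the throwaway pack, and AliasUses confirms the Context and Rule attributes still resolve through that alias. Import the file at OutPath in Step 9. If the old overrides pack is still present in SCOM at that point, the Version in the Identity element also has to be raised, since SCOM only accepts a re-import of an existing pack ID as an upgrade.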