{"id":57371,"date":"2020-03-30T15:43:43","date_gmt":"2020-03-30T14:43:43","guid":{"rendered":"http:\/\/content.n4stack.io\/?p=57371"},"modified":"2020-04-30T12:24:31","modified_gmt":"2020-04-30T11:24:31","slug":"azure-sentinel-network-ids","status":"publish","type":"post","link":"http:\/\/content.n4stack.io\/2020\/03\/30\/azure-sentinel-network-ids\/","title":{"rendered":"Network IDS & Azure Sentinel"},"content":{"rendered":"
I've been starting to use Azure Sentinel recently and exploring some of its capabilities: there are currently about 40 built-in data connectors that take logs from different services/products.

I decided to see if I could add integrations with some open-source network tools, and Zeek (formerly Bro) seemed like a perfect place to start. Rather than logging packets that match a specific rule (as is the focus of Snort/Suricata), Zeek can be configured to log pretty much anything; out of the box it logs metadata on all SSL connections, DNS lookups, HTTP requests, etc.

I won't go through the basic setup for Zeek since that's much better documented elsewhere; suffice it to say I installed Debian 10 on a small physical box and then installed Zeek via Apt. I then installed the Azure OMS agent, which collects logs and sends them into Azure.