1
00:00:01,040 --> 00:00:04,270
In this demonstration, we'll do all our work in Microsoft Azure.

2
00:00:04,270 --> 00:00:07,760
Specifically, we'll look at the Log Analytics workspace,

3
00:00:07,760 --> 00:00:11,620
Microsoft Sentinel, and we'll revisit Defender for Cloud,

4
00:00:11,620 --> 00:00:13,690
which we've used a bit in the past,

5
00:00:13,690 --> 00:00:17,540
but it's always good to revisit to reintegrate our knowledge.

6
00:00:17,540 --> 00:00:21,410
You're looking at the desktop of a Windows 10 domain‑joined workstation.

7
00:00:21,410 --> 00:00:25,170
Not that it matters because as long as you've got an internet connection,

8
00:00:25,170 --> 00:00:27,440
you can get into the Azure portal.

9
00:00:27,440 --> 00:00:31,580
So here we are at portal.azure.com, and let's go over to Log Analytics.

10
00:00:31,580 --> 00:00:35,590
Recall that the Log Analytics workspace is where all the

11
00:00:35,590 --> 00:00:40,140
so‑called magic happens as far as collecting diagnostics logs

12
00:00:40,140 --> 00:00:44,620
for not just your Azure resources, but your off‑cloud resources as well,

13
00:00:44,620 --> 00:00:47,540
including your on‑premises servers.

14
00:00:47,540 --> 00:00:50,340
So you can see here I have one infrastructure workspace

15
00:00:50,340 --> 00:00:54,320
called tim‑laworkspace‑01 and another that I've created

16
00:00:54,320 --> 00:00:56,780
specifically for Microsoft Sentinel.

17
00:00:56,780 --> 00:00:59,030
That's what I called sentinel‑workspace.

18
00:00:59,030 --> 00:01:02,770
Let's take a look at my infrastructure workspace. And just

19
00:01:02,770 --> 00:01:04,570
to show you around here for a moment,

20
00:01:04,570 --> 00:01:10,880
if we come down under Workspace Data Sources, an easy way to onboard your

21
00:01:10,880 --> 00:01:15,230
Azure virtual machines is simply to come here. As you can see, I've got a

22
00:01:15,230 --> 00:01:19,670
Windows Server virtual machine that's not connected currently. I can

23
00:01:19,670 --> 00:01:24,240
deliver the Log Analytics agent to that machine very easily this way

24
00:01:24,240 --> 00:01:25,530
directly through the portal.

25
00:01:25,530 --> 00:01:25,840
Now,

26
00:01:25,840 --> 00:01:29,790
ideally, you can also onboard the machine into Log

27
00:01:29,790 --> 00:01:32,130
Analytics using the ARM template.

28
00:01:32,130 --> 00:01:34,840
You can add the extension syntax there.

29
00:01:34,840 --> 00:01:39,880
You also can configure your workspace itself for automatic onboarding.

30
00:01:39,880 --> 00:01:43,860
You can do that also, come to think of it, in Microsoft Defender for Cloud.

31
00:01:43,860 --> 00:01:47,620
So there's certainly lots of ways to ensure that your managed

32
00:01:47,620 --> 00:01:52,580
Azure virtual machines will send their diagnostics into the

33
00:01:52,580 --> 00:01:55,040
central Log Analytics workspace.

34
00:01:55,040 --> 00:01:57,670
Now I want to say that although the workspace is

35
00:01:57,670 --> 00:01:59,920
associated with an Azure region,

36
00:01:59,920 --> 00:02:03,370
the VMs that you see here will be both Windows and Linux Azure

37
00:02:03,370 --> 00:02:08,630
VMs in any location, that is any region, in any subscription

38
00:02:08,630 --> 00:02:11,340
that trusts your Azure AD tenant.

39
00:02:11,340 --> 00:02:15,600
Now as far as your off‑cloud machines, again, there's lots of different options.

40
00:02:15,600 --> 00:02:19,800
The manual route is to come up to Agents management, and you can

41
00:02:19,800 --> 00:02:23,540
download and install the Log Analytics agent right here. You can

42
00:02:23,540 --> 00:02:27,190
grab the installer, and then when you run the installer on the

43
00:02:27,190 --> 00:02:32,640
destination machine, you provide the workspace ID and primary key.

44
00:02:32,640 --> 00:02:38,050
Now this is for Windows Server, not for Windows workstations, so I'm not sure,

45
00:02:38,050 --> 00:02:41,340
I don't think it would work for this Windows 10 machine.

46
00:02:41,340 --> 00:02:45,440
So, therefore, why don't I, through the magic of video editing,

47
00:02:45,440 --> 00:02:49,430
come on over to one of my on‑premises Windows Server machines,

48
00:02:49,430 --> 00:02:51,250
and let me just show you how this works.

49
00:02:51,250 --> 00:02:53,340
It's a good thing to understand.

50
00:02:53,340 --> 00:02:57,600
Now this is the Log Analytics agent, but notice that the executable is

51
00:02:57,600 --> 00:03:01,340
MMASetup. That stands for a Microsoft Management Agent.

52
00:03:01,340 --> 00:03:04,740
They're all synonymous terms. Please be aware of that.

53
00:03:04,740 --> 00:03:09,240
So let's open up that file and run the installer again. You may very well

54
00:03:09,240 --> 00:03:13,400
have something like Configuration Manager running on‑prem where you don't

55
00:03:13,400 --> 00:03:15,950
need to worry about manually installing software.

56
00:03:15,950 --> 00:03:20,040
I'm doing this intentionally to show you the flow.

57
00:03:20,040 --> 00:03:22,020
So it goes under the software,

58
00:03:22,020 --> 00:03:25,230
the agent goes under Program Files\Microsoft Monitoring

59
00:03:25,230 --> 00:03:28,850
Agent. And we want to choose Connect the agent to Azure

60
00:03:28,850 --> 00:03:30,420
Log Analytics. And as, again,

61
00:03:30,420 --> 00:03:35,350
I told you, all the product name changes, Operations Management Suite, or OMS,

62
00:03:35,350 --> 00:03:39,530
was the original name for the product, so don't be thrown off by that. In

63
00:03:39,530 --> 00:03:42,430
order to authenticate the agent into the workspace,

64
00:03:42,430 --> 00:03:46,900
we're going to need the workspace ID and one of the two API keys. So

65
00:03:46,900 --> 00:03:51,550
let me copy the workspace ID, and I'll Ctrl+V that in, and I'll just

66
00:03:51,550 --> 00:03:55,540
grab one of the API keys. Notice the Regenerate buttons. Those are

67
00:03:55,540 --> 00:03:59,830
very important because we want to ensure we cycle those every so often

68
00:03:59,830 --> 00:04:05,000
to prevent leakage and possible unauthorized servers reporting into

69
00:04:05,000 --> 00:04:06,340
the workspace.

70
00:04:06,340 --> 00:04:08,450
I'm not on a Government, or sovereign, cloud.

71
00:04:08,450 --> 00:04:11,260
I'm in Azure Commercial, so I'll leave that alone.

72
00:04:11,260 --> 00:04:13,390
Click Next. And there you have it.

73
00:04:13,390 --> 00:04:15,320
Now you might be wondering a couple of things.

74
00:04:15,320 --> 00:04:16,140
One,

75
00:04:16,140 --> 00:04:20,200
how can you configure the Microsoft Monitoring Agent after it's installed

76
00:04:20,200 --> 00:04:24,730
on a Windows machine that could be an EC2 instance in Amazon, could be a

77
00:04:24,730 --> 00:04:28,310
physical or virtual machine running on‑premises? It doesn't matter a bit.

78
00:04:28,310 --> 00:04:33,610
Well, the way you get to those agent properties on the workstation is

79
00:04:33,610 --> 00:04:34,890
through Control Panel.

80
00:04:34,890 --> 00:04:40,810
So let me open up the old‑fashioned Control Panel applet here, and

81
00:04:40,810 --> 00:04:44,000
you want to find Microsoft Monitoring Agent. And this is something

82
00:04:44,000 --> 00:04:46,980
important for the sake of Sentinel as well.

83
00:04:46,980 --> 00:04:51,790
We'll go to Azure Log Analytics (OMS), and you can actually configure

84
00:04:51,790 --> 00:04:55,650
Windows virtual machines to report to more than one Log Analytics

85
00:04:55,650 --> 00:05:00,240
workspace. You could just do Add, and we're given an opportunity to supply

86
00:05:00,240 --> 00:05:02,850
another workspace ID and workspace key.

87
00:05:02,850 --> 00:05:06,850
So this means this machine could simultaneously report to our

88
00:05:06,850 --> 00:05:10,970
infrastructure Log Analytics instance, as well as our Microsoft

89
00:05:10,970 --> 00:05:13,670
Sentinel instance, you see? All right,

90
00:05:13,670 --> 00:05:17,150
so that is that. The other thing, let me come back into the portal

91
00:05:17,150 --> 00:05:20,540
here, if we go to Agents configuration, this is where we can

92
00:05:20,540 --> 00:05:24,250
customize the Windows event log streams that we're gathering, as

93
00:05:24,250 --> 00:05:26,170
well as performance counters.

94
00:05:26,170 --> 00:05:29,960
Now nothing is going to be collected by default, so you can add those in

95
00:05:29,960 --> 00:05:34,150
and remove them when you don't need them anymore, and you can grab custom,

96
00:05:34,150 --> 00:05:38,750
as well as built‑in logs and performance counters. You're wondering, is it

97
00:05:38,750 --> 00:05:43,010
possible to have custom, custom logs, that is ones that your developers

98
00:05:43,010 --> 00:05:44,570
have created from scratch?

99
00:05:44,570 --> 00:05:46,230
Oh yeah, absolutely.

100
00:05:46,230 --> 00:05:54,000
Right here, Custom logs. There's a good Docs article on this. Check the exercise files for more details on that.