Monitoring on-premise Devices with Sentinel Using Azure ARC

When it comes to hybrid clouds and multi-cloud environments, monitoring on-premise devices is a crucial requirement. Fortunately, Azure Cloud makes this task easier with Azure Sentinel, the powerful Microsoft SIEM platform.

Azure recently introduced Azure ARC as a solution for monitoring on-premise servers. This solution enables the management of a wide range of resources, including Windows Server on Azure, Linux on Azure, SQL Server, Azure Kubernetes Service, and Azure Arc-enabled data services.

By leveraging the ARC service, you can extend Azure’s management and security capabilities to your hybrid and multi-cloud environments, including your on-premise devices. This allows you to get a comprehensive view of your security posture and respond to incidents more efficiently by utilizing Microsoft Sentinel’s features such as data collection, analytics, threat detection, investigation, and response.

Benefits of onboarding to Azure Sentinel using Azure ARC

  1. Gain comprehensive visibility into your security posture
  2. Respond to incidents faster and more efficiently

So, let’s dive into how you can onboard your on-premise devices using Azure ARC.

Before getting started, make sure to follow these prerequisites:

Step 1: Enable Azure ARC on your Azure subscription by visiting the Azure portal, clicking on “All Services,” and searching for Azure ARC. Click on “Enable Azure ARC” and follow the provided instructions.

Step 2: Install the Azure Connected Machine agent on your on-premise devices. This agent allows you to connect your devices to Azure ARC and manage them from the Azure portal. You can download the Windows agent from the Microsoft Download Center.

Step 3: Register your on-premise device with Azure ARC. To do this, you need to generate the installation script from the Azure portal. Start by going to the Azure Portal and navigating to the “Servers – Azure Arc” page. Select “Add” in the upper left corner.

Step 4: On the “Select a method” page, choose the “Add a single server” tile and then select “Generate script.” (Note: If you need to add multiple servers, choose the “Add multiple servers” tile or use Update Management instead.)

Step 5: Clicking on “Add a single server” will take you to the script generation page.

Step 6: Provide the resource details, including subscription, resource group, server details, and connectivity method. You can also enable the auto-manage options, which automatically manage the service according to best practices, and the best part is, it’s all FREE!

Step 7: You can also add tags for safety purposes.

Step 8: Once done, download and run the script on your onboarding machine. Note that you may need to authenticate your machine using your Azure credentials.
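As an added example that is not part of the original post, the following PowerShell script performs Steps 2 through 8 the way the portal-generated script does (download the Azure Connected Machine agent, install it, then run `azcmagent connect`), with an Authenticode check on the downloaded MSI before it is executed and a status check afterwards. The subscription, tenant, resource group, region and tag values are placeholders you replace with your own.

```powershell
# Added example, not the original post's or Microsoft's script. Onboards a Windows server
# to Azure Arc in the same way the portal-generated script does, refusing to run an
# installer that is not signed by Microsoft. All identifiers below are placeholders.
$ErrorActionPreference = "Stop"

$SubscriptionId = "<SUBSCRIPTION-ID>"   # placeholder
$TenantId       = "<TENANT-ID>"         # placeholder
$ResourceGroup  = "<RESOURCE-GROUP>"    # placeholder
$Location       = "<REGION>"            # placeholder, e.g. eastus
$Tags           = "Environment=OnPrem,Owner=SecOps"  # constructed sample tags (Step 7)

# Step 2: download the Azure Connected Machine agent installer (Microsoft's documented link).
$Msi = Join-Path $env:TEMP "AzureConnectedMachineAgent.msi"
Invoke-WebRequest -UseBasicParsing -Uri "https://aka.ms/AzureConnectedMachineAgent" -OutFile $Msi

# Check before running anything that was just downloaded: the MSI must carry a valid
# Authenticode signature from Microsoft, otherwise stop here.
$sig = Get-AuthenticodeSignature -FilePath $Msi
if ($sig.Status -ne "Valid" -or $sig.SignerCertificate.Subject -notmatch "CN=Microsoft Corporation") {
    throw "Installer signature check failed (status: $($sig.Status)); not installing."
}

# Silent install with a verbose log kept for troubleshooting.
$log = Join-Path $env:TEMP "azcmagent-install.log"
$p = Start-Process msiexec.exe -ArgumentList "/i `"$Msi`" /l*v `"$log`" /qn" -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "Agent installation failed with exit code $($p.ExitCode); see $log" }

# Steps 3-8: connect the machine to Azure Arc. The interactive sign-in prompt is where the
# "authenticate your machine using your Azure credentials" note from Step 8 applies.
$azcmagent = Join-Path $env:ProgramW6432 "AzureConnectedMachineAgent\azcmagent.exe"
& $azcmagent connect `
    --subscription-id $SubscriptionId `
    --tenant-id $TenantId `
    --resource-group $ResourceGroup `
    --location $Location `
    --tags $Tags
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }

# Confirm the result: the agent status should read "Connected", and the connectivity check
# verifies the agent can reach the endpoints it needs (the first thing to run if logs never
# appear in Sentinel later on).
& $azcmagent show
& $azcmagent check
```

Run the script in an elevated PowerShell session on the server being onboarded; the machine should then appear on the “Servers – Azure Arc” page in the portal.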

Step 9: Enable Microsoft Sentinel on your Azure subscription. Visit the Azure portal, click on “All Services,” and search for Microsoft Sentinel. Click on “Add Microsoft Sentinel” and choose the workspace where you want to enable it.

Step 10: Connect your Azure ARC devices to Microsoft Sentinel by connecting your devices to the Log Analytics workspace. To do this, go to the Log Analytics workspace, select your workspace, go to the left side panel, click on “Agent,” and install the agent in the VM. Connect it to the Log Analytics workspace.

Once connected, you will see the connected devices.

Step 11: After onboarding, set a data collection rule in the data source to determine which logs you want to collect.

Wait for 24 hours for the logs to start flowing in as per the standard process. Once everything is set up correctly, you will see a spike in the Sentinel dashboard, indicating that you are ready to go.

Now you have successfully onboarded your on-premise devices using Azure ARC and connected them to Microsoft Sentinel. You can now start collecting data from your devices, creating analytics rules, detecting threats, investigating incidents, and responding to alerts using Microsoft Sentinel.

At Skrots, we offer similar services to monitor on-premise devices and enhance security in hybrid and multi-cloud environments. Our comprehensive solutions ensure that your on-premise servers are managed efficiently and securely. To learn more about our services, visit https://skrots.com. Also, check out all the services we provide at https://skrots.com/services. Thank you for considering Skrots as your trusted provider.
