Monitoring on-premises Devices with Microsoft Sentinel Using Azure Arc

In hybrid and multi-cloud environments, the main requirement is to monitor on-premises devices alongside the cloud resources. For workloads that already run in Azure, this is straightforward with Microsoft Sentinel (formerly Azure Sentinel, Microsoft's cloud-native SIEM).

To bring on-premises servers into that same management plane, Azure introduced Azure Arc. Arc projects resources that live outside Azure into Azure Resource Manager so they can be managed like native Azure resources: Windows and Linux servers running on-premises or in other clouds, SQL Server instances, Kubernetes clusters, and Arc-enabled data services.

With Arc, you extend Azure management and security capabilities (Azure Policy, VM extensions, Defender for Cloud and Sentinel data collection) to your hybrid and multi-cloud environments, including your on-premises devices.

Benefits of onboarding to Microsoft Sentinel using Azure Arc

  1. Data collection from the server through an Azure-managed agent extension, instead of a separately maintained agent configuration.
  2. Analytics over the collected logs.
  3. Threat detection, investigation, and response.
  4. A comprehensive view of your security posture, so you can respond to incidents faster and more efficiently.

Now let's see how to onboard your on-premises devices using Azure Arc. The steps below cover the prerequisites first and then the onboarding itself:

Step 1. Enable Azure Arc on your Azure subscription. In practice this means registering the resource providers Arc depends on (Microsoft.HybridCompute, Microsoft.GuestConfiguration and Microsoft.HybridConnectivity) in the subscription. In the Azure portal, open your subscription, go to Resource providers, search for each namespace and select Register. The account that will run the onboarding also needs the Azure Connected Machine Onboarding role (or Contributor) on the target resource group.

Step 2. Install the Azure Connected Machine agent on your on-premises devices. This agent connects the device to Azure Arc so it can be managed from the Azure portal. The Windows agent is an MSI available from the Microsoft Download Center; the Linux agent is installed from Microsoft's package repository. You rarely need to download it by hand, because the script generated in Step 3 downloads and installs it for you.

Step 3. Register the on-premises device with Azure Arc. To do that, generate the installation script from the Azure portal.

First, open the Azure portal, go to the Servers - Azure Arc page, and select Add at the upper left.

[Screenshot: Azure Arc Servers]

Step 4. On the Select a method page, under the Add a single server tile, select Generate script. (I am adding a single server here. If you need to onboard many machines, the Add multiple servers option generates a script that authenticates with a service principal instead of an interactive login, and the Update Management option onboards machines already known to Azure Automation.)

[Screenshot: Add servers with Azure Arc]

Step 5. Selecting Add a single server takes you to the script generation page.

Step 6. Provide the resource details: subscription, resource group, region, operating system and connectivity method (public endpoint, proxy server or private endpoint). You can also enable Azure Automanage, which applies Microsoft's best-practice services to the machine automatically. Automanage itself is free, but the services it turns on (for example Log Analytics ingestion) are billed at their normal rates.

[Screenshot: Add servers with Azure Arc]

Step 7. Next, add tags. Tags do not provide any protection on their own; they are for organizing and scoping resources, for example so that an Azure Policy assignment or a Sentinel analytics rule can target every machine tagged Environment=OnPrem.

[Screenshot: Add servers with Azure Arc]

Step 8. Once you are done, download the script and run it on the machine you are onboarding, from an elevated (administrator) PowerShell session on Windows or with sudo on Linux.

Note. The script authenticates the machine with your Azure credentials through a device-login prompt; the account you use needs at least the Azure Connected Machine Onboarding role on the resource group. When the script finishes, the server appears on the Servers - Azure Arc page with the status Connected.

[Screenshot: Add servers with Azure Arc]

[Screenshots: AD Server; Azure Arc Servers]
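The following is an added example, not the script the portal generates and not code from the original post. It does what Steps 2 to 8 describe on a Windows server, the same way the portal-generated script does it (download Microsoft's installer script, install the Connected Machine agent, then run azcmagent connect), and adds two things a practitioner wants: a connectivity pre-flight with azcmagent check before trying to connect, and an azcmagent show afterwards to confirm the Connected state. The subscription, tenant, resource group, region and tag values are placeholders you replace with your own.

```powershell
# Added example: onboard one Windows server to Azure Arc and verify the result.
# Run in an elevated PowerShell session on the server being onboarded.
# The five values below are assumptions; replace them with your own.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # your subscription ID
$TenantId       = "00000000-0000-0000-0000-000000000000"   # your Microsoft Entra tenant ID
$ResourceGroup  = "rg-arc-servers"                          # existing resource group for Arc machines
$Location       = "eastus"                                  # region of that resource group
$Tags           = "Environment=OnPrem,Owner=SecOps"         # optional, comma-separated key=value pairs

$AgentDir  = Join-Path $env:ProgramFiles "AzureConnectedMachineAgent"
$Azcmagent = Join-Path $AgentDir "azcmagent.exe"

# Force TLS 1.2 for the download; older Windows Server builds default to TLS 1.0/1.1.
[Net.ServicePointManager]::SecurityProtocol = `
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# 1. Download and run Microsoft's installer script for the Connected Machine agent
#    (the portal-generated script uses this same aka.ms link).
if (-not (Test-Path $Azcmagent)) {
    $installer = Join-Path $env:TEMP "install_windows_azcmagent.ps1"
    Invoke-WebRequest -UseBasicParsing -Uri "https://aka.ms/azcmagent-windows" `
        -TimeoutSec 30 -OutFile $installer
    & $installer
    if ($LASTEXITCODE -ne 0) { throw "Agent install failed with exit code $LASTEXITCODE" }
}

# 2. Pre-flight: confirm the server can reach the Arc endpoints for this region.
#    On locked-down on-prem networks with egress filtering this is where onboarding
#    usually fails, so find out before the interactive login.
& $Azcmagent check --location $Location
if ($LASTEXITCODE -ne 0) { throw "Connectivity check failed; fix proxy or firewall egress before connecting" }

# 3. Register the machine. Without --service-principal-id/--service-principal-secret
#    this opens the device-login prompt mentioned in the Step 8 note.
& $Azcmagent connect `
    --resource-group  $ResourceGroup `
    --tenant-id       $TenantId `
    --location        $Location `
    --subscription-id $SubscriptionId `
    --cloud           "AzureCloud" `
    --tags            $Tags
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }

# 4. Verify: the agent should report the Azure resource ID and a Connected status.
& $Azcmagent show
```

The same flow works on Linux with the installer script at https://aka.ms/azcmagent and `sudo azcmagent connect` with the same flags. If the server sits behind a proxy, set it before step 2 with `azcmagent config set proxy.url http://proxy:3128` so both the check and the connect go through it.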

Step 9. Now enable Microsoft Sentinel on your Azure subscription. In the Azure portal, click All Services, search for Microsoft Sentinel, then click Create (Add Microsoft Sentinel in older portal versions) and select the Log Analytics workspace on which you want to enable it.

Step 10. Connect your Arc-enabled devices to the Sentinel workspace. The original route, shown in the screenshot below, is to open the Log Analytics workspace, go to Agents in the left panel, download the Log Analytics agent and install it on the machine with the workspace ID and key. Be aware that this agent (the Microsoft Monitoring Agent) is retired, with support ended on 31 August 2024. For Arc-enabled servers the supported path is the Azure Monitor Agent (AMA), deployed as an Arc extension from the machine's Extensions blade or automatically by the Windows Security Events via AMA data connector in Sentinel. AMA authenticates with the machine's Arc identity, so no workspace key has to be copied onto the server.

[Screenshot: Download agent]

Once the agent is connected, the machine shows up as below.

[Screenshot: Test Agent]

Step 11. Once the machine is onboarded, create a Data Collection Rule (DCR) in the data connector. The DCR defines which logs are collected (for the Windows Security Events connector: All, Common, Minimal or a custom event filter) and which machines it applies to, so nothing is ingested until a rule is associated with the server.

[Screenshot: Add data source]

Once you save, logs usually begin arriving within a few minutes, but allow up to 24 hours before treating an empty connector as a fault, since the Sentinel overview dashboard can lag behind ingestion. Once data is flowing you will see a spike in the Sentinel dashboard, and you are ready to go. Querying the Heartbeat and SecurityEvent tables for the new computer name is a quicker check than waiting on the dashboard.

[Screenshots: Microsoft Sentinel; Logs Azure Arc]
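The following is an added example, not code from the original post, covering Steps 1 and 9 to 11 from an admin workstation with the Az PowerShell modules (Az.Accounts, Az.Resources, Az.ConnectedMachine, Az.Monitor, Az.OperationalInsights). It registers the resource providers from Step 1, deploys the Azure Monitor Agent extension to the Arc-enabled server instead of the retired Log Analytics agent, associates the Data Collection Rule from Step 11 with the machine, and then runs the Heartbeat/SecurityEvent query that confirms data is flowing. The subscription, resource group, machine, workspace and DCR names are assumptions; in particular it assumes the DCR was already created in the Sentinel data connector and lives in the same resource group as the machine.

```powershell
# Added example: wire an Arc-enabled Windows server into the Sentinel workspace.
# Requires Az.Accounts, Az.Resources, Az.ConnectedMachine, Az.Monitor, Az.OperationalInsights.
# All names below are assumptions; replace them with your own.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"
$ResourceGroup  = "rg-arc-servers"                # resource group holding the Arc machine and the DCR
$MachineName    = "ad-server-01"                  # the Arc-enabled server name from Step 8
$WorkspaceName  = "law-sentinel"                  # Log Analytics workspace with Sentinel enabled (Step 9)
$DcrName        = "dcr-windows-security-events"   # DCR created by the Windows Security Events via AMA connector (Step 11)

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

# Step 1 prerequisite: the resource providers Arc and guest configuration depend on.
foreach ($ns in "Microsoft.HybridCompute", "Microsoft.GuestConfiguration", "Microsoft.HybridConnectivity") {
    if ((Get-AzResourceProvider -ProviderNamespace $ns).RegistrationState -notcontains "Registered") {
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
    }
}

# Resolve the Arc machine; its Azure resource ID is the target for the DCR association.
# Refuse to continue if the agent is not actually Connected, otherwise the extension
# deployment hangs until it times out.
$machine = Get-AzConnectedMachine -ResourceGroupName $ResourceGroup -Name $MachineName
if ($machine.Status -ne "Connected") {
    throw "$MachineName is '$($machine.Status)', not Connected; fix the agent first"
}

# Deploy the Azure Monitor Agent as an Arc extension (use AzureMonitorLinuxAgent on Linux).
# It authenticates with the machine's Arc identity; no workspace key is involved.
New-AzConnectedMachineExtension -Name "AzureMonitorWindowsAgent" `
    -ResourceGroupName $ResourceGroup -MachineName $MachineName -Location $machine.Location `
    -Publisher "Microsoft.Azure.Monitor" -ExtensionType "AzureMonitorWindowsAgent" `
    -EnableAutomaticUpgrade | Out-Null

# Associate the Data Collection Rule with the machine. Until this exists, AMA is
# installed but forwards nothing; the DCR is what scopes which logs are collected.
$dcr = Get-AzDataCollectionRule -ResourceGroupName $ResourceGroup -Name $DcrName
New-AzDataCollectionRuleAssociation -TargetResourceId $machine.Id `
    -AssociationName "sentinel-$DcrName" -RuleId $dcr.Id | Out-Null

# Verify ingestion without waiting on the dashboard: Heartbeat proves the agent is
# talking to the workspace, SecurityEvent proves the DCR is actually collecting.
$ws  = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$kql = @"
union Heartbeat, SecurityEvent
| where TimeGenerated > ago(1h) and Computer startswith "$MachineName"
| summarize Rows = count(), Latest = max(TimeGenerated) by Type
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql).Results | Format-Table
```

If the query returns Heartbeat rows but no SecurityEvent rows, the agent is healthy and the problem is the DCR: check that the rule's data source is Windows Security Events, that the association above exists on the machine's resource ID, and that the event stream you chose (All, Common or Minimal) actually matches the events being generated on the host.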

That's it. You have successfully onboarded your on-premises devices using Azure Arc and connected them to Microsoft Sentinel. Now you can start collecting data from your devices, creating analytics rules, detecting threats, investigating incidents, and responding to alerts using Microsoft Sentinel.