Setting up Microsoft Sentinel for Azure Managed HSM

You can use Microsoft Sentinel to automatically detect suspicious activity on your Azure resources. Microsoft Sentinel comes with many out-of-the-box connectors for Microsoft services, which integrate in real time. You can find the specific "Solution Package" for protecting Azure Key Vaults in Microsoft Sentinel's Content Hub. You can use this package for Managed HSM as well, but a few key steps are needed to ensure it works properly for Managed HSM.

  1. Follow the instructions found in Quickstart: Onboard to Microsoft Sentinel | Microsoft Learn to enable Microsoft Sentinel.

  2. Navigate to your Microsoft Sentinel workspace, and then select Content hub under Content management.

    A screenshot of the content hub under content management in the Microsoft Sentinel workspace.

    1. Search for Azure Key Vault in the Content Hub and select it.

      A screenshot of the search for Azure Key Vault in the Content Hub.

    2. Select Install on the sidebar that appears.

      A screenshot of the install option in the sidebar for Azure Key Vault.

    3. Select Analytics under Configuration.

      A screenshot of analytics under configuration in Microsoft Sentinel.

    4. Select Rule templates, and then search for Azure Key Vault or use the filter to filter Data sources to Azure Key Vault.

      A screenshot of the rule templates filtered by the Azure Key Vault data source.

    5. Use the rule template that matches your use case best. In this example, we select Sensitive Key Vault operations. In the sidebar that appears, select Create rule.

      A screenshot of the create rule option for sensitive Key Vault operations.

    6. In the Set rule logic tab, edit the rule query. Change "VAULTS" to "MANAGEDHSMS". In this example, we also changed the SensitiveOperationList to include key-related operations only.

      A screenshot of the set rule logic tab with the rule query for Managed HSM.

    7. In this example, we schedule the query to run once every hour.

      A screenshot of the schedule query to run every hour.

    8. Review and save the rule. You should now see the rule you created on the Analytics page.

      A screenshot of the created rule on the analytics page.

    9. You can test the rule by creating and deleting a key. The KeyDelete operation is one of the sensitive operations searched by the Analytic Rule named "Sensitive Azure Managed HSM operations".
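The query edit described in step 6 could look like the following. This is an added sketch, not the rule template's own text or a query from the original page. Assumptions: the rule reads from the `AzureDiagnostics` table, `KeyPurge` and `KeyBackup` are illustrative key-related operation names beside the `KeyDelete` named above, and the `summarize` columns are chosen for illustration.

```kql
// Added example: adapted "sensitive operations" query for Managed HSM.
// Assumption: only KeyDelete is named on this page; confirm the other
// operation names against your own Managed HSM logs before relying on them.
let SensitiveOperationList = dynamic(["KeyDelete", "KeyPurge", "KeyBackup"]);
AzureDiagnostics
// Step 6: the Key Vault template filters on "VAULTS"; Managed HSM needs "MANAGEDHSMS".
| where ResourceType =~ "MANAGEDHSMS"
// Keep only operations that completed successfully.
| where ResultType =~ "Success"
// Case-insensitive match against the key-related operations only.
| where OperationName in~ (SensitiveOperationList)
// One row per HSM and caller, with the time window and operations seen.
| summarize
    EventCount = count(),
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    Operations = make_set(OperationName)
    by Resource, CallerIPAddress
```

If the query returns nothing after the create-and-delete test in step 9, leaving the filter at `"VAULTS"` is the first thing to check, since the rule then saves and runs but never matches Managed HSM records.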
