articles/application-gateway/for-containers/siem-integration-with-sentinel.md
11 additions & 10 deletions
@@ -64,9 +64,9 @@ In this QuickStart guide, you set up:
64
64

65
65
66
66
6. Create rule query based on your access logs:
67
-
1. Example Scenario: A user sends encrypted data through a specific URL.
68
-
2. Goal: Detect threats from a HostName with RequestURI **"/secret/path"**.
69
-
3. Create query:
67
+
- Example Scenario: A user sends encrypted data through a specific URL.
68
+
- Goal: Detect threats from a HostName with RequestURI **"/secret/path"**.
69
+
- Create query:
70
70
71
71
```bash
72
72
# Example Query
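Review bot: the fenced block that follows the new "Create query:" bullet is still tagged ```bash, but the text after it says the block "filters `AGCAccessLogs` based on conditions related to hostname and request URI", which is a Sentinel (KQL) query rather than shell; while this hunk is touching the surrounding list, consider changing the fence to ```kusto so the query is highlighted correctly. The conversion of the three numbered sub-steps under step 6 into bullets is fine as a style change, but note that step 6 itself keeps its number here while the following steps are renumbered in the next hunk, so the two hunks need to be checked together for a consistent sequence.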
@@ -76,18 +76,19 @@ In this QuickStart guide, you set up:
76
76
77
77
This query filters `AGCAccessLogs` based on conditions related to hostname and request URI.
78
78
79
-
7. Detect associated IPs by Entity Mapping:
79
+
8. Detect associated IPs by Entity Mapping:
80
80
<img src="./media/siem-integration-with-sentinel/entity-mapping.png" alt="A screenshot of the entity mapping." width="80%">
81
81
82
-
8. Set Query Scheduling:
83
-
1. Run for every 5 hours.
84
-
2. Look up data for every 5 hours.
85
-
9. **Review + Create**.
82
+
9. Set Query Scheduling:
83
+
- Run for every 5 hours.
84
+
- Look up data for every 5 hours.
85
+
11. **Review + Create**.
86
86
87
87
88
88
## Test Incident
89
89
90
-
1. An incident occurs after the rule is active. Now we're ready to send some traffic with **/secret/path** to our sample application, via the FQDN (fully qualified domain name) assigned to the frontend. Use the following command to get the FQDN:
90
+
1. Send traffic into the URL to create an incident:
91
+
- Now we're ready to send some traffic with **/secret/path** to our sample application, via the FQDN (fully qualified domain name) assigned to the frontend. Use the following command to get the FQDN:
91
92
92
93
```bash
93
94
fqdn=$(kubectl get gateway gateway-01 -n test-infra -o jsonpath='{.status.addresses[0].value}')
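Review bot: the renumbering in this hunk leaves a gap in the step sequence: "7. Detect associated IPs" becomes 8, "8. Set Query Scheduling" becomes 9, and "9. **Review + Create**" becomes 11, so with step 6 unchanged in the previous hunk the reader now sees 6, 8, 9, 11 and no step 7 or 10. Either keep 7, 8, 9 or, if a step was meant to be inserted, add it; as written the gap looks accidental. Smaller points in the same hunk: the "Test Incident" section now has a numbered item "1. Send traffic into the URL to create an incident:" whose only content is a single bullet starting "Now we're ready...", which reads oddly as a one-bullet list, and the scheduling bullets "Run for every 5 hours." and "Look up data for every 5 hours." could say what the lookup window means (the 5-hour lookback period) so the two lines are not read as duplicates.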
@@ -123,4 +124,4 @@ In this QuickStart guide, you set up:
123
124
124
125
[Automate Playbook and Alerts](../../azure-monitor/../sentinel/automation/automation.md) to create an alert for extra security measures and communication.
125
126
126
-
Congratulations, You can now create security barriers on your logs and investigate any incidents!
127
+
Congratulations, you can now create security barriers on your logs and investigate any incidents!
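Review bot: the capitalization fix in the closing sentence is correct. In the unchanged context line just above it, the link target `../../azure-monitor/../sentinel/automation/automation.md` contains a redundant `azure-monitor/..` segment that resolves to `../../sentinel/automation/automation.md`; since this hunk already edits the paragraph, simplifying the path here would avoid a confusing relative link.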