To publish a Monitor Alert and make it visible in Microsoft Sentinel, you can follow these general steps:
- Create a Monitor Alert: First, you need to create a Monitor Alert in your preferred monitoring solution. This can be done by setting up monitoring rules to detect specific events or conditions. For example, you could set up a Monitor Alert to trigger when a user account is locked out.
- Configure the alert to send data to Azure Event Hub: Once you have created the Monitor Alert, you need to configure it to send data to Azure Event Hub. Azure Event Hub is a data streaming service that can receive and process large amounts of data in real time. This is a required step to integrate your Monitor Alert with Microsoft Sentinel.
- Create a Microsoft Sentinel connector: After you have set up the Monitor Alert to send data to Azure Event Hub, you need to create a Microsoft Sentinel connector. This is done within the Microsoft Sentinel console. A connector is used to collect data from various sources and send it to Microsoft Sentinel for processing and analysis.
- Configure the connector to receive data from Azure Event Hub: Next, you need to configure the Microsoft Sentinel connector to receive data from Azure Event Hub. This will allow the connector to receive the Monitor Alert data sent from your monitoring solution.
- Validate the data and create analytics rules: Once the data is received in Microsoft Sentinel, you can validate it to ensure that the Monitor Alert is working correctly. You can then create analytics rules to process the data and generate insights and alerts.
- Configure alert notifications: Finally, you need to configure alert notifications in Microsoft Sentinel to ensure that the right people are notified when an alert is triggered. You can configure notifications to be sent via email, SMS, or other channels.
By following these steps, you can publish a Monitor Alert and make it visible in Microsoft Sentinel. This will enable you to monitor and analyze your organization's security data in real time and respond quickly to potential threats.
Hope this helps!
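As an added illustration of the "validate the data" and "create analytics rules" steps above (example code, not part of the original answer or of any Microsoft product): the script below consumes constructed Event Hub records, assumes the Monitor Alert was routed using Azure Monitor's common alert schema, drops records that fail validation, and applies a simple account-lockout rule. The rule name `AccountLockout`, the user names and the `customProperties` layout are assumptions.

```python
import json
from collections import Counter

# Constructed sample records as they might arrive from Event Hub, assuming
# the alert used Azure Monitor's common alert schema. Values are made up.
EVENT_HUB_RECORDS = [
    json.dumps({"schemaId": "azureMonitorCommonAlertSchema", "data": {
        "essentials": {"alertRule": "AccountLockout", "severity": "Sev2",
                       "monitorCondition": "Fired", "firedDateTime": "2024-05-01T10:00:00Z"},
        "alertContext": {"customProperties": {"user": "alice"}}}}),
    json.dumps({"schemaId": "azureMonitorCommonAlertSchema", "data": {
        "essentials": {"alertRule": "AccountLockout", "severity": "Sev2",
                       "monitorCondition": "Fired", "firedDateTime": "2024-05-01T10:05:00Z"},
        "alertContext": {"customProperties": {"user": "alice"}}}}),
    json.dumps({"schemaId": "azureMonitorCommonAlertSchema", "data": {
        "essentials": {"alertRule": "AccountLockout", "severity": "Sev2",
                       "monitorCondition": "Resolved", "firedDateTime": "2024-05-01T10:20:00Z"},
        "alertContext": {"customProperties": {"user": "bob"}}}}),
    '{"schemaId": "something-else", "data": {}}',  # wrong schema: dropped
    '{not json',                                   # malformed: dropped
]

REQUIRED = ("alertRule", "severity", "monitorCondition", "firedDateTime")

def parse_alert(raw):
    """Validate one Event Hub record; return a flat alert dict, or None if unusable."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if msg.get("schemaId") != "azureMonitorCommonAlertSchema":
        return None
    essentials = msg.get("data", {}).get("essentials", {})
    if any(k not in essentials for k in REQUIRED):
        return None
    props = msg["data"].get("alertContext", {}).get("customProperties", {})
    return {**{k: essentials[k] for k in REQUIRED}, "user": props.get("user", "unknown")}

def validate(records):
    """Validation step: usable alerts plus the count of records that were dropped."""
    parsed = [a for a in (parse_alert(r) for r in records) if a]
    return parsed, len(records) - len(parsed)

def lockout_rule(records, rule_name="AccountLockout", threshold=2):
    """Analytics-rule logic: users with at least `threshold` fired lockout alerts."""
    alerts, _ = validate(records)
    fired = Counter(a["user"] for a in alerts
                    if a["alertRule"] == rule_name and a["monitorCondition"] == "Fired")
    return sorted(u for u, n in fired.items() if n >= threshold)

if __name__ == "__main__":
    alerts, dropped = validate(EVENT_HUB_RECORDS)
    print(f"usable alerts: {len(alerts)}, dropped: {dropped}")
    print("users to escalate:", lockout_rule(EVENT_HUB_RECORDS))
```

The same logic would normally live in a scheduled analytics rule query in Sentinel; the script only shows what that rule has to decide once the Event Hub data has been validated.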
No, custom analytic rules will be in the Sentinel portal. You should be able to find them in the table under the Active rules tab on the main Analytics page. If you need to edit, enable, duplicate, etc., it would be from there.