Enhance threat detection with Global Secure Access in Microsoft Sentinel

Global Secure Access integrates with Microsoft Sentinel, so organizations can stream network traffic logs, audit logs, and alerts directly into Sentinel. This integration uses Microsoft Entra diagnostic settings and a Global Secure Access content hub package with preconfigured workbooks and analytics rules to enhance security monitoring and visualization. By using this integration, organizations can correlate Global Secure Access data with other Microsoft security services to improve threat detection and response across their environments.

Prerequisites

To integrate Global Secure Access with Microsoft Sentinel, you need the following configurations and permissions:

  • Microsoft Sentinel, enabled on a Log Analytics workspace. For more information, see create a Log Analytics workspace.
  • Global Secure Access, configured with traffic forwarding profiles such as Microsoft 365, Internet Access, and Private Access.
  • A Microsoft Entra ID data connector, configured according to the instructions in Send data to Microsoft Sentinel using the Microsoft Entra ID data connector.
  • An active Azure subscription.
  • Microsoft Entra Security Administrator role to configure diagnostic settings.
  • Microsoft Sentinel Contributor permissions for the resource group that the workspace belongs to, to install or manage solutions and configure analytics in the content hub.
  • Contributor permissions for the subscription where the Microsoft Sentinel workspace resides to enable Microsoft Sentinel.

Configure Microsoft Entra diagnostic settings

To configure Microsoft Entra diagnostic settings so Global Secure Access can stream data to your Log Analytics workspace:

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.
  2. Browse to Entra ID > Monitoring & health > Diagnostic settings. The General settings appear by default.
  3. Select Add diagnostic setting to create a new setting.
  4. Enter a Diagnostic setting name.
  5. In the Logs section, select the following Categories:
  6. In the Destination details section, select Send to Log Analytics workspace.
  7. From the Log Analytics workspace menu, select your Sentinel workspace.
  8. Select Save.
    Screenshot of the Diagnostic setting screen showing the selected log categories and destination details.

Install the Global Secure Access solution from the Sentinel Content hub

The Global Secure Access solution includes two workbooks and four analytics rules. To install the solution:

  1. Sign in to the Microsoft Defender portal.

  2. Browse to Microsoft Sentinel > Content management > Content hub.

  3. To find the Global Secure Access solution in the Content hub, enter "Global Secure Access" in the Search field.
    Screenshot of the Global Secure Access solution as a search result.

  4. Select the Global Secure Access solution. Its description opens.

  5. To add the solution to your workspace, select Install.
    Screenshot of the solution description with the Install button highlighted.

Enable enriched Microsoft 365 logs (optional)

Enriched Microsoft 365 logs combine Microsoft 365 OfficeActivity data with Global Secure Access NetworkAccessTraffic logs. This enrichment provides more context such as device ID, operating system, and original IP address to audit events. This extra information is critical for diagnosing issues like blocked access or performance anomalies.

To enable the enriched logs:

  1. Follow the steps in Configure Microsoft Entra diagnostic settings.
  2. In the Logs section, select the OfficeActivity category.
  3. From the Log Analytics workspace menu, select the same Sentinel workspace.
  4. Select Save.

Validate the data flow

To validate the data flow from Global Secure Access to Microsoft Sentinel:

  1. Sign in to the Microsoft Defender portal.
  2. Browse to Microsoft Sentinel > Configuration > Tables.
  3. In the Tables view, use filters or search to confirm that the following Sentinel tables are in the workspace:
     • NetworkAccessTraffic
     • NetworkAccessAlerts
     • NetworkAccessConnectionEvents
     • RemoteNetworkHealthLogs
     • OfficeActivity (if you enabled enriched Microsoft 365 logs)
    Screenshot of the workspace tables showing the Sentinel tables.

Note

Microsoft Sentinel creates tables when it ingests data into the Log Analytics workspace. If there's no data ingestion, the table doesn't exist in the workspace.
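The same check can be run as a query in Logs instead of the Tables view. The following KQL is an added example, not part of the article or the solution; because a table that has never ingested data doesn't exist, the query uses `isfuzzy=true` so a missing table produces no rows rather than a query error.

```kql
// Added example: report record counts and the latest ingestion time for each
// Global Secure Access table over the last 24 hours. A table that does not
// exist yet (no data ingested) is simply absent from the output.
union withsource=TableName isfuzzy=true
    NetworkAccessTraffic,
    NetworkAccessAlerts,
    NetworkAccessConnectionEvents,
    RemoteNetworkHealthLogs,
    OfficeActivity            // only present if enriched Microsoft 365 logs are enabled
| where TimeGenerated > ago(24h)
| summarize Records = count(), LastIngested = max(TimeGenerated) by TableName
| extend MinutesSinceLastRecord = datetime_diff("minute", now(), LastIngested)
| order by LastIngested desc
```

A table listed in the Tables view but missing from this output has existed before but received nothing in the last 24 hours, which usually points at a diagnostic setting that was changed or a forwarding profile that is no longer sending traffic.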

Enable analytics rules

You enable or customize analytics rules from the Global Secure Access solution. For more information, see Create and manage analytics rules in Microsoft Sentinel.

Screenshot of Global Secure Access-related analytics rules.

The four analytics rules in the solution can:

  • Detect abnormal denials from specific source IPs to destination IP addresses.
  • Detect a source IP scanning for open ports.
  • Detect changes in the protocol used for specific destination ports.
  • Detect connections that occur outside the defined operational hours.
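To illustrate the second detection above, here is an added KQL query of the kind such a rule runs; it is not one of the solution's own rules, and the column names (SourceIp, DestinationIp, DestinationPort, TransportProtocol, Action) and the Action value "Blocked" are assumed from the NetworkAccessTraffic schema, so verify them against your workspace before scheduling it.

```kql
// Added example: surface a source IP that was denied on many distinct
// destination ports of a single destination within a short window, the
// traffic pattern a port scan produces. Thresholds are constructed for
// illustration and should be tuned to the environment.
let lookback = 1h;
let portThreshold = 25;   // distinct ports per source/destination pair
NetworkAccessTraffic
| where TimeGenerated > ago(lookback)
| where Action =~ "Blocked"          // assumed Action value; check your tenant's values
| summarize
    DistinctPorts = dcount(DestinationPort),
    SamplePorts = make_set(DestinationPort, 50),
    Attempts = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIp, DestinationIp, TransportProtocol
| where DistinctPorts >= portThreshold
| extend DurationSeconds = datetime_diff("second", LastSeen, FirstSeen)
// Short duration with many ports is a stronger signal than the same
// count spread across the whole lookback window.
| extend PortsPerMinute = round(DistinctPorts * 60.0 / max_of(DurationSeconds, 1), 2)
| project SourceIp, DestinationIp, TransportProtocol, DistinctPorts, Attempts,
          FirstSeen, LastSeen, DurationSeconds, PortsPerMinute, SamplePorts
| order by PortsPerMinute desc
```

When turning this into a scheduled rule, map SourceIp and DestinationIp to IP entities so incidents created from it can be correlated with the same addresses in other Sentinel data sources.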

View the preconfigured workbooks

The Global Secure Access solution includes two workbooks: Enhanced Microsoft 365 logs and Network Traffic Insights. To view a workbook dashboard:

  1. Sign in to the Microsoft Defender portal.
  2. Browse to Microsoft Sentinel > Content management > Content hub.
  3. In the Content hub, expand the Global Secure Access solution.
  4. Select one of the preconfigured workbooks.
  5. Select View Template. The workbook dashboard opens.

Screenshot of the Network Traffic Insights dashboard showing a graph of usage over time.