Microsoft Sentinel Missing
Introduction
Lucidum can help you accurately identify assets that are not running Microsoft Sentinel. In most cases, you want Sentinel monitoring your corporate infrastructure. In this example, we define the corporate infrastructure as the “crown jewels”, those servers that are crucial to your business.
After Lucidum ingests data from your security solutions, Lucidum uses graph data, machine learning, and predictive analytics to detect and classify all assets and users, even those not detected by the solutions in your environment.
You can then create queries to find a list of all assets without Microsoft Sentinel and then export the list, or create dashboards.
Prerequisites
Connectors enable Lucidum to ingest data from your environment and discover, identify, and classify assets, data, and users.
Lucidum includes pre-built connectors for the most commonly used solutions for security, vulnerability scanning, cloud, data warehouse, identity management, logs, network, endpoint management, IP management, file sharing, and devops.
To configure a connector, you provide credentials that allow Lucidum secure, read-only access to the deployed solution. Lucidum then makes read-only API calls to ingest data from the solution.
To uncover all information in your environment, Lucidum recommends you configure Lucidum connectors for all of the solutions that you use, for example:
The directory solutions in your environment (for example, Azure AD, Microsoft AD, JumpCloud, PingOne, OpenLDAP)
The cloud solutions in your environment (for example, AWS, Azure, Google Cloud, Oracle Cloud)
The SSO solutions and identity and access management solutions in your environment (for example, Okta, AWS IAM, PingOne, OneLogin, SecureAuth)
The DHCP solutions in your environment (for example, Infoblox, EfficientIP, BlueCat)
The Mobile Device Management solutions in your environment (for example, Addigy, Citrix Endpoint, Jamf Pro, Kandji)
The VPN solutions in your environment (for example, Cisco AnyConnect, FortiClient, Palo Alto VPN, Citrix Gateway, Zscaler Private Access)
The Endpoint Management solutions in your environment (for example, Jamf, Intune, Citrix Endpoint Management, Symantec Endpoint Management, Hexnode)
The Endpoint Protection solutions in your environment (for example, Microsoft Defender for Endpoint, Trellix Endpoint Security, Symantec Endpoint Protection, SentinelOne, CrowdStrike Falcon)
The Endpoint Detection and Response solutions in your environment (for example, SentinelOne, CrowdStrike Falcon, Trend Micro XDR, Check Point Harmony Endpoint, Cortex XDR)
The cloud security solutions in your environment for cloud assets (for example, Netskope, Illumio Core, Orca, Trend Micro Cloud One, Sophos Central)
The anti-virus solutions or vulnerability management solutions in your environment (for example, Burp Suite, Cycognito, Greenbone, Kenna, Microsoft Defender, Qualys, Rapid7, Tenable, Vulcan)
The SIEM solutions in your environment (for example, Splunk, Trellix, Exabeam, QRadar, Microsoft Sentinel)
After Lucidum ingests data from these systems, Lucidum uses graph data, machine learning, and predictive analytics to detect and classify all assets and users, even those not detected by the solutions in your environment.
You can then view prebuilt dashboards, query Lucidum databases, export query results, or create custom dashboards.
Finding Assets that are Not Running Microsoft Sentinel
To find all the “crown jewels” in your environment, we use a query like:
Lucidum Asset Name exists
AND
Public Facing == yes
AND
Data Classification match Confidential
AND
CVE List exists
This query finds public-facing servers that hold confidential corporate information and have known CVEs.
Using the list of crown jewels, we then search for the assets that are not running the Sentinel agent, with a query like this:
Lucidum Asset Name exists
AND
Public Facing == yes
AND
Data Classification match Confidential
AND
CVE List exists
AND
Data Sources not match Microsoft Sentinel Heartbeat
Using the results of these queries, we can create a dashboard like this:

This dashboard includes:
Crown Jewels. This chart displays a count of assets that are public facing, have a data classification of “confidential”, and are affected by CVEs.
Crown Jewels w/o Sentinel. This chart displays a count of crown jewels that are not running a Sentinel agent.
Crown Jewels w/o Sentinel with critical CVEs. This chart displays a count of crown jewels that are not running a Sentinel agent and have critical CVEs.
Crown Jewels w/o Sentinel with high CVEs. This chart displays a count of crown jewels that are not running a Sentinel agent and have high CVEs.
Crown Jewels w/o Sentinel by department. This chart displays a count of crown jewels that are not running a Sentinel agent, by department.
Crown Jewels w/o Sentinel by manager. This chart displays a count of crown jewels that are not running a Sentinel agent, by manager.
Crown Jewels w/o Sentinel by IP Address. This chart displays a count of crown jewels that are not running a Sentinel agent, by IP address.
Crown Jewels w/o Sentinel by OS. This chart displays a count of crown jewels that are not running a Sentinel agent, by operating system.
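The two queries above and the dashboard counts they feed can be reproduced offline over an exported asset list, which is a useful way to check that the coverage gap the dashboard reports is what you expect. The script below is an added example, not Lucidum code or its query engine: it assumes one flat record per asset whose keys mirror the Lucidum field names used on this page, interprets `exists` as "present and non-empty" and `match` as a case-insensitive substring test (both assumptions about Lucidum's semantics), and runs over a constructed inventory with placeholder CVE ids.

```python
from collections import Counter

# Constructed sample inventory (not real Lucidum data). Keys mirror the Lucidum
# query fields used on this page; CVE ids are placeholders, not real CVEs.
ASSETS = [
    {"Lucidum Asset Name": "web-01", "Public Facing": "yes",
     "Data Classification": ["Confidential"],
     "CVE List": [{"id": "CVE-PLACEHOLDER-1", "severity": "critical"}],
     "Data Sources": ["AWS", "Microsoft Sentinel Heartbeat"],
     "Department": "Finance", "Manager": "a.lee", "IP Address": "203.0.113.10", "OS": "Ubuntu 22.04"},
    {"Lucidum Asset Name": "web-02", "Public Facing": "yes",
     "Data Classification": ["Confidential", "PII"],
     "CVE List": [{"id": "CVE-PLACEHOLDER-2", "severity": "high"}],
     "Data Sources": ["Azure", "Qualys"],
     "Department": "Finance", "Manager": "a.lee", "IP Address": "203.0.113.11", "OS": "Windows Server 2019"},
    {"Lucidum Asset Name": "api-01", "Public Facing": "yes",
     "Data Classification": ["confidential"],          # lower case: exercises case-insensitive match
     "CVE List": [{"id": "CVE-PLACEHOLDER-3", "severity": "critical"},
                  {"id": "CVE-PLACEHOLDER-4", "severity": "high"}],
     "Data Sources": ["AWS", "CrowdStrike Falcon"],
     "Department": "Engineering", "Manager": "b.kim", "IP Address": "203.0.113.12", "OS": "Ubuntu 22.04"},
    {"Lucidum Asset Name": "db-01", "Public Facing": "no",  # internal: not a crown jewel by this definition
     "Data Classification": ["Confidential"],
     "CVE List": [{"id": "CVE-PLACEHOLDER-5", "severity": "critical"}],
     "Data Sources": ["AWS"],
     "Department": "Engineering", "Manager": "b.kim", "IP Address": "10.0.2.5", "OS": "RHEL 9"},
    {"Lucidum Asset Name": "kiosk-01", "Public Facing": "yes",  # public data, no CVEs: not a crown jewel
     "Data Classification": ["Public"], "CVE List": [],
     "Data Sources": ["Intune"],
     "Department": "Facilities", "Manager": "c.ng", "IP Address": "203.0.113.13", "OS": "Windows 11"},
    {"Lucidum Asset Name": None, "Public Facing": "yes",  # unnamed record: fails "Lucidum Asset Name exists"
     "Data Classification": ["Confidential"],
     "CVE List": [{"id": "CVE-PLACEHOLDER-6", "severity": "high"}],
     "Data Sources": ["Azure"],
     "Department": "Finance", "Manager": "a.lee", "IP Address": "203.0.113.14", "OS": "Ubuntu 22.04"},
]


def exists(asset, field):
    """'<field> exists': the field is present and non-empty (assumed semantics)."""
    return asset.get(field) not in (None, "", [], {})


def match(asset, field, term):
    """'<field> match <term>': case-insensitive substring test over a scalar or list (assumed semantics)."""
    value = asset.get(field)
    values = value if isinstance(value, list) else [value]
    return any(term.lower() in str(v).lower() for v in values if v is not None)


def is_crown_jewel(asset):
    """First query on the page: named, public facing, confidential data, at least one CVE."""
    return (exists(asset, "Lucidum Asset Name")
            and str(asset.get("Public Facing", "")).lower() == "yes"
            and match(asset, "Data Classification", "Confidential")
            and exists(asset, "CVE List"))


def is_crown_jewel_without_sentinel(asset):
    """Second query on the page: a crown jewel whose data sources lack the Sentinel heartbeat."""
    return is_crown_jewel(asset) and not match(asset, "Data Sources", "Microsoft Sentinel Heartbeat")


def crown_jewels_without_sentinel(assets):
    return [a for a in assets if is_crown_jewel_without_sentinel(a)]


def has_cve_severity(asset, severity):
    """True if any CVE on the asset carries the given severity label."""
    return any(str(cve.get("severity", "")).lower() == severity for cve in asset.get("CVE List", []))


def dashboard(assets):
    """Compute the eight dashboard panels described on the page from an asset list."""
    jewels = [a for a in assets if is_crown_jewel(a)]
    gaps = crown_jewels_without_sentinel(assets)

    def count_by(field):
        return dict(Counter(a.get(field, "unknown") for a in gaps))

    return {
        "Crown Jewels": len(jewels),
        "Crown Jewels w/o Sentinel": len(gaps),
        "Crown Jewels w/o Sentinel with critical CVEs": sum(has_cve_severity(a, "critical") for a in gaps),
        "Crown Jewels w/o Sentinel with high CVEs": sum(has_cve_severity(a, "high") for a in gaps),
        "Crown Jewels w/o Sentinel by department": count_by("Department"),
        "Crown Jewels w/o Sentinel by manager": count_by("Manager"),
        "Crown Jewels w/o Sentinel by IP Address": count_by("IP Address"),
        "Crown Jewels w/o Sentinel by OS": count_by("OS"),
    }


if __name__ == "__main__":
    for panel, value in dashboard(ASSETS).items():
        print(f"{panel}: {value}")
```

Run against the constructed inventory, the script reports three crown jewels, two of them without the Sentinel heartbeat (web-02 and api-01), one of those with a critical CVE and both with high CVEs; db-01 drops out because it is not public facing, kiosk-01 because it holds no confidential data and has no CVEs, and the unnamed record because it fails the `exists` test. Replacing `ASSETS` with an exported query result lets you reconcile the counts the dashboard shows against the underlying records before acting on them.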