Lucidum can help you accurately identify assets that are not running Microsoft Sentinel. In most cases, you want Sentinel monitoring your corporate infrastructure. In this example, we define the corporate infrastructure as the “crown jewels”, those servers that are crucial to your business.
After Lucidum ingests data from your security solutions, Lucidum uses graph data, machine learning, and predictive analytics to detect and classify all assets and users, even those not detected by the solutions in your environment.
You can then create queries that list every asset without Microsoft Sentinel, export that list, or build dashboards from it.
Prerequisites
Connectors enable Lucidum to ingest data from your environment and discover, identify, and classify assets, data, and users.
Lucidum includes pre-built connectors for the most commonly used solutions for security, vulnerability scanning, cloud, data warehouse, identity management, logs, network, endpoint management, IP management, file sharing, and devops.
To configure a connector, you provide credentials that allow Lucidum secure, read-only access to the deployed solution. Lucidum then makes read-only API calls to ingest data from the solution.
To uncover all information in your environment, Lucidum recommends you configure Lucidum connectors for all of the solutions that you use, for example:
- The directory solutions in your environment (for example, Azure AD, Microsoft AD, JumpCloud, PingOne, OpenLDAP)
- The cloud solutions in your environment (for example, AWS, Azure, Google Cloud, Oracle Cloud)
- The SSO solutions and identity and access management solutions in your environment (for example, Okta, AWS IAM, PingOne, OneLogin, SecureAuth)
- The DHCP solutions in your environment (for example, Infoblox, EfficientIP, BlueCat)
- The Mobile Device Management solutions in your environment (for example, Addigy, Citrix Endpoint, Jamf Pro, Kandji)
- The VPN solutions in your environment (for example, Cisco AnyConnect, FortiClient, Palo Alto VPN, Citrix Gateway, Zscaler Private Access)
- The Endpoint Management solutions in your environment (for example, Jamf, Intune, Citrix Endpoint Management, Symantec Endpoint Management, Hexnode)
- The Endpoint Protection solutions in your environment (for example, Microsoft Defender for Endpoint, Trellix Endpoint Security, Symantec Endpoint Protection, SentinelOne, CrowdStrike Falcon)
- The Endpoint Detection and Response solutions in your environment (for example, SentinelOne, CrowdStrike Falcon, Trend Micro XDR, Check Point Harmony Endpoint, Cortex XDR)
- The cloud security solutions in your environment for cloud assets (for example, Netskope, Illumio Core, Orca, Trend Micro Cloud One, Sophos Central)
- The anti-virus solutions or vulnerability management solutions in your environment (for example, Burp Suite, CyCognito, Greenbone, Kenna, Microsoft Defender, Qualys, Rapid7, Tenable, Vulcan)
- The SIEM solutions in your environment (for example, Splunk, Trellix, Exabeam, QRadar, Microsoft Sentinel)
After Lucidum ingests data from these systems, Lucidum uses graph data, machine learning, and predictive analytics to detect and classify all assets and users, even those not detected by the solutions in your environment.
You can then view prebuilt dashboards, query Lucidum databases, export query results, or create custom dashboards.
Finding Assets that are Not Running Microsoft Sentinel
To find all the “crown jewels” in your environment, we use a query like:
Using the list of crown jewels, we then search for those assets that are not running the Sentinel agent. We use a query like this:
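The two steps above (select the crown jewels, then subtract the hosts Sentinel already reports on) are a reconciliation between two inventories. The following is an added illustration in Python of that reconciliation; it is not Lucidum's own code or query language. The asset records, tags, hostnames and IPs are constructed, and the `Computer`/`ComputerIP` field names on the Sentinel side are borrowed from the Log Analytics Heartbeat table only as an assumption about how such an export might look. The example goes slightly beyond the page by matching on both hostname and IP (so a SIEM that spells a host differently does not produce a false gap) and by running the reverse check for hosts Sentinel knows but the inventory does not.

```python
"""Added example, not Lucidum's own code or query language: reconcile a unified
asset inventory against the hosts the Microsoft Sentinel agent reports for, and
list the "crown jewel" servers that have no Sentinel coverage. All records are
constructed; field names, tags and hostnames are assumptions for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    tags: frozenset
    sources: frozenset  # connectors that observed the asset


# Constructed unified inventory (the kind of record a connector-fed asset
# platform produces). Note the mixed hostname forms.
INVENTORY = [
    Asset("db-prod-01.corp.example", "10.10.1.5", frozenset({"crown-jewel", "database"}), frozenset({"aws", "crowdstrike"})),
    Asset("DB-PROD-02", "10.10.1.6", frozenset({"crown-jewel", "database"}), frozenset({"aws", "crowdstrike"})),
    Asset("erp-app-01.corp.example", "10.10.2.10", frozenset({"crown-jewel", "erp"}), frozenset({"vmware"})),
    Asset("web-edge-03.corp.example", "10.10.4.3", frozenset({"crown-jewel", "web"}), frozenset({"azure"})),
    Asset("dev-box-17", "10.20.3.44", frozenset({"dev"}), frozenset({"jamf"})),
]

# Constructed list of hosts seen by the Sentinel connector. The column names
# mirror the Computer / ComputerIP columns of the Log Analytics Heartbeat
# table (an assumption about the export format); the values are made up.
SENTINEL_AGENTS = [
    {"Computer": "db-prod-01", "ComputerIP": "10.10.1.5"},
    {"Computer": "Web-Edge-03.corp.example", "ComputerIP": "10.10.4.3"},
    {"Computer": "ERPAPP01", "ComputerIP": "10.10.2.10"},      # name differs, IP matches
    {"Computer": "orphan-host-99", "ComputerIP": "10.30.0.9"},  # not in inventory at all
]


def normalize_host(name: str) -> str:
    """Lower-case and drop the DNS suffix so 'DB-PROD-01.corp.example' == 'db-prod-01'."""
    return name.strip().lower().split(".")[0]


def crown_jewels(inventory, tag="crown-jewel"):
    """Step 1 of the page: select the business-critical servers by tag."""
    return [a for a in inventory if tag in a.tags]


def assets_missing_sentinel(assets, sentinel_agents):
    """Step 2: assets with neither a hostname nor an IP match in the Sentinel data.
    Matching on both keys avoids false gaps when the SIEM spells a host differently."""
    covered_names = {normalize_host(r["Computer"]) for r in sentinel_agents}
    covered_ips = {r["ComputerIP"] for r in sentinel_agents}
    return [a for a in assets
            if normalize_host(a.hostname) not in covered_names and a.ip not in covered_ips]


def sentinel_hosts_not_in_inventory(inventory, sentinel_agents):
    """Reverse check: the SIEM knows a host the inventory does not, which is
    either a stale agent or an asset no connector has discovered yet."""
    known_names = {normalize_host(a.hostname) for a in inventory}
    known_ips = {a.ip for a in inventory}
    return [r["Computer"] for r in sentinel_agents
            if normalize_host(r["Computer"]) not in known_names and r["ComputerIP"] not in known_ips]


def coverage_report(inventory, sentinel_agents):
    """Summarise crown-jewel Sentinel coverage plus the reverse-check findings."""
    jewels = crown_jewels(inventory)
    gaps = assets_missing_sentinel(jewels, sentinel_agents)
    covered = len(jewels) - len(gaps)
    return {
        "crown_jewels": len(jewels),
        "missing_sentinel": sorted(a.hostname for a in gaps),
        "coverage_pct": round(100 * covered / len(jewels), 1) if jewels else 100.0,
        "unknown_to_inventory": sentinel_hosts_not_in_inventory(inventory, sentinel_agents),
    }


if __name__ == "__main__":
    for key, value in coverage_report(INVENTORY, SENTINEL_AGENTS).items():
        print(f"{key}: {value}")
```

On the constructed data the report lists `DB-PROD-02` as the one crown jewel without Sentinel, 75% coverage, and `orphan-host-99` as a host Sentinel reports that no connector has discovered. The hostname normalisation is the part worth keeping an eye on in a real environment: dropping the DNS suffix collapses two different hosts that share a short name in different domains, so an IP or hardware identifier as a second matching key is what keeps the gap list honest.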