Previous Articles

n

Part 1:  Microsoft Sentinel Implementation a Deep Dive- Part 1: Workspace Deployment

n

Part 2: Microsoft Sentinel Implementation a Deep Dive – Part 2: Microsoft Sentinel Deployment

n

Part 3: Microsoft Sentinel Implementation a Deep Dive – Part 3: Configuring Data Connectors

n


n

Validating the Microsoft Sentinel Deployment

n

In this article Let's create a Windows virtual machine in Azure to test Microsoft Sentinel Deployment.

n

n

Open a new tab and navigate to the Azure portal at https://portal.azure.com.

n

n

Click on Create a Resource.

n

Sentinel-4-1

n

In the Search Services and Marketplace box, enter Windows 10 and select Microsoft Windows 10 from the drop-down list.

n

Sentinel-4-2

n

Select the box for Microsoft Windows 10. Open the Plan drop-down list and select Windows 10 Enterprise, version 22H2.

n

Sentinel-4-3

n

Select Start with a pre-set configuration to continue. Select resource group and other details as per your Azure Subscription

n

n

In the Virtual machine name, In my case, Windows 10.

n

nLeave (US) East US as the default value for Region

n

n

Scroll down and review the Image for the virtual machine. If it appears empty, select Windows 10 Enterprise, version 22H2.

n

n

Select any right configuration for the Size for the virtual machine. If it appears empty, select See all sizes, choose the first VM size under Most used by Azure users and select Select.

n

n

Scroll down and enter a Username and Enter a Password

n

Sentinel-4-4

n

Scroll down to the bottom of the page and select the checkbox below Licensing to confirm you have the eligible license.

n

n

Select Review + Create and wait until the validation is passed.

n

Sentinel-4-5

n

Select Create. It will take some time to complete.

n

Configure Data Collection Rule(DCR) in Microsoft Sentinel

n

Configure a Windows Security Events via AMA connector. Learn more about Windows Security Events via AMA connector at https://learn.microsoft.com/azure/sentinel/data-connectors/windows-security-events-via-ama.

n

In Microsoft Sentinel, go to the Configuration menu section and select Data connectors

n

Sentinel-4-6

n

Search for and select Windows Security Events via AMA

n

Sentinel-4-7

n

Select Open connector page

n

Sentinel-4-8

n

In the Configuration area, Click on Create data collection rule

n

Sentinel-4-9

n

On the Basics tab enter a Rule Name

n

On the Resources tab expand your subscription and the resource group in the Scope.

n

Select Virtual Machine and then Click on  Next: Collect

n

Sentinel-4-10

n

On the Collect tab leave the default of All Security Events. and Click on Next: Review + Create

n

Sentinel-4-13

n

Click on Create

n

Sentinel-4-14

n

Sentinel-4-14

n

Create a near real-time (NRT) query detection

n

Detect threats with near-real-time (NRT) analytic rules in Microsoft Sentinel. Learn more about NRT Analytic rules in Microsoft Sentinel at https://learn.microsoft.com/azure/sentinel/near-real-time-rules.

n

In the Microsoft Sentinel, Go to the Configuration menu section and select Analytics

n

Sentinel-4-1

n

Select Create, and NRT query rule

n

Sentinel-4-16

n

Enter a Name for the rule, and select Privilege Escalation from Tactics and Techniques.

n

Sentinel-4-17

n

Select Next: Set rule logic >

n

Sentinel-4-18

n

Enter the KQL query into the Rule Query form

n

Sentinel-4-19

n

Paste the Content below in the Rule Query

n

Sentinel-4-20

n

Leave Incident settings and Automated response with default settings

n

Select Next: Review + Create

n

Sentinel-4-21

n

When validation is complete click on Save

n

Sentinel-4-22

n


n

Next Articles

n

Part 5: Microsoft Sentinel Implementation a Deep Dive – Part 5: Validating the Microsoft Sentinel Deployment

n

Part 6: Microsoft Sentinel Implementation a Deep Dive – Part 6: Ingesting Microsoft 365 Logs and validation

Leave a comment

Your email address will not be published. Required fields are marked *