
Validating the Sentinel Deployment

 

Configure automation in Microsoft Sentinel

An automation rule runs automatically when an incident is created or updated. The rule configured here assigns an owner to new incidents, which gives the validation later in this article a second thing to check besides the incident itself. Learn more about creating and using Microsoft Sentinel automation rules at https://learn.microsoft.com/azure/sentinel/create-manage-use-automation-rules.

 

In Microsoft Sentinel, go to the Configuration menu section and select Automation.

 
Sentinel-5-1
 

Select Create and then Automation rule.

 
Sentinel-5-2
 

Enter an Automation rule name and, under Actions, select Assign owner. Leave the trigger at its default, When incident is created.

 
Sentinel-5-3
 

From the second drop-down under Actions, select Assign to me so that the rule assigns each matching incident to your own account.

 
Sentinel-5-4
 

Click Apply. With the default trigger and no conditions, this rule runs for every new incident in the workspace, which is fine for a lab; for anything beyond that, add a condition such as Analytic rule name so that it only fires for the rule you are testing.

 
Sentinel-5-5
 

Perform a simulated Privilege Escalation attack

Use a simulated attack to test the NRT analytic rule in Microsoft Sentinel. The commands used below mirror the Atomic Red Team test for T1078.003 (Valid Accounts: Local Accounts): they create a local user and add it to the local Administrators group. Learn more about that test at https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md.

 

Locate and select the virtual machine in Azure. Scroll down the menu items to Operations and select Run command. The VM must be running with the Azure VM agent installed, because Run command executes through the agent; on Windows the script runs as SYSTEM, which is why the commands below need no credentials or elevation.

 
Sentinel-5-6
 

On the Run command pane, select RunPowerShellScript.

 
Sentinel-5-8
 

Paste the commands below into the PowerShell Script form and select Run. They create a new local user and then add it to the local Administrators group, which is the privilege escalation the NRT rule should detect. Use a throwaway lab VM and delete the account afterwards (net user theusernametoadd /delete).

# Create a local user account (the article's placeholder name; choose your own in a real test)
net user theusernametoadd /add
# Set the new account's password
net user theusernametoadd ThePassword1!
# Add the account to the local Administrators group: this is the privilege escalation step
net localgroup administrators theusernametoadd /add
 
Sentinel-5-9
 

In the Output window, each of the three commands should report The command completed successfully. If the first command instead reports The account already exists, a previous run left the account behind; delete it with net user theusernametoadd /delete and run the script again.

 
Sentinel-5-10
 

Verify an incident is created from the simulated attack

Verify that the NRT analytic rule created an incident for the simulated attack and that the automation rule assigned it to you. Learn more about Microsoft Sentinel incident management at https://learn.microsoft.com/azure/sentinel/incident-investigation.

 
 
 

In Microsoft Sentinel, go to the Threat management menu section and select Incidents.

 
Sentinel-5-10
 

You should see an incident whose Severity and Title match what you configured in the NRT rule you created earlier. NRT rules run about once a minute, but the events still have to be ingested first, so allow a few minutes and refresh the Incidents page if nothing appears right away.

 
Sentinel-5-11
 

Select the incident to open its details pane.

 
Sentinel-5-12
 

The Owner should be your own account, set by the automation rule, and Tactics and techniques should show Privilege Escalation, inherited from the tactics and techniques configured on the NRT rule.

 
Sentinel-5-13
 

Select View full details to see all the incident management capabilities and incident actions.

 
Sentinel-5-14
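The simulated attack and the verification steps above, driven from PowerShell with the Az modules instead of the portal, as an added example that is not part of the original article. It assumes the Az.Compute, Az.OperationalInsights and Az.SecurityInsights modules are installed and Connect-AzAccount has been run with rights on the VM and the workspace; the resource group, VM, workspace and rule-title values are placeholders; it also assumes the Windows Security Events connector from the earlier articles writes to the SecurityEvent table, and that the incident property names are those exposed by Az.SecurityInsights (check them with Get-Member if your module version differs). It goes one step beyond the article by confirming that the raw 4720 and 4732 events were ingested before looking for the incident, and by deleting the test account afterwards.

```powershell
# Added example, not from the original article. Values marked "assumption" are placeholders.
$rg        = 'my-sentinel-rg'               # assumption: resource group holding the VM and the workspace
$vmName    = 'my-lab-vm'                    # assumption: the Windows lab VM used in the article
$workspace = 'my-sentinel-workspace'        # assumption: the Log Analytics workspace Sentinel runs on
$ruleTitle = 'Local admin account created'  # assumption: name of the NRT rule from the earlier article
$user      = 'theusernametoadd'             # the account name the article's commands use

$tmp   = Join-Path $env:TEMP 'sentinel-sim.ps1'
$start = (Get-Date).ToUniversalTime()

function Invoke-OnVm([string]$Script) {
    # Run command executes through the VM agent; on Windows the script runs as SYSTEM.
    Set-Content -Path $tmp -Value $Script
    $r = Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vmName `
                               -CommandId 'RunPowerShellScript' -ScriptPath $tmp
    $r.Value | ForEach-Object { $_.Message }   # same "The command completed successfully." text as the portal
}

try {
    # 1. Simulate the attack with the same three commands the article pastes into Run command.
    Invoke-OnVm @"
net user $user /add
net user $user ThePassword1!
net localgroup administrators $user /add
"@

    # 2. Confirm the raw events were ingested before looking for an incident.
    #    Assumes the Windows Security Events connector writes to SecurityEvent.
    #    4720 = user account created (TargetUserName is the new account).
    #    4732 = member added to a security-enabled local group (TargetUserName is the group
    #           and the member is carried as MemberSid, so filter on the group name).
    $wsId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace).CustomerId
    $kql = @"
SecurityEvent
| where TimeGenerated > ago(1h)
| where (EventID == 4720 and TargetUserName =~ '$user')
     or (EventID == 4732 and TargetUserName =~ 'Administrators')
| project TimeGenerated, EventID, Activity, Computer, TargetUserName, MemberSid, SubjectUserName
| order by TimeGenerated asc
"@
    $found = $false; $tries = 0
    while (-not $found -and $tries -lt 15) {        # ingestion usually takes a few minutes
        Start-Sleep -Seconds 60; $tries++
        $events = (Invoke-AzOperationalInsightsQuery -WorkspaceId $wsId -Query $kql).Results
        $found  = ($events.EventID -contains 4720) -and ($events.EventID -contains 4732)
    }
    if (-not $found) {
        throw "4720/4732 not seen after $tries minutes: check the Security Events connector and the VM's audit policy."
    }
    $events | Format-Table -AutoSize

    # 3. Find the incident the NRT rule raised and check what the automation rule did with it.
    #    Property names are those exposed by Az.SecurityInsights; verify with Get-Member if they differ.
    $incident = Get-AzSentinelIncident -ResourceGroupName $rg -WorkspaceName $workspace |
        Where-Object { $_.Title -like "*$ruleTitle*" -and $_.CreatedTimeUtc -gt $start } |
        Sort-Object CreatedTimeUtc -Descending | Select-Object -First 1
    if (-not $incident) {
        Write-Warning 'No matching incident yet; NRT rules run about once a minute, so rerun this step shortly.'
    } else {
        $incident | Select-Object Title, Severity, Status, OwnerAssignedTo, OwnerUserPrincipalName | Format-List
    }
}
finally {
    # 4. Always remove the test account so the lab VM is not left with an extra local administrator.
    Invoke-OnVm "net user $user /delete"
    Remove-Item $tmp -ErrorAction SilentlyContinue
}
```

The event check is the part worth keeping even if you stay in the portal: if the 4720 and 4732 rows never show up in SecurityEvent, the problem is the connector or the VM's audit policy, not the NRT rule or the automation rule, and the incident view will never tell you that.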
 
 
 
 