SIEM and XDR in one place

Previous Articles

Part 1: Microsoft Sentinel Implementation a Deep Dive – Part 1: Workspace Deployment

Part 2: Microsoft Sentinel Implementation a Deep Dive – Part 2: Microsoft Sentinel Deployment

Part 3: Microsoft Sentinel Implementation a Deep Dive – Part 3: Configuring Data Connectors

Validating the Microsoft Sentinel Deployment

  • In this article we create a Windows virtual machine in Azure to test the Microsoft Sentinel deployment. The VM is the event source: its Security log is forwarded by the data collection rule configured below and matched by the analytics rule at the end.
  • Open a new tab and navigate to the Azure portal at https://portal.azure.com.
  • Click on Create a Resource.

In the Search Services and Marketplace box, enter Windows 10 and select Microsoft Windows 10 from the drop-down list.

Select the box for Microsoft Windows 10. Open the Plan drop-down list and select Windows 10 Enterprise, version 22H2.

Select Start with a pre-set configuration to continue. Select the resource group and other details according to your Azure subscription.

Enter a Virtual machine name; in my case, Windows 10.

Leave (US) East US as the default value for Region.

Scroll down and review the Image for the virtual machine. If it appears empty, select Windows 10 Enterprise, version 22H2.

Select an appropriate Size for the virtual machine. If the field appears empty, select See all sizes, choose the first VM size under Most used by Azure users and select Select.

Scroll down and enter a Username and a Password for the local administrator account. On the same tab, review Inbound port rules: for Windows images the wizard defaults to allowing RDP (3389) from any source. Restrict it to your own public IP, or select None and use Azure Bastion, so the test machine is not a publicly reachable RDP endpoint.

Scroll down to the bottom of the page and select the checkbox under Licensing to confirm you have an eligible Windows 10 license.

Select Review + Create and wait until the validation is passed.

Select Create. Deployment takes a few minutes to complete.

Configure a Data Collection Rule (DCR) in Microsoft Sentinel

Configure the Windows Security Events via AMA connector. The DCR defines which Security log events the Azure Monitor Agent (AMA) forwards and to which workspace; creating it through the connector page also installs the agent on the machines you put in scope. Learn more about the Windows Security Events via AMA connector at https://learn.microsoft.com/azure/sentinel/data-connectors/windows-security-events-via-ama.

In Microsoft Sentinel, go to the Configuration menu section and select Data connectors.

Search for and select Windows Security Events via AMA.

Select Open connector page.

In the Configuration area, click Create data collection rule.

  • On the Basics tab, enter a Rule Name.
  • On the Resources tab, expand your subscription and the resource group in the Scope.
  • Select the virtual machine created above and click Next: Collect.

On the Collect tab, leave the default of All Security Events and click Next: Review + Create. For a lab VM this is fine; on a production estate All Security Events forwards every record in the Security log, and the Common or Custom options are the usual way to hold ingestion down.

Click Create.
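The portal hides what the connector actually produces. The following is an added example, not code from the original article, that deploys an equivalent DCR and its VM association with Az PowerShell so the collected stream and the event filter are visible. The subscription ID, resource group, workspace name, VM name and resource names are placeholders; adjust them to your environment.

```powershell
# Added example (not part of the original article). Requires the Az module and Connect-AzAccount.
# Placeholders: subscription, resource group, workspace and VM below are assumptions.
$Sub       = "00000000-0000-0000-0000-000000000000"
$Rg        = "rg-sentinel"
$Location  = "eastus"
$Workspace = "/subscriptions/$Sub/resourceGroups/$Rg/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"
$VmName    = "Windows10"
$VmId      = "/subscriptions/$Sub/resourceGroups/$Rg/providers/Microsoft.Compute/virtualMachines/$VmName"

# "All Security Events" in the portal is the XPath "Security!*": every record in the Security log.
# To collect only the group-membership events the NRT rule below needs, narrow the XPath instead:
#   "Security!*[System[(EventID=4728 or EventID=4732 or EventID=4756)]]"
$DcrProperties = @{
    dataSources = @{
        windowsEventLogs = @(
            @{
                name         = "eventLogsDataSource"
                streams      = @("Microsoft-SecurityEvent")   # lands in the SecurityEvent table
                xPathQueries = @("Security!*")
            }
        )
    }
    destinations = @{
        logAnalytics = @(
            @{ name = "la-destination"; workspaceResourceId = $Workspace }
        )
    }
    dataFlows = @(
        @{ streams = @("Microsoft-SecurityEvent"); destinations = @("la-destination") }
    )
}

# Create the DCR itself.
$Dcr = New-AzResource -ResourceGroupName $Rg -Location $Location `
    -ResourceType "Microsoft.Insights/dataCollectionRules" -ResourceName "dcr-windows-security" `
    -Kind "Windows" -ApiVersion "2022-06-01" -Properties $DcrProperties -Force

# Associate the DCR with the VM. The association is an extension resource on the VM.
New-AzResource -ResourceId "$VmId/providers/Microsoft.Insights/dataCollectionRuleAssociations/dcra-windows-security" `
    -ApiVersion "2022-06-01" -Properties @{ dataCollectionRuleId = $Dcr.ResourceId } -Force

# Outside the portal the agent is not installed for you: add the Azure Monitor Agent extension.
Set-AzVMExtension -ResourceGroupName $Rg -VMName $VmName -Location $Location `
    -Name "AzureMonitorWindowsAgent" -Publisher "Microsoft.Azure.Monitor" `
    -ExtensionType "AzureMonitorWindowsAgent" -TypeHandlerVersion "1.0" -EnableAutomaticUpgrade $true
```

Once the agent reports in, `Heartbeat | where Computer == "Windows10"` in the workspace confirms the association took effect, and the SecurityEvent table starts filling a few minutes later.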

Create a near real-time (NRT) query detection

Detect threats with near-real-time (NRT) analytic rules in Microsoft Sentinel. Learn more about NRT Analytic rules in Microsoft Sentinel at https://learn.microsoft.com/azure/sentinel/near-real-time-rules.

In Microsoft Sentinel, go to the Configuration menu section and select Analytics.

Select Create, then NRT query rule.

Enter a Name for the rule, and select Privilege Escalation under Tactics and Techniques.

Select Next: Set rule logic.

Paste the KQL query below into the Rule query form. Event ID 4732 is "A member was added to a security-enabled local group"; the TargetAccount filter limits the match to the built-in Administrators group, so the rule fires whenever anyone is made a local administrator on a machine the DCR covers. NRT rules run once a minute, so there is no need for a time filter in the query.

// 4732: a member was added to a security-enabled local group
SecurityEvent
| where EventID == 4732
// TargetAccount is the group that was changed; MemberName holds the account that was added
| where TargetAccount == "Builtin\\Administrators"

Leave Incident settings and Automated response at their defaults.

Select Next: Review + Create.

When validation passes, select Save.
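To prove the whole chain works end to end, generate the exact event the rule looks for and confirm it locally before looking at Sentinel. The following is an added example, not code from the original article: run it in an elevated PowerShell session on the test VM. The account name is a placeholder, and the check assumes the Windows 10 default audit policy, which records Security Group Management successes.

```powershell
# Added example (not part of the original article). Run as administrator ON the test VM.
# Placeholder: the throwaway account name below is an assumption.
$TestUser = "sentinel-test"
$Password = Read-Host -AsSecureString "Throwaway password for $TestUser"

# 1. Create a throwaway local account and add it to the built-in Administrators group.
#    The membership change writes Security event 4732 with TargetUserName = Administrators
#    and TargetDomainName = Builtin, which Sentinel surfaces as TargetAccount "Builtin\Administrators".
New-LocalUser -Name $TestUser -Password $Password -Description "Sentinel NRT rule test" | Out-Null
Add-LocalGroupMember -Group "Administrators" -Member $TestUser

# 2. Confirm the event exists in the local Security log before blaming the agent or the rule.
#    The filter mirrors the KQL query: EventID 4732 targeting Builtin\Administrators.
$Since  = (Get-Date).AddMinutes(-5)
$Events = Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4732; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $data.TargetUserName -eq "Administrators" -and $data.TargetDomainName -eq "Builtin"
    }

if ($Events) {
    "Found $(@($Events).Count) matching 4732 event(s) locally. Query SecurityEvent in Sentinel in a few minutes; the NRT rule should raise an incident."
} else {
    "No matching 4732 event in the local Security log. Check that Audit Security Group Management is enabled (auditpol /get /subcategory:'Security Group Management')."
}

# 3. Clean up so the test account does not stay a local administrator.
Remove-LocalGroupMember -Group "Administrators" -Member $TestUser
Remove-LocalUser -Name $TestUser
```

If the event is present locally but never appears in SecurityEvent, the problem is in the collection path (agent not installed, DCR not associated, or the VM's managed identity unable to reach the workspace); if it appears in SecurityEvent but no incident is raised, the problem is in the rule. Separating the two saves a lot of guessing.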

Next Articles

Part 5: Microsoft Sentinel Implementation a Deep Dive – Part 5: Validating the Microsoft Sentinel Deployment

Part 6: Microsoft Sentinel Implementation a Deep Dive – Part 6: Ingesting Microsoft 365 Logs and Validation
