Previous Articles
Part 1: Microsoft Sentinel Implementation a Deep Dive – Part 1: Workspace Deployment
Part 2: Microsoft Sentinel Implementation a Deep Dive – Part 2: Microsoft Sentinel Deployment
Part 3: Microsoft Sentinel Implementation a Deep Dive – Part 3: Configuring Data Connectors
Validating the Microsoft Sentinel Deployment
- In this article we create a Windows virtual machine in Azure to test the Microsoft Sentinel deployment. The VM is the log source for the data collection rule and the detection rule configured below.
- Open a new tab and navigate to the Azure portal at https://portal.azure.com.
- Click on Create a resource.
- In the Search services and marketplace box, enter Windows 10 and select Microsoft Windows 10 from the drop-down list.
- Select the box for Microsoft Windows 10. Open the Plan drop-down list and select Windows 10 Enterprise, version 22H2.
- Select Start with a pre-set configuration to continue. Select the resource group and other details according to your Azure subscription.
- Enter a Virtual machine name; in my case, Windows 10.
- Leave (US) East US as the default value for Region.
- Scroll down and review the Image for the virtual machine. If it appears empty, select Windows 10 Enterprise, version 22H2.
- Select an appropriate Size for the virtual machine. If it appears empty, select See all sizes, choose the first VM size under Most used by Azure users and select Select.
- Scroll down and enter a Username and a Password. This is the local administrator account on the VM, so use a strong, unique password.
- Scroll down to the bottom of the page and select the checkbox below Licensing to confirm you have an eligible license.
- Select Review + create and wait until validation passes.
- Select Create. Deployment takes a few minutes to complete.
Configure a Data Collection Rule (DCR) in Microsoft Sentinel
Configure the Windows Security Events via AMA connector. Learn more about the Windows Security Events via AMA connector at https://learn.microsoft.com/azure/sentinel/data-connectors/windows-security-events-via-ama.
- In Microsoft Sentinel, go to the Configuration menu section and select Data connectors.
- Search for and select Windows Security Events via AMA.
- Select Open connector page.
- In the Configuration area, click on Create data collection rule.
- On the Basics tab, enter a Rule Name.
- On the Resources tab, expand your subscription and the resource group in the Scope.
- Select the virtual machine created above and click on Next: Collect. Creating the DCR installs the Azure Monitor Agent (AMA) on the selected machine if it is not already present.
- On the Collect tab, leave the default of All Security Events and click on Next: Review + create. All Security Events forwards every event from the Security log, so it has the highest ingestion volume and cost; the Common and Minimal options collect predefined subsets instead. The full set is the simplest choice for this validation because it guarantees that Event ID 4732, used by the detection below, is collected.
- Click on Create.
Create a near real-time (NRT) query detection
Detect threats with near-real-time (NRT) analytic rules in Microsoft Sentinel. Learn more about NRT Analytic rules in Microsoft Sentinel at https://learn.microsoft.com/azure/sentinel/near-real-time-rules.
- In Microsoft Sentinel, go to the Configuration menu section and select Analytics.
- Select Create, then NRT query rule.
- Enter a Name for the rule, and select Privilege Escalation from Tactics and techniques.
- Select Next: Set rule logic >.
- Paste the KQL query below into the Rule query box. It matches Event ID 4732 (a member was added to a security-enabled local group) where the target group is the built-in local Administrators group, i.e. an account was granted local administrator rights on a monitored machine.
SecurityEvent
| where EventID == 4732                              // a member was added to a security-enabled local group
| where TargetAccount == "Builtin\\Administrators"   // the group is the built-in local Administrators group
- Leave Incident settings and Automated response at their default settings.
- Select Next: Review + create.
- When validation completes, click on Save. NRT rules run once a minute against newly ingested data, so allow a few minutes of ingestion latency after an event occurs on the VM before expecting an incident.
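To validate the deployment end to end, the rule needs a real Event ID 4732 from the VM. The following PowerShell script is an added example, not part of the original article: run it in an elevated session on the test VM after the DCR and the NRT rule exist. It checks that Security Group Management auditing is enabled (otherwise 4732 is never written), checks that the Azure Monitor Agent service is running, creates a throwaway local user, adds it to Administrators to generate the event, reads the event back from the local Security log and rebuilds the TargetAccount value the KQL rule filters on, then removes the user again. The account name sentineltest and the AMA service name AzureMonitorAgent are assumptions.

```powershell
# Added validation helper (not part of the original article).
# Run in an elevated PowerShell session on the test VM.
# Assumptions: the local account 'sentineltest' does not exist yet (hypothetical name),
# and the Azure Monitor Agent Windows service is named 'AzureMonitorAgent'.

$ErrorActionPreference = 'Stop'
$testUser = 'sentineltest'
$start    = Get-Date

# 1. Event ID 4732 is only logged when 'Security Group Management' success auditing is on.
$audit = auditpol /get /subcategory:"Security Group Management" /r | ConvertFrom-Csv
if ($audit.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning "Security Group Management auditing is off; enabling success auditing."
    auditpol /set /subcategory:"Security Group Management" /success:enable | Out-Null
}

# 2. The DCR delivers nothing unless the Azure Monitor Agent is running on this VM.
$ama = Get-Service -Name 'AzureMonitorAgent' -ErrorAction SilentlyContinue
if (-not $ama -or $ama.Status -ne 'Running') {
    Write-Warning "Azure Monitor Agent service is not running; check the DCR association in the portal."
}

try {
    # 3. Generate the event: create a throwaway local user and add it to Administrators.
    $password = ConvertTo-SecureString ([guid]::NewGuid().ToString() + 'Aa1!') -AsPlainText -Force
    New-LocalUser -Name $testUser -Password $password -Description 'Sentinel NRT rule test' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $testUser   # writes Event ID 4732
    Start-Sleep -Seconds 2

    # 4. Confirm the event is in the local Security log with the fields the KQL rule uses.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = $start } `
                           -ErrorAction SilentlyContinue
    if (-not $events) { Write-Warning "No 4732 event found locally; the rule cannot fire yet." }

    foreach ($e in $events) {
        # Read EventData fields by name rather than by position.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        # SecurityEvent.TargetAccount in the workspace is "<TargetDomainName>\<TargetUserName>".
        $targetAccount = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName

        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            TargetAccount = $targetAccount
            MemberSid     = $data.MemberSid        # local members appear by SID, MemberName is "-"
            Subject       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            MatchesRule   = ($targetAccount -eq 'Builtin\Administrators')
        }
    }
}
finally {
    # 5. Clean up. Removing the member writes Event ID 4733, which the rule ignores.
    if (Get-LocalGroupMember -Group 'Administrators' -Member $testUser -ErrorAction SilentlyContinue) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $testUser
    }
    if (Get-LocalUser -Name $testUser -ErrorAction SilentlyContinue) {
        Remove-LocalUser -Name $testUser
    }
}
```

A few minutes after the script reports MatchesRule = True, run the same KQL query in the Microsoft Sentinel Logs blade to confirm the event reached the workspace, then check Incidents for the NRT rule's alert. Note that PowerShell's -eq is case-insensitive while the KQL == comparison is case-sensitive, so the TargetAccount value shown by the script must read exactly Builtin\Administrators for the rule to match.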
Next Articles
Part 5: Microsoft Sentinel Implementation a Deep Dive – Part 5: Validating the Microsoft Sentinel Deployment
Part 6: Microsoft Sentinel Implementation a Deep Dive – Part 6: Ingesting Microsoft 365 Logs and validation