
Previous Articles

Part 1: Microsoft Sentinel Implementation a Deep Dive – Part 1: Workspace Deployment

Part 2: Microsoft Sentinel Implementation a Deep Dive – Part 2: Microsoft Sentinel Deployment

Part 3: Microsoft Sentinel Implementation a Deep Dive – Part 3: Configuring Data Connectors

Part 4: Microsoft Sentinel Implementation a Deep Dive – Part 4: Deploy VM to Validate the Microsoft Sentinel Deployment

Validating the Sentinel Deployment

Configure automation in Microsoft Sentinel

This section creates an automation rule that assigns an owner to every new incident, so the next sections can confirm that both detection and automation work end to end. Learn more in Create and use Microsoft Sentinel automation rules at https://learn.microsoft.com/azure/sentinel/create-manage-use-automation-rules.

In Microsoft Sentinel, go to the Configuration menu section and select Automation

Select Create, then Automation rule

Enter an Automation rule name. Leave the trigger at its default (when an incident is created) and add no conditions; with no conditions the rule fires on every new incident, which is what we want for this lab. Under Actions, select Assign owner

From the second drop-down under Actions, select Assign to Me so that you become the owner of each incident the rule processes.

Click on Apply
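The same rule can be created outside the portal, which is useful when the lab has to be rebuilt. The following PowerShell is an added example, not code from the original article: it calls the Microsoft Sentinel automation rules REST API through Invoke-AzRestMethod. The resource group and workspace names are placeholders, and the api-version and the property names used in the request body are my assumptions based on the automation rules API; check them against the current API reference before relying on them.

```powershell
# Added example (not from the original article): create the "assign owner" automation
# rule through the Sentinel REST API. Requires Az.Accounts and Az.Resources and an
# authenticated session (Connect-AzAccount). Resource names are placeholders.
$SubscriptionId = (Get-AzContext).Subscription.Id
$ResourceGroup  = 'rg-sentinel-lab'     # assumption
$WorkspaceName  = 'law-sentinel-lab'    # assumption
$RuleId         = [guid]::NewGuid().ToString()
$ApiVersion     = '2023-02-01'          # assumption: check the current API reference

# Owner identity: the signed-in user, the same thing "Assign to me" does in the portal.
$me = Get-AzADUser -SignedIn

$rule = @{
    properties = @{
        displayName = 'Assign new incidents to me'
        order       = 1
        triggeringLogic = @{
            isEnabled    = $true
            triggersOn   = 'Incidents'
            triggersWhen = 'Created'
            conditions   = @()     # no conditions: the rule fires on every new incident
        }
        actions = @(
            @{
                order      = 1
                actionType = 'ModifyProperties'
                actionConfiguration = @{
                    owner = @{
                        objectId          = $me.Id
                        userPrincipalName = $me.UserPrincipalName
                        assignedTo        = $me.DisplayName
                        ownerType         = 'User'
                    }
                }
            }
        )
    }
}

$path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName" +
        "/providers/Microsoft.SecurityInsights/automationRules/$RuleId" +
        "?api-version=$ApiVersion"

# PUT creates the rule (or overwrites an existing rule with the same id).
$response = Invoke-AzRestMethod -Method PUT -Path $path -Payload ($rule | ConvertTo-Json -Depth 10)
if ($response.StatusCode -notin 200, 201) {
    throw "Automation rule creation failed: $($response.StatusCode) $($response.Content)"
}
($response.Content | ConvertFrom-Json).properties |
    Format-List displayName, order, triggeringLogic
```

Because the rule id is part of the URL, keeping it in source control lets you re-run the script idempotently instead of accumulating duplicate rules with every rebuild.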

Perform a simulated Privilege Escalation attack

Use a simulated attack to test the analytic rules in Microsoft Sentinel. The simulation below creates a new local user and adds it to the local Administrators group. Learn more about the related Atomic Red Team tests for T1078.003 (Valid Accounts: Local Accounts) at https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md.

Locate and select the virtual machine in Azure. Scroll down the menu items to Operations and select Run command

On the Run command pane, Select RunPowerShellScript

Paste the commands below into the PowerShell Script form and select Run. They create a local user, set its password and add it to the local Administrators group, which is the behaviour the analytic rule should detect. The user name and password are throwaway lab values: the script is kept in the Run command history, so do not use a real password here, and delete the account once the test is complete so the VM is not left with a local administrator whose password is known.

Script:

net user theusernametoadd /add
net user theusernametoadd ThePassword1!
net localgroup administrators theusernametoadd /add

In the Output window you should see The command completed successfully for each of the three commands.

Verify an incident is created from the simulated attack

Verify that an incident is created that matches the criteria of the analytic rule and that the automation rule has acted on it. Learn more about Microsoft Sentinel incident management at https://learn.microsoft.com/azure/sentinel/incident-investigation.

In Microsoft Sentinel, go to the Threat management menu section and select Incidents

Select the incident and review the details pane.

The Owner should be the identity we assigned with the automation rule, and Tactics and techniques should show Privilege Escalation.

Select View full details to see all the Incident management capabilities and Incident Actions
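The simulated attack and the incident check above can both be driven from PowerShell, which makes the validation repeatable and adds the cleanup step the portal walkthrough leaves out. The block below is an added example and not code from the original article: it runs the same three commands on the VM through Invoke-AzVMRunCommand, polls the workspace until the Windows security events arrive, reads the incident and its owner from the SecurityIncident table, and finally deletes the test account. The resource group, VM name and workspace id are placeholders, and the analytic rule that raises the incident is whatever is already enabled in your workspace; the script only confirms that an incident exists with the expected owner and tactic.

```powershell
# Added example (not from the original article): drive the simulated attack from
# PowerShell, confirm the events and the incident reached Sentinel, then clean up.
# Requires Az.Compute and Az.OperationalInsights and an authenticated session
# (Connect-AzAccount). Names below are placeholders.
$ResourceGroup = 'rg-sentinel-lab'                           # assumption
$VmName        = 'vm-sentinel-test'                          # assumption
$WorkspaceId   = '00000000-0000-0000-0000-000000000000'      # workspace GUID, assumption
$TestUser      = 'theusernametoadd'

# Same three commands the article pastes into Run command. The password is a
# throwaway lab value and is visible in the Run command history: never reuse a real one.
$AttackScript = @"
net user $TestUser /add
net user $TestUser ThePassword1!
net localgroup administrators $TestUser /add
"@

function Invoke-LabRunCommand {
    param([string]$Script)
    # Invoke-AzVMRunCommand takes a file path, so stage the script in a temp file.
    $path = Join-Path ([IO.Path]::GetTempPath()) ("sentinel-lab-{0}.ps1" -f [guid]::NewGuid())
    Set-Content -Path $path -Value $Script
    try {
        $result = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroup -VMName $VmName `
            -CommandId 'RunPowerShellScript' -ScriptPath $path
        $result.Value[0].Message      # Value[0] is stdout, Value[1] is stderr
    } finally {
        Remove-Item $path -ErrorAction SilentlyContinue
    }
}

Invoke-LabRunCommand -Script $AttackScript

# 4720 = user account created (TargetUserName is the new user).
# 4732 = member added to a security-enabled local group (TargetUserName is the group;
#        for local accounts MemberName is often '-' and the SID sits in MemberSid).
# Ingestion latency is normally a few minutes, so poll rather than check once.
$EventQuery = @"
SecurityEvent
| where TimeGenerated > ago(1h)
| where (EventID == 4720 and TargetUserName =~ '$TestUser')
     or (EventID == 4732 and TargetUserName =~ 'Administrators')
| project TimeGenerated, Computer, EventID, Activity, TargetUserName, MemberName, MemberSid
"@
$events = $null
for ($i = 0; $i -lt 10 -and -not $events; $i++) {
    Start-Sleep -Seconds 60
    $events = (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $EventQuery).Results
}
if (-not $events) { throw "No 4720/4732 events for $TestUser arrived within 10 minutes" }
$events | Format-Table

# SecurityIncident holds one row per incident update; arg_max keeps the latest state.
# Owner and AdditionalData are dynamic columns, so pull the fields out explicitly.
$IncidentQuery = @"
SecurityIncident
| where TimeGenerated > ago(1h)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| project IncidentNumber, Title, Status, Severity,
          Owner   = tostring(Owner.assignedTo),
          Tactics = tostring(AdditionalData.tactics)
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $IncidentQuery).Results |
    Format-Table

# Remove the test account so the VM is not left with a known-password local admin.
Invoke-LabRunCommand -Script "net user $TestUser /delete"
```

If the events show up but no incident does, the problem is in the analytic rule (not enabled, wrong table, or a scheduling window that has not elapsed yet); if the incident exists but Owner is empty, the automation rule did not fire, which usually means it is disabled or its trigger does not match incident creation.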

Next Articles

Part 6: Microsoft Sentinel Implementation a Deep Dive – Part 6: Ingesting Microsoft 365 Logs and validation
