Previous Articles
Part 1: Microsoft Sentinel Implementation a Deep Dive- Part 1: Workspace Deployment
Part 2: Microsoft Sentinel Implementation a Deep Dive – Part 2: Microsoft Sentinel Deployment
Part 3: Microsoft Sentinel Implementation a Deep Dive – Part 3: Configuring Data Connectors
Validating the Sentinel Deployment
Configure automation in Microsoft Sentinel
Configure automation in Microsoft Sentinel. Learn more about Create and use Microsoft Sentinel automation rules at https://learn.microsoft.com/azure/sentinel/create-manage-use-automation-rules.
In Microsoft Sentinel, go to the Configuration menu section and select Automation
Select Create and Automation rule
Enter an Automation Rule Name and select Assign owner from Actions
From the second drop-down under Actions, select Assign to Me to assign yourself the owner role.
Click on Apply
Perform a simulated Privilege Escalation attack
Use simulated attacks to test analytic rules in Microsoft Sentinel. Learn more about privilege escalation attack simulation at https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md.
Locate and select the virtual machine in Azure. Scroll down the menu items to Operations and select Run command
On the Run command pane, Select RunPowerShellScript
Paste the commands below to simulate the creation of an Admin account into the PowerShell Script form and select Run
Paste Content
net user theusernametoadd /add net user theusernametoadd ThePassword1! net localgroup administrators theusernametoadd /add
In the Output window, you should see The command completed successfully
Verify an incident is created from the simulated attack
Verify that an incident is created that matches the criteria for the analytic rule and automation. Learn more about Microsoft Sentinel incident management at https://learn.microsoft.com/azure/sentinel/incident-investigation.
In Microsoft Sentinel, go to the Threat management menu section and select Incidents
Select the Incident and the Detail pane
The Owner assignment should be the Id we assigned, created from the Automation rule, and the Tactics and Techniques should be Privilege Escalation.
Select View full details to see all the Incident management capabilities and Incident Actions
Next Articles
Part 6: Microsoft Sentinel Implementation a Deep Dive – Part 6: Ingesting Microsoft 365 Logs and validation