top of page

Microsoft Sentinel Implementation a Deep Dive - Part 4: Validating Microsoft Sentinel Deployment

Previous Articles
 

Validating the Microsoft Sentinel Deployment

In this article Let's create a Windows virtual machine in Azure to test Microsoft Sentinel Deployment.


Open a new tab and navigate to the Azure portal at https://portal.azure.com.


Click on Create a Resource.

Sentinel-4-1

In the Search Services and Marketplace box, enter Windows 10 and select Microsoft Windows 10 from the drop-down list.

Sentinel-4-2

Select the box for Microsoft Windows 10. Open the Plan drop-down list and select Windows 10 Enterprise, version 22H2.

Sentinel-4-3

Select Start with a pre-set configuration to continue. Select resource group and other details as per your Azure Subscription


In the Virtual machine name, In my case, Windows 10.

Leave (US) East US as the default value for Region


Scroll down and review the Image for the virtual machine. If it appears empty, select Windows 10 Enterprise, version 22H2.


Select any right configuration for the Size for the virtual machine. If it appears empty, select See all sizes, choose the first VM size under Most used by Azure users and select Select.


Scroll down and enter a Username and Enter a Password

Sentinel-4-4

Scroll down to the bottom of the page and select the checkbox below Licensing to confirm you have the eligible license.


Select Review + Create and wait until the validation is passed.

Sentinel-4-5

Select Create. It will take some time to complete.

Configure Data Collection Rule(DCR) in Microsoft Sentinel

Configure a Windows Security Events via AMA connector. Learn more about Windows Security Events via AMA connector at https://learn.microsoft.com/azure/sentinel/data-connectors/windows-security-events-via-ama.

In Microsoft Sentinel, go to the Configuration menu section and select Data connectors

Sentinel-4-6

Search for and select Windows Security Events via AMA

Sentinel-4-7

Select Open connector page

Sentinel-4-8

In the Configuration area, Click on Create data collection rule

Sentinel-4-9

On the Basics tab enter a Rule Name

On the Resources tab expand your subscription and the resource group in the Scope.

Select Virtual Machine and then Click on  Next: Collect

Sentinel-4-10

On the Collect tab leave the default of All Security Events. and Click on Next: Review + Create

Sentinel-4-13

Click on Create

Sentinel-4-14
Sentinel-4-14

Create a near real-time (NRT) query detection

Detect threats with near-real-time (NRT) analytic rules in Microsoft Sentinel. Learn more about NRT Analytic rules in Microsoft Sentinel at https://learn.microsoft.com/azure/sentinel/near-real-time-rules.

In the Microsoft Sentinel, Go to the Configuration menu section and select Analytics

Sentinel-4-1

Select Create, and NRT query rule

Sentinel-4-16

Enter a Name for the rule, and select Privilege Escalation from Tactics and Techniques.

Sentinel-4-17

Select Next: Set rule logic >

Sentinel-4-18

Enter the KQL query into the Rule Query form

Sentinel-4-19

Paste the Content below in the Rule Query

SecurityEvent
| where EventID == 4732
| where TargetAccount == "Builtin\\Administrators"
Sentinel-4-20

Leave Incident settings and Automated response with default settings

Select Next: Review + Create

Sentinel-4-21

When validation is complete click on Save

Sentinel-4-22
 
Next Articles
5 views0 comments
bottom of page