
Microsoft Sentinel Implementation: A Deep Dive - Part 4: Validating Microsoft Sentinel Deployment


Validating the Microsoft Sentinel Deployment

In this article, let's create a Windows virtual machine in Azure to test the Microsoft Sentinel deployment.

Open a new tab and navigate to the Azure portal at

Click on Create a Resource.


In the Search Services and Marketplace box, enter Windows 10 and select Microsoft Windows 10 from the drop-down list.


Select the box for Microsoft Windows 10. Open the Plan drop-down list and select Windows 10 Enterprise, version 22H2.


Select Start with a pre-set configuration to continue. Select the resource group and other details according to your Azure subscription.

Enter a Virtual machine name; in my case, Windows 10.

Leave (US) East US as the default value for Region.

Scroll down and review the Image for the virtual machine. If it appears empty, select Windows 10 Enterprise, version 22H2.

Select a suitable Size for the virtual machine. If it appears empty, select See all sizes, choose the first VM size under Most used by Azure users, and select Select.

Scroll down and enter a Username and a Password.


Scroll down to the bottom of the page and select the checkbox below Licensing to confirm you have the eligible license.

Select Review + Create and wait until validation passes.


Select Create. It will take some time to complete.

Configure a Data Collection Rule (DCR) in Microsoft Sentinel

Configure the Windows Security Events via AMA connector. Learn more about the Windows Security Events via AMA connector at

In Microsoft Sentinel, go to the Configuration menu section and select Data connectors.


Search for and select Windows Security Events via AMA.


Select Open connector page.


In the Configuration area, click Create data collection rule.


On the Basics tab, enter a Rule Name.

On the Resources tab, expand your subscription and the resource group in the Scope.

Select the virtual machine and then click Next: Collect.


On the Collect tab, leave the default of All Security Events and click Next: Review + Create.


Click Create.


Create a near real-time (NRT) query detection

Detect threats with near-real-time (NRT) analytics rules in Microsoft Sentinel. Learn more about NRT analytics rules in Microsoft Sentinel at

In Microsoft Sentinel, go to the Configuration menu section and select Analytics.


Select Create, then NRT query rule.


Enter a Name for the rule, and select Privilege Escalation under Tactics and Techniques.


Select Next: Set rule logic >


Enter the KQL query in the Rule query form.


Paste the content below into the Rule query:

// SecurityEvent is the table the Windows Security Events via AMA connector populates
SecurityEvent
// Event 4732: a member was added to a security-enabled local group
| where EventID == 4732
| where TargetAccount == "Builtin\\Administrators"

Leave Incident settings and Automated response at their default settings.

Select Next: Review + Create


When validation is complete, click Save.
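To see what the rule above will and will not match before the test VM starts sending telemetry, here is an added Python replay of its two where clauses over constructed SecurityEvent-style rows (example code written for this article, not Microsoft's or the connector's; the computer names, accounts and SIDs are made up). It also shows the difference between KQL's case-sensitive == used in the rule and the case-insensitive =~ operator.

```python
"""Offline replay of the NRT rule above over constructed SecurityEvent rows.

Example code added for this article, not Microsoft's or the connector's own code;
the rows are constructed and only mimic SecurityEvent column names.
"""

EXPECTED_GROUP = "Builtin\\Administrators"  # literal from the rule's second where clause

# Constructed sample rows. Row 2 targets another local group, row 3 is a
# domain-group event (4728), row 4 differs from the literal only in letter case.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-01-10T09:00:01Z", "Computer": "Windows10", "EventID": 4732,
     "SubjectAccount": "WINDOWS10\\labadmin", "TargetAccount": "Builtin\\Administrators",
     "MemberSid": "S-1-5-21-111-222-333-1001"},
    {"TimeGenerated": "2024-01-10T09:00:07Z", "Computer": "Windows10", "EventID": 4732,
     "SubjectAccount": "WINDOWS10\\labadmin", "TargetAccount": "Builtin\\Remote Desktop Users",
     "MemberSid": "S-1-5-21-111-222-333-1002"},
    {"TimeGenerated": "2024-01-10T09:01:13Z", "Computer": "DC01", "EventID": 4728,
     "SubjectAccount": "CONTOSO\\svc-hr", "TargetAccount": "CONTOSO\\Domain Admins",
     "MemberSid": "S-1-5-21-444-555-666-1103"},
    {"TimeGenerated": "2024-01-10T09:02:40Z", "Computer": "Windows10", "EventID": 4732,
     "SubjectAccount": "WINDOWS10\\labadmin", "TargetAccount": "BUILTIN\\Administrators",
     "MemberSid": "S-1-5-21-111-222-333-1003"},
]


def matches_rule(event, case_insensitive=False):
    """Apply both `where` clauses. KQL `==` is case-sensitive; `=~` is the
    case-insensitive form, which case_insensitive=True emulates."""
    if event.get("EventID") != 4732:
        return False
    target = event.get("TargetAccount", "")
    if case_insensitive:
        return target.casefold() == EXPECTED_GROUP.casefold()
    return target == EXPECTED_GROUP


def run_nrt_rule(events, case_insensitive=False):
    """Return the rows the rule would alert on, projected to triage columns."""
    return [
        {k: e[k] for k in ("TimeGenerated", "Computer", "SubjectAccount", "MemberSid")}
        for e in events
        if matches_rule(e, case_insensitive)
    ]


if __name__ == "__main__":
    for hit in run_nrt_rule(SAMPLE_EVENTS):
        print(hit)
```

With the rule as written, only the first row alerts; the fourth row shows that a casing difference in TargetAccount would be missed by == but caught by =~.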
