
Microsoft Sentinel Implementation a Deep Dive - Part 5: Validating the Microsoft Sentinel Deployment


Validating the Sentinel Deployment

Configure automation in Microsoft Sentinel

Configure automation in Microsoft Sentinel. Learn more in "Create and use Microsoft Sentinel automation rules" at https://learn.microsoft.com/azure/sentinel/create-manage-use-automation-rules.

In Microsoft Sentinel, go to the Configuration menu section and select Automation


Select Create, then Automation rule

Enter an Automation Rule Name and select Assign owner from Actions


From the second drop-down under Actions, select Assign to Me to assign yourself the owner role.


Click on Apply


Perform a simulated Privilege Escalation attack

Use simulated attacks to test analytic rules in Microsoft Sentinel. Learn more about privilege escalation attack simulation at https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md.

Locate and select the virtual machine in Azure. Scroll down the menu items to Operations and select Run command

On the Run command pane, select RunPowerShellScript

Paste the commands below into the PowerShell Script form to simulate the creation of an Admin account, then select Run

net user theusernametoadd /add
net user theusernametoadd ThePassword1!
net localgroup administrators theusernametoadd /add

In the Output window, you should see The command completed successfully


Verify an incident is created from the simulated attack

Verify that an incident is created that matches the criteria for the analytic rule and automation. Learn more about Microsoft Sentinel incident management at https://learn.microsoft.com/azure/sentinel/incident-investigation.


In Microsoft Sentinel, go to the Threat management menu section and select Incidents


You should see an incident that matches the Severity and Title you configured in the NRT rule you created


Select the incident to open its Detail pane

The Owner should be the ID we assigned through the Automation rule, and the Tactics and Techniques should be Privilege Escalation.

Select View full details to see all the Incident management capabilities and Incident Actions
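
Once the incident is verified, the test account from the simulation is still a local administrator on the VM with a known password. The PowerShell below is an added example, not part of the original article: it confirms that the account creation and group addition were audited in the VM's Security log and then removes the account. The one-hour look-back window and the variable names are assumptions.

```powershell
# Added example (not from the original article): confirm the simulated
# account creation was audited on the VM, then remove the test account.
# Run it the same way as the simulation (Run command > RunPowerShellScript).
$Account = 'theusernametoadd'        # account name used in the article
$Since   = (Get-Date).AddHours(-1)   # assumed look-back window

# Resolve the SID first: event 4732 identifies the added member by SID.
$user = Get-LocalUser -Name $Account -ErrorAction SilentlyContinue
$sid  = if ($user) { $user.SID.Value } else { $null }

# 4720 = user account created; 4732 = member added to a local security group.
# Assumes account-management auditing (Success) is enabled on the VM.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4720, 4732; StartTime = $Since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the named EventData fields into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $created = $e.Id -eq 4720 -and $data['TargetUserName'] -eq $Account
    $added   = $e.Id -eq 4732 -and $sid -and $data['MemberSid'] -eq $sid
    if ($created -or $added) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Actor  = $data['SubjectUserName']
            Target = $data['TargetUserName']   # new user (4720) or group (4732)
        }
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize | Out-String
} else {
    "No 4720/4732 events found for $Account since $Since"
}

# Clean up so the test admin account does not persist on the VM.
if ($user) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $Account -ErrorAction SilentlyContinue
    Remove-LocalUser -Name $Account
    "Removed local account $Account"
} else {
    "Local account $Account not found; nothing to remove"
}
```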
