Microsoft Sentinel Implementation a Deep Dive - Part 5: Validating the Microsoft Sentinel Deployment

Validating the Sentinel Deployment

Configure automation in Microsoft Sentinel

Configure automation in Microsoft Sentinel. Learn more about Create and use Microsoft Sentinel automation rules at

In Microsoft Sentinel, go to the Configuration menu section and select Automation


Select Create, then Automation rule


Enter an Automation rule name and, under Actions, select Assign owner


From the second drop-down under Actions, select Assign to Me to assign yourself the owner role.


Click Apply


Perform a simulated Privilege Escalation attack

Use simulated attacks to test analytic rules in Microsoft Sentinel. Learn more about privilege escalation attack simulation at

Locate and select the virtual machine in Azure. Scroll down the menu items to Operations and select Run command


On the Run command pane, select RunPowerShellScript


Paste the commands below into the PowerShell Script form to simulate the creation of a local admin account, then select Run

Paste Content

net user theusernametoadd /add
net user theusernametoadd ThePassword1!
net localgroup administrators theusernametoadd /add

In the Output window, you should see "The command completed successfully"
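Before looking for the incident, you can confirm that both simulated events were ingested and that the create-then-elevate pattern the NRT rule targets is visible in the Logs blade. This KQL query is an added example, not part of this series; it assumes the Windows Security Events connector writes to the SecurityEvent table and uses a placeholder VM name.

```kql
// Added example: confirm the simulated sequence reached the workspace.
// Assumes Windows Security Events are ingested into the SecurityEvent table.
// target_vm is a placeholder; replace it with the Computer value of your VM.
let lookback = 1h;
let target_vm = "<your-vm-name>";
// Event 4720: a user account was created. TargetSid is the new account's SID.
let created = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4720
    | where Computer has target_vm
    | project CreatedTime = TimeGenerated, Computer,
              NewAccount = TargetUserName, NewAccountSid = TargetSid,
              CreatedBy = SubjectUserName;
// Event 4732: a member was added to a security-enabled local group.
// S-1-5-32-544 is the well-known SID of the built-in Administrators group.
let elevated = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4732 and TargetSid == "S-1-5-32-544"
    | project ElevatedTime = TimeGenerated, Computer,
              MemberSid, AddedBy = SubjectUserName;
// Correlate on host and on the account SID (more reliable than the name,
// which is often "-" in 4732), and require the elevation to follow the
// creation within 10 minutes, as the simulated script does.
created
| join kind=inner elevated on Computer
| where MemberSid == NewAccountSid
| where ElevatedTime between (CreatedTime .. (CreatedTime + 10m))
| project CreatedTime, ElevatedTime, Computer, NewAccount, CreatedBy, AddedBy
| order by ElevatedTime desc
```

A matching row here with no incident points at the analytic rule or its trigger rather than at data collection; no row at all means the events never reached the workspace.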


Verify an incident is created from the simulated attack

Verify that an incident is created that matches the criteria for the analytic rule and automation. Learn more about Microsoft Sentinel incident management at

In Microsoft Sentinel, go to the Threat management menu section and select Incidents


You should see an incident that matches the Severity and Title you configured in the NRT rule you created


Select the incident to open the Details pane


The Owner should be the identity assigned by the automation rule, and the Tactics and Techniques should show Privilege Escalation.


Select View full details to see all the Incident management capabilities and Incident Actions
