Exercise overview

You’re a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to connect log data from the many data sources in your organization. The next source of data is Windows virtual machines inside and outside of Azure, like On-Premises environments or other Public Clouds.

Exercise instructions

Task 1: Access the Microsoft Sentinel Workspace

In this task, you will access your Microsoft Sentinel workspace.

  1. Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. Open the Microsoft Edge browser.

  3. In the Edge browser, navigate to the Azure portal at https://portal.azure.com.

    Note: Select the Resourses tab for the Username and Password for the lab. Use the LabUser-XXXXXXXX@LODSPRODXXX.onmicrosoft.com account for this lab.

  4. In the Sign in dialog box, copy, and paste in the Tenant Email account provided by your lab hosting provider and then select Next.

  5. In the Enter password dialog box, copy, and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.

  6. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  7. Select your Microsoft Sentinel Workspace that you created in the previous lab.

  8. Proceed to the next task.

Task 2: Install the Windows Security Events solution

  1. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  2. Select your Microsoft Sentinel Workspace you created earlier.

    1. In the Microsoft Sentinel left navigation menu, scroll down to the Content management section and select Content Hub.

  4. In the Content hub, search for the Windows Security Events solution and select it from the list.

  5. On the Windows Security Events solution page select Install.

  6. When the installation completes select Manage

    Note: The Windows Security Events solution installs both the Windows Security Events via AMA and the Security Events via Legacy Agent Data connectors. Plus 2 Workbooks, 20 Analytic Rules, and 43 Hunting Queries.

  7. Select the Windows Security Events via AMA Data connector, and select Open connector page on the connector information blade.

In the next task, we will setup this connector by creating data collection rule (DCR), and adding a Microsoft Azure Windows virtual machine to it.

Task 3:  Connect an Azure Windows virtual machine to Microsoft Sentinel

  1. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  2. Select your Microsoft Sentinel Workspace you created earlier.

  3. In the Microsoft Sentinel left navigation menu, scroll down to Configuration and select Data Connectors.

  4. Look for the Windows Security Events via AMA connector that you created in the previous exercise.

  5. Select the Windows Security Events via AMA Data connector and select Open connector page on the connector information blade.

  6. In the Configuration section, under the Instructions tab, select the Create data collection rule.

  7. Enter AZWINDCR for Rule Name, then select Next: Resources.

  8. Select +Add resource(s) to select the Virtual Machine we created.

  9. Expand the MOC Subscription-lodxxxxxxxx subscription and the RG2 resource group, then select VM1.

  10. Select Next: Collect.

  11. Review the different Security Event collection option. Keep All Security Events and then select Next: Review + create.

  12. Select Create to save the Data Collection Rule.

  13. It will take a few minutes to see the new data collection rule listed. You can select Refresh as needed. You can also select the Bell notification icon to see the progress of the rule creation. You should see that the rule creation “Successflly installed” the AMA agent extension on the VM1 virtual machine”.

Proceed to Exercise 4