Note: This lab builds on Lab 01 and Lab 02. To complete this lab, you will need an Azure subscription in which you have administrative access.

General guidelines

  • When creating objects, use the default settings unless there are requirements that require different configurations.
  • Only create, delete, or modify objects to achieve the stated requirements. Unnecessary changes to the environment may adversely affect your final score.
  • If there are multiple approaches to achieving a goal, always choose the approach that requires the least amount of administrative effort.

We need to configure Microsoft Sentinel to receive security events from virtual machines that run Windows.

Architecture diagram

Diagram of Windows Security Events via AMA using DCR

Skilling tasks

You need to validate the Microsoft Sentinel deployment to meet the following requirements:

  • Configure the Windows Security Events via AMA connector to collect all security events from only a virtual machine named VM1.
  • Create a near-real-time (NRT) query rule to generate an incident based on the following query.

    SecurityEvent
    | where EventID == 4732
    | where TargetAccount == "Builtin\\Administrators"

  • Create an automation rule that assigns Operator1 the Owner role for incidents that are generated by the NRT rule.

Exercise instructions

Note: In the following tasks, to access Microsoft Sentinel, select the workspace you created in Lab 01.

Task 1 - Configure Data Collection rules (DCRs) in Microsoft Sentinel

Configure a Windows Security Events via AMA connector. Learn more about Windows Security Events via AMA connector.

  1. In Microsoft Sentinel, go to the Configuration menu section and select Data connectors
  2. Search for and select Windows Security Events via AMA
  3. Select Open connector page
  4. In the Configuration area, select +Create data collection rule
  5. On the Basics tab enter a Rule Name
  6. On the Resources tab expand your subscription and the RG1 resource group in the Scope column
  7. Select VM1, and then select Next: Collect >
  8. On the Collect tab leave the default of All Security Events
  9. Select Next: Review + create >, then select Create
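The lab does not include a check that the data collection rule actually delivers events, so the following KQL is an added validation query, not part of the lab or of Microsoft's connector documentation. Run it in the workspace's Logs blade a few minutes after the DCR is created. It assumes the VM's Computer value in SecurityEvent begins with the VM name "VM1" (it may be a short name or an FQDN); any computer other than VM1 appearing in the result means the DCR scope is wider than the requirement allows.

```kql
// Added validation query (not part of the lab): confirm that Security events
// are arriving from VM1, and from VM1 only, after the DCR in Task 1 is created.
SecurityEvent
| where TimeGenerated > ago(1h)
| summarize Events = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer
// startswith is case-insensitive, so "VM1" and "vm1.contoso.local" both count as in scope
| extend InScope = Computer startswith "VM1"
// out-of-scope computers sort to the top so a misconfigured DCR scope is obvious
| order by InScope asc, Events desc
```

If the result is empty, wait a few more minutes: the Azure Monitor Agent extension is installed on VM1 as part of DCR creation and the first events take a short while to appear.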

Task 2 - Create a near real-time (NRT) query detection

Detect threats with near-real-time (NRT) analytic rules in Microsoft Sentinel. Learn more about NRT Analytic rules in Microsoft Sentinel.

  1. In Microsoft Sentinel, go to the Configuration menu section and select Analytics
  2. Select + Create, and NRT query rule (Preview)
  3. Enter a Name for the rule, and select Privilege Escalation from Tactics and techniques.
  4. Select Next: Set rule logic >
  5. Enter the KQL query into the Rule query form

    SecurityEvent
    | where EventID == 4732
    | where TargetAccount == "Builtin\\Administrators"

  6. Select Next: Incident settings >, and select Next: Automated response >
  7. Select Next: Review + Create
  8. When validation is complete select Save
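The two-line query in step 5 satisfies the requirement, but it returns every column of the matching row, which makes the resulting incident harder to triage. The following KQL is an added example, not the lab's own query: it keeps the same two filters and projects the columns an analyst needs to see for a local-group membership change. Column names are the standard SecurityEvent schema; the comment about MemberName holding "-" reflects how Windows logs event 4732 when only the SID of the added member is recorded, which is an assumption you should confirm against your own data.

```kql
// Added example (not part of the lab): same detection logic as the NRT rule,
// with the columns that matter for triage. NRT rules run once a minute, so no
// TimeGenerated filter is needed; the platform supplies the lookback window.
SecurityEvent
| where EventID == 4732                              // member added to a security-enabled local group
| where TargetAccount == "Builtin\\Administrators"   // the group that changed is local Administrators
| project
    TimeGenerated,
    Computer,        // host where the change happened (should be VM1 in this lab)
    Activity,        // human-readable event description
    SubjectAccount,  // account that performed the change
    MemberName,      // account that was added; often "-" when only the SID is logged
    MemberSid,       // SID of the added account, always populated
    TargetAccount
```

Keep the original two filters exactly as the lab states them when you paste into the Rule query form; the project clause only changes which columns reach the incident, not which events trigger it.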

Task 3 - Configure automation in Microsoft Sentinel

Configure automation in Microsoft Sentinel. Learn more about Create and use Microsoft Sentinel automation rules.

  1. In Microsoft Sentinel, go to the Configuration menu section and select Automation
  2. Select + Create, and Automation rule
  3. Enter an Automation rule name, and select Assign owner from Actions
  4. Assign Operator1 as the owner.
  5. Select Apply