Learning Path 6 - Lab 1 - Exercise 1 - Configure your Microsoft Sentinel environment

Lab scenario

You’re a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You need to understand the configuration of the Microsoft Sentinel environment to ensure it meets the company requirements to minimize cost, meet compliance regulations, and provide the most manageable environment for your security team to perform their daily job responsibilities.

Important: The lab exercises for Learning Path #6 are in a standalone environment. If you exit the lab before completing it, you will have to re-run the configurations.

Estimated time to complete this lab: 30 minutes

Optional task - Connect Microsoft Sentinel to Microsoft Defender XDR

To understand how Microsoft Sentinel is onboarded to Microsoft Defender XDR, you can perform the instructions for this simulated exercise - Connect Microsoft Sentinel to Defender XDR.

<!--1. Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.

        1. In the Microsoft Edge browser, navigate to Defender XDR at <https://security.microsoft.com>.
      
        1. In the **Sign in** dialog box, copy, and paste in the tenant Email account for the admin username provided by your lab hosting provider and then select **Next**.
    
        1. In the **Enter password** dialog box, copy, and paste in the admin's tenant password provided by your lab hosting provider and then select **Sign in**.
    
            >**Note:** You may be prompted to enter the *Temporary Access Pass* (TAP) instead of a password.
       
        1. In the Microsoft Defender navigation menu, scroll down and expand the **System** section.
    
        1. Select **Settings**, and then select **Microsoft Sentinel**.
    
        1. In the *SIEM workspaces*, *Workspaces* pane, the **SentinelWorkspace-01** workspace is listed as Primary and shows a *Connected* Status.
    
        1. Select the **SentinelWorkspace-01** to open the workspace settings options.
    
        1. Expand each of the different sections to explore the available configuration options.
    
        >**Warning:** Do not select the *Disconnect* or *Remove Microsoft Sentinel* icon links. Doing so can impact the functionality of your environment. -->

<!--1. While still on the workspace settings options page, expand Log Analytics settings, and select the Configure Log Analytics workspace link.

    1. This opens a new browser tab to the Azure portal's Log Analytics workspace settings for the **SentinelWorkspace-01**.
    
    1. Scroll down the navigation menu and expand the *Settings* section, then select **Usage and estimated costs**.
    
    1. Select **Data retention** from the menu items.
    
    1. Change data retention period to **180 days**.
    
    1. Select **OK**.
    
    1. Return to the Microsoft Defender XDR browser tab, and close the workspace settings options page. -->

Task 1: Create a Watchlist

In this task, you create a watchlist in Microsoft Sentinel.

  1. Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. In the Microsoft Edge browser, navigate to Defender XDR at https://security.microsoft.com.

  3. In the Sign in dialog box, copy, and paste in the tenant Email account for the admin username provided by your lab hosting provider and then select Next.

  4. In the Enter password dialog box, copy, and paste in the admin’s tenant password provided by your lab hosting provider and then select Sign in.

    Note: You may be prompted to enter the Temporary Access Pass (TAP) instead of a password.

  5. In the search box at the bottom of the Windows 11 screen, enter Notepad. Select Notepad from the results.

  6. Type Hostname, then press Enter to start a new line.

  7. Starting on row 2 of Notepad, enter the following hostnames, each on its own line:

     Host1
     Host2
     Host3
     Host4
     Host5
    
  8. From the menu select File - Save As, name the file HighValue.csv, change the file type to All files (\*.\*) and select Save. Hint: The file can be saved in the Documents folder.

  9. Close Notepad.

  10. In the Microsoft Defender navigation menu, scroll to and expand the Microsoft Sentinel section.

  11. Expand the Configuration menu, and select Watchlist.

  12. Select + New from the command bar.

  13. In the Watchlist wizard, enter the following:

    | General setting | Value            |
    | --------------- | ---------------- |
    | Name            | HighValueHosts   |
    | Description     | High Value Hosts |
    | Watchlist alias | HighValueHosts   |

  14. Select Next: Source >.

  15. Select Browse for files under Upload file and browse for the HighValue.csv file you created.

  16. In the SearchKey field, select Hostname.

  17. Select Next: Review and Create >.

  18. Review the settings you entered and select Create.

  19. The screen returns to the Watchlist page.

  20. Select Refresh from the menu to see the new watchlist.

  21. Select the HighValueHosts watchlist and on the right pane, select View in logs.

    Important: It could take up to ten minutes for the watchlist to appear. Please continue with the following task and run this query in the next lab.

    Note: You can now use _GetWatchlist('HighValueHosts') in your own KQL statements to access the list. The column to reference is Hostname.
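
As an added example (not part of the lab), the watchlist can drive a hunting query: the following KQL joins the Hostname column of the HighValueHosts watchlist to Windows Security logon events in the SecurityEvent table, so that failed logons on high-value hosts surface first. The SecurityEvent column names (Computer, EventID, Account) are assumed from the standard Windows Security event schema, and the one-day window is a placeholder you would adjust.

```kql
// Added example, not part of the lab: logon activity on watchlisted hosts.
// Assumes the HighValueHosts watchlist created in Task 1 (column: Hostname)
// and the SecurityEvent table (Windows Security events) in the workspace.
let highValueHosts = _GetWatchlist('HighValueHosts')
    | project Hostname;
SecurityEvent
| where TimeGenerated > ago(1d)                 // placeholder time window
| where EventID in (4624, 4625)                // 4624 = logon success, 4625 = logon failure
// SecurityEvent.Computer is usually an FQDN; keep only the short host name
// so it matches the bare names (Host1, Host2, ...) stored in the watchlist.
| extend Hostname = tostring(split(Computer, '.')[0])
| join kind=inner (highValueHosts) on Hostname  // keep only watchlisted hosts
| summarize
    Logons   = countif(EventID == 4624),
    Failures = countif(EventID == 4625)
    by Hostname, Account
| order by Failures desc
```

Because the join is an inner join, hosts that are on the watchlist but have no logon events in the window do not appear; use `kind=rightouter` with the watchlist on the right if you also want to see silent hosts.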

Task 2: Create a Threat Indicator

In this task, you create an indicator in Microsoft Sentinel.

  1. In Microsoft Sentinel, expand the Threat management menu, and select the Threat intelligence option.

  2. Select the Open Intel management button.

    Note: This opens a page for consolidated Intel management within the Microsoft Threat Intelligence section of Defender XDR.

  3. Select + New from the command bar.

  4. Select the TI Object.

  5. From the Object type dropdown, select Indicator.

  6. Select the + New observable dropdown and select Domain name.

  7. For Domain, enter a domain name, for example type contoso.com.

  8. In the Name field, enter the same value used for the Domain.

  9. In the Indicator types, select malicious-activity.

  10. Set the Valid from field to today’s date.

  11. Scroll down to the Description and enter This domain is known to be malicious.

  12. Select Add.

  13. In the Microsoft Defender navigation menu, scroll up and expand the Investigation & Response section.

  14. Expand the Hunting section and select Advanced hunting.

    Note: In the default New Query 1 tab, the _GetWatchlist('HighValueHosts') query should still be there, and will now produce results if run.

  15. Select the + sign to create a new query tab.

  16. Run the following KQL statement.

    ```kql
    ThreatIntelIndicators
    ```

    Note: It could take up to five minutes for the indicator to appear.

  17. Scroll the results to the right to see the ObservableValue column. You can also run the following KQL statement to see only the ObservableValue column.

    ```kql
    ThreatIntelIndicators
    | project ObservableValue
    ```
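
As an added example (not part of the lab), the indicator created above can be matched against endpoint telemetry. The query below reads active domain indicators from ThreatIntelIndicators and joins them to the Defender for Endpoint DeviceNetworkEvents table on the remote host name. The ObservableKey value 'domain-name:value', the IsActive, ValidUntil and Id columns, and the exact-match approach are assumptions about the table schema, not something the lab states.

```kql
// Added example, not part of the lab: which devices talked to a domain that
// has an active threat indicator? Assumes the ThreatIntelIndicators table
// populated in Task 2 and the DeviceNetworkEvents table from Defender for Endpoint.
let indicators = ThreatIntelIndicators
    | where ObservableKey == 'domain-name:value'   // assumed STIX-style key for domain indicators
    | where IsActive == true and ValidUntil > now() // ignore expired or deactivated indicators
    // Indicators are re-ingested on every update; keep the latest row per indicator Id.
    | summarize arg_max(TimeGenerated, *) by Id
    | project IndicatorId = Id, Domain = tolower(ObservableValue), Confidence;
DeviceNetworkEvents
| where Timestamp > ago(1d)                       // placeholder time window
| where isnotempty(RemoteUrl)
| extend Domain = tolower(RemoteUrl)              // normalize case before matching
| join kind=inner (indicators) on Domain          // exact match on the domain name
| project Timestamp, DeviceName, InitiatingProcessFileName,
          RemoteIP, RemotePort, Domain, IndicatorId, Confidence
| order by Timestamp desc
```

The match is exact, so a connection to www.contoso.com will not match an indicator for contoso.com. For a short indicator list, replacing the join with a `where Domain endswith` check against each indicator value catches subdomains as well, at the cost of a slower query.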

Task 3: Configure log retention

In this task, you’ll change the retention period for the SecurityEvent table.

  1. In the Microsoft Defender navigation menu, scroll down and expand the Microsoft Sentinel section.

  2. Expand the Configuration section and select Tables.

  3. In the Search box, type SecurityEvent, and then select the table SecurityEvent from the results.

    Note: There will be multiple variations of the SecurityEvent table. We recommend selecting the correct SecurityEvent_CL table.

  4. Select the Data retention settings gear icon.

    Note: This opens a page with Analytics tier and Data lake tier settings.

  5. Change the Analytics retention period to 90 days.

  6. The Total retention period is now Same as Analytics retention (90 days).

  7. Select Save to apply the changes.

  8. Select the radio button for Data lake tier, and notice that Retention is set to 180 days.

You have completed the lab