Learning Path 8 - Lab 1 - Exercise 3 - Explore Entity Behavior Analytics

Lab scenario

You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You already created Scheduled and Microsoft Security Analytics rules.

You need to configure Microsoft Sentinel to perform Entity Behavior Analytics to discover anomalies and provide entity analytic pages.

Important: The lab exercises for Learning Path 8 run in a standalone environment. If you exit the lab before completing it, you will have to re-run the configurations.

Estimated time to complete this lab: 15 minutes

Task 1: Explore Entity Behavior

In this task, you will explore Entity behavior analytics in Microsoft Sentinel.

Note: Microsoft Sentinel has been predeployed in your Azure subscription with the name sentinelworkspace-01, and the required Content Hub solutions have been installed.

  1. Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. Open the Microsoft Edge browser.

  3. In the Edge browser, navigate to Defender XDR at https://security.microsoft.com.

  4. In the Sign in dialog box, copy and paste the Tenant Email account provided by your lab hosting provider, and then select Next.

  5. In the Enter password dialog box, copy and paste the Tenant Password provided by your lab hosting provider, and then select Sign in.

    Note: You may be prompted to enter the Temporary Access Pass (TAP) instead of a password. This is also provided in the resources tab. If prompted, copy and paste the TAP value and select Sign in.

  6. In the Microsoft Defender navigation menu, scroll down and expand the System section.

  7. Select Settings, and then select Microsoft Sentinel.

  8. Select the sentinelworkspace-01 workspace.

  9. In the popout window, select and expand the Entity behavior analytics section.

  10. Select Configure UEBA.

  11. On the UEBA (User and Entity Behavior Analytics) page, on the UEBA tab, verify that the UEBA feature is enabled, and review the connected data sources.

  12. Use the breadcrumb links at the top of the page to go back to the Microsoft Sentinel settings page.

  13. Select the sentinelworkspace-01 workspace.

  14. On the Settings page, scroll down and expand the Anomalies section.

  15. Read through the paragraph, and verify that the Detect Anomalies switch is On.

  16. Select the Configure anomalies in analytics link.
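The switch in step 15 only tells you that UEBA is turned on; it does not tell you whether UEBA has actually started writing behavior data for the connected sources. The following KQL is an added example for the Logs blade and is not part of the original lab. It assumes sentinelworkspace-01 has UEBA enabled with at least one connected data source (for example Microsoft Entra ID sign-in logs) and uses the documented BehaviorAnalytics column names; an empty result means the table has not been populated yet, not that the feature is off.

```kusto
// Added example (not from the lab): what UEBA has written in the last 7 days,
// grouped by the kind of activity it scored.
BehaviorAnalytics
| where TimeGenerated > ago(7d)
| summarize Events = count(),
            Users = dcount(UserPrincipalName),
            MaxInvestigationPriority = max(InvestigationPriority)
    by ActivityType, ActionType
| order by MaxInvestigationPriority desc

// Added example (not from the lab): the activities UEBA scored highest.
// InvestigationPriority is UEBA's 0-10 score; ActivityInsights holds the
// reasons (first-time country, uncommon ISP, and so on) behind that score.
BehaviorAnalytics
| where TimeGenerated > ago(7d) and InvestigationPriority > 0
| project TimeGenerated, UserPrincipalName, ActivityType, ActionType,
          SourceIPAddress, InvestigationPriority, ActivityInsights
| top 20 by InvestigationPriority desc
```

Run each query on its own (select it and choose Run). UEBA can take several hours after enablement before the first rows appear, so re-run the first query later if both return nothing.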

Task 2: Confirm and review Anomalies rules

In this task, you will confirm Anomalies analytics rules are enabled.

  1. You should now be on the Analytics page, on the Anomalies tab.

  2. Confirm that the Status column for the rules is Enabled.

  3. Select any rule and then select Edit on the rule blade.

  4. Review the General tab information. Notice the Mode is Production and then select Next: Configuration.

  5. Review the Configuration tab information. Notice that you cannot change the Anomaly score threshold.

  6. Select the Cancel button on the lower right to exit the Analytics rule wizard.

  7. Scroll right along the row of the analytics rule you selected until you see the ellipsis (…) icon, and then select it.

  8. Select Duplicate, and then scroll left to review the new rule, which has the FLGT prefix at the beginning of its name.

  9. Select the FLGT rule and then select Edit on the rule blade.

  10. Review the General tab information. Notice the Mode is Flighting and then select Next: Configuration.

  11. Review the Configuration tab information. Notice that you can now change the Anomaly score threshold.

  12. Set the value to 1 and then select Next: Submit Feedback.

  13. Select Next: Review and Create and then Save to update the rule.

    Note: You can promote the Flighting rule to Production by changing the Mode setting on this rule and saving the change. The existing Production rule then becomes the Flighting rule.
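Lowering the threshold on the flighting copy only matters if you then compare what the two copies produce before promoting one. The following KQL is an added example for the Logs blade and is not part of the original lab. It assumes the Anomalies table is populated in sentinelworkspace-01, that flighting results carry the value "Flighting" in the RuleStatus column, and that the duplicated rule keeps the FLGT prefix shown in step 8; the column names are taken from the documented Anomalies schema.

```kusto
// Added example (not from the lab): side-by-side counts and score ranges for
// the Production and Flighting copies of each anomaly rule. A Flighting row
// with many more anomalies than its Production sibling is the effect of the
// lowered threshold, not of new activity.
Anomalies
| where TimeGenerated > ago(7d)
| summarize Anomalies = count(),
            MinScore = min(Score),
            MaxScore = max(Score)
    by RuleName, RuleStatus
| order by RuleName asc, RuleStatus asc

// Added example (not from the lab): drill into the flighting copy edited in
// steps 9-13. With the Anomaly score threshold set to 1, nearly every scored
// observation qualifies, so review AnomalyReasons before promoting the rule.
Anomalies
| where TimeGenerated > ago(7d)
| where RuleStatus == "Flighting" and RuleName startswith "FLGT"
| project TimeGenerated, RuleName, AnomalyTemplateName, Score,
          UserPrincipalName, AnomalyReasons
| top 50 by Score desc
```

Run each query on its own. Because the anomaly rules run on a schedule, allow time after saving the flighting rule before expecting Flighting rows; if the first query shows no Flighting rows for the FLGT rule after that, check that its Status is still Enabled on the Anomalies tab.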

Proceed to Exercise 4