Learning Path 6 - Lab 1 - Exercise 2 - Connect Windows devices to Microsoft Sentinel using data connectors

Lab scenario

Lab overview

You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to connect log data from the many data sources in your organization. The next source of data is Windows virtual machines inside and outside of Azure, such as on-premises environments or other public clouds.

Task 1: Create a Windows Virtual Machine in Azure

In this task, you will create a Windows virtual machine in Azure.

  1. Login to WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. In the Edge browser, navigate to the Azure portal at https://portal.azure.com.

  3. In the Sign in dialog box, copy and paste the Tenant Email account provided by your lab hosting provider and then select Next.

  4. In the Enter password dialog box, copy and paste the Tenant Password provided by your lab hosting provider and then select Sign in.

  5. Select + Create a Resource. Hint: If you were already in the Azure Portal, you might need to select Microsoft Azure from the top bar to go Home.

  6. In the Search services and marketplace box, enter Windows 10 and select Microsoft Windows 10 from the drop-down list.

  7. Open the Plan drop-down list and select Windows 10 Enterprise, version 21H2. Select Start with a pre-set configuration to continue.

  8. Select Dev/Test and then select Continue to create a VM.

  9. Select Create new for Resource group, enter RG-AZWIN01 as Name and select OK.

    Note: This will be a new resource group for tracking purposes.

  10. In Virtual machine name, enter AZWIN01.

  11. Leave (US) East US as the default value for Region.

  12. Scroll down and review the Size for the virtual machine. If it appears empty, select See all sizes, choose the first VM size under Most used by Azure users and click Select.

  13. Enter a Username of your choosing. Hint: Avoid reserved words like admin or root.

  14. Enter a Password of your choosing. Hint: It might be easier to re-use your tenant password. It can be found in the resources tab.

  15. Scroll down to the bottom of the page and select the checkbox below Licensing to confirm you have the eligible license.

  16. Select Review + create and wait until the validation is passed.

  17. Select Create. Wait for the resource to be created; this may take a few minutes.

Task 2: Connect an Azure Windows virtual machine

In this task, you will connect an Azure Windows virtual machine to Microsoft Sentinel.

  1. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  2. Select your Microsoft Sentinel Workspace you created earlier.

  3. From the Data Connectors Tab, search for the Windows Security Events via AMA connector and select it from the list.

  4. Select Open connector page on the connector information blade.

  5. In the Configuration section, select the Create data collection rule.

  6. Enter AZWIN01DCR for Rule Name, then select Next: Resources.

  7. Select +Add resource(s).

  8. Expand RG-AZWIN01, then select AZWIN01.

  9. Select Apply.

  10. Select Next: Collect, then Next: Review + create.

  11. Select Create.

  12. Wait a minute and then select Refresh to see the new data collection rule listed.

Task 3: Connect a non-Azure Windows Machine

In this task, you will install Azure Arc and connect a non-Azure Windows virtual machine to Microsoft Sentinel.

Important: The next steps are done on a different machine than the one you were previously working on. Look for the virtual machine name references.

Important: The Windows Security Events via AMA data connector requires Azure Arc for non-Azure devices.

  1. Login to WIN2 virtual machine as Admin with the password: Pa55w.rd.

  2. Open the Microsoft Edge browser.

  3. Navigate to the Azure portal at https://portal.azure.com and sign in with the credentials you have been using in the previous labs.

  4. In the Sign in dialog box, copy and paste the Tenant Email account provided by your lab hosting provider and then select Next.

  5. In the Enter password dialog box, copy and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.

  6. In the Search bar of the Azure portal, type Arc, then select Azure Arc.

  7. In the navigation pane, under Infrastructure, select Servers.

  8. Select + Add.

  9. Select Generate script in the “Add a single server” section.

  10. Select Next to get to the Resource details tab.

  11. Select the Resource group you created earlier. Hint: RG-Defender

    Note: If you haven’t already created a resource group, open another tab and create the resource group and start over.

  12. Review the Server details and Connectivity method options. Keep the default values and select Next to get to the Tags tab.

  13. Select Next to get to the Download and run script tab.

  14. Scroll down and select the Download button. Hint: if your browser blocks the download, take action in the browser to allow it. In Edge Browser, select the ellipsis button (…) if needed and then select Keep.

  15. Right-click the Windows Start button and select Windows PowerShell (Admin).

    Note: You may need to search for Windows PowerShell. In the search box type in PowerShell. You should see the Windows PowerShell App appear. Select the Run as Administrator option.

  16. In case you get a UAC prompt, enter Administrator for “Username” and Passw0rd! for “Password”, else skip to next step.

  17. Enter: cd C:\Users\Admin\Downloads

  18. Type Set-ExecutionPolicy -ExecutionPolicy Unrestricted and press enter.

  19. Enter A for Yes to All and press enter.

  20. Type .\OnboardingScript.ps1 and press enter.

    Important: If you get the error “The term .\OnboardingScript.ps1 is not recognized…”, make sure you are doing the steps for Task 3 on the WIN2 virtual machine. Another possible issue is that the file name changed due to multiple downloads; search for “.\OnboardingScript (1).ps1” or other file numbers in the current directory.

  21. Enter R to Run once and press enter (this may take a couple minutes).

  22. The setup process will open a new Edge browser tab to authenticate the Azure Arc agent. Select your admin account, wait for the message “Authentication complete” and then go back to the Windows PowerShell window.

  23. When the installation finishes, go back to the Azure portal page where you downloaded the script and select Close. Close the Add servers with Azure Arc blade to go back to the Azure Arc Servers page.

  24. Select Refresh until WIN2 name appears.

    Note: This could take a few minutes.

  25. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  26. Select your Microsoft Sentinel Workspace you created earlier.

  27. From the Data Connectors Tab, search for the Windows Security Events via AMA connector and select it from the list.

  28. Select Open connector page on the connector information blade.

  29. In the Configuration section, select the Create data collection rule.

  30. Enter WIN2 for Rule Name, then select Next: Resources.

  31. Select +Add resource(s).

  32. Expand rg-defender (or the Resource Group you created), then select WIN2.

  33. Select Apply.

  34. Select Next: Collect, then Next: Review + create.

  35. Select Create.

  36. Wait a few minutes and then select Refresh to see the new data collection rule listed.
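A scripted version of Task 3 steps 17 to 22 plus the checks a practitioner would run afterwards, as an added example that is not part of the lab: it scopes the execution policy to the current process instead of setting Unrestricted machine-wide, finds the downloaded script even when the browser renamed it, verifies the Arc and Azure Monitor Agent services locally, and then counts the Security events that reached the workspace from AZWIN01 and WIN2. The default agent install path, the Az PowerShell modules, and the workspace ID placeholder are assumptions.

```powershell
# Added example, not part of the lab: scripted version of Task 3 steps 17-22 plus checks.
# Run in an elevated Windows PowerShell window on WIN2. Assumptions: the default Azure
# Connected Machine agent install path, the Az PowerShell modules (Install-Module Az),
# and a workspace ID you paste in below.

# 1. Allow scripts for this process only. Unlike the machine-wide Unrestricted policy,
#    this setting disappears when the window closes and touches no persisted state.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# 2. Locate the onboarding script even if the browser renamed it ("OnboardingScript (1).ps1").
$script = Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter 'OnboardingScript*.ps1' |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $script) { throw 'No OnboardingScript*.ps1 in Downloads; re-download it from the Azure Arc blade.' }
& $script.FullName   # opens the browser tab for agent authentication (step 22)

# 3. Local verification: the Arc metadata service and the Azure Monitor Agent must be running.
foreach ($name in 'himds', 'AzureMonitorAgent') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    '{0,-18} {1}' -f $name, $(if ($svc) { $svc.Status } else { 'NOT INSTALLED' })
}
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" show   # Agent Status, Resource Name, Tenant

# 4. Workspace verification: Security events per machine over the last hour.
Connect-AzAccount | Out-Null
$workspaceId = '<workspace ID GUID>'   # placeholder: Log Analytics workspace > Overview > Workspace ID
$kql = @'
SecurityEvent
| where TimeGenerated > ago(1h)
| where Computer has_any ("AZWIN01", "WIN2")
| summarize Events = count(), LastSeen = max(TimeGenerated) by Computer, EventID
| order by Computer asc, Events desc
'@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql).Results | Format-Table
```

An empty result for one of the machines a few minutes after the data collection rule shows as created usually means the rule is not associated with that resource yet; re-open the rule's Resources tab before suspecting the agent.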

Task 4: Onboard Microsoft Defender for Endpoint Device

In this task, you will on-board a device to Microsoft Defender for Endpoint.

VERY IMPORTANT: If you completed the labs for “Module 2 - Exercise 1” of this course AND have been saving your virtual machines until now, you can skip this task. Otherwise, you need to onboard the WIN1 machine to Defender for Endpoint again.

Important: The next steps are done on a different machine than the one you were previously working on. Look for the virtual machine name references.

  1. Login to WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. In the Edge browser, go to the Microsoft 365 Defender portal at (https://security.microsoft.com) and login with the Tenant Email credentials if you are not currently in the portal.

  3. Select Settings from the left menu bar, then from the Settings page select Endpoints.

  4. Select Onboarding in the Device management section.

  5. Select Download onboarding package.

  6. Extract the downloaded .zip file.

  7. Run the Windows Command Prompt as Administrator and agree to any User Account Control prompts that appear.

  8. Run the WindowsDefenderATPLocalOnboardingScript.cmd file that you just extracted as administrator. Note: By default, the file should be in the c:\users\admin\downloads directory. Answer Y to the questions presented by the script.

  9. From the Onboarding page in the portal, copy the detection test script and run it in an open command window. You may have to open a new Administrator: Command Prompt window by typing CMD in the Windows search bar and choosing Run as Administrator.

  10. In the Microsoft 365 Defender portal in the Endpoints area, select Device inventory. You should now see your device in the list.
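A local check for the onboarding state of WIN1 before looking for it in Device inventory, as an added example that is not part of the lab: it reads the documented Sense service and OnboardingState registry value and lists recent errors from the SENSE operational log, which is where a device that never appears in the inventory usually explains itself. The function name is an assumption.

```powershell
# Added example, not part of the lab: verify that WIN1 is onboarded to Defender for Endpoint
# after running the onboarding script (Task 4, steps 8-9). Run in an elevated PowerShell window.
# The registry location, service name and log name are the documented ones; the function name is assumed.
function Test-MdeOnboarding {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue   # Windows Defender Advanced Threat Protection Service
    $state     = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState   # 1 = onboarded

    # Level 2 = Error. Recent SENSE errors usually explain a device missing from Device inventory.
    $errors = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 2 } `
                           -MaxEvents 5 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SenseServiceStatus = $(if ($sense) { $sense.Status } else { 'NOT INSTALLED' })
        OnboardingState    = $state
        Onboarded          = ($state -eq 1 -and $sense.Status -eq 'Running')
        RecentSenseErrors  = @($errors | ForEach-Object {
                                 '{0} [{1}] {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split '\r?\n')[0] })
    }
}

Test-MdeOnboarding | Format-List
```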

Proceed to Exercise 3