Learning Path 7 - Lab 1 - Exercise 1 - Modify a Microsoft Security rule

Lab scenario

Lab overview.

You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to detect and mitigate threats using Microsoft Sentinel. First, you need to filter the alerts coming from Defender for Cloud into Microsoft Sentinel, by Severity.

Task 1: Activate a Microsoft Security Rule

In this task, you will activate a Microsoft Security rule.

  1. Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. In the Edge browser, navigate to the Azure portal at (https://portal.azure.com).

  3. In the Sign in dialog box, copy, and paste in the Tenant Email account provided by your lab hosting provider and then select Next.

  4. In the Enter password dialog box, copy, and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.

  5. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  6. Select your Microsoft Sentinel Workspace you created in the previous labs.

  7. Select Analytics from the Configuration area. By default, you will see the Active rules.

  8. Select the Create incidents based on Microsoft Defender for Cloud. This rule was activated by the Defender for Cloud connector we configured in “Module 6 - Exercise 1 - Task 4”.

  9. On the right blade, select the Edit button.

  10. Scroll down the page and under “Analytics rule logic - Filter by Severity”, select the Custom drop-down list.

  11. Unselect Low for the severity level and go back to the rule.

  12. Select the Next: Automated response button and then select Next: Review button.

  13. Review the changes made and select the Save button. The Analytics rule will be saved.

Proceed to Exercise 2