Learning Path 8 - Lab 1 - Exercise 2 - Connect Windows devices to Microsoft Sentinel using data connectors

Lab scenario

Lab overview.

You’re a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to connect log data from the many data sources in your organization. The next source of data is Windows virtual machines inside and outside of Azure, like On-Premises environments or other Public Clouds.

Important: The lab exercises for Learning Path #8 are in a standalone environment. If you exit the lab before completing it, you will be required to run the configurations again.

Estimated time to complete this lab: 30 minutes

Task 1: Create a Windows Virtual Machine in Azure

In this task, you’ll create a Windows virtual machine in Azure.

  1. Log in to the WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. In the Microsoft Edge browser, navigate to the Azure portal at https://portal.azure.com.

  3. In the Sign in dialog box, copy, and paste in the Tenant Email account provided by your lab hosting provider and then select Next.

  4. In the Enter password dialog box, copy, and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.

  5. Select + Create a Resource. Hint: If you were already in the Azure Portal, you might need to select Microsoft Azure from the top bar to go Home.

  6. In the Search services and marketplace box, enter Windows 10 and select Microsoft Windows 10 from the drop-down list.

  7. Select the box for Microsoft Windows 10.

  8. Open the Plan drop-down list and select Windows 10 Enterprise, version 22H2.

  9. Select Start with a pre-set configuration to continue.

  10. Select Dev/Test and then select Continue to create a VM.

  11. Select Create new for Resource group, enter RG-AZWIN01 as Name and select OK.

    Note: This will be a new resource group for tracking purposes.

  12. In Virtual machine name, enter AZWIN01.

  13. Leave (US) East US as the default value for Region.

  14. Scroll down and review the Image for the virtual machine. If it appears empty, select Windows 10 Enterprise, version 22H2.

  15. Review the Size for the virtual machine. If it appears empty, select See all sizes, choose the first VM size under Most used by Azure users and select Select.

    Note: If you see the message “This image is not supported for Azure Automanage. To disable this feature, navigate to the Management tab. Otherwise, select a supported image.”, go to the Management tab and disable Automanage. The creation process will succeed afterwards.

  16. Scroll down and enter a Username of your choosing. Hint: Avoid reserved words like admin or root.

  17. Enter a Password of your choosing. Hint: It might be easier to re-use your tenant password. It can be found in the resources tab.

  18. Scroll down to the bottom of the page and select the checkbox below Licensing to confirm you have the eligible license.

  19. Select Review + create and wait until the validation is passed.

    Note: If there is a Networking validation failure, select that tab, review its contents and then select Review + create again.

  20. Select Create. Wait for the resource to be created; this may take a few minutes.

Task 2: Install Azure Arc on an On-Premises Server

In this task, you install Azure Arc on an on-premises server to make onboarding easier.

Important: The next steps are done on a different machine from the one you were previously working on. Look for the virtual machine name references.

  1. Log in to the WINServer virtual machine as Administrator with the password: Passw0rd! if necessary.

  2. Open the Microsoft Edge browser and navigate to the Azure portal at https://portal.azure.com.

  3. In the Sign in dialog box, copy, and paste in the Tenant Email account provided by your lab hosting provider and then select Next.

  4. In the Enter password dialog box, copy, and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.

  5. In the Search bar of the Azure portal, type Arc, then select Azure Arc.

  6. In the navigation pane, under Azure Arc resources, select Machines.

  7. Select + Add/Create, then select Add a machine.

  8. Select Generate script from the “Add a single server” section.

  9. In the Add a server with Azure Arc page, select the Resource group you created earlier under Project details. Hint: RG-Defender

    Note: If you haven’t already created a resource group, open another tab and create the resource group and start over.

  10. For Region, select (US) East US from the drop-down list.

  11. Review the Server details and Connectivity method options. Keep the default values and select Next to get to the Tags tab.

  12. Review the default available tags. Select Next to get to the Download and run script tab.

  13. Scroll down and select the Download button. Hint: If your browser blocks the download, take action in the browser to allow it. In the Microsoft Edge browser, select the ellipsis button (…) if needed and then select Keep.

  14. Right-click the Windows Start button and select Windows PowerShell (Admin).

  15. Enter Administrator for “Username” and Passw0rd! for “Password” if you get a UAC prompt.

  16. Enter: cd C:\Users\Administrator\Downloads

    Important: If you do not have this directory, it most likely means that you are on the wrong machine. Go back to the beginning of Task 4, change to WINServer and start over.

  17. Type Set-ExecutionPolicy -ExecutionPolicy Unrestricted and press enter.

  18. Enter A for Yes to All and press enter.

  19. Type .\OnboardingScript.ps1 and press enter.

    Important: If you get the error “The term .\OnboardingScript.ps1 is not recognized…”, make sure you are doing the steps for Task 4 in the WINServer virtual machine. Another issue might be that the name of the file changed due to multiple downloads; search for “.\OnboardingScript (1).ps1” or other file numbers in the running directory.

  20. Enter R to Run once and press enter (this may take a couple minutes).

  21. The setup process opens a new Microsoft Edge browser tab to authenticate the Azure Arc agent. Select your admin account, wait for the message “Authentication complete” and then go back to the Windows PowerShell window.

  22. When the installation finishes, go back to the Azure portal page where you downloaded the script and select Close. Close the Add servers with Azure Arc page to go back to the Azure Arc Machines page.

  23. Select Refresh until the WINServer server name appears and the Status is Connected.

    Note: This could take a couple of minutes.
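A quick check of the onboarding result, as an added example that is not part of the lab: run it on WINServer in the same elevated PowerShell window once step 23 shows Connected. It assumes the Arc agent's default install folder under Program Files and that WINServer should return to Windows Server's default execution policy (RemoteSigned) after the lab.

```powershell
# Added example, not part of the lab. Confirms the Azure Arc agent on WINServer is
# installed, its services are running, and azcmagent reports the machine as connected.

# The three Windows services installed by the Azure Connected Machine agent:
# himds (hybrid instance metadata), GCArcService (guest configuration),
# ExtensionService (extension manager, which later installs AMA for the DCR).
$arcServices = 'himds', 'GCArcService', 'ExtensionService'
foreach ($name in $arcServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning "$name not found: the Arc agent is probably not installed on this machine."
    }
    elseif ($svc.Status -ne 'Running') {
        Write-Warning ("{0} is {1}, expected Running." -f $name, $svc.Status)
    }
    else {
        Write-Output ("{0,-17} Running" -f $name)
    }
}

# azcmagent.exe ships with the agent (path assumed to be the default install folder).
# 'azcmagent show' prints the agent status, resource name, resource group and region,
# which should match what the Azure Arc Machines page shows for WINServer.
$azcmagent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
if (Test-Path $azcmagent) {
    & $azcmagent show
}
else {
    Write-Warning "azcmagent.exe not found at $azcmagent"
}

# Step 17 set the machine-wide policy to Unrestricted so the downloaded (unsigned)
# onboarding script could run. Once onboarding is done, restore the Windows Server
# default so other downloaded scripts are not silently allowed to run.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
```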

Task 3: Connect an Azure Windows virtual machine

In this task, you’ll connect an Azure Windows virtual machine to Microsoft Sentinel.

  1. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  2. Select the Microsoft Sentinel workspace you created earlier.

  3. In the Microsoft Sentinel left menu, scroll down to the Content management section and select Content hub.

  4. In the Content hub, search for the Windows Security Events solution and select it from the list.

  5. On the Windows Security Events solution page, select Install.

  6. When the installation completes, select Manage.

    Note: The Windows Security Events solution installs both the Windows Security Events via AMA and the Security Events via Legacy Agent data connectors, plus 2 Workbooks, 20 Analytic Rules, and 43 Hunting Queries.

  7. Select the Windows Security Events via AMA data connector, and select Open connector page on the connector information blade.

  8. In the Configuration section, under the Instructions tab, select Create data collection rule.

  9. Enter AZWINDCR for Rule Name, then select Next: Resources.

  10. Select +Add resource(s) to select the virtual machine you created.

  11. Expand RG-AZWIN01, then select AZWIN01.

  12. Select Apply and then select Next: Collect.

  13. Review the different Security Event collection options. Keep All Security Events and then select Next: Review + create.

  14. Select Create to save the data collection rule.

  15. Wait a minute and then select Refresh to see the new data collection rule listed.

Task 4: Connect a non-Azure Windows Machine

In this task, you’ll add an Azure Arc connected, non-Azure Windows virtual machine to Microsoft Sentinel.

Note: The Windows Security Events via AMA data connector requires Azure Arc for non-Azure devices.

  1. Make sure you are in the Windows Security Events via AMA data connector configuration in your Microsoft Sentinel workspace.

  2. In the Instructions tab, under the Configuration section, edit the AZWINDCR data collection rule by selecting the pencil icon.

  3. Select Next: Resources, and expand your Subscription under Scope on the Resources tab.

    Hint: You can expand the whole Scope hierarchy by selecting the “>” before the Scope column.

  4. Expand RG-Defender (or the resource group you created), then select WINServer.

    Important: If you do not see WINServer, refer to Learning Path 3, Exercise 1, Task 4, where you installed Azure Arc on this server.

  5. Select Apply.

  6. Select Next: Collect, then Next: Review + create.

  7. Select Create after Validation passed is displayed.
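To confirm that both the Azure VM from Task 3 and the Arc-enabled server from Task 4 actually deliver Security Events through AZWINDCR, here is an added example (not part of the lab) that runs the check from PowerShell with the Az modules after Connect-AzAccount. The workspace resource group RG-Defender and the workspace name placeholder are assumptions; replace them with the values from your Exercise 1 workspace.

```powershell
# Added example, not part of the lab. Queries the Sentinel workspace for SecurityEvent
# rows from AZWIN01 (Azure VM) and WINServer (Azure Arc) collected via AMA + AZWINDCR.
# Requires Az.Accounts and Az.OperationalInsights, and an existing Connect-AzAccount session.

$WorkspaceResourceGroup = 'RG-Defender'        # assumption: where the Sentinel workspace lives
$WorkspaceName          = '<your-workspace>'   # placeholder: your Sentinel workspace name

$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $WorkspaceResourceGroup -Name $WorkspaceName

# KQL run against the workspace: event count, newest event time and a sample of
# Event IDs per computer over the last hour. With "All Security Events" selected,
# 4624/4634 (logon/logoff) and 4688 (process creation, if auditing is on) show up first.
$query = @'
SecurityEvent
| where TimeGenerated > ago(1h)
| where Computer has_any ("AZWIN01", "WINServer")
| summarize Events = count(), LastSeen = max(TimeGenerated),
            EventIDs = make_set(EventID, 10) by Computer
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $query
$rows = @($result.Results)

if ($rows.Count -eq 0) {
    Write-Warning 'No SecurityEvent rows yet. AMA needs several minutes after the DCR is saved; also confirm both machines are listed under Resources in AZWINDCR.'
}
else {
    $rows | Format-Table Computer, Events, LastSeen, EventIDs -AutoSize
}

# Flag each machine that has not reported. Arc machines may appear with their FQDN,
# so match on the hostname prefix rather than the exact name.
foreach ($expected in 'AZWIN01', 'WINServer') {
    if (-not ($rows | Where-Object { $_.Computer -like "$expected*" })) {
        Write-Warning "$expected has not sent any Security Events in the last hour."
    }
}
```

If only AZWIN01 reports, the usual cause is the Arc machine missing from the rule's Resources tab (Task 4, step 4); if neither does, check that the AzureMonitorWindowsAgent extension has been deployed to both machines.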

Proceed to Exercise 3