Learning Path 9 - Lab 1 - Exercise 1 - Modify a Microsoft Security rule
Lab scenario
You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to detect and mitigate threats using Microsoft Sentinel. First, you need to filter the alerts coming from Defender for Cloud into Microsoft Sentinel, by Severity.
Important: The lab exercises for Learning Path #9 are in a standalone environment. If you exit the lab before completing it, you will be required to re-run the configurations again.
Estimated time to complete this lab: 10 minutes
Task 1: Activate a Microsoft Security Rule
In this task, you will activate a Microsoft Security rule.
-
Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.
-
In the Microsoft Edge browser, navigate to the Azure portal at (https://portal.azure.com).
-
In the Sign in dialog box, copy, and paste in the Tenant Email account provided by your lab hosting provider and then select Next.
-
In the Enter password dialog box, copy, and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.
-
In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.
-
Select the Microsoft Sentinel Workspace provided.
-
Select Analytics from the Configuration area.
-
Select the + Create button from the command bar and select Microsoft incident creation rule.
-
Under Name, enter Create incidents based on Defender for Cloud.
-
Scroll down and under Microsoft security service select Microsoft Defender for Cloud.
-
Under Filter by Severity, select the Custom option and select Low, Medium and High for the severity level and go back to the rule.
-
Select the Next: Automated response button and then select the Next: Review and create button.
-
Review the changes made and select the Save button. The Analytics rule will be saved and incidents will be created if there is an Alert in Defender for Cloud.
-
You will now have the one Fusion and one Microsoft Security alert types.