Learning Path 9 - Lab 1 - Exercise 3 - Create a Scheduled Query from a template

Lab scenario

You’re a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to detect and mitigate threats using Microsoft Sentinel. After connecting your data sources to Microsoft Sentinel, you create custom analytics rules to help discover threats and anomalous behaviors in your environment.

Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for your SOC to triage and investigate, and respond to threats with automated tracking and reMediation processes.

Important: The lab exercises for Learning Path #9 are in a standalone environment. If you exit the lab before completing it, you will be required to re-run the configurations again.

Estimated time to complete this lab: 45 minutes

Note: Microsoft Sentinel has been predeployed in your Azure subscription with the name defenderWorkspace, and the required Content Hub solutions have been installed.

To sucessfully complete this task you wil need to complete the following prerequisite tasks.

Prerequisite task: Connect the Azure Activity data connector

In this task, you will connect the Azure Activity data connector.

  1. In the Microsoft Sentinel navigation menu, scroll down to the Content management section and select Content Hub.

  2. In the Content hub, search for the Azure Activity solution and select it from the list.

  3. On the Azure Activity solution details page select Manage.

    Note: The Azure Activity solution installs the Azure Activity Data connector, 12 Analytic rules, 14 Hunting queries and 1 Workbook.

  4. Select the Azure Activity Data connector and select Open connector page.

  5. In the Configuration area under the Instructions tab, scroll down to “2. Connect your subscriptions…”, and select Launch Azure Policy Assignment Wizard>.

  6. In the Basics tab, select the ellipsis button (…) under Scope and select your MOC Subscription-XXXXXXXXXXX subscription from the drop-down list and click Select.

  7. Select the Parameters tab, choose your uniquenameDefender workspace from the Primary Log Analytics workspace drop-down list. This action will apply the subscription configuration to send the information to the Log Analytics workspace.

  8. Select the Remediation tab and select the Create a remediation task checkbox. This action will apply the policy to existing Azure resources.

  9. Select the Review + Create button to review the configuration.

  10. Select Create to finish.

  11. Please wait for the Azure Activity data connector to display a Connected status before proceeding.

Task 1: Create a Scheduled Query rule

In this task, you create a Microsoft Sentinel analytics scheduled query rule.

Note: The following tasks currently work best in the Azure Preview portal - https://preview.portal.azure.com/.

  1. Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. In the Sign in dialog box, copy and paste in the Tenant Email account provided by your lab hosting provider and then select Next.

  3. In the Enter password dialog box, copy and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.

  4. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  5. Select the Microsoft Sentinel defenderWorkspace.

  6. Select Analytics from the Configuration area.

  7. Make sure that you are in the Rule templates tab in the command bar and search for the New CloudShell User rule.

  8. From the rule summary blade, make sure you’re receiving data by reviewing the green icon under Data sources: Azure Activity.

    Note: If you do not see it in a connected state, and you reran Learning Path 8 Lab, Exercise 1, Task 3, as noted above, you may need to wait a few minutes for the process to complete.

  9. Select Create rule to continue.

  10. In the Analytics rule wizard, on the General tab, change the Severity to Medium.

  11. Select Next: Set rule logic > button:

  12. For the rule query, select View query results. You shouldn’t receive any results nor any errors.

  13. Close the Logs window by selecting the upper right X and select OK to discard to save changes to go back to the wizard.

  14. Scroll down and under Query scheduling set the following:

    Setting Value
    Run Query every 5 minutes
    Lookup data from the last 1 Days

    Note: We are purposely generating many incidents for the same data. This enables the Lab to use these alerts.

  15. Under the Alert threshold area, leave the value unchanged since we want the alert to register every event.

  16. Under the Event grouping area, leave the Group all events into a single alert as the selected option since we want to generate a single alert every time it runs, as long as the query returns more results than the specified alert threshold above.

  17. Select the Next: Incident settings > button.

  18. On the Incident settings tab, review the default options.

  19. Select the Next: Automated response > button.

  20. Select the Next: Review and create > button.

  21. Select Save.

Task 2: Edit your new rule

  1. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  2. Select your Microsoft Sentinel Workspace.

  3. Select Analytics from the Configuration area.

  4. Make sure that you are in the Active rules tab in the command bar and select the New CloudShell User rule.

  5. Right click the rule and select Edit from the pop-up menu.

  6. Select the Next: Set rule logic > button.

  7. Select the Next: Incident settings > button.

  8. Select the Next: Automated response > button.

  9. On the Automated response tab under Automation rules, select + Add new.

  10. For the Automation rule name, enter Tier 2.

  11. For the Actions, select Assign owner.

  12. Then select Assign to me.

  13. Select Apply

  14. Select the Next: Review and create > button.

  15. Select Save.

Task 3: Test your new rule

In this task, you test your new scheduled query rule.

  1. In the top bar of the Azure portal, Select the icon >_ that corresponds to the Cloud Shell. You might need to select the ellipsis icon first (…) if your display resolution is too low.

  2. In the Welcome to Azure Cloud Shell window, select Powershell.

  3. On the Getting started page, select Mount storage account, and then select your MOC Subscription-XXXXXXXXXXX from the storage account subscription drop-down menu item and select the Apply button.

    Important: Do not select the No storage account required radio button option. This wil cause the incident creation to fail.

  4. On the Mount storage account page, select We will create a storage account for you, and then select Next.

  5. Wait until the Cloud Shell is provisioned, then close the Azure Cloud Shell window.

  6. In the Search bar of the Azure portal, type Activity and then select Activity Log.

  7. Make sure the following Operation name items appear: List Storage Account Keys and Update Storage Account Create. These are the operations that the KQL query you reviewed earlier will match to generate the alert. Hint: You might need to select Refresh to update the list.

  8. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  9. Select your Microsoft Sentinel Workspace.

  10. Select the Incidents menu option under Threat management.

  11. Select the Auto-refresh incidents toggle.

  12. You should see the newly created Incident.

    Note: The event that triggers the incident may take 5+ minutes to process. Continue with the next exercise, you will come back to this view later.

  13. Select the Incident and review the information in the right blade.

Proceed to Exercise 4