Azure Sentinel is a cloud-native SIEM (security information and event management) solution with SOAR (security orchestration, automation, and response) capabilities. You can use Azure Sentinel to collect, detect, investigate, and respond to security threats across your infrastructure. In this lab, you will deploy Azure Sentinel, generate some security alerts, and investigate those alerts.
Successfully complete this lab by achieving the following learning objectives:
- Deploy Azure Sentinel
  Add Azure Sentinel to the existing Log Analytics workspace.
- Configure Data Connectors and Analytics Rules and Connect the Virtual Machine
  Configure the Windows Security Events data connector to collect data from the existing Windows VM.
  Enable the following analytics rules:
  - New user created and added to the built-in administrators group.
  - User account created and deleted within 10 mins.
  Note: For each analytics rule, set the query schedule to run every 5 minutes and look up events from the last 1 day.
  Connect the virtual machine to the Log Analytics workspace.
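The following PowerShell is an added example, not part of the lab text or of any Sentinel rule template. It checks, from your workstation, that the Windows Security Events connector is delivering events from the VM and that the workspace already contains data the two analytics rules would match, using my own approximation of each rule's correlation logic (event 4720 followed by 4732 for the Administrators group; event 4720 followed by 4726 within 10 minutes). It assumes the Az.Accounts and Az.OperationalInsights modules are installed, that you have run Connect-AzAccount, and that the resource group and workspace names are replaced with your own; those names are placeholders.

```powershell
# Added example (not from the lab): verify ingestion and dry-run the rule logic against the workspace.
# Assumptions: Az.Accounts + Az.OperationalInsights installed, Connect-AzAccount already done,
# and the two placeholder names below replaced with the lab's actual resource group / workspace.
$ResourceGroup = 'REPLACE-WITH-RESOURCE-GROUP'
$WorkspaceName = 'REPLACE-WITH-WORKSPACE-NAME'

$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# Check 1: is the connected VM sending anything to the SecurityEvent table at all?
$ingest = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId `
    -Query 'SecurityEvent | summarize Events = count(), Latest = max(TimeGenerated) by Computer' `
    -Timespan (New-TimeSpan -Hours 1)
"SecurityEvent rows in the last hour, per computer:"
$ingest.Results | Format-Table -AutoSize

# Check 2a: approximation of "New user created and added to the built-in administrators group".
# 4720 = account created, 4732 = member added to a security-enabled local group; the group
# name is in TargetUserName and the new member's SID is in MemberSid, so correlate on SID.
$queryCreatedAndAdmin = @'
let timeframe = 1d;
SecurityEvent
| where TimeGenerated > ago(timeframe)
| where EventID == 4720
| project CreateTime = TimeGenerated, Computer, NewUser = TargetUserName, NewSid = TargetSid, CreatedBy = SubjectUserName
| join kind=inner (
    SecurityEvent
    | where TimeGenerated > ago(timeframe)
    | where EventID == 4732 and TargetUserName == "Administrators"
    | project AddTime = TimeGenerated, NewSid = MemberSid, AddedBy = SubjectUserName
) on NewSid
| where AddTime >= CreateTime
| project CreateTime, AddTime, Computer, NewUser, CreatedBy, AddedBy
'@

# Check 2b: approximation of "User account created and deleted within 10 mins".
# 4726 = account deleted; same SID, deletion no more than 10 minutes after creation.
$queryCreatedAndDeleted = @'
let timeframe = 1d;
let spanoftime = 10m;
SecurityEvent
| where TimeGenerated > ago(timeframe)
| where EventID == 4720
| project CreateTime = TimeGenerated, Computer, User = TargetUserName, Sid = TargetSid, CreatedBy = SubjectUserName
| join kind=inner (
    SecurityEvent
    | where TimeGenerated > ago(timeframe)
    | where EventID == 4726
    | project DeleteTime = TimeGenerated, Sid = TargetSid, DeletedBy = SubjectUserName
) on Sid
| where DeleteTime between (CreateTime .. (CreateTime + spanoftime))
| project CreateTime, DeleteTime, Computer, User, CreatedBy, DeletedBy
'@

$checks = @(
    @{ Name = 'Created and added to Administrators'; Query = $queryCreatedAndAdmin }
    @{ Name = 'Created and deleted within 10 min';   Query = $queryCreatedAndDeleted }
)
foreach ($check in $checks) {
    # The rule's "events from the last 1 day" lookback is mirrored by the 1-day Timespan.
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId `
        -Query $check.Query -Timespan (New-TimeSpan -Days 1)
    "{0}: {1} matching row(s)" -f $check.Name, @($result.Results).Count
    $result.Results | Format-Table -AutoSize
}
```

Run Check 1 first, right after connecting the VM: until it returns rows for the VM's computer name, neither analytics rule can fire, regardless of its 5-minute schedule. Events typically take several minutes to appear in the workspace after they are written on the VM, so a zero result immediately after the simulation step does not by itself mean the connector is misconfigured.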
- Simulate Events
  - Log in to the existing Windows virtual machine.
  - Create a new user account and add it to the local Administrators group.
  - Delete the newly created user account.
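The three simulation steps above as one script, added here as an example and not taken from the lab materials. It runs in an elevated Windows PowerShell 5.1 session on the VM, performs the create, add-to-Administrators and delete steps, and then reads the local Security log to confirm that the three events the analytics rules depend on (4720, 4732, 4726) were actually written, which is worth knowing before waiting on the 5-minute rule schedule. The user name is a constructed lab value and the password is generated randomly and never reused; both are assumptions of this example, not values from the lab.

```powershell
# Added example (not from the lab): simulate the events and verify them locally.
# Run as Administrator in Windows PowerShell 5.1 on the lab VM.
$UserName = 'sentinel-lab-user'                       # constructed lab value
$Password = ConvertTo-SecureString ([guid]::NewGuid().ToString() + 'aA1!') -AsPlainText -Force
$Start    = Get-Date                                  # lower bound for the event-log check

# Step 1: create the account -> Security event 4720 (a user account was created)
New-LocalUser -Name $UserName -Password $Password -Description 'Sentinel lab simulation' | Out-Null
# Capture the SID now: event 4732 references the member by SID, not by name,
# and the SID is gone once the account is deleted.
$Sid = (Get-LocalUser -Name $UserName).SID.Value

# Step 2: add it to the local Administrators group -> event 4732 (member added to a local group)
Add-LocalGroupMember -Group 'Administrators' -Member $UserName

# Step 3: delete the account -> event 4726 (a user account was deleted)
Remove-LocalUser -Name $UserName

# Verification: the three events should be in the local Security log for this account.
# Get-WinEvent throws when nothing matches, so suppress that and handle "missing" below.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732, 4726; StartTime = $Start } `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($UserName) -or $_.Message -match [regex]::Escape($Sid) } |
    Sort-Object TimeCreated

$events |
    Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Missing events here point at the VM's audit policy, not at Sentinel:
# 4720/4726 need "Audit User Account Management", 4732 needs "Audit Security Group Management".
$seen = @($events | ForEach-Object { $_.Id } | Sort-Object -Unique)
foreach ($id in 4720, 4732, 4726) {
    if ($seen -notcontains $id) {
        Write-Warning "Security event $id was not written locally; check the audit policy before troubleshooting the connector."
    }
}
```

The Windows Security Events connector only forwards the event IDs in the event set you chose when configuring it, so if the local check passes but nothing reaches the workspace, compare these three IDs against the connector's selected set before changing the analytics rules.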
- Investigate the Incidents
  Investigate the incidents in Azure Sentinel using the investigation graph.