Practitioner Level

Investigate Windows Security Events with Azure Sentinel

45 minutes

4 Learning Objectives

Azure Sentinel is a cloud-native SIEM (Security information and event management) solution with SOAR (security orchestration, automation, and response) capabilities. You can use Azure Sentinel to collect, detect, investigate, and respond to security threats across your infrastructure. In this lab, you will deploy Azure Sentinel, generate some security alerts, and investigate those alerts.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Deploy Azure Sentinel

Add Azure Sentinel to the existing Log Analytics workspace.

Configure Data Connectors and Analytics Rules and Connect the Virtual Machine

Configure the Windows Security Events data connector to collect data from the existing Windows VM.
Enable the following analytics rules:
- New user created and added to the built-in administrators group.
- User account created and deleted within 10 mins.
Note: Adjust the query schedule to 5 minutes for each analytics rule with events from the last 1 day.
Connect the virtual machine to the Log Analytics workspace.

Simulate Events

Log in to the existing Windows virtual machine.
Create a new user account and add them to the Administrators local group.
Delete the newly created user account.

Investigate the Incidents

Investigate the incidents in Azure Sentinel using the investigation graph.

Additional Resources

Lab Scenario

To help you walk through the lab, consider the following scenario:

You work as a cyber security engineer, and you have a large Windows server fleet that you need to manage the security for. You are looking at Azure Sentinel as a possible solution to collect, detect, investigate and, respond to security threat events.

Using an exsting resource group, you will complete the following:

Deploy Azure Sentinel by adding it to the existing Log Analytics workspace.
Configure the Windows Security Events data connector and enable some of the built-in analytics rules to alert when security events occur.
Log in to the Windows VM and perform actions that generate security events.
Use Azure Sentinel to investigate the incidents created by those events.

Lab Setup

The objectives for this hands-on lab can be completed using the Azure portal and the provided Windows virtual machine.

Note: To complete this lab, you will need to use a remote desktop client.

Windows: Microsoft Remote Desktop on Windows 10

MacOS: Microsoft Remote Desktop

Linux: Remmina

From the lab page, launch the Azure portal in a private browser window. (This option will read differently depending on your browser — for example, in Chrome, it reads Open Link in Incognito Window.) Then, sign in using the credentials provided.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started

Who’s going to be learning?

Myself My Organization