Microsoft Sentinel is a cloud-native SIEM (security information and event management) solution with SOAR (security orchestration, automation, and response) capabilities. You can use Microsoft Sentinel to collect, detect, investigate, and respond to security threats across your infrastructure. In this lab, you will deploy Microsoft Sentinel, generate some security alerts, and investigate those alerts.
Successfully complete this lab by achieving the following learning objectives:
- Deploy Microsoft Sentinel
  - Add Microsoft Sentinel to the existing Log Analytics workspace.
- Configure Data Connectors and Analytics Rules and Connect the Virtual Machine
  - Configure the Windows Security Events data connector to collect data from the existing Windows VM.
  - Enable the following analytics rules:
    - New user created and added to the built-in administrators group.
    - User account created and deleted within 10 mins.
    Note: For each analytics rule, set the query to run every 5 minutes and to look up events from the last 1 day.
  - Connect the virtual machine to the Log Analytics workspace.
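To make clear what the two analytics rules are actually correlating, here is an added example (not part of the lab and not Microsoft's rule templates) that models both rules in plain Python and runs them over constructed records shaped like rows of the Sentinel SecurityEvent table. The field names (EventID, TimeGenerated, TargetSid, MemberSid, TargetUserName) follow that table; the computer name, account names, SIDs and timestamps are made up. Both rules correlate on the account SID rather than the account name, which is an assumption about how you would write the query, chosen so that a reused name cannot produce a false match. The `scheduled_run` function mirrors the 5-minute schedule with a 1-day lookback from the note above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example: a plain-Python model of the two analytics rules enabled in the lab,
# run over constructed SecurityEvent-shaped records. Field names follow the Sentinel
# SecurityEvent table; the sample rows, host name and SIDs below are made up.

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the built-in Administrators group
EVENT_USER_CREATED = 4720
EVENT_MEMBER_ADDED_TO_LOCAL_GROUP = 4732
EVENT_USER_DELETED = 4726


@dataclass(frozen=True)
class SecurityEvent:
    TimeGenerated: datetime
    EventID: int
    Computer: str
    SubjectUserName: str   # who performed the action
    TargetUserName: str    # account (4720/4726) or group (4732) acted on
    TargetSid: str         # SID of that account or group
    MemberSid: str = ""    # 4732 only: SID of the member that was added


def _at(minutes: int) -> datetime:
    """Constructed timestamps relative to a fixed start time."""
    return datetime(2024, 1, 1, 12, 0, 0) + timedelta(minutes=minutes)


USER1 = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
USER2 = "S-1-5-21-1111111111-2222222222-3333333333-1002"  # constructed SID

SAMPLE_EVENTS = [
    # the lab simulation: create tempuser, add it to Administrators, delete it 4 minutes later
    SecurityEvent(_at(0), 4720, "vm-win01", "labadmin", "tempuser", USER1),
    SecurityEvent(_at(1), 4732, "vm-win01", "labadmin", "Administrators",
                  ADMINISTRATORS_SID, MemberSid=USER1),
    SecurityEvent(_at(4), 4726, "vm-win01", "labadmin", "tempuser", USER1),
    # benign noise: a service account created, never elevated, removed two hours later
    SecurityEvent(_at(30), 4720, "vm-win01", "labadmin", "svc-backup", USER2),
    SecurityEvent(_at(150), 4726, "vm-win01", "labadmin", "svc-backup", USER2),
]


def _creations_by_sid(events):
    """Index 4720 events by the SID of the account they created."""
    return {e.TargetSid: e for e in events if e.EventID == EVENT_USER_CREATED}


def _within(later, earlier, window):
    """True when `later` happened after `earlier` and no more than `window` apart."""
    delta = later.TimeGenerated - earlier.TimeGenerated
    return timedelta(0) <= delta <= window


def new_user_added_to_administrators(events, window=timedelta(days=1)):
    """Rule 1: a 4720 followed, within `window`, by a 4732 whose added member is the
    same SID and whose target group is the built-in Administrators group.
    Returns (account name, created at, added at) tuples."""
    created = _creations_by_sid(events)
    hits = []
    for e in events:
        if e.EventID != EVENT_MEMBER_ADDED_TO_LOCAL_GROUP or e.TargetSid != ADMINISTRATORS_SID:
            continue
        c = created.get(e.MemberSid)
        if c is not None and _within(e, c, window):
            hits.append((c.TargetUserName, c.TimeGenerated, e.TimeGenerated))
    return hits


def user_created_and_deleted(events, window=timedelta(minutes=10)):
    """Rule 2: a 4720 followed by a 4726 for the same SID within 10 minutes."""
    created = _creations_by_sid(events)
    hits = []
    for e in events:
        if e.EventID != EVENT_USER_DELETED:
            continue
        c = created.get(e.TargetSid)
        if c is not None and _within(e, c, window):
            hits.append((c.TargetUserName, c.TimeGenerated, e.TimeGenerated))
    return hits


def scheduled_run(events, now, lookback=timedelta(days=1)):
    """One scheduled execution as configured in the lab: only events from the last
    `lookback` are considered. With a 5-minute schedule and a 1-day lookback the
    same pair of events is re-evaluated on many consecutive runs, so the rule's
    alert suppression or grouping settings decide how many alerts you see."""
    recent = [e for e in events if now - lookback <= e.TimeGenerated <= now]
    return {
        "new_admin_user": new_user_added_to_administrators(recent, lookback),
        "created_and_deleted": user_created_and_deleted(recent),
    }


if __name__ == "__main__":
    for name, hits in scheduled_run(SAMPLE_EVENTS, now=_at(180)).items():
        print(name, hits)
```

Running the script reports `tempuser` under both rules, while `svc-backup` triggers neither: it was never added to Administrators and its deletion falls outside the 10-minute window. Shortening the lookback so that it no longer covers the 4720 event makes both rules go quiet, which is the behaviour to keep in mind when choosing the lookback relative to the schedule.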
- Simulate Events
  - Log in to the existing Windows virtual machine.
  - Create a new user account and add it to the local Administrators group.
  - Delete the newly created user account.
- Investigate the Incidents
  - Investigate the incidents in Microsoft Sentinel using the investigation graph.