Investigate Windows Security Events with Microsoft Sentinel

45 minutes
  • 4 Learning Objectives

About this Hands-on Lab

Microsoft Sentinel is a cloud-native SIEM (security information and event management) solution with SOAR (security orchestration, automation, and response) capabilities. You can use Microsoft Sentinel to collect, detect, investigate, and respond to security threats across your infrastructure. In this lab, you will deploy Microsoft Sentinel, generate some security alerts, and investigate those alerts.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Deploy Microsoft Sentinel

Add Microsoft Sentinel to the existing Log Analytics workspace.

Configure Data Connectors and Analytics Rules and Connect the Virtual Machine
  1. Configure the Windows Security Events data connector to collect data from the existing Windows VM.

  2. Enable the following analytics rules:

    • New user created and added to the built-in administrators group.
    • User account created and deleted within 10 mins.

    Note: For each analytics rule, set the query to run every 5 minutes and to look up data from the last 1 day.

  3. Connect the virtual machine to the Log Analytics workspace.
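An added example, not part of the lab or of Microsoft's built-in rule definitions: a Python approximation of the correlation logic behind the two analytics rules above, run over constructed SecurityEvent-style records. The event IDs (4720 user created, 4732 member added to a security-enabled local group, 4726 user deleted) and the Administrators group SID S-1-5-32-544 are standard Windows values; the field names, the sample records and the join on the account SID are assumptions for illustration.

```python
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"  # well-known SID of the built-in Administrators group

# Constructed SecurityEvent-like records (not real telemetry). 4732 carries the
# group SID in TargetSid and the added account in MemberSid; 4720/4726 carry the
# created/deleted account in TargetSid.
EVENTS = [
    {"TimeGenerated": "2024-01-01T10:00:00", "EventID": 4720, "Computer": "WIN-VM",
     "TargetUserName": "tempadmin", "TargetSid": "S-1-5-21-1-2-3-1001", "SubjectUserName": "labadmin"},
    {"TimeGenerated": "2024-01-01T10:00:20", "EventID": 4732, "Computer": "WIN-VM",
     "TargetSid": ADMINS_SID, "MemberSid": "S-1-5-21-1-2-3-1001", "SubjectUserName": "labadmin"},
    {"TimeGenerated": "2024-01-01T10:05:00", "EventID": 4726, "Computer": "WIN-VM",
     "TargetUserName": "tempadmin", "TargetSid": "S-1-5-21-1-2-3-1001", "SubjectUserName": "labadmin"},
    {"TimeGenerated": "2024-01-01T11:00:00", "EventID": 4720, "Computer": "WIN-VM",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1-2-3-1002", "SubjectUserName": "labadmin"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeGenerated"])


def _creations(events):
    # Map account SID -> its 4720 record, so later events can be joined to it.
    return {e["TargetSid"]: e for e in events if e["EventID"] == 4720}


def created_and_added_to_admins(events):
    """Rule 1: a 4720 followed by a 4732 that adds the same SID to Administrators."""
    created, hits = _creations(events), []
    for e in events:
        if e["EventID"] == 4732 and e["TargetSid"] == ADMINS_SID and e.get("MemberSid") in created:
            c = created[e["MemberSid"]]
            if _ts(e) >= _ts(c):
                hits.append((c["TargetUserName"], c["TimeGenerated"], e["TimeGenerated"]))
    return hits


def created_and_deleted_within(events, window=timedelta(minutes=10)):
    """Rule 2: a 4720 and a 4726 for the same SID no more than `window` apart."""
    created, hits = _creations(events), []
    for e in events:
        if e["EventID"] == 4726 and e["TargetSid"] in created:
            c = created[e["TargetSid"]]
            if timedelta(0) <= _ts(e) - _ts(c) <= window:
                hits.append((c["TargetUserName"], c["TimeGenerated"], e["TimeGenerated"]))
    return hits


if __name__ == "__main__":
    print("created + added to Administrators:", created_and_added_to_admins(EVENTS))
    print("created + deleted within 10 min:  ", created_and_deleted_within(EVENTS))
```

Only the short-lived account trips both rules; the second account is created but never elevated or deleted, so it produces no hit.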

Simulate Events
  1. Log in to the existing Windows virtual machine.
  2. Create a new user account and add them to the Administrators local group.
  3. Delete the newly created user account.

Investigate the Incidents

Investigate the incidents in Microsoft Sentinel using the investigation graph.

Additional Resources

Lab Scenario

To help you walk through the lab, consider the following scenario:

You work as a cybersecurity engineer responsible for the security of a large Windows server fleet. You are evaluating Microsoft Sentinel as a possible solution to collect, detect, investigate, and respond to security threat events.

Using an existing resource group, you will complete the following:

  1. Deploy Microsoft Sentinel by adding it to the existing Log Analytics workspace.
  2. Configure the Windows Security Events data connector and enable some of the built-in analytics rules to alert when security events occur.
  3. Log in to the Windows VM and perform actions that generate security events.
  4. Use Microsoft Sentinel to investigate the incidents created by those events.

Lab Setup

The objectives for this hands-on lab can be completed using the Azure portal and the provided Windows virtual machine.

Note: To complete this lab, you will need to use a remote desktop client.

From the lab page, launch the Azure portal in a private browser window. (This option will read differently depending on your browser — for example, in Chrome, it reads Open Link in Incognito Window.) Then, sign in using the credentials provided.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
