Azure Sentinel Incident Triage Challenge

Challenge to set up Azure Sentinel, collect logs from a Virtual Machine (VM), create a basic analytics rule, and have the rule trigger.

Walkthrough

Create an Azure Sentinel Workspace

Create an Azure Sentinel resource using the existing Log Analytics workspace.

  • Must use the existing workspace calabws

Head over to Microsoft Sentinel and create it.

Make sure you have the calabws workspace selected.

Create a Data Collection Rule in Sentinel

Create a Data Collection Rule to collect Security Events from the Azure VM.

  • Collection Rule name must be windows-event

  • Add the Azure VM ca-lab-vm to the data collection rule scope

  • The data collection must collect at least Common event stream

First we need to head over to the Log Analytics workspace and make sure that the VM is able to send logs to our workspace.

Shortly after, you should see that the VM has connected to the workspace.

Now we start creating our collection rule within Sentinel. Head back to Microsoft Sentinel, open Data connectors, and add Windows Security Events via AMA.

Add the rule name windows-event.

Add the VM we added to the Log Analytics workspace.

Make sure we have Common selected.

Create an Analytics Rule to Run Scheduled Queries

Create an Analytics Rule to Run Scheduled Queries that satisfies the following:

  • The rule severity should be Medium

  • Query schedule should be set to run every 5 minutes

  • The log inspection script must check for EventID 4625 to report failed logins

  • Use the query SecurityEvent | where EventID == 4625

  • Try RDP access into the Azure VM by supplying an incorrect password to generate events

We're going to generate our logs first instead of later on so we can see the rule working before we create it.

Enter incorrect credentials a few times to create logs.

Now we can start creating our Analytics rule.

Make sure the alert threshold is set to "greater than 0" so the rule fires on any query hit.
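The challenge's query (SecurityEvent | where EventID == 4625) fires one result per failed logon. As an added example that is not part of the original walkthrough, the KQL below extends that query so the scheduled rule summarises failures per host, account and source IP over its 5-minute window; the failure threshold of 3 and the SubStatus mapping are assumptions for illustration, not values the challenge specifies.

```kusto
// Added example: aggregated failed-logon query for the scheduled analytics rule.
// Assumption: lookback matches the rule's 5-minute schedule; threshold is illustrative.
let lookback = 5m;
let threshold = 3;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                       // An account failed to log on
// Map the NTSTATUS sub-status to a readable reason (common values only; others fall through)
| extend FailureReason = case(
    tolower(SubStatus) == "0xc000006a", "Bad password",
    tolower(SubStatus) == "0xc0000064", "Unknown user name",
    tolower(SubStatus) == "0xc0000234", "Account locked out",
    "Other")
// One row per host/account/source/logon type instead of one row per event
| summarize FailedAttempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Reasons = make_set(FailureReason)
  by Computer, TargetUserName, IpAddress, LogonType
// Only surface bursts; a single mistyped password stays out of the incident queue
| where FailedAttempts >= threshold
| order by FailedAttempts desc
```

With this query the rule's "greater than 0" threshold still applies, but each result now represents a burst of failures from one source, which keeps the Incidents dashboard to one incident per source rather than one per event.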

Leave the default settings on the remaining tabs.

Click Create.

Triage and Close At Least One Incident

Close at least one incident from the Sentinel Incidents dashboard.

  • Ensure that you try RDP access into Azure VM using an incorrect password

  • Wait for about 5 minutes for the analytics rule to run and analyze the data

  • Close at least one of the incidents generated by analytics rule

After a few minutes we can see an incident was created. Nothing left to do except close the incident.
