Azure Sentinel Incident Triage Challenge
Challenge to set up Azure Sentinel, collect logs from a Virtual Machine (VM), create a basic analytics rule and have the rule trigger.
Create an Azure Sentinel Workspace
Create an Azure Sentinel resource using the existing Log Analytics workspace.
Must use the existing workspace calabws
Head over to Microsoft Sentinel and create it.
Make sure you have the calabws workspace selected.
Create a Data Collection Rule in Sentinel
Create a Data Collection Rule to collect Security Events from the Azure VM
Collection Rule name must be windows-event
Add the Azure VM ca-lab-vm to the data collection rule scope
The data collection rule must collect at least the Common event stream
First we need to head over to the Log Analytics workspace and make sure that the VM is able to send logs to our workspace.
Shortly after, you should see that the VM has connected to the workspace.
Now we start creating our collection rule within Sentinel. Head back to Microsoft Sentinel. Click the data connectors and add Windows Security Events via AMA.
Add the rule name windows-event.
Add the VM we added to the Log Analytics workspace.
Make sure we have Common selected.
Create an Analytics Rule to Run Scheduled Queries
Create an Analytics Rule to Run Scheduled Queries that satisfies the following:
The rule severity should be Medium
Query schedule should be set to run every 5 minutes
The log inspection script must check for EventID 4625 to report failed logins
Use the query SecurityEvent | where EventID == 4625
Try RDP access into the Azure VM by supplying an incorrect password to generate events
We're going to generate the logs first rather than afterwards, so the query already returns results while we're creating the rule.
Enter incorrect credentials a few times to create logs.
Now we can start creating our Analytics rule.
Make sure the alert threshold is set to greater than 0 so the rule fires on any hit.
Leave the default settings on the remaining pages.
Click Create.
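A tuned version of the lab's query, added here as an illustration and not part of the original challenge: it keeps the EventID 4625 filter but groups failures per account and source address over the 5-minute window, so the incident shows who was targeted, from where and why the logon failed. Column names are the standard SecurityEvent schema; the threshold of 3 is an assumed tuning (the lab itself fires on any result).

```kusto
// Added example, not the lab's own rule query.
// Extends: SecurityEvent | where EventID == 4625
SecurityEvent
| where TimeGenerated > ago(5m)              // matches the lab's 5-minute schedule
| where EventID == 4625                      // an account failed to log on
// Map the Windows sub-status code to a readable failure reason.
| extend FailureReason = case(
    tolower(SubStatus) == "0xc000006a", "Bad password",
    tolower(SubStatus) == "0xc0000064", "Unknown user name",
    tolower(SubStatus) == "0xc0000234", "Account locked out",
    tolower(SubStatus) == "0xc0000072", "Account disabled",
    strcat("Other (", SubStatus, ")"))
// One row per victim account / source address / logon type per window.
| summarize FailedCount = count(),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated),
            Reasons     = make_set(FailureReason)
    by Computer, TargetAccount, IpAddress, LogonType
// Assumed tuning: only alert on repeated failures, not a single typo.
| where FailedCount >= 3
| order by FailedCount desc
```

In the rule wizard, map TargetAccount to the Account entity and IpAddress to the IP entity so the incident carries those fields for triage.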
Triage and Close At Least One Incident
Close at least one incident from the Sentinel Incidents Dashboard
Ensure that you try RDP access into the Azure VM using an incorrect password
Wait for about 5 minutes for the analytics rule to run and analyze the data
Close at least one of the incidents generated by the analytics rule
After a few minutes we can see an incident was created. Nothing left to do except close the incident.