Configuring Data Collection and Analytics in Microsoft Sentinel (Part 3)

Introduction

Building on our previous posts, we'll now configure a data collection rule and set up basic analytics in Microsoft Sentinel. Before we begin, create a Windows VM in the same resource group as the Log Analytics workspace that Sentinel is attached to. You do not need to install an agent by hand: the data collection rule created below deploys the Azure Monitor Agent (AMA) to the VM you select.


This content originally appeared on DEV Community and was authored by Jimi

Configuring Data Collection Rules

To effectively leverage Microsoft Sentinel, we need to ensure that relevant data is being collected. Let's configure a data collection rule for Windows Security Events:

  1. Navigate to the Configuration section in Microsoft Sentinel and select Data connectors.

     (Screenshot: Locating Data connectors)

  2. Search for and select Windows Security Events via AMA.

  3. Click Open connector page.

     (Screenshot: Opening the connector page for Windows Security Events)

  4. In the Configuration section of the connector page, click +Create data collection rule.

     (Screenshot: Creating a data collection rule)

  5. Provide a name for the data collection rule, select your subscription, and choose the resource group.

     (Screenshot: Creating the Data Collection Rule)

  6. On the Resources tab, expand the subscription, locate the Windows virtual machine you created, and select it. The Azure Monitor Agent is deployed to the selected machine when the rule is created.

     (Screenshot: Locating the Windows VM)

  7. On the Collect tab, leave All Security Events selected. This streams every event in the Security log and is the most expensive option in ingestion terms; the Common event set, which includes Event ID 4732, is enough for the rule built later in this post.

     (Screenshot: Choosing events to stream)

  8. Click Review+Create and then Create. Data can take several minutes to start flowing, so before building the analytics rule confirm in Logs that the SecurityEvent table is receiving events from the VM.

Creating a Near Real-Time (NRT) Query Detector

To promptly identify potential threats, we'll set up a basic NRT query detector:

  1. In Microsoft Sentinel, navigate to the Configuration section and select Analytics.

     (Screenshot: Locating Analytics)

  2. Click +Create and choose NRT query rule.

     (Screenshot: Creating an NRT query rule)

  3. Provide a name for the rule and, under MITRE ATT&CK, select the Privilege Escalation tactic.

     (Screenshot: Configuring Analytics Rule)

  4. In the Rule query section, enter the following logic. Event ID 4732 is logged when a member is added to a security-enabled local group; the second filter keeps only additions to the local Administrators group. In the SecurityEvent table, TargetAccount is the group that was modified, SubjectAccount is the account that made the change, and the new member is in MemberSid (MemberName is often "-" for local accounts):

    SecurityEvent
    | where EventID == 4732                              // a member was added to a security-enabled local group
    | where TargetAccount == "Builtin\\Administrators"   // the modified group; "\\" is a single backslash in a KQL string

     (Screenshot: Configuring the Rule query)

  5. NRT rules have no schedule to configure: they run once a minute over the last minute of data. Use the Entity mapping section instead to map Host to Computer and Account to SubjectAccount and MemberSid, so each incident carries the host, the actor and the added member, and set the incident settings and alert grouping as needed.

  6. Click Review+Create and then Create.
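As an added example (not code from the original post, and not Microsoft's), the following Python script ties the two procedures above together: it parses constructed 4732 and 4728 events in the Windows event XML layout that the Azure Monitor Agent reads from the Security log, flattens them into the SecurityEvent columns the NRT rule references (EventID, TargetAccount, SubjectAccount, MemberSid, Computer), applies the rule's two where clauses, and returns the fields worth mapping as incident entities. The events, host names and SIDs are constructed samples; deriving TargetAccount and SubjectAccount as Domain\User from the EventData fields is an assumption that matches the values the workspace shows for these events.

```python
"""Added example: from Security-log XML to SecurityEvent rows to the NRT rule's filter.
Every event here is a constructed sample, not real telemetry."""
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# The NRT rule's logic: 4732 (member added to a security-enabled local group)
# where the modified group is the local Administrators group.
RULE_EVENT_ID = 4732
RULE_TARGET_ACCOUNT = r"Builtin\Administrators"


def make_event(event_id, computer, event_data, time="2024-08-03T18:55:10.123Z"):
    """Sample-building helper for this example: emits one event in the Windows
    event XML schema with the EventData field names used by 4728/4732."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in event_data.items())
    return (
        f'<Event xmlns="{EVENT_NS[1:-1]}">'
        f'<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f"<EventID>{event_id}</EventID>"
        f'<TimeCreated SystemTime="{time}"/>'
        f"<Computer>{computer}</Computer></System>"
        f"<EventData>{rows}</EventData></Event>"
    )


# Constructed samples: one event the rule must catch and two it must ignore.
SAMPLE_EVENTS = [
    # 4732: a local user is added to Builtin\Administrators by labadmin.
    make_event(4732, "sentinel-win-01", {
        "MemberName": "-",                       # often "-" for local members
        "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1001",
        "TargetUserName": "Administrators",
        "TargetDomainName": "Builtin",
        "TargetSid": "S-1-5-32-544",             # well-known SID of Administrators
        "SubjectUserName": "labadmin",
        "SubjectDomainName": "SENTINEL-WIN-01",
    }),
    # 4732 against a different local group: not Administrators, so no alert.
    make_event(4732, "sentinel-win-01", {
        "MemberName": "-",
        "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1002",
        "TargetUserName": "Remote Desktop Users",
        "TargetDomainName": "Builtin",
        "TargetSid": "S-1-5-32-555",
        "SubjectUserName": "labadmin",
        "SubjectDomainName": "SENTINEL-WIN-01",
    }),
    # 4728 (security-enabled global group): a domain-level change this rule,
    # keyed on the local 4732, never sees even though the group is sensitive.
    make_event(4728, "dc01.corp.local", {
        "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=local",
        "MemberSid": "S-1-5-21-4444444444-5555555555-6666666666-1105",
        "TargetUserName": "Domain Admins",
        "TargetDomainName": "CORP",
        "TargetSid": "S-1-5-21-4444444444-5555555555-6666666666-512",
        "SubjectUserName": "Administrator",
        "SubjectDomainName": "CORP",
    }),
]


def to_security_event(xml_text):
    """Flatten one event into the SecurityEvent columns the KQL references.
    Assumption: TargetAccount and SubjectAccount are the Domain\\User join of the
    corresponding EventData fields, as the workspace shows for these events."""
    root = ET.fromstring(xml_text)
    system = root.find(EVENT_NS + "System")
    data = {d.get("Name"): (d.text or "") for d in root.iter(EVENT_NS + "Data")}
    return {
        "TimeGenerated": system.find(EVENT_NS + "TimeCreated").get("SystemTime"),
        "Computer": system.findtext(EVENT_NS + "Computer"),
        "EventID": int(system.findtext(EVENT_NS + "EventID")),
        "TargetAccount": f'{data["TargetDomainName"]}\\{data["TargetUserName"]}',
        "TargetSid": data["TargetSid"],
        "MemberName": data["MemberName"],
        "MemberSid": data["MemberSid"],
        "SubjectAccount": f'{data["SubjectDomainName"]}\\{data["SubjectUserName"]}',
    }


def rule_matches(rows):
    """The two 'where' clauses of the NRT rule, applied to flattened rows."""
    return [r for r in rows
            if r["EventID"] == RULE_EVENT_ID and r["TargetAccount"] == RULE_TARGET_ACCOUNT]


def incident_entities(row):
    """Columns to map on the rule's Entity mapping tab: MemberName is often '-'
    for local members, so MemberSid is the reliable identifier of who was added."""
    return {"Host": row["Computer"], "Actor": row["SubjectAccount"], "MemberSid": row["MemberSid"]}


def run_rule(events=SAMPLE_EVENTS):
    """Parse every event and return the rows the NRT rule would alert on."""
    return rule_matches(to_security_event(e) for e in events)


if __name__ == "__main__":
    for hit in run_rule():
        print(hit["TimeGenerated"], hit["TargetAccount"], incident_entities(hit))
```

Running the script alerts on the first sample only. The third sample is the point to take away: 4728 and 4756 record additions to domain global and universal groups such as Domain Admins, and a rule filtered to the local 4732 does not cover them, so a domain-joined lab needs a companion rule for those event IDs.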

Configuring Automation

To streamline incident response, we'll create a basic automation rule:

  1. Return to the Configuration section in Microsoft Sentinel and select Automation.

     (Screenshot: Locating Automation)

  2. Click +Create and choose Automation rule.

     (Screenshot: Creating an Automation rule)

  3. Provide a name for the automation rule. Leave the trigger at When incident is created and add a condition so the rule only applies to incidents raised by the NRT rule created above (for example, Analytic rule name contains that rule's name); without a condition the rule acts on every incident in the workspace.

  4. Under Actions, add Assign owner, pick the user who should receive these incidents, and click Apply.

     (Screenshot: Assigning the incident owner)

Summary

By following these steps, you have set up Windows Security Event collection through the Azure Monitor Agent, created a near real-time analytics rule for additions to the local Administrators group, and configured a basic automation rule that assigns the resulting incidents to an owner.

In the next post, we'll simulate an attack to validate the analytic and automation rules.


Source: Jimi | Sciencx (2024-08-03T19:13:31+00:00). Configuring Data Collection and Analytics in Microsoft Sentinel (Part 3). Retrieved from https://www.scien.cx/2024/08/03/configuring-data-collection-and-analytics-in-microsoft-sentinel-part-3/