Jimi

Configuring Data Collection and Analytics in Microsoft Sentinel (Part 3)

Introduction

Building on our previous posts, we'll now delve into configuring data collection rules and setting up basic analytics in Microsoft Sentinel. Before we begin, create a Windows VM in the same Resource Group as the workbook.

Configuring Data Collection Rules

To effectively leverage Microsoft Sentinel, we need to ensure that relevant data is being collected. Let's configure a data collection rule for Windows Security Events:

  1. Navigate to the Configuration section in Microsoft Sentinel and select Data Connectors.

    Locating Data connectors

  2. Search for and select Windows Security Events via AMA.

  3. Click Open connector page.

    Opening the connector page for Windows Security Events

  4. In the Configuration section, click +Create data collection rule.

    Creating a data collection rule

  5. Provide a name for the Data Collector, select your subscription, and choose the resource group.

    Creating the Data Collection Rule

  6. Expand the subscription tab, locate the Windows virtual machine you created, and select it.

    Locating the Windows VM

  7. In the Collect section, leave All Security Events selected.

    Choosing events to stream

  8. Click Review+Create and then Create.
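Before building detections on top of the new rule, it is worth confirming that the agent on the VM is actually delivering Security events to the workspace. The following KQL check is an added example and not part of the original post; run it from the Logs blade a few minutes after the data collection rule has been created (the hour-long lookback and the column names from the standard SecurityEvent schema are the only assumptions):

```kql
// Added check (not from the original post): confirm the data collection rule
// is streaming Windows Security events from the VM into the workspace.
// An empty result usually means the Azure Monitor Agent has not finished
// installing yet, or the VM was not associated with the rule.
SecurityEvent
| where TimeGenerated > ago(1h)
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
            by Computer, EventID, Activity
| order by Computer asc, Events desc
```

You should see one row per event type for the Windows VM you selected in step 6. Event 4732 will not appear until a member is actually added to a local group, so its absence at this stage is expected; what matters here is that rows for routine events such as logons (4624) are arriving with a recent LastSeen.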

Creating a Near Real-Time (NRT) Query Detector

To promptly identify potential threats, we'll set up a basic NRT query detector:

  1. In Microsoft Sentinel, navigate to the Configuration section and select Analytics.

    Locating Analytics

  2. Click +Create and choose NRT query rule.

    Creating an NRT query rule

  3. Provide a name for the query and select Privilege Escalation from the MITRE ATT&CK framework.

    Configuring Analytics Rule

  4. In the Rule Query section, input the following logic:

    // Event 4732: a member was added to a security-enabled local group.
    // The filter on TargetAccount restricts this to the local Administrators group;
    // the double backslash is the KQL escape for a single literal backslash.
    SecurityEvent
    | where EventID == 4732
    | where TargetAccount == "Builtin\\Administrators"

    Configuring the Rule query

  5. Configure the query scheduling and other parameters as needed.

  6. Click Review+Create and then Create.
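The rule above fires only when an account is added to the local Administrators group. The query below is an added example that is not from the original post; it generalizes the same idea to the other group-membership events Windows raises and to a short list of highly privileged groups, and it projects the columns you will want to map to entities in the rule wizard. The group list is an assumption to tune for your environment; the column names (TargetUserName, MemberName, SubjectAccount, Activity) follow the standard SecurityEvent schema, and the query stays within the single-table, no-join shape an NRT rule requires:

```kql
// Added example (not from the original post): alert when a member is added to a
// highly privileged group, covering local, domain global and universal groups.
//   4728 = member added to a security-enabled global group (domain)
//   4732 = member added to a security-enabled local group
//   4756 = member added to a security-enabled universal group
// PrivilegedGroups is an assumed starting list; extend it with your own tiered groups.
let PrivilegedGroups = dynamic([
    "Administrators",
    "Domain Admins",
    "Enterprise Admins",
    "Schema Admins",
    "Remote Desktop Users"
]);
SecurityEvent
| where EventID in (4728, 4732, 4756)
// TargetUserName is the group name without its domain prefix, so it matches
// both "Builtin\Administrators" on a workstation and "CONTOSO\Domain Admins" on a DC.
| where TargetUserName in~ (PrivilegedGroups)
| project TimeGenerated,
          Computer,
          EventID,
          Activity,
          GroupName    = TargetUserName,
          GroupDomain  = TargetDomainName,
          // MemberName holds the distinguished name (or SID) of the account that was added
          AddedMember  = MemberName,
          AddedMemberSid = MemberSid,
          // SubjectAccount is the account that performed the change
          AddedBy      = SubjectAccount
```

In the Entity mapping tab of the wizard, map AddedBy to an Account entity and Computer to a Host entity; that is what lets the incident show who made the change and where, and it is what the automation rule in the next section can key on.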

Configuring Automation

To streamline incident response, we'll create a basic automation rule:

  1. Return to the Configuration section in Microsoft Sentinel and select Automation.

    Locating Automation again

  2. Click +Create and choose automation rule.

    Creating an Automation rule

  3. Provide a name for the automation rule and assign an owner.

  4. Configure the automation logic and conditions.

    Assigning the rule to an owner

Summary

By following these steps you've set up Windows Security Event data collection, created near real-time query detectors, and configured basic automation rules in Microsoft Sentinel.

In the next post, we'll simulate an attack to validate the analytic and automation rules.
