Configure a data connector Data Collection Rule

bdporomon

Baridiilo Poromon

Posted on August 29, 2024

Configure a data connector Data Collection Rule

Task 1: Configure Data Collection rules (DCRs) in Microsoft Sentinel

In Microsoft Sentinel, go to the Configuration menu section and select Data connectors.

Image description

Search for and select Windows Security Events via AMA.

Select Open connector page.

Image description

In the Configuration area, select +Create data collection rule.

Image description

On the Basics tab enter a Rule Name.

Image description

On the Resources tab expand your subscription and the RG1 resource group in the Scope column.

Select VM1, and then select Next: Collect >

Image description

On the Collect tab leave the default of All Security Events.

Image description

Select Next: Review + create >, then select Create.

Task 2 - Create a near real-time (NRT) query detection.

In Microsoft Sentinel, go to the Configuration menu section and select Analytics.

Image description
Select + Create, and NRT query rule (Preview).

Enter a Name for the rule, and select Privilege Escalation from Tactics and techniques.

Image description

Select Next: Set rule logic >.

Enter the KQL query into the Rule query form:

code
SecurityEvent
| where EventID == 4732
| where TargetAccount == "Builtin\Administrators"

Image description

Select Next: Incident settings >, and select Next: Automated response >.

Select Next: Review + Create.

When validation is complete select Save.

Task 3: Configure automation in Microsoft Sentinel

In Microsoft Sentinel, go to the Configuration menu section and select Automation.

Image description
Select + Create, and Automation rule.

Enter an Automation rule name, and select Assign owner from Actions
Assign Operator1 as the owner.

Image description
Select Apply

💖 💪 🙅 🚩
bdporomon
Baridiilo Poromon

Posted on August 29, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related