Configuring Data Collection and Analytics in Microsoft Sentinel (Part 3)
Jimi
Posted on August 3, 2024
Introduction
Building on our previous posts, we'll now delve into configuring data collection rules and setting up basic analytics in Microsoft Sentinel. Before we begin, create a Windows VM in the same Resource Group as the workbook.
Configuring Data Collection Rules
To effectively leverage Microsoft Sentinel, we need to ensure that relevant data is being collected. Let's configure a data collection rule for Windows Security Events:
-
Navigate to the Configuration section in Microsoft Sentinel and select Data Connectors.
Search for and select Windows Security Events via AMA.
-
Click Open connector page.
-
In the Configuration section, click +Create data collection rule.
-
Provide a name for the Data Collector, select your subscription, and choose the resource group.
-
Expand the subscription tab, locate the Windows virtual machine you created, and select it.
-
In the Collect section, leave All Security Events selected.
Click Review+Create and then Create.
Creating a Near Real-Time (NRT) Query Detector
To promptly identify potential threats, we'll set up a basic NRT query detector:
-
In Microsoft Sentinel, navigate to the Configuration section and select Analytics.
-
Click +Create and choose NRT query rule.
-
Provide a name for the query and select Privilege Escalation from the MITRE ATT&CK framework.
-
In the Rule Query section, input the following logic:
SecurityEvent | where EventID == 4732 | where TargetAccount == "Builtin\\Administrators"
Configure the query scheduling and other parameters as needed.
Click Review+Create and then Create.
Configuring Automation
To streamline incident response, we'll create a basic automation rule:
-
Return to the Configuration section in Microsoft Sentinel and select Automation.
-
Click +Create and choose automation rule.
Provide a name for the automation rule and assign an owner.
-
Configure the automation logic and conditions.
Summary
By following these steps you've set up Windows Security Event data collection, created near real-time query detectors, and configured basic automation rules in Microsoft Sentinel.
In the next post, we'll simulate an attack to validate the analytic and automation rules.
Posted on August 3, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.
Related
August 3, 2024