Initial Setup
I began my Azure labs using the Microsoft Learn modules, starting with Introduction to Microsoft Sentinel. To build on this, I supplemented my learning with YouTube tutorials and hands-on lab guides.
Creating my environment
Created a resource group for the lab environment.
Deployed a Server VM running Windows for log generation and monitoring.
Set up a Log Analytics Workspace (LAW).
Enabled Microsoft Sentinel on the LAW.
Connected an external VM to simulate authentication attempts and generate security events.
Verifying setup
To verify that I had set up my environment correctly, I ran a couple of tests to confirm that my LAW was receiving data. I simulated multiple failed login attempts (Event ID 4625) and observed them in Sentinel, then verified successful logons (4624) and process creation events (4688) to make sure I was getting the successful side too. I checked for my VM's heartbeat (running), and everything was working as planned.
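The checks described above, written out as KQL so they can be re-run in the Log Analytics workspace. This is an added example, not part of the original writeup; it assumes the Windows Security Events connector populates the standard SecurityEvent table and the monitoring agent populates the standard Heartbeat table.

```kql
// Added example (not from the original writeup): sanity-check queries for a
// freshly connected Windows VM. Assumes the standard SecurityEvent and
// Heartbeat tables in the Log Analytics workspace.

// 1. Failed logons (4625) by source IP, account and host over the last 24 hours
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4625
| summarize Failures = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by IpAddress, Account, Computer
| order by Failures desc

// 2. Successful logons (4624) and process creation (4688) to confirm the "good" side
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4624, 4688)
| summarize Events = count() by EventID, Activity, Computer
| order by EventID asc

// 3. Heartbeat: each connected VM should have reported within the last 5 minutes
Heartbeat
| summarize LastHeartbeat = max(TimeGenerated) by Computer, OSType
| extend Status = iff(LastHeartbeat > ago(5m), "running", "stale")
```

If the external VM is missing from query 3, or query 1 shows its failed logons under an unexpected IpAddress, that points at the connector or network path rather than at Sentinel itself.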
Next steps (to be removed as the project develops)
Build my own analytic rules to play into common SOC workflows.
Brute force detection - Looking for a high number of Event ID 4625 failures from the same IP, user, or host within a short time window.
Privilege Escalation Detection - Closely monitor 4672 events to catch assignment of sensitive privileges.
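Draft analytic-rule queries for the two detections listed above, as an added example rather than rules from the original writeup. Both assume the standard SecurityEvent table; the 10-failure threshold, the 10-minute window and the excluded built-in accounts are placeholders to tune against the lab's own baseline.

```kql
// Added example (not from the original writeup): draft scheduled-rule queries
// for the brute-force and privilege-assignment detections. Assumes the
// standard SecurityEvent table; threshold and window are placeholders.

// Brute force: at least `threshold` failed logons from one source IP against
// one host within a 10-minute bin. Keeping the set of accounts tried lets the
// same rule distinguish a single-account brute force (few accounts, many
// attempts) from a password spray (many accounts, few attempts each).
let threshold = 10;
SecurityEvent
| where EventID == 4625
| summarize Failures = count(), TargetAccounts = make_set(Account, 50),
    StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
    by IpAddress, Computer, bin(TimeGenerated, 10m)
| where Failures >= threshold
| extend DistinctAccounts = array_length(TargetAccounts)
| project StartTime, EndTime, IpAddress, Computer, Failures, DistinctAccounts, TargetAccounts

// Sensitive privilege assignment: 4672 events, with the built-in service
// accounts and machine accounts filtered out so the results surface the
// interactive users who were granted sensitive privileges at logon.
SecurityEvent
| where EventID == 4672
| where not(Account has_any ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"))
| where Account !endswith "$"      // machine accounts end in "$"
| project TimeGenerated, Computer, Account, PrivilegeList
```

When saving these as scheduled rules, set the run frequency to match the 10-minute bin so events are neither double-counted nor missed, and map IpAddress, Computer and Account to the IP, Host and Account entities so the incidents carry the fields an analyst pivots on.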