├── .github
│   └── workflows
│       └── pages.yml
├── CODE_OF_CONDUCT.md
├── Gemfile
├── Gemfile.lock
├── LICENSE
├── README.md
├── SECURITY.md
├── SUPPORT.md
├── _config.yml
├── _includes
│   └── components
│       └── breadcrumbs.html
├── docs
│   ├── Ex01
│   │   ├── 0101.md
│   │   ├── 0102.md
│   │   ├── 0103.md
│   │   └── Ex01.md
│   ├── Ex02
│   │   ├── 0201.md
│   │   ├── 0202.md
│   │   ├── 0203.md
│   │   └── Ex02.md
│   ├── Ex03
│   │   ├── 0301.md
│   │   ├── 0302.md
│   │   ├── 0303.md
│   │   ├── 0304.md
│   │   ├── 0305.md
│   │   ├── 0306.md
│   │   ├── 0307.md
│   │   └── Ex03.md
│   ├── Ex04
│   │   ├── 0401.md
│   │   ├── 0402.md
│   │   └── Ex04.md
│   ├── Ex05
│   │   ├── 0501.md
│   │   ├── 0502.md
│   │   └── Ex05.md
│   ├── Ex06
│   │   ├── 0601.md
│   │   ├── 0602.md
│   │   └── Ex06.md
│   ├── Ex07
│   │   ├── 0701.md
│   │   ├── 0702.md
│   │   ├── 0703.md
│   │   └── Ex07.md
│   ├── Ex08
│   │   ├── 0801.md
│   │   ├── 0802.md
│   │   └── Ex08.md
│   ├── Ex09
│   │   ├── 0901.md
│   │   ├── 0902.md
│   │   └── Ex09.md
│   ├── Ex10
│   │   ├── 1001.md
│   │   ├── 1002.md
│   │   └── Ex10.md
│   ├── media
│   │   ├── 5qoyf33h.jpg
│   │   ├── Add-MS-Sentinel-to-a-work-1.png
│   │   ├── Add-MS-Sentinel-to-workspace.png
│   │   ├── Add-Workspace.png
│   │   ├── Breadcrumbs-MS-Sentinel.png
│   │   ├── Compromised-Msg.png
│   │   ├── Configure Azure Activity-RG.png
│   │   ├── Configure Azure Activity-Scope-Subscr.png
│   │   ├── Configure Azure Activity-Scope.png
│   │   ├── Configure Azure Activity-workspace.png
│   │   ├── ConfigureAzureActivity-Create.png
│   │   ├── ConfigureAzureActivity-ManagedId.png
│   │   ├── ConfigureAzureActivity-Notifications.png
│   │   ├── ConfigureAzureActivity-RG.png
│   │   ├── ConfigureAzureActivity-Scope.png
│   │   ├── ConfigureAzureActivity-workspace.png
│   │   ├── Data-connectors-breadcrumb-data-connectors.png
│   │   ├── Data-connectors-breadcrumb-syslog.png
│   │   ├── Data-connectors-breadcrumb.png
│   │   ├── E1-T1-S10-Workspace-Refresh.png
│   │   ├── E1-T1-S13-Sentinel-Trial.png
│   │   ├── E1-T1-S2-Az-RG.png
│   │   ├── E1-T1-S3-Azure-Search-for-Sentinel.png
│   │   ├── E1-T1-S3-Azure-Sentinel-Search-Results.png
│   │   ├── E1-T1-S3b-Azure-Search-for-Sentinel.png
│   │   ├── E1-T1-S4-Create-Sentinel.png
│   │   ├── E1-T1-S6-Add-Workspace.png
│   │   ├── E1-T2-S10-Select-Create-Data-Collection-Rule.png
│   │   ├── E1-T2-S13-Select-Linux1.png
│   │   ├── E1-T2-S15-Set-SysLog-Level.png
│   │   ├── E1-T2-S16-Refresh-Data-Rules.png
│   │   ├── E1-T2-S2-Data-Connectors.png
│   │   ├── E1-T2-S2-S4-Syslog-Prereq.png
│   │   ├── E1-T2-S2-Search-Select-Syslog.png
│   │   ├── E1-T2-S2-Search-Syslog.png
│   │   ├── E1-T2-S3-Syslog-Pane.png
│   │   ├── E1-T2-S4-Syslog-Faculties.png
│   │   ├── E1-T2-S4-Syslog-Prereqs.png
│   │   ├── E1-T2-S7-Syslog-Via-AMA.png
│   │   ├── E1-T2a-S2-More-Content-At-Content-Hub.png
│   │   ├── E1-T2a-S3-Provider-Microsoft.png
│   │   ├── E1-T2a-S5-Install-Syslog.png
│   │   ├── E2-T1-S10-Incident-settings.png
│   │   ├── E2-T1-S10-Notepad5.png
│   │   ├── E2-T1-S11-Alert-grouping.png
│   │   ├── E2-T1-S11-Notepad6.png
│   │   ├── E2-T1-S11-Start-Win-Term_Admin.png
│   │   ├── E2-T1-S11b-Start-Win-Term_Admin.png
│   │   ├── E2-T1-S12-Notepad7.png
│   │   ├── E2-T1-S12-UAC.png
│   │   ├── E2-T1-S13-Notepad8.png
│   │   ├── E2-T1-S13-Review-create-Previous.png
│   │   ├── E2-T1-S14-Notepad10.png
│   │   ├── E2-T1-S14-Paste-Warning.png
│   │   ├── E2-T1-S15-Notepad9.png
│   │   ├── E2-T1-S18-SSH-Success.png
│   │   ├── E2-T1-S2-Analytics.png
│   │   ├── E2-T1-S2-Az-Svcs-VM.png
│   │   ├── E2-T1-S3-Create-Scheduled-query-rule.png
│   │   ├── E2-T1-S3-Public-IP.png
│   │   ├── E2-T1-S3-RG-RG.png
│   │   ├── E2-T1-S4-Ana-rule-details-Name.png
│   │   ├── E2-T1-S4-RG-LogA.png
│   │   ├── E2-T1-S5-Ana-rule-details-Severity.png
│   │   ├── E2-T1-S5-LogA-Agents-Mgt-Linux-Servers.png
│   │   ├── E2-T1-S5-LogA-Agents-Mgt.png
│   │   ├── E2-T1-S7-Ana-rule-Wiz-Rule-query.png
│   │   ├── E2-T1-S7-LogA-Agents-Mgt-Download-and-onboard.png
│   │   ├── E2-T1-S8-Notepad1.png
│   │   ├── E2-T1-S8-Notepad2.png
│   │   ├── E2-T1-S8-Notepad3.png
│   │   ├── E2-T1-S8-Query-Sched-Minutes.png
│   │   ├── E2-T1-S9-Query-Sched-Lookup-data.png
│   │   ├── E2-T2-S12-Notepad4.png
│   │   ├── E3-T1-S2-Sentinel-LogA.png
│   │   ├── E3-T1-S2-Sentinel-LogAb.png
│   │   ├── E3-T1-S2-Sentinel.png
│   │   ├── E3-T1-S4-Data-connectors.png
│   │   ├── E3-T2-S15-Expand-Right-Panel.png
│   │   ├── E3-T2-S4-Sentinel-Overview.png
│   │   ├── E3-T4-S10-Add-Watchlist-Alias.png
│   │   ├── E3-T4-S13-Add-Hosts-Hostname.png
│   │   ├── E3-T4-S14-Save-Logic-App-Design.png
│   │   ├── E3-T4-S4-Follow-False-Branch.png
│   │   ├── E3-T4-S5-Create-New-Watchlist.png
│   │   ├── E3-T4-S7-fx-Icon.png
│   │   ├── Faculty.png
│   │   ├── Hamburger-Menu.png
│   │   ├── Home.png
│   │   ├── Linux-servers-see-in-logs.png
│   │   ├── Linux-servers-tab.png
│   │   ├── Linux1-SSH-Fingerpring.png
│   │   ├── LogAgent.png
│   │   ├── MS-Sentinel-Legacy-Agents-Syslog-Notif.png
│   │   ├── MS-Sentinel-Legacy-Agents-Syslog.png
│   │   ├── Paste-Anyway-cat.png
│   │   ├── Paste-Anyway.png
│   │   ├── RG1-Workspace.png
│   │   ├── ResourceGroups.png
│   │   ├── SC-200-Lab_Diagrams_Mod7_L1_Ex5.png
│   │   ├── SC-200-Lab_Diagrams_Mod7_L1_Ex6.png
│   │   ├── SC200_sysmon_attack3.png
│   │   ├── See-them-in-Logs-x.png
│   │   ├── See-them-in-logs-Linux1.png
│   │   ├── Sentinel-Dashboard.png
│   │   ├── Sentinel-Incidents.png
│   │   ├── SplunkData_json_file.png
│   │   ├── SplunkData_json_file2.png
│   │   ├── Syslog.png
│   │   ├── actions2entries.png
│   │   ├── activerulesdetails.png
│   │   ├── activerulesdetailsedit.png
│   │   ├── addarule.png
│   │   ├── addarulebaseblobs.png
│   │   ├── addaruledetails.png
│   │   ├── addfacilitysyslog.png
│   │   ├── addresources.png
│   │   ├── addroleassignment.png
│   │   ├── addroleassignmentowner.png
│   │   ├── amacreatedatacollectionrule.png
│   │   ├── analytics-rule-wizard-general.png
│   │   ├── analyticsrulewizardgeneral.png
│   │   ├── automated_response_add_new.png
│   │   ├── automatedresponsetab.png
│   │   ├── automation-breadcrumb.png
│   │   ├── automation-rules-configure-permissions.png
│   │   ├── automation-rules-more-content.png
│   │   ├── automation_rule_config2.png
│   │   ├── automationrulesaddnew.png
│   │   ├── automationsearchbyname.png
│   │   ├── azureservicesmicrosoftsentinel.png
│   │   ├── bell_notification_icon.png
│   │   ├── breadcrumbdataconnectors.png
│   │   ├── breadcrumbsyslog.png
│   │   ├── cat-output-2.png
│   │   ├── cat-output.png
│   │   ├── clipboard.png
│   │   ├── close_queries.png
│   │   ├── close_run_paybook_on_incident.png
│   │   ├── close_sentinel_logs.png
│   │   ├── close_welcome_to_log_analytics.png
│   │   ├── configuration_menu_analytics.png
│   │   ├── create_microsoft_sentinel_alert.png
│   │   ├── createexportruledestination.png
│   │   ├── createexportrulesource.png
│   │   ├── data-connectors-windows-security-events.png
│   │   ├── dataconnectorsama.png
│   │   ├── dataconnectorssyslog.png
│   │   ├── delete_analytics_rule.png
│   │   ├── deleteme.txt
│   │   ├── download_rdp_file.png
│   │   ├── dynamiccontentdialog.png
│   │   ├── dynamiccontentdialog2.png
│   │   ├── enable_disable_toggle.png
│   │   ├── enable_fail_validation.png
│   │   ├── enable_pass_validation.png
│   │   ├── entities_window.png
│   │   ├── entity_mapping.png
│   │   ├── error_codeless_connector.png
│   │   ├── facilitysyslogconfig.png
│   │   ├── hide_blade.png
│   │   ├── incident_activity_log.png
│   │   ├── incident_assign_to_me.png
│   │   ├── incident_comment.png
│   │   ├── incident_status_closed.png
│   │   ├── incident_tag.png
│   │   ├── incident_tasks_add.png
│   │   ├── incident_tasks_blade.png
│   │   ├── install-windowssecurityevents.png
│   │   ├── installed_rules.png
│   │   ├── installed_rules2.png
│   │   ├── invalid_query_x_close.png
│   │   ├── invalid_query_x_close2.png
│   │   ├── investigation_entities.png
│   │   ├── investigation_timeline.png
│   │   ├── investigation_workstation5_node_info.png
│   │   ├── linux1connect.png
│   │   ├── list_entry_enabled.png
│   │   ├── loganaliticsdeploymentcomplete.png
│   │   ├── loganalyticsworkspacescreate.png
│   │   ├── logicappdesignerbluesection.png
│   │   ├── logicappdesignercondition.png
│   │   ├── logicappdesignerfinal.png
│   │   ├── logicappdesignerwatchlists.png
│   │   ├── manageplaybookpermissions.png
│   │   ├── manually_translated.png
│   │   ├── manually_translated2.png
│   │   ├── microsoft_sentinel_analytics.png
│   │   ├── microsoftsentineladdtoworkspace.png
│   │   ├── microsoftsentinelcreate.png
│   │   ├── minimizepanel.png
│   │   ├── mky9t3ei.jpg
│   │   ├── native_rdp.png
│   │   ├── native_rdp_download.png
│   │   ├── nextsteps.png
│   │   ├── not-ready-message.png
│   │   ├── opennotifications.png
│   │   ├── openyourworkspaceagentsconfiguration.png
│   │   ├── pao8dq3n.jpg
│   │   ├── playbooktemplatestab.png
│   │   ├── privileged-administrator-roles.png
│   │   ├── query_scheduling.png
│   │   ├── queryscheduling.png
│   │   ├── ready_to_migrate.png
│   │   ├── ready_to_migrate_b.png
│   │   ├── redundancygrs.png
│   │   ├── refresh_data_collection_rule.png
│   │   ├── refreshconfiguration.png
│   │   ├── relevantanalyticstemplates.png
│   │   ├── remote_desktop_connection.png
│   │   ├── remote_desktop_connection_2.png
│   │   ├── role-assignment-conditions.png
│   │   ├── run_playbook.png
│   │   ├── search_startupbat.png
│   │   ├── security-event-rule-template.png
│   │   ├── securityevent_expanded.png
│   │   ├── securityevent_expanded2.png
│   │   ├── select_mssen2go.png
│   │   ├── select_view_query_results.png
│   │   ├── select_view_query_results2.png
│   │   ├── selectlastbox.png
│   │   ├── selectlogicappcontributor.png
│   │   ├── selectlogicapps.png
│   │   ├── selectmanagedidentity.png
│   │   ├── selectmanagedidentitymembers.png
│   │   ├── selectmembers.png
│   │   ├── selectmicrosoftsentinelcontributor.png
│   │   ├── selectwinscope.png
│   │   ├── sentinel_instance.png
│   │   ├── set_incident_active.png
│   │   ├── siem_migration.png
│   │   ├── skillable_SC-200-Lab_Diagrams_Mod7_L1_Ex5.png
│   │   ├── skillable_SC-200-Lab_Diagrams_Mod7_L1_Ex6.png
│   │   ├── skillable_SC-200-Lab_Diagrams_Mod7_L1_Ex7.png
│   │   ├── skillable_SC-200-Lab_Diagrams_Mod7_L1_Ex8.png
│   │   ├── skillable_SC-200-Lab_Diagrams_Mod7_L1_Ex9.png
│   │   ├── splunk_entry_fully_translated.png
│   │   ├── splunk_entry_fully_translated2.png
│   │   ├── splunk_entry_partially_translated.png
│   │   ├── splunk_entry_partially_translated2.png
│   │   ├── splunk_migrated_prefix.png
│   │   ├── splunk_migrated_prefix2.png
│   │   ├── startup_regkey_incident.png
│   │   ├── syslogconfiginstall.png
│   │   ├── target_query_error.png
│   │   ├── target_query_error2.png
│   │   ├── typetexticon.png
│   │   ├── virtual_machine_scope.png
│   │   ├── virtualmachineslinux1.png
│   │   ├── watchlists-utilities-install.png
│   │   ├── wget.png
│   │   ├── windows-security-events-create-rule.png
│   │   ├── windows_security_events_create_dcr.png
│   │   ├── windows_security_events_install.png
│   │   ├── windows_security_events_open_connector_page.png
│   │   └── workstation5_connect_connect.png
│   └── resources
│       └── SplunkData.json
└── index.md

--------------------------------------------------------------------------------
/.github/workflows/pages.yml:
--------------------------------------------------------------------------------
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# Sample workflow for building and deploying a Jekyll site to GitHub Pages
name: Deploy Jekyll site to Pages

on:
  push:
    branches: ["main"]
    # Commits that only touch the solution files do not trigger a deployment
    paths-ignore:
      - 'Solution/**'

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
permissions:
  contents: read
  pages: write
  id-token: write

# Allow one concurrent deployment
concurrency:
  group: "pages"
  cancel-in-progress: true

jobs:
  # Build job
  build:
    runs-on: ubuntu-latest
    steps:
      # Supply-chain note: every action below is referenced by a mutable tag
      # (@v1, @v2, @v3). Pinning each `uses:` to a full commit SHA, with the
      # tag kept in a trailing comment, makes the build reproducible and
      # tamper-evident if a tag is ever moved.
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.1' # Not needed with a .ruby-version file
          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
          cache-version: 0 # Increment this number if you need to re-download cached gems
          # Path filtering is a trigger setting (on.push.paths-ignore above);
          # ruby/setup-ruby has no such input.
      - name: Setup Pages
        id: pages
        uses: actions/configure-pages@v2
      - name: Build with Jekyll
        # Outputs to the './_site' directory by default
        run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
        env:
          JEKYLL_ENV: production
      - name: Upload artifact
        # Automatically uploads an artifact from the './_site' directory by default
        uses: actions/upload-pages-artifact@v1

  # Deployment job
  deploy:
    environment:
      name: github-pages
      url: "${{ steps.deployment.outputs.page_url }}"
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v1

--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
# Microsoft Open Source Code of Conduct

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).

Resources:

- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns

--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------
source 'https://rubygems.org'

gem "jekyll", "~> 4.3" # installed by `gem install jekyll`
# gem "webrick" # required when using Ruby >= 3 and Jekyll <= 4.2.2

gem "just-the-docs", "0.4.2" # pinned to the current release
# gem "just-the-docs" # always download the latest release

--------------------------------------------------------------------------------
/Gemfile.lock:
--------------------------------------------------------------------------------
GEM
  remote: https://rubygems.org/
  specs:
    addressable (2.8.1)
      public_suffix (>= 2.0.2, < 6.0)
    colorator (1.1.0)
    concurrent-ruby (1.1.10)
    em-websocket (0.5.3)
      eventmachine (>= 0.12.9)
      http_parser.rb (~> 0)
    eventmachine (1.2.7)
    ffi (1.15.5)
    forwardable-extended (2.6.0)
    http_parser.rb (0.8.0)
    i18n (1.12.0)
      concurrent-ruby (~> 1.0)
    jekyll (4.3.0)
      addressable (~> 2.4)
      colorator (~> 1.0)
      em-websocket (~> 0.5)
      i18n (~> 1.0)
      jekyll-sass-converter (>= 2.0, < 4.0)
      jekyll-watch (~> 2.0)
      kramdown (~> 2.3, >= 2.3.1)
      kramdown-parser-gfm (~> 1.0)
      liquid (~> 4.0)
      mercenary (>= 0.3.6, < 0.5)
      pathutil (~> 0.9)
      rouge (>= 3.0, < 5.0)
      safe_yaml (~> 1.0)
      terminal-table (>= 1.8, < 4.0)
      webrick (~> 1.7)
    jekyll-sass-converter (2.2.0)
      sassc (> 2.0.1, < 3.0)
    jekyll-seo-tag (2.8.0)
      jekyll (>= 3.8, < 5.0)
    jekyll-watch (2.2.1)
      listen (~> 3.0)
    just-the-docs (0.4.2)
      jekyll (>= 3.8.5)
      jekyll-seo-tag (>= 2.0)
      rake (>= 12.3.1)
    kramdown (2.4.0)
      rexml
    kramdown-parser-gfm (1.1.0)
      kramdown (~> 2.0)
    liquid (4.0.3)
    listen (3.7.1)
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
    mercenary (0.4.0)
    pathutil (0.16.2)
      forwardable-extended (~> 2.6)
    public_suffix (5.0.0)
    rake (13.0.6)
    rb-fsevent (0.11.2)
    rb-inotify (0.10.1)
      ffi (~> 1.0)
    rexml (3.3.3)
      strscan
    rouge (4.0.0)
    safe_yaml (1.0.5)
    sassc (2.4.0)
      ffi (~> 1.9)
    strscan (3.1.0)
    terminal-table (3.0.2)
      unicode-display_width (>= 1.1.1, < 3)
    unicode-display_width (2.3.0)
    webrick (1.7.0)

PLATFORMS
  arm64-darwin-21
  x86_64-darwin-19
  x86_64-linux

DEPENDENCIES
  jekyll (~> 4.3)
  just-the-docs (= 0.4.2)

BUNDLED WITH
   2.3.9

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) Microsoft Corporation.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Project

> This repo has been populated by an initial template to help get you started. Please
> make sure to update the content to build a great experience for community-building.

As the maintainer of this project, please make a few updates:

- Improving this README.MD file to provide a great experience
- Updating SUPPORT.MD with content about this project's support experience
- Understanding the security reporting process in SECURITY.MD
- Remove this section from the README

## Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

## Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow [Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general). Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.

--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------

## Security

Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet) and [Xamarin](https://github.com/xamarin).

If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/security.md/definition), please report it to us as described below.

## Reporting Security Issues

**Please do not report security vulnerabilities through public GitHub issues.**

Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/security.md/msrc/create-report).

If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/security.md/msrc/pgp).

You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc).

Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:

* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
* Full paths of source file(s) related to the manifestation of the issue
* The location of the affected source code (tag/branch/commit or direct URL)
* Any special configuration required to reproduce the issue
* Step-by-step instructions to reproduce the issue
* Proof-of-concept or exploit code (if possible)
* Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/security.md/msrc/bounty) page for more details about our active programs.

## Preferred Languages

We prefer all communications to be in English.

## Policy

Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/security.md/cvd).

--------------------------------------------------------------------------------
/SUPPORT.md:
--------------------------------------------------------------------------------
# TODO: The maintainer of this repo has not yet edited this file

**REPO OWNER**: Do you want Customer Service & Support (CSS) support for this product/project?

- **No CSS support:** Fill out this template with information about how to file issues and get help.
- **Yes CSS support:** Fill out an intake form at [aka.ms/onboardsupport](https://aka.ms/onboardsupport). CSS will work with/help you to determine next steps.
- **Not sure?** Fill out an intake as though the answer were "Yes". CSS will help you decide.

*Then remove this first heading from this SUPPORT.MD file before publishing your repo.*

# Support

## How to file issues and get help

This project uses GitHub Issues to track bugs and feature requests. Please search the existing issues before filing new issues to avoid duplicates. For new issues, file your bug or feature request as a new Issue.

For help and questions about using this project, please **REPO MAINTAINER: INSERT INSTRUCTIONS HERE FOR HOW TO ENGAGE REPO OWNERS OR COMMUNITY FOR HELP. COULD BE A STACK OVERFLOW TAG OR OTHER CHANNEL. WHERE WILL YOU HELP PEOPLE?**.

## Microsoft Support Policy

Support for this **PROJECT or PRODUCT** is limited to the resources listed above.

--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
title: TechExcel Sentinel onboarding
description: The goal of this lab is to practice configuring an environment designed for managing Windows and Linux security events in Microsoft Sentinel.
theme: just-the-docs

aux_links:
  "TechExcel: Sentinel onboarding and migration acceleration (level 300 / CSU) lab":
    - "https://github.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/"

callouts_level: quiet # or loud
callouts:
  highlight:
    color: yellow
  important:
    title: Important
    color: blue
  new:
    title: New
    color: green
  note:
    title: Note
    color: purple
  warning:
    title: Warning
    color: red

--------------------------------------------------------------------------------
/_includes/components/breadcrumbs.html:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/docs/Ex01/0101.md:
--------------------------------------------------------------------------------
---
title: '1. Configure data storage for up to 15 years'
layout: default
nav_order: 1
parent: 'Lab 1 Exercise 1: Configure the Azure environment for Microsoft Sentinel'
---

# Task 1.1: Configure data storage for up to 15 years

In this task you'll configure data storage for up to 15 years to comply with legal requirements, improve business continuity in the event of disasters or outages, and provide a source for long-term data analysis and insight services.

The following document may help you complete this task.

- [Configure a lifecycle management policy](https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal#create-or-manage-a-policy)

---

1. Sign in to @lab.VirtualMachine(Windows 11).SelectLink using these credentials:

    | | |
    |:--|:--|
    | Username | **Your Windows user** |
    | Password | **Your Windows password** |

1. 
Open Microsoft Edge, go to the [Azure portal](https://portal.azure.com), then sign in using these credentials:

    | | |
    |:--|:--|
    | Username | **Your Azure user** |
    | Password | **Your Azure password** |

    {: .warning }
    > If you encounter the **Welcome to Microsoft Azure** screen, select **Get started** and then select **Skip** on the next two screens.

1. In the Azure search box, search for and select **Storage accounts**.

1. In the list of storage accounts, select the account named **genstor\***.

1. On the **Storage account** pane, in the left navigation, under **Data management**, select **Lifecycle management**, and then select **+ Add a rule**.

    ![addarule.png](../media/addarule.png)

1. On the Add a rule page, complete the fields using the following table and then select **Next**:

    | Field | Value |
    |:-----|:-----|
    | Rule name | **15year** |
    | Rule scope | **Limit blobs with filters** |
    | Blob type | **Block blobs** |
    | Blob subtype | **Base blobs** |

    ![addaruledetails.png](../media/addaruledetails.png)

1. On the **Base blobs** tab, complete the fields using the following table and then select **Next**:

    | Field | Value |
    |:-----|:-----|
    | Base blobs were | **Created** |
    | More than (days ago) | **5475** |
    | Then | **Delete the blob** |

    {: .note }
    > Lifecycle rules are expressed in days, not years. The lab uses 15 × 365 = 5475, which ignores leap days; a real 15-year span contains three or four leap days (typically 5478 or 5479 days), so round up if the retention mandate is measured in calendar years. Also note what this rule does and does not do: a delete rule removes blobs once they age out, but it does nothing to stop someone deleting them earlier. If 15 years is a legal minimum rather than a maximum, protect the container with a time-based immutability policy as well.

    ![addarulebaseblobs.png](../media/addarulebaseblobs.png)

1. On the **Filter set** tab, accept the defaults, and then select **Add**.

--------------------------------------------------------------------------------
/docs/Ex01/0102.md:
--------------------------------------------------------------------------------
---
title: '2. Configure storage account as geo-redundant storage'
layout: default
nav_order: 2
parent: 'Lab 1 Exercise 1: Configure the Azure environment for Microsoft Sentinel'
---

# Task 1.2: Configure storage account as geo-redundant storage

In this task you'll make sure the primary storage account uses geo-redundant storage (GRS), so that the retained data survives a regional outage and meets the availability, disaster recovery and compliance requirements that go with a long retention policy.

The following document may help you complete this task.

- [Change how a storage account is replicated](https://learn.microsoft.com/en-us/azure/storage/common/redundancy-migration?tabs=portal)

---

1. On the **Storage account** pane, in the left navigation, under **Data management**, select **Redundancy**.

1. On the Redundancy page, change the Redundancy field from **Locally-redundant storage (LRS)** to **Geo-redundant storage (GRS)**, then select **Save**.

    ![redundancygrs.png](../media/redundancygrs.png)

    {: .note }
    > The page shows the secondary region and the failover status once the initial copy of existing data to the secondary region has completed, which can take a few minutes. Replication to the secondary region is asynchronous, so the secondary can lag the primary. You can continue with the next task while this runs in the background.

--------------------------------------------------------------------------------
/docs/Ex01/0103.md:
--------------------------------------------------------------------------------
---
title: '3. Configure Microsoft Sentinel to export data into the Storage account'
layout: default
nav_order: 3
parent: 'Lab 1 Exercise 1: Configure the Azure environment for Microsoft Sentinel'
---

# Task 1.3: Configure Microsoft Sentinel to export data into the Storage account

In this task you'll create the Log Analytics workspace that Microsoft Sentinel will run on, and configure a data export rule that continuously copies the selected tables into the storage account. This keeps the data for long-term retention beyond the workspace's own retention limits and makes it available to other Azure services for analytics and automation.

The following document may help you complete this task.

- [Log Analytics workspace data export in Azure Monitor](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-data-export?tabs=portal)

---

1. In the Azure search box, enter **Log Analytics workspaces**, and then select **Log Analytics workspaces** from the results.

1. On the Log Analytics workspaces page, select **+ Create**.

    ![loganalyticsworkspacescreate.png](../media/loganalyticsworkspacescreate.png)

1. On the Create Log Analytics workspace page, complete the fields using the following table, then select **Review + Create**:

    | Field | Value |
    |:-----|:-----|
    | Subscription | Default: **@lab.CloudSubscription.Name** |
    | Resource Group | **@lab.CloudResourceGroup(RG1).Name** |
    | Name | **loganalytics-workspace** |
    | Region | **@lab.CloudResourceGroup(RG1).Location** |

1. Once validation has passed, select **Create**.

1. Once the deployment has completed and you get a notification, select **Go to resource**.

    ![loganaliticsdeploymentcomplete.png](../media/loganaliticsdeploymentcomplete.png)

1. On the loganalytics-workspace page, in the left navigation, under **Settings**, select **Data export**.

1. On the Data export page, select **+ New export rule**.

1. On the Create export rule page, on the **Basics** tab, enter the rule name **exporttostorage**, then select **Next**.

1. On the **Source** tab, select the **Table name** checkbox to select all the entries in the list.

    {: .note }
    > This list contains the tables whose data will be exported. Data export supports a defined set of tables, so a table that is not listed here cannot be exported with this feature. Every exported gigabyte is billed, so outside the lab narrow the selection to the tables you actually need to retain.

    ![createexportrulesource.png](../media/createexportrulesource.png)

1. Select **Next**.

1. 
On the **Destination** tab, complete the fields using the table below and then select **Next**:

    | Field | Value |
    |:-----|:-----|
    | Destination type | **Storage account** |
    | Subscription | **@lab.CloudSubscription.Name** |
    | Storage account | **genstor\*** |

    ![createexportruledestination.png](../media/createexportruledestination.png)

1. Select **Create** to create the export rule.

--------------------------------------------------------------------------------
/docs/Ex01/Ex01.md:
--------------------------------------------------------------------------------
---
title: 'Lab 1 Exercise 1: Configure the Azure environment for Microsoft Sentinel'
layout: default
nav_order: 2
has_children: true
---

# Lab 1: Introduction to Microsoft Sentinel, Azure Monitor Agent, and syslog incident monitoring

# Exercise 1: Configure the Azure environment for Microsoft Sentinel

As part of Humongous IT's cloud modernization efforts, Elisabeth Eriksson, the Azure admin, is in charge of preparing the Azure environment so that Microsoft Sentinel can be used for comprehensive threat detection and response. The preparatory steps she undertakes include:

- Configuring long-term data storage for up to 15 years, essential for meeting legal retention mandates, enhancing business continuity, and facilitating in-depth data analysis for strategic insights.
- Establishing the primary storage account with geo-redundant storage to ensure data is highly available, aiding in disaster recovery and meeting compliance requirements.
- Exporting data from the Microsoft Sentinel workspace into the configured storage account, ensuring data is preserved for security analysis while also enabling integration with other Azure services for improved analytics and process automation.
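As an added example that is not part of the lab and not Microsoft's code, the following Python expresses the Exercise 1 retention rule (Task 1.1) and export rule (Task 1.3) as the documents and CLI arguments you would hand to the Azure CLI instead of clicking through the portal, and shows the leap-day gap behind the lab's 5475-day figure. The resource group `RG1`, storage account `genstor` and the `<subscription-id>` placeholder are assumptions, not values from the lab; nothing in the script contacts Azure.

```python
"""Added example, not part of the lab or of Microsoft's code: the Exercise 1
retention rule (Task 1.1) and export rule (Task 1.3) as the JSON and CLI
arguments you would hand to the Azure CLI, plus the arithmetic behind the
lab's "15 years = 5475 days". Nothing here contacts Azure.
Assumed placeholders (not from the lab): resource group "RG1", storage
account "genstor", subscription id "<subscription-id>".
"""
import calendar
import datetime as dt
import json

LAB_RETENTION_DAYS = 5475  # 15 * 365, the value the lab types into the portal


def retention_days(years: int, start: dt.date) -> int:
    """Exact day count from `start` to the same calendar date `years` later.

    Lifecycle rules take days, so a mandate written in calendar years must be
    converted; this counts leap days instead of assuming 365-day years.
    A Feb 29 start is clamped to Feb 28 when the target year is not leap.
    """
    end_year = start.year + years
    last_day = calendar.monthrange(end_year, start.month)[1]
    end = dt.date(end_year, start.month, min(start.day, last_day))
    return (end - start).days


def lifecycle_policy(days: int, rule_name: str = "15year") -> dict:
    """Management policy equivalent to the Task 1.1 portal rule: delete base
    block blobs more than `days` days after creation. This is the document
    passed to `az storage account management-policy create --policy @file`."""
    return {"rules": [{
        "enabled": True,
        "name": rule_name,
        "type": "Lifecycle",
        "definition": {
            "actions": {"baseBlob": {"delete": {"daysAfterCreationGreaterThan": days}}},
            "filters": {"blobTypes": ["blockBlob"]},
        },
    }]}


def check_retention(policy: dict, required_days: int) -> list[str]:
    """Review checks before applying a retention policy: every rule must be
    enabled, and no delete action may fire before the mandate has elapsed.
    A lifecycle delete is an upper bound on retention, not a guarantee, so
    this only catches premature deletion by the policy itself."""
    findings: list[str] = []
    for rule in policy.get("rules", []):
        name = rule.get("name", "<unnamed>")
        if not rule.get("enabled", False):
            findings.append(f"{name}: rule is disabled")
        actions = rule.get("definition", {}).get("actions", {})
        for scope in ("baseBlob", "snapshot", "version"):
            delete = actions.get(scope, {}).get("delete")
            if not delete:
                continue
            days = next(iter(delete.values()))  # daysAfterCreation/Modification...
            if days < required_days:
                findings.append(
                    f"{name}: {scope} deleted after {days} days, "
                    f"mandate requires {required_days}"
                )
    return findings


def export_rule_command(
    tables: list[str],
    subscription_id: str = "<subscription-id>",  # assumed placeholder
    resource_group: str = "RG1",                 # assumed
    workspace: str = "loganalytics-workspace",   # from the lab
    storage_account: str = "genstor",            # assumed; the lab shows genstor*
    rule_name: str = "exporttostorage",          # from the lab
) -> list[str]:
    """Azure CLI argv equivalent to the Task 1.3 export rule. Data export only
    supports a defined set of tables and bills per exported GB, so tables are
    named explicitly rather than 'select all'."""
    destination = (
        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.Storage/storageAccounts/{storage_account}"
    )
    return [
        "az", "monitor", "log-analytics", "workspace", "data-export", "create",
        "--resource-group", resource_group,
        "--workspace-name", workspace,
        "--name", rule_name,
        "--tables", *tables,
        "--destination", destination,
    ]


if __name__ == "__main__":
    today = dt.date.today()
    exact = retention_days(15, today)
    print(f"15 years from {today} is {exact} days; the lab uses {LAB_RETENTION_DAYS}")
    policy = lifecycle_policy(LAB_RETENTION_DAYS)
    print(json.dumps(policy, indent=2))
    for finding in check_retention(policy, exact):
        print("FINDING:", finding)
    print(" ".join(export_rule_command(["SecurityEvent", "Syslog"])))
```

Write the policy out with `json.dumps` and apply it with `az storage account management-policy create --account-name genstor --resource-group RG1 --policy @policy.json`, but run `check_retention` against the exact day count first: the lab's 5475 fails that check for any 15-year span containing four leap days. The lifecycle rule only ever deletes, so if the 15 years is a floor rather than a ceiling, pair it with a time-based immutability policy on the container.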
17 | 18 | These actions are critical for the cloud modernization and standardization initiative approved by Humongous IT’s board, as they move towards a more secure and efficient cloud infrastructure. 19 | 20 | 21 | -------------------------------------------------------------------------------- /docs/Ex02/0201.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: '1. Create a Microsoft Sentinel instance in Azure' 3 | layout: default 4 | nav_order: 1 5 | parent: 'Lab 1 Exercise 2: Stand up Microsoft Sentinel with Windows and Linux data connectors' 6 | --- 7 | 8 | # Task 2.1: Create a Microsoft Sentinel instance in Azure 9 | 10 | In this task you'll enable Microsoft Sentinel to set up data connectors to monitor and protect your environment. 11 | 12 | The following documents may help you complete this task. 13 | 14 | - [Quickstart: Onboard Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/quickstart-onboard) 15 | - [Create a Log Analytics workspace](https://learn.microsoft.com/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal) 16 | 17 | --- 18 | 19 | 1. In the Azure search box, enter **Microsoft Sentinel**, and then select **Microsoft Sentinel** from the results. 20 | 21 | 1. On the menu, select **+ Create** to add Sentinel to the loganalytics-workspace that you created previously. 22 | 23 | ![microsoftsentinelcreate.png](../media/microsoftsentinelcreate.png) 24 | 25 | 1. On the Add Microsoft Sentinel to a workspace page, under **Workspace**, select **loganalytics-workspace**, and then select **Add**. 26 | 27 | ![microsoftsentineladdtoworkspace.png](../media/microsoftsentineladdtoworkspace.png) 28 | 29 | {: .warning } 30 | > If the addition of Microsoft Sentinel to the workspace fails retry the addition of the workspace. 31 | 32 | 1. 
Once Microsoft Sentinel has successfully been added to the **loganalytics-workspace** workspace, select **OK** to close the **Microsoft Sentinel free trial activated** message. 33 | -------------------------------------------------------------------------------- /docs/Ex02/0202.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: '2. Set up a data connector for Linux' 3 | layout: default 4 | nav_order: 2 5 | parent: 'Lab 1 Exercise 2: Stand up Microsoft Sentinel with Windows and Linux data connectors' 6 | --- 7 | 8 | # Task 2.2: Set up a data connector for Linux 9 | 10 | Now that Microsoft Sentinel is set up, we can configure data connectors. For this task, we'll connect Syslog. 11 | 12 | Syslog is an event logging protocol that's common on Linux. You can use the Syslog daemon built into Linux devices and appliances to collect local events of the facilities and severities you specify, and have the Azure Monitor Agent (AMA) send those events to Microsoft Sentinel according to a data collection rule. 13 | 14 | The following documents may help you complete this task. 15 | 16 | - [Microsoft Sentinel data connectors](https://learn.microsoft.com/azure/sentinel/connect-data-sources) 17 | - [Connect SysLog - Configure your Linux machine or appliance](https://learn.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-your-linux-machine-or-appliance) 18 | 19 | --- 20 | 21 | 1. On the Microsoft Sentinel page, under **Configuration**, select **Data connectors**. 22 | 23 | 1. On the Connectors summary bar, select **More content at Content hub**. 24 | 25 | ![E1-T2a-S2-More-Content-At-Content-Hub.png](../media/E1-T2a-S2-More-Content-At-Content-Hub.png) 26 | 27 | 1. On the Content hub page, select the **Provider** filter and clear the **All** checkbox. 28 | 29 | 1. In the **Provider** search box, enter **Microsoft**, select **Microsoft** from the results, and then select **Apply**.
30 | 31 | ![E1-T2a-S3-Provider-Microsoft.png](../media/E1-T2a-S3-Provider-Microsoft.png) 32 | 33 | 1. On the Content hub page in the search box, enter **Syslog**, and then select **Syslog** from the results. 34 | 35 | 1. On the **Syslog details** panel, review the description, and then select **Install**. 36 | 37 | ![E1-T2a-S5-Install-Syslog.png](../media/E1-T2a-S5-Install-Syslog.png) 38 | 39 | 1. When the installation of the Syslog connector has completed, return to the Data connectors page by selecting **Microsoft Sentinel Data connectors** on the breadcrumb at the top of the page. 40 | 41 | ![Data-connectors-breadcrumb.png](../media/Data-connectors-breadcrumb.png) 42 | 43 | 1. On the Microsoft Sentinel Data connectors page, in the **Search by name or provider** box, enter **Syslog**. 44 | 45 | ![E1-T2-S7-Syslog-Via-AMA.png](../media/E1-T2-S7-Syslog-Via-AMA.png) 46 | 47 | {: .warning } 48 | > If the **Syslog via AMA** data connector does not appear in the list, select **Refresh** from the menu. 49 | 50 | 1. Select the **Syslog via AMA** connector from the list to configure the Linux system log connector. 51 | 52 | 1. On the **Syslog via AMA** pane, select **Open connector page**. 53 | 54 | 1. On the Syslog via AMA page, under **Configuration**, select **+Create data collection rule**. 55 | 56 | ![E1-T2-S10-Select-Create-Data-Collection-Rule.png](../media/E1-T2-S10-Select-Create-Data-Collection-Rule.png) 57 | 58 | 1. On the **Basic** tab of the Create Data Collection Rule page, complete the fields using the table below and then select **Next: Resources >**: 59 | 60 | | Field | Value | 61 | |:-----|:-----| 62 | | Rule name | **linuxdata** | 63 | | Subscription | **@lab.CloudSubscription.Name** | 64 | | Resource group | **@lab.CloudResourceGroup(RG1).Name** | 65 | 66 | 1. On the **Resources** tab of the Create Data Collection Rule page, expand the **@lab.CloudSubscription.Name** scope and then expand the **@lab.CloudResourceGroup(RG1).Name**. 67 | 68 | 1. 
Select the **Linux1** virtual machine checkbox, and then select **Next: Collect >**: 69 | 70 | ![E1-T2-S13-Select-Linux1.png](../media/E1-T2-S13-Select-Linux1.png) 71 | 72 | 1. On the **Collect** tab of the Create Data Collection Rule page, scroll down to the **LOG_SYSLOG** facility, set the **Minimum log level** to **LOG_NOTICE**, and then select **Next: Review + create >**. 73 | 74 | ![E1-T2-S15-Set-SysLog-Level.png](../media/E1-T2-S15-Set-SysLog-Level.png) 75 | 76 | 1. Once the validation has passed, select **Create**. 77 | 78 | {: .note } 79 | > If the Syslog data connector process is slow to complete, you can monitor it by opening the notifications panel. To do this, select the bell icon at the top of the Azure screen and examine the notification titled **Connecting VM 'Linux1'...** 80 | > 81 | >![opennotifications.png](../media/opennotifications.png) 82 | 83 | 1. On the Syslog via AMA page, in the Configuration section, select **Refresh** until the data collection rule **linuxdata** is shown in the list. 84 | 85 | ![E1-T2-S16-Refresh-Data-Rules.png](../media/E1-T2-S16-Refresh-Data-Rules.png) 86 | 87 | {: .note } > The remaining steps in this task configure the **Syslog via Legacy Agent** connector, which installs the Log Analytics agent on the virtual machine rather than the Azure Monitor Agent. Collection from **Linux1** through the **linuxdata** data collection rule does not depend on these steps. 1. On the Syslog via Legacy Agent page, in the **Configuration** section, expand the option **Install agent on Azure Linux Virtual Machine**. 88 | 89 | ![syslogconfiginstall.png](../media/syslogconfiginstall.png) 90 | 91 | 1. Select the **Download & install agent for Azure Linux Virtual machines** link. 92 | 93 | 1. From the list of Virtual machines, select the entry named **Linux1**. 94 | 95 | ![virtualmachineslinux1.png](../media/virtualmachineslinux1.png) 96 | 97 | 1. To complete the connection, on the Linux1 page, select **Connect**. 98 | 99 | ![linux1connect.png](../media/linux1connect.png) 100 | 101 | {: .note } 102 | > This process can take a couple of minutes to complete. 103 | 104 | 1.
Once the connection has completed, return to the Syslog via Legacy Agent page by selecting **Syslog via Legacy Agent** in the breadcrumb navigation at the top of the page. 105 | 106 | ![Data-connectors-breadcrumb-syslog.png](../media/Data-connectors-breadcrumb-syslog.png) 107 | 108 | 1. On the Syslog page, at the bottom of the Configuration section, select the **Open your workspace agents configuration** link. 109 | 110 | ![openyourworkspaceagentsconfiguration.png](../media/openyourworkspaceagentsconfiguration.png) 111 | 112 | 1. Select **+ Add facility** to define the facilities to collect and then select **syslog** from the list. 113 | 114 | ![addfacilitysyslog.png](../media/addfacilitysyslog.png) 115 | 116 | 1. Un-select all checkboxes except the **Notice** checkbox and then select **Apply**. 117 | 118 | ![facilitysyslogconfig.png](../media/facilitysyslogconfig.png) 119 | -------------------------------------------------------------------------------- /docs/Ex02/0203.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: '3. Set up a data connector for Windows' 3 | layout: default 4 | nav_order: 3 5 | parent: 'Lab 1 Exercise 2: Stand up Microsoft Sentinel with Windows and Linux data connectors' 6 | --- 7 | 8 | # Task 2.3: Set up a data connector for Windows 9 | 10 | Here we'll connect Security Events via AMA and create a data collection rule for our Windows machine. The Azure Monitor agent uses data collection rules (DCR) to configure data to collect from each agent. Data collection rules enable the manageability of collection settings at scale for different groups of environments or machines, which results in lower cost and fewer events. 11 | 12 | The following documents may help you complete this task. 
13 | 14 | - [Find your Microsoft Sentinel data connector - Microsoft Learn](https://learn.microsoft.com/en-us/azure/sentinel/data-connectors-reference#windows-security-events-via-ama) 15 | - [Collect Security Events in Microsoft Sentinel with the new AMA agent and DCR](https://jeffreyappel.nl/collect-security-events-in-sentinel-with-the-new-ama-agent-and-dcr/#:~:text=For%20enabling%20the%20new%20connector%2C%20take%20the%20following,Security%20events%204%20Open%20the%20connector%20page%20%283%29) 16 | - [Manage Azure Monitor Agent](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal) 17 | 18 | --- 19 | 20 | 1. Return to the Microsoft Sentinel Data connectors page by selecting it in the breadcrumb navigation at the top of the page. 21 | 22 | ![Data-connectors-breadcrumb-data-connectors.png](../media/Data-connectors-breadcrumb-data-connectors.png) 23 | 24 | 1. On the Data connectors page, select **More content at Content hub**. 25 | 26 | ![E1-T2a-S2-More-Content-At-Content-Hub.png](../media/E1-T2a-S2-More-Content-At-Content-Hub.png) 27 | 28 | 1. On the Content hub page, select the **Provider** filter and unselect the **All** checkbox. 29 | 30 | 1. In the **Search** box, enter **Microsoft**, select Microsoft, and then select **Apply**. 31 | 32 | ![E1-T2a-S3-Provider-Microsoft.png](../media/E1-T2a-S3-Provider-Microsoft.png) 33 | 34 | 1. On the Content hub page, in the **Search** box, enter **Windows Security Events**, and then select Windows Security Events from the results. 35 | 36 | 1. On the Windows Security Events details page, review the description, and then select **Install**. 37 | 38 | ![install-windowssecurityevents.png](../media/install-windowssecurityevents.png) 39 | 40 | 1. When the installation of the Windows Security Events connector has completed, select **Microsoft Sentinel Data connectors** on the breadcrumb navigation at the top of the page to return to the Data connectors page. 
41 | 42 | ![Data-connectors-breadcrumb.png](../media/Data-connectors-breadcrumb.png) 43 | 44 | 1. On the Microsoft Sentinel Data connectors page, in the **Search by name or provider** search box, enter **Windows Security Events**. 45 | 46 | ![data-connectors-windows-security-events.png](../media/data-connectors-windows-security-events.png) 47 | 48 | {: .warning } 49 | > If the **Windows Security Events via AMA** Data connector does not appear in the list select **Refresh** from the menu. 50 | 51 | 1. Select **Windows Security Events via AMA** connector to configure the Windows Security Events connector . 52 | 53 | 1. On the right, on the **Windows Security Events via AMA** pane, select **Open connector page**. 54 | 55 | 1. On the Windows Security Events via AMA page, in the **Configuration** section, select **+Create data collection rule**. 56 | 57 | ![amacreatedatacollectionrule.png](../media/amacreatedatacollectionrule.png) 58 | 59 | 1. On the **Create Data Collection Rule** panel, on the **Basics** tab, in the **Rule Name** box, enter **windowsdata**. 60 | 61 | 1. Verify that the subscription is set to **@lab.CloudSubscription.Name** and the Resource Group is set to **@lab.CloudResourceGroup(RG1).Name** and then select **Next : Resources >**. 62 | 63 | 1. On the **Resources** tab, expand **@lab.CloudSubscription.Name**, and then expand **@lab.CloudResourceGroup(RG1).Name** 64 | 65 | 1. Select the **Windows1** Virtual machine scope checkbox, and then select **Next : Collect >**. 66 | 67 | ![selectwinscope.png](../media/selectwinscope.png) 68 | 69 | 1. On the **Collect** tab, leave the **All Security Events** option selected, and then select **Next : Review + create >**. 70 | 71 | 1. Once the validation has passed, on the **Review + create** tab select **Create**. 72 | 73 | 1. On the Windows Security Events AMA page, in the Configuration section, select **Refresh** until the data collection rule **windowsdata** is shown in the list. 
74 | 75 | ![refreshconfiguration.png](../media/refreshconfiguration.png) 76 | -------------------------------------------------------------------------------- /docs/Ex02/Ex02.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: 'Lab 1 Exercise 2: Stand up Microsoft Sentinel with Windows and Linux data connectors' 3 | layout: default 4 | nav_order: 3 5 | has_children: true 6 | --- 7 | 8 | # Exercise 2: Stand up Microsoft Sentinel with Windows and Linux data connectors 9 | 10 | Now that the prerequisite Azure setup has been completed you've been assigned the task of standing up Microsoft Sentinel and instantiating Windows and Linux data connectors. 11 | 12 | Connecting Microsoft Sentinel to the workspace previously created will automatically configure a new instance of Microsoft Sentinel in the Azure environment. Once this has been completed the task of creating data connectors will complete the setup and configuration of Microsoft Sentinel. 13 | -------------------------------------------------------------------------------- /docs/Ex03/0301.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: '1. Create an Analytics rule using the Windows Security events clear template' 3 | layout: default 4 | nav_order: 1 5 | parent: 'Lab 1 Exercise 3: Data Operations' 6 | --- 7 | 8 | # Task 3.1: Create an Analytics rule using the Windows Security events clear template 9 | 10 | In this task you'll create an Analytics rule to handle Windows Security event log clearing incidents and create automation to report on these incidents. 11 | 12 | {: .note } 13 | > Events are being triggered in this lab every 5 minutes, incidents should eventually appear on their own. 14 | 15 | The following documents may help you complete this task. 
16 | 17 | - [Azure Sentinel: Using rule templates](https://techcommunity.microsoft.com/t5/itops-talk-blog/azure-sentinel-using-rule-templates/ba-p/2028427) 18 | 19 | --- 20 | 21 | 1. Return to the Microsoft Sentinel Data connectors page by selecting it in the breadcrumb navigation at the top of the page. 22 | 23 | ![Data-connectors-breadcrumb.png](../media/Data-connectors-breadcrumb.png) 24 | 25 | 1. On the left navigation, scroll down to **Configuration**, then select **Analytics**. 26 | 27 | 1. On the **Rule templates** tab, in the **Search by ID, name, tactic or technique** box, search for and select **NRT Security Event log cleared**. 28 | 29 | ![security-event-rule-template.png](../media/security-event-rule-template.png) 30 | 31 | 1. On the **NRT Security Event log cleared** panel to the right, review the details and select **Create rule**. 32 | 33 | 1. On the Analytics rule wizard - Create new NRT rule page, on the **General** tab, accept the defaults and select **Next : Set rule logic >**. 34 | 35 | 1. On the **Set rule logic** tab, review the values and select **Next : Incident settings >**. 36 | 37 | 1. On the **Incident settings** tab, review the values and select **Next : Automated response >**. 38 | 39 | 1. On the **Automated response** tab, select **Next : Review + create >**. 40 | 41 | {: .note } 42 | > A new automation rule will be added to this rule later in this exercise. 43 | 44 | 1. Once the validation has completed successfully, select **Save**. 45 | -------------------------------------------------------------------------------- /docs/Ex03/0302.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: '2. Create a Microsoft Sentinel Playbook' 3 | layout: default 4 | nav_order: 2 5 | parent: 'Lab 1 Exercise 3: Data Operations' 6 | --- 7 | 8 | # Task 3.2: Create a Microsoft Sentinel Playbook 9 | 10 | In this task, you'll create a playbook from a template. Later in this exercise, an automation rule will run this playbook for each incident raised by the **NRT Security Event log cleared** rule.
A playbook template is a pre-built, tested, and ready-to-use workflow that can be customized to meet your needs. Templates can also serve as a reference for best practices when developing playbooks from scratch, or as inspiration for new automation scenarios. 11 | 12 | Playbook templates are not active playbooks themselves until you create a playbook (an editable copy of the template) from them. 13 | 14 | The following documents may help you complete this task. 15 | 16 | - [Automate threat response with playbooks in Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks) 17 | - [Create and customize Microsoft Sentinel playbooks from built-in templates](https://learn.microsoft.com/en-us/azure/sentinel/use-playbook-templates) 18 | 19 | --- 20 | 21 | 1. In the upper left, select the hamburger icon ![Hamburger-Menu.png](../media/Hamburger-Menu.png), then select **Home** to return to the Microsoft Azure home page. 22 | 23 | 1. On the Microsoft Azure Home page, under **Azure services**, select **Microsoft Sentinel**. 24 | 25 | ![azureservicesmicrosoftsentinel.png](../media/azureservicesmicrosoftsentinel.png) 26 | 27 | 1. On the Microsoft Sentinel page, from the list select the workspace named **loganalytics-workspace**. 28 | 29 | ![E3-T1-S2-Sentinel-LogAb.png](../media/E3-T1-S2-Sentinel-LogAb.png) 30 | 31 | {: .note } 32 | > A message titled **Microsoft Sentinel free trial activated** may be displayed. You can safely select **OK** to close this dialog. 33 | 34 | 1. On the **Microsoft Sentinel** pane, in the left navigation, scroll down to **Configuration** and select **Automation**. 35 | 36 | 1. On the **Automation rules** tab, scroll to the bottom of the page and select **Configure permissions**. 37 | 38 | ![automation-rules-configure-permissions.png](../media/automation-rules-configure-permissions.png) 39 | 40 | 1.
On the Manage permissions page select the resource group **@lab.CloudResourceGroup(RG1).Name** from the list and then select **Apply**. 41 | 42 | {: .note } 43 | > The resource group **@lab.CloudResourceGroup(RG1).Name** will be moved from the **Browse** tab to the **Current permissions** tab. 44 | 45 | 1. To return to the Microsoft Sentinel Automation page select **Cancel**. 46 | 47 | 1. On the Microsoft Sentinel Automation page select the **More content at Content hub** link. 48 | 49 | ![automation-rules-more-content.png](../media/automation-rules-more-content.png) 50 | 51 | 1. On the Content hub page select the Provider filter and clear the **All** box 52 | 53 | 1. Search for and select **Microsoft**, and then select **Apply**. 54 | 55 | ![E1-T2a-S3-Provider-Microsoft.png](../media/E1-T2a-S3-Provider-Microsoft.png) 56 | 57 | 1. On the Content hub page in the search box, search for and then select **Watchlists Utilities**. 58 | 59 | 1. On the **WatchlistsUtilities details** panel review the description and then select **Install**. 60 | 61 | ![watchlists-utilities-install.png](../media/watchlists-utilities-install.png) 62 | 63 | 1. Return to the Microsoft Sentinel Automation page by selecting the **Microsoft Sentinel Automation** breadcrumb navigation at the top of the page. 64 | 65 | ![automation-breadcrumb.png](../media/automation-breadcrumb.png) 66 | 67 | 1. On the Microsoft Sentinel Automation page select the **Playbook templates (Preview)** tab. 68 | 69 | ![playbooktemplatestab.png](../media/playbooktemplatestab.png) 70 | 71 | {: .warning } 72 | > If the list of Playbook templates does not appear in the list select **Refresh** from the menu at the top of the Microsoft Sentinel Automation page. 73 | 74 | 1. In the **Search by name** search box, search for and select **Add Host to Watchlist - Incident Trigger**. 75 | 76 | ![automationsearchbyname.png](../media/automationsearchbyname.png){350} 77 | 78 | 1. 
On the right in the **Add Host to Watchlist - Incident Trigger** panel select **Create playbook**. 79 | 80 | {: .note } 81 | > If the right panel is not visible select the **<<** icon to expand the panel. 82 | > ![E3-T2-S15-Expand-Right-Panel.png](../media/E3-T2-S15-Expand-Right-Panel.png) 83 | 84 | 1. On the Create playbook page, on the **Basics** tab, review the fields and select **Next : Parameters>**. 85 | 86 | 1. On the **Parameters** tab, enter the Watchlist Alias **SecurityEventLogClear** and then select **Next : Connections >**. 87 | 88 | 1. On the **Connections** tab, select **Next : Review and create >**. 89 | 90 | 1. On the **Review and create** tab, review all the settings and select **Create playbook** and wait for the deployment to complete. 91 | 92 | {: .note } 93 | > You can select the **Bell** icon at the top to monitor the deployment progress. 94 | -------------------------------------------------------------------------------- /docs/Ex03/0303.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: '3. Add Role-based permission assignments' 3 | layout: default 4 | nav_order: 3 5 | parent: 'Lab 1 Exercise 3: Data Operations' 6 | --- 7 | 8 | # Task 3.3: Add Role-based permission assignments 9 | 10 | In this task you'll configure roles and permissions for Microsoft Sentinel to access the appropriate services. 11 | 12 | The following documents may help you complete this task. 13 | 14 | - [Roles and permissions in Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/roles#other-roles-and-permissions) 15 | - [Assign Azure roles using the Azure portal](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal) 16 | 17 | --- 18 | 19 | 1. For the **Owner** permissions, on the upper left, select the hamburger icon ![Hamburger-Menu.png](../media/Hamburger-Menu.png), then select **Resource groups**. 20 | 21 | 1. 
On the Resource groups page, in the list of resource groups, select **RG1**. 22 | 23 | 1. On the **RG1** pane, in the left navigation, select **Access control (IAM)**. 24 | 25 | 1. On the RG1 Access control (IAM) page, on the menu, select **+ Add** > **Add role assignment**. 26 | 27 | ![addroleassignment.png](../media/addroleassignment.png) 28 | 29 | 1. On the Add role assignment page, select the **Privileged administrator roles** tab. 30 | 31 | ![privileged-administrator-roles.png](../media/privileged-administrator-roles.png) 32 | 33 | 1. In the **Search by role name, description, or ID** search box, search for and select **Owner**, and then select **Next**. 34 | 35 | ![addroleassignmentowner.png](../media/addroleassignmentowner.png) 36 | 37 | 1. On the Add role assignment page, on the **Members** tab, select **+ Select members**. 38 | 39 | ![selectmembers.png](../media/selectmembers.png) 40 | 41 | 1. On the **Select members** panel, in the **Search by name or email address** search box, search for and select **@lab.CloudPortalCredential(User1).Username**, and then select **Select**. 42 | 43 | 1. On the Add role assignment page, select **Next** to progress to the **Conditions** tab. 44 | 45 | 1. Under **What user can do**, select **Allow user to assign all roles (highly privileged)**, and then select **Review + assign**. 46 | 47 | ![role-assignment-conditions.png](../media/role-assignment-conditions.png) 48 | 49 | 1. Select **Review + assign**. 50 | {: .note } > An **Owner** assignment with **Allow user to assign all roles** is the most privileged grant available at this scope: the member can assign any role, including Owner, to any principal within **RG1**. Keep it scoped to the resource group as shown here, and in production prefer the narrowest role that covers the task. 51 | 1. For the **Logic App Contributor** permissions, on the RG1 Access control (IAM) page, select **+ Add** and then select **Add role assignment**. 52 | 53 | ![addroleassignment.png](../media/addroleassignment.png) 54 | 55 | 1. In the **Search by role name, description, or ID** search box, search for and select **Logic App Contributor**, and then select **Next**. 56 | 57 | ![selectlogicappcontributor.png](../media/selectlogicappcontributor.png) 58 | 59 | 1.
On the Add role assignment page, on the **Members** tab, select **+ Select members**. 60 | 61 | ![selectmembers.png](../media/selectmembers.png) 62 | 63 | 1. On the **Select members** panel, in the **Search by name or email address** search box, search for and select **@lab.CloudPortalCredential(User1).Username** and then select **Select**. 64 | 65 | 1. On the Add role assignment page, select **Next**. 66 | 67 | 1. Select **Review + assign**. 68 | 69 | 1. For the **Microsoft Sentinel Contributor** permissions, on the RG1 Access control (IAM) page, select **+ Add** and then select **Add role assignment**. 70 | 71 | 1. In the **Search by role name, description, or ID** search box, search for and select **Microsoft Sentinel Contributor**, and then select **Next**. 72 | 73 | ![selectmicrosoftsentinelcontributor.png](../media/selectmicrosoftsentinelcontributor.png) 74 | 75 | 1. On the Add role assignment page, on the **Members** tab, set the **Assign access to** field to **Managed identity** and then select **+ Select members**. 76 | 77 | ![selectmanagedidentitymembers.png](../media/selectmanagedidentitymembers.png) 78 | 79 | 1. On the **Select managed identities** panel in the **Managed identity** field select **Logic app (1)**. 80 | 81 | 1. Select the managed identity **Add-HostToWatchlist-IncidentTrigger** and then select **Select**. 82 | 83 | ![selectmanagedidentity.png](../media/selectmanagedidentity.png) 84 | 85 | 1. On the Add role assignment page, select **Next** and then select **Review + assign**. 86 | -------------------------------------------------------------------------------- /docs/Ex03/0304.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: '4. 
Modify the Logic app' 3 | layout: default 4 | nav_order: 4 5 | parent: 'Lab 1 Exercise 3: Data Operations' 6 | --- 7 | 8 | # Task 3.4: Modify the Logic app 9 | 10 | Using a premade Logic app, Add-HostToWatchlist-IncidentTrigger, this task will walk you through the Logic app designer to modify it. Azure Logic Apps integration platform provides hundreds of prebuilt connectors so you can connect and integrate apps, data, services, and systems more easily and quickly. You can focus more on designing and implementing your solution's business logic and functionality, not on figuring out how to access your resources. 11 | 12 | The following document may help you complete this task. 13 | 14 | - [Manage logic apps in the Azure portal](https://learn.microsoft.com/en-us/azure/logic-apps/manage-logic-apps-with-azure-portal) 15 | - [Overview - Azure Logic Apps Microsoft Learn](https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-overview) 16 | 17 | --- 18 | 19 | 1. In the Azure **Search resources, services, and docs (G+/)** search box, search for and select **Logic apps**. 20 | 21 | ![selectlogicapps.png](../media/selectlogicapps.png) 22 | 23 | 1. On the Logic apps page, select the logic app named **Add-HostToWatchlist-IncidentTrigger**. 24 | 25 | 1. On the Add-HostToWatchlist-IncidentTrigger page, in the left navigation, under **Development Tools** select **Logic app designer**. 26 | 27 | 1. Under the **Condition - is watchlist available - MDFC** box follow the logic flow under the **False ^** label to the bottom of the tree 28 | 29 | ![E3-T4-S4-Follow-False-Branch.png](../media/E3-T4-S4-Follow-False-Branch.png) 30 | 31 | 1. Scroll to the bottom of the designer and select the last blue box labelled **Watchlists - Create a new watchlist with data** to expand it. 32 | 33 | ![E3-T4-S5-Create-New-Watchlist.png](../media/E3-T4-S5-Create-New-Watchlist.png) 34 | 35 | 1. 
Replace the **Specify Watchlist Fields** with the following text: 36 | 37 | ``` 38 | { 39 | "contentType": "text/csv", 40 | "description": "Watchlist from CSV content", 41 | "displayName": "", 42 | "itemsSearchKey": "HostName", 43 | "numberOfLinesToSkip": 1, 44 | "provider": "Microsoft", 45 | "rawContent": "HostName\r\n", 46 | "source": "Local file" 47 | } 48 | ``` 49 | 50 | 1. In the **Specify Watchlist Fields** field, place the cursor in the value section of the **displayName** key pair and then display the **Insert Expression** dialog by selecting the **fx** icon. 51 | 52 | ![E3-T4-S7-fx-Icon.png](../media/E3-T4-S7-fx-Icon.png) 53 | 54 | 1. Select the **Dynamic content** tab and then search for, and select, the variable **Watchlist alias**. 55 | 56 | 1. To insert the variable definition into the Watchlist Fields select **Add**. 57 | 58 | ![E3-T4-S10-Add-Watchlist-Alias.png](../media/E3-T4-S10-Add-Watchlist-Alias.png) 59 | 60 | 1. In the **Specify Watchlist Fields** field, place the cursor in the value section of the **rawContent** key pair before the closing quote and then display the **Insert Expression** dialog by selecting the **fx** icon. 61 | 62 | 1. Select the **Dynamic content** tab and then search for, and select, the Entity **Hosts Hostname**. 63 | 64 | 1. To insert the variable definition into the Watchlist Fields select **Add**. 65 | 66 | ![E3-T4-S13-Add-Hosts-Hostname.png](../media/E3-T4-S13-Add-Hosts-Hostname.png) 67 | 68 | 1. Verify that the contents of the **Specify Watchlist fields** field match the following image and then select **Save**: 69 | 70 | ![E3-T4-S14-Save-Logic-App-Design.png](../media/E3-T4-S14-Save-Logic-App-Design.png) 71 | -------------------------------------------------------------------------------- /docs/Ex03/0305.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: '5. 
Add automation to the Windows Security event log clear incident' 3 | layout: default 4 | nav_order: 5 5 | parent: 'Lab 1 Exercise 3: Data Operations' 6 | --- 7 | 8 | # Task 3.5: Add automation to the Windows Security event log clear incident 9 | 10 | In this task, you'll attach the modified Logic app to the **NRT Security Event log cleared** analytics rule through an automation rule, so that each incident the rule creates runs the playbook. Automation rules streamline the use of automation in Microsoft Sentinel, enabling you to simplify complex workflows for your threat response orchestration processes. 11 | 12 | The following documents may help you complete this task. 13 | 14 | - [Automate threat response in Microsoft Sentinel with automation rules](https://learn.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules) 15 | - [Create and use Microsoft Sentinel automation rules to manage response](https://learn.microsoft.com/en-us/azure/sentinel/create-manage-use-automation-rules) 16 | 17 | --- 18 | 19 | 1. In the upper left, select the hamburger icon ![Hamburger-Menu.png](../media/Hamburger-Menu.png), then select **Home** to return to the Microsoft Azure home page. 20 | 21 | 1. On the Microsoft Azure Home page, under **Azure services**, select **Microsoft Sentinel**. 22 | 23 | ![azureservicesmicrosoftsentinel.png](../media/azureservicesmicrosoftsentinel.png) 24 | 25 | 1. On the Microsoft Sentinel page, select **loganalytics-workspace**. 26 | 27 | 1. On the left navigation, under **Configuration**, select **Analytics**. 28 | 29 | 1. From the list of Active rules, select the Medium severity rule named **NRT Security Event log cleared**. 30 | 31 | {: .note } 32 | > If necessary, open the **Active rules details** panel on the right by selecting the **<<** icon. 33 | > 34 | > ![activerulesdetails.png](../media/activerulesdetails.png) 35 | 36 | 1. On the **Security Event log cleared details** panel, select **Edit**. 37 | 38 | ![activerulesdetailsedit.png](../media/activerulesdetailsedit.png) 39 | 40 | 1.
On the Analytics rule wizard - Edit existing scheduled rule page, on the **General** tab, review the fields and select the **Automated response** tab. 41 | 42 | ![automatedresponsetab.png](../media/automatedresponsetab.png) 43 | 44 | 1. On the **Automated response** tab select **+ Add new**. 45 | 46 | ![automationrulesaddnew.png](../media/automationrulesaddnew.png) 47 | 48 | 1. In the **Create new automation rule** panel, set the **Automation rule name** to **WinWatchlist**. 49 | 50 | 1. Set the first value in **Actions** to **Run playbook**. 51 | 52 | 1. In the second value in **Actions**, select the **Add-HostToWatchlist-IncidentTrigger** playbook. 53 | 54 | ![actions2entries.png](../media/actions2entries.png) 55 | 56 | 1. Review the rest of the fields and select **Apply**. 57 | 58 | 1. On the Automated response tab, select **Next : Review + create >**. 59 | 60 | 1. Once the Validation process has completed successfully select **Save**. 61 | -------------------------------------------------------------------------------- /docs/Ex03/0306.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: '6. Configure an Azure Analytics rule for Linux' 3 | layout: default 4 | nav_order: 6 5 | parent: 'Lab 1 Exercise 3: Data Operations' 6 | --- 7 | 8 | # Task 3.6: Configure an Azure Analytics rule for Linux 9 | 10 | In this task, you’ll use Sentinel to create a new high priority Scheduled Query Rule for Linux. 11 | 12 | The following documents may help you complete this task. 13 | 14 | - [Create custom analytics rules to detect threats](https://learn.microsoft.com/azure/sentinel/detect-threats-custom) 15 | - [Collect data from Linux-based sources using Syslog](https://learn.microsoft.com/azure/sentinel/connect-syslog) 16 | - [Data collection best practices](https://learn.microsoft.com/azure/sentinel/best-practices-data) 17 | 18 | --- 19 | 20 | 1. 
On the Microsoft Sentinel Analytics page, select **+ Create** > **Scheduled query rule**. 21 | 22 | ![E2-T1-S3-Create-Scheduled-query-rule.png](../media/E2-T1-S3-Create-Scheduled-query-rule.png) 23 | 24 | 1. On the Analytics rule wizard - Create a new scheduled rule, on the General tab, under **Analytics rule details** complete the form using the values in the table below: 25 | 26 | | Field | Value | 27 | |:----|:----| 28 | | Name | ****Linux Custom Rule**** | 29 | | Severity | **High** | 30 | | Status | **Enabled** | 31 | 32 | ![analytics-rule-wizard-general.png](../media/analytics-rule-wizard-general.png) 33 | 34 | 1. Select **Next: Set rule logic**. 35 | 36 | 1. On the **Set rule logic** tab, in the **Rule query** box, enter the following query. 37 | 38 | ```Rule-query-wrap-nocolor 39 | Syslog | where Facility contains "syslog" |where ProcessID == "65536" | project HostName, HostIP, Computer, TimeGenerated, SourceSystem 40 | ``` 41 | 42 | {: .note } 43 | > This query searches for the event code that triggers an incident in Sentinel. 44 | 45 | 1. Under **Query scheduling**, set **Run query every** to **5 minutes**. 46 | 47 | ![E2-T1-S8-Query-Sched-Minutes.png](../media/E2-T1-S8-Query-Sched-Minutes.png) 48 | 49 | 1. To configure the Incident settings select **Next : Incident settings >**. 50 | 51 | 1. On the **Incident settings** tab, under **Incident settings**, verify that **Create incidents from alerts triggered by this analytics rule** is set to **Enabled**. 52 | 53 | ![E2-T1-S10-Incident-settings.png](../media/E2-T1-S10-Incident-settings.png) 54 | 55 | 1. Under **Alert grouping**, verify that **Group related alerts, triggered by this analytics rule, into incidents**, is set to **Disabled** and then select **Next: Automated response >**. 56 | 57 | ![E2-T1-S11-Alert-grouping.png](../media/E2-T1-S11-Alert-grouping.png) 58 | 59 | 1. On the **Automated response** tab select **Next: Review + create**. 60 | 61 | 1. 
On the **Review and create** tab, after validation completes, review the settings, then select **Save**. 62 | 63 | {: .note } 64 | > Upon review, if any of the settings are incorrect, select **Previous** to return to the appropriate tab. 65 | > 66 | >![E2-T1-S13-Review-create-Previous.png](../media/E2-T1-S13-Review-create-Previous.png) 67 | 68 | 1. Once complete, the Microsoft Sentinel Analytics page will display. 69 | -------------------------------------------------------------------------------- /docs/Ex03/0307.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: '7. Test the Analytics rules' 3 | layout: default 4 | nav_order: 7 5 | parent: 'Lab 1 Exercise 3: Data Operations' 6 | --- 7 | 8 | # Task 3.7: Test the Analytics rules 9 | 10 | In this task you'll use Sentinel to create a new high priority Scheduled Query Rule for Linux. 11 | 12 | {: .warning } 13 | > Azure and Microsoft Sentinel can take a significant amount of time to cycle through their queues. This can delay the reporting of incidents by up to 30 minutes. 14 | > 15 | > If all steps during this lab have completed successfully it's still possible for the tests in this task to not return any results in the interim. 16 | 17 | --- 18 | 19 | 1. On the **Microsoft Sentinel Analytics** pane, in the left navigation, under **Threat management** select **Incidents**. 20 | 21 | 1. To confirm that the Windows Security incident has been reported, in the **Search by ID, title, tags, owner or product** search box, enter **NRT Security Event log cleared** and select **Enter**. 22 | - One or more entries should appear in the list of incidents. 23 | 24 | 1. To confirm that the Linux Syslog incident has been reported, in the **Search by ID, title, tags, owner or product** search box, enter **Linux Custom Rule** and select **Enter**. 25 | - One or more entries should appear in the list of incidents. 26 | 27 | 1. 
To confirm that the Windows Security event Watchlist has been created, in the left navigation, under **Configuration** select **Watchlist**. 28 | - The watchlist named **SecurityEventLogClear** should be displayed in the list of Watchlists. 29 | 30 | {: .warning } 31 | > If the **SecurityEventLogClear** Watchlist doesn't appear in the list, select **Refresh** from the menu. 32 | -------------------------------------------------------------------------------- /docs/Ex03/Ex03.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: 'Lab 1 Exercise 3: Data Operations' 3 | layout: default 4 | nav_order: 4 5 | has_children: true 6 | --- 7 | 8 | # Exercise 3: Data Operations 9 | 10 | Now that Microsoft Sentinel has been set up, storage has been configured and data connectors for the Linux and Windows VMs have been created it's time to set up and configure the specific data operations that will be monitored for and reported on. 11 | 12 | As the Azure administrator, you'll need to configure Microsoft Sentinel to handle some representative events in Windows and Linux. For this exercise you'll need to do the following: 13 | 14 | - Create an Analytics rule to handle Windows Security event log clearing incidents and create automation to report on these incidents. 15 | - Create an Analytics rule to handle Linux Syslog injection compromise incidents. 16 | - Configure roles and permissions for Microsoft Sentinel to access the appropriate services. 17 | - Test the Analytics rules to verify that the correct incidents are trapped and reported. 18 | - Modify the Add-HostToWatchList Logic App. 19 | - Configure the Windows data connector to be linked to the modified Logic app. 20 | - Configure an Azure Analytics rule for Linux. 21 | -------------------------------------------------------------------------------- /docs/Ex04/0401.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: '1. 
Export the Splunk data' 3 | layout: default 4 | nav_order: 1 5 | parent: 'Lab 2 Exercise 1: Import Splunk data into Microsoft Sentinel' 6 | --- 7 | 8 | # Task 1.1: Export the Splunk data 9 | 10 | Exporting Splunk data is a straightforward process. For easiest migration it is best to use the json data format. Also, pay attention when identifying the desired rules to be migrated as not all rules can be converted to Azure Sentinel data analytics rules. 11 | 12 | {: .warning } 13 | > You will not require Splunk to complete this task for this lab. These instructions assume that you have access to Splunk and are familiar with the process required to export the data. 14 | 15 | The following document provides more information regarding the process of exporting and migrating Splunk data to Azure Sentinel. 16 | 17 | - [Migrate Splunk detection rules to Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/migration-splunk-detection-rules) 18 | 19 | --- 20 | 21 | 1. Sign in to @lab.VirtualMachine(Windows 11).SelectLink using these credentials: 22 | 23 | | | | 24 | |:--|:--| 25 | | Username | **@lab.VirtualMachine(Windows 11).Username** | 26 | | Password | **@lab.VirtualMachine(Windows 11).Password** | 27 | 28 | 1. Simulate the export of the Splunk data to the **SplunkData.json** file by selecting this link: [Export Splunk data](https://github.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/blob/main/docs/resources/SplunkData.json). 29 | 30 | 1. Open the exported Splunk data file, **SplunkData.json** using Visual Studio Code or a simple text editor like Notepad, and verify that the file contains a valid JSON object. 31 | 32 | ![SplunkData_json_file.png](../media/SplunkData_json_file.png) 33 | 34 | 1. Search the Splunk data file for the following entries. These will be used as part of the validation exercise. 

   - AWS CreateAccessKey
   - Multiple Okta Users With Invalid Credentials From The Same IP
   - 7zip CommandLine To SMB Share Path
   - CIM - Top Data Model Accelerations
   - CIM - Top Data Model Accelerations by Run Duration
--------------------------------------------------------------------------------
/docs/Ex04/0402.md:
--------------------------------------------------------------------------------
---
title: '2. Import the Splunk data into Azure Sentinel using SIEM Migration'
layout: default
nav_order: 2
parent: 'Lab 2 Exercise 1: Import Splunk data into Microsoft Sentinel'
---

# Task 1.2: Import the Splunk data into Azure Sentinel using SIEM Migration

The SIEM migration experience in Azure Sentinel removes the complexity of converting data analytics rules as part of the Splunk rules import process.

The following document may help you complete this task.

- [Migrate to Microsoft Sentinel with the SIEM migration experience](https://learn.microsoft.com/en-us/azure/sentinel/siem-migration)

---

1. Open Microsoft Edge, go to the **[Azure Portal](https://portal.azure.com)** then sign in using these credentials:

   | | |
   |:--|:--|
   | Username | **@lab.CloudPortalCredential(User1).Username** |
   | Password | **@lab.CloudPortalCredential(User1).Password** |

   {: .warning }
   > If you encounter the **Welcome to Microsoft Azure** screen select **Get started** and then select **Skip** on the next two screens.

1. In the **Stay signed in?** dialog box, select the **Don't show this again** box and then select **Yes**.

   {: .note }
   > If you encounter the **Welcome to Microsoft Azure** page select the **Get started** button and then select **Skip** on the next two pages to bypass the survey and Azure tour.

1. In the search bar of the Azure portal, enter and select **Microsoft Sentinel**.

1. Select the Sentinel instance with the prefix **MSSen2Go...** from the list.

   ![sentinel_instance.png](../media/sentinel_instance.png)

1. On the **Microsoft Sentinel** menu, under **Content management**, select **Content hub**.

1. On the **Content hub** menu, select **SIEM Migration**.

   ![siem_migration.png](../media/siem_migration.png)

1. On the **Prerequisites** tab, review the prerequisites necessary for Splunk data import, and then select **Next: Upload file >**.

   {: .note }
   > The instructions provided at the top of the **Upload file** tab provide details on how to export the data from the Splunk instance. This lab assumes that this step has already been completed.

1. Open **Windows File Explorer**, then go to the **C:\Users\Admin\Desktop** folder.

1. Drag the **SplunkData.json** file to the **Upload file** box in Edge.

   A green circle with a checkmark next to the filename will indicate that the file has been appropriately selected.

   {: .note }
   > Alternatively, you can select the **Browse for files** link in the **Upload file** section to navigate to, and select, the **C:\Users\Admin\Desktop\SplunkData.json** file.

1. Select **Next : Configure Rules >** to upload the Splunk data file and define the migration rules.

   {: .note }
   > Some rules will be fully recognized and translated, while others may be only partially translated or may fail. Partially translated rules may require updates to fully migrate the information to Sentinel. Failed translations will not be recognized by Sentinel.

1. On the **Configure Rules** tab, in the **Name** column, select the **ESCU - Windows Query Registry Reg Save - Rule** rule entry that has a Translation State status of **Fully Translated**.

   {: .note }
   > Make sure the **Translation State** is **Fully Translated**.

1. On the **ESCU - Windows Query Registry Reg Save - Rule** pane, review the details of the translated rule, including the rule query, run frequency and other parameters.

   ![splunk_entry_fully_translated2.png](../media/splunk_entry_fully_translated2.png)

1. Back on the **Configure Rules** tab, clear the **Filter** field, then enter and select the **ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule** rule entry that has a Translation State status of **Partially Translated**.

1. On the **ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule** pane, review the details of the partially translated rule, then select **Edit**.

   ![splunk_entry_partially_translated2.png](../media/splunk_entry_partially_translated2.png)

1. On the **Edit SIEM migration rule** pane, under the **Target Query** box, note the following error message. It indicates that an error was detected in the Kusto Query Language (KQL) query.

   ![target_query_error2.png](../media/target_query_error2.png)

1. If you're familiar with this issue, modify the Target query to correct the query.

1. If you're not sure how to correct the query, use the following steps:

   {: .note }
   > To attempt to translate the Splunk query to MS KQL you can use Copilot AI or other tools to do the work for you.

   1. In the **Source Query** box, highlight and then copy the entire query.

   1. Open a new tab in Edge.

   1. Go to **[http://copilot.microsoft.com](http://copilot.microsoft.com)** to access Microsoft Copilot.

   1. In the chat box type:

      > **translate this splunk rule to KQL:**

   1. On a new line in the chat box paste the **Source Query** copied previously and then **submit** the text.

   1. Copy the resulting KQL query from Copilot and paste it into the **Target Query** box on the **Edit SIEM migration rule** pane.

   {: .note }
   > A new error will be displayed under the **Target Query** box. This error indicates that a table couldn't be resolved. This table may not exist in Sentinel, which will prevent the successful execution of this rule.

1. To complete the update select **Save Changes**.

1. The Translation State of the **ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule** SIEM rule has changed from **Partially Translated** to **Manually Translated**.

   ![manually_translated2.png](../media/manually_translated2.png)

1. In the **SIEM Migration** rules list ensure that the **Deploy** switch has been enabled for the following rules and then select **Next : Review and migrate >**.

   * ESCU - Windows Query Registry Reg Save - Rule
   * ESCU - Windows Rapid Authentication on Multiple Hosts - Rule
   * ESCU - Windows Remote Access Software BRC4 Loaded Dll - Rule
   * ESCU - Windows RDP Connection Successful - Rule

   ![ready_to_migrate.png](../media/ready_to_migrate_b.png)

1. Clear the filter, then search for **ESCU - Windows Updates** and note that the Translation State for the following rules is currently **Not Translated**.

   * ESCU - Windows Updates Install Failures
   * ESCU - Windows Updates Install Successes

   {: .note }
   > These rules could not be automatically translated by the SIEM Migration engine and will have to be re-created manually.

1. To continue with the migration select **Next : Review and migrate >**.

1. Review the list of SIEM Migration rules to ensure that the appropriate rules have been selected and then select **Deploy**.

   {: .note }
   > It may take a couple of minutes to complete the installation of the queries into Sentinel and build out the analytics rules.

1. Once the installation of all the SIEM Migration rules has completed select **Done** to return to the **Microsoft Sentinel \| Content hub** panel.

   ![installed_rules2.png](../media/installed_rules2.png)

1. On the confirmation screen select **OK** to complete the migration.
--------------------------------------------------------------------------------
/docs/Ex04/Ex04.md:
--------------------------------------------------------------------------------
---
title: 'Lab 2 Exercise 1: Import Splunk data into Microsoft Sentinel'
layout: default
nav_order: 5
has_children: true
---

# Lab 2: Importing Splunk data into Microsoft Sentinel

# Exercise 1: Import Splunk data into Microsoft Sentinel

Elisabeth, the Azure administrator, has been assigned the task of exporting data analytics rules from Splunk and importing them into Azure Sentinel. In order to do this she will have to:

- Export the required data analytics rules from Splunk.

  {: .note }
  > In this lab the actual export of the data rules has already been completed and you'll be able to review the exported file.

- Import the Splunk data file into Azure Sentinel using SIEM migration.
- Verify the Splunk migration of data analytics rules in Azure Sentinel.
- Enable migrated Splunk data analytics rules in Azure Sentinel.
--------------------------------------------------------------------------------
/docs/Ex05/0501.md:
--------------------------------------------------------------------------------
---
title: '1. Verify the Splunk data migration into Sentinel'
layout: default
nav_order: 1
parent: 'Lab 2 Exercise 2: Verify the Splunk migration'
---

# Task 2.1: Verify the Splunk data migration into Sentinel

You'll explore the migrated Splunk data using the Sentinel analytics rule wizard to verify the converted rules in your environment.

---

1. On the **Microsoft Sentinel** menu, under **Configuration**, select **Analytics**.

   ![configuration_menu_analytics.png](../media/configuration_menu_analytics.png)

   {: .warning }
   > You may encounter an error message indicating that one or more Codeless Connectors are not valid. The **Amazon Web Services** connector is not properly defined. This error can be ignored for this lab.
   >
   > ![error_codeless_connector.png](../media/error_codeless_connector.png)

1. On the **Active rules** tab, note that the imported Splunk rules are shown in the list with the prefix **[Splunk Migrated]**.

   ![splunk_migrated_prefix.png](../media/splunk_migrated_prefix.png)

1. Select the **Name** column heading to sort the Active rules list by name.

1. Select the third rule, **[Splunk Migrated] CIM - Top Data Model Accelerations**, to display the details in the right panel.

   {: .note }
   > If the right panel is not displayed select the **<<** icon on the right side to display it.

1. On the right panel select **Edit** to modify the selected analytics rule.

1. Select **Next : Set rule logic** to display the rule query and parameter details.

1. In the Rule query section select the **View query results >** link to display the **Logs** query dialog panel.

   ![select_view_query_results.png](../media/select_view_query_results.png)

   {: .note }
   > Notice that this query isn't a proper KQL query, which is indicated by the error that's displayed in the **Results** section.

1. Select the **X** icon at the top right (not the browser "X") to close the **Logs** query dialog panel and then select **OK** to discard any edits.

   ![invalid_query_x_close.png](../media/invalid_query_x_close.png)

1. Select the **X** icon at the top right (not the browser "X") to close the **Analytics rule wizard** dialog.

1. Select the **[Splunk Migrated] AWS CreateAccessKey** entry in the list to display the details in the right panel.

   {: .note }
   > If the right panel is not displayed select the **<<** icon on the right side to display it.

1. Select **Edit** to display the **Analytics rule wizard** dialog and then select **Next : Set rule logic >**.

1. Select the **View query results >** link to display the **Logs** query dialog panel.

   Since no errors are associated with this query, we can expect it to complete successfully.

1. Select the **Run** button to execute the Analytics rule query.

   {: .note }
   > This query completes correctly but returns no results at this time. The KQL query is properly formatted and no issues in the schema are surfaced.
--------------------------------------------------------------------------------
/docs/Ex05/0502.md:
--------------------------------------------------------------------------------
---
title: '2. Enable migrated Splunk rules in Sentinel'
layout: default
nav_order: 2
parent: 'Lab 2 Exercise 2: Verify the Splunk migration'
---

# Task 2.2: Enable migrated Splunk rules in Sentinel

Now that the Splunk data rules have been imported, converted and verified in Microsoft Sentinel, we'll need to enable the rules so that Sentinel can take over the detection of incidents in your environment.

The following document may help you complete this task.

- [Enable an Azure Activity rule](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Training/Azure-Sentinel-Training-Lab/Modules/Module-3-Analytics-Rules.md)

---

1. Return to the **Microsoft Sentinel - Analytics** panel.

1. Select the **[Splunk Migrated] Multiple Okta Users With Invalid Credentials From The Same IP** entry in the list to display the details in the **[Splunk Migrated] Multiple Okta Users With Invalid Credentials From The Same IP** pane.

   {: .note }
   > If the right panel is not displayed select the **<<** icon on the right side to display it.

1. On the **[Splunk Migrated] Multiple Okta Users With Invalid Credentials From The Same IP** pane, select **Edit**.

1. Change **Status** from **Disabled** to **Enabled** and then select the **Review + create** tab.

   ![enable_disable_toggle.png](../media/enable_disable_toggle.png)

   {: .note }
   > If there's an error in the query it will fail the validation and can't be enabled.
   >
   > ![enable_fail_validation.png](../media/enable_fail_validation.png)

1. Return to the **Microsoft Sentinel - Analytics** panel and select the **[Splunk Migrated] AWS CreateAccessKey** entry in the list to display the details in the **[Splunk Migrated] AWS CreateAccessKey** pane.

1. On the right panel select **Edit** to edit the selected analytics rule.

1. Change the **Status** from **Disabled** to **Enabled** and then select the **Review + create** tab.

   {: .note }
   > This rule does not contain any issues in the Query and will pass validation.
   >
   > ![enable_pass_validation.png](../media/enable_pass_validation.png)

1. Once the Analytics rule has been validated select **Save** to commit the update of the Analytics rule and then return to the **Microsoft Sentinel - Analytics** pane.

   {: .note }
   > The Status of the updated Analytics rule in the list should now be updated to **Enabled**. If it hasn't been updated select the **Refresh** link in the top menu to update the list.
   >
   > ![list_entry_enabled.png](../media/list_entry_enabled.png)
--------------------------------------------------------------------------------
/docs/Ex05/Ex05.md:
--------------------------------------------------------------------------------
---
title: 'Lab 2 Exercise 2: Verify the Splunk migration'
layout: default
nav_order: 6
has_children: true
---

# Exercise 2: Verify the Splunk migration

Now that the Splunk data rules have been imported into Azure Sentinel and converted, it's important to verify that the rules have been configured correctly prior to being enabled. This task is an important part of the Splunk data rules import and conversion process and should be completed prior to enabling any migrated Splunk rules.
--------------------------------------------------------------------------------
/docs/Ex06/0601.md:
--------------------------------------------------------------------------------
---
title: '1. Understand the attacks'
layout: default
nav_order: 1
parent: 'Lab 3 Exercise 1: Understand detection modeling'
---

# Task 1.1: Understand the attacks

{: .important }
> **You will perform no actions in this exercise.** These instructions are only an explanation of the attacks you will perform in the next exercise. Please read this page carefully.

The attack patterns are based on [an open-source project](https://github.com/redcanaryco/atomic-red-team "https://github.com/redcanaryco/atomic-red-team").

## Attack 1 - Persistence with Registry Key Add

Attackers will add a program in the Run Registry key. This achieves persistence by making the program run every time the user logs on.

```nocopy
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "SOC Test" /t REG_SZ /F /D "C:\temp\startup.bat"
```

## Attack 2 - User Add and Elevate Privilege

Attackers will add new users and elevate the new user to the Administrators group. This enables the attacker to log on with a different account that is privileged.

```nocopy
net user badactor /add
net user badactor Passw0rd123!@# /add
net localgroup administrators badactor /add
```

## Attack 3 - DNS / C2

Attackers will send a large volume of DNS queries to a command and control (C2) server. The intent is to trigger threshold-based detection on the number of DNS queries either from a single source system or to a single target domain.

```nocopy
param(
    [string]$Domain = "microsoft.com",
    [string]$Subdomain = "subdomain",
    [string]$Sub2domain = "sub2domain",
    [string]$Sub3domain = "sub3domain",
    [string]$QueryType = "TXT",
    [int]$C2Interval = 8,
    [int]$C2Jitter = 20,
    [int]$RunTime = 240
)
$RunStart = Get-Date
$RunEnd = $RunStart.addminutes($RunTime)
$x2 = 1
$x3 = 1
Do {
    $TimeNow = Get-Date
    Resolve-DnsName -type $QueryType $Subdomain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout
    if ($x2 -eq 3 )
    {
        Resolve-DnsName -type $QueryType $Sub2domain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout
        $x2 = 1
    }
    else
    {
        $x2 = $x2 + 1
    }
    if ($x3 -eq 7 )
    {
        Resolve-DnsName -type $QueryType $Sub3domain".$(Get-Random -Minimum 1 -Maximum 999999)."$Domain -QuickTimeout
        $x3 = 1
    }
    else
    {
        $x3 = $x3 + 1
    }
    $Jitter = ((Get-Random -Minimum -$C2Jitter -Maximum $C2Jitter) / 100 + 1) +$C2Interval
    Start-Sleep -Seconds $Jitter
}
Until ($TimeNow -ge $RunEnd)
```

---
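The next exercise turns the three attacks above into KQL detections. The script below is an added example for this page, not code from the lab or from the Atomic Red Team project: it emulates those detections in plain Python over constructed sample events, so the logic can be studied before it is written as an analytics rule. The field names only loosely follow Sentinel's SecurityEvent and DnsEvents tables, every host name, account and domain in the samples is made up, and the event IDs used (4657 registry value modified, 4720 user account created, 4732 member added to a security-enabled local group) are the standard Windows Security audit IDs for those actions.

```python
"""Plain-Python emulation of the three detections built later in the lab.
Added example: the events below are constructed samples, not real telemetry,
and field names only loosely follow Sentinel's SecurityEvent/DnsEvents tables."""
from collections import Counter

RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed Windows Security audit events (4657 = registry value modified,
# 4720 = user account created, 4732 = member added to a security-enabled local
# group). Real 4657 records require object-access auditing on the key; Sysmon
# event 13 is the usual alternative source for registry writes.
SECURITY_EVENTS = [
    {"EventID": 4657, "Computer": "WORKSTATION5", "ObjectName": RUN_KEY,
     "ObjectValueName": "SOC Test", "NewValue": r"C:\temp\startup.bat"},
    {"EventID": 4657, "Computer": "WORKSTATION5",          # benign registry write
     "ObjectName": r"HKCU\SOFTWARE\Contoso\Settings",
     "ObjectValueName": "Theme", "NewValue": "dark"},
    {"EventID": 4720, "Computer": "WORKSTATION5", "TargetUserName": "badactor"},
    {"EventID": 4732, "Computer": "WORKSTATION5",
     "TargetUserName": "Administrators", "MemberName": "badactor"},
    {"EventID": 4732, "Computer": "WORKSTATION5",          # benign group change
     "TargetUserName": "Remote Desktop Users", "MemberName": "svc-backup"},
]

# Constructed DNS client events: 60 TXT lookups of random labels under one
# domain from WORKSTATION5 (the Attack 3 pattern) plus a little normal noise.
DNS_EVENTS = (
    [{"Computer": "WORKSTATION5", "Name": f"subdomain.{n}.example.com",
      "QueryType": "TXT"} for n in range(1, 61)]
    + [{"Computer": "FILESERVER1", "Name": n, "QueryType": "A"}
       for n in ("www.example.org", "example.net", "www.example.org")]
)


def registered_domain(name: str) -> str:
    """Collapse a query name to its last two labels so every random
    'subdomain.<n>.example.com' counts against example.com. Good enough for
    the sample; production logic would consult the public suffix list."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def detect_run_key_persistence(events):
    """Attack 1: any value written under a ...CurrentVersion\\Run key."""
    return [e for e in events
            if e["EventID"] == 4657
            and e["ObjectName"].lower().endswith(r"\currentversion\run")]


def detect_user_add_and_elevate(events):
    """Attack 2: an account created (4720) and then added to the local
    Administrators group (4732) within the same batch of events."""
    created = {e["TargetUserName"].lower() for e in events if e["EventID"] == 4720}
    return [e["MemberName"] for e in events
            if e["EventID"] == 4732
            and e["TargetUserName"].lower() == "administrators"
            and e["MemberName"].lower() in created]


def detect_dns_threshold(events, per_source=50, per_domain=50):
    """Attack 3: count queries per source host and per registered domain and
    return those above threshold as ({host: count}, {domain: count})."""
    by_source = Counter(e["Computer"] for e in events)
    by_domain = Counter(registered_domain(e["Name"]) for e in events)
    return ({h: c for h, c in by_source.items() if c > per_source},
            {d: c for d, c in by_domain.items() if c > per_domain})


if __name__ == "__main__":
    for hit in detect_run_key_persistence(SECURITY_EVENTS):
        print("Attack 1 hit:", hit["ObjectValueName"], "->", hit["NewValue"])
    for user in detect_user_add_and_elevate(SECURITY_EVENTS):
        print("Attack 2 hit: new local admin", user)
    noisy_hosts, noisy_domains = detect_dns_threshold(DNS_EVENTS)
    print("Attack 3 hits:", noisy_hosts, noisy_domains)
```

The DNS thresholds are parameters on purpose: the lab's attack script runs for hours at an interval of roughly eight seconds, so a production rule would count over a time window (the KQL `bin()` and `summarize count()` pattern) rather than over a whole batch, and the per-domain count is what catches a beacon that rotates its source hosts.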
--------------------------------------------------------------------------------
/docs/Ex06/0602.md:
--------------------------------------------------------------------------------
---
title: '2. Understand Detection Modeling'
layout: default
nav_order: 2
parent: 'Lab 3 Exercise 1: Understand detection modeling'
---

# Task 1.2: Understand Detection Modeling

{: .important }
> **You will perform no actions in this exercise.** These instructions are only an explanation of the attacks you will perform in the next exercise. Please read this page carefully.

The attack-detect configuration cycle used in this lab represents all data sources even though you are only focused on two specific data sources.

To build a detection, you first start with building a KQL statement. Since you'll attack a host, you'll have representative data to start building the KQL statement.

After you have the KQL statement, you create the analytics rule.

Once the rule triggers and creates the alerts and incidents, you then investigate to decide if you're providing fields that help Security Operations Analysts in their investigation.

Next, you'll make other changes to the analytics rule.

{: .note }
> Some alerts will be triggered in a shorter time frame for the purposes of this lab.
--------------------------------------------------------------------------------
/docs/Ex06/Ex06.md:
--------------------------------------------------------------------------------
---
title: 'Lab 3 Exercise 1: Understand detection modeling'
layout: default
nav_order: 7
has_children: true
---

# Lab 3: Create detections and perform investigations using Microsoft Sentinel

# Exercise 1: Understand detection modeling

Following the successful migration of Splunk data into Microsoft Sentinel, Humongous IT moves forward in strengthening its defense mechanisms.
Sydney Mattos, the Security Operations Analyst, is now tasked to understand detection modeling. This crucial step in their security enhancement initiative focuses on analyzing simulated attacks and developing detection models. Her work aims to fortify Humongous IT's threat identification capabilities, an essential upgrade in the company's proactive defense strategy post-migration.

The following documents may help you understand detection modeling in Microsoft Sentinel.

- [Work with anomaly detection analytics rules in Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/work-with-anomaly-rules)
- [Tutorial: Detect threats by using analytics rules in Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/tutorial-log4j-detection)

---
--------------------------------------------------------------------------------
/docs/Ex07/0701.md:
--------------------------------------------------------------------------------
---
title: '1. Target machine setup'
layout: default
nav_order: 1
parent: 'Lab 3 Exercise 2: Set up the environment'
---

# Task 2.1: Target machine setup

In this task, you'll configure a Remote Desktop connection to the target machine on which the attacks will be performed.

The following document may help you understand RDP connections to Azure virtual machines.

- [Connect to Azure Virtual Desktop with the Remote Desktop client for Windows](https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-windows?pivots=remote-desktop-msi)

---

1. Sign in to @lab.VirtualMachine(Windows 11).SelectLink using these credentials:

   | | |
   |:--|:--|
   | Username | **@lab.VirtualMachine(Windows 11).Username** |
   | Password | **@lab.VirtualMachine(Windows 11).Password** |

1. Open Microsoft Edge, go to the **[Azure Portal](https://portal.azure.com)**, then sign in using these credentials:

   | | |
   |:--|:--|
   | Username | **@lab.CloudPortalCredential(User1).Username** |
   | Password | **@lab.CloudPortalCredential(User1).Password** |

   {: .warning }
   > If you encounter the **Welcome to Microsoft Azure** screen select **Get started** and then select **Skip** for the next two screens.

1. On the Microsoft Azure Home page, in the **Azure services** section, select **Virtual machines**.

1. In the list of virtual machines select the entry named **WORKSTATION5**.

1. On the **WORKSTATION5 Overview** pane, select the **Connect** link from the upper menu and then select **Connect**.

   ![workstation5_connect_connect.png](../media/workstation5_connect_connect.png)

   {: .note }
   > In order to be connected, the Virtual Machine must be in a started and running status.
   >
   > If the Virtual Machine is not running, you can select the **Start** option from the menu to start the VM.
   >
   > If you encounter an *agent status is not ready* message wait a few minutes and select **Refresh** from the menu.
   >
   > ![not-ready-message.png](../media/not-ready-message.png)

1. On the **WORKSTATION5 Connect** pane in the **Native RDP** tile select **Download RDP file**.

   ![native_rdp_download.png](../media/native_rdp_download.png)

1. To save the RDP file to the downloads folder, in the **Downloads** dialog, select **Keep**.

   ![download_rdp_file.png](../media/download_rdp_file.png)

1. To initiate the Remote Desktop session to the WORKSTATION5 Azure VM select the downloaded **WORKSTATION5.rdp** file from the **C:\Users\Admin\Downloads** folder.

1. To complete the connection, in the **Remote Desktop Connection** dialog box select **Don't ask me again for connections to this computer** and then select **Connect**.
63 | 64 | ![remote_desktop_connection.png](../media/remote_desktop_connection.png) 65 | 66 | 1. To log in to the **WORKSTATION5** VM sign in using these credentials: 67 | 68 | | | | 69 | |:--|:--| 70 | | Username | **WinAdmin** | 71 | | Password | **Passw0rd!1234** | 72 | 73 | 1. On the **Remote Desktop Connection** dialog box select **Don't ask me again for connections to this computer** and then select **Yes**. 74 | 75 | ![remote_desktop_connection_2.png](../media/remote_desktop_connection_2.png) 76 | 77 | {: .note } 78 | > It may take some time for the login to complete. 79 | > 80 | > Also, because this VM has been set up as part of the startup of this lab you may have to complete the **Getting Started** survey. To complete the survey, select **Next** and then select **Accept**. 81 | 82 | 1. In the search of the task bar, enter **command**. Command Prompt will be displayed in the search results. 83 | 84 | 1. To allow the app to run, select **Run as Administrator** and then, in the User Account Control window that appears, select **Yes**. 85 | 86 | 1. In the Command Prompt, create a Temp folder in the root directory using the following commands and press **Enter**. 87 | 88 | ```CommandPrompt 89 | cd \ 90 | mkdir temp 91 | cd temp 92 | ``` 93 | -------------------------------------------------------------------------------- /docs/Ex07/0702.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: '2. Connect the target machine to Microsoft Sentinel - All Events DCR' 3 | layout: default 4 | nav_order: 2 5 | parent: 'Lab 3 Exercise 2: Set up the environment' 6 | --- 7 | 8 | # Task 2.2: Connect the target machine to Microsoft Sentinel - All Events DCR 9 | 10 | 11 | In this task, you'll connect the target machine on which the attacks will be performed to Microsoft Sentinel using the built-in *All Security Events* data collection rule. 
12 | 13 | The following document may help you understand Sentinel data connectors for Windows virtual machines. 14 | 15 | - [Connect Windows devices to Microsoft Sentinel using data connectors](https://microsoftlearning.github.io/SC-200T00A-Microsoft-Security-Operations-Analyst/Instructions/Labs/LAB_AK_06_Lab1_Ex2_Connect_Windows.html) 16 | 17 | --- 18 | 19 | 1. Minimize the RDP session to return to the @lab.VirtualMachine(Windows 11).SelectLink VM. 20 | 21 | 1. If necessary, open Microsoft Edge, go to the [Azure portal](https://portal.azure.com), then sign in using these credentials: 22 | 23 | | | | 24 | |:--|:--| 25 | | Username | **@lab.CloudPortalCredential(User1).Username** | 26 | | Password | **@lab.CloudPortalCredential(User1).Password** | 27 | 28 | {: .warning } 29 | > If you encounter the **Welcome to Microsoft Azure** screen, select **Get started** and then select **Skip** for the next two screens. 30 | 31 | 1. In the search bar of the Azure portal, type **Microsoft Sentinel**, then select **Microsoft Sentinel** from the results. 32 | 33 | 1. In the list of Microsoft Sentinel Workspaces, select the workspace named **MSSen2Go\***. 34 | 35 | ![select_mssen2go.png](../media/select_mssen2go.png) 36 | 37 | 1. In the Microsoft Sentinel left menu, scroll down to the **Content management** section and select **Content hub**. 38 | 39 | 1. On the **Content hub** panel in the **Search...** field search for the **Windows Security Events** solution and then select it from the list. 40 | 41 | 1. On the **Windows Security Events** panel to the right, select **Install** and wait for the installation job to complete. 42 | 43 | ![windows_security_events_install.png](../media/windows_security_events_install.png){150} 44 | 45 | {: .note } 46 | > The Windows Security Events solution installs both the Windows Security Events via AMA and the Security Events via Legacy Agent Data connectors. Plus two Workbooks, 20 Analytic Rules, and 43 Hunting Queries. 47 | 48 | 1. 
When the installation completes, select **Windows Security Events** from the list and then, in the right blade, select **Manage**. 49 | 50 | {: .note } 51 | > You can monitor the status of the Install job from the Bell notifications icon at the top of the Microsoft Azure page 52 | > 53 | >![bell_notification_icon.png](../media/bell_notification_icon.png) 54 | 55 | 1. On the **Windows Security Events** blade, in the Content list, select the **Windows Security Events via AMA** data connector. 56 | 57 | 1. On the **Data connectors** blade, select the **Windows Security Events via AMA** connector, then select **Open connector page**. 58 | 59 | ![windows_security_events_open_connector_page.png](../media/windows_security_events_open_connector_page.png) 60 | 61 | 1. In the **Configuration** section, select **+Create data collection rule**. 62 | 63 | ![windows_security_events_create_dcr.png](../media/windows_security_events_create_dcr.png) 64 | 65 | 1. On the **Create Data Collection Rule** blade, in the **Basic** tab, use the following table to complete the fields and then select **Next: Resources >**. 66 | 67 | ||| 68 | |:---|:---| 69 | |Rule name|**WindowsDCR**| 70 | |Subscription|**@lab.CloudSubscription.Name**| 71 | |Resource group|**@lab.CloudResourceGroup(RG1).Name**| 72 | 73 | 1. On the **Resources** tab expand the **@lab.CloudSubscription.Name** subscription scope, then expand the **@lab.CloudResourceGroup(RG1).Name** resource group scope, then select the virtual machine **WORKSTATION5**. 74 | 75 | ![virtual_machine_scope.png](../media/virtual_machine_scope.png) 76 | 77 | 1. Select **Next: Collect >**. 78 | 79 | 1. On the **Collect** tab ensure that **All Security Events** is selected and then select **Next: Review + create >**. 80 | 81 | 1. On the **Review + create** tab, wait for the validation to pass and then select **Create** 82 | 83 | 1. 
When the data collection rule has been properly created you'll be returned to the **Windows Security Events via AMA** page. In the **Configuration** section select **Refresh** to display the newly created data collection rule in the list. 84 | 85 | ![refresh_data_collection_rule.png](../media/refresh_data_collection_rule.png) 86 | -------------------------------------------------------------------------------- /docs/Ex07/0703.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: '3. Connect the target machine to Microsoft Sentinel - Custom Events DCR' 3 | layout: default 4 | nav_order: 3 5 | parent: 'Lab 3 Exercise 2: Set up the environment' 6 | --- 7 | 8 | # Task 2.3: Connect the target machine to Microsoft Sentinel - Custom Events DCR 9 | 10 | 11 | In this task, you'll connect the target machine on which the attacks will be performed to Microsoft Sentinel using a custom data collection rule targeting specific Windows Event IDs. 12 | 13 | --- 14 | 15 | 1. On the **Windows Security Events via AMA** blade in the **Configuration** section, select **+Create data collection rule**. 16 | 17 | ![windows_security_events_create_dcr.png](../media/windows_security_events_create_dcr.png) 18 | 19 | 1. On the **Create Data Collection Rule** blade, in the **Basic** tab, use the following table to complete the fields and then select **Next: Resources >**. 20 | 21 | ||| 22 | |:---|:---| 23 | |Rule name|**CustomDCR**| 24 | |Subscription|**@lab.CloudSubscription.Name**| 25 | |Resource group|**@lab.CloudResourceGroup(RG1).Name**| 26 | 27 | 1. On the **Resources** tab expand the **@lab.CloudSubscription.Name** subscription scope, then expand the **@lab.CloudResourceGroup(RG1).Name** resource group scope, then select the virtual machine **WORKSTATION5**. 28 | 29 | ![virtual_machine_scope.png](../media/virtual_machine_scope.png) 30 | 31 | 1. Select **Next: Collect >**. 32 | 33 | 1. 
To save the custom event expressions to the data collection rule, on the **Collect** tab, in the *Select which events to stream* section, select **Custom**, enter the following event list in the custom box and then select **Add**. 34 | 35 | **"Security!\*[System[(EventID=5136 or EventID=5139)]]","Security!\*[System[(EventID=5137)]]","Security!\*[System[(EventID=5141)]]","Security!\*[System[(EventID=4662 or EventID=4661)]]","Security!\*[System[(EventID=4768 or EventID=4769)]]","Security!\*[System[(EventID=4688)]]** 36 | 37 | 1. Advance to the next tab by selecting **Next: Review + create >**. 38 | 1. On the **Review + create** tab wait for the validation to pass and then select **Create** 39 | 40 | 1. When the data collection rule has been properly created you will be returned to the **Windows Security Events via AMA** page. In the **Configuration** section select **Refresh** to display the newly created data collection rule in the list. 41 | -------------------------------------------------------------------------------- /docs/Ex07/Ex07.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: 'Lab 3 Exercise 2: Set up the environment' 3 | layout: default 4 | nav_order: 8 5 | has_children: true 6 | --- 7 | 8 | # Exercise 2: Set up the environment 9 | 10 | At Humongous IT, following the implementation of Microsoft Sentinel, the focus now shifts to connecting log data from various data sources. A key aspect is ensuring Windows virtual machines in Azure, similar to on-premises environments, are configured to allow Sentinel to detect threats and circulate alerts effectively. 11 | 12 | {: .note } 13 | > Non-cloud virtual machines can also be connected to Microsoft Azure. This scenario is, however, not covered as part of this lab. 
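The custom event list entered in Task 2.3 is a set of XPath filters of the form `Channel!*[System[(EventID=... or EventID=...)]]`, and it is worth checking which Event IDs such a rule actually forwards before relying on it. The following Python helper is an added example, not part of the lab or of any Microsoft tool: it parses the page's filters, answers whether a given event would be forwarded, and reports that Event ID 4732, which the Task 4.2 detection filters on, is absent from the custom list and reaches the workspace only through the All Security Events rule from Task 2.2. The detection names and their Event IDs are taken from Tasks 4.1 and 4.2.

```python
"""Parse the custom DCR event filters from Task 2.3 and check which Security
Event IDs they forward. Added example, not part of the lab or of any Microsoft
tool; the filter syntax is the XPath form the page shows."""
import re
from typing import Dict, Iterable, List, Set, Tuple

# The event list entered in Task 2.3 (the page escapes '*' as '\*' for markdown).
CUSTOM_DCR_XPATHS: List[str] = [
    "Security!*[System[(EventID=5136 or EventID=5139)]]",
    "Security!*[System[(EventID=5137)]]",
    "Security!*[System[(EventID=5141)]]",
    "Security!*[System[(EventID=4662 or EventID=4661)]]",
    "Security!*[System[(EventID=4768 or EventID=4769)]]",
    "Security!*[System[(EventID=4688)]]",
]

# Event IDs the two lab detections (Tasks 4.1 and 4.2) filter on.
DETECTION_EVENT_IDS: Dict[str, Set[int]] = {
    "Startup RegKey": {4688},
    "SecurityEvent Local Administrators User Add": {4732},
}

# Matches only the shape used on the page: Channel!*[System[(EventID=n or ...)]]
_XPATH_RE = re.compile(r"^(?P<channel>[^!]+)!\*\[System\[\((?P<expr>[^)]*)\)\]\]$")
_ID_RE = re.compile(r"EventID=(\d+)")


def parse_xpath(xpath: str) -> Tuple[str, Set[int]]:
    """Return (channel, {event ids}) for one filter; reject anything else."""
    m = _XPATH_RE.match(xpath.strip())
    if not m:
        raise ValueError(f"unsupported XPath filter: {xpath!r}")
    ids = {int(x) for x in _ID_RE.findall(m.group("expr"))}
    if not ids:
        raise ValueError(f"no EventID terms in: {xpath!r}")
    return m.group("channel"), ids


def collected_event_ids(xpaths: Iterable[str]) -> Dict[str, Set[int]]:
    """Union of event ids per channel across all filters in the rule."""
    out: Dict[str, Set[int]] = {}
    for xp in xpaths:
        channel, ids = parse_xpath(xp)
        out.setdefault(channel, set()).update(ids)
    return out


def forwards(xpaths: Iterable[str], channel: str, event_id: int) -> bool:
    """Would an event from this channel with this id be sent to the workspace?"""
    return event_id in collected_event_ids(xpaths).get(channel, set())


def coverage_gaps(xpaths: Iterable[str],
                  detections: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """Event ids each detection needs that this rule alone does not forward."""
    have = collected_event_ids(xpaths).get("Security", set())
    return {name: ids - have for name, ids in detections.items() if ids - have}


if __name__ == "__main__":
    print(sorted(collected_event_ids(CUSTOM_DCR_XPATHS)["Security"]))
    print(coverage_gaps(CUSTOM_DCR_XPATHS, DETECTION_EVENT_IDS))
```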
-------------------------------------------------------------------------------- /docs/Ex08/0801.md: --------------------------------------------------------------------------------
---
title: '1. Persistence attack with registry key add'
layout: default
nav_order: 1
parent: 'Lab 3 Exercise 3: Conduct attacks'
---

# Task 3.1: Persistence attack with registry key add

In this task, you'll initiate a persistence attack on the connected Azure VM, which has the Azure Monitor Agent pre-configured.

The following document may help you understand detecting persistent attacks.

- [The two-pronged approach to detecting persistent adversaries](https://www.microsoft.com/en-us/security/blog/2017/04/13/the-two-pronged-approach-to-detecting-persistent-adversaries/)

---

1. Maximize the **WORKSTATION5** remote desktop session.

    {: .note }
    > **Note:** If the remote desktop session has been closed, you can re-open it by selecting the **WORKSTATION5.rdp** file found in **C:\Users\Admin\Downloads** and using these credentials:

    | | |
    |:--|:--|
    | Username | **WinAdmin** |
    | Password | **Passw0rd!1234** |

1. If necessary, open a Command Prompt with the option **Run as Administrator** and then, in the User Account Control window that appears, select **Yes**.

1. To simulate program persistence, run this command and press **Enter**.

    ```CommandPrompt
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "SOC Test" /t REG_SZ /F /D "C:\temp\startup.bat"
    ```

-------------------------------------------------------------------------------- /docs/Ex08/0802.md: --------------------------------------------------------------------------------
---
title: '2. Privilege elevation attack with user add'
layout: default
nav_order: 2
parent: 'Lab 3 Exercise 3: Conduct attacks'
---

# Task 3.2: Privilege elevation attack with user add

In this task, you will initiate a privilege elevation attack with a specific user.

The following document may help you understand detecting privilege elevation attacks.

- [Elevation of Privilege](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/elevation-of-privilege)

---

1. To simulate the creation of an Admin account, run these commands, pressing **Enter** after each one.

    ```CommandPrompt
    net user badactor Passw0rd123!@# /add
    net localgroup administrators badactor /add
    ```

-------------------------------------------------------------------------------- /docs/Ex08/Ex08.md: --------------------------------------------------------------------------------
---
title: 'Lab 3 Exercise 3: Conduct attacks'
layout: default
nav_order: 9
has_children: true
---

# Exercise 3: Conduct attacks

## Lab scenario

You're going to simulate the attacks that you'll later use to detect and investigate in Microsoft Sentinel.

{: .note }
> An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Perform%20simulated%20attacks)** is available that allows you to click through this lab scenario at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.

-------------------------------------------------------------------------------- /docs/Ex09/0901.md: --------------------------------------------------------------------------------
---
title: '1. Persistence attack detection'
layout: default
nav_order: 1
parent: 'Lab 3 Exercise 4: Create Detections'
---

# Task 4.1: Persistence attack detection

{: .important }
> The next steps are done on a different machine than the one you were previously working with. Look for the virtual machine name references.

In this task, you'll create a detection for the first attack of the previous exercise, a persistence attack.

The following document may help you understand detecting persistent threat attacks.

- [Microsoft Sentinel SOC 101: How to Detect and Mitigate Advanced Persistent Threats (APTs) with Microsoft Sentinel](https://rodtrent.substack.com/p/microsoft-sentinel-soc-101-how-to-07c)

---

1. Minimize the RDP session to return to the @lab.VirtualMachine(Windows 11).SelectLink VM.

1. If necessary, open Microsoft Edge, go to the [Azure portal](https://portal.azure.com), then sign in using these credentials:

    | | |
    |:--|:--|
    | Username | **@lab.CloudPortalCredential(User1).Username** |
    | Password | **@lab.CloudPortalCredential(User1).Password** |

    {: .warning }
    > If you encounter the **Welcome to Microsoft Azure** screen, select **Get started** and then select **Skip** for the next two screens.

1. In the search bar of the Azure portal, type **Sentinel**, then select **Microsoft Sentinel** from the results.

1. In the list of Microsoft Sentinel Workspaces, select the workspace named **MSSen2Go\***.

    ![select_mssen2go.png](../media/select_mssen2go.png)

1. On the Microsoft Sentinel pane, under **General**, select **Logs**.

1. Close the **Welcome to Log Analytics** window by selecting the associated **X** icon at the upper right.

    ![close_welcome_to_log_analytics.png](../media/close_welcome_to_log_analytics.png)

1. Close the **Queries** window by selecting the associated **X** icon at the upper right.

    ![close_queries.png](../media/close_queries.png)

1. To verify that the *SecurityEvent* table is being populated with the specific process creation event (EventID = 4688), enter the following KQL statement in the query space and select **Run**.

    ```KQL
    SecurityEvent
    | where Activity startswith "4688"
    | where AccountType == "User"
    | where CommandLine startswith "REG"
    ```

    {: .warning }
    > Do not proceed until this query returns valid results. It can take up to 10 minutes for the SecurityEvent table to receive the initial event.

1. To recall the tables where we have this data, replace the text in the query window with the following KQL statement and select **Run**.

    ```KQL
    search "temp\\startup.bat"
    ```

1. The *SecurityEvent* table looks to have the data already normalized and easy for us to query. Expand the row to see all the columns related to the record.

    ![search_startupbat.png](../media/search_startupbat.png)

1. From the results, we now know that the Threat Actor is using reg.exe to add keys to the Registry and that the program is located in C:\temp. **Run** the following statement to replace the *search* operator with the *where* operator in our query:

    ```KQL
    SecurityEvent
    | where Activity startswith "4688"
    | where Process == "reg.exe"
    | where CommandLine startswith "REG"
    ```

1. It's important to help the Security Operations Center Analyst by providing as much context about the alert as you can. This includes projecting Entities for use in the investigation graph. **Run** the following query:

    ```KQL
    SecurityEvent
    | where Activity startswith "4688"
    | where Process == "reg.exe"
    | where CommandLine startswith "REG"
    | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectUserName
    ```

1. Now that you have a good detection rule, you can create a new scheduled rule. In the Logs window, select **+ New alert rule** in the command bar and then select **Create Microsoft Sentinel alert**.

    ![create_microsoft_sentinel_alert.png](../media/create_microsoft_sentinel_alert.png)

    {: .note }
    > You might need to select the ellipsis (...) button in the command bar.

1. On the Analytics rule wizard, **General** tab, complete the fields using the following table and then select **Next : Set rule logic >**:

    |Setting|Value|
    |---|---|
    |Name|**Startup RegKey**|
    |Description|**Startup RegKey in c:\temp**|
    |Severity|High|
    |Tactics|**Persistence**|

1. On the **Set rule logic** tab, the **Rule query** should already be populated with a KQL query. Use the following table to verify the entities under **Alert enhancement - Entity mapping**.

    |Entity|Identifier|Data Field|
    |:----|:----|:----|
    |**Account**|**FullName**|**AccountCustomEntity**|
    |**Host**|**Hostname**|**HostCustomEntity**|

    ![entity_mapping.png](../media/entity_mapping.png)

    {: .note }
    > If the values don't appear in this section, add them from the drop-down fields.

1. In the **Query scheduling** section, complete the fields using the following table:

    |Setting|Value|
    |---|---|
    |Run Query every|5 minutes|
    |Lookup data from the last|1 Days|

    ![query_scheduling.png](../media/query_scheduling.png)

    {: .note }
    > We're purposely generating many incidents for the same data. This enables the lab to use these alerts.

1. Leave the rest of the options with the default values. Select the **Next: Incident settings >** button.

    {: .note }
    > Do not modify the **Start running** settings. Changing this to run at a specific time in the future will delay the initial execution of the Sentinel alert. This may be desirable in real-world scenarios but could prevent the successful completion of this lab.

1. For the **Incident settings** tab, leave the default values and select the **Next: Automated response >** button.

1. On the **Automated response** tab, under **Automation rules**, select **Add new**.

    ![automated_response_add_new.png](../media/automated_response_add_new.png)

1. Use the settings in the table to configure the automation rule and select **Apply**.

    |Setting|Value|
    |:----|:----|
    |Automation rule name|**Startup RegKey**|
    |Trigger|When incident is created|
    |Actions|Add task|
    |Task Title|**Send Email**|

    {: .note }
    > You can define one or more actions to be run as a result of the trigger, including **Playbooks**, which are the preferred action container. Playbooks are efficient and effective modules that can be configured to provide various functions, including sending an email notification, shutting down a machine, or any number of security administration actions.

    ![automation_rule_config2.png](../media/automation_rule_config2.png)

1. On the **Automated response** tab, select the **Next: Review + create >** button.

1. On the **Review + create** tab, when the configuration has been validated, select **Save** to create the new scheduled Analytics rule.

-------------------------------------------------------------------------------- /docs/Ex09/0902.md: --------------------------------------------------------------------------------
---
title: '2. Privilege elevation attack detection'
layout: default
nav_order: 1
parent: 'Lab 3 Exercise 4: Create Detections'
---

# Task 4.2: Privilege elevation attack detection

In this task, you'll create a detection for the second attack of the previous exercise, a privilege elevation attack.

The following document may help you understand detecting privilege elevation attacks.

- [Detecting privilege escalation with Azure AD service principals in Microsoft Sentinel](https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/)

---

1. In the Microsoft Sentinel portal, select **Logs** from the **General** section.

1. Run the following KQL statement to identify any entry that refers to administrators:

    ```KQL
    search "administrators"
    | summarize count() by $table
    ```

1. The result might show events from different tables, but in our case we want to investigate the SecurityEvent table. The EventID and event that we are looking for is "4732 - A member was added to a security-enabled local group". With this, we'll identify adding a member to a privileged group. Run the following KQL query to confirm:

    ```KQL
    SecurityEvent
    | where EventID == 4732
    | where TargetAccount == "Builtin\\Administrators"
    ```

1. Expand the row to see all the columns related to the record. The username of the account added as Administrator doesn't show. The issue is that instead of storing the username, the event carries the Security Identifier (SID).

    ![securityevent_expanded.png](../media/securityevent_expanded.png)

1. **Run** the following KQL to match the SID to the username that was added to the Administrators group:

    ```KQL
    SecurityEvent
    | where EventID == 4732
    | where TargetAccount == "Builtin\\Administrators"
    | extend Acct = MemberSid, MachId = SourceComputerId
    | join kind=leftouter (
        SecurityEvent
        | summarize count() by TargetSid, SourceComputerId, TargetUserName
        | project Acct1 = TargetSid, MachId1 = SourceComputerId, UserName1 = TargetUserName) on $left.MachId == $right.MachId1, $left.Acct == $right.Acct1
    ```

    ![SC200_sysmon_attack3.png](../media/SC200_sysmon_attack3.png)

1. Expand the row to show the resulting columns. In the last row we see the name of the added user under the *UserName1* column that we *project* within the KQL query. It's important to help the Security Operations Analyst by providing as much context about the alert as you can. This includes projecting Entities for use in the investigation graph.

    ![securityevent_expanded2.png](../media/securityevent_expanded2.png)

1. Run the following query:

    ```KQL
    SecurityEvent
    | where EventID == 4732
    | where TargetAccount == "Builtin\\Administrators"
    | extend Acct = MemberSid, MachId = SourceComputerId
    | join kind=leftouter (
        SecurityEvent
        | summarize count() by TargetSid, SourceComputerId, TargetUserName
        | project Acct1 = TargetSid, MachId1 = SourceComputerId, UserName1 = TargetUserName) on $left.MachId == $right.MachId1, $left.Acct == $right.Acct1
    | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName1
    ```

1. Now that you have a good detection rule, in the Logs window, select **+ New alert rule** in the command bar and then select **Create Microsoft Sentinel alert**.

    {: .note }
    > You might need to select the ellipsis (...) button in the command bar.
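The two detections built in Task 4.1 and in this task, re-implemented in Python over constructed SecurityEvent rows so the logic can be stepped through offline. This is an added example, not lab code and not a Microsoft API: it mirrors the page's KQL, including the case-insensitive `startswith`, the case-sensitive `==` on `Process`, and the `leftouter` join that resolves `MemberSid` to a username through rows that carry `TargetSid` next to `TargetUserName` (here a constructed account-creation event 4720). It also shows the failure mode the join leaves open: a 4732 whose SID has no matching row yields an empty `UserName1`, and therefore an empty Account entity. All row values, SIDs and machine ids are constructed.

```python
"""The two lab detections (Tasks 4.1 and 4.2) re-implemented in Python over
constructed SecurityEvent rows. Added example, not lab code: it mirrors the
page's KQL so the filters and the SID-to-username join can be stepped through
offline. All row values, SIDs and machine ids below are constructed."""
from typing import Dict, List, Optional, Tuple

Row = Dict[str, object]


def _ev(event_id: int, activity: str, **cols: object) -> Row:
    """Build a SecurityEvent-shaped row with lab-like defaults (constructed)."""
    row: Row = {"TimeGenerated": "2024-01-01T10:00:00Z", "EventID": event_id,
                "Activity": f"{event_id} - {activity}", "Computer": "WORKSTATION5",
                "SourceComputerId": "vm-ws5", "AccountType": "User"}
    row.update(cols)
    return row


SID_BADACTOR = "S-1-5-21-1111-2222-3333-1001"   # constructed
SID_UNKNOWN = "S-1-5-21-4444-5555-6666-1050"    # constructed, never resolved

SAMPLE_EVENTS: List[Row] = [
    # Task 3.1: reg.exe adds the Run key (matches Startup RegKey).
    _ev(4688, "A new process has been created.", SubjectUserName="WinAdmin",
        Process="reg.exe", CommandLine='REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows'
        '\\CurrentVersion\\Run" /V "SOC Test" /t REG_SZ /F /D "C:\\temp\\startup.bat"'),
    # Lower-case invocation: KQL startswith is case-insensitive, so it also matches.
    _ev(4688, "A new process has been created.", SubjectUserName="WinAdmin",
        Process="reg.exe", CommandLine="reg query HKLM\\SOFTWARE"),
    # Task 3.2: net.exe, not reg.exe, so Startup RegKey ignores it.
    _ev(4688, "A new process has been created.", SubjectUserName="WinAdmin",
        Process="net.exe", CommandLine="net user badactor /add"),
    # Account creation: the row that carries the new SID next to its name.
    _ev(4720, "A user account was created.", TargetSid=SID_BADACTOR,
        TargetUserName="badactor"),
    # Member added to local Administrators (matches Task 4.2, name resolves).
    _ev(4732, "A member was added to a security-enabled local group.",
        TargetAccount="Builtin\\Administrators", MemberSid=SID_BADACTOR),
    # Same event on another host whose creation event was never collected.
    _ev(4732, "A member was added to a security-enabled local group.",
        Computer="WORKSTATION9", SourceComputerId="vm-ws9",
        TargetAccount="Builtin\\Administrators", MemberSid=SID_UNKNOWN),
    # Addition to a non-privileged group: dropped by the TargetAccount filter.
    _ev(4732, "A member was added to a security-enabled local group.",
        TargetAccount="Builtin\\Users", MemberSid=SID_BADACTOR),
]


def kql_startswith(value: object, prefix: str) -> bool:
    """KQL `startswith` ignores case; `==` (used for Process) does not."""
    return str(value or "").lower().startswith(prefix.lower())


def _entities(row: Row, account: Optional[str]) -> Row:
    """The `extend` clause both detections end with, for entity mapping."""
    return {**row, "timestamp": row["TimeGenerated"],
            "HostCustomEntity": row["Computer"], "AccountCustomEntity": account}


def detect_startup_regkey(events: List[Row]) -> List[Row]:
    """Task 4.1 query: 4688 + Process == reg.exe + CommandLine startswith REG."""
    return [_entities(e, e.get("SubjectUserName")) for e in events  # type: ignore[arg-type]
            if kql_startswith(e.get("Activity"), "4688")
            and e.get("Process") == "reg.exe"
            and kql_startswith(e.get("CommandLine"), "REG")]


def detect_local_admin_add(events: List[Row]) -> List[Row]:
    """Task 4.2 query: 4732 into Builtin\\Administrators, leftouter-joined on
    (SourceComputerId, SID) to TargetUserName to recover the username."""
    # Right side of the join: distinct (MachId1, Acct1) -> UserName1.
    names: Dict[Tuple[object, object], str] = {}
    for e in events:
        if e.get("TargetSid") and e.get("TargetUserName"):
            key = (e["SourceComputerId"], e["TargetSid"])
            names.setdefault(key, str(e["TargetUserName"]))
    hits: List[Row] = []
    for e in events:
        if e.get("EventID") != 4732 or e.get("TargetAccount") != "Builtin\\Administrators":
            continue
        # leftouter: the 4732 row is kept even when no name matches (None).
        user = names.get((e["SourceComputerId"], e["MemberSid"]))
        hits.append({**_entities(e, user), "Acct": e["MemberSid"],
                     "MachId": e["SourceComputerId"], "UserName1": user})
    return hits


if __name__ == "__main__":
    for hit in detect_startup_regkey(SAMPLE_EVENTS):
        print("Startup RegKey:", hit["HostCustomEntity"], hit["AccountCustomEntity"])
    for hit in detect_local_admin_add(SAMPLE_EVENTS):
        print("Local admin add:", hit["HostCustomEntity"], hit["UserName1"])
```

The second 4732 hit keeps `UserName1` as `None`, which is what an analyst sees as a missing Account entity when the creation event was not collected by the rule's data collection.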
1. On the Analytics rule wizard, **General** tab, complete the fields using the following table and then select **Next : Set rule logic >**:

    |Setting|Value|
    |---|---|
    |Name|**SecurityEvent Local Administrators User Add**|
    |Description|**User added to Local Administrators group**|
    |Severity|**High**|
    |Tactics|**Privilege Escalation**|

1. On the **Set rule logic** tab, the **Rule query** should already be populated with a KQL query. Use the following table to complete the **Query scheduling** section and then select **Next: Incident settings >**.

    |Setting|Value|
    |---|---|
    |Run Query every|5 minutes|
    |Lookup data from the last|1 Days|

    ![query_scheduling.png](../media/query_scheduling.png)

    {: .note }
    > We're purposely generating many incidents for the same data. This enables the lab to use these alerts.

1. For the **Incident settings** tab, leave the default values and select **Next: Automated response >** and then select **Next: Review + create >**.

1. On the **Review + create** tab, after the validation has passed, select the **Save** button to create the new scheduled Analytics rule.

1. To return to the **Microsoft Sentinel** blade, close the **Microsoft Sentinel - Logs** query panel by selecting the **X** icon in the top right and then, in the close confirmation popup dialog box, select **OK**.

    ![close_sentinel_logs.png](../media/close_sentinel_logs.png)

1. On the **Microsoft Sentinel** page, select the Sentinel instance starting with **MSSen2Go\*** from the list.

1. In the **Configuration** section of the left menu, select **Analytics** to display the list of Analytics Rules.

    {: .note }
    > If the Log Analytics rules that you just created don't appear in the list, select the **Refresh** option from the upper menu of the **Microsoft Sentinel - Analytics** blade.

1. To display the rule details on the right, select the **SecurityEvent Local Administrators User Add** Log Analytics rule.

    {: .note }
    > To display the right details blade, select the **<<** icon at the very right of the Active rule list.
    >
    > ![microsoft_sentinel_analytics.png](../media/microsoft_sentinel_analytics.png)

-------------------------------------------------------------------------------- /docs/Ex09/Ex09.md: --------------------------------------------------------------------------------
---
title: 'Lab 3 Exercise 4: Create Detections'
layout: default
nav_order: 10
has_children: true
---

# Exercise 4: Create Detections

At Humongous IT, with Microsoft Sentinel in place, the Security Operations team will leverage Log Analytics KQL queries to craft custom analytics rules. These rules aim to identify threats and unusual behaviors, alert on significant event conditions, generate incidents for investigation, and automate threat remediation processes.

Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for your SOC to triage and investigate, and respond to threats with automated tracking and remediation processes.

{: .note }
> An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Create%20detections)** is available that allows you to click through this lab scenario at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.

-------------------------------------------------------------------------------- /docs/Ex10/1001.md: --------------------------------------------------------------------------------
---
title: '1. Explore an incident'
layout: default
nav_order: 1
parent: 'Lab 3 Exercise 5: Investigate incidents'
---

# Task 5.1: Explore an incident

In this task, you'll explore an incident using the Sentinel Incidents blade.

The following document may help you understand incident investigation.

- [Investigate incidents with Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/investigate-cases)

---

1. If necessary, open Microsoft Edge, go to the **[Azure Portal](https://portal.azure.com)**, then sign in using these credentials:

    | | |
    |:--|:--|
    | Username | **@lab.CloudPortalCredential(User1).Username** |
    | Password | **@lab.CloudPortalCredential(User1).Password** |

    {: .warning }
    > If you encounter the **Welcome to Microsoft Azure** screen, select **Get started** and then select **Skip** for the next two screens.

1. In the Search bar of the Azure portal, type **Microsoft Sentinel**, then select **Microsoft Sentinel**.

1. In the list of Microsoft Sentinel Workspaces, select the workspace named **MSSen2Go\***.

    ![select_mssen2go.png](../media/select_mssen2go.png)

1. In the left menu, under **Threat management**, select **Incidents**.

1. Review the list of incidents.

    {: .note }
    > The Analytics rules are generating alerts and incidents on the same specific log entry. Remember that this was done in the *Query scheduling* configuration to generate more alerts and incidents to be utilized in the lab.

1. Select one of the **Startup RegKey** incidents.

1. Review the incident details on the right blade that opened. Scroll down and select the **View full details** button.

    ![startup_regkey_incident.png](../media/startup_regkey_incident.png)

    {: .note }
    > If the "New incident experience" pop-up appears, follow the prompts by reading the information and selecting the **Next** button.

    {: .warning }
    > If you encounter an "**Unknown error 0**" issue when viewing the full details, perform the following actions before continuing:
    >- Refresh the browser by pressing **F5** or **Ctrl-F5**
    >
    > If refreshing the browser doesn't correct the issue, attempt the following:
    >- Delete the **Startup RegKey** rule from the **Microsoft Sentinel - Analytics** blade
    >- Recreate the **Startup RegKey** rule using the instructions from Exercise 4 Task 1.
    >
    > ![delete_analytics_rule.png](../media/delete_analytics_rule.png)

1. On the left blade of the incident, change the Status to **Active**.

    ![set_incident_active.png](../media/set_incident_active.png)

1. Scroll down to the *Tags* area, select **+**, enter **RegKey** and select **OK**.

    ![incident_tag.png](../media/incident_tag.png)

1. Scroll down and, in the *Write a comment...* box, enter **I will research this** and select the **>** icon to submit the new comment.

    ![incident_comment.png](../media/incident_comment.png)

1. Hide the left blade by selecting the **<<** icon next to the owner.

    ![hide_blade.png](../media/hide_blade.png)

1. Review the **Incident timeline** window. Select the **Incident Actions** button at top-right, and then select **Run playbook**.

    ![run_playbook.png](../media/run_playbook.png)

    {: .note }
    > The **Run playbook on incident** blade allows you to view and select the active playbooks and run them manually. Since you haven't configured any playbooks as part of this lab, you won't see any listed here.

1. Close the *Run playbook on incident* blade by selecting the **X** icon in the upper right.

    ![close_run_paybook_on_incident.png](../media/close_run_paybook_on_incident.png)

1. Review the **Entities** window. At least the *Host* entity that we mapped within the KQL query from the previous exercise should appear.

    {: .note }
    > If no entities are shown, refresh the page.

    ![entities_window.png](../media/entities_window.png)

1. To open the **Incident tasks** blade, select the **Tasks** button from the command bar.

    ![incident_tasks_blade.png](../media/incident_tasks_blade.png)

1. Select **+ Add task**, in the Title box type **Review who owns the machine** and then select **Save**.

    ![incident_tasks_add.png](../media/incident_tasks_add.png)

1. Close the **Incident tasks** blade by selecting the **X** icon in the upper right.

1. Select the **Activity Log** button from the command bar and review the actions you've taken during this exercise.

    ![incident_activity_log.png](../media/incident_activity_log.png)

1. Close the **Incident activity log** blade by selecting **Close** at the lower right.

1. From the almost hidden left blade, select the user icon named **Unassigned**. The new incident experience allows quick changes from here.

1. Select **Assign to me** and then scroll down to select **Apply** to save the changes.

    ![incident_assign_to_me.png](../media/incident_assign_to_me.png)

-------------------------------------------------------------------------------- /docs/Ex10/1002.md: --------------------------------------------------------------------------------
---
title: '2. Investigate an incident'
layout: default
nav_order: 2
parent: 'Lab 3 Exercise 5: Investigate incidents'
---

# Task 5.2: Investigate an incident

In this task, you will investigate a Sentinel incident using the Investigation blade.

---

1.
Expand the left blade by selecting the **>>** icon. and then, at the bottom, select **Investigate**. 15 | 16 | {: .highlight } 17 | > **Hint:** If the icons are too small for your screen, select **(+)** to magnify them. 18 | 19 | 1. Hover over the **WORKSTATION5** entity icon and wait for new **exploration queries** to be shown. It looks like *Related Alerts* has more data on it. Select the name of the exploration query **Related Alerts** to bring them to the investigation graph 20 | 21 | 1. Hover over the **WORKSTATION5** entity icon and wait for new **exploration queries** to be shown. Hover over any node and then select **Events >** to investigate it with a KQL query. 22 | 23 | 1. Close the query window by selecting the **X** icon at the upper right to go back to the **Investigation** page. 24 | 25 | 1. To open a window on the right with more detailed information about the virtual machine nodes select the **WORKSTATION5** entity and review the details on the Info page. 26 | 27 | ![investigation_workstation5_node_info.png](../media/investigation_workstation5_node_info.png) 28 | 29 | 1. To see which items on the graph occurred at a point in time select the **Timeline** tab and hover over the incident. 30 | 31 | ![investigation_timeline.png](../media/investigation_timeline.png) 32 | 33 | 1. To review the *Entities* and *Alerts* related to **WORKSTATION5**, select the **Entities** tab and hover over the entity or alert. 34 | 35 | ![investigation_entities.png](../media/investigation_entities.png) 36 | 37 | 1. Close the investigation graph by selecting the **X** icon at the upper right of the page. 38 | 39 | 1. Back on the incident page, in the left pane, select **Active Status** and select **Closed**. 40 | 41 | 1. In the *Select classification* drop-down menu review the different options. After that, select **True positive - suspicious activity** and then select **Apply**. 
42 | 43 | ![incident_status_closed.png](../media/incident_status_closed.png) 44 | 45 | --- 46 | 47 | ## Congratulations! 48 | You've successfully completed the **TechExcel: Sentinel onboarding and migration acceleration** lab. 49 | -------------------------------------------------------------------------------- /docs/Ex10/Ex10.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: 'Lab 3 Exercise 5: Investigate incidents' 3 | layout: default 4 | nav_order: 11 5 | has_children: true 6 | --- 7 | 8 | # Exercise 5: Investigate incidents 9 | 10 | At Humongous IT, the Security Operations team, having integrated Microsoft Sentinel, is now ready to probe the incidents flagged by their existing Scheduled, Microsoft Security, Fusion, and Anomalies Analytics rules. Incidents, which may comprise several alerts, serve as a consolidated package of evidence crucial for investigations. They set the stage for understanding the alerts' attributes like severity and status. With threat parameters defined and detection methods in place, the team is poised to monitor and investigate the detected threats through these incidents. 11 | 12 | {: .note } 13 | > An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Investigate%20incidents)** is available that allows you to move through this lab scenario at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. 
https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/E3-T1-S2-Sentinel-LogAb.png -------------------------------------------------------------------------------- /docs/media/E3-T1-S2-Sentinel.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/E3-T1-S2-Sentinel.png -------------------------------------------------------------------------------- /docs/media/E3-T1-S4-Data-connectors.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/E3-T1-S4-Data-connectors.png -------------------------------------------------------------------------------- /docs/media/E3-T2-S15-Expand-Right-Panel.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/E3-T2-S15-Expand-Right-Panel.png -------------------------------------------------------------------------------- /docs/media/E3-T2-S4-Sentinel-Overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/E3-T2-S4-Sentinel-Overview.png -------------------------------------------------------------------------------- /docs/media/E3-T4-S10-Add-Watchlist-Alias.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/E3-T4-S10-Add-Watchlist-Alias.png -------------------------------------------------------------------------------- /docs/media/E3-T4-S13-Add-Hosts-Hostname.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/E3-T4-S13-Add-Hosts-Hostname.png -------------------------------------------------------------------------------- /docs/media/E3-T4-S14-Save-Logic-App-Design.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/E3-T4-S14-Save-Logic-App-Design.png -------------------------------------------------------------------------------- /docs/media/E3-T4-S4-Follow-False-Branch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/E3-T4-S4-Follow-False-Branch.png -------------------------------------------------------------------------------- /docs/media/E3-T4-S5-Create-New-Watchlist.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/E3-T4-S5-Create-New-Watchlist.png -------------------------------------------------------------------------------- /docs/media/E3-T4-S7-fx-Icon.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/E3-T4-S7-fx-Icon.png -------------------------------------------------------------------------------- /docs/media/Faculty.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/Faculty.png -------------------------------------------------------------------------------- /docs/media/Hamburger-Menu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/Hamburger-Menu.png -------------------------------------------------------------------------------- /docs/media/Home.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/Home.png -------------------------------------------------------------------------------- /docs/media/Linux-servers-see-in-logs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/Linux-servers-see-in-logs.png -------------------------------------------------------------------------------- /docs/media/Linux-servers-tab.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/Linux-servers-tab.png 
-------------------------------------------------------------------------------- /docs/media/Linux1-SSH-Fingerpring.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/Linux1-SSH-Fingerpring.png -------------------------------------------------------------------------------- /docs/media/LogAgent.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/LogAgent.png -------------------------------------------------------------------------------- /docs/media/MS-Sentinel-Legacy-Agents-Syslog-Notif.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/MS-Sentinel-Legacy-Agents-Syslog-Notif.png -------------------------------------------------------------------------------- /docs/media/MS-Sentinel-Legacy-Agents-Syslog.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/MS-Sentinel-Legacy-Agents-Syslog.png -------------------------------------------------------------------------------- /docs/media/Paste-Anyway-cat.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/Paste-Anyway-cat.png 
-------------------------------------------------------------------------------- /docs/media/Paste-Anyway.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/Paste-Anyway.png -------------------------------------------------------------------------------- /docs/media/RG1-Workspace.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/RG1-Workspace.png -------------------------------------------------------------------------------- /docs/media/ResourceGroups.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/ResourceGroups.png -------------------------------------------------------------------------------- /docs/media/SC-200-Lab_Diagrams_Mod7_L1_Ex5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/SC-200-Lab_Diagrams_Mod7_L1_Ex5.png -------------------------------------------------------------------------------- /docs/media/SC-200-Lab_Diagrams_Mod7_L1_Ex6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/SC-200-Lab_Diagrams_Mod7_L1_Ex6.png -------------------------------------------------------------------------------- 
/docs/media/SC200_sysmon_attack3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/SC200_sysmon_attack3.png -------------------------------------------------------------------------------- /docs/media/See-them-in-Logs-x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/See-them-in-Logs-x.png -------------------------------------------------------------------------------- /docs/media/See-them-in-logs-Linux1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/See-them-in-logs-Linux1.png -------------------------------------------------------------------------------- /docs/media/Sentinel-Dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/Sentinel-Dashboard.png -------------------------------------------------------------------------------- /docs/media/Sentinel-Incidents.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/Sentinel-Incidents.png -------------------------------------------------------------------------------- /docs/media/SplunkData_json_file.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/SplunkData_json_file.png -------------------------------------------------------------------------------- /docs/media/SplunkData_json_file2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/SplunkData_json_file2.png -------------------------------------------------------------------------------- /docs/media/Syslog.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/Syslog.png -------------------------------------------------------------------------------- /docs/media/actions2entries.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/actions2entries.png -------------------------------------------------------------------------------- /docs/media/activerulesdetails.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/activerulesdetails.png -------------------------------------------------------------------------------- /docs/media/activerulesdetailsedit.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/activerulesdetailsedit.png -------------------------------------------------------------------------------- /docs/media/addarule.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/addarule.png -------------------------------------------------------------------------------- /docs/media/addarulebaseblobs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/addarulebaseblobs.png -------------------------------------------------------------------------------- /docs/media/addaruledetails.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/addaruledetails.png -------------------------------------------------------------------------------- /docs/media/addfacilitysyslog.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/addfacilitysyslog.png -------------------------------------------------------------------------------- /docs/media/addresources.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/addresources.png -------------------------------------------------------------------------------- /docs/media/addroleassignment.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/addroleassignment.png -------------------------------------------------------------------------------- /docs/media/addroleassignmentowner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/addroleassignmentowner.png -------------------------------------------------------------------------------- /docs/media/amacreatedatacollectionrule.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/amacreatedatacollectionrule.png -------------------------------------------------------------------------------- /docs/media/analytics-rule-wizard-general.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/analytics-rule-wizard-general.png -------------------------------------------------------------------------------- /docs/media/analyticsrulewizardgeneral.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/analyticsrulewizardgeneral.png -------------------------------------------------------------------------------- /docs/media/automated_response_add_new.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/automated_response_add_new.png -------------------------------------------------------------------------------- /docs/media/automatedresponsetab.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/automatedresponsetab.png -------------------------------------------------------------------------------- /docs/media/automation-breadcrumb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/automation-breadcrumb.png -------------------------------------------------------------------------------- /docs/media/automation-rules-configure-permissions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/automation-rules-configure-permissions.png -------------------------------------------------------------------------------- /docs/media/automation-rules-more-content.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/automation-rules-more-content.png -------------------------------------------------------------------------------- /docs/media/automation_rule_config2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/automation_rule_config2.png -------------------------------------------------------------------------------- /docs/media/automationrulesaddnew.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/automationrulesaddnew.png -------------------------------------------------------------------------------- /docs/media/automationsearchbyname.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/automationsearchbyname.png -------------------------------------------------------------------------------- /docs/media/azureservicesmicrosoftsentinel.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/azureservicesmicrosoftsentinel.png -------------------------------------------------------------------------------- /docs/media/bell_notification_icon.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/bell_notification_icon.png -------------------------------------------------------------------------------- /docs/media/breadcrumbdataconnectors.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/breadcrumbdataconnectors.png -------------------------------------------------------------------------------- /docs/media/breadcrumbsyslog.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/breadcrumbsyslog.png -------------------------------------------------------------------------------- /docs/media/cat-output-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/cat-output-2.png -------------------------------------------------------------------------------- /docs/media/cat-output.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/cat-output.png -------------------------------------------------------------------------------- /docs/media/clipboard.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/clipboard.png -------------------------------------------------------------------------------- /docs/media/close_queries.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/close_queries.png -------------------------------------------------------------------------------- /docs/media/close_run_paybook_on_incident.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/close_run_paybook_on_incident.png -------------------------------------------------------------------------------- /docs/media/close_sentinel_logs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/close_sentinel_logs.png -------------------------------------------------------------------------------- /docs/media/close_welcome_to_log_analytics.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/close_welcome_to_log_analytics.png -------------------------------------------------------------------------------- /docs/media/configuration_menu_analytics.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/configuration_menu_analytics.png -------------------------------------------------------------------------------- /docs/media/create_microsoft_sentinel_alert.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/create_microsoft_sentinel_alert.png -------------------------------------------------------------------------------- /docs/media/createexportruledestination.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/createexportruledestination.png -------------------------------------------------------------------------------- /docs/media/createexportrulesource.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/createexportrulesource.png -------------------------------------------------------------------------------- /docs/media/data-connectors-windows-security-events.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/data-connectors-windows-security-events.png -------------------------------------------------------------------------------- /docs/media/dataconnectorsama.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/virtual_machine_scope.png -------------------------------------------------------------------------------- /docs/media/virtualmachineslinux1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/virtualmachineslinux1.png -------------------------------------------------------------------------------- /docs/media/watchlists-utilities-install.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/watchlists-utilities-install.png -------------------------------------------------------------------------------- /docs/media/wget.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/wget.png -------------------------------------------------------------------------------- /docs/media/windows-security-events-create-rule.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/TechExcel-Sentinel-onboarding-and-migration-acceleration/f0acf9ae0249de178721674532922d030038d1e5/docs/media/windows-security-events-create-rule.png -------------------------------------------------------------------------------- /docs/media/windows_security_events_create_dcr.png: -------------------------------------------------------------------------------- 
/index.md:

---
title: Introduction
layout: home
nav_order: 1
---

# TechExcel: Sentinel onboarding and migration acceleration (level 300 / CSU) lab

**The estimated time to complete this lab is 180 minutes.**

Humongous IT, a global data infrastructure provider, manages a complex network of private and public clouds, along with on-premises data centers. Recognizing the need to streamline operations and enhance security, the company's board of directors approved a cloud modernization initiative, with a focus on adopting Microsoft Sentinel.

Elisabeth Eriksson, an experienced Azure admin at Humongous IT, has been put in charge of ramping up Microsoft Sentinel. She will execute the deployment plan and ensure that Sentinel's integration aligns with the company's IT framework and security requirements.

**The goal of this lab is to practice configuring an environment for managing Windows and Linux security events in Azure Sentinel, integrating migrated Splunk rules, and simulating attacks to enhance threat detection and incident response.**

Before you start, the Humongous IT environment will have programmatically deployed Windows and Linux virtual machines (VMs) with internet access. The Linux virtual machine has a single modification to the template that adds events to its syslog. The Windows machine will have an event triggered during the lab exercises.

These events will later be sent to Sentinel, which will be configured to interpret them as a potential risk, and you will identify the risk that was created.

As part of Humongous IT's transition to Microsoft Sentinel, the environment has been pre-configured with an Azure workspace and a base Sentinel setup to facilitate the migration from Splunk. We will replicate the steps that Elisabeth Eriksson, the Azure administrator, follows as she manages the critical process of exporting data analytics rules from Splunk and integrating them into Microsoft Sentinel.

Lastly, because Humongous IT's technical team is tasked with understanding and simulating various types of attacks, we will also create detection rules using Log Analytics KQL and investigate incidents.

To successfully complete this lab, you need to perform the following tasks:

- **Set up and configure Sentinel:** Establish a Sentinel environment with a Log Analytics workspace and set up data connectors for Windows and Linux VMs. Configure Azure monitoring agents and define data retention strategies.
- **Develop detection systems:** Import and verify Splunk data, then create and enable Sentinel analytics rules for threat detection.
- **Simulate threats and create detections:** Review and simulate various attack types using different methods, and develop detections with Log Analytics KQL.
- **Investigate and respond:** Analyze incidents and alerts in Sentinel, and deploy ASIM parsers for targeted registry events in Windows.

## Exercises

This lab has exercises on:

- Configuring the Azure environment for Microsoft Sentinel
- Standing up Microsoft Sentinel with Windows and Linux data connectors
- Data Operations
- Importing Splunk data into Microsoft Sentinel
- Verifying the Splunk migration
- Importing a Splunk data export file into Microsoft Sentinel
- Verifying the migration of Splunk data rules
- Enabling migrated Splunk rules within Microsoft Sentinel
- Simulating various types of security attacks and developing detection strategies
- Creating and implementing analytics rules using Log Analytics KQL
- Investigating and responding to incidents and alerts within Microsoft Sentinel
- Deploying Advanced Security Information Management (ASIM) parsers for specific event monitoring

## Disclaimer

This presentation, demonstration, and demonstration model are for informational purposes only and (1) are not subject to SOC 1 and SOC 2 compliance audits, and (2) are not designed, intended or made available as a medical device(s) or as a substitute for professional medical advice, diagnosis, treatment or judgment. Microsoft makes no warranties, express or implied, in this presentation, demonstration, and demonstration model. Nothing in this presentation, demonstration, or demonstration model modifies any of the terms and conditions of Microsoft's written and signed agreements. This is not an offer and applicable terms and the information provided are subject to revision and may be changed at any time by Microsoft.

This presentation, demonstration, and demonstration model do not give you or your organization any license to any patents, trademarks, copyrights, or other intellectual property covering the subject matter in this presentation, demonstration, and demonstration model.

The information contained in this presentation, demonstration and demonstration model represents the current view of Microsoft on the issues discussed as of the date of presentation and/or demonstration, for the duration of your access to the demonstration model. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of presentation and/or demonstration and for the duration of your access to the demonstration model.

No Microsoft technology, nor any of its component technologies, including the demonstration model, is intended or made available as a substitute for the professional advice, opinion, or judgment of (1) a certified financial services professional, or (2) a certified medical professional. Partners or customers are responsible for ensuring the regulatory compliance of any solution they build using Microsoft technologies.

## Copyright

© 2024 Microsoft Corporation. All rights reserved.

By using this demo/lab, you agree to the following terms:

The technology/functionality described in this demo/lab is provided by Microsoft Corporation for purposes of obtaining your feedback and to provide you with a learning experience. You may only use the demo/lab to evaluate such technology features and functionality and provide feedback to Microsoft. You may not use it for any other purpose. You may not modify, copy, distribute, transmit, display, perform, reproduce, publish, license, create derivative works from, transfer, or sell this demo/lab or any portion thereof.

COPYING OR REPRODUCTION OF THE DEMO/LAB (OR ANY PORTION OF IT) TO ANY OTHER SERVER OR LOCATION FOR FURTHER REPRODUCTION OR REDISTRIBUTION IS EXPRESSLY PROHIBITED.

THIS DEMO/LAB PROVIDES CERTAIN SOFTWARE TECHNOLOGY/PRODUCT FEATURES AND FUNCTIONALITY, INCLUDING POTENTIAL NEW FEATURES AND CONCEPTS, IN A SIMULATED ENVIRONMENT WITHOUT COMPLEX SET-UP OR INSTALLATION FOR THE PURPOSE DESCRIBED ABOVE. THE TECHNOLOGY/CONCEPTS REPRESENTED IN THIS DEMO/LAB MAY NOT REPRESENT FULL FEATURE FUNCTIONALITY AND MAY NOT WORK THE WAY A FINAL VERSION MAY WORK. WE ALSO MAY NOT RELEASE A FINAL VERSION OF SUCH FEATURES OR CONCEPTS. YOUR EXPERIENCE WITH USING SUCH FEATURES AND FUNCTIONALITY IN A PHYSICAL ENVIRONMENT MAY ALSO BE DIFFERENT.