hands-on lab

Investigating Security Events using Microsoft Sentinel

Intermediate

1h 30m

613

4.6/5

Start lab

Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.

Learn and validateUse validations to check your solutions every step of the way.

See resultsTrack your knowledge and monitor your progress.

Lab description

Microsoft Sentinel is a cloud-based SIEM (security information event management) solution that offers advanced intelligence tools across the organizations to secure the cloud and on-premises resources. The core offering of the Microsoft Sentinel revolves around collecting data at scale while detecting the threat in real-time using artificial intelligence to hunt the suspicious activities, ultimately performing actions to either remediate based on the preconfigured actions or provide a response plan to the security teams in an organization.

While deploying new resources in the cloud, securing the assets is crucial as keeping them highly available for production usage. Whether it's a simple DDoS attack or a complicated privilege escalation attack, Microsoft Sentinel gives you the visibility to detect and respond to the attack before it's too late. Understanding how the SIEM tools work and leveraging them to their maximum be a significant differentiator for your job role and skills.

In this hands-on lab, you will understand how to identify, capture and generate incidents for security events and potential attacks using Microsoft Sentinel.

Learning Objectives

Upon completion of this intermediate-level lab, you will be able to:

Use Data Connector to collect Windows VM Security Events
Create Analytics Rule to detect and create incidents based on Security Events
Investigate incidents in Microsoft Sentinel

Intended Audience

Candidates for Azure Security Engineer (AZ-500)
Cloud Architects
Data Engineers
DevOps Engineers
Software Engineers

Prerequisites

Familiarity with the following will be beneficial but is not required:

Azure Windows Virtual Machines
Azure Log Analytics
Microsoft Sentinel

The following content can be used to fulfill the prerequisite:

Updates

September 5th, 2023 - Resolved data connector issue

June 27th, 2023 - Updated the instructions and screenshots to reflect the latest UI

January, 25th, 2023 - Updated the instructions and screenshots to reflect the latest UI

November 29th, 2022: Rebranded Sentinel to reflect the new name: Microsoft Sentinel

Environment before

Environment after

About the author

Parveen Singh, opens in a new tab

Cloud Lab Developer

Students

14,509

Labs

Courses

Learning paths

Parveen is an Azure advocate with previous experience in the professional consulting services industries. He specializes in infrastructure and DevOps with a wide range of knowledge in security and access management. He is also an Azure Certified - DevOps Engineer Expert, Security Engineer, Developer Associate, Administrator Associate, CompTIA Certified - Network+, Security+, and AWS Cloud Practitioner.
Parveen enjoys writing about cloud technologies and sharing the knowledge with the community to help students upskill in the cloud.

Covered topics

Lab steps

Logging in to the Microsoft Azure Portal

Enabling Data Connector to Capture Security Events

Creating Sentinel Analytics Rule

Simulating Password Brute-Force Attack on the Azure VM

Investigating Sentinel Incidents Generated By Analytics Rule

Lab rules apply