Task 3.1: Create an Analytics rule using the Windows Security events clear template

In this task you’ll create an Analytics rule to handle Windows Security event log clearing incidents and create automation to report on these incidents.

Events are being triggered in this lab every 5 minutes, incidents should eventually appear on their own.

The following documents may help you complete this task.

• Azure Sentinel: Using rule templates

---

1. Return to the Microsoft Sentinel Data connectors page by selecting it in the breadcrumb navigation at the top of the page.

   

2. On the left navigation, scroll down to Configuration, then select Analytics.

3. On the Rule templates tab in the Search by ID, name, tactic or technique box search for and select NRT Security Event log cleared.

   

4. On the NRT Security Event log cleared panel to the right review the details and select Create rule

5. On the Analytics rule wizard - Create new NRT rule page, on the General tab, accept the defaults and select Next : Set rule logic >.

6. On the Set rule logic tab, review the values and select Next : Incident settings >

7. On the Incident settings tab, review the values and select Next : Automated response >.

8. On the Automated response tab, select Next : Review + create >.

   A new automation rule will be added to this template later in this exercise.

9. Once the validation has completed successfully select Save.