Task 3.7: Test the Analytics rules

In this task you’ll use Sentinel to create a new high priority Scheduled Query Rule for Linux.

Azure and Microsoft Sentinel can take a significant amount of time to cycle through their queues. This can delay the reporting of incidents by up to 30 minutes.

If all steps during this lab have completed successfully it’s still possible for the tests in this task to not return any results in the interim.

---

1. On the Microsoft Sentinel Analytics pane, in the left navigation, under Threat management select Incidents.

2. To confirm that the Windows Security incident has been reported, in the Search by ID, title, tags, owner or product search box, enter NRT Security Event log cleared and select Enter.
   • One or more entries should appear in the list of incidents.
3. To confirm that the Linux Syslog incident has been reported, in the Search by ID, title, tags, owner or product search box, enter Linux Custom Rule and select Enter.
   • One or more entries should appear in the list of incidents.
4. To confirm that the Windows Security event Watchlist has been created, in the left navigation, under Configuration select Watchlist.
   • The watchlist named SecurityEventLogClear should be displayed in the list of Watchlists.

If the SecurityEventLogClear Watchlist doesn’t appear in the list, select Refresh from the menu.