Exercise 3: Data Operations

Now that Microsoft Sentinel has been set up, storage has been configured and data connectors for the Linux and Windows VMs have been created it’s time to set up and configure the specific data operations that will be monitored for and reported on.

As the Azure administrator, you’ll need to configure Microsoft Sentinel to handle some representative events in Windows and Linux. For this exercise you’ll need to do the following:

• Create an Analytics rule to handle Windows Security event log clearing incidents and create automation to report on these incidents.
• Create an Analytics rule to handle Linux Syslog injection compromise incidents.
• Configure roles and permissions for Microsoft Sentinel to access the appropriate services.
• Test the Analytics rules to verify that the correct incidents are trapped and reported.
• Modify the Add-HostToWatchList Logic App.
• Configure the Windows data connector to be linked to the modified Logic app.
• Configure an Azure Analytics rule for Linux.

---

Table of contents

• 1. Create an Analytics rule using the Windows Security events clear template
• 2. Create a Microsoft Sentinel Playbook
• 3. Add Role-based permission assignments
• 4. Modify the Logic app
• 5. Add automation to the Windows Security event log clear incident
• 6. Configure an Azure Analytics rule for Linux
• 7. Test the Analytics rules