< Previous Challenge - Home - Next Challenge>
Challenge-02 needs to be complete; this challenge is dependent on having logon events 4624 and 4625 sent to the Sentinel Log Analytics workspace
A big part of running a SEIM/SOAR solution is triaging as many of the ‘false’ positives as possible. False is in quotes because we still want to keep the data, it is potentially useful, but we know that many alerts/incidents can be closed automatically as they are expected behaviors.
In this challenge, we will create Alerts and Incidents based on tracking logins to our server and leverage Watchlists to identify safe IP addresses. The objective is to ensure that we know everytime a user logs into the machine, or fails to log into the machine. Select two tactics that represent what kind of attack could be underway using the Mitre.org framework.
Alerts
Create an Alert and an Incident based on a user logon . Include the account of the user that logged on and the IP address as Entities.
Write down your justification for tactics selected, severity, query scheduling, alert threshold and event grouping.
Reporting - Create a workbook that tracks the number alerts generated by user activity - successful and failed logon attempts.
Watchlists
Create a Watchlist containing a userName and an IPAddress. Include your home IP address. (Hint: Alias – validips) Example:
Modify the Watchlist and add another row containing “AsiaAdmin” and the home/work IP address of one of your WTH colleagues.
Example: AsiaAdmin, 173.135.10.193
Set the retention date for Watchlist table to 7 days maximum. (Hint: ARM template) and validate the date has been set correctly
Alerts
Watchlists
Look for resources that can help you with setting table retention and verifying it
Each alert is one incident
Too comfortable? Eager to do more? Try these additional challenges!