Challenge 02 - Custom Queries & Watchlists


Pre-requisites

Challenge-02 needs to be complete; this challenge depends on logon events 4624 (successful logon) and 4625 (failed logon) being sent to the Sentinel Log Analytics workspace.

Introduction

A big part of running a SIEM/SOAR solution is triaging as many of the ‘false’ positives as possible. False is in quotes because we still want to keep the data, as it is potentially useful, but we know that many alerts/incidents can be closed automatically because they reflect expected behaviour.

Description

In this challenge, we will create Alerts and Incidents based on tracking logins to our server and leverage Watchlists to identify safe IP addresses. The objective is to ensure that we know every time a user logs into the machine, or fails to log into the machine. Select two tactics that represent what kind of attack could be underway using the Mitre.org framework.
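One way to combine the two ideas (logon tracking plus a watchlist of safe sources) in a single query is shown below. This is an added example, not part of the original challenge. It assumes Windows Security events arrive in the SecurityEvent table (the default for the Windows Security Events connector), that the watchlist alias is SafeIPs, and that the watchlist has a column named IPAddress; the alias and column name are assumptions, so change them to match your workspace.

```kql
// Added example, not from the original challenge.
// Assumptions: watchlist alias "SafeIPs" with an "IPAddress" column.
// Logons whose source IP is on the watchlist are dropped before alerting,
// so the raw 4624/4625 events stay in the table for later investigation.
let safeIPs = _GetWatchlist('SafeIPs')
    | project IPAddress = tostring(IPAddress);
SecurityEvent
| where EventID in (4624, 4625)
// Label the outcome so one query covers both success and failure
| extend Outcome = iff(EventID == 4624, "Success", "Failure")
// Local/console logons carry no usable remote address; ignore those
| where isnotempty(IpAddress) and IpAddress !in ("-", "::1", "127.0.0.1")
// Suppress known-good sources from the watchlist
| where IpAddress !in (safeIPs)
| project TimeGenerated, Computer, TargetUserName, LogonType, IpAddress, Outcome, EventID
| order by TimeGenerated desc
```

Run the query in the Logs blade first to confirm the watchlist lookup returns rows, then use it as the rule query of a Scheduled analytics rule. With the default alert grouping each query run that returns results raises one alert, and each alert becomes one incident, which is what the tip below describes; to test the watchlist exclusion, add your own management IP to SafeIPs and confirm your logons disappear from the results.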

Alerts

Watchlists

Success Criteria

Alerts

Watchlists

Learning Resources

Tips

Look for resources that can help you with setting table retention and verifying it.

Each alert is one incident.

Advanced Challenges

Too comfortable? Eager to do more? Try these additional challenges!