Task 1: Configure Data Collection rules (DCRs) in Microsoft Sentinel
In Microsoft Sentinel, go to the Configuration menu section and select Data connectors.
Search for and select Windows Security Events via AMA.
Select Open connector page.
In the Configuration area, select +Create data collection rule.
On the Basics tab enter a Rule Name.
On the Resources tab expand your subscription and the RG1 resource group in the Scope column.
Select VM1, and then select Next: Collect >
On the Collect tab leave the default of All Security Events.
Select Next: Review + create >, then select Create.
Task 2: Create a near real-time (NRT) query detection
In Microsoft Sentinel, go to the Configuration menu section and select Analytics.
Select + Create, and NRT query rule (Preview).
Enter a Name for the rule, and select Privilege Escalation from Tactics and techniques.
Select Next: Set rule logic >.
Enter the KQL query into the Rule query form:
```kusto
// Event 4732: a member was added to a security-enabled local group.
// The group name is written as a verbatim string literal (@"...") because a
// backslash inside a plain double-quoted KQL string is an escape character.
SecurityEvent
| where EventID == 4732
| where TargetAccount == @"Builtin\Administrators"
```
Select Next: Incident settings >, and select Next: Automated response >.
Select Next: Review + Create.
When validation is complete select Save.
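The following is an added example, not part of the lab: it emulates the filter of the NRT rule from Task 2 over a few constructed SecurityEvent rows, so you can see which events the rule surfaces (a 4732 addition to the local Administrators group) and which it ignores (other local groups, removals, and domain-group event 4728), and it renders the rule query with the group name correctly escaped. The row layout, host names and accounts are constructed sample data.

```python
"""
Added example (not from the lab): emulate the Task 2 NRT rule filter over
constructed SecurityEvent rows and render the query with safe escaping.
"""
from dataclasses import dataclass

# The group name the rule matches on. KQL "==" is case-sensitive, so the value
# must match the SecurityEvent.TargetAccount column exactly.
LOCAL_ADMINS = r"Builtin\Administrators"


@dataclass(frozen=True)
class SecurityEvent:
    """Subset of SecurityEvent table columns that the detection uses."""
    TimeGenerated: str
    Computer: str
    EventID: int
    TargetAccount: str   # "<BUILTIN or domain>\<group>" that was modified
    MemberName: str      # account added (4732/4728) or removed (4733/4729)
    SubjectAccount: str  # account that performed the change


# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    SecurityEvent("2024-01-01T10:00:00Z", "VM1", 4732, LOCAL_ADMINS,
                  r"VM1\svc-backup", r"VM1\adminuser"),          # should fire
    SecurityEvent("2024-01-01T10:00:05Z", "VM1", 4732,
                  r"Builtin\Remote Desktop Users",
                  r"VM1\helpdesk", r"VM1\adminuser"),             # other group
    SecurityEvent("2024-01-01T10:00:09Z", "VM1", 4733, LOCAL_ADMINS,
                  r"VM1\svc-backup", r"VM1\adminuser"),          # removal, not addition
    SecurityEvent("2024-01-01T10:00:12Z", "DC1", 4728,
                  r"CONTOSO\Domain Admins",
                  r"CONTOSO\jdoe", r"CONTOSO\admin"),             # domain group event
]


def kql_rule_query(group: str = LOCAL_ADMINS) -> str:
    """Render the NRT rule query.

    The group name is emitted as a verbatim @"..." literal because a backslash
    inside a plain double-quoted KQL string is an escape character.
    """
    return "\n".join([
        "SecurityEvent",
        "| where EventID == 4732",
        f'| where TargetAccount == @"{group}"',
    ])


def local_admin_additions(events, group: str = LOCAL_ADMINS):
    """Python equivalent of the rule's two where clauses."""
    return [e for e in events if e.EventID == 4732 and e.TargetAccount == group]


if __name__ == "__main__":
    print(kql_rule_query())
    for hit in local_admin_additions(SAMPLE_EVENTS):
        print(f"ALERT {hit.TimeGenerated} {hit.Computer}: "
              f"{hit.SubjectAccount} added {hit.MemberName} to {hit.TargetAccount}")
```

Only the first sample row is returned; the removal (4733) and the domain-group change (4728) pass through untouched, which is why a detection for domain-level privilege escalation needs its own rule rather than a wider match on this one.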
Task 3: Configure automation in Microsoft Sentinel
In Microsoft Sentinel, go to the Configuration menu section and select Automation.
Select + Create, and Automation rule.
Enter an Automation rule name, and select Assign owner from Actions.
Assign Operator1 as the owner.