diff --git a/Allfiles/Bicep/Create-NewSolutionAndRulesFromList.ps1 b/Allfiles/Bicep/Create-NewSolutionAndRulesFromList.ps1 new file mode 100644 index 00000000..e4c8eb11 --- /dev/null +++ b/Allfiles/Bicep/Create-NewSolutionAndRulesFromList.ps1 @@ -0,0 +1,226 @@ +param( + [Parameter(Mandatory = $true)][string]$ResourceGroup, + [Parameter(Mandatory = $true)][string]$Workspace, + [Parameter(Mandatory = $true)][string]$Region, + [Parameter(Mandatory = $true)][string[]]$Solutions, + [Parameter(Mandatory = $true)][string]$SubscriptionId, + [Parameter(Mandatory = $true)][string]$TenantId, + [Parameter(Mandatory = $true)][string]$Identity, + [Parameter(Mandatory = $false)][string]$Buffer +) + +Write-Output "Resource Group: $ResourceGroup" +Write-Output "Workspace: $Workspace" +Write-Output "Region: $Region" +Write-Output "Solutions: $Solutions" +Write-Output "SubscriptionId: $SubscriptionId" +Write-Output "TenantId: $TenantId" +Write-Output "Identity: $Identity" +Write-Output "Buffer: " $Buffer + +$VerbosePreference = "Continue" + +Connect-AzAccount -Identity -AccountId $Identity + +$SeveritiesToInclude = @("informational", "low", "medium", "high") +$apiVersion = "?api-version=2024-03-01" +$instanceProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile +$profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($instanceProfile) +$token = $profileClient.AcquireAccessToken($TenantId) +$authHeader = @{ + 'Content-Type' = 'application/json' + 'Authorization' = 'Bearer ' + $token.AccessToken +} + +$serverUrl = "https://management.azure.com" +$baseUri = $serverUrl + $SubscriptionId + "/resourceGroups/${ResourceGroup}/providers/Microsoft.OperationalInsights/workspaces/${Workspace}" +$alertUri = "$baseUri/providers/Microsoft.SecurityInsights/alertRules/" + +Write-Output " Base Uri: $baseUri" + +# Get a list of all the solutions +$url = $baseUri + "/providers/Microsoft.SecurityInsights/contentProductPackages" + $apiVersion + +Write-Output " Content Product Packages Uri: $url" + +$allSolutions = (Invoke-RestMethod -Method "Get" -Uri $url -Headers $authHeader ).value + +Write-Output "Number of solutions: " ($allSolutions.count) + +#Deploy each single solution +foreach ($deploySolution in $Solutions) { + Write-Output "Deploy Solution: $deploySolution" + if ($deploySolution.StartsWith("[")) + { + $deploySolution = $deploySolution.Substring(1) + } + Write-Output "Deploy Solution: $deploySolution" + $singleSolution = $allSolutions | Where-Object { $_.properties.displayName -Contains $deploySolution } + if ($null -eq $singleSolution) { + Write-Error "Unable to get find solution with name $deploySolution" + } + else { + $solutionURL = $baseUri + "/providers/Microsoft.SecurityInsights/contentProductPackages/$($singleSolution.name)" + $apiVersion + $solution = (Invoke-RestMethod -Method "Get" -Uri $solutionURL -Headers $authHeader ) + Write-Output "Solution name: " $solution.name + $packagedContent = $solution.properties.packagedContent + #Some of the post deployment instruction contains invalid characters and since this is not displayed anywhere + #get rid of them. + foreach ($resource in $packagedContent.resources) { + if ($null -ne $resource.properties.mainTemplate.metadata.postDeployment ) { + $resource.properties.mainTemplate.metadata.postDeployment = $null + } + } + $installBody = @{"properties" = @{ + "parameters" = @{ + "workspace" = @{"value" = $Workspace } + "workspace-location" = @{"value" = $Region } + } + "template" = $packagedContent + "mode" = "Incremental" + } + } + $deploymentName = ("allinone-" + $solution.name) + if ($deploymentName.Length -ge 64) { + $deploymentName = $deploymentName.Substring(0, 64) + } + $installURL = $serverUrl + $SubscriptionId + "/resourcegroups/$($ResourceGroup)/providers/Microsoft.Resources/deployments/" + $deploymentName + $apiVersion + Write-Output "Deploying solution: $deploySolution" + Write-Output "Deploy URL: $installURL" + + try { + Invoke-RestMethod -Uri $installURL -Method Put -Headers $authHeader -Body ($installBody | ConvertTo-Json -EnumsAsStrings -Depth 50 -EscapeHandling EscapeNonAscii) + Write-Output "Deployed solution: $deploySolution" + } + catch { + $errorReturn = $_ + Write-Error $errorReturn + } + } + +} + +##### +#create rules from any rule templates that came from solutions +##### + +if (($SeveritiesToInclude -eq "None") -or ($null -eq $SeveritiesToInclude)) { + Exit +} + +#Give the system time to update all the needed databases before trying to install the rules. +Start-Sleep -Seconds 60 + +#URL to get all the needed Analytic Rule templates +$solutionURL = $baseUri + "/providers/Microsoft.SecurityInsights/contentTemplates" + $apiVersion +#Add a filter only return analytic rule templates +$solutionURL += "&%24filter=(properties%2FcontentKind%20eq%20'AnalyticsRule')&%24expand=properties/mainTemplate" + +Write-Output "Solution URL: $solutionURL" + +$results = (Invoke-RestMethod -Uri $solutionURL -Method Get -Headers $authHeader).value + +$BaseAlertUri = $baseUri + "/providers/Microsoft.SecurityInsights/alertRules/" +$BaseMetaURI = $baseURI + "/providers/Microsoft.SecurityInsights/metadata/analyticsrule-" + +Write-Output "Results: " ($results.count) + +Write-Output "Severities to include... $SeveritiesToInclude" + +#Iterate through all the rule templates + foreach ($result in $results ) { + #Make sure that the template's severity is one we want to include + $severity = $result.properties.mainTemplate.resources.properties[0].severity + Write-Output "Rule Template's severity is... $severity " + if ($SeveritiesToInclude.Contains($severity.ToLower())) { + Write-Output "Enabling alert rule template... " $result.properties.template.resources.properties.displayName + + $templateVersion = $result.properties.mainTemplate.resources.properties[1].version + $template = $result.properties.mainTemplate.resources.properties[0] + $kind = $result.properties.mainTemplate.resources.kind + $displayName = $template.displayName + $eventGroupingSettings = $template.eventGroupingSettings + if ($null -eq $eventGroupingSettings) { + $eventGroupingSettings = [ordered]@{aggregationKind = "SingleAlert" } + } + $body = "" + $properties = $result.properties.mainTemplate.resources[0].properties + $properties.enabled = $true + #Add the field to link this rule with the rule template so that the rule template will show up as used + #We had to use the "Add-Member" command since this field does not exist in the rule template that we are copying from. + $properties | Add-Member -NotePropertyName "alertRuleTemplateName" -NotePropertyValue $result.properties.mainTemplate.resources[0].name + $properties | Add-Member -NotePropertyName "templateVersion" -NotePropertyValue $result.properties.mainTemplate.resources[1].properties.version + + + #Depending on the type of alert we are creating, the body has different parameters + switch ($kind) { + "MicrosoftSecurityIncidentCreation" { + $body = @{ + "kind" = "MicrosoftSecurityIncidentCreation" + "properties" = $properties + } + } + "NRT" { + $body = @{ + "kind" = "NRT" + "properties" = $properties + } + } + "Scheduled" { + $body = @{ + "kind" = "Scheduled" + "properties" = $properties + } + + } + Default { } + } + #If we have created the body... + if ("" -ne $body) { + #Create the GUId for the alert and create it. + $guid = (New-Guid).Guid + #Create the URI we need to create the alert. + $alertUri = $BaseAlertUri + $guid + "?api-version=2022-12-01-preview" + try { + Write-Output "Attempting to create rule $($displayName)" + $verdict = Invoke-RestMethod -Uri $alertUri -Method Put -Headers $authHeader -Body ($body | ConvertTo-Json -EnumsAsStrings -Depth 50) + #Invoke-RestMethod -Uri $installURL -Method Put -Headers $authHeader -Body ($installBody | ConvertTo-Json -EnumsAsStrings -Depth 50) + Write-Output "Succeeded" + $solution = $allSolutions.properties | Where-Object -Property "contentId" -Contains $result.properties.packageId + $metabody = @{ + "apiVersion" = "2022-01-01-preview" + "name" = "analyticsrule-" + $verdict.name + "type" = "Microsoft.OperationalInsights/workspaces/providers/metadata" + "id" = $null + "properties" = @{ + "contentId" = $result.properties.mainTemplate.resources[0].name + "parentId" = $verdict.id + "kind" = "AnalyticsRule" + "version" = $templateVersion + "source" = $solution.source + "author" = $solution.author + "support" = $solution.support + } + } + Write-Output " Updating metadata...." + $metaURI = $BaseMetaURI + $verdict.name + "?api-version=2022-01-01-preview" + $metaVerdict = Invoke-RestMethod -Uri $metaURI -Method Put -Headers $authHeader -Body ($metabody | ConvertTo-Json -EnumsAsStrings -Depth 5) + Write-Output "Succeeded" + } + catch { + #The most likely error is that there is a missing dataset. There is a new + #addition to the REST API to check for the existance of a dataset but + #it only checks certain ones. Hope to modify this to do the check + #before trying to create the alert. + $errorReturn = $_ + Write-Error $errorReturn + Write-Output $errorReturn + } + #This pauses for 5 second so that we don't overload the workspace. + Start-Sleep -Seconds 1 + } + else { + Write-Outout "No body created" + } + } + } diff --git a/Allfiles/Bicep/Readme.md b/Allfiles/Bicep/Readme.md new file mode 100644 index 00000000..d4aae635 --- /dev/null +++ b/Allfiles/Bicep/Readme.md @@ -0,0 +1,21 @@ +## Folder for Bicep & PowerShell files + +Use to pre-install Microsoft Sentinel and Content Hub Solutions from WIN1. + +### Instructions + +1. Create a *Resource Group* for the deployment. + + ```azurecli + az group create --location eastus --resource-group Defender-RG + ``` + +1. Deploy the Bicep template. + + ```azurecli + az deployment group create --name testDeploy --template-file .\sentinel.bicep --parameters .\sentinelParams.bicepparam --resource-group Defender-RG + ``` + +### Additional Information + +See the following *Microsoft Tech Community* blog post for more information: [Deploy Microsoft Sentinel using Bicep](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/deploy-microsoft-sentinel-using-bicep/4270970) diff --git a/Allfiles/Bicep/Sentinel.bicep b/Allfiles/Bicep/Sentinel.bicep new file mode 100644 index 00000000..2b5169f5 --- /dev/null +++ b/Allfiles/Bicep/Sentinel.bicep @@ -0,0 +1,133 @@ +targetScope = 'resourceGroup' + +@description('Specifies the name of the client who needs Sentinel.') +param workspaceName string + +@description('Specifies the number of days to retain data.') +param retentionInDays int + +@description('Which solutions to deploy automatically') +param contentSolutions string[] + +var subscriptionId = subscription().id +var location = resourceGroup().location +//Sentinel Contributor role GUID +var roleDefinitionId = 'ab8e14d6-4a74-4a29-9ba8-549422addade' + +// Create the Log Analytics Workspace +resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = { + name: workspaceName + location: location + properties: { + retentionInDays: retentionInDays + } +} + +// Create Microsoft Sentinel on the Log Analytics Workspace +resource sentinel 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = { + name: 'SecurityInsights(${workspaceName})' + location: location + properties: { + workspaceResourceId: workspace.id + } + plan: { + name: 'SecurityInsights(${workspaceName})' + product: 'OMSGallery/SecurityInsights' + promotionCode: '' + publisher: 'Microsoft' + } +} + +// Onboard Sentinel after it has been created +resource onboardingStates 'Microsoft.SecurityInsights/onboardingStates@2022-12-01-preview' = { + scope: workspace + name: 'default' +} + +/* +// Enable the Entity Behavior directory service +resource EntityAnalytics 'Microsoft.SecurityInsights/settings@2023-02-01-preview' = { + name: 'EntityAnalytics' + kind: 'EntityAnalytics' + scope: workspace + properties: { + entityProviders: ['AzureActiveDirectory'] + } + dependsOn: [ + onboardingStates + ] +} + +// Enable the additional UEBA data sources +resource uebaAnalytics 'Microsoft.SecurityInsights/settings@2023-02-01-preview' = { + name: 'Ueba' + kind: 'Ueba' + scope: workspace + properties: { + dataSources: ['AuditLogs', 'AzureActivity', 'SigninLogs', 'SecurityEvent'] + } + dependsOn: [ + EntityAnalytics + ] +} +*/ + +//Create the user identity to interact with Azure +@description('The user identity for the deployment script.') +resource scriptIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { + name: 'script-identity' + location: location +} + +//Pausing for 5 minutes to allow the new user identity to propagate +resource pauseScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = { + name: 'pauseScript' + location: resourceGroup().location + kind: 'AzurePowerShell' + properties: { + azPowerShellVersion: '12.2.0' + scriptContent: 'Start-Sleep -Seconds 300' + timeout: 'PT30M' + cleanupPreference: 'OnSuccess' + retentionInterval: 'PT1H' + } + dependsOn: [ + scriptIdentity + ] +} + +//Assign the Sentinel Contributor rights on the Resource Group to the User Identity that was just created +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(resourceGroup().name, roleDefinitionId) + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId) + principalId: scriptIdentity.properties.principalId + } + dependsOn: [ + pauseScript + ] +} + +// Call the external PowerShell script to deploy the solutions and rules +resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = { + name: 'deploySolutionsScript' + location: resourceGroup().location + kind: 'AzurePowerShell' + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${scriptIdentity.id}': {} + } + } + properties: { + azPowerShellVersion: '12.2.0' + arguments: '-ResourceGroup ${resourceGroup().name} -Workspace ${workspaceName} -Region ${resourceGroup().location} -Solutions ${contentSolutions} -SubscriptionId ${subscriptionId} -TenantId ${subscription().tenantId} -Identity ${scriptIdentity.properties.clientId} ' + scriptContent: loadTextContent('./Create-NewSolutionAndRulesFromList.ps1') + timeout: 'PT30M' + cleanupPreference: 'OnSuccess' + retentionInterval: 'P1D' + } + dependsOn: [ + roleAssignment + ] +} diff --git a/Allfiles/Bicep/sentinelParams.bicepparam b/Allfiles/Bicep/sentinelParams.bicepparam new file mode 100644 index 00000000..4f8a1d23 --- /dev/null +++ b/Allfiles/Bicep/sentinelParams.bicepparam @@ -0,0 +1,12 @@ +using './Sentinel.bicep' + +param workspaceName = 'defenderWorkspace' +param retentionInDays = 90 +param contentSolutions = [ + 'Microsoft Defender For Cloud' + 'Sentinel SOAR Essentials' + 'Azure Activity' + 'Windows Security Events' + 'Common Event Format' + 'Syslog' +] diff --git a/Instructions/Labs/LAB_AK_01_Lab1_Ex1_Explore_M365_Defender.md b/Instructions/Labs/LAB_AK_01_Lab1_Ex01_Explore_Defender_XDR.md similarity index 93% rename from Instructions/Labs/LAB_AK_01_Lab1_Ex1_Explore_M365_Defender.md rename to Instructions/Labs/LAB_AK_01_Lab1_Ex01_Explore_Defender_XDR.md index bac5fd4c..2cc28ca2 100644 --- a/Instructions/Labs/LAB_AK_01_Lab1_Ex1_Explore_M365_Defender.md +++ b/Instructions/Labs/LAB_AK_01_Lab1_Ex01_Explore_Defender_XDR.md @@ -13,14 +13,15 @@ lab: You're a Security Operations Analyst working at a company that is implementing Microsoft Defender XDR. You start by assigning preset security policies used in Exchange Online Protection (EOP) and Microsoft Defender for Office 365. >**Note:** **WWL Tenants - Terms of Use** -If you are being provided with a tenant as a part of an instructor-led training delivery, please note that the tenant is made available for the purpose of supporting the hands-on labs in the instructor-led training. -Tenants should not be shared or used for purposes outside of hands-on labs. The tenant used in this course is a trial tenant and cannot be used or accessed after the class is over and are not eligible for extension. -Tenants must not be converted to a paid subscription. Tenants obtained as a part of this course remain the property of Microsoft Corporation and we reserve the right to obtain access and repossess at any time. +If you are being provided with a tenant as a part of an instructor-led training delivery, please note that the tenant is made available for the purpose of supporting the hands-on labs in the instructor-led training. +Tenants should not be shared or used for purposes outside of hands-on labs. The tenant used in this course is a trial tenant and cannot be used or accessed after the class is over and are not eligible for extension. +Tenants must not be converted to a paid subscription. Tenants obtained as a part of this course remain the property of Microsoft Corporation and we reserve the right to obtain access and repossess at any time. +### Estimated time to complete this lab: 30 minutes ### Task 1: Obtain Your Microsoft 365 Credentials -Once you launch the lab, a free trial tenant is made available to you to access in the Microsoft virtual Lab environment. This tenant is automatically assigned a unique username and password. You must retrieve this username and password so that you can sign into Azure and Microsoft 365 within the Microsoft Virtual Lab environment. +Once you launch the lab, a Microsoft 365 E5 tenant is made available to you to access in the Microsoft virtual Lab environment. This tenant is automatically assigned a unique username and password. You must retrieve this username and password so that you can sign into and Microsoft 365 within the Microsoft Virtual Lab environment. Because this course can be offered by learning partners using any one of several Authorized Lab Hosting (ALH) providers, the actual steps involved to retrieve the tenant ID associated with your tenant may vary by lab hosting provider. Therefore, your instructor will provide you with the necessary instructions for how to retrieve this information for your course. The information that you should note for later use includes: @@ -45,7 +46,7 @@ In this task, you'll assign preset security policies for Exchange Online Protect 1. If shown, close the Microsoft Defender XDR quick tour pop-up window. **Hint:** Later in this lab, you'll need to wait until the Defender workspace is provisioned, you can take this time to navigate through the guided tours to learn more about Microsoft Defender XDR. -1. From the navigation menu, under *Email & Collaboration* area, select **Policies & rules**. +1. From the navigation menu, expand the *Email & Collaboration* section, and select **Policies & rules**. 1. On the *Policy & rules* dashboard, select **Threat policies**. diff --git a/Instructions/Labs/LAB_AK_02_Lab1_Ex01_Explore_Copilot_Security.md b/Instructions/Labs/LAB_AK_02_Lab1_Ex01_Explore_Copilot_Security.md new file mode 100644 index 00000000..15d04293 --- /dev/null +++ b/Instructions/Labs/LAB_AK_02_Lab1_Ex01_Explore_Copilot_Security.md @@ -0,0 +1,297 @@ +--- +lab: + title: 'Exercise 1 - Explore use cases in Microsoft Security Copilot' + module: 'Learning Path 2 - Mitigate threats using Microsoft Security Copilot' +--- + +# Learning Path 2 - Lab 1 - Exercise 1 - Explore Microsoft Security Copilot + +## Lab scenario + +The organization you work for wants to increase the efficiency and capabilities for its security operations analysts, and to improve security outcomes. In support of that objective, the office of the CISO determined that deploying Microsoft Security Copilot is a key step towards that objective. As a Security administrator for your organization, you're tasked with setting up Copilot. + +In this exercise, you go through the *first run experience* of Microsoft Security Copilot to provision Copilot with one security compute unit (SCU). + +>**Note:** +> The environment for this exercise is a simulation generated from the product. As a limited simulation, links on a page may not be enabled and text-based inputs that fall outside of the specified script may not be supported. A pop-up message will display stating, "This feature is not available within the simulation." When this occurs, select OK and continue the exercise steps. +>:::image type="content" source="../media/simulation-pop-up-error.png" alt-text="Screenshot of pop-up screen indicating that this feature is not available within the simulation."::: + +### Estimated time to complete this lab: 45 minutes + +### Task 1: Provision Microsoft Security Copilot + +For this exercise, you're logged in as Avery Howard and you have the global administrator role in Microsoft Entra. You'll work in both the Azure portal and Microsoft Security Copilot. + +This exercise should take approximately **15** minutes to complete. + +>**Note:** +> When a lab instruction calls for opening a link to the simulated environment, it is generally recommended that you open the link in a new browser window so that you can simultaneously view the instructions and the exercise environment. To do so, select the right mouse key and select the option. + +Before users can start using Copilot, admins need to provision and allocate capacity. To provision capacity: + +- You must have an Azure subscription. +- You need to be an Azure owner or Azure contributor, at a resource group level, as a minimum. + +In this task, you walk through the process of ensuring you have the appropriate role permissions. This starts by enabling access management for Azure resources. + +Once you're assigned the User Access Administrator role in Azure, you can assign a user the necessary access to provision SCUs for Copilot. For the purpose of this exercise only, which is to show you the steps involved, you will be assigning yourself the necessary access. The steps that follow will guide you through the process. + +1. Open the simulated environment by selecting this link: **[Azure portal](https://app.highlights.guide/start/6373500f-1f10-4584-a14e-ca0b4aa7399f?link=1&token=40f793d4-2956-40a4-b11a-6b3d4f92557f&azure-portal=true)**. + +1. You'll start by enabling Access management for Azure resources. To access this setting: + 1. From the Azure portal, select **Microsoft Entra ID**. + 1. From the left navigation panel, expand **Manage**. + 1. From the left navigation panel, scroll down and select **Properties**. + 1. Enable the toggle switch for **Access management for Azure resources**, then select **Save**. + +1. Now that you can view all resources and assign access in any subscription or management group in the directory, assign yourself the Owner role for the Azure subscription. + 1. From the blue banner on the top of the page, select **Microsoft Azure** to return to the landing page of the Azure portal. + 1. Select **Subscriptions** then select the subscription listed **Woodgrove - GTP Demos (Exernal/Sponsored)**. + 1. Select **Access control (IAM)**. + 1. Select **Add**, then **Add role assignment**. + 1. From the Role tab, select **Privileged administrator roles**. + 1. Select **Owner**, then select **Next**. + 1. Select **+ Select members**. + 1. Avery Howard is the first name on this list, select the **+** to the right of the name. Avery Howard is now listed under selected members. Select the **Select** button, then select **Next**. + 1. Select **Allow user to assign all roles except privileged administrator roles, Owner, UAA, RBAC (Recommended)**. + 1. Select **Review + assign**, then select **Review + assign** one last time. + +As an owner to the Azure subscription, you'll now be able to provision capacity within Copilot. + +#### Sub-task 1: Provision capacity + +In this task, you go through the steps of provisioning capacity for your organization. There are two options for provisioning capacity: + +- Provision capacity within Security Copilot (recommended) +- Provision capacity through Azure + +For this exercise, you provision capacity through Security Copilot. When you first open Security Copilot, a wizard guides you through the steps in setting up capacity for your organization. + +1. Open the simulated environment by selecting this link: **[Microsoft Security Copilot](https://app.highlights.guide/start/6373500f-1f10-4584-a14e-ca0b4aa7399f?link=0&token=40f793d4-2956-40a4-b11a-6b3d4f92557f&azure-portal=true)**. + +1. Follow the steps in the Wizard, select **Get started**. +1. On this page, you set up your security capacity. For any of the fields listed below, you can select the information icon for more information. + 1. Azure subscription: From the drop-down, select **Woodgrove - GTP Demos (External/Sponsored)**. + 1. Resource group: From the drop-down, select **RG-1**. + 1. Capacity name: Enter a capacity name. + 1. Prompt evaluation location [Geo]: From the drop-down, select your region. + 1. You can choose whether you want to select the option, "If this location has too much traffic, allow Copilot to evaluate prompts anywhere in the world (recommended for optimal performance). + 1. Capacity region is set based on location selected. + 1. Security compute: This field is automatically populated with the minimum required SCU units, which is 1. Leave field with the value of **1**. + 1. Select the box, **"I acknowledge that I have read, understood, and agree to the Terms and Conditions**. + 1. Select **Continue** on the bottom right corner of the page. + +1. The wizard displays information about where your customer data will be stored. The region displayed is based on the region you selected in the Prompt evaluation field. Select **Continue**. + +1. You can select options to help improve Copilot. You can select the toggle based on your preferences. Select **Continue**. + +1. As part of the initial setup, Copilot provides contributor access to everyone by default and includes Global administrators and Security administrators as Copilot owners. In your production environment, you can change who has access to Copilot, once you've completed the initial setup. Select **Continue**. +1. You're all set! Select **Finish**. +1. Close the browser tab, as the next exercise will use a separate link to the lab-like environment. + +### Task 2: Explore the Microsoft Security Copilot standalone experience + +The security administrator for your organization provisioned Copilot. Since you're the senior analyst on the team, the administrator added you as a Copilot owner and asked you to familiarize yourself with the solution. + +In this exercise, you explore all the key landmarks in the landing page of the standalone experience of Microsoft Security Copilot. + +You're logged in as Avery Howard and have the Copilot owner role. You'll work in the standalone experience of Microsoft Security Copilot. + +This exercise should take approximately **15** minutes to complete. + +#### Sub-task 1: Explore the menu options + +In this task, you start your exploration in the home menu. + +1. Open the simulated environment by selecting this link: **[Microsoft Security Copilot](https://app.highlights.guide/start/2cac767e-42c4-4058-afbb-a9413aac461d?link=0&token=40f793d4-2956-40a4-b11a-6b3d4f92557f&azure-portal=true)**. + +1. Select the **Menu** icon ![home menu icon](../media/home-menu-icon.png), which is sometimes referred to as the hamburger icon. + +1. Select **My sessions** and note the available options. + 1. Select recent to view the most recent sessions + 1. Select filter and note the available options, then close the filer. + 1. Select the home menu icon to open the home menu. + +1. Select **Promptbook library**. + 1. Select My promptbooks. A subsequent task dives deeper into promptbooks. + 1. Select Woodgrove. + 1. Select Microsoft. + 1. Select filter to view the available options, then select the X to close. + 1. Select the home menu icon to open the home menu. + +1. Select **Owner settings**. These settings are available to you as a Copilot owner. A Copilot contributor does have not access to these menu options. + 1. For plugins for Security Copilot, select the drop-down for Who can add and manage their own custom plugins to view the available options. + 1. Select drop-down for Who can add and manage custom plugins for everyone in the organization to view the available options. Note, this option is greyed out if Who can add and manage their own custom plugins is set to owners only. + 1. Select the information icon next to "Allow Security Copilot to access data from your Microsoft 365 Services." This setting must be enabled if you want to use the Microsoft Purview plugin. You'll work with this setting in a later exercise. + 1. Select the drop-down for who can upload files to view the available options. + 1. Select the home menu icon to open the home menu. + +1. Select **Role assignment**. + 1. Select Add members, then close. + 1. Expand owner. + 1. Expand contributor. + 1. Select the home menu icon to open the home menu. + +1. Select **Usage monitoring**. + 1. Select the date filter to view available options. + 1. Select the home menu icon to open the home menu. + +1. Select **Settings**. + 1. Select preferences. Scroll down to view available options. + 1. Select data and privacy. + 1. Select About. + 1. Select the X to close the preferences window. + +1. Select where it says **Woodgrove** at the bottom left of the home menu. + 1. When you select this option, you see your tenants. This is referred to as the tenant switcher. In this case, Woodgrove is the only available tenant. + 1. Select the **Home** to return to the landing page. + +#### Sub-task 2: Explore access to recent sessions + +In the center of the landing page, there are cards representing your most recent sessions. + +1. The largest card is your last session. Selecting the title of any session card takes you to that session. +1. Select **View all sessions** to go to the My sessions page. +1. Select **Microsoft Copilot for Security**, next to the home menu icon, to return to the landing page. + +#### Sub-task 3: Explore access to promptbooks + +The next section of the Copilot landing page revolves around promptbooks. The landing page shows tiles for some Microsoft security promptbooks. Here you explore access to promptbooks and the promptbook library. In a subsequent exercise, you explore creating and running a promptbook. + +1. To the right of where it says "Get started with these promptbooks" are a left and right arrow key that allows you to scroll through the tiles for Microsoft security promptbooks. Select the **right arrow >** + +1. Each tile shows the title of the promptbook, a brief description, the number of prompts, and a run icon. Select the title of any of the promptbook tiles to open that promptbook. Select **Vulnerability impact assessment**, as an example. + 1. The window for the selected promptbook provides information, including who created the promptbook, tags, a brief description, inputs required to run the promptbook, and a listing of the prompts. + 2. Note the information about the promptbook and the available options. For this simulation you can't start a new session, you'll do that in a subsequent exercise. + 1. Select **X** to close the window. + +1. Select **View the promptbook library**. + 1. To view promptbooks that you own, select My promptbooks. + 1. Select Woodgrove for a listing of promptbooks owned by Woodgrove, the name of a fictitious organization. + 1. To view built-in, Microsoft owned/developed promptbooks, select Microsoft. + 1. Select the filter icon. Here you can filter based on tags assigned to the workbook. Close the filter window by selecting the X in the New filter tab. + 1. Select **Microsoft Copilot for Security**, next to the home menu icon, to return to the landing page. + +#### Sub-task 4: Explore the prompts and sources icon in the prompt bar + +At the bottom center of the page is the prompt bar. The prompt bar includes the prompts and sources icon, which you explore in this task. In subsequent exercises you'll enter inputs directly in the prompt bar. + +1. From the prompt bar, you can select the prompts icon to select a built-in prompt or a promptbook. Select the **prompts icon** ![prompts icon](../media/prompt-icon.png). + 1. Select **See all promptbooks** + 1. Scroll to view all the available promptbooks. + 1. Select the **back-arrow** next to the search bar to go back. + 1. Select **See all system capabilities**. The list shows all available system capabilities (these capabilities are in effect prompts that you can run). Many system capabilities are associated with specific plugins and as such will only be listed if the corresponding plugin is enabled. + 1. Scroll to view all the available promptbooks. + 1. Select the **back-arrow** next to the search bar to go back. + +1. Select the **sources icon** ![sources icon](../media/sources-icon.png). + 1. The sources icon opens the manage sources window. From here, you can access Plugins or Files. The **Plugins** tab is selected by default. + 1. Select whether you want to view all plugins, those that are enabled (on), or those that are disabled (off). + 1. Expand/collapse list of Microsoft, non-Microsoft, and custom plugins. + 1. Some plugins require configuring parameters. Select the **Set up** button for the Microsoft Sentinel plugin, to view the settings window. Select **cancel** to close the settings window. In a separate exercise, you configure the plugin. + 1. You should still be in the Manage sources window. Select **Files**. + 1. Review the description. + 1. Files can be uploaded and used as a knowledge base by Copilot. In a subsequent exercise, you'll work with file uploads. + 1. Select **X** to close the manage sources window. + +#### Sub-task 5: Explore the help feature + +At the bottom right corner of the window is the help icon where you can easily access documentation and find solutions to common problems. From the help icon, you also submit a support case to the Microsoft support team if you have the appropriate role permissions. + +1. Select the **Help (?)** icon. + 1. Select **Documentation**. This selection opens a new browser tab to the Microsoft Security Copilot documentation. Return to the Microsoft Security Copilot browser tab. + 1. Select **Help**. + 1. Anyone with access to Security Copilot can access the self help widget by selecting the help icon then selecting the Help tab. Here you can find solutions to common problems by entering something about the problem. + 1. Users with a minimum role of Service Support Administrator or Helpdesk Administrator role can submit a support case to the Microsoft support team. If you have this role, a headset icon is displayed. Close the contact support page. + +### Task 3: Explore the Microsoft Security Copilot embedded experience + +In this exercise, you investigate an incident in Microsoft Defender XDR. As part of the investigation, you explore the key features of Microsoft Copilot in Microsoft Defender XDR, including incident summary, device summary, script analysis, and more. You also pivot your investigation to the standalone experience and use the pin board as a way to share details of your investigation with your colleagues. + +You're logged in as Avery Howard and have the Copilot owner role. You'll work in Microsoft Defender, using the new unified security operations platform, to access the embedded Copilot capabilities in Microsoft Defender XDR. Towards the end of the exercise, you pivot to the standalone experience of Microsoft Security Copilot. + +This exercise should take approximately **30** minutes to complete. + +#### Sub-task 1: Explore Incident summary and guided responses + +1. Open the simulated environment by selecting this link: **[Microsoft Defender portal](https://app.highlights.guide/start/f4f590f6-8937-40f9-91ec-632de546ab98?token=40f793d4-2956-40a4-b11a-6b3d4f92557f&azure-portal=true)**. + +1. From the Microsoft Defender portal: + 1. Expand **Investigation & response**. + 1. Expand **Incidents & alerts**. + 1. Select **Incidents**. + +1. Select the first incident in the list, **Incident Id: 30342** named Human-operated ransomware attack was launched from a compromised asset (attack disruption). + +1. This is a complex incident. Defender XDR provides a great deal of information, but with 72 alerts it can be a challenge to know where to focus. On the right side of the incident page, Copilot automatically generates an **Incident summary** that helps guide your focus and response. Select **See more**. + 1. Copilot's summary describes how this incident has evolved, including initial access, lateral movement, collection, credential access and exfiltration. It identifies specific devices, indicates that the PsExec tool was used to launch executable files, and more. + 1. These are all items you can leverage for further investigation. You explore some of these in subsequent tasks. + +1. Scroll down on the Copilot panel and just beneath the summary are **Guided responses**. Guided responses recommend actions in support of triage, containment, investigation, and remediation. + 1. The first item in the triage category it to Classify this incident. Select **Classify** to view the options. Review the guided responses in the other categories. + 1. Select the **Status** button at the top of the guided responses section and filter on **Completed**. Two completed activities show labeled as Attack Disruption. Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization's assets, and provide more time for security teams to remediate the attack fully. +1. Keep the incident page open, you'll use it in the next task. + +#### Sub-task 2: Explore device and identity summary + +1. From the incident page, select the first alert **Suspicious URL clicked**. + +1. Copilot automatically generates an **Alert summary**, which provides a wealth of information for further analysis. For example, the summary identifies suspicious activity, it identifies data collection activities, credential access, malware, discovery activities, and more. + +1. There's a lot of information on the page, so to get a better view of this alert, select **Open alert page**. It's on the third panel on the alert page, next to the incident graph and below the alert title. + +1. On the top of the page, is card for the device parkcity-win10v. Select the ellipses and note the options. Select **Summarize**. Copilot generates a **Device summary**. It's worth nothing that there are many ways you can access device summary and this is just one convenient method. The summary shows the device is a VM, identifies the owner of the device, it shows its compliance status against Intune policies, and more. + +1. Next to the device card is a card for the owner of the device. Select **parkcity\jonaw**. The third panel on the page updates from showing details of the alert to providing information about the user Jonathan Wolcott, an account executive, whose Microsoft Entra ID risk and Insider risk severity are classified as high. These aren't surprising given what you've learned from the Copilot incident and alert summaries. Select the ellipses then select **Summarize** to obtain an identity summary generated by Copilot. + +1. Keep the alert page open, you'll use it in the next task. + +#### Sub-task 3: Explore script analysis + +1. Let's Focus on the alert story. Select **Maximize ![maximize icon](../media/maximize-icon.png)**, located on the main panel of the alert, just beneath the card labeled 'partycity\jonaw' to get a better view of the process tree. From maximized view, you begin to get a clearer view of how this incident came to be. Many line items indicate that powershell.exe executed a script. Since the user Jonathan Wolcott is an account executive, it's reasonable to assume that executing PowerShell scripts isn't something this user is likely to be doing regularly. + +1. Expand the first instance of **powershell.exe execute a script**, it's the one showing the timestamp of 4:57:11 AM. Copilot has the capability to analyze scripts. Select **Analyze**. + 1. Copilot generates an analysis of the script and suggests it could be a phishing attempt or used to deliver a web-based exploit. + 1. Select **Show code**. The code shows a defanged URL. + +1. There are several other items that indicate powershell.exe executed a script. Expand the one labeled **powershell.exe -EncodedCommand...** with the timestamp 5:00:47 AM. The original script was base 64 encoded, but Defender has decoded that for you. For the decoded version, select **Analyze**. The analysis highlights the sophistication of the script used in this attack. + +1. Close the alert story page by selecting the **X** (the X that is to the left of Copilot panel). Now use the breadcrumb to return to the incident. Select **Human-operated ransomware attack was launched from a compromised asset (attack disruption)**. + +#### Sub-task 4: Explore file analysis + +1. You're back at the incident page. In the alert summary, Copilot identified the file Rubeus.exe, which is associated with the 'Kekeo' malware. You can use the file analysis capability in Defender XDR to see what other insights you can get. There are several ways to access files. From the top of the page, select the **Evidence and Response** tab. + +1. From the left side of the screen select **Files**. +1. Select the first item from the list with the entity named **Rubeus.exe**. +1. From the window that opens, select **Analyze**. Copilot generates a summary. +1. Review the detailed file analysis that Copilot generates. +1. Close the file analysis window. + +#### Sub-task 5: Pivot to the standalone experience + +This task is complex and requires the involvement of more senior analysts. In this task, you pivot your investigation and run the Defender incident promptbook so the other analysts have a running start on the investigation. You pin responses to the pin board and generate a link to this investigation that you can share with more advanced members of the team to help investigate. + +1. Return to the incident page by selecting the **Attack story** tab from the top of the page. + +1. Select the ellipses next to Copilot's Incident summary and select **Open in Copilot for Security**. + +1. Copilot opens in the standalone experience and shows the incident summary. You can also run more prompts. In this case, you'll run the promptbook for an incident. Select the **prompt icon** ![prompt icon](../media/prompt-icon.png). + 1. Select **See all promptbooks**. + 1. Select **Microsoft 365 Defender incident investigation**. + 1. The promptbook page opens and asks for the Defender Incident ID. Enter **30342** then select **Run**. + 1. Review the information provided. By pivoting to the standalone experience and running the promptbook, the investigation is able to invoke capabilities from a broader set security solution, beyond just Defender XDR, based on the plugins enabled. + +1. Select the **box icon ![box icon](../media/box-icon.png)** next to the pin icon to select all the prompts and and the corresponding responses, then select the **Pin icon ![pin icon](../media/pin-icon.png)** to save those responses to the pin board. + +1. The pin board opens automatically. The pin board holds your saved prompts and responses, along with a summary of each one. You can open and close the pin board by selecting the **pin board icon ![pin board icon](../media/pinboard-icon.png)**. + +1. From the top of the page, select **Share** to view your options. By sharing the incident via a link or email, people in your organization with Copilot access can view this session. Close the window by selecting the **X**. + +1. You can now close the browser tab to exit the simulation. + +## Summary and additional resources + +In this exercise, you explored the first run experience of Microsoft Security Copilot, provisioned capacity, and explored the standalone and embedded experiences of Copilot. You investigated an incident in Microsoft Defender XDR, explored the incident summary, device summary, script analysis, and more. You also pivoted your investigation to the standalone experience and used the pin board as a way to share details of your investigation with your colleagues. + +To run additional Microsoft Security Copilot use case simulations, browse to [Explore Microsoft Security Copilot use case simulations](/training/modules/security-copilot-exercises/) diff --git a/Instructions/Labs/LAB_AK_03_Lab1_Ex01_Explore_Purview_Audit.md b/Instructions/Labs/LAB_AK_03_Lab1_Ex01_Explore_Purview_Audit.md new file mode 100644 index 00000000..cbfa3aed --- /dev/null +++ b/Instructions/Labs/LAB_AK_03_Lab1_Ex01_Explore_Purview_Audit.md @@ -0,0 +1,48 @@ +--- +lab: + title: 'Exercise 1 - Explore Microsoft Purview Audit logs' + module: 'Learning Path 3 - Mitigate threats using Microsoft Purview' +--- + +# Learning Path 3 - Lab 1 - Exercise 1 - Explore Microsoft Purview Audit logs + +## Lab scenario + +You're a Security Operations Analyst working at a company that is implementing Microsoft Defender XDR and Microsoft Purview. You're assisting colleagues on the the IT compliance team with configuring both Purview Audit (Standard) and Audit (Premium). Their objective is to ensure that all access and modifications to patient data in our network of healthcare facilitie sare accurately logged to meet health data protection regulations. + +### Estimated time to complete this lab: 15 minutes + +### Task 1: Enable Purview Audit logs + +In this task, you'll assign preset security policies for Exchange Online Protection (EOP) and Microsoft Defender for Office 365 in the Microsoft 365 security portal. + +1. Log in to WIN1 virtual machine as Admin with the password: **Pa55w.rd**. + +1. Start the Microsoft Edge browser. + +1. In the Microsoft Edge browser, go to the Microsoft Defender XDR portal at (). + +1. In the **Sign in** dialog box, copy, and paste in the tenant Email account for the admin username provided by your lab hosting provider and then select **Next**. + +1. In the **Enter password** dialog box, copy, and paste in the admin's tenant password provided by your lab hosting provider and then select **Sign in**. + +1. From the navigation menu, expand *Operational technology* and select **More resources**. + +1. In the **More resources** pane, select the **Open** button om the *Microsoft Purview portal* tile. + +1. When the Microsoft Purview portal opens, a message about the *new Microsoft Purview portal* will appear on the screen. Select the option to agree with the terms of data flow disclosure and the privacy statement, then select **Try now**. + + ![Screenshot showing the Welcome to the new Microsoft Purview portal screen.](../Media/welcome-purview-portal.png) + +1. Select **Solutions** from the left sidebar, then select **Audit**. + +1. On the **Search** page, select the blue **Start recording user and admin activity** bar to enable audit logging. + + ![Screenshot showing the Start recording user and admin activity button.](../Media/enable-audit-button.png) + +1. Once you select this option, the blue bar should disappear from this page. + + >**Note:** + > It might take 60 minutes to start recording activities. + +## You have completed the lab diff --git a/Instructions/Labs/LAB_AK_03_Lab1_Ex1_Enable_Defender.md b/Instructions/Labs/LAB_AK_03_Lab1_Ex1_Enable_Defender.md deleted file mode 100644 index 23efb8f1..00000000 --- a/Instructions/Labs/LAB_AK_03_Lab1_Ex1_Enable_Defender.md +++ /dev/null @@ -1,230 +0,0 @@ ---- -lab: - title: 'Exercise 1 - Enable Microsoft Defender for Cloud' - module: 'Learning Path 3 - Mitigate threats using Microsoft Defender for Cloud' ---- - -# Learning Path 3 - Lab 1 - Exercise 1 - Enable Microsoft Defender for Cloud - -## Lab scenario - -![Lab overview.](../Media/SC-200-Lab_Diagrams_Mod3_L1_Ex1.png) - -You're a Security Operations Analyst working at a company that is implementing cloud workload protection with Microsoft Defender for Cloud. In this lab, you enable Microsoft Defender for Cloud. - ->**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Enable%20Microsoft%20Defender%20for%20Cloud)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. - - -### Task 1: Access the Azure portal and set up a Subscription - -In this task, you'll set up an Azure Subscription required to complete this lab and future labs. - -1. Log in to **WIN1** virtual machine as Admin with the password: **Pa55w.rd**. - -1. Open the Microsoft Edge browser or open a new tab if already open. - -1. In the Microsoft Edge browser, navigate to the Azure portal at . - -1. In the **Sign in** dialog box, copy, and paste in the tenant Email account for the admin username provided by your lab hosting provider and then select **Next**. - -1. In the **Enter password** dialog box, copy, and paste in the admin's tenant password provided by your lab hosting provider and then select **Sign in**. - -1. In the Search bar of the Azure portal, type *Subscription*, then select **Subscriptions**. - -1. Select the *"Azure Pass - Sponsorship"* subscription shown (or equivalent name in your selected language). - - >**Note:** If the subscription is not shown, ask your instructor on how to create the Azure subscription with your tenant admin user credentials. **Note:** The subscription creation process could take up to 10 minutes. - -1. Select **Access control (IAM)** and then select **Add role assignment** from the *Grant access to this resource* box. - -1. Select the **Privileged administrator roles** tab and then select **Owner**. Select **Next** to continue. - -1. Under the *Members* tab, select **+ Select members** and select the **MOD Administrator** account and select **Select** to continue. - - >**Note:** If the **Conditions** tab displays a red dot, select **Next**, and either select **Not constrained** if presented with the *Delegation* type, or select **Allow user to assign all roles (highly privileged)** if presented with *What user can do*. - -1. Select **Review + assign** twice to assign the owner role to your admin account. - ->**Important:** These labs have been designed to use less than USD $10 of Azure services during the class. - - -### Task 2: Create a Log Analytics Workspace - -In this task, you create a Log Analytics workspace for use with Azure Monitoring, Microsoft Sentinel and Microsoft Defender for Cloud. - -1. In the Search bar of the Azure portal, type *Log Analytics workspaces*, then select the same service name. - -1. Select **+Create** from the command bar. - -1. Select **Create new** for the Resource group. - -1. Enter *RG-Defender* and select **Ok**. - -1. For the Name, enter something unique like: *uniquenameDefender*. - -1. Select **Review + Create**. - -1. Once the workspace validation has passed, select **Create**. Wait for the new workspace to be provisioned, this may take a few minutes. - - -### Task 3: Enable Microsoft Defender for Cloud - -In this task, you'll enable and configure Microsoft Defender for Cloud. - -1. In the Search bar of the Azure portal, type *Defender*, then select **Microsoft Defender for Cloud**. - -1. On the **Getting started** page, under the **Upgrade** tab, make sure your subscription is selected, and then select the **Upgrade** button at the bottom of the page. Wait for the *Trial started* notification to appear, it takes about 2 minutes. - - >**Hint:** You can click the bell button on the top bar to review your Azure portal notifications. - - >**Note:** If you see the error *"Could not start Azure Defender trial on the subscription"*, continue with the next steps to enable all the Defender plans in Step 5. - -1. In the left menu for Microsoft Defender for Cloud, under the Management, select **Environment settings**. - -1. Select the **"Azure Pass - Sponsorship"** subscription (or equivalent name in your Language). - -1. Review the Azure resources that are now protected with the Defender for Cloud plans. - - >**Important:** If all Defender plans are *Off*, select **Enable all plans**. Select the *$200/month Microsoft Defender for APIs Plan 1* and then select **Save**. Select **Save** at the top of the page and wait for the *"Defender plans (for your) subscription were saved successfully!"* notifications to appear. - -1. Select the **Settings & monitoring** tab from the Settings area (next to Save). - -1. Review the monitoring extensions. It includes configurations for Virtual Machines, Containers, and Storage Accounts. Close the "Settings & monitoring" page by selecting the 'X' on the upper right of the page. - -1. Close the settings page by selecting the 'X' on the upper right of the page to go back to the **Environment settings** and select the '>' to the left of your subscription. - -1. Select the Log analytics workspace you created earlier *uniquenameDefender* to review the available options and pricing. - -1. Select **Enable all plans** (to the right of Select Defender plan) and then select **Save**. Wait for the *"Microsoft Defender plan for workspace uniquenameDefender were saved successfully!"* notification to appear. - - >**Note:** If the page is not being displayed, refresh your Edge browser and try again. - -1. Close the Defender plans page by selecting the 'X' on the upper right of the page to go back to the **Environment settings** - - -### Task 4: Install Azure Arc on an On-Premises Server - -In this task, you install Azure Arc on an on-premises server to make onboarding easier. - ->**Important:** The next steps are done in a different machine than the one you were previously working. Look for the Virtual Machine name references. - -1. Log in to **WINServer** virtual machine as Administrator with the password: **Passw0rd!** if necessary. - -1. Open the Microsoft Edge browser and navigate to the Azure portal at . - -1. In the **Sign in** dialog box, copy, and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**. - -1. In the **Enter password** dialog box, copy, and paste in the **Tenant Password** provided by your lab hosting provider and then select **Sign in**. - -1. In the Search bar of the Azure portal, type *Arc*, then select **Azure Arc**. - -1. In the navigation pane under **Azure Arc resources** select **Machines** - -1. Select **+ Add/Create**, then select **Add a machine**. - -1. Select **Generate script** from the "Add a single server" section. - - - -1. In the *Add a server with Azure Arc* page, select the Resource group you created earlier under *Project details*. **Hint:** *RG-Defender* - - >**Note:** If you haven't already created a resource group, open another tab and create the resource group and start over. - -1. For *Region*, select **(US) East Us** from the drop-down list. - -1. Review the *Server details* and *Connectivity method* options. Keep the default values and select **Next** to get to the Tags tab. - -1. Review the default available tags. Select **Next** to get to the Download and run script tab. - -1. Scroll down and select the **Download** button. **Hint:** if your browser blocks the download, take action in the browser to allow it. In Microsoft Edge Browser, select the ellipsis button (...) if needed and then select **Keep**. - -1. Right-click the Windows Start button and select **Windows PowerShell (Admin)**. - -1. Enter *Administrator* for "Username" and *Passw0rd!* for "Password" if you get a UAC prompt. - -1. Enter: cd C:\Users\Administrator\Downloads - - >**Important:** If you do not have this directory, most likely means that you are in the wrong machine. Go back to the beginning of Task 4 and change to WINServer and start over. - -1. Type *Set-ExecutionPolicy -ExecutionPolicy Unrestricted* and press enter. - -1. Enter **A** for Yes to All and press enter. - -1. Type *.\OnboardingScript.ps1* and press enter. - - >**Important:** If you get the error *"The term .\OnboardingScript.ps1 is not recognized..."*, make sure you are doing the steps for Task 4 in the WINServer virtual machine. Other issue might be that the name of the file changed due to multiple downloads, search for *".\OnboardingScript (1).ps1"* or other file numbers in the running directory. - -1. Enter **R** to Run once and press enter (this may take a couple minutes). - -1. The setup process opens a new Microsoft Edge browser tab to authenticate the Azure Arc agent. Select your admin account, wait for the message "Authentication complete" and then go back to the Windows PowerShell window. - -1. When the installation finishes, go back to the Azure portal page where you downloaded the script and select **Close**. Close the **Add servers with Azure Arc** to go back to the Azure Arc **Machines** page. - -1. Select **Refresh** until WINServer server name appears and the Status is *Connected*. - - >**Note:** This could take a couple of minutes. - - -### Task 5: Protect an On-Premises Server - -In this task, you manually install the *Azure Monitor Agent* by adding a *Data Collection Rule (DCR)* on the **WINServer** virtual machine. - -1. Go to **Microsoft Defender for Cloud** and select the **Getting Started** page from the left menu. - -1. Select the **Get Started** tab. - -1. Scroll down and select **Configure** under the *Add non-Azure servers* section. - -1. Select **Upgrade** next to the workspace you created earlier. This might take a few minutes. Wait until you see the notification *"Microsoft Defender plan for workspace uniquenameDefender were saved successfully!"*. - -1. Select **+ Add Servers** next to the workspace you created earlier. - -1. Select **Data Collection Rules** - -1. Select **+ Create**. - -1. Enter **WINServer** for Rule Name. - -1. Select your *Azure Pass - Sponsorship* subscription and select a Resource Group. **Hint:** *RG-Defender* - -1. You can keep the default *East US* region or select another preferable location. - -1. Select the **Windows** radio button for *Platform Type* and select **Next: Resources**. - -1. In the **Resources** tab, **+ Add resources**. - -1. In the **Select a scope** page, expand the *Scope* column for **RG-Defender** (or the Resource Group your created), then select **WINServer** and select **Apply**. - - >**Note:** You may need to set the column filter for *Resource type* to *Server-Azure Arc* if **WINServer** is not displayed. - -1. Select **Next: Collect and deliver** - -1. In the **Collect and deliver** tab, select **+ Add data source** - -1. In the **Add a data source** page, select **Performance Counters** from *Data source type*. - - >**Note:** For the purposes of this lab you could select *Windows Event Logs*. These selections can be revised later. - -1. Select the **Destination** tab - -1. Select **Azure Monitor Logs** in the **Destination Type** dropdown - -1. Select your *Azure Pass - Sponsorship* subscription from the **Subscription** dropdown - -1. Select your workspace name **Hint:** *RG-Defender* from the **Account or namespace** dropdown - -1. Select **Add data source** and select **Review + create** - -1. Select **Create** after *Validation passed* is displayed. - -1. The **Data Collection Rule** creation initiates the installation of the *AzureMonitorWindowsAgent* extension on **WINServer**. - -1. When the *Data Collection Rule* creation completes, enter **WINServer** in the *Search resources, services and docs* search bar, and select **WINServer** from *Resources*. - -1. On **WINServer** scroll down through the left menu to *Settings* and *Extensions*. - -1. The **AzureMonitorWindowsAgent** should be listed with a *Status* of **Succeeded**. - -1. You can move on to the next lab and return later to review the **Inventory** section of **Microsoft Defender for Cloud** to verify that **WINServer** is included. - -## Proceed to Exercise 2 diff --git a/Instructions/Labs/LAB_AK_02_Lab1_Ex1_Deploy_Defender_Endpoint.md b/Instructions/Labs/LAB_AK_04_Lab1_Ex01_Deploy_Defender_Endpoint.md similarity index 93% rename from Instructions/Labs/LAB_AK_02_Lab1_Ex1_Deploy_Defender_Endpoint.md rename to Instructions/Labs/LAB_AK_04_Lab1_Ex01_Deploy_Defender_Endpoint.md index 49af43de..058bb524 100644 --- a/Instructions/Labs/LAB_AK_02_Lab1_Ex1_Deploy_Defender_Endpoint.md +++ b/Instructions/Labs/LAB_AK_04_Lab1_Ex01_Deploy_Defender_Endpoint.md @@ -1,10 +1,10 @@ --- lab: title: 'Exercise 1 - Deploy Microsoft Defender for Endpoint' - module: 'Learning Path 2 - Mitigate threats using Microsoft Defender for Endpoint' + module: 'Learning Path 4 - Mitigate threats using Microsoft Defender for Endpoint' --- -# Learning Path 2 - Lab 1 - Exercise 1 - Deploy Microsoft Defender for Endpoint +# Learning Path 4 - Lab 1 - Exercise 1 - Deploy Microsoft Defender for Endpoint ## Lab scenario @@ -14,9 +14,11 @@ You're a Security Operations Analyst working at a company that is implementing M You start by initializing the Defender for Endpoint environment. Next, you onboard the initial devices for your deployment by running the onboarding script on the devices. You configure security for the environment. Lastly, you create Device groups and assign the appropriate devices. ->**Important:** The lab Virtual Machines are used through different modules. SAVE your virtual machines. If you exit the lab without saving, you will be required to re-run some configurations again. +>**Important:** The lab Virtual Machines are used through different modules. SAVE your virtual machines. If you exit the lab without saving, you will be required to re-run some configurations again. ->**Note:** Make sure you have completed successfully Task 3 of the previous module. +>**Note:** Make sure you have completed successfully Task 3 of the first module. + +### Estimated time to complete this lab: 30 minutes ### Task 1: Initialize Microsoft Defender for Endpoint @@ -46,7 +48,6 @@ In this task, you'll perform the initialization of the Microsoft Defender for En >**Hint:** If you do not see the option, refresh the page. - ### Task 2: Onboard a Device In this task, you'll onboard a device to Microsoft Defender for Endpoint using an onboarding script. @@ -80,9 +81,7 @@ In this task, you'll configure roles for use with device groups. 1. In the Microsoft Defender XDR portal left menu bar, expand the **System** section and select **Settings**, then select **Endpoints**. - >**Note:** Some versions of the portal may not have the **Settings** option under the **System** section. **Settings** may be grouped with *Reports* and *Audit*. - -1. Select **Roles** under the permissions section. +1. Select **Roles** under the permissions area. 1. Select the **Turn on roles** button. diff --git a/Instructions/Labs/LAB_AK_02_Lab1_Ex2_Mitigate_Attacks.md b/Instructions/Labs/LAB_AK_04_Lab1_Ex02_Mitigate_Attacks.md similarity index 96% rename from Instructions/Labs/LAB_AK_02_Lab1_Ex2_Mitigate_Attacks.md rename to Instructions/Labs/LAB_AK_04_Lab1_Ex02_Mitigate_Attacks.md index 529ee35a..f5344e9a 100644 --- a/Instructions/Labs/LAB_AK_02_Lab1_Ex2_Mitigate_Attacks.md +++ b/Instructions/Labs/LAB_AK_04_Lab1_Ex02_Mitigate_Attacks.md @@ -1,10 +1,10 @@ --- lab: - title: 'Exercise 2 - Mitigate Attacks with Microsoft Defender for Endpoint' - module: 'Learning Path 2 - Mitigate threats using Microsoft Defender for Endpoint' + title: 'Exercise 4 - Mitigate Attacks with Microsoft Defender for Endpoint' + module: 'Learning Path 4 - Mitigate threats using Microsoft Defender for Endpoint' --- -# Learning Path 2 - Lab 1 - Exercise 2 - Mitigate Attacks with Microsoft Defender for Endpoint +# Learning Path 4 - Lab 1 - Exercise 2 - Mitigate Attacks with Microsoft Defender for Endpoint ## Lab scenario @@ -14,6 +14,8 @@ You are a Security Operations Analyst working at a company that is implementing To explore the Defender for Endpoint attack mitigation capabilities, you will verify successful device onboarding and investigate alerts and incidents created during that process. +### Estimated time to complete this lab: 30 minutes + ### Task 1: Verify Device onboarding In this task, you will confirm that the device is onboarded successfully and create a test alert. @@ -110,7 +112,7 @@ In this task, you will simulate an attack on the WIN1 virtual machine and verify 1. Mouse over and select the **Incident graph nodes** to review the *entities*. -1. Re expand the **Alerts** pane (left-side) and select the **Play attack story** *Run* icon. This shows the attack timeline alert by alert and dynamically populates the *Incident graph*. +1. Re-expand the **Alerts** pane (left-side) and select the **Play attack story** *Run* icon. This shows the attack timeline alert by alert and dynamically populates the *Incident graph*. 1. Review the contents of the *Attack story, Alerts, Assets, Investigations, Evidence and Response*, and *Summary* tabs. Devices and Users are under the *Assets* tab. **Hint:** Some tabs might be hidden due the size of your display. Select the ellipsis tab (...) to make them appear. diff --git a/Instructions/Labs/LAB_AK_05_Lab1_Ex01_Enable_MDC.md b/Instructions/Labs/LAB_AK_05_Lab1_Ex01_Enable_MDC.md new file mode 100644 index 00000000..63fb0cfd --- /dev/null +++ b/Instructions/Labs/LAB_AK_05_Lab1_Ex01_Enable_MDC.md @@ -0,0 +1,83 @@ +--- +lab: + title: 'Exercise 1 - Enable Microsoft Defender for Cloud' + module: 'Learning Path 5 - Mitigate threats using Microsoft Defender for Cloud' +--- + +# Learning Path 5 - Lab 1 - Exercise 1 - Enable Microsoft Defender for Cloud + +## Lab scenario + +You're a Security Operations Analyst working at a company that is implementing cloud workload protections with Microsoft Defender for Cloud. In this lab, you enable Microsoft Defender for Cloud. + +>**Important:** The lab exercises for Learning Path #5 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again. + +### Estimated time to complete this lab: 15 minutes + +### Task 1: Enable Microsoft Defender for Cloud + +In this task, you'll enable and configure Microsoft Defender for Cloud. + +1. Log in to **WIN1** virtual machine as Admin with the password: **Pa55w.rd**. + +1. In the Microsoft Edge browser, navigate to the Azure portal at . + + >**Note:** Select the **Resources** tab for the *Username* and *Password* for the lab. Use the **** account for this lab. + +1. In the **Sign in** dialog box, copy, and paste in the tenant Email account for the admin username provided by your lab hosting provider and then select **Next**. + +1. In the **Enter password** dialog box, copy, and paste in the admin's tenant password provided by your lab hosting provider and then select **Sign in**. + +1. In the Search bar of the Microsoft Azure portal, type *Defender*, then select **Microsoft Defender for Cloud**. + +1. In the left navigation menu for Microsoft Defender for Cloud, expand the *Management* section , and select **Environment settings**. + +1. Select the **Expand all** button to view all subscriptions and resources. + +1. Select the **MOC Subscription-lodxxxxxxxx** subscription (or equivalent name in your Language). + +1. Review the Azure resources that are now protected with the Defender for Cloud plans. + + >**Important:** If all Defender plans are *Off*, select **Enable all plans**. Select the *$200/month Microsoft Defender for APIs Plan 1* and then select **Save**. Select **Save** at the top of the page and wait for the *"Defender plans (for your) subscription were saved successfully!"* notifications to appear. + +1. Select the **Settings & monitoring** tab from the Settings area (next to Save). + +1. Review the monitoring extensions. It includes configurations for Virtual Machines, Containers, and Storage Accounts. + +1. Select the **Continue** button, or cClose the "Settings & monitoring" page by selecting the 'X' on the upper right of the page. + +1. Close the settings page by selecting the 'X' on the upper right of the page to go back to the **Environment settings**. + + + +### Task 3: Understanding the Microsoft Defender for Cloud Dashboard + +1. In the Search bar of the Microsoft Azure portal, type *Defender*, then select **Microsoft Defender for Cloud**. + +1. In the left navigation menu for Microsoft Defender for Cloud, under the *General* section, select **Overview**. + +1. The Overview blade provides a unified view into the security posture and includes multiple independent cloud security pillars such as Security posture, Regulatory compliance, Workload protections, Firewall Manager, Inventory, and Information Protection (preview). Each of these pillars also has its dedicated dashboard allowing deeper insights and actions around that vertical, providing easy access and better visibility for security professionals. + + >**Note:** The top menu bar allows you to view and filter subscriptions by selecting the Subscriptions button. In this lab, we will use only one but selecting different/additional subscriptions will adjust the interface to reflect the security posture of the selected subscriptions + +1. Click on the **What’s new** icon link – a new tab opens with the latest release notes where you can stay current on the new features, bug fixes, and more. + + >**Note:** The high-level numbers at the top menu; This view allows you to see a summary of your subscriptions, active recommendations, and security alerts alongside connected cloud accounts. + +1. From the top menu bar, select **Azure subscriptions**. This will bring you into the environment settings where you can select from the available subscriptions. + +1. Return to the **Overview** page, and review the **Security posture** tile. You can see your current *Secure score* along with the number of completed controls and recommendations. Selecting this tile will redirect you to a drill-down view across subscriptions + +1. On the **Regulatory compliance** tile, you can get insights into your compliance posture based on continuous assessment of both Azure and hybrid cloud environments. This tile shows the following standards which are Microsoft Cloud Security benchmark, and Lowest compliance regulatory standard. To view the data we first need to add Security policies. + +1. Selecting this tile will redirect you to the **Regulatory compliance** dashboard – where you can add additional standards and explore the current ones + +1. We will continue exploring *Microsoft Defender for Cloud* **Security posture** and **Regulatory compliance** in the next exercise. + +## Proceed to Exercise 2 diff --git a/Instructions/Labs/LAB_AK_03_Lab1_Ex2_Azure_Defender.md b/Instructions/Labs/LAB_AK_05_Lab1_Ex02_Explore_MDC.md similarity index 90% rename from Instructions/Labs/LAB_AK_03_Lab1_Ex2_Azure_Defender.md rename to Instructions/Labs/LAB_AK_05_Lab1_Ex02_Explore_MDC.md index 39c19972..3b141a0d 100644 --- a/Instructions/Labs/LAB_AK_03_Lab1_Ex2_Azure_Defender.md +++ b/Instructions/Labs/LAB_AK_05_Lab1_Ex02_Explore_MDC.md @@ -1,10 +1,10 @@ --- lab: title: 'Exercise 2 - Mitigate threats using Microsoft Defender for Cloud' - module: 'Learning Path 3 - Mitigate threats using Microsoft Defender for Cloud' + module: 'Learning Path 5 - Mitigate threats using Microsoft Defender for Cloud' --- -# Learning Path 3 - Lab 1 - Exercise 2 - Mitigate threats using Microsoft Defender for Cloud +# Learning Path 5 - Lab 1 - Exercise 2 - Mitigate threats using Microsoft Defender for Cloud ## Lab scenario @@ -12,8 +12,9 @@ lab: You're a Security Operations Analyst working at a company that implemented Microsoft Defender for Cloud. You need to respond to recommendations and security alerts generated by Microsoft Defender for Cloud. ->**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Mitigate%20threats%20using%20Microsoft%20Defender%20for%20Cloud)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. +>**Important:** The lab exercises for Learning Path #5 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again. +### Estimated time to complete this lab: 15 minutes ### Task 1: Explore Regulatory Compliance diff --git a/Instructions/Labs/LAB_AK_04_Lab1_Ex1_KQL.md b/Instructions/Labs/LAB_AK_06_Lab1_Ex01_KQL.md similarity index 94% rename from Instructions/Labs/LAB_AK_04_Lab1_Ex1_KQL.md rename to Instructions/Labs/LAB_AK_06_Lab1_Ex01_KQL.md index babb757b..1d99d15c 100644 --- a/Instructions/Labs/LAB_AK_04_Lab1_Ex1_KQL.md +++ b/Instructions/Labs/LAB_AK_06_Lab1_Ex01_KQL.md @@ -1,10 +1,10 @@ --- lab: title: 'Exercise 1 - Create queries for Microsoft Sentinel using Kusto Query Language (KQL)' - module: 'Learning Path 4 - Create queries for Microsoft Sentinel using Kusto Query Language (KQL)' + module: 'Learning Path 6 - Create queries for Microsoft Sentinel using Kusto Query Language (KQL)' --- -# Learning Path 4 - Lab 1 - Exercise 1 - Create queries for Microsoft Sentinel using Kusto Query Language (KQL) +# Learning Path 6 - Lab 1 - Exercise 1 - Create queries for Microsoft Sentinel using Kusto Query Language (KQL) ## Lab scenario @@ -14,17 +14,19 @@ You are a Security Operations Analyst working at a company that is implementing >**Important:** This lab involves entering many KQL scripts into Microsoft Sentinel. The scripts were provided in a file at the beginning of this lab. An alternate location to download them is: +### Estimated time to complete this lab: 60 minutes + ### Task 1: Access the KQL testing area In this task, you will access a Log Analytics environment where you can practice writing KQL statements. 1. Login to **WIN1** virtual machine as Admin with the password: **Pa55w.rd**. -1. Go to in your browser. Login with the MOD Administrator credentials. +1. In the Microsoft Edge browser, go to and login with the Administrator credentials. 1. Close the Log Analytics video pop-up window that appears. -1. Explore the available tables listed in the tab on the left side of the screen. +1. Explore the available tables and other tools listed in the *schema and filter pane* on the left side of the screen. 1. In the query editor, enter the following query and select the **Run** button. You should see the query results in the bottom window. @@ -94,7 +96,7 @@ In this task, you will build basic KQL statements. ``` -1. The following statement demonstrates the use of the **let** statement to declare *variables*. In the Query Window enter the following statement and select **Run**: +1. The following statement demonstrates the use of the **let** statement to declare *variables*. In the Query Window enter the following statement and select **Run**: ```KQL let timeOffset = 1h; @@ -104,7 +106,7 @@ In this task, you will build basic KQL statements. | where EventID != discardEventId ``` -1. The following statement demonstrates the use of the **let** statement to declare a *dynamic list*. In the Query Window enter the following statement and select **Run**: +1. The following statement demonstrates the use of the **let** statement to declare a *dynamic list*. In the Query Window enter the following statement and select **Run**: ```KQL let suspiciousAccounts = datatable(account: string) [ @@ -118,7 +120,7 @@ In this task, you will build basic KQL statements. >**Tip:** You can re-format the query easily by selecting the ellipsis (...) in the Query window and select **Format query**. -1. The following statement demonstrates the use of the **let** statement to declare a *dynamic table*. In the Query Window enter the following statement and select **Run**: +1. The following statement demonstrates the use of the **let** statement to declare a *dynamic table*. In the Query Window enter the following statement and select **Run**: ```KQL let LowActivityAccounts = @@ -171,7 +173,6 @@ In this task, you will build basic KQL statements. | project-away ProcessName ``` - ### Task 3: Analyze Results in KQL with the Summarize Operator In this task, you will build KQL statements to aggregate data. **Summarize** groups the rows according to the **by** group columns, and calculates aggregations over each group. @@ -329,7 +330,7 @@ In this task, you will build multi-table KQL statements. | summarize count() by Type ``` -1. The following statement demonstrates the **join** operator, which merges the rows of two tables to form a new table by matching values of the specified column(s) from each table. In the Query Window enter the following statement and select **Run**: +1. The following statement demonstrates the **join** operator, which merges the rows of two tables to form a new table by matching values of the specified column(s) from each table. In the Query Window enter the following statement and select **Run**: ```KQL SecurityEvent @@ -344,11 +345,11 @@ In this task, you will build multi-table KQL statements. ) on Account ``` - >**Important:** The first table specified in the join is considered the Left table. The table after the **join** operator is the right table. When working with columns from the tables, the $left.Column name and $right.Column name is to distinguish which tables column are referenced. The **join** operator supports a full range of types: flouter, inner, innerunique, leftanti, leftantisemi, leftouter, leftsemi, rightanti, rightantisemi, rightouter, rightsemi. + >**Important:** + The first table specified in the join is considered the Left table. The table after the **join** operator is the right table. When working with columns from the tables, the $left.Column name and $right.Column name is to distinguish which tables column are referenced. The **join** operator supports a full range of types: flouter, inner, innerunique, leftanti, leftantisemi, leftouter, leftsemi, rightanti, rightantisemi, rightouter, rightsemi. 1. Change back the **Time range** to **Last 24 hours** in the Query Window. - ### Task 6: Work with string data in KQL In this task, you will work with structured and unstructured string fields with KQL statements. @@ -395,7 +396,7 @@ In this task, you will work with structured and unstructured string fields with | extend OS = DeviceDetail.operatingSystem ``` -1. The following example shows how to break out packed fields for SigninLogs. In the Query Window enter the following statement and select **Run**: +1. The following example shows how to break out packed fields for SigninLogs. In the Query Window enter the following statement and select **Run**: ```KQL SigninLogs @@ -444,4 +445,4 @@ In this task, you will work with structured and unstructured string fields with PrivLogins ``` -## You have completed the lab +## You have completed the lab. diff --git a/Instructions/Labs/LAB_AK_06_Lab1_Ex4_Connect_Defender_XDR.md b/Instructions/Labs/LAB_AK_06_Lab1_Ex4_Connect_Defender_XDR.md deleted file mode 100644 index a4ba9ba5..00000000 --- a/Instructions/Labs/LAB_AK_06_Lab1_Ex4_Connect_Defender_XDR.md +++ /dev/null @@ -1,91 +0,0 @@ ---- -lab: - title: 'Exercise 4 - Connect Defender XDR to Microsoft Sentinel using data connectors' - module: 'Learning Path 6 - Connect logs to Microsoft Sentinel' ---- - -# Learning Path 6 - Lab 1 - Exercise 4 - Connect Defender XDR to Microsoft Sentinel using data connectors - -## Lab scenario - -![Lab overview.](../Media/SC-200-Lab_Diagrams_Mod6_L1_Ex4.png) - -You're a Security Operations Analyst working at a company that deployed both Microsoft Defender XDR and Microsoft Sentinel. You need to prepare for the Unified Security Operations Platform connecting Microsoft Sentinel to Defender XDR. Your next step will be to install the Defender XDR Content Hub solution and deploy the Defender XDR data connector to Microsoft Sentinel. - ->**Important:** Be aware that there are capability differences between the azure Microsoft Sentinel portal and Sentinel in the Microsoft Defender XDR portal **[Portal capability differences](https://learn.microsoft.com/azure/sentinel/microsoft-sentinel-defender-portal#capability-differences-between-portals)**. - -### Task 1: Connect Defender XDR - -In this task, you deploy the Microsoft Defender XDR connector. - -1. Login to WIN1 virtual machine as Admin with the password: **Pa55w.rd**. - -1. In the Microsoft Edge browser, navigate to the Azure portal at (). - -1. In the **Sign in** dialog box, copy, and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**. - -1. In the **Enter password** dialog box, copy, and paste in the **Tenant Password** provided by your lab hosting provider and then select **Sign in**. - -1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**. - -1. Select your Microsoft Sentinel Workspace you created earlier. - -1. In the Microsoft Sentinel left menus, scroll down to the **Content management** section and select **Content Hub**. - -1. In the *Content hub*, search for the **Microsoft Defender XDR** solution and select it from the list. - -1. On the *Microsoft Defender XDR* solution details page, select **Install**. - -1. When the installation completes, search for the **Microsoft Defender XDR** solution and select it. - -1. On the *Microsoft Defender XDR* solution details page, select **Manage** - -1. Select the *Microsoft Defender XDR* Data connector check-box, and select **Open connector page**. - -1. In the *Configuration* section, under the *Instructions* tab, **deselect** the checkbox for the *Turn off all Microsoft incident creation rules for these products. Recommended*, and select the **Connect incidents & alerts** button. - -1. You should see a message that the connection was successful. - -### Task 2: Connect Microsoft Sentinel and Microsoft Defender XDR - -In this task, you'll connect a Microsoft Sentinel workspace to Microsoft Defender XDR. - ->**Note:** Microsoft Sentinel in the Microsoft Defender XDR portal is in public preview and the user interface experience and steps may differ from the lab instructions. - -1. Log in to the **WIN1** virtual machine as *Admin* with the password: **Pa55w.rd**. - -1. Start the Microsoft Edge browser. - -1. In the Edge browser, go to the Microsoft Defender XDR portal at . - -1. In the **Sign in** dialog box, copy, and paste in the tenant Email account for the admin username provided by your lab hosting provider and then select **Next**. - -1. In the **Enter password** dialog box, copy, and paste in the admin's tenant password provided by your lab hosting provider and then select **Sign in**. - - >**Tip:** The admin's tenant email account and password can be found on the Resources tab. - -1. On the **Defender XDR** portal **Home** screen, you should see a banner at the top with the message, *Get your SIEM and XDR in one place*. Select the **Connect a workspaces** button. - -1. On the *Choose a workspace* page, select the **Microsoft Sentinel** workspace you created earlier. - - >**Hint:** It should have a name like *uniquenameDefender*. - -1. Select the **Next** button. - - >**Note:** if the *Next* button is disabled, or greyed out, and you see an error message that the Microsoft Sentinel workspace is *not onboarded* to Defender XDR, try refreshing the Defender XDR portal page as it may take 5 to 10 minutes to sync up. - -1. On the *Review changes* page, verify that the *Workspace* selection is correct and review the bulleted items under the *What to expect when the workspace is connected* section. Select the **Connect** button. - -1. You should see a *Connecting the workspace* message followed by a *Workspace successfully connected* message. - -1. Select the **Close** button. - -1. On the **Defender XDR** portal **Home** screen, you should see a banner at the top with the message, *Your unified SIEM and XDR is ready*. Select the **Start Hunting** button. - -1. In *Advanced hunting*, you should see a message to "Explore your content from Sentinel". In the left menu pane, note the *Microsoft Sentinel* tables, functions, and queries under the corresponding tabs. - -1. Expand the left main menu pane if collapsed and expand the new **Microsoft Sentinel** menu items. You should see *Threat management*, *Content management* and *Configuration* selections. - - >**Note:** The syncronization between Microsoft Sentinel and Microsoft Defender XDR may take a few minutes to complete, so you may not see all the installed *Data connectors* for example. - -## You completed the lab - Please proceed to Learning Path 7 - Lab 1 - Exercise 2 - Create a Playbook in Microsoft Sentinel diff --git a/Instructions/Labs/LAB_AK_05_Lab1_Ex1_Deploy_Sentinel.md b/Instructions/Labs/LAB_AK_07_Lab1_Ex01_Deploy_Sentinel.md similarity index 63% rename from Instructions/Labs/LAB_AK_05_Lab1_Ex1_Deploy_Sentinel.md rename to Instructions/Labs/LAB_AK_07_Lab1_Ex01_Deploy_Sentinel.md index ba63f7df..e2723e60 100644 --- a/Instructions/Labs/LAB_AK_05_Lab1_Ex1_Deploy_Sentinel.md +++ b/Instructions/Labs/LAB_AK_07_Lab1_Ex01_Deploy_Sentinel.md @@ -1,47 +1,76 @@ --- lab: title: 'Exercise 1 - Configure your Microsoft Sentinel environment' - module: 'Learning Path 5 - Configure your Microsoft Sentinel environment' + module: 'Learning Path 7 - Configure your Microsoft Sentinel environment' --- -# Learning Path 5 - Lab 1 - Exercise 1 - Configure your Microsoft Sentinel environment +# Learning Path 7 - Lab 1 - Exercise 1 - Configure your Microsoft Sentinel environment ## Lab scenario -![Lab overview.](../Media/SC-200-Lab_Diagrams_Mod5_L1_Ex1.png) - You are a Security Operations Analyst working at a company that is implementing Microsoft Sentinel. You are responsible for setting up the Microsoft Sentinel environment to meet the company requirement to minimize cost, meet compliance regulations, and provide the most manageable environment for your security team to perform their daily job responsibilities. ->**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Configure%20your%20Microsoft%20Sentinel%20environment)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. - +>**Important:** The lab exercises for Learning Path #7 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again. -### Task 1: Initialize the Microsoft Sentinel Workspace +### Estimated time to complete this lab: 30 minutes -In this task, you will create a Microsoft Sentinel workspace. +### Task 1 - Create a Log Analytics workspace -1. Log in to **WIN1** virtual machine as Admin with the password: **Pa55w.rd**. +Create a Log Analytics workspace, including region option. Learn more about [onboarding Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/quickstart-onboard). -1. Open the Edge browser. +1. Log in to **WIN1** virtual machine as Admin with the password: **Pa55w.rd**. -1. In the Edge browser, navigate to the Azure portal at https://portal.azure.com. +1. In the Microsoft Edge browser, navigate to the Azure portal at . + + >**Note:** Select the **Resourses** tab for the *Username* and *Password* for the lab. Use the **** account for this lab. -1. In the **Sign in** dialog box, copy and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**. +1. In the **Sign in** dialog box, copy, and paste in the tenant Email account for the admin username provided by your lab hosting provider and then select **Next**. -1. In the **Enter password** dialog box, copy and paste in the **Tenant Password** provided by your lab hosting provider and then select **Sign in**. +1. In the **Enter password** dialog box, copy, and paste in the admin's tenant password provided by your lab hosting provider and then select **Sign in**. -1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**. +1. In the Search bar of the Azure portal, type "Microsoft Sentinel", then select 1. Select **+ Create**. -1. Next, select the Log Analytics workspace you created earlier, for example *uniquenameDefender* and select **Add**. The activation could take a few minutes. +1. Select **Create a new workspace**. + +1. Select **Create new** for the Resource group. + +1. Enter *Defender-RG* and select **Ok**. + +1. For the Name, enter *defenderWorkspace*. + +1. You can leave the default region for the workspace. + +1. Select **Review + create** to validate the new workspace. + +1. Select **Create** to deploy the workspace. + +### Task 2 - Deploy Microsoft Sentinel to a workspace + +Deploy Microsoft Sentinel to the workspace. + +1. When the workspace deployment completes, select **Refresh** to display the new workspace. - >**Note:** If you do not see a Log Analytics workspace here, please refer to Module 3, Exercise 1, Task 2 to create one. +1. Select the workspace you want to add Sentinel to (created in Task 1). -1. In **Microsoft Sentinel** you should be in the **General** section *News & Guides* and see a notice stating *Microsoft Sentinel free trial activated*. Press the **OK** button. +1. Select **Add**. -1. Navigate around the newly created Microsoft Sentinel workspace to become familiar with the user interface options. +### Task 3 - Configure data retention -### Task 2: Create a Watchlist +1. In the Microsoft Azure "breadcrumb" menu, select **Home**. + +1. In the Search bar of the Azure portal, type "Log Analytics" and select the workspace created in Task 1. + +1. Expand the *Settings* section in the navigation menu and select **Usage and estimated costs**. + +1. Select **Data retention**. + +1. Change data retention period to **180 days**. + +1. Select **OK**. + +### Task 4: Create a Watchlist In this task, you will create a watchlist in Microsoft Sentinel. @@ -90,13 +119,12 @@ In this task, you will create a watchlist in Microsoft Sentinel. 1. Select the *HighValueHosts* watchlist and on the right pane, select **View in logs**. >**Important:** It could take up to ten minutes for the watchlist to appear. **Please continue to with the following task and run this command on the next lab**. - + >**Note:** You can now use the _GetWatchlist('HighValueHosts') in your own KQL statements to access the list. The column to reference would be *Hostname*. 1. Close the *Logs* window by selecting the 'x' in the top-right and select **OK** to discard the unsaved edits. - -### Task 3: Create a Threat Indicator +### Task 5: Create a Threat Indicator In this task, you will create an indicator in Microsoft Sentinel. @@ -135,8 +163,7 @@ In this task, you will create an indicator in Microsoft Sentinel. | project DomainName ``` - -### Task 4: Configure log retention +### Task 6: Configure log retention In this task, you will change the retention period for the SecurityEvent table. @@ -154,5 +181,4 @@ In this task, you will change the retention period for the SecurityEvent table. 1. Select **Save** to apply the changes. - -## You have completed the lab. +## You have completed the lab diff --git a/Instructions/Labs/LAB_AK_07_Lab1_Ex2_Playbook.md b/Instructions/Labs/LAB_AK_07_Lab1_Ex2_Playbook.md deleted file mode 100644 index 3d61e96c..00000000 --- a/Instructions/Labs/LAB_AK_07_Lab1_Ex2_Playbook.md +++ /dev/null @@ -1,126 +0,0 @@ ---- -lab: - title: 'Exercise 2 - Create a Playbook' - module: 'Learning Path 7 - Create detections and perform investigations using Microsoft Sentinel' ---- - -# Learning Path 7 - Lab 1 - Exercise 2 - Create a Playbook - -## Lab scenario - -![Lab overview.](../Media/SC-200-Lab_Diagrams_Mod7_L1_Ex2.png) - -You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to detect and mitigate threats using Microsoft Sentinel. Now, you want to respond and reMediate actions that can be run from Microsoft Sentinel as a routine. - -With a playbook, you can help automate and orchestrate your threat response, integrate with other systems both internal and external, and can be set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively. - ->**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Create%20a%20playbook)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. - -### Task 1: Create a Security Operations Center Team in Microsoft Teams - -In this task, you'll create a Microsoft Teams team for use in the lab. - -1. Log in to WIN1 virtual machine as Admin with the password: **Pa55w.rd**. - -1. In the Microsoft Edge browser, open a new tab and navigate to the Microsoft Teams portal at (https://teams.microsoft.com). - -1. In the **Sign in** dialog box, copy and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**. - -1. In the **Enter password** dialog box, copy and paste in the **Tenant Password** provided by your lab hosting provider and then select **Sign in**. - -1. Close any Teams pop-ups that may appear. - - >**Note:** If prompted to use **New Teams** accept and proceed with the exercise. - -1. If not already selected, select **Teams** on the left menu, then at the top, select the ![plus sign icon](../Media/plus-sign-icon-lab.png) icon. - -1. Select the **Create Team** option. - -1. Select the **From scratch** button. - -1. Select the **Private** button. - -1. Give the team the name: type **SOC** and select the **Create** button. - -1. In the Add members to SOC screen, select the **Skip** button. - -1. Scroll down the Teams blade to locate the newly created SOC team, select the ellipsis **(...)** on the right side of the name and select **Add channel**. - -1. Enter a channel name of *New Alerts* then select the **Add** button. - - -### Task 2: Create a Playbook in Microsoft Sentinel - -In this task, you'll create a Logic App that is used as a Playbook in Microsoft Sentinel. - -1. In the Microsoft Edge browser, navigate to [Microsoft Sentinel on GitHub](https://github.com/Azure/Azure-Sentinel). - - - -1. Scroll down and select the **Solutions** folder. - -1. Next select the **SentinelSOARessentials** folder, then the **Playbooks** folder. - -1. Select the **Post-Message-Teams** folder. - -1. In the readme.md box, scroll down to the *Quick Deployment* section, **Deploy with incident trigger (recommended)** and select the **Deploy to Azure** button. - -1. Make sure your Azure Subscription is selected. - -1. For Resource Group, select **Create New**, enter *RG-Playbooks* and select **OK**. - -1. Leave **(US) East US** as the default value for *Region*. - -1. Rename the *Playbook Name* to "PostMessageTeams-OnIncident" and select **Review + create**. - -1. Now select **Create**. - - >**Note:** Wait for the deployment to finish before proceeding to the next task. - -### Task 3: Update a Playbook in Microsoft Sentinel - -In this task, you'll update the new playbook you created with the proper connection information. - -1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**. - -1. Select your Microsoft Sentinel Workspace. - -1. Select **Automation** under the *Configuration* area and then select the **Active Playbooks** tab. - -1. Select **Refresh** from the command bar in case you don't see any playbooks. You should see the playbook created from the previous step. - -1. Select the **PostMessageTeams** playbook name. - -1. On the Logic App page for *PostMessageTeams*, in the command menu, select **Edit**. - - >**Note:** You may need to refresh the page. - -1. Select the *first* block, **Microsoft Sentinel incident**. - -1. Select the **Change connection** link. - -1. Select **Add new** and select **Sign in**. In the new window, select your Azure subscription admin credentials when prompted. The last line of the block should now read "Connected to your-admin-username". - -1. Now select the *second* block, **Post a message (V3)**. - -1. In the Prameters tab, scroll down and select the **Change connection** link and then select **Add new** and **Sign in**. Chose your Azure admin credentials when prompted. The Prameters tab should now read "Connected to your-admin-username". - -1. At the end of the *Team* field, select the **X** to clear the contents. The field is changed to a drop-down with a listing of the available Teams from Microsoft Teams. Select **SOC**. - -1. Do the same for the *Channel* field, select the **X** at the end of the field to clear the contents. The field is changed to a drop-down with a listing of the Channels of the SOC Teams. Select **New Alerts**. - -1. Select **Save** on the command bar. The Logic App will be used in a future lab. - -## Proceed to Exercise 3 diff --git a/Instructions/Labs/LAB_AK_06_Lab1_Ex1_Connect_Services.md b/Instructions/Labs/LAB_AK_08_Lab1_Ex01_Connect_Services.md similarity index 88% rename from Instructions/Labs/LAB_AK_06_Lab1_Ex1_Connect_Services.md rename to Instructions/Labs/LAB_AK_08_Lab1_Ex01_Connect_Services.md index e40863de..de67be7d 100644 --- a/Instructions/Labs/LAB_AK_06_Lab1_Ex1_Connect_Services.md +++ b/Instructions/Labs/LAB_AK_08_Lab1_Ex01_Connect_Services.md @@ -1,10 +1,10 @@ --- lab: title: 'Exercise 1 - Connect data to Microsoft Sentinel using data connectors' - module: 'Learning Path 6 - Connect logs to Microsoft Sentinel' + module: 'Learning Path 8 - Connect logs to Microsoft Sentinel' --- -# Learning Path 6 - Lab 1 - Exercise 1 - Connect data to Microsoft Sentinel using data connectors +# Learning Path 8 - Lab 1 - Exercise 1 - Connect data to Microsoft Sentinel using data connectors ## Lab scenario @@ -12,8 +12,9 @@ lab: You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to connect log data from the many data sources in your organization. The organization has data from Microsoft 365, Microsoft 365 Defender, Azure resources, non-azure virtual machines, etc. You start connecting the Microsoft sources first. ->**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Connect%20data%20to%20Microsoft%20Sentinel%20using%20data%20connectors)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. +>**Important:** The lab exercises for Learning Path #8 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again. +### Estimated time to complete this lab: 20 minutes ### Task 1: Access the Microsoft Sentinel Workspace @@ -23,7 +24,7 @@ In this task, you will access your Microsoft Sentinel workspace. 1. Open the Microsoft Edge browser. -1. In the Edge browser, navigate to the Azure portal at https://portal.azure.com. +1. In the Edge browser, navigate to the Azure portal at . 1. In the **Sign in** dialog box, copy, and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**. diff --git a/Instructions/Labs/LAB_AK_06_Lab1_Ex2_Connect_Windows.md b/Instructions/Labs/LAB_AK_08_Lab1_Ex02_Connect_Windows.md similarity index 59% rename from Instructions/Labs/LAB_AK_06_Lab1_Ex2_Connect_Windows.md rename to Instructions/Labs/LAB_AK_08_Lab1_Ex02_Connect_Windows.md index ed50f4f2..2fd57328 100644 --- a/Instructions/Labs/LAB_AK_06_Lab1_Ex2_Connect_Windows.md +++ b/Instructions/Labs/LAB_AK_08_Lab1_Ex02_Connect_Windows.md @@ -1,10 +1,10 @@ --- lab: title: 'Exercise 2 - Connect Windows devices to Microsoft Sentinel using data connectors' - module: 'Learning Path 6 - Connect logs to Microsoft Sentinel' + module: 'Learning Path 8 - Connect logs to Microsoft Sentinel' --- -# Learning Path 6 - Lab 1 - Exercise 2 - Connect Windows devices to Microsoft Sentinel using data connectors +# Learning Path 8 - Lab 1 - Exercise 2 - Connect Windows devices to Microsoft Sentinel using data connectors ## Lab scenario @@ -12,8 +12,9 @@ lab: You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to connect log data from the many data sources in your organization. The next source of data is Windows virtual machines inside and outside of Azure, like On-Premises environments or other Public Clouds. ->**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Connect%20Windows%20devices%20to%20Microsoft%20Sentinel%20using%20data%20connectors)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. +>**Important:** The lab exercises for Learning Path #8 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again. +### Estimated time to complete this lab: 30 minutes ### Task 1: Create a Windows Virtual Machine in Azure @@ -21,7 +22,7 @@ In this task, you'll create a Windows virtual machine in Azure. 1. Login to **WIN1** virtual machine as Admin with the password: **Pa55w.rd**. -1. In the Microsoft Edge browser, navigate to the Azure portal at https://portal.azure.com. +1. In the Microsoft Edge browser, navigate to the Azure portal at . 1. In the **Sign in** dialog box, copy, and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**. @@ -65,7 +66,67 @@ In this task, you'll create a Windows virtual machine in Azure. 1. Select **Create**. Wait for the Resource to be created, this may take a few minutes. -### Task 2: Connect an Azure Windows virtual machine +### Task 2: Install Azure Arc on an On-Premises Server + +In this task, you install Azure Arc on an on-premises server to make onboarding easier. + +>**Important:** The next steps are done in a different machine than the one you were previously working. Look for the Virtual Machine name references. + +1. Log in to **WINServer** virtual machine as Administrator with the password: **Passw0rd!** if necessary. + +1. Open the Microsoft Edge browser and navigate to the Azure portal at . + +1. In the **Sign in** dialog box, copy, and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**. + +1. In the **Enter password** dialog box, copy, and paste in the **Tenant Password** provided by your lab hosting provider and then select **Sign in**. + +1. In the Search bar of the Azure portal, type *Arc*, then select **Azure Arc**. + +1. In the navigation pane under **Azure Arc resources** select **Machines** + +1. Select **+ Add/Create**, then select **Add a machine**. + +1. Select **Generate script** from the "Add a single server" section. + +1. In the *Add a server with Azure Arc* page, select the Resource group you created earlier under *Project details*. **Hint:** *RG-Defender* + + >**Note:** If you haven't already created a resource group, open another tab and create the resource group and start over. + +1. For *Region*, select **(US) East Us** from the drop-down list. + +1. Review the *Server details* and *Connectivity method* options. Keep the default values and select **Next** to get to the Tags tab. + +1. Review the default available tags. Select **Next** to get to the Download and run script tab. + +1. Scroll down and select the **Download** button. **Hint:** if your browser blocks the download, take action in the browser to allow it. In Microsoft Edge Browser, select the ellipsis button (...) if needed and then select **Keep**. + +1. Right-click the Windows Start button and select **Windows PowerShell (Admin)**. + +1. Enter *Administrator* for "Username" and *Passw0rd!* for "Password" if you get a UAC prompt. + +1. Enter: cd C:\Users\Administrator\Downloads + + >**Important:** If you do not have this directory, most likely means that you are in the wrong machine. Go back to the beginning of Task 4 and change to WINServer and start over. + +1. Type *Set-ExecutionPolicy -ExecutionPolicy Unrestricted* and press enter. + +1. Enter **A** for Yes to All and press enter. + +1. Type *.\OnboardingScript.ps1* and press enter. + + >**Important:** If you get the error *"The term .\OnboardingScript.ps1 is not recognized..."*, make sure you are doing the steps for Task 4 in the WINServer virtual machine. Other issue might be that the name of the file changed due to multiple downloads, search for *".\OnboardingScript (1).ps1"* or other file numbers in the running directory. + +1. Enter **R** to Run once and press enter (this may take a couple minutes). + +1. The setup process opens a new Microsoft Edge browser tab to authenticate the Azure Arc agent. Select your admin account, wait for the message "Authentication complete" and then go back to the Windows PowerShell window. + +1. When the installation finishes, go back to the Azure portal page where you downloaded the script and select **Close**. Close the **Add servers with Azure Arc** to go back to the Azure Arc **Machines** page. + +1. Select **Refresh** until WINServer server name appears and the Status is *Connected*. + + >**Note:** This could take a couple of minutes. + +### Task 3: Connect an Azure Windows virtual machine In this task, you'll connect an Azure Windows virtual machine to Microsoft Sentinel. @@ -101,7 +162,7 @@ In this task, you'll connect an Azure Windows virtual machine to Microsoft Senti 1. Wait a minute and then select **Refresh** to see the new data collection rule listed. -### Task 3: Connect a non-Azure Windows Machine +### Task 4: Connect a non-Azure Windows Machine In this task, you'll add an Azure Arc connected, non-Azure Windows virtual machine to Microsoft Sentinel. diff --git a/Instructions/Labs/LAB_AK_06_Lab1_Ex3_Connect_Linux.md b/Instructions/Labs/LAB_AK_08_Lab1_Ex03_Connect_Linux.md similarity index 91% rename from Instructions/Labs/LAB_AK_06_Lab1_Ex3_Connect_Linux.md rename to Instructions/Labs/LAB_AK_08_Lab1_Ex03_Connect_Linux.md index 8a54bb89..6a90ca67 100644 --- a/Instructions/Labs/LAB_AK_06_Lab1_Ex3_Connect_Linux.md +++ b/Instructions/Labs/LAB_AK_08_Lab1_Ex03_Connect_Linux.md @@ -1,10 +1,10 @@ --- lab: title: 'Exercise 3 - Connect Linux hosts to Microsoft Sentinel using data connectors' - module: 'Learning Path 6 - Connect logs to Microsoft Sentinel' + module: 'Learning Path 8 - Connect logs to Microsoft Sentinel' --- -# Learning Path 6 - Lab 1 - Exercise 3 - Connect Linux hosts to Microsoft Sentinel using data connectors +# Learning Path 8 - Lab 1 - Exercise 3 - Connect Linux hosts to Microsoft Sentinel using data connectors ## Lab scenario @@ -12,7 +12,9 @@ lab: You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to connect log data from the many data sources in your organization. The next source of data are Linux virtual machines using the Common Event Formatting (CEF) via Legacy Agent and Syslog connectors. ->**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Connect%20Linux%20hosts%20to%20Microsoft%20Sentinel%20using%20data%20connectors)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. +>**Important:** The lab exercises for Learning Path #8 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again. + +### Estimated time to complete this lab: 30 minutes >**Important:** There are steps within the next Tasks that are done in different virtual machines. Look for the Virtual Machine name references. @@ -24,7 +26,7 @@ In this task, you will access your Microsoft Sentinel workspace. 1. Start the Microsoft Edge browser. -1. In the Edge browser, navigate to the Azure portal at https://portal.azure.com. +1. In the Edge browser, navigate to the Azure portal at . 1. In the **Sign in** dialog box, copy, and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**. @@ -49,7 +51,7 @@ In this task, you will connect a Linux host to Microsoft Sentinel with the Commo >**Note:** The *Common Event Format* solution installs both the *Common Events Format (CEF) via AMA* and the *Common Events Format (CEF)* Data connectors. -1. Select the *Common Events Format (CEF)* Data connector, and select **Open connector page** on the connector information blade. +1. Select the *Common Events Format (CEF) via AMA* Data connector, and select **Open connector page** on the connector information blade. 1. In the *Configuration* section, under the *Instructions* tab, copy to the clipboard the command shown in *1.2 Install the CEF collector on the Linux machine*. diff --git a/Instructions/Labs/LAB_AK_07_Lab1_Ex1_Security_Rule.md b/Instructions/Labs/LAB_AK_09_Lab1_Ex01_Security_Rule.md similarity index 65% rename from Instructions/Labs/LAB_AK_07_Lab1_Ex1_Security_Rule.md rename to Instructions/Labs/LAB_AK_09_Lab1_Ex01_Security_Rule.md index f4cd1bc5..14f54c69 100644 --- a/Instructions/Labs/LAB_AK_07_Lab1_Ex1_Security_Rule.md +++ b/Instructions/Labs/LAB_AK_09_Lab1_Ex01_Security_Rule.md @@ -1,10 +1,10 @@ --- lab: title: 'Exercise 1 - Modify a Microsoft Security rule' - module: 'Learning Path 7 - Create detections and perform investigations using Microsoft Sentinel' + module: 'Learning Path 9 - Create detections and perform investigations using Microsoft Sentinel' --- -# Learning Path 7 - Lab 1 - Exercise 1 - Modify a Microsoft Security rule +# Learning Path 9 - Lab 1 - Exercise 1 - Modify a Microsoft Security rule ## Lab scenario @@ -12,10 +12,9 @@ lab: You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to detect and mitigate threats using Microsoft Sentinel. First, you need to filter the alerts coming from Defender for Cloud into Microsoft Sentinel, by Severity. ->**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Modify%20a%20Microsoft%20Security%20rule)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. - ->**Important:** If you completed the previous lab *Learning Path 6 - Lab 1 - Exercise 4 - Connect Defender XDR to Microsoft Sentinel using data connectors*, you can skip this lab and proceed to the next exercise. +>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again. +### Estimated time to complete this lab: 10 minutes ### Task 1: Activate a Microsoft Security Rule @@ -23,7 +22,7 @@ In this task, you will activate a Microsoft Security rule. 1. Log in to WIN1 virtual machine as Admin with the password: **Pa55w.rd**. -1. In the Microsoft Edge browser, navigate to the Azure portal at (https://portal.azure.com). +1. In the Microsoft Edge browser, navigate to the Azure portal at (). 1. In the **Sign in** dialog box, copy, and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**. @@ -31,22 +30,22 @@ In this task, you will activate a Microsoft Security rule. 1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**. -1. Select your Microsoft Sentinel Workspace you created in the previous labs. +1. Select the Microsoft Sentinel Workspace provided. 1. Select **Analytics** from the Configuration area. 1. Select the **+ Create** button from the command bar and select **Microsoft incident creation rule**. -1. Under *Name*, enter **Create incidents based on Defender for Endpoint**. +1. Under *Name*, enter **Create incidents based on Defender for Cloud**. -1. Scroll down and under *Microsoft security service* select **Microsoft Defender for Endpoint**. +1. Scroll down and under *Microsoft security service* select **Microsoft Defender for Cloud**. 1. Under *Filter by Severity*, select the *Custom* option and select **Low**, **Medium** and **High** for the severity level and go back to the rule. 1. Select the **Next: Automated response** button and then select the **Next: Review and create** button. -1. Review the changes made and select the **Save** button. The Analytics rule will be saved and incidents will be created if there is an Alert in Defender for Endpoint. +1. Review the changes made and select the **Save** button. The Analytics rule will be saved and incidents will be created if there is an Alert in Defender for Cloud. -1. You will now have the one *Fusion* and two *Microsoft Security* alert types. +1. You will now have the one *Fusion* and one *Microsoft Security* alert types. ## Proceed to Exercise 2 diff --git a/Instructions/Labs/LAB_AK_09_Lab1_Ex02_Playbook.md b/Instructions/Labs/LAB_AK_09_Lab1_Ex02_Playbook.md new file mode 100644 index 00000000..26e699cd --- /dev/null +++ b/Instructions/Labs/LAB_AK_09_Lab1_Ex02_Playbook.md @@ -0,0 +1,123 @@ +--- +lab: + title: 'Exercise 2 - Create a Playbook' + module: 'Learning Path 9 - Create detections and perform investigations using Microsoft Sentinel' +--- + +# Learning Path 9 - Lab 1 - Exercise 2 - Create a Playbook in Microsoft Sentinel + +## Lab scenario + +You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to detect and mitigate threats using Microsoft Sentinel. Now, you want to respond and reMediate actions that can be run from Microsoft Sentinel as a routine. + +With a playbook, you can help automate and orchestrate your threat response, integrate with other systems both internal and external, and can be set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively. + +>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again. + +### Task 1: Create a Playbook in Microsoft Sentinel + +In this task, you'll create a Logic App that is used as a Playbook in Microsoft Sentinel. + +1. Log in to WIN1 virtual machine as Admin with the password: **Pa55w.rd**. + +1. In the **Sign in** dialog box, copy and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**. + +1. In the **Enter password** dialog box, copy and paste in the **Tenant Password** provided by your lab hosting provider and then select **Sign in**. + +1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**. + +1. Select your Microsoft Sentinel Workspace. + +1. In *Microsoft Sentinel*, navigate to **Content Hub**. + +1. Within the search bar, look for **Sentinel SOAR Essentials**. + +1. Select the solution that appears in the results. + +1. Within the solution details, select **Manage**. + +1. Find the **Defender_XDR_Ransomware_Playbook_for_SecOps-Tasks** playbook and select the name. + +1. Select the **Incident tasks - Microsoft Defender XDR Ransomware Playbook for SecOps** template. + +1. On the details pane, select **Create playbook**. + +1. For Resource Group, select **Create New**, enter **RG-Playbooks** and select OK. + +1. Remove **for** from the playbook name (would exceed limit of 64 characters). + +1. Select **Connections**. + +1. Select **Next: Review and create**. + +1. Now select **Create Playbook**. + + >**Note:** Wait for the deployment to finish before proceeding to the next task. + +### Task 2: Update a Playbook in Microsoft Sentinel + +In this task, you’ll update the new playbook you created with the proper connection information. + +1. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel. + +1. Select your Microsoft Sentinel Workspace. + +1. Select Automation under the Configuration area and then select the Active Playbooks tab. + +1. Select Refresh from the command bar in case you don’t see any playbooks. You should see the playbook created from the previous step. + +1. Select the **Defender_XDR_Ransomware_Playbook_SecOps_Tasks** playbook name. + +1. On the Logic App page for **Defender_XDR_Ransomware_Playbook_SecOps_Tasks**, in the command menu, select Edit. + + >**Note:** You may need to refresh the page. + +1. Select the first block, Microsoft Sentinel incident. + +1. Select the Change connection link. + +1. Select Add new and select Sign in. In the new window, select your Azure subscription admin credentials when prompted. The last line of the block should now read “Connected to your-admin-username”. + +1. Below within the logic split, select Add task to incident. + +1. Select Save on the command bar. The Logic App will be used in a future lab. + +### Task 3: Create an Automation Rule + +1. Within Microsoft Sentinel, go to Automation under Configuration. + +1. Select Create and choose Automation Rule. + +1. Give the rule a name + +1. Leave the incident provider as All. + +1. Leave the Analytic rule name as All. + +1. Click Add and choose And. + +1. From the drop down, select Tactics. + +1. Select the **Contains** operator from the dropdown. + +1. Select the following tactics: + - Reconnaissance + - Execution + - Persistence + - Command and Control + - Exfiltration + - PreAttack + +1. Under Actions, select Run Playbook. + +1. Select the link to **Manage playbook permissions**. + +1. On the *Manage Permissions* page, select the **RG-Playbooks** resource group you created in the previous lab, and select **Apply**. + +1. From the drop down list, select the **Defender_XDR_Ransomware_Playbook_SecOps_Tasks** playbook. + +1. Select **Apply** at the bottom. + +From here, depending on your role, you will either continue doing more architect exercises or you will pivot to the analyst exercises. + +## Proceed to Exercise 3 diff --git a/Instructions/Labs/LAB_AK_07_Lab1_Ex3_Scheduled_Query.md b/Instructions/Labs/LAB_AK_09_Lab1_Ex03_Scheduled_Query.md similarity index 76% rename from Instructions/Labs/LAB_AK_07_Lab1_Ex3_Scheduled_Query.md rename to Instructions/Labs/LAB_AK_09_Lab1_Ex03_Scheduled_Query.md index 130dc260..d24e9d70 100644 --- a/Instructions/Labs/LAB_AK_07_Lab1_Ex3_Scheduled_Query.md +++ b/Instructions/Labs/LAB_AK_09_Lab1_Ex03_Scheduled_Query.md @@ -1,21 +1,20 @@ --- lab: title: 'Exercise 3 - Create a Scheduled Query from a template' - module: 'Learning Path 7 - Create detections and perform investigations using Microsoft Sentinel' + module: 'Learning Path 9 - Create detections and perform investigations using Microsoft Sentinel' --- -# Learning Path 7 - Lab 1 - Exercise 3 - Create a Scheduled Query from a template +# Learning Path 9 - Lab 1 - Exercise 3 - Create a Scheduled Query from a template ## Lab scenario -![Lab overview.](../Media/SC-200-Lab_Diagrams_Mod7_L1_Ex3.png) - You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to detect and mitigate threats using Microsoft Sentinel. After connecting your data sources to Microsoft Sentinel, you create custom analytics rules to help discover threats and anomalous behaviors in your environment. Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for your SOC to triage and investigate, and respond to threats with automated tracking and reMediation processes. ->**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Create%20a%20scheduled%20query)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. +>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again. +### Estimated time to complete this lab: 30 minutes ### Task 1: Create a Scheduled Query @@ -62,31 +61,41 @@ In this task, you create a scheduled query and connect it to the Teams channel y 1. Under the *Event grouping* area, leave the **Group all events into a single alert** as the selected option since we want to generate a single alert every time it runs, as long as the query returns more results than the specified alert threshold above. -1. Select the **Next: Incident settings >** button. +1. Select the **Next: Incident settings >** button. 1. On the *Incident settings* tab, review the default options. 1. Select the **Next: Automated response >** button. -1. On the *Automated response* tab under *Automation rules*, select **+ Add new**. +1. Select the **Next: Review and create >** button. + +1. Select **Save**. -1. For the *Automation rule name*, enter **Tier 2**. +### Task 2: Edit your new rule -1. For the *Actions*, select **Assign owner**. +1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**. -1. Then select **Assign to me**. Then select **+ Add action**. +1. Select your Microsoft Sentinel Workspace. -1. Use the *And then* drop-down menus to select **Run playbook** +1. Select **Analytics** from the Configuration area. -1. A second drop-down menu appears with an *Information (i)* message regarding playbook permissions and a **Manage playbook permissions link** +1. Make sure that you are in the *Active rules* tab in the command bar and select the **New CloudShell User** rule. - >**Note:** The playbooks will appear grayed out in the drop-down list until permissions are configured. +1. Right click the rule and select **Edit** from the *pop-up* menu. -1. Select the **Manage playbook permissions link** +1. Select the **Next: Set rule logic >** button. -1. On the *Manage Permissions* page, select the **RG-Playbooks** resource group you created in the previous lab, and select **Apply**. +1. Select the **Next: Incident settings >** button. -1. From the drop-down menu, select the playbook **PostMessageTeams-OnIncident** you created in the previous exercise. +1. Select the **Next: Automated response >** button. + +1. On the *Automated response* tab under *Automation rules*, select **+ Add new**. + +1. For the *Automation rule name*, enter **Tier 2**. + +1. For the *Actions*, select **Assign owner**. + +1. Then select **Assign to me**. 1. Select **Apply** @@ -94,8 +103,7 @@ In this task, you create a scheduled query and connect it to the Teams channel y 1. Select **Save**. - -### Task 2: Test your new rule +### Task 3: Test your new rule In this task, you test your new scheduled query rule. @@ -129,7 +137,4 @@ In this task, you test your new scheduled query rule. 1. Select the Incident and review the information in the right blade. -1. Go back to Microsoft Teams by selecting the tab in your Microsoft Edge browser. If you closed it, just open a new tab and type . Go to the *SOC* Teams, select the *New Alerts* channel and see the message post about the incident. - - ## Proceed to Exercise 4 diff --git a/Instructions/Labs/LAB_AK_07_Lab1_Ex4_Entity_Behavior.md b/Instructions/Labs/LAB_AK_09_Lab1_Ex04_Entity_Behavior.md similarity index 68% rename from Instructions/Labs/LAB_AK_07_Lab1_Ex4_Entity_Behavior.md rename to Instructions/Labs/LAB_AK_09_Lab1_Ex04_Entity_Behavior.md index 023bbad7..7e250326 100644 --- a/Instructions/Labs/LAB_AK_07_Lab1_Ex4_Entity_Behavior.md +++ b/Instructions/Labs/LAB_AK_09_Lab1_Ex04_Entity_Behavior.md @@ -1,27 +1,28 @@ --- lab: title: 'Exercise 4 - Explore Entity Behavior Analytics' - module: 'Learning Path 7 - Create detections and perform investigations using Microsoft Sentinel' + module: 'Learning Path 9 - Create detections and perform investigations using Microsoft Sentinel' --- -# Learning Path 7 - Lab 1 - Exercise 4 - Explore Entity Behavior Analytics +# Learning Path 9 - Lab 1 - Exercise 4 - Explore Entity Behavior Analytics ## Lab scenario -You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You already created Scheduled and Microsoft Security Analytics rules. - +You are a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You already created Scheduled and Microsoft Security Analytics rules. You need to configure Microsoft Sentinel to perform Entity Behavior Analytics to discover anomalies and provide entity analytic pages. ->**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Explore%20entity%20behavior%20analytics)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. +>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again. + +### Estimated time to complete this lab: 15 minutes -### Task 1: Explore Entity Behavior +### Task 1: Explore Entity Behavior In this task, you will explore Entity behavior analytics in Microsoft Sentinel. 1. Log in to WIN1 virtual machine as Admin with the password: **Pa55w.rd**. -1. In the Edge browser, navigate to the Azure portal at https://portal.azure.com. +1. In the Edge browser, navigate to the Azure portal at . 1. In the **Sign in** dialog box, copy and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**. @@ -29,22 +30,15 @@ In this task, you will explore Entity behavior analytics in Microsoft Sentinel. 1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**. -1. Select your Microsoft Sentinel Workspace you created earlier. +1. Select your Microsoft Sentinel Workspace. 1. Select the **Entity behavior** page. 1. On the popup from *Entity behavior settings*, select **Set UEBA**. -1. On the *Settings* tab under *Entity behaviour analytics*, select **Set UEBA**. - -1. Review the three pre-requisite steps to enable entity behavior analytics. - -1. Close the *Entity behavior configuration* page by selecting the 'x' at the top right of the page. - -1. Scroll down the *Settings* tab to the *Anomalies* sectiom and read through the paragraph. - -1. Select **Go to analytics in oder to configure the anomalies**. +1. On the *Settings* tab under *Entity behaviour analytics*, scroll down the *Anomalies* section and verify read through the paragraph, and verify that the *switch* is *On*. +1. Select the **Go to analytics in oder to configure the anomalies** link. ### Task 2: Confirm and review Anomalies rules @@ -77,6 +71,5 @@ In this task, you will confirm Anomalies analytics rules are enabled. 1. Select **Next: Review and Create** and then **Save** to update the rule. >**Note:** You can upgrade the **Flighting** rule to **Production** by changing the setting on this rule and save the changes. The **Production** rule will become the **Flighting** rule afterwards. - ## Proceed to Exercise 5 diff --git a/Instructions/Labs/LAB_AK_07_Lab1_Ex5_Attacks.md b/Instructions/Labs/LAB_AK_09_Lab1_Ex05_Attacks.md similarity index 90% rename from Instructions/Labs/LAB_AK_07_Lab1_Ex5_Attacks.md rename to Instructions/Labs/LAB_AK_09_Lab1_Ex05_Attacks.md index 146d637b..9ca48ee1 100644 --- a/Instructions/Labs/LAB_AK_07_Lab1_Ex5_Attacks.md +++ b/Instructions/Labs/LAB_AK_09_Lab1_Ex05_Attacks.md @@ -1,18 +1,22 @@ --- lab: title: 'Exercise 5 - Understand Detection Modeling' - module: 'Learning Path 7 - Create detections and perform investigations using Microsoft Sentinel' + module: 'Learning Path 9 - Create detections and perform investigations using Microsoft Sentinel' --- -# Learning Path 7 - Lab 1 - Exercise 5 - Understand Detection Modeling +# Learning Path 9 - Lab 1 - Exercise 5 - Understand Detection Modeling + +## Lab scenario ![Lab overview.](../Media/SC-200-Lab_Diagrams_Mod7_L1_Ex5.png) + +### Estimated time to complete this lab: 30 minutes + ### Task 1: Understand the Attacks >**Important: You will perform no actions in this exercise.** These instructions are only an explanation of the attacks you will perform in the next exercise. Please carefully read this page. -The attack patterns are based on an open-source project: https://github.com/redcanaryco/atomic-red-team - +The attack patterns are based on an open-source project: #### Attack 1 - Persistence with Registry Key Add @@ -32,7 +36,7 @@ net user theusernametoadd ThePassword1! net localgroup administrators theusernametoadd /add ``` -#### Attack 3 - DNS / C2 +#### Attack 3 - DNS / C2 Attacker will send a large volume of DNS queries to a command and control (C2) server. The intent is to trigger threshold-based detection on the number of DNS queries either from a single source system or to a single target domain. @@ -78,14 +82,12 @@ Do { Until ($TimeNow -ge $RunEnd) ``` - ### Task 2: Understand Detection Modeling The attack-detect configuration cycle used in this lab represents all data sources even though you are only focused on two specific data sources. To build a detection, you first start with building a KQL statement. Since you will attack a host, you will have representative data to start building the KQL statement. - After you have the KQL statement, you create the Analytical Rule. Once the rule triggers and creates the alerts and incidents, you then investigate to decide if you are providing fields that help Security Operations Analysts in their investigation. diff --git a/Instructions/Labs/LAB_AK_07_Lab1_Ex6_Perform_Attacks.md b/Instructions/Labs/LAB_AK_09_Lab1_Ex06_Perform_Attacks.md similarity index 89% rename from Instructions/Labs/LAB_AK_07_Lab1_Ex6_Perform_Attacks.md rename to Instructions/Labs/LAB_AK_09_Lab1_Ex06_Perform_Attacks.md index e1845456..598c6c23 100644 --- a/Instructions/Labs/LAB_AK_07_Lab1_Ex6_Perform_Attacks.md +++ b/Instructions/Labs/LAB_AK_09_Lab1_Ex06_Perform_Attacks.md @@ -1,10 +1,10 @@ --- lab: title: 'Exercise 6 - Conduct attacks' - module: 'Learning Path 7 - Create detections and perform investigations using Microsoft Sentinel' + module: 'Learning Path 9 - Create detections and perform investigations using Microsoft Sentinel' --- -# Learning Path 7 - Lab 1 - Exercise 6 - Conduct attacks +# Learning Path 9 - Lab 1 - Exercise 6 - Conduct attacks ## Lab scenario @@ -12,9 +12,9 @@ lab: You are going to simulate the attacks that you will later use to detect and investigate in Microsoft Sentinel. +>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again. ->**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Perform%20simulated%20attacks)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. - +### Estimated time to complete this lab: 30 minutes ### Task 1: Persistence Attack with Registry Key Add diff --git a/Instructions/Labs/LAB_AK_07_Lab1_Ex7_Detections.md b/Instructions/Labs/LAB_AK_09_Lab1_Ex07_Detections.md similarity index 93% rename from Instructions/Labs/LAB_AK_07_Lab1_Ex7_Detections.md rename to Instructions/Labs/LAB_AK_09_Lab1_Ex07_Detections.md index 5bad6cfa..1e7bd0ed 100644 --- a/Instructions/Labs/LAB_AK_07_Lab1_Ex7_Detections.md +++ b/Instructions/Labs/LAB_AK_09_Lab1_Ex07_Detections.md @@ -1,10 +1,10 @@ --- lab: title: 'Exercise 7 - Create Detections' - module: 'Learning Path 7 - Create detections and perform investigations using Microsoft Sentinel' + module: 'Learning Path 9 - Create detections and perform investigations using Microsoft Sentinel' --- -# Learning Path 7 - Lab 1 - Exercise 7 - Create Detections +# Learning Path 9 - Lab 1 - Exercise 7 - Create Detections ## Lab scenario @@ -14,9 +14,9 @@ You are a Security Operations Analyst working at a company that implemented Micr Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for your SOC to triage and investigate, and respond to threats with automated tracking and reMediation processes. +>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again. ->**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Create%20detections)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. - +### Estimated time to complete this lab: 30 minutes ### Task 1: Persistence Attack Detection @@ -26,7 +26,7 @@ In this task, you will create a detection for the first attack of the previous e 1. Log in to WIN1 virtual machine as Admin with the password: **Pa55w.rd**. -1. In the Edge browser, navigate to the Azure portal at https://portal.azure.com. +1. In the Edge browser, navigate to the Azure portal at . 1. In the **Sign in** dialog box, copy and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**. @@ -34,7 +34,7 @@ In this task, you will create a detection for the first attack of the previous e 1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**. -1. Select your Microsoft Sentinel Workspace you created earlier. +1. Select your Microsoft Sentinel Workspace. 1. Select **Logs** from the *General* section. diff --git a/Instructions/Labs/LAB_AK_07_Lab1_Ex8_Investigate.md b/Instructions/Labs/LAB_AK_09_Lab1_Ex08_Investigate.md similarity index 88% rename from Instructions/Labs/LAB_AK_07_Lab1_Ex8_Investigate.md rename to Instructions/Labs/LAB_AK_09_Lab1_Ex08_Investigate.md index 435ed1c4..694e1de0 100644 --- a/Instructions/Labs/LAB_AK_07_Lab1_Ex8_Investigate.md +++ b/Instructions/Labs/LAB_AK_09_Lab1_Ex08_Investigate.md @@ -1,10 +1,10 @@ --- lab: title: 'Exercise 8 - Investigate Incidents' - module: 'Learning Path 7 - Create detections and perform investigations using Microsoft Sentinel' + module: 'Learning Path 9 - Create detections and perform investigations using Microsoft Sentinel' --- -# Learning Path 7 - Lab 1 - Exercise 8 - Investigate Incidents +# Learning Path 9 - Lab 1 - Exercise 8 - Investigate Incidents ## Lab scenario @@ -14,8 +14,9 @@ You are a Security Operations Analyst working at a company that implemented Micr An incident can include multiple alerts. It is an aggregation of all the relevant evidence for a specific investigation. The properties related to the alerts, such as severity and status, are set at the incident level. After you let Microsoft Sentinel know what kinds of threats you are looking for and how to find them, you can monitor detected threats by investigating incidents. ->**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Investigate%20incidents)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. +>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again. +### Estimated time to complete this lab: 30 minutes ### Task 1: Investigate an incident @@ -23,7 +24,7 @@ In this task, you will investigate an incident. 1. Log in to WIN1 virtual machine as Admin with the password: **Pa55w.rd**. -1. In the Edge browser, navigate to the Azure portal at https://portal.azure.com. +1. In the Edge browser, navigate to the Azure portal at . 1. In the **Sign in** dialog box, copy and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**. @@ -31,7 +32,7 @@ In this task, you will investigate an incident. 1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**. -1. Select your Microsoft Sentinel Workspace you created earlier. +1. Select your Microsoft Sentinel Workspace. 1. Select the **Incidents** page. diff --git a/Instructions/Labs/LAB_AK_07_Lab1_Ex9_ASIM.md b/Instructions/Labs/LAB_AK_09_Lab1_Ex09_ASIM.md similarity index 84% rename from Instructions/Labs/LAB_AK_07_Lab1_Ex9_ASIM.md rename to Instructions/Labs/LAB_AK_09_Lab1_Ex09_ASIM.md index c1967efa..d080a7a0 100644 --- a/Instructions/Labs/LAB_AK_07_Lab1_Ex9_ASIM.md +++ b/Instructions/Labs/LAB_AK_09_Lab1_Ex09_ASIM.md @@ -1,18 +1,20 @@ --- lab: title: 'Exercise 9 - Create ASIM parsers' - module: 'Learning Path 7 - Create detections and perform investigations using Microsoft Sentinel' + module: 'Learning Path 9 - Create detections and perform investigations using Microsoft Sentinel' --- -# Learning Path 7 - Lab 1 - Exercise 9 - Deploy ASIM parsers +# Learning Path 9 - Lab 1 - Exercise 9 - Deploy ASIM parsers ## Lab scenario ![Lab overview.](../Media/SC-200-Lab_Diagrams_Mod7_L1_Ex9.png) -You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You need to model ASIM parsers for a specific Windows registry event. These parsers will be finalized at a later time following the [Advanced Security Information Model (ASIM) Registry Event normalization schema reference](https://docs.microsoft.com/en-us/azure/sentinel/registry-event-normalization-schema). +You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You need to model ASIM parsers for a specific Windows registry event. These parsers will be finalized at a later time following the [Advanced Security Information Model (ASIM) Registry Event normalization schema reference](https://docs.microsoft.com/azure/sentinel/registry-event-normalization-schema). ->**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Create%20Advanced%20Security%20Information%20Model%20Parsers)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. +>**Important:** The lab exercises for Learning Path #9 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again. + +### Estimated time to complete this lab: 30 minutes ### Task 1: Deploy the Registry Schema ASIM parsers @@ -20,7 +22,7 @@ In this task, you'll review the Registry Schema parsers that are included with t 1. Log in to WIN1 virtual machine as Admin with the password: **Pa55w.rd**. -1. In the Microsoft Edge browser, navigate to the Azure portal at https://portal.azure.com. +1. In the Microsoft Edge browser, navigate to the Azure portal at . 1. In the **Sign in** dialog box, copy, and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**. @@ -28,7 +30,7 @@ In this task, you'll review the Registry Schema parsers that are included with t 1. In the Search bar of the Azure portal, type *Sentinel*, then select **Microsoft Sentinel**. -1. Select your Microsoft Sentinel Workspace you created earlier. +1. Select your Microsoft Sentinel Workspace. 1. Select the **Search** page under *General* in Microsoft Sentinel. @@ -205,4 +203,57 @@ In this task, you will use a Search job to look for a C2. >**Note:** If you were running the job, the restore would run for a couple of minutes and your data would be available in a new table. +### Task 4: Create a hunt that combines multiple queries into a MITRE tactic + +1. The MITRE ATT&CK map helps you identify specific gaps in your detection coverage. Use predefined hunting queries for specific MITRE ATT&CK techniques as a starting point to develop new detection logic. + +1. In Microsoft Sentinel, expand **Threat management** from the left navigation menus. + +1. Select **MITRE ATT&CK (Preview)**. + +1. Unselect items in the *Active rules* drop-down menu. + +1. Select **Hunting queries** in the *Simulated rules* filter to see which techniques have hunting queries associated with them. + +1. Select the card for **Account Manipulation**. + +1. In the details pane locate *Simulated coverage* and select the **View** link next to *Hunting queries*. + +1. This link takes you to a filtered view of the Queries tab on the Hunting page based on the technique you selected. + +1. Select all the queries for that technique by selecting the box near the top of the list on the left. + +1. Select the **Hunt actions** drop down menu near the middle of the screen above the filters. + +1. Select **Create new hunt**. All the queries you selected are cloned for this new hunt. + +1. Fill out the hunt name and optional fields. The description is a good place to verbalize your hypothesis. The Hypothesis pull down menu is where you set the status of your working hypothesis. + +1. Select **Create** to get started. + +1. Select the **Hunts (Preview)** tab to view your new hunt. + +1. Select the hunt link by name to view the details and take actions. + +1. View the details pane with the Hunt name, Description, Content, Last update time, and Creation time. + +1. Select all of the queries by using the box next to the *Query* column. + +1. Either select **Run selected queries** or uncheck the selected rows and *right click* and **Run** a single query. + +1. You can also select a single query and select **View results** in the details pane. + +1. Review which queries returned results. + +1. Based on the results, determine if there is enough strong evidence to validate the hypothesis. If there isn’t, close the Hunt and mark it as invalidated. + +1. Alternative Steps: + - Go to Microsoft Sentinel. + - Expand Threat management. + - Choose Hunting. + - Select ‘add filter’. + - Set the filter to tactics:persistence. + - Add another filter. + - Set the second filter to have techniques: T1098. + ## Proceed to Exercise 2 diff --git a/Instructions/Labs/LAB_AK_08_Lab1_Ex2_Notebooks.md b/Instructions/Labs/LAB_AK_10_Lab1_Ex02_Notebooks.md similarity index 86% rename from Instructions/Labs/LAB_AK_08_Lab1_Ex2_Notebooks.md rename to Instructions/Labs/LAB_AK_10_Lab1_Ex02_Notebooks.md index d096145f..006ee7df 100644 --- a/Instructions/Labs/LAB_AK_08_Lab1_Ex2_Notebooks.md +++ b/Instructions/Labs/LAB_AK_10_Lab1_Ex02_Notebooks.md @@ -1,10 +1,10 @@ --- lab: title: 'Exercise 2 - Threat Hunting using Notebooks with Microsoft Sentinel' - module: 'Learning Path 8 - Perform threat hunting in Microsoft Sentinel' + module: 'Learning Path 10 - Perform threat hunting in Microsoft Sentinel' --- -# Learning Path 8 - Lab 1 - Exercise 2 - Threat Hunting using Notebooks with Microsoft Sentinel +# Learning Path 10 - Lab 1 - Exercise 2 - Threat Hunting using Notebooks with Microsoft Sentinel ## Lab scenario @@ -14,7 +14,9 @@ You're a Security Operations Analyst working at a company that implemented Micro - Create data visualizations that aren't provided out-of-the-box in Microsoft Sentinel, such as custom timelines and process trees. - Integrate data sources outside of Microsoft Sentinel, such as an on-premises data set. ->**Note:** An **[interactive lab simulation](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulation%20-%20Hunt%20for%20threats%20using%20notebooks%20in%20Microsoft%20Sentinel)** is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same. +>**Important:** The lab exercises for Learning Path #10 are in a *standalone* environment. If you exit the lab before completing it, you will be required to re-run the configurations again. + +### Estimated time to complete this lab: 30 minutes ### Task 1: Explore Notebooks @@ -22,7 +24,7 @@ In this task, you'll explore using notebooks in Microsoft Sentinel. 1. Log in to WIN1 virtual machine as Admin with the password: **Pa55w.rd**. -1. In the Microsoft Edge browser, navigate to the Azure portal at https://portal.azure.com. +1. In the Microsoft Edge browser, navigate to the Azure portal at . 1. In the **Sign in** dialog box, copy, and paste in the **Tenant Email** account provided by your lab hosting provider and then select **Next**. @@ -55,7 +57,7 @@ In this task, you'll explore using notebooks in Microsoft Sentinel. 1. Select **Notebooks** again and then select the **Templates** tab from the middle command bar. -1. Select **A Getting Started Guide for Microsoft Sentinel ML Notebooks**. +1. Select **A Getting Started Guide for Microsoft Sentinel ML Notebooks**. 1. On the right pane, scroll down and select **Create from template** button. Review the default options and then select **Save**. @@ -63,7 +65,7 @@ In this task, you'll explore using notebooks in Microsoft Sentinel. 1. Select **Close** if an informational window appears in the Microsoft Azure Machine Learning studio. -1. In the command bar, to the right of the **Compute:** selector, select the **+** symbol to create a new compute instance. **Hint:** It might be hidden inside the ellipsis icon **(...)**. +1. In the command bar, to the right of the **Compute:** selector, select the **+** symbol to *Create Azure ML compute* instance. **Hint:** It might be hidden inside the ellipsis icon **(...)**. >**Note:** You can have more screen space by hiding the Azure ML Studio left blade by selecting the *Hamburger menu* (3 horizontal lines on the top left), as well as by collapsing the Notebooks Files by selecting the **<<** icon. @@ -85,9 +87,9 @@ In this task, you'll explore using notebooks in Microsoft Sentinel. 1. Run the *Python code* to initialize the cell by selecting the **Run cell** button (Play icon) to the left of the code. -1. It should take approximately 15 seconds to run. Once it's done, review the output messages and disregard any warnings about the Python kernel version. The code ran successfully if *msticpyconfig.yaml* was created in the *utils* folder in the *file explorer* pane on the left. +1. It should take approximately 15 seconds to run. Once it's done, review the output messages and disregard any warnings about the Python kernel version. The code ran successfully if *msticpyconfig.yaml* was created in the *utils* folder in the *file explorer* pane on the left. It may take another 30 seconds for the file to appear. - >**Hint:** You can clear the output messages by using *square with an x* icon above the code cell. + >**Hint:** You can clear the output messages by selecting the ellipsis (...) on the left of the code window for the *Output menu* and selecting the *Clear output* (square with an x*) icon. 1. Select the **msticpyconfig.yaml** file in the *file explorer* pane on the left to review the contents of the file and then close it. diff --git a/Instructions/Media/add-plugin-button.png b/Instructions/Media/add-plugin-button.png new file mode 100644 index 00000000..a77a8700 Binary files /dev/null and b/Instructions/Media/add-plugin-button.png differ diff --git a/Instructions/Media/box-icon.png b/Instructions/Media/box-icon.png new file mode 100644 index 00000000..0ae6963e Binary files /dev/null and b/Instructions/Media/box-icon.png differ diff --git a/Instructions/Media/check-mark-icon.png b/Instructions/Media/check-mark-icon.png new file mode 100644 index 00000000..a6f97767 Binary files /dev/null and b/Instructions/Media/check-mark-icon.png differ diff --git a/Instructions/Media/create-promptbook-icon.png b/Instructions/Media/create-promptbook-icon.png new file mode 100644 index 00000000..f0e6eb56 Binary files /dev/null and b/Instructions/Media/create-promptbook-icon.png differ diff --git a/Instructions/Media/edit-icon.png b/Instructions/Media/edit-icon.png new file mode 100644 index 00000000..bf90bdbd Binary files /dev/null and b/Instructions/Media/edit-icon.png differ diff --git a/Instructions/Media/enable-audit-button.png b/Instructions/Media/enable-audit-button.png new file mode 100644 index 00000000..b54aba57 Binary files /dev/null and b/Instructions/Media/enable-audit-button.png differ diff --git a/Instructions/Media/home-menu-icon.png b/Instructions/Media/home-menu-icon.png new file mode 100644 index 00000000..14936c3c Binary files /dev/null and b/Instructions/Media/home-menu-icon.png differ diff --git a/Instructions/Media/information-icon.png b/Instructions/Media/information-icon.png new file mode 100644 index 00000000..bc939494 Binary files /dev/null and b/Instructions/Media/information-icon.png differ diff --git a/Instructions/Media/launch-copilot-button.png b/Instructions/Media/launch-copilot-button.png new file mode 100644 index 00000000..873f10df Binary files /dev/null and b/Instructions/Media/launch-copilot-button.png differ diff --git a/Instructions/Media/launch-purview-portal-button.png b/Instructions/Media/launch-purview-portal-button.png new file mode 100644 index 00000000..19bea318 Binary files /dev/null and b/Instructions/Media/launch-purview-portal-button.png differ diff --git a/Instructions/Media/maximize-icon.png b/Instructions/Media/maximize-icon.png new file mode 100644 index 00000000..ad968a1a Binary files /dev/null and b/Instructions/Media/maximize-icon.png differ diff --git a/Instructions/Media/pin-icon.png b/Instructions/Media/pin-icon.png new file mode 100644 index 00000000..411928c7 Binary files /dev/null and b/Instructions/Media/pin-icon.png differ diff --git a/Instructions/Media/pinboard-icon.png b/Instructions/Media/pinboard-icon.png new file mode 100644 index 00000000..bb2207f4 Binary files /dev/null and b/Instructions/Media/pinboard-icon.png differ diff --git a/Instructions/Media/prompt-icon.png b/Instructions/Media/prompt-icon.png new file mode 100644 index 00000000..9b38a5b1 Binary files /dev/null and b/Instructions/Media/prompt-icon.png differ diff --git a/Instructions/Media/raw-file-download-icon-v2.png b/Instructions/Media/raw-file-download-icon-v2.png new file mode 100644 index 00000000..ed67a404 Binary files /dev/null and b/Instructions/Media/raw-file-download-icon-v2.png differ diff --git a/Instructions/Media/run-icon.png b/Instructions/Media/run-icon.png new file mode 100644 index 00000000..16ffa5bd Binary files /dev/null and b/Instructions/Media/run-icon.png differ diff --git a/Instructions/Media/security-copilot-launch-exercise-button-v2.png b/Instructions/Media/security-copilot-launch-exercise-button-v2.png new file mode 100644 index 00000000..b3a2334b Binary files /dev/null and b/Instructions/Media/security-copilot-launch-exercise-button-v2.png differ diff --git a/Instructions/Media/simulation-pop-up-error copy.png b/Instructions/Media/simulation-pop-up-error copy.png new file mode 100644 index 00000000..97a9b261 Binary files /dev/null and b/Instructions/Media/simulation-pop-up-error copy.png differ diff --git a/Instructions/Media/simulation-pop-up-error.png b/Instructions/Media/simulation-pop-up-error.png new file mode 100644 index 00000000..97a9b261 Binary files /dev/null and b/Instructions/Media/simulation-pop-up-error.png differ diff --git a/Instructions/Media/sources-icon.png b/Instructions/Media/sources-icon.png new file mode 100644 index 00000000..5075246a Binary files /dev/null and b/Instructions/Media/sources-icon.png differ diff --git a/Instructions/Media/welcome-purview-portal.png b/Instructions/Media/welcome-purview-portal.png new file mode 100644 index 00000000..7efc30f3 Binary files /dev/null and b/Instructions/Media/welcome-purview-portal.png differ