SC-200 Connect Windows devices to Microsoft Sentinel using data connectors

source: SC-200T00A-Microsoft-Security-Operations-Analyst

Task 1: Create a Windows VM in Azure

Go to the Azure Marketplace, search for Windows 10, and select the Windows 10 Enterprise, version 22H2 image.

Use the preconfigured settings as seen below, add a user name and password for the VM's administrator account, and proceed to create.

Task 2: Connect Azure Windows VM via AMA

Go to Microsoft Sentinel > Data connectors > Content hub, search for the Windows Security Events solution, select it from the list, and select Install.

Once installed, select Manage, select Windows Security Events via AMA, click Open connector page, then select +Create data collection rule.

Give the collection rule a name (in this lab it is AZWINDCR) and select the resource group where the VM created earlier is located.

On the Resources tab, select Add resources, select the VM created earlier, and click Apply.

On the Collect tab, select All Security Events, then create the collection rule. All Security Events is the noisiest (and most expensive) of the available event sets; Common or Minimal is usually enough outside a lab. Wait a couple of minutes and refresh the page until the connector status changes to Connected.

If we go to Sentinel > Logs and query the SecurityEvent table (singular, not SecurityEvents), we can see security data arriving from the Azure Windows VM AZWIN01.
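The same check from PowerShell, as an added example that is not part of the lab: it runs a KQL query against the SecurityEvent table and warns when nothing has arrived from the machine in the last hour, which is the usual symptom of a DCR that was created but not associated with the VM. It assumes the Az.Accounts and Az.OperationalInsights modules are installed and Connect-AzAccount has already been run; the workspace ID is a placeholder, and AZWIN01 is the VM name used in this lab.

```powershell
# Added example (not from the SC-200 lab): confirm SecurityEvent rows are arriving from a VM.
# Assumes Az.Accounts + Az.OperationalInsights are installed and Connect-AzAccount was run.
$workspaceId = '00000000-0000-0000-0000-000000000000'   # Log Analytics workspace ID (GUID); placeholder
$computer    = 'AZWIN01'                                # VM name used in this lab

# Table name is SecurityEvent (singular). Grouping by EventID gives a quick sanity check
# that the "All Security Events" DCR is shipping more than just a few heartbeat-like IDs.
$query = @"
SecurityEvent
| where Computer startswith "$computer"
| summarize Events = count(), LastSeen = max(TimeGenerated) by Computer, EventID
| order by Events desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId `
                                            -Query $query `
                                            -Timespan (New-TimeSpan -Hours 1)

if (-not $result.Results) {
    # Most common causes: DCR not associated with the VM, or the AzureMonitorAgent
    # service is not running on the VM (the connector page still shows the rule).
    Write-Warning "No SecurityEvent rows from $computer in the last hour; check the DCR Resources tab and the AzureMonitorAgent service on the VM."
} else {
    $result.Results | Format-Table Computer, EventID, Events, LastSeen -AutoSize
}
```

For an Arc-enabled machine the Computer column may carry the FQDN rather than the short hostname, which is why the query uses startswith instead of an exact match.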

Task 3: Connect a non Azure VM

In this case I am onboarding a Windows VM deployed on VMware on my on-site PC.

Go to Azure Arc, select Add resources > under Machines select Add/Create > Add a machine, select Add a single server, and click Generate script.

Fill in the resource group and region the VM will be onboarded to, then click Download and run script.

In my case I will copy the script and run it on PowerShell in my VM.

You will need to change the PowerShell execution policy before the Arc script will run, because the Windows client default (Restricted) blocks running any script file. To do so:
– Open PowerShell as Administrator
– Run the following command (without -Scope it changes the LocalMachine policy, so every user on the VM is affected until it is set back)
Set-ExecutionPolicy Unrestricted

Now we can run the downloaded PowerShell script to install the Azure Connected Machine agent.

You will be prompted to authenticate with Azure; enter the credentials of the account you want to use for onboarding.

We can see that the on-site VM has now been onboarded with Azure Arc and shows under Machines.

We can change the execution policy back to Restricted (the Windows client default) using the following command in an elevated PowerShell session on the VM:

Set-ExecutionPolicy Restricted
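The onboarding steps above, as an added example that is not the lab's own script: instead of setting Unrestricted machine-wide and remembering to revert it, the execution policy is bypassed only for the current PowerShell process, which reverts by itself when the window closes. It then verifies the result locally with azcmagent show and the agent services. It assumes the generated script was saved as C:\Temp\OnboardingScript.ps1 (path is a placeholder) and is run from an elevated PowerShell on the VM.

```powershell
# Added example (not the lab's script): run the Azure Arc onboarding script without loosening
# the machine-wide execution policy, then verify the agents. Run as Administrator on the VM.
$script = 'C:\Temp\OnboardingScript.ps1'   # placeholder: wherever you saved the generated script

# Show the effective policy per scope before changing anything (LocalMachine is what the
# lab's "Set-ExecutionPolicy Unrestricted" would have changed).
Get-ExecutionPolicy -List

# Bypass for this process only; it disappears when this PowerShell session ends,
# so there is nothing to set back to Restricted afterwards.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

if (-not (Test-Path $script)) { throw "Onboarding script not found at $script" }

# Runs the portal-generated script; it prompts for the Azure sign-in just as in the lab.
& $script

# Verify the Connected Machine agent: status, resource name and the Azure resource it maps to.
$azcmagent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
& $azcmagent show

# himds is the Arc hybrid instance metadata service. AzureMonitorAgent only appears after a
# DCR has been associated with this machine (the next step of the lab), so it may be absent here.
Get-Service -Name himds, AzureMonitorAgent -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

If azcmagent show reports the machine as Connected but AzureMonitorAgent is still missing after the DCR is created, check the Extensions blade of the Arc machine in the portal; the DCR association is what triggers the AMA extension install.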

We can now go to Sentinel > Data connectors > Windows Security Events via AMA, click Open connector page, then click +Create data collection rule.

We will create a second data collection rule, this time for the on-site VM.

Give the rule a name and select the resource group your Arc-enabled VM is in.

On the Resources tab, select your Azure Arc-onboarded VM.

On the Collect tab, select All Security Events, then proceed to create the rule. Associating the DCR is also what deploys the Azure Monitor Agent extension to the Arc-enabled machine.

We can see that Windows Security Events via AMA is now connected for the on-site VM as well.

Author: user
