- Microsoft Sentinel
- Azure Virtual Machine
- Log Analytics Workspace
First I created a resource group in Azure and spun up a virtual machine (VM) running Windows 11 Pro to act as an endpoint.
Network settings were configured to allow remote desktop protocol (RDP) on port 3389 to remain open. This would usually not be a secure setting but is done here for test and demonstration purposes.
I then deployed Microsoft Sentinel as a cloud native security information and event management (SIEM) tool and added it to the Log Analytics Workspace.
Next, I needed to send the Windows event logs from the VM endpoint to Log Analytics Workspace to be able to manage the log data in Sentinel. To do this, I set up a data connector (Azure Monitor Agent).
I then configured a data connection rule. The rule uses a simple query to the log data that filters for activity that contains “success” to show all successful logins.
The query was then modified to still contain “system” but not contain “system”, this is to avoid logging system account logins.
The data connection rule was then used to generate alerts when successful login events occur.
Now, the successful login rule has been created and appears in the Analytics tab.
To test and demonstrate the alert, I signed in to the endpoint using Remote Desktop Connection (RDP) to trigger an alert.
Here the alert was generated as an incident showing there was a successful login to the endpoint.
