Forem: Hyacienth Ugochukwu

How To Record And Resolve Domain Names Internally

Hyacienth Ugochukwu — Thu, 05 Sep 2024 13:14:16 +0000

In this article, we will discuss how to; create and configure a private DNS zone, create and configure DNS records, and, configure DNS settings on a virtual net.

Create a private DNS zone
Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without adding a custom DNS solution. Private DNS zones allow you to use your custom domain names rather than the Azure-provided ones available today.

On the portal search bar, type Private DNS zones in the search text box and select Private DNS zones from the results.
Select + Create.
On the Basics tab of Create private DNS zone, enter the information listed below:

Property Value
Subscription Select your subscription
Resource group YOUR RESOURCE GROUP
Name contoso.com
Region East US

Select Review + Create and then select Create.

Create a virtual network link to your private DNS zone

On the portal search bar, type Private DNS zones in the search text box and select Private DNS zones from the results.
Select contoso.com.
Select + Virtual network link.
Select + Add
On the Basics tab of Create Virtual Network link, enter the information listed below:

Property Value
Link name app-vnet-link
Virtual network app-vnet
Enable auto registration Enabled

Select OK

Create a DNS record set

On the portal search bar, type Private DNS zones in the search text box and select Private DNS zones from the results.
Select contoso.com.
Select + Record set.
On the Basics tab of Create record set, enter the information listed below:

Property Value
Name backend
Type A
TTL 1
IP address 10.1.1.4

Select OK
Verify that contoso.com has a record set named backend

How To Route Traffic To The Firewall

Hyacienth Ugochukwu — Wed, 04 Sep 2024 01:49:30 +0000

Now that a firewall is in place with policies that enforce your organization's security requirements, you need to route your network traffic to the firewall subnet so it can filter and inspect the traffic. Route tables provide control over the routing of network traffic to and from the web application. Network Traffic is subject to the firewall rules when you route your network traffic to the firewall as the subnet default gateway. Routing traffic to a firewall is the process of directing network traffic to a firewall subnet so that it can be inspected and filtered.

We create a route table first

Record the private and public IP address of app-vnet-firewall. a. In the search box at the portal's top, enter Firewall. Select Firewall in the search results. b. Select app-vnet-firewall. c. Select Overview. i. Record the Private IP address. d. In the Overview pane select fwpip e. Record the Public IP address.
In the search box, enter Route tables. When the Route table appears in the search results, select it.
In the Route table page, select + Create.
On the Basics tab of Create Route table, enter the information as listed below:

Property Value
Subscription Select your subscription
Resource group YOUR RESOURCE GROUP
Region East US
Name app-vnet-firewall-rt
Select Review + Create and then select Create.

We then associate the route table to the subnets

In the search box, enter Route tables. and select Route Tables from the search results.
Select app-vnet-firewall-rt.
Select Subnets.
Select + Associate.
On the Associate subnet page, enter the information listed below:

Property Value
Virtual network app-vnet (YOUR RESOURCE GROUP)
Subnet frontend

Select OK.
Repeat the steps above to associate the app-vnet-firewall-rt route table to the backend subnet in app-vnet.

Lastly, we will create a route in the route table

In the search box, enter Route tables. and select Route Tables from the search results.
Select app-vnet-firewall-rt.
Select Routes.
Select + Add.
On the Add route page, enter the information listed below:

Property Value
Route name outbound-firewall
Destination type IP addresses
Destination IP addresses/CIDR range 0.0.0.0/0
Next hop type Virtual appliance
Next hop address private IP address of the firewall recorded earlier

Select Add.

Now the outbound traffic from the front end and backend subnet will route to the firewall.

Protecting The Web Application From Malicious Traffic And Blocking Unauthorized Access

Hyacienth Ugochukwu — Wed, 04 Sep 2024 01:08:19 +0000

In this article, I will be showing the steps to take to protect the web application from malicious traffic and block unauthorized access.

We will start by creating an Azure Firewall subnet in our existing virtual network
In the search box at the top of the portal, enter Virtual networks.

Select Virtual networks in the search results.
Select app-vnet.
Select Subnets.
Select + Subnet.
Enter the following information and select Save.

Property Value
Name AzureFirewallSubnet
Address range 10.1.63.0/26
Note: Leave all other settings as default.

Next, we create an Azure Firewall

In the search box at the portal's top, enter Firewall. Select Firewall in the search results.
Select + Create.
Create a firewall by using the following values. For any property that is not specified, use the default value.
Note: Azure Firewall can take a few minutes to deploy.

Property Value
Resource group YOUR RESOURCE GROUP
Name app-vnet-firewall
Firewall SKU Standard
Firewall management Use a Firewall Policy to manage this firewall
Firewall policy select Add new
Policy name fw-policy
Region East US
Policy Tier Standard
Choose a virtual network Use existing
Virtual network app-vnet (YOUR RESOURCE GROUP)
Public IP address Add new: fwpip

Select Review + Create and then select Create.

We update the Firewall Policy next.

In the search box at the portal's top, enter Firewall Policy. Select Firewall Policies in the search results.
Select fw-policy.
Select Application rules.
Select on ”+ Application rule collection”.
Use the values in the following table. For any property that is not specified, use the default value.

Property Value
Name app-vnet-fw-rule-collection
Rule collection type Application
Priority 200
Rule collection action Allow
Rule collection group DefaultApplicationRuleCollectionGroup

a. Under Rules use the values in the below

Property Value
Name AllowAzurePipelines
Source type IP address
Source 10.1.0.0/23
Protocol https
Destination type FQDN
Destination dev.azure.com, azure.microsoft.com
and select Add

Note: The AllowAzurePipelines rule allows the web application to access Azure Pipelines. The rule allows the web application to access the Azure DevOps service and the Azure website.

Create a network rule collection that contains a single IP Address rule by using the values in the following table. For any property that is not specified, use the default value.
Select Network rules.
Select on ”+ Network rule collection”.
Use the values in the following table. For any property that is not specified, use the default value.

Property Value
Name app-vnet-fw-nrc-dns
Rule collection type Network
Priority 200
Rule collection action Allow
Rule collection group DefaultNetworkRuleCollectionGroup

a. Under Rules use the values in the following table

Property Value
Rule AllowDns
Source 10.1.0.0/23
Protocol UDP
Destination ports 53
Destination addresses 1.1.1.1, 1.0.0.1
And select Add.

To verify that the Azure Firewall and Firewall Policy provisioning state shows Succeeded.
In the search box at the portal's top, enter Firewall. Select Firewall in the search results.
Select app-vnet-firewall.
Validate that the Provisioning state has Succeeded.
In the search box at the portal's top, enter Firewall policies. Select Firewall policies in the search results
Select fw-policy.
Validate that the Provisioning state is Succeeded

How To Control The Network Traffic To And From The Web Application

Hyacienth Ugochukwu — Tue, 03 Sep 2024 23:04:26 +0000

This is a continuation of my previous post.

Here, we will be talking about;

Creating an NSG
Creating NSG rules
Associating an NSG to a subnet
Creating and using Application Security Groups in NSG rules.

What is NSG: In Azure, a Network Security Group (NSG) is a tool that controls network traffic in a virtual network (VNet) using rules to allow or deny access. NSGs are a key component of Azure's security fabric.
Also, in Azure, a network security group (NSG) rule is a security rule that controls network traffic to and from Azure resources. NSG rules can allow or deny traffic based on conditions such as:

Source and destination: The IP addresses of the source and destination
Ports: The ports or range of ports that initiate network traffic
Protocols: The protocol used for the network traffic

Here are some other things to know about NSG rules:

Priority: Each rule in an NSG collection must have a unique priority number between 100 and 4096. The lower the number, the higher the priority.
Direction: Rules can be set to apply to either inbound or outbound traffic.
Action: Rules can be set to "Allow" or "Deny".
Logging: Logging can be enabled for an NSG to collect information about which rules are applied to virtual machines, and how often each rule is applied.
Default rules: NSGs contain default rules that can't be deleted, but can be replaced by user-created rules.

First, we will create an Application Security Group
An application security group (ASG) enables you to group servers with similar functions, such as web servers.

In the search box at the portal's top, enter Application security group. Select Application security groups in the search results.
Select + Create.

On the Basics tab of Create an Application Security Group, enter the information listed below:

Property Value
Subscription Select your subscription
Resource group YOUR RESOURCE GROUP
Name app-backend-asg
Region East US

Select Review + Create and then select Create.

Note: You are creating the application security group in the same region as the existing virtual network.

Then you Create and Associate the Network Security Group
A network security group (NSG) secures network traffic in your virtual network. NSGs contain a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated with subnets and/or individual network interfaces attached to Azure Virtual Machines (VM).

In the search box at the portal's top, enter Network security group. Select Network security groups in the search results.
Select + Create.

On the Basics tab of Create Network Security Group, enter the information as listed below:

Property Value
Subscription Select your subscription
Resource group YOUR RESOURCE GROUP
Name app-vnet-nsg
Region East US

Select Review + Create and then select Create.

In this section, you associate the network security group with the subnet of the virtual network you created earlier.

In the search box at the portal's top, enter Network security group. Select Network security groups in the search results.
Select app-vnet-nsg from the list of network security groups.
Select Subnets from the Settings section of app-vnet-nsg.
In the Subnets page, select + Associate
Under Associate subnet, select app-vnet (RG1) for Virtual network. and select Backend for Subnet, and then select OK.

Time to Create Network Security Group Rules
A network security group (NSG) secures network traffic in your virtual network.

In the search box at the portal's top, enter Network security group. Select Network security groups in the search results.
Select app-vnet-nsg from the list of network security groups.
Select Inbound security rules from the Settings section of app-vnet-nsg.
Select + Add.
On the Add inbound security rule page, enter the information as listed below:

Property Value
Source Any
Source port ranges *****
Destination Application Security group
Destination application security group app-backend-asg
Service SSH
Action Allow
Priority 100
Name AllowSSH

Next is to deploy an ARM template using Cloud Shell to create the VMs needed for this exercise

In the Azure portal, open the Azure Cloud Shell by selecting the icon in the top right of the Azure Portal.
If prompted to select either Bash or PowerShell, select PowerShell.

Note: If this is the first time you are starting Cloud Shell and you are presented with the You have no storage mounted message, select the subscription you are using in this lab, and select Create storage.

Deploy the following ARM template using Cloud Shell to create the VMs needed for this exercise:

Code

$RGName = "RG1"

   New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateUri https://raw.githubusercontent.com/MicrosoftLearning/Configure-secure-access-to-workloads-with-Azure-virtual-networking-services/main/Instructions/Labs/azuredeploy.json

To verify that both the VM1 and VM2 virtual machines are running, navigate to the RG1 resource group and select VM1.
Validate that the status of the virtual machine is Running.
Repeat the previous step for VM2.

Finally, Associate the application security group to the network interface of the VM
When you created the VMs, Azure created a network interface for each VM and attached it to the VM.

Add the application security group you created previously to the network interface of VM2.

In the Azure portal, navigate to the RG1 resource group and select VM2.
Navigate to the networking tab of the VM, and select + Add application security groups from the Application security groups section.
Select app-backend-asg from the list of application security groups.
Select Add

How To Provide A Shared Services Hub Virtual Network With Isolation And Segmentation

Hyacienth Ugochukwu — Fri, 30 Aug 2024 23:41:31 +0000

A shared services hub virtual network with isolation and segmentation is a network topology that uses a hub virtual network to centralize shared services and resources while isolating environments in spokes. This topology can help improve network performance and security and can be used for various purposes, such as dev/test, staging, user acceptance testing, and production.
Here are some key features of a shared services hub virtual network with isolation and segmentation:
Centralized Services
The hub virtual network hosts shared services and resources, such as DNS IDs, Active Directory Domain Services (AD DS), and Network Time Protocol (NTP).
Isolation
Each environment is deployed to a different spoke to maintain isolation.
Centralized Control
The hub can provide centralized control over security and connectivity. For example, the hub can have a perimeter network firewall, and each spoke can have segregated workload management.
Decentralized Management
The hub and each spoke can be implemented in different resource groups or subscriptions, allowing for decentralized workload management.
Network segmentation is dividing a computer network into smaller parts to improve network performance and security. Other terms for network segmentation include network segregation, network partitioning, and network isolation.
In this article, we will be learning how to provide a shared services hub virtual network with isolation and segmentation.

First, we create hub and spoke virtual networks and subnets

Open a browser and navigate to the Azure portal and login.
To create a Virtual Network, in the search bar at the top of the portal type “Virtual Networks” and select “Virtual Networks” from the results.
In the “Virtual Networks” portal pane, select “+ Create”.
Fill out all the tabs of the creation process by using the values below:

Property Value
Resource group YOUR GROUP
Name app-vnet
Region East US
IPv4 address space 10.1.0.0/16
Subnet name frontend
Subnet address range 10.1.0.0/24
Subnet name backend
Subnet address range 10.1.1.0/24

Note: Leave all other settings as their defaults. Select “Next” to advance to the next tab, and Create to create the virtual network.

Following the same steps as above, create the Azure virtual network Hub-vnet by using the values below:

Property Value
Resource group YOUR GROUP
Name Hub-vnet
Region East US
IPv4 address space 10.0.0.0/16
Subnet name AzureFirewallSubnet
Subnet address range 10.0.0.0/26

Once the deployment is complete. Navigate back to the portal, in the search bar type “resource groups” and select Resource Groups” from the results. Select “RG1” in the main pane and confirm both virtual networks have been deployed.

Then you setup a peer relationship between the virtual networks

Setting up a peer relationship between the two virtual networks will allow traffic to flow in both directions between the app-vnet and hub-vnet virtual networks.
In the Portal in the RG1 resource group view. Select the “app-vnet” virtual network.
On the app-vnet context menu on the left-hand side of the portal scroll down and select peerings
In the app-vnet peerings pane, Select + Add. Fill out the form using the values below:

Property Value
This virtual network Peering link name app-vnet-to-hub
Remote virtual network Peering link name hub-to-app-vnet
Virtual network hub-vnet

Note: Leave all other settings as their defaults. Select “Add” to create the virtual network peering.

Once the process completes and after the configuration updates. Validate that the Peering status is set to Connected. (you may have to refresh the page to see the updated status)

How To Perform A Simulated Attack To Validate The Analytic And Automation Rules

Hyacienth Ugochukwu — Sun, 11 Aug 2024 22:01:44 +0000

This is a continuation of my previous post, you can check it from here

We will need to perform a simulated attack to validate that the Analytic and Automation rules create an incident and assign it to the User. We will perform a simple Privilege Escalation attack on our resource.

Task 1 - Perform a simulated Privilege Escalation attack
Use simulated attacks to test analytic rules in Microsoft Sentinel.

Locate and select the resource, that is the virtual machine in Azure, scroll down the menu items to Operations, and select Run command
On the Run command pane, select RunPowerShellScript
Copy the commands below to simulate the creation of an Admin account into the PowerShell Script form and select Run

Code

net user theusernametoadd /add
 net user theusernametoadd ThePassword1!
 net localgroup administrators theusernametoadd /add

Note: Make sure there is only one command per line, and you can rerun the commands by changing the username.

In the Output window you should see The command completed successfully three times

Task 2 - Verify an incident is created from the simulated attack
Verify that an incident is created that matches the criteria for the analytic rule and automation.

In Microsoft Sentinel, go to the Threat Management menu section and select Incidents
You may or may not see an incident that matches the Severity and Title you configured in the NRT rule you created. It all depends on how your virtual machine was set up or what you used as your resource.
Select the Incident and the detail pane opens
The Owner assignment should be the user, created from the Automation rule, and the Tactics and techniques should be Privilege Escalation (from the NRT rule)
Select View full details to see all the Incident management capabilities and Incident actions

How To Configure A Data Connector Data Collection Rule

Hyacienth Ugochukwu — Sun, 11 Aug 2024 21:18:07 +0000

A Data Collection Rule (DCR) in Azure Monitor is a set of instructions that defines how to collect and process telemetry sent to Azure Monitor. DCRs specify what data should be collected, how to transform it, and where to send it. They can be used for many purposes, including:
Consistent configuration
Scalable configuration options
Edge Pipeline
High-end scalability
Layered network configurations
Periodic connectivity

In this article, we will be looking at how to validate the Microsoft Sentinel deployment to meet the following requirements:

a. Configure the Windows Security Events via AMA connector to collect all security events from only a virtual machine.
b. Create a near-real-time (NRT) query rule to generate an incident based on the following query.

SecurityEvent 
| where EventID == 4732
| where TargetAccount == "Builtin\\Administrators"

c. Create an automation rule that assigns Operator1 the Owner role for incidents that are generated by the NRT rule.

Task 1 - Configure Data Collection rules (DCRs) in Microsoft Sentinel
Configure a Windows Security Events via AMA connector.

In Microsoft Sentinel, go to the Configuration menu section and select Data connectors
Search for and select Windows Security Events via AMA
Select Open connector page
In the Configuration area, select +Create data collection rule
On the Basics tab enter a Rule Name
On the Resources tab expand your subscription and the RG1 resource group in the Scope column
Select the resource that you want to use, and then select Next: Collect >
On the Collect tab leave the default of All Security Events
Select Next: Review + create >, then select Create

Task 2 - Create a near real-time (NRT) query detection
Detect threats with near-real-time (NRT) analytic rules in Microsoft Sentinel.

In Microsoft Sentinel, go to the Configuration menu section and select Analytics
Select + Create, and NRT query rule (Preview)
Enter a Name for the rule, and select Privilege Escalation from Tactics and Techniques.
Select Next: Set rule logic >
Enter the KQL query into the Rule query form

Code

SecurityEvent 
| where EventID == 4732
| where TargetAccount == "Builtin\\Administrators"

Select Next: Incident settings, and select Next: Automated response.
Select Next: Review + Create.
When validation is complete select Save.

Task 3 - Configure automation in Microsoft Sentinel
Configure automation in Microsoft Sentinel.

In Microsoft Sentinel, go to the Configuration menu section and select Automation
Select + Create, and Automation rule
Enter an Automation rule name, and select Assign owner from Actions
Assign the user that you want to use as the owner.
Select Apply

How To Install Microsoft Sentinel Content Hub Solutions And Data Connectors

Hyacienth Ugochukwu — Sun, 11 Aug 2024 19:41:52 +0000

The content hub in Microsoft Sentinel is the centralized location to discover and manage out-of-the-box content including data connectors.
Microsoft Sentinel content is Security Information and Event Management (SIEM) content that enables customers to ingest data, monitor, alert, hunt, investigate, respond, and connect with different products, platforms, and services in Microsoft Sentinel. Microsoft Sentinel solutions are packages of content like data connectors, workbooks, analytic rules, playbooks, etc., or API integrations, that fulfill an end-to-end product, domain, or industry vertical scenario in Microsoft Sentinel. In terms of out-of-the-box content, these 90+ solutions in the Content hub, comprise over 60 data connectors, 250 analytic rules, 100 playbooks, 150 hunting queries, and about 40 workbooks.
Use cases for the Content hub are as follows:

Discover solutions for your scenarios by leveraging enhanced search capabilities. Filter by specific domain or vertical categories, other parameters like content type or provider, or use the powerful text search, to find the content that works best for your organization's needs.
Install a solution in a single step to get out-of-the-box content to immediately unlock your end-to-end use cases.
Manage updates for out-of-the-box content easily and get visibility on which solutions carry new updates.
Get clarity on the support model for each solution.

In this article, I will be showing you how to:
a. Install the following solutions:
Windows Security Events.
Azure Activity connector.
Microsoft Defender for Cloud.
b. Configure the data connector for Azure Activity to apply all new and existing resources in the subscription.
c. Configure the data connector for Microsoft Defender for Cloud to connect to the Azure subscription and ensure that only bi-directional sync is enabled.
d. Enable an analytics rule based on the Suspicious number of resource creation or deployment activities template. The rule should run every hour and only look up data for that last hour.
e. Ensure that the Azure Activity workbook is available in My workbooks.

Task 1 - Deploy a Microsoft Sentinel Content Hub solution
Deploy a Content Hub solution and configure Data connectors.

In Microsoft Sentinel, go to the Content Management menu section and select Content Hub.
Search for and select Windows Security Events
Select the link to View details
Select Windows Security Events plan, and select Create
Select the resource group that includes the Microsoft Sentinel workspace, and select the Workspace.
Select Next to the Data Connectors tab (solution will deploy 2 data connectors)
Select Next to the Workbooks tab (solution installs workbooks)
Select Next to the Analytics tab (solutions installs analytics rules)
Select Next to the Hunting queries tab (solution installs hunting queries)
Select Review + create
Select Create
Repeat these steps for the Azure Activity and the Microsoft Defender for Cloud solutions.

Task 2 - Set up the data connector for Azure Activity
Configure the data connector for Azure Activity to apply all new and existing resources in the subscription.

In Microsoft Sentinel, go to the Content Management menu section and select Content Hub.
In the Content hub, filter Status for Installed Solutions.
Select the Azure Activity solution and select Manage.
Select the Azure Activity Data connector and select the Open connector page.
In the Configuration area under the Instructions tab, scroll down to 2. Connect your subscriptions..., and select Launch Azure Policy Assignment Wizard>.
In the Basics tab, select the ellipsis button (…) under Scope and select your subscription from the drop-down list, and click Select.
Select the Parameters tab, and choose your workspace from the Primary Log Analytics workspace drop-down list.
Select the Remediation tab and select the Create a remediation task checkbox.
Select the Review + Create button to review the configuration.
Select Create to finish.

Task 3 - Set up the Defender for Cloud data connector
Configure the data connector for Microsoft Defender for Cloud and ensure that only incident management is configured.

In Microsoft Sentinel, go to the Content Management menu section and select Content Hub.
In the Content hub, filter Status for Installed Solutions.
Select the Microsoft Defender for Cloud solution and select Manage.
Select the Subscription-based Microsoft Defender for Cloud (Legacy) Data connector and select Open connector page
In the Configuration area under the Instructions tab, scroll down to your subscription and move the slider in the Status column to Connected.
Make sure Bi-directional sync is Enabled.

Task 4 - Create an analytics rule
Create an analytic rule based on the Suspicious number of resource creation or deployment activities template. The rule should run every hour and only look up data for that last hour.

In Microsoft Sentinel, go to the Configuration menu section and select Analytics.
In the Rule templates tab, search for Suspicious number of resource creation or deployment activities.
Select the Suspicious number of resource creation or deployment activities, and select Create rule.
Leave the defaults on the General tab and select Next: Set rule logic >.
Leave the default Rule query and configure Query scheduling using the table:

Setting Value
Run query every 1 Hour
Lookup data from the last 1 Hour

Select Next: Incident settings >.
Leave the defaults and select Next: Automated response >.
Leave the defaults and select Next: Review and create >.
Select Save.

Task 5 - Ensure that the Azure Activity workbook is available in My workbooks

In Microsoft Sentinel, go to the Content Management menu section and select Content Hub.
In the Content hub, filter Status for Installed Solutions.
Select the Azure Activity solution and select Manage.
Select the Azure Activity workbook checkbox, and then select Configuration.
Select the Azure Activity workbook and select Save.
Choose the Azure Region for your Microsoft Sentinel workspace.

How To Create A Microsoft Sentinel Environment

Hyacienth Ugochukwu — Sun, 11 Aug 2024 18:30:01 +0000

What is A Microsoft Sentinel Environment?

Microsoft Sentinel is a cloud-native security information and event management (SIEM) platform that uses built-in AI to help analyze large volumes of data across an enterprise—fast.
Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) that delivers an intelligent and comprehensive solution for SIEM and security orchestration, automation, and response (SOAR). Microsoft Sentinel provides cyberthreat detection, investigation, response, and proactive hunting, with a bird's-eye view across your enterprise.
Microsoft Sentinel also natively incorporates proven Azure services, like Log Analytics and Logic Apps, and enriches your investigation and detection with AI. It uses Microsoft's threat intelligence stream and enables you to bring your threat intelligence.
There are multiple ways to configure your sentinel environment but I will show you how to create yours by adding roles and specifying the number of days the data should be retained.

Task 1 - Create a Log Analytics workspace
Create a Log Analytics workspace, including a region option.

In the Azure portal, search for and select Microsoft Sentinel.
Select + Create.
Select Create a new workspace.
Select Create new and add a Resource Group.
Enter a valid name for the Log Analytics workspace.
Select any region of your choice for the workspace.
Select Review + Create to validate the new workspace.
Select Create to deploy the workspace.

Task 2 - Deploy Microsoft Sentinel to a workspace
Deploy Microsoft Sentinel to the workspace.

When the workspace deployment completes, select Refresh to display the new workspace.
Select the workspace you want to add Sentinel to (created in Task 1).
Select Add.

Task 3 - Assign a Microsoft Sentinel role to a user
Assign a Microsoft Sentinel role to a user.

Go to the Resource group.
Select Access Control (IAM).
Select Add and Add role assignment.
In the search bar, search for and select the Microsoft Sentinel Contributor role.
Select Next.
Select the option User, group, or service principal.
Select + Select members.
Search for the user you want to assign.
Select the user icon.
Select Select.
Select “Review + assign”.
Select “Review + assign”.

Task 4 - Configure data retention
Configure data retention.

Go to the Log Analytics workspace created in Task 1 step 5.
Select Usage and estimated costs.
Select Data retention.
Change data retention period to 180 days.
Select OK.

Creating a virtual machine using PowerShell

Hyacienth Ugochukwu — Sun, 22 Oct 2023 22:42:09 +0000

Go to your Azure Portal dashboard and click on the Cloud Shell icon. A coding environment will pop up below your screen. Select PowerShell and proceed to create your resource group and virtual machine.

Creating a resource group in powershell just requires this command;
New-AzResourceGroup -Name "ugopowershell" -Location "East US"

Creating a virtual machine in powershell requires this command;

New-AzVm `
-ResourceGroupName "[name of your choice]" `
-Name "[virtual machine name of your choice]" `
-Location "[location of choice]" `
-VirtualNetworkName "myVnetPS" `
-SubnetName "mySubnetPS" `
-SecurityGroupName "myNSGPS" `
-PublicIpAddressName "myPublicIpPS"

Creating a virtual machine using CLI (Bash)

Hyacienth Ugochukwu — Sun, 22 Oct 2023 21:42:46 +0000

Go to your Azure Portal dashboard and click on the Cloud Shell icon. A coding environment will pop up below your screen. Select Bash and proceed to create your resource group and virtual machine.

Creating a resource group in bash just requires this command;
az group create --name [the name that you want to use] --location [the location that you want to use]

Creating a virtual machine in bash requires this command;

az vm create \
--resource-group [resource group name] \
--name [name of your virtual machine] \
--image Ubuntu2204 \
--generate-ssh-keys

Use the Azure QuickStart gallery to deploy a template that creates a Windows virtual machine

Hyacienth Ugochukwu — Sun, 22 Oct 2023 19:42:18 +0000

Step 1: Go to your Azure Portal search bar and search for deploy a custom template.

Step 2: Click on create a Windows virtual machine.

Step 3: Add your resource group, username, password, location (if you want to). You can leave the other tabs as default and review and create. After deployment, you can delete your virtual machine if you want to.