Exercise - Hunt for threats by using Microsoft Sentinel
As a security engineer working for Contoso, you recently noticed that a significant number of virtual machines (VMs) were deleted from your Azure subscription. You want to simulate a deleted VM, analyze this occurrence, and understand the key elements of the potential threat in Microsoft Sentinel.
In this exercise, you delete a VM, manage threat-hunting queries, and save key findings with bookmarks.
Note
To complete this exercise, you need to have completed the setup exercise earlier in the module. If you haven't done that, please do it now.
Delete a VM
In this task, you delete a VM to test rule detection and incident creation.
- In the Azure portal, search for and select Virtual machines.
- On the Virtual machines page, select the check box beside the virtual machine labeled simple-vm, and then select Delete from the toolbar.
- In the Delete Resources pane, confirm the deletion and then select Delete.
Manage Microsoft Sentinel threat-hunting queries
In this task, you create and manage threat-hunting queries to review events related to deleting the VM in the previous task. It might take up to 5 minutes for the event to appear in Microsoft Sentinel after you delete the VM.
In the Azure portal, search for and select Microsoft Sentinel, and then select the previously created Sentinel workspace.
On the Microsoft Sentinel page, on the menu bar, in the Threat management section, select Hunting.
On the Hunting page, select the Queries tab. Then choose New Query.
On the Create custom query page, provide the following inputs, and then select Create.
Name: Enter Deleted VMs.
Description: Enter a detailed description that helps other security analysts understand what the rule does.
Custom query: Enter the following code.
AzureActivity | where OperationName == 'Delete Virtual Machine' | where ActivityStatus == 'Accepted' | extend AccountCustomEntity = Caller | extend IPCustomEntity = CallerIpAddressTactics: Select Impact.
On the Hunting page, on the Queries tab, enter Deleted VMs in the Search queries field.
In the list of queries, select the star icon beside Deleted VMs to mark the query as a favorite.
Select the Deleted VMs query. In the details pane, select View Results.
Note
It might take up to 15 minutes for the deleted VM event to be sent to Microsoft Sentinel. You can periodically choose to run the query on the Results tab if the VM deletion event doesn't appear.
On the Logs page, in the Results section, select the listed event. It should have
"action": "Microsoft.Compute/virtualMachines/delete"in the Authorization column. This is the event from the Azure Activity log that indicates that the VM was deleted.Remain on this page for the next task.
Save key findings with bookmarks
In this task, you use bookmarks to save events and do more hunting.
- On the Logs page, in the Results section, select the check box beside the listed event. Then select Add bookmark.
- On the Add bookmark pane, select Create.
- At the top of the page, select Microsoft Sentinel on the breadcrumb trail.
- On the Hunting page, select the Bookmarks tab.
- In the list of bookmarks, select the bookmark that begins with Deleted VMs.
- On the details page, select Investigate.
- On the Investigation page, select Deleted VMs and observe the details of the incident.
- On the Investigation page, select the entity on the graph that represents a user. This is your user account, which indicates that you deleted the VM.
Results
In this exercise, you deleted a VM, managed threat-hunting queries, and saved key findings with bookmarks.
Clean up Azure resources
After you finish using the Azure resources that you created in this exercise, delete them to avoid incurring costs:
- In the Azure portal, search for Resource groups.
- Select your resource group.
- In the header bar, select Delete resource group.
- In the TYPE THE RESOURCE GROUP NAME field, enter the name of the resource group and select Delete.