This is a continuation of my previous post; you can check it here.
We will need to perform a simulated attack to validate that the analytic rule and the automation rule create an incident and assign it to the user. We will perform a simple Privilege Escalation attack on our resource.
Task 1 - Perform a simulated Privilege Escalation attack
Use simulated attacks to test analytic rules in Microsoft Sentinel.
- Locate and select the resource (the virtual machine in Azure), scroll down the menu items to Operations, and select Run command
- On the Run command pane, select RunPowerShellScript
- Copy the commands below, which simulate the creation of an admin account, into the PowerShell Script form and select Run
```powershell
net user theusernametoadd /add
net user theusernametoadd ThePassword1!
net localgroup administrators theusernametoadd /add
```
Note: Make sure there is only one command per line. You can rerun the commands by changing the username.
- In the Output window you should see "The command completed successfully." three times
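Before moving on to Task 2, it is worth confirming on the VM that the simulation actually produced the Windows Security events that the Security Events connector forwards to the SecurityEvent table, and then removing the test account so the lab does not leave a real local admin behind. The PowerShell below is an added example, not part of the original lab, and is run the same way (Run command > RunPowerShellScript); it assumes the NRT rule from the previous post keys on Security event 4732 (member added to a security-enabled local group) for the Administrators group, and that $TestUser matches the name you used.

```powershell
# Added example, not part of the original lab. Run via Run command > RunPowerShellScript
# on the same VM after the simulation. Assumption: the NRT rule from the previous post
# matches Security event 4732 for the Administrators group.
$TestUser = 'theusernametoadd'   # the account name used in the simulation

# 4720 = user account created, 4732 = member added to a security-enabled local group.
# These are the events the Windows Security Events connector forwards to SecurityEvent.
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732 } `
    -MaxEvents 500 -ErrorAction SilentlyContinue

# Keep only the events produced by this simulation: the 4720 naming the test account,
# and any 4732 for the built-in Administrators group (4732 often shows the member by SID only).
$hits = $recent | Where-Object {
    ($_.Id -eq 4720 -and $_.Message -match "Account Name:\s+$([regex]::Escape($TestUser))") -or
    ($_.Id -eq 4732 -and $_.Message -match 'Group Name:\s+Administrators')
}

foreach ($e in $hits) {
    '{0}  EventID {1}  {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0].Trim()
}

if (-not ($hits | Where-Object Id -eq 4732)) {
    Write-Warning 'No 4732 event for the Administrators group was logged; the NRT rule will have nothing to match.'
}

# Clean up: drop the test account from Administrators and delete it.
net localgroup administrators $TestUser /delete
net user $TestUser /delete
```

If the events print here but no incident appears in Task 2, query the SecurityEvent table in the workspace for EventID 4720 or 4732 from this computer to check whether the connector is forwarding them at all.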
Task 2 - Verify an incident is created from the simulated attack
Verify that an incident is created that matches the criteria for the analytic rule and automation.
- In Microsoft Sentinel, go to the Threat Management menu section and select Incidents
- You may or may not see an incident that matches the Severity and Title you configured in the NRT rule you created. Whether one appears depends on how your virtual machine was set up and on what you used as your resource.
- Select the incident and the detail pane opens
- The Owner should be the user assigned by the automation rule, and Tactics and techniques should show Privilege Escalation (from the NRT rule)
- Select View full details to see all the Incident management capabilities and Incident actions