You are currently using Azure Sentinel for the collection of Windows security events.
You want to use Azure Sentinel to identify Remote Desktop Protocol (RDP) activity that is unusual for your environment.
You need to enable the Anomalous RDP Login Detection rule.
What two prerequisites do you need to ensure are in place before you can enable this rule? Each correct answer presents part of the solution.
Choose the correct answers.
A. B. C. D.
Correct Answers: A and B
One of the best features of a Security information and event management (SIEM) tool like Azure Sentinel is correlating important data and finding events that deserve your attention.
The Anomalous RDP Login Detection rule does just that.
Enabling this rule requires two prerequisites:
You should collect Security events or Windows Security Events with Event ID 4624
This is the event ID for an account successfully logging on to a machine/system.
This covers many logon types, including RDP.
Without this data, Azure Sentinel would be blind to RDP logins entirely.
This process would be completed in the Security Events Data Connector or Windows Security Events (Preview) Data Connector pages within Azure Sentinel.
You should also select an event set other than None.
This is a configuration step completed during the data connector implementation described above.
This step ensures that the connector detailed in the above step is actually passing data.
Options other than None include All events, Common, and Minimal.
Although it may seem counterintuitive that there would even be a None event set, this can be used to disable a connector without deleting/removing it.
This can be helpful in certain troubleshooting scenarios.
You should not create a data collection rule that includes Event ID 4720
This is the Event ID for the creation of a user account, not for logging on to a machine or system.
While it may seem picky to expect a security professional to memorize exact event IDs, it is incredibly helpful to recognize some of the most common ones.
Logons (4624) and user creation (4720) are two that are critical to know well when conducting time-sensitive research into a potential compromise in a privilege escalation or account creation incident response (IR) scenario.
You should not let the machine learning algorithm collect 30 days' worth of Windows Security events data.
This is, however, a very important time frame once the rule has been enabled.
This rule relies on a machine learning algorithm that ultimately requires 30 days' worth of data before it can build a baseline.
This baseline is a profile of your company's normal user behavior, so you need to allow 30 days of Windows Security events data to be ingested before this rule will result in the discovery of any incidents.
Remember, however, that the question only refers to the process to enable the rule and not the generation of incidents thereafter.
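To make the two ideas above concrete (why the rule needs Event ID 4624 rather than 4720, and why it needs a 30-day window before it can judge anything), here is an added Python sketch of a per-account RDP baseline. It is illustrative code written for this explanation, not the Sentinel rule's own algorithm and not code from Microsoft. It assumes events are dicts mirroring the Sentinel SecurityEvent columns EventID, LogonType, Account, IpAddress and TimeGenerated, treats Windows logon type 10 (RemoteInteractive) as RDP, and uses constructed sample records, not real telemetry.

```python
"""Toy per-account RDP logon baseline over constructed Event ID 4624 records.

Illustrative only: not the Azure Sentinel rule's own model. Field names follow
the Sentinel SecurityEvent table (assumption for this example).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10   # Windows logon type 10 = RemoteInteractive (RDP)
BASELINE_DAYS = 30    # learning window described on the page


def _ev(event_id, logon_type, account, ip, when):
    """Build one constructed SecurityEvent-like record."""
    return {"EventID": event_id, "LogonType": logon_type, "Account": account,
            "IpAddress": ip, "TimeGenerated": when}


NOW = datetime(2021, 3, 31, 0, 0)  # evaluation time for the constructed data

# 30 days of routine activity (constructed): two users RDP in at fixed hours,
# plus a service logon (type 5) that a 4624 filter must NOT treat as RDP.
HISTORY = []
for day in range(1, 31):
    t = NOW - timedelta(days=day)
    HISTORY.append(_ev(4624, 10, "CORP\\alice", "10.0.0.5", t.replace(hour=9)))
    HISTORY.append(_ev(4624, 10, "CORP\\bob", "10.0.0.7", t.replace(hour=14)))
    HISTORY.append(_ev(4624, 5, "NT AUTHORITY\\SYSTEM", "-", t.replace(hour=0)))

# New activity to evaluate against the baseline (constructed).
NEW_EVENTS = [
    _ev(4624, 10, "CORP\\alice", "10.0.0.5", NOW + timedelta(hours=9, minutes=30)),  # routine
    _ev(4624, 10, "CORP\\alice", "203.0.113.9", NOW + timedelta(hours=3)),        # new IP, odd hour
    _ev(4624, 10, "CORP\\mallory", "10.0.0.7", NOW + timedelta(hours=14)),       # unseen account
    _ev(4624, 3, "CORP\\bob", "10.0.0.9", NOW + timedelta(hours=10)),            # network logon, not RDP
    _ev(4720, None, "CORP\\admin", "-", NOW + timedelta(hours=1)),               # account creation, ignored
]


def rdp_logons(events):
    """Keep only successful logons (4624) whose logon type is RDP."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == RDP_LOGON_TYPE]


def build_baseline(events, now, days=BASELINE_DAYS):
    """Per-account profile of source IPs and hours of day seen in the window."""
    start = now - timedelta(days=days)
    profile = defaultdict(lambda: {"ips": set(), "hours": set()})
    for e in rdp_logons(events):
        if start <= e["TimeGenerated"] < now:
            profile[e["Account"]]["ips"].add(e["IpAddress"])
            profile[e["Account"]]["hours"].add(e["TimeGenerated"].hour)
    return dict(profile)


def explain(event, baseline):
    """Return the reasons an RDP logon deviates from the baseline ([] if routine)."""
    acct = baseline.get(event["Account"])
    if acct is None:
        return ["account never seen over RDP in baseline window"]
    reasons = []
    if event["IpAddress"] not in acct["ips"]:
        reasons.append("source IP not in baseline")
    if event["TimeGenerated"].hour not in acct["hours"]:
        reasons.append("hour of day not in baseline")
    return reasons


def detect(history, new_events, now):
    """Flag new RDP logons that deviate from the baseline built from history."""
    baseline = build_baseline(history, now)
    findings = []
    for e in rdp_logons(new_events):
        reasons = explain(e, baseline)
        if reasons:
            findings.append((e["Account"], e["IpAddress"], reasons))
    return findings


if __name__ == "__main__":
    for account, ip, reasons in detect(HISTORY, NEW_EVENTS, NOW):
        print(f"{account} from {ip}: {', '.join(reasons)}")
```

Run as a script, it flags alice's logon from 203.0.113.9 at 03:00 and the never-seen account mallory, while alice's routine 09:30 logon, bob's type 3 network logon and the 4720 account-creation event produce nothing. With an empty history every RDP logon would be flagged as "never seen", which is the practical reason the page tells you to let the rule ingest 30 days of data before expecting meaningful incidents.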
Finally, the actual process to enable the rule after these prerequisites are set is fairly simple.
Starting in the Azure Sentinel portal, you will click Analytics, and then click the Rule templates tab.
Next, you must choose the (Preview) Anomalous RDP Login Detection rule and simply move the Status slider from Disabled (the default) to Enabled.
Reference:
To enable the Anomalous RDP Login Detection rule in Azure Sentinel, you need to ensure that two prerequisites are in place:
Collect Security events or Windows Security Events with Event ID 4624: The first prerequisite is to ensure that Azure Sentinel is collecting Windows Security Events with Event ID 4624. This event ID is generated when a user successfully logs on to a computer. It is essential to collect this event as it forms the basis for anomaly detection. Azure Sentinel uses machine learning algorithms to analyze the frequency and behavior of users logging in via RDP. If there is a deviation from the usual pattern, it triggers an alert. Therefore, it is important to collect this event to enable the Anomalous RDP Login Detection rule.
Let the machine learning algorithm collect 30 days' worth of Windows Security events data: The second prerequisite is to allow the machine learning algorithm to collect 30 days' worth of Windows Security Events data. This data is used to establish a baseline of what is normal behavior in your environment. It helps the algorithm identify unusual patterns of RDP activity. The more data the algorithm has to work with, the more accurate the detection will be. It is important to ensure that enough data is collected before enabling the Anomalous RDP Login Detection rule.
Therefore, the correct answers are A and C. Selecting an event set other than None and collecting Security events or Windows Security Events with Event ID 4720 are not prerequisites for enabling the Anomalous RDP Login Detection rule.