From 9827954bc3851ceddf082bea96eba84ad5e02058 Mon Sep 17 00:00:00 2001 From: r-c-steart Date: Wed, 8 May 2024 15:58:43 -0700 Subject: [PATCH] Modified Sentinel lab --- Instructions/Labs/Lab_27_MicrosoftSentinelKustoQueries.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/Instructions/Labs/Lab_27_MicrosoftSentinelKustoQueries.md b/Instructions/Labs/Lab_27_MicrosoftSentinelKustoQueries.md index 01bbb3a1..5136489b 100644 --- a/Instructions/Labs/Lab_27_MicrosoftSentinelKustoQueries.md +++ b/Instructions/Labs/Lab_27_MicrosoftSentinelKustoQueries.md @@ -77,11 +77,3 @@ Microsoft Sentinel is Microsoft's cloud-native SIEM and SOAR solution. Through 1. Select **Run**. 1. This will provide a list of User IDs on Microsoft Entra ID. Since we have just created the workspace, you may not see results. Note the format of the query. - -1. Under **Threat management** in the menu, select **Hunting**. - -1. Scroll down to find the query **Anomalous sign-in location by user account and authenticating application**. This query over Microsoft Entra sign-in considers all user sign-ins for each Microsoft Entra application and picks out the most anomalous change in location profile for a user within an individual application. The intent is to hunt for user account compromise, possibly via a specific application vector. - -1. Select **View query results** to run the query. - -1. This may not provide results with the new workspace, but you now have seen how queries can be run to gather information or for hunting potential threats.
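Review bot: the commit message "Modified Sentinel lab" gives no reason for deleting the four Hunting steps (**Threat management** > **Hunting**, the **Anomalous sign-in location by user account and authenticating application** query, **View query results**, and the closing remark), so a reader of the history cannot tell whether the built-in hunting query was retired, the Hunting blade moved, or the lab was simply shortened; the message should state which. As the hunk stands, the lab now ends on "Note the format of the query." with no wrap-up, because the deleted final step ("you now have seen how queries can be run to gather information or for hunting potential threats") carried the only summary sentence; either keep a reworded version of that step for the remaining Logs exercise or add a short closing line. The hunk header's context also reads "Microsoft Sentinel is Microsoft's cloud-native SIEM and SOAR solution. Through", so check whether the lab introduction or objectives earlier in the file still promise a threat-hunting exercise and trim them to match this deletion.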