JTCyberTech / Cybersecurity-Home-Labs


Part 6: Implementation of Cybersecurity Incident in SIEM #61

Open JTCyberTech opened 11 months ago

JTCyberTech commented 11 months ago

Implement Cybersecurity Incident in SIEM

In this project phase, I will validate automation integration by manually initiating a new incident.

Manually Creating a New Incident



- Click on "Incidents" under Threat management in the left sidebar.

- Click on "Create incident (Preview)".

- Fill in the information:
  - Title: Potential Kerberoasting
  - Description:
    ```
    A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. Each SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. An attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains a hash of the service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive requests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number of requests within a small time window. This is based on 4769 events which can be very noisy so environment-based tweaking might be needed.
    ```
  - Click on "Create".

- Select the new incident by clicking on it.

- Click on "View full details".

- Click on "Activity log".

- Successfully created a new incident and validated ChatGPT automation functionality.
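The hunting logic summarised in the incident description (accounts that request TGS tickets for unusually many distinct SPNs in the last hour compared with their own previous 24 hours, based on event ID 4769) can be exercised offline. The script below is an added example, not code from this repository or from Microsoft Sentinel: it parses constructed sample 4769 lines in a simplified flat format and flags any account whose distinct-SPN count in the last hour reaches an assumed minimum (5) and exceeds that account's count over the preceding 24 hours. The log format, account names, SPNs, thresholds and reference time `NOW` are all constructed assumptions, and the real Sentinel hunt uses its own thresholds.

```python
"""Toy Kerberoasting hunt: flag accounts requesting TGS tickets (event 4769) for many
distinct SPNs in the last hour versus their own previous 24 hours.
Added example; log format, data and thresholds are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events in a simplified flat format (not real Windows/Sentinel output).
# Reference time is 2024-05-10T14:00Z, so "last hour" is 13:00-14:00 and the
# baseline window is 2024-05-09T13:00Z to 2024-05-10T13:00Z.
SAMPLE_LOG = """\
2024-05-09T15:00:00Z EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=CIFS/fs01 TicketEncryptionType=0x12
2024-05-09T16:30:00Z EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=HTTP/intranet TicketEncryptionType=0x12
2024-05-10T09:00:00Z EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=CIFS/fs01 TicketEncryptionType=0x12
2024-05-10T09:05:00Z EventID=4768 TargetUserName=alice@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12
2024-05-10T10:00:00Z EventID=4769 TargetUserName=svc_scan@CORP.LOCAL ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x17
2024-05-10T13:01:00Z EventID=4769 TargetUserName=svc_scan@CORP.LOCAL ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x17
2024-05-10T13:02:00Z EventID=4769 TargetUserName=svc_scan@CORP.LOCAL ServiceName=MSSQLSvc/db02 TicketEncryptionType=0x17
2024-05-10T13:03:00Z EventID=4769 TargetUserName=svc_scan@CORP.LOCAL ServiceName=HTTP/web01 TicketEncryptionType=0x17
2024-05-10T13:04:00Z EventID=4769 TargetUserName=svc_scan@CORP.LOCAL ServiceName=CIFS/fs01 TicketEncryptionType=0x17
2024-05-10T13:05:00Z EventID=4769 TargetUserName=svc_scan@CORP.LOCAL ServiceName=CIFS/fs02 TicketEncryptionType=0x17
2024-05-10T13:06:00Z EventID=4769 TargetUserName=svc_scan@CORP.LOCAL ServiceName=ldap/dc01 TicketEncryptionType=0x17
2024-05-10T13:07:00Z EventID=4769 TargetUserName=svc_scan@CORP.LOCAL ServiceName=HOST/app01 TicketEncryptionType=0x17
2024-05-10T13:08:00Z EventID=4769 TargetUserName=svc_scan@CORP.LOCAL ServiceName=HTTP/api01 TicketEncryptionType=0x17
2024-05-10T13:20:00Z EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=CIFS/fs01 TicketEncryptionType=0x12
2024-05-10T13:30:00Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=HTTP/intranet TicketEncryptionType=0x12
2024-05-10T13:31:00Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=CIFS/fs01 TicketEncryptionType=0x12
"""

NOW = datetime(2024, 5, 10, 14, 0, tzinfo=timezone.utc)  # assumed reference time

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) "
    r"ServiceName=(?P<svc>\S+) TicketEncryptionType=(?P<enc>0x[0-9a-fA-F]+)$"
)


def parse_4769(text):
    """Return (timestamp, account, spn) tuples for 4769 lines; other event IDs are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["id"] != "4769":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["svc"]))
    return events


def distinct_services(events, start, end):
    """Count distinct SPNs requested per account within [start, end)."""
    per_user = defaultdict(set)
    for ts, user, svc in events:
        if start <= ts < end:
            per_user[user].add(svc)
    return {user: len(spns) for user, spns in per_user.items()}


def hunt_kerberoasting(events, now, min_services=5):
    """Flag accounts whose distinct-SPN count in the last hour reaches min_services
    and exceeds the same account's count over the previous 24 hours."""
    recent = distinct_services(events, now - timedelta(hours=1), now)
    baseline = distinct_services(events, now - timedelta(hours=25), now - timedelta(hours=1))
    hits = {}
    for user, count in recent.items():
        prior = baseline.get(user, 0)
        if count >= min_services and count > prior:
            hits[user] = {"last_hour": count, "previous_24h": prior}
    return hits


def run_hunt():
    """Run the hunt over the constructed sample log at the assumed reference time."""
    return hunt_kerberoasting(parse_4769(SAMPLE_LOG), NOW)


if __name__ == "__main__":
    for user, stats in run_hunt().items():
        print(f"{user}: {stats['last_hour']} distinct SPNs in last hour "
              f"(previous 24h: {stats['previous_24h']})")
```

On the sample data only `svc_scan@CORP.LOCAL` is flagged: eight distinct SPNs in the last hour against one in the preceding day. `alice` and `bob` stay below the minimum, and the 4768 (TGT) line is ignored by the parser. The encryption type is parsed but unused here; in a real environment it is one of the fields you would tune on, since the description notes that 4769 volume is noisy and needs environment-based adjustment.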