Merge pull request #50066 from KenMAG/main

Revised module with Azure and Defender tabs, added simulation and improved Acrolinx score

Author: ShannonLeavitt

learn-pr/wwl-sci/incident-management-sentinel/6-exercise-investigate-incident.yml

@@ -4,10 +4,10 @@ title: Exercise - Investigate an incident
 metadata:
   title: Exercise - Investigate an incident
   description: Follow these steps to create an analytics rule and use it to investigate an incident in Microsoft Sentinel.
-  ms.date: 05/22/2023
-  author: wwlpublish
+  ms.date: 04/18/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: unit
-durationInMinutes: 20
+durationInMinutes: 35
 content: |
   [!include[](includes/6-exercise-investigate-incident.md)]

learn-pr/wwl-sci/incident-management-sentinel/includes/6-exercise-investigate-incident.md

@@ -1,9 +1,12 @@
+Security operations analysts use Microsoft Sentinel to monitor and respond to security incidents in their organization. In these exercises we investigate security incidents using Microsoft Sentinel in Microsoft Azure, and in the Microsoft Defender portal Unified Security Operations Platform.
 
-As a Contoso security engineer, you need to analyze the deletions of virtual machines (VMs) from the Contoso Azure subscription, and be alerted when a similar activity occurs in the future. You decide to implement an analytics rule to create an incident when someone deletes an existing VM. You can then investigate the incident to determine the details, and close the incident when you're finished.
+## [Azure portal](#tab/azure-portal)
+
+As a Contoso security operations analyst, you need to analyze the deletions of virtual machines (VMs) from the Contoso Azure subscription, and be alerted when a similar activity occurs in the future. You decide to implement an analytics rule to create an incident when someone deletes an existing VM. You can then investigate the incident to determine the details, and close the incident when you're finished.
 
 In this exercise, you create a Microsoft Sentinel analytics rule to detect when a VM is deleted. You then delete the VM you created at the beginning of this module, and investigate and resolve the incident the rule created.
 
-To complete this exercise, make sure you finished the setup exercise at the beginning of the module and the Azure Activity connector now shows a status of **Connected**.
+To complete this exercise, make sure you finished the setup exercise at the beginning of the module, and the Azure Activity connector now shows a status of **Connected**.
 
 ## Create an analytics rule from the wizard
 
@@ -13,7 +16,7 @@ Create an analytics rule that creates an incident when a VM is deleted in the Co
 1. On your Microsoft Sentinel page, select **Analytics** under **Configuration** in the left menu.
 1. On the **Analytics** page, select **Create** > **Scheduled query rule**.
 
-**General tab**
+## General tab
 
 1. On the **General** tab of the wizard, provide the following information.
 
@@ -27,7 +30,7 @@ Create an analytics rule that creates an incident when a VM is deleted in the Co
 
 1. Select **Next: Set rule logic**.
 
-**Set rule logic tab**
+## Set rule logic tab
 
 1. On the **Set rule logic** tab, in the **Rule query** section, enter the following query:
 
@@ -50,14 +53,14 @@ Create an analytics rule that creates an incident when a VM is deleted in the Co
 
 1. Select **Next: Incident settings**.
 
-**Incident settings tab**
+## Incident settings tab
 
 1. On the **Incident settings** tab, ensure that **Create incidents from alerts triggered by this analytics rule** is set to **Enabled**.
 1. In the **Alert grouping** section, select **Enabled** to group related alerts into incidents. Ensure that **Grouping alerts into a single incident if all the entities match (recommended)** is selected.
 1. Ensure that **Reopen closed matching incidents** is **Disabled**.
 1. Select **Next: Automated response**.
 
-**Review and create**
+## Review and create
 
 1. Select **Next: Review**.
 1. On the **Review and create** tab, when validation is successful, select **Create**.
@@ -67,8 +70,8 @@ Create an analytics rule that creates an incident when a VM is deleted in the Co
 To test rule detection and incident creation, delete the VM you created during setup.
 
 1. In the Azure portal, search for and select **Virtual machines**.
-2. On the **Virtual machines** page, select the checkbox next to **simple-vm**, and then select **Delete** from the toolbar.
-3. On the **Delete Resources** pane, enter *delete* in the **Enter "delete" to confirm deletion** field, and then select **Delete**.
+1. On the **Virtual machines** page, select the checkbox next to **simple-vm**, and then select **Delete** from the toolbar.
+1. On the **Delete Resources** pane, enter *delete* in the **Enter "delete" to confirm deletion** field, and then select **Delete**.
 1. Select **Delete** again.
 
 Give the operation several minutes to complete before you proceed to the next step.
@@ -95,7 +98,7 @@ In this step, you investigate the incident Microsoft Sentinel created when you d
 1. Select the close icons to close the **Investigate** and **Incident** pages.
 1. On the **Incidents** page, observe that **Open incidents** and **Active incidents** now have values of **0**.
 
-You've successfully created a Microsoft Sentinel analytics rule, deleted a VM to create an incident, and investigated and closed the incident the rule created.
+You successfully created a Microsoft Sentinel analytics rule, deleted a VM to create an incident, and investigated and closed the incident the rule created.
 
 ## Clean up resources
 
@@ -107,3 +110,76 @@ To avoid incurring costs, delete the Azure resources that you created in this mo
 1. On the **Delete a resource group** page, under **Enter resource group name to confirm deletion**, enter *azure-sentinel-rg*.
 1. Select **Delete**, and then select **Delete** again.
 
+## [Defender portal](#tab/defender-portal)
+
+In this exercise you walk through the process of reviewing, modifying, investigating, and responding to a security incident within the Unified Security Operations Platform.
+
+   > [!NOTE]
+   > When a lab instruction calls for opening a link to the simulated environment, it's recommended that you open the link in a new browser window so that you can simultaneously view the instructions and the exercise environment. To do so, select the right mouse key and select the option.
+
+1. Open the simulated environment by selecting this link: **[Microsoft Defender portal](https://app.highlights.guide/start/1e5185e8-b314-48fe-b848-965232192baa?token=bba5e99b-3887-4a6c-b0d8-3099d15a4c23)**.
+
+   > [!NOTE]
+   > The environment for this exercise is a simulation generated from the product. As a limited simulation, links on a page may not be enabled and text-based inputs that fall outside of the specified script may not be supported. A pop-up message displays stating, "This feature isn't available within the simulation." When this occurs, select OK and continue the exercise steps.  
+   >
+   >:::image type="content" source="../media/simulation-pop-up-error.png" alt-text="Screenshot of pop-up screen indicating that this feature isn't available within the simulation.":::
+
+## Task: Review the Incident Queue and Apply Filters
+
+1. In the Microsoft Defender portal navigation menu:
+    1. Expand **Investigation & response**.
+    1. Expand  **Incidents & alerts**.
+    1. Select **Incidents**.
+
+1. Within the Incident Queue, filter the incidents for high severity and a status of active.
+1. Select "add filter."
+1. Set the filter to categories and set the value to **Ransomware**.
+1. Select the "User account compromise identified from a known attack pattern" incident and view the summary on the right hand menu
+
+## Task: Generate an Incident Summary with Copilot for Security
+
+1. Continuing with the same incident from the previous task, select the name to enter the incident page.
+1. After entering the incident, allow Copilot to review the incident and generate an incident summary.
+1. Review the summary details to understand what took place in the incident.
+
+## Task: Review an Alert
+
+1. Within the alert timeline, select the "Malicious URL In Proxy logs."
+1. Review the details under "what happened."
+1. Check which analytic rule generated this alert.
+1. Within the incident graph, select the IP address "10.50.0.16."
+1. Select the node and choose "view details" to see related details to the IP.
+1. In the alert timeline, select "Connection to a suspicious domain related to credential phishing."
+1. Review the process tree to review the sequence of processes being performed on the workstation up until the incident.
+
+## Task: Review the Incident Assets (Entities)
+
+1. Within the incident, select the "assets" tab near the top.
+1. Select "users."
+1. Select the user’s name.
+1. Review the details in the side menu.
+1. Select "devices."
+1. Select the first device.
+1. Select "open device page."
+1. Review the details shown on the page.
+
+## Task: Review the Evidence and Response
+
+1. Navigate back to the incident page.
+1. Select the "Evidence and Response" tab near the top.
+1. Select a few items of evidence and review the details in the side menu.
+
+## Task: Review the Recommended Actions
+
+1. Select the "Recommended actions" tab.
+1. Review the list of listed actions.
+1. Select through the list to see the details, implementation status, impact, implementation steps, and history.
+
+## Task: Close an Incident
+
+1. Within the incident, select "Manage Incident."
+1. Set the status to resolved.
+1. Within the classification, select a categorization.
+1. Select save.
+
+---

learn-pr/wwl-sci/incident-management-sentinel/includes/7-summary.md

@@ -1,5 +1,4 @@
 
-In this module, you learned about using Microsoft Sentinel to detect and investigate security threats in an environment. You practiced using rules and alerts to investigate and identify anomalies in Contoso's Azure Activity log.
+In this module, you learned about using Microsoft Sentinel to detect and investigate security threats in your Microsoft Azure environment. You also practiced using rules and alerts to investigate and identify anomalies in Contoso's Azure Activity log, and how to use Kusto Query Language (KQL) to summarize and visualize data, which is essential for creating custom analytics rules and workbooks in Microsoft Sentinel. And, you learned how to investigate consolidated incidents in the Microsoft Defender portal.
 
 You can now lead the IT team in helping Contoso protect its security environment by managing incidents with Microsoft Sentinel. Ongoing activities might include creating custom analytics rules, using playbooks for automated responses, and using workbooks to provide dashboards and visualizations.
-

learn-pr/wwl-sci/incident-management-sentinel/index.yml

@@ -3,8 +3,8 @@ uid: learn.azure.incident-management-sentinel
 metadata:
   title: Security incident management in Microsoft Sentinel
   description: Learn about security incidents, incident evidence and entities, incident management, and how to use Microsoft Sentinel to handle incidents.
-  ms.date: 05/22/2023
-  author: wwlpublish
+  ms.date: 04/18/2025
+  author: KenMAG
   ms.author: kelawson
   ms.topic: module
   ms.service: microsoft-sentinel