SIEM In Azure


What is Azure Sentinel?

In short, it is a scalable, cloud-native SIEM (security information and event management) and SOAR solution for threat detection and security analytics. It covers the whole chain from collecting logs and raising alerts, through proactive hunting, to threat response.

Overview:

Create an Azure subscription, then create a Windows virtual machine in Azure. The VM will have both the Azure network firewall (network security group) and the Windows firewall turned off so that it is fully exposed to the internet and to attackers. Next, create a log repository in Azure called a Log Analytics workspace, which will be used to ingest the VM's logs. Then set up Azure Sentinel on that workspace to map the attacker data. Finally, a PowerShell script on the VM will extract the source IP addresses of failed logons from the Windows Security event log, send them to a third-party geolocation API, and use the response to write a custom log containing geographic data.

Preparation:

The first thing that needs to be done is to create a free Azure account. You will have to enter a credit card, but you get 200 dollars of free Azure credit that you can use for the lab and beyond. Once you are done with the lab, go to the resource group and make sure everything in it is deleted so the exposed VM is not left running and you stop being billed.

Next, create a virtual machine. This is the machine that will face the internet, and attackers from all over the world will try to break into it.

When you get to the Networking tab, set NIC network security group to Advanced. The network security group (NSG) is Azure's network firewall for the VM.

Advanced > Create new. Remove the default inbound rule and add a single inbound rule that allows everything into the VM (source Any, destination port ranges *, protocol Any, action Allow).

The point of this is to make the VM discoverable by scanners very quickly. Normally you would never do this; here it is done purely to generate attack traffic.

The next step is to create a Log Analytics workspace. Its purpose is to ingest logs from the virtual machine. We will ingest the Windows event logs and also create our own custom log that contains geographic information, so we can see where the attacks are coming from.

In the Create Log Analytics workspace form, pick the subscription and resource group you used for the VM and give the workspace a name; this lab uses law-honeypot1.

Next, go to the security center and enable collection of logs from the virtual machine into the Log Analytics workspace. Open Microsoft Defender for Cloud > Environment settings, select the workspace, and open Defender plans. Make sure the SQL servers plan is off and Azure Defender (the Servers plan) is on.

Under Data collection, select All Events so every Windows event, not just the common subset, is stored in the workspace.

Go back to the Log Analytics workspace, select the honeypot VM under its data sources and click Connect so the agent starts shipping the VM's event logs to the workspace.

The next step is to set up Sentinel, the SIEM we are using to analyze the attack data. Go to Azure Sentinel > Create and pick your workspace, law-honeypot1.

Now go to the Start menu on your own Windows machine and open Remote Desktop Connection. Use it to log in to the virtual machine's public IP with the local administrator credentials you set when creating it.

On the VM, run wf.msc (Windows Defender Firewall with Advanced Security), open Properties, and set Firewall state to Off on all three tabs: Domain Profile, Private Profile and Public Profile.

With the firewall off, pinging the VM's public IP from the command line on your own machine now gets ICMP replies, confirming the VM is reachable from the internet (and therefore findable by scanners).

On the VM, use Windows PowerShell ISE to run the script that looks up the geolocation of each attacking IP address. The script needs an ipgeolocation.io API key, which you paste into it.

Ipgeolocation.io is a website and API where you can look up the geographic location of an IP address.

The script reads failed logon events from the Windows Security log, geolocates the source IP, and appends the result to a log file in C:\ProgramData. If the log file does not exist it creates one with a default sample line. Once some entries have been written, copy the log's contents into a Notepad file on your main machine, not on the VM; this sample will later be used to teach Log Analytics the format of the custom log.
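The collection script described in the steps above, as an added example written for this page and not the original post's own script. It pulls Event ID 4625 (failed logon) records with Get-WinEvent, extracts the source IP and target username from the event XML, geolocates each distinct public IP once through the ipgeolocation.io API (the apiKey/ip query parameters and the latitude, longitude, country_name and state_prov response fields are the API's own), and appends one comma-separated key:value line per attempt to the custom log. The API key placeholder, the log path C:\ProgramData\failed_rdp.log, the record layout and the private-address filter are assumptions made for this example; it must run in an elevated PowerShell session because reading the Security log requires administrator rights.

```powershell
# Added example, not the original post's script. Collects failed logons
# (Security log Event ID 4625), geolocates each source IP with ipgeolocation.io
# and appends one record per attempt to the custom log that Sentinel ingests.
# Run it in an elevated PowerShell ISE session on the honeypot VM.
# Assumptions: $ApiKey is your own ipgeolocation.io key; the log path, the
# record layout and the private-address filter are choices made for this example.

$ApiKey  = 'YOUR_IPGEOLOCATION_API_KEY'          # assumption: replace with your own key
$LogPath = 'C:\ProgramData\failed_rdp.log'
$ApiUrl  = 'https://api.ipgeolocation.io/ipgeo'  # ipgeolocation.io lookup endpoint

# The custom-log wizard in Log Analytics needs a sample record to learn the
# layout, so seed the file with one constructed placeholder line if it is new.
if (-not (Test-Path $LogPath)) {
    $sample = 'latitude:0,longitude:0,destinationhost:samplehost,username:sampleuser,' +
              'sourcehost:0.0.0.0,state:Sample,country:Sample,label:Sample - 0.0.0.0,' +
              'timestamp:2024-01-01 00:00:00'
    Set-Content -Path $LogPath -Value $sample
}

# Event record IDs already written, so repeated polling does not duplicate them.
$written = New-Object 'System.Collections.Generic.HashSet[string]'
# One API lookup per distinct IP: the free tier is rate limited and scanners
# hammer RDP from the same address thousands of times.
$geoCache = @{}

function Get-EventField {
    # Pull a named <Data Name="..."> value out of a 4625 event's XML payload.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-GeoInfo {
    # Geolocate a public IP; returns $null for addresses that cannot be mapped.
    param([string]$Ip)
    if ([string]::IsNullOrWhiteSpace($Ip) -or $Ip -eq '-' -or
        $Ip -match '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)') {
        return $null          # local or private source: nothing to plot on a map
    }
    if (-not $geoCache.ContainsKey($Ip)) {
        try {
            $geoCache[$Ip] = Invoke-RestMethod -Uri "${ApiUrl}?apiKey=$ApiKey&ip=$Ip" -Method Get
        } catch {
            Write-Warning "Geolocation lookup failed for $Ip : $($_.Exception.Message)"
            return $null      # left uncached so a later pass can retry
        }
    }
    $geoCache[$Ip]
}

function Format-LogRecord {
    # Build the comma-separated key:value line that the Sentinel KQL query parses.
    param($Event, $Geo, [string]$Ip)
    $user  = Get-EventField -Event $Event -Name 'TargetUserName'
    $stamp = $Event.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
    "latitude:$($Geo.latitude),longitude:$($Geo.longitude)," +
    "destinationhost:$env:COMPUTERNAME,username:$user,sourcehost:$Ip," +
    "state:$($Geo.state_prov),country:$($Geo.country_name)," +
    "label:$($Geo.country_name) - $Ip,timestamp:$stamp"
}

# Poll the Security log and keep appending; Ctrl+C stops the loop.
$since = (Get-Date).AddHours(-1)
while ($true) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        if (-not $written.Add([string]$ev.RecordId)) { continue }   # already logged
        $ip  = Get-EventField -Event $ev -Name 'IpAddress'
        $geo = Get-GeoInfo -Ip $ip
        if ($null -eq $geo) { continue }
        $line = Format-LogRecord -Event $ev -Geo $geo -Ip $ip
        Add-Content -Path $LogPath -Value $line
        Write-Host $line
    }
    $since = (Get-Date).AddMinutes(-5)   # overlap the window; the HashSet drops repeats
    Start-Sleep -Seconds 5
}
```

Two details matter for the later Sentinel steps: the seeded sample line uses the same keys as the real records, so the custom-log wizard and the KQL query see a consistent layout, and every field is written as key:value with a single separator, which is what makes it easy to extract columns from RawData later. Note that 4625 events with an IpAddress of "-" are local failures, not network attacks, which is why they are skipped.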

Now go into Azure, open the Log Analytics workspace and go to Custom logs. Minimize the VM's RDP session, copy the contents of the log file into a Notepad file on your own machine, and upload that file as the sample so Log Analytics can learn the record format.

Click Next, and when asked for the collection path on the VM, enter the path the script writes to. Mine was: C:\ProgramData\failed_rdp.log

In Logs, write a KQL query against the new custom log table that parses the raw key:value text (the RawData field) into separate columns such as latitude, longitude, country, username and source IP. This turns the unstructured log lines into data you can aggregate and plot.

Then create a new workbook in Sentinel, add a query visualization set to the Map type, and point it at the parsed latitude/longitude columns so each attacking source becomes a point sized by its number of attempts.

This is our heat map; it shows where the attacks are coming from, in this case mostly Bulgaria.

You can also go to Logs and query the SecurityEvent table for EventID 4625, which means a failed logon attempt ("An account failed to log on"). There you can see that the attackers tried to brute-force the username administrator.
