Azure Cloud Detection | SIEM - Sentinel
Initially I searched for "Resource Group" in the Azure search bar. Under the "Resource group" field, I entered "soc-1" as the name of the resource group.

Upon clicking "Review + Create", a new window stating "Validation Passed" was displayed.

Upon clicking "Create", my resource group named "soc-1" was created.

Once the resource group was created, the next step was to deploy a virtual machine. In this project I used Windows 10 as the operating system. I searched "Virtual Machine" in the search bar and started to create a new VM. I selected the resource group which I had created earlier. Then I assigned a name to the VM and selected the Windows 10 image. Then I set the size for the VM along with the administrator's username and password. Everything else was kept at its default. Once done, I clicked "Review + create".




Whenever a VM is deployed in Azure, it gets assigned an IP address through a Virtual Network (VNet). It also gets assigned a Network Security Group (NSG), which filters traffic to and from Azure resources.

While creating the VM, I had allowed all inbound traffic on port 3389, which exposes RDP to the internet and leaves the VM open to brute-force attacks. To prevent this we can enable a feature called Just-In-Time (JIT) access. It also applies the principle of least privilege and RBAC. To configure this, I searched for "Microsoft Defender for Cloud" in the search bar and clicked on "Environment settings".

Then I selected my Azure subscription. Upon selection a new window opened in which I clicked "Enable All". (I was using the 30-day free trial.)


Then I went to "Virtual Machines" and selected the "soc-lab-vm" machine that I had just created. From the "Configuration" option, I selected "Enable just-in-time".


Then I went to the "Overview" section, clicked "Connect" and then selected "RDP".

In the "Source IP" section, I selected "My IP" and then clicked "Request Access".


Then I went to the "Networking" section to check whether the rules had been updated. The first screenshot shows the rules before they were updated. The second screenshot shows the rules after they were updated.


Once the rules were set, I started to create the Log Analytics Workspace to store the data. To configure this, I searched "Microsoft Sentinel" in the search bar and clicked on "Create".

On the next screen I selected "Create Workspace".

Then I selected the resource group I had created earlier, "soc-1". I set the name of the workspace as "soc-workspace".



Upon clicking "Add" at the bottom of the window, the workspace was created. The next step was to get data into Sentinel. Before configuring that, I checked the "Incidents" tab. It showed no incidents, as I had not configured anything yet. To configure this, I used data connectors. I went to the "Data Connectors" tab and searched "Windows".

I selected the "Windows Security Events via AMA" connector and, on the right side of the window, selected "Open connector page".

Then I clicked on "+Create data collection rule".

I set the name of the rule as "soc-rule" and then clicked "Next: Resources >".

In the next window, I clicked on "Add Resources".

I then selected the virtual machine that I had created.


Then I selected "All Security Events" in the next window.

Upon clicking next, it said the validation had passed. Then I clicked "Create".

Once everything was configured, I checked the connection status. It showed that it was connected.

At this point, the VM was connected to Sentinel. The next step was to generate security events. For this, I started the Windows 10 VM. The VM has a public IP address. I used this IP to connect to the VM over RDP from my PC, with the credentials I had set while deploying the virtual machine.


Once connected, I searched for "Event Viewer" in the Windows VM's search bar and, once it opened, selected "Security" under "Windows Logs".

Then I searched for Event ID: 4624. This indicates a successful logon.

All of the data should be collected at a centralized location. In a corporate environment there are multiple endpoints, and all the data from these endpoints needs to be collected in one place. To query this data, I used Kusto Query Language (KQL). This is the query language used in Azure to extract data from logs. I went to "Microsoft Sentinel" and selected the "Logs" tab. I then added the following query to get the logon data.

Upon clicking "Run", the result showed the number of times I logged on to the VM.
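As an added example (not the query from the original walkthrough), the KQL below goes a little beyond the successful-logon count: it pairs Event ID 4624 with 4625 so the same result shows failed attempts per source IP, which is what a brute-force attempt on the exposed RDP port would look like. It assumes the default SecurityEvent table fed by the "Windows Security Events via AMA" connector and the VM name "soc-lab-vm".

```kql
// Successful (4624) and failed (4625) logons on the lab VM over the last 24 hours,
// grouped by account and source IP so repeated failures from one address stand out.
SecurityEvent
| where TimeGenerated > ago(24h)
| where Computer startswith "soc-lab-vm"        // assumed VM name from this lab
| where EventID in (4624, 4625)
| summarize
    Successful = countif(EventID == 4624),
    Failed     = countif(EventID == 4625),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated)
    by Account, IpAddress
| order by Failed desc, Successful desc
```

Running it with only your own RDP session in the logs should return a single row with Failed = 0 and Successful equal to the number of times you logged on.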

The next task was to create an Analytics Rule. This rule will give an alert when certain events occur. The rule checks for the VM activity and if something matches the rule, it sends an alert. The alerts have details which help the analyst to start the investigation.

The next task was to create a custom rule. For this lab, I created a rule which triggers an alert whenever Internet Explorer is opened. To configure this, I first created a Scheduled Task to open IE at a certain time. Scheduled-task events are not logged by default, so I modified the Windows security policy. I searched for "Local Security Policy" in the Windows VM search bar and navigated to the following:

In "Audit Other Object Access Events", I selected "Success" and "Failure". Upon clicking OK, logging was enabled for scheduled tasks.

The next step was to create a Scheduled Task. To configure this, I searched for "Task Scheduler" in the Windows VM. Then I clicked on "Create Task".

I set the name for the task and set the "Configure for" option to Windows 10.

I then went to


Then in the "Actions" tab I selected the Internet Explorer program to run as a scheduled task.

From Event Viewer I could see that the task had been executed.

The next step was to create a custom KQL query. To do this I went to the Sentinel homepage, and then clicked on "Scheduled query rule" under "Create".

I then added the name of the rule, a description for the analysts, and the tactics and techniques used.

In the next step, I added the custom KQL query.

I kept everything else at its default and clicked "Create". The "Logs" tab showed me the event.

I expanded it and there was a lot of data available, such as the username and task name.

I then modified the query and used the "project" operator to display only the fields I wanted to see.
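An added example of such a query (my own, not the author's): it matches scheduled-task creation and update events (IDs 4698 and 4702, which "Audit Other Object Access Events" enables), keeps only tasks whose action launches Internet Explorer, pulls the command out of the task XML, and uses `project` to trim the columns. It assumes the SecurityEvent columns TaskName and TaskContent, the executable name iexplore.exe, and the VM name "soc-lab-vm".

```kql
// Scheduled tasks that launch Internet Explorer, created or updated in the last 5 minutes
// (5 minutes matches the query scheduling interval used for the analytics rule).
SecurityEvent
| where TimeGenerated > ago(5m)
| where Computer startswith "soc-lab-vm"        // assumed VM name from this lab
| where EventID in (4698, 4702)                  // 4698 = task created, 4702 = task updated
| where TaskContent has "iexplore.exe"           // assumed executable path in the task action
// TaskContent holds the task definition XML; extract the <Command> element for the analyst.
| extend Command = extract(@"<Command>(.*?)</Command>", 1, TaskContent)
| project TimeGenerated, Computer, Account, TaskName, Command, EventID
| order by TimeGenerated desc
```

When this query is pasted into the analytics rule wizard, the projected columns are what the analyst sees on the resulting alert.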

I then modified the Analytics Wizard rule with the above query.

In the "Alert Enrichment" section, I set the following.

I set the Query Scheduling to 5 minutes.

Once everything was set, I clicked "Create".

I then created a new scheduled task and checked the events.
