Azure Sentinel: Use Microsoft's SIEM to map global attacks


 in this tutorial, we will display attacks from all over the globe on a world map using Microsoft cloud SIEM (Security Information and Event Management)

this is a step-by-step guided lab so it will be a long tutorial.

Project steps

this project needs multiple stages to be completed, when you finish this guide you will be able to:
  1. create and configure a Virtual Machine using Azure
  2. configure a cloud network security group and create firewall rules
  3. create and configure a Logs Analytics Workspace
  4. collect data from Virtual Machines into Azure
  5. get familiar with PowerShell scripting and APIs
  6. use (KQL) Kusto Query Language (the Azure data exporter language) 
Let's get started

First of all, go ahead and create a free Azure account at https://azure.microsoft.com/en-us/free/ 
When you're done with that go to your dashboard at https://portal.azure.com/



Ps: Just a quick note before we begin, you will notice in Azure as in GCP or AWS that the search bar is your best friend, so we'll take advantage of it all the time.

Now, go to the search bar and search for virtual machines, then click on Create > Virtual Machine


now create a resource group, this is considered as your working directory, just name and select it
next, you need to fill in the appropriate fields:
  • Name your VM
  • Select a region (select the one near to you)
  • Select Window 10 Pro image
  • Choose the password authentication method
  • Create a username and password (you will use them later to access the VM)
when you finish, click next

leave Disks options as they are and click next 

select the advanced option under “NIC network security group”  

under the network security group, create new configuration 
delete the existing default configuration 


click on add an inbound rule:
  • set the source and the destination ports on * (anything)
  • select the minimum priority (100)
  • give it a name and hit Add   

continue with default settings until the finish : ok > ok > review and create > create

now we'll wait for the deployment to finish, it will take several minutes
while waiting, go to the search bar and type log analytics workspaces 



click on create log analytics workspace

fill the log analytics workspace information  
  • choose the resource group you've created earlier
  • name the instance
  • select the same region as before 
  • click on Review & Create then Create     
next, return to the search bar and look for Microsoft Defender for Cloud   
click upgrade and go to the Environment settings tab



Click on enable all Microsoft Defender for Cloud plans
turn off SQL servers on machines and save   


go to the Data collection menu on your left
choose all Events and save    

go back to log analytics workspaces (use the search bar)
select the log instance > virtual machine tab > select your VM   



click connect to link the log workspace with your VM


we're finished setting up the virtual machine 
////////////////////////////////////
now it's time for the SIEM part
search for Microsoft Sentinel and hit create 


   select the log space to attach it with Sentinel   


get back to the virtual machine menu, enter your VM, and copy its public address     


open your favorite remote desktop viewer (Vinagre or KRDC if you're using Linux or the built-in RDC in Windows) and past the IP address  


fill in your username and password and click authenticate   


now you are inside your Windows VM
if you're prompted to add a public network click yes   


go to the start menu and search for Event Viewer   
once you're inside go to Windows logs > Security to view failed login logs (ID = 4625)


you can try and connect with a false password and then reconnect again to see the log    



   in order to get the locations that we'll use in the map later
you need to go to ipgeolocation.io and sign up for an account    


   copy your API key to the clipboard   


now, we need a Bash script to train our log analytics workspace to extract information from logs
you can download the script at github.com/AhmedBlh/SentinelSOARLab 


copy the script to the clipboard
open PowerShell ISE > new script > paste the code > replace the API_KEY value with your key and run the script 


open Windows Run > search for C:\ProgramData\failed_rdp.log   
 

copy the content of the file to a text file and save it, you'll need it later

return to Azure portal
go to Log Analytics workspaces > your log instance > Custom logs > Add custom log


browse to the saved file   
name it and click create   


now we can see the logs generated by the Windows VM
select logs from the side menu    
search for: SecurityEvent | where EventID == "4625" (failed login logs)   


to see the result of the custom log we've just created fill the query bar with the name you chose before and hit Run it takes time to get the results

after quite a bit here's the result   


now we need to extract the raw data from the logs
expand any log example from the list below > three dots > extract fields
   

just select the latitude value > a pop-up window will appear > name it and set the field type to numeric then click extract   


verify all the extracted fields if any value is not highlighted correctly you can modify the selection
do the same thing with the rest of them   
   

now we must wait for our VM (public IP) to be discovered by attackers globally so that failed logon logs will be generated

Ps: ipgeolocation.io can provide geolocation information for 1000 IPs per day, you may think that this number is enough, but it's not enough when your IP becomes more detected worldwide.

re-run the query to view new logs (only the new logs will fill in the created fields) because old ones were for training solely


now its time to create our map
go to Microsoft Sentinel > Workbooks > Add workbook


remove the two items (Edit > three dots > Remove)   


create a new query (Add > new query)   


the query looks like this (just replace variables with your own) 

FailedLogonLocation_CL
| summarize event_count=count() by sourceHost_CF, Lat_CF, long_CF, label_CF, destinationHost_CF
| where destinationHost_CF != ""  

run query > visualization > map 
change layout settings (location = Latitude/Longtitude) > select the proper variables
set the metric settings > apply > save and close  


set auto-refresh to On (5 or 10 min) and save     





Here you have it, 
Congratulations you just finish setting up your VM attacks map

I hope you enjoyed and learned something out of this tutorial, just a quick piece of advice, if you didn't fully grasp something just do it again, the only obstacle is time nothing else

Lastly, go and check Josh Madakor's repo here github.com/joshmadakor1/  and don't forget to give him a thumbs up

Keep learning  . . . .  








Comments

Post a Comment

Popular posts from this blog

OpenVas: Vulnerability Scanning | Installation Guide

Image
  Introduction: OpenVAS is a vulnerability scanner that analyzes endpoints and web apps to uncover and detect flaws. Corporations frequently employ it as part of their mitigation strategies to initially identify any weaknesses in their operational or testing servers and apps. This isn't an ultimate solution, but it can assist in the elimination of any common weaknesses that may have sneaked through the gaps. Installation: There are three methods to install GreenBone openVas: 1- Install from Kali/OpenVas repositories:  This way varies in difficulty because of the needed configurations, you can simply install it with apt. sudo apt-get update -y &&  sudo apt-get upgrade -y &&  sudo apt-get dist-upgrade -y sudo apt-get install openvas sudo gvm-setup sudo gvm-check-setup 2- Install from source (Manually): This way is not the best for beginners due to prerequisite installations and error handling can be challenging. github.com/greenbone/openvas-scanner 3- R...
Read more

Nmap | TryHackMe Walkthrough

Image
  An in-depth look at scanning with Nmap, a powerful network scanning tool. This room was created by DarkStar  and  MuirlandOracle , as it provides a great way to learn and start practicing nmap. I encourage you to give it a try by yourself since the hands-on practice will give you more understanding of the topic (take advantage of the manual page man nmap ). Task2: What networking constructs are used to direct traffic to the right application on a server? Ports How many of these are available on any network-enabled computer? 65535 [Research] How many of these are considered "well-known"? (These are the "standard" numbers mentioned in the task) 1024 Task3: What is the first switch listed in the help menu for a 'Syn Scan' (more on this later!)? -sS Which switch would you use for a "UDP scan"? -sU If you wanted to detect which operating system the target is running on, which switch would you use? -O Nmap provides a switch to detect the version of the...
Read more

Wireshark for Security Analysis | Customization & Common features

Image
1/ Introduction What is Wireshark? Wireshark is a network packet analyzer. A network packet analyzer presents captured packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device for examining what’s happening inside a network cable, just like an electrician uses a voltmeter for examining what’s happening inside an electric cable (but at a higher level, of course). In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, that has changed. Wireshark is available for free, is open source, and is one of the best packet analyzers available today.  wireshark.org/docs/ Some intended purposes Here are some reasons people use Wireshark: Network administrators use it to troubleshoot network problems Network security engineers use it to examine security problems QA engineers use it to verify network applications Developers use it to debug protocol implementations People use it to learn n...
Read more