Microsoft Sentinel Lab

If you're interested in a career in cybersecurity, you might have heard about a tool called a SIEM. SIEM is short for Security Information and Event Management System, and it's a really important tool for keeping networks safe from cyber attacks. A SIEM allows cybersecurity professionals to analyze data from many sources within a network, such as firewalls and identity solutions, and look for signs of suspicious activity. This helps them catch potential threats in real time and take action to stop them before they cause any harm.

I recently completed a project using a cloud-based SIEM solution called Microsoft Sentinel (formerly known as Azure Sentinel). This tool offers lots of helpful features, like threat intelligence and security analytics, all in one platform. It was really interesting to learn how to use it and I feel like I gained a lot of valuable experience.

Before we proceed, I would like to give a huge shoutout to Josh Madakor for the inspiration and for providing a video tutorial of this lab on his YouTube channel.

In this lab, we will:

High-level overview of our lab:

Image courtesy of Josh Madakor

Part 1: Setup Lab Resources


Step 1: Create Free Azure Account

Use this link to create your account. This process will automatically set up your account and the associated Azure subscription.

https://azure.microsoft.com/en-us/free/

Step 2: Create a Resource Group

In Azure, resource groups are logical containers for resources. We will first create a resource group to hold everything we use in this lab: a Windows 10 VM, a Log Analytics Workspace, and a Microsoft Sentinel resource.

Search “Resource Group” in the Azure Portal search bar and follow the on-screen prompts for the Basics tab.

You can skip to Review + create after the Basics tab and click Create.

Step 3: Deploy a Virtual Machine

In this lab, we will be collecting our data from a Windows Virtual Machine. To deploy a Virtual Machine in Azure, follow these steps.

Click Next until you reach Networking.

Under Configure network security group, click the Create new link below the dropdown list. This is where we deliberately expose the VM: it will have no firewall and will accept traffic from the whole internet, which is what attracts the login attempts we want to log. Remove the existing rule under Inbound rules, then click Add an inbound rule. See below for the configuration we will use.

Our inbound rules should look something like this:

Once confirmed, proceed to Review + create and finalize the process. The Virtual Machine will take a while to deploy completely, so let's proceed with the next step.

Step 4: Deploy a Log Analytics Workspace

We need to set up a Log Analytics Workspace and link it with our Virtual Machine. It will collect the aggregated logs, including geolocation data, from our Virtual Machine.

From the search bar at the top of the page, search for Log Analytics Workspace (LAW) and click on it. Click on the +Create button. See below for the settings we're using. Once filled in, click on Review + Create and finalize the process.

Once the workspace has been created, we need to enable log collection from the Virtual Machine into the LAW we created. To do this, search for Microsoft Defender for Cloud and click on it.

In the left pane, look for the Environment settings and proceed.

Look for our subscription, click on the dropdown and you will see our LAW; click on it.

Once in, you will see SQL servers on machines. Make sure you toggle this OFF on the right side, then click Save.

On the left pane, you will see an option called Data collection. Click on it and you will be presented with four (4) options. Click on the All Events option, which is the first one. Click save.

Once done, let's go back to the Log Analytics workspace page. Click on the name of the LAW in the left pane.

On the left pane, look for Virtual Machines. In my case, it has (deprecated) in the title. Once in, click on the VM that was created earlier. Click Connect. It will take a few minutes to complete.

Step 5: Deploy Microsoft Sentinel

In the search bar, search for Microsoft Sentinel and press Enter. Click on +Create.

We will be shown the existing workspaces that can be linked with Sentinel. Click on the newly created LAW and click Add.

Our VM should be deployed by now. By going back to the Virtual Machines page, and clicking on our VM, we should see that we now have a public IP address.

We can now connect to our VM using Remote Desktop Connection on our computer. On Windows, open the Remote Desktop Connection application. A window will pop up where you input an IP Address; input the public IP address from Azure. You will then be prompted to enter a Username and Password; input the credentials used when creating the Virtual Machine back in Step 3. Once done, you should be able to successfully connect to the VM, as seen below.

Part 2: Log data aggregation

You will notice that the VM is just like a normal Windows PC.

Let's head to the Start Menu and search for Event Viewer. This application allows us to view computer logs of different categories, from normal Windows Logs to Application Logs. It's important to understand what is going on behind the scenes so the rest of this Lab makes sense.

In the left pane, we should see a folder called Windows Logs. Click on the dropdown arrow adjacent to the folder and a few items should appear (left side of the image below). Let's proceed by clicking on Security. Once clicked, the empty middle portion of the Event Viewer window should populate with many logs. This is where security-related logs accumulate; each one specifies what type of event occurred (middle of the image below). An event can be something as simple as successfully logging into the computer (in our case, the VM).

You will notice that these events also include the IP address from which the user attempted to log in. We will use these addresses to determine their geographic location.

To achieve this, we will visit https://ipgeolocation.io.

This website displays all of our location data based on our IP address (right side of the image above). It also provides an API (Application Programming Interface) through which we can obtain the same data for other IP addresses programmatically.

The plan here is to use scripting to automate the process of obtaining the geolocation for every failed login in Event Viewer. Windows PowerShell ISE will be used for this.

Before we begin, let's actually turn off the firewall in the VM. Open Command Prompt on your own personal computer (NOT the VM), type in the following and press Enter:

ping *VM IP ADDRESS HERE* -t

We will see a "Request timed out." message. This shows that the firewall on our VM is active and dropping the traffic.

To turn off the firewall, let's go back to our VM. In the Windows search bar, type wf.msc and press Enter. A window labeled Windows Defender Firewall with Advanced Security on Local Computer will appear. Click on Windows Defender Firewall Properties, as shown in the image below next to the red arrow.

You will notice the tabs Domain Profile, Private Profile and Public Profile. Each tab has the Firewall state option with a dropdown. We must select OFF under each tab, then press Apply.

Once we click Apply, go back to your personal computer; the Command Prompt will now show the following:

This means our VM is now responding to traffic from the internet, i.e. it is exposed.

We can finally proceed with PowerShell in the VM. As mentioned above, the plan is to use scripting to automate the process of obtaining the geolocation for every failed login in Event Viewer. Courtesy of Josh Madakor, his GitHub features the script he uses in his YouTube tutorial. Go ahead and copy the whole script.

On Windows, search for PowerShell ISE and open it. Click on File > New and an Untitled.ps1 tab should open. Paste the code from GitHub and you should have something similar to the image below:

By inspecting the code for a bit, you will notice the following:

$APIKEY: This is where we paste our own API key from ipgeolocation.io.

$LOGFILE_NAME and $LOGFILE_PATH: The name and location of the file, failed_rdp.log, that this script creates to hold every failed attempt. For each attempt the script queries the API so that the entry includes the source IP address, latitude, longitude, country, username, etc.

When the script runs, the pink text (as seen in the image above) shows every failed attempt along with the information returned by the API. The same output is saved to the failed_rdp.log file, which is what we will use to display the attacks in Microsoft Sentinel.
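The script used in the tutorial is on Josh Madakor's GitHub; the following is an added example written for this writeup, not his script, showing the same idea: poll the Security log for failed logons (Event ID 4625), geolocate the source IP through the ipgeolocation.io API, and append one line per attempt to failed_rdp.log. It assumes the /ipgeo endpoint and its latitude, longitude, state_prov and country_name JSON fields, and writes the fields in the order that the custom log extraction in Part 3 relies on.

```powershell
# Added example, not the GitHub script: poll the Security log for failed logons
# (Event ID 4625), geolocate the source IP, and append one line per attempt to
# failed_rdp.log. Assumes the ipgeolocation.io /ipgeo endpoint returns latitude,
# longitude, state_prov and country_name. Run in PowerShell ISE as Administrator.
$APIKEY       = "<YOUR_IPGEOLOCATION_API_KEY>"   # placeholder: paste your own key here
$LOGFILE_NAME = "failed_rdp.log"
$LOGFILE_PATH = "C:\ProgramData\$LOGFILE_NAME"
$seen = @{}   # RecordIds already written, so a re-polled event is never logged twice
if (-not (Test-Path $LOGFILE_PATH)) {
    # Constructed baseline entry so the custom-log extraction has a sample to train on;
    # the workbook query drops it again with: where destinationhost_CF != "samplehost"
    "latitude:0,longitude:0,destinationhost:samplehost,username:fakeuser,sourcehost:0.0.0.0," +
    "state:none,country:none,label:none,timestamp:2000-01-01 00:00:00" |
        Out-File -FilePath $LOGFILE_PATH -Encoding utf8
}
function Get-GeoInfo([string]$Ip) {
    # A failed API lookup returns $null so the event is skipped rather than mis-logged.
    try {
        $r = Invoke-RestMethod -Uri "https://api.ipgeolocation.io/ipgeo?apiKey=$APIKEY&ip=$Ip"
        return @{ latitude = $r.latitude; longitude = $r.longitude;
                  state = $r.state_prov; country = $r.country_name }
    } catch { Write-Warning "Geolocation lookup failed for ${Ip}: $_"; return $null }
}
function Format-LogLine($WinEvent) {
    # Read IpAddress and TargetUserName out of the 4625 event's EventData XML.
    $xml = [xml]$WinEvent.ToXml(); $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $ip = $data['IpAddress']
    if ([string]::IsNullOrEmpty($ip) -or $ip -eq '-' -or $ip -eq '127.0.0.1') { return $null }
    $geo = Get-GeoInfo $ip
    if (-not $geo) { return $null }
    $ts = $WinEvent.TimeCreated.ToString("yyyy-MM-dd HH:mm:ss")
    return ("latitude:$($geo.latitude),longitude:$($geo.longitude),destinationhost:$env:COMPUTERNAME," +
            "username:$($data['TargetUserName']),sourcehost:$ip,state:$($geo.state)," +
            "country:$($geo.country),label:$($geo.country) - $ip,timestamp:$ts")
}
while ($true) {
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-10) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        if ($seen.ContainsKey($e.RecordId)) { continue }
        $seen[$e.RecordId] = $true
        $line = Format-LogLine $e
        if ($line) {
            Add-Content -Path $LOGFILE_PATH -Value $line
            Write-Host $line -ForegroundColor Magenta   # the "pink text" in the ISE console
        }
    }
    Start-Sleep -Seconds 30
}
```

Each call to the API counts against the key's quota, which is why lookups are only made for events that have not been logged before.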

In the image below, we can already see a few logs of failed attempts!

Part 3: Sentinel deployment

Now that we have failed_rdp.log set up to collect the data we need, let's head back to Azure.

Open Log Analytics workspaces and click on your LAW. Scroll down the left pane and click on Custom Logs. Then click +Create or Add Custom Log.

The first step will be to upload a custom log file. This will be used as a baseline to train the system.

Go back to the VM, open failed_rdp.log and copy everything. Now head back to your personal computer, open the Notes app, paste everything, then save the file as failed_rdp.log.

Go back to Azure, upload failed_rdp.log and click Next.

Once you reach Collection paths, enter the information shown below. The path used is where the log file is located on the VM itself. Click Next. A custom log name will be required; I named it FAILED_RDP_WITH_GEOLOCATION. This name will be used during the Sentinel deployment process. Click Next, then Create.

Once completed, click on Logs in the left pane. You will be presented with a "shell" where queries can be entered. If you type FAILED, you will see that FAILED_RDP_WITH_GEOLOCATION appears automatically; click on it. Finally, press the blue Run button.

If enough time has passed, then the Results tab should showcase every entry in the failed_rdp.log file.

This is where we train the log aggregator. Right-click on any entry and click "Extract fields from...".

A new page should open where it displays a table with the columns Filter, Field Name and Value. The last row for Field Name should be RawData, and adjacent to this should be the log entry itself. You should notice Latitude, Longitude, username etc. along with the respective data.

We want to train this system to automatically capture the Latitude, Longitude, DestinationHost, Username, Sourcehost, State, Country, Label and TimeStamp for each entry.

Let's start with Latitude. With your cursor, highlight the numerical entry for Latitude and a mini-window should pop-up, where it requests a Field Title and Field Type. For this example, we will proceed with LATITUDE_CF, and a Field Type of Text; see image above for example. Click Extract.

Search Results on the right side of the screen should now populate with the rest of the log entries while also correctly highlighting the data you extracted, in this case the Latitude. Scroll to review that every Latitude was correctly extracted/highlighted. Once confirmed, click Save Extraction.

Repeat the process above for Longitude, DestinationHost, Username, Sourcehost, State, Country, Label and TimeStamp.

Once complete, we can finally head to Sentinel.

Once we're in Sentinel, click on the LAW created already.

On the left pane, scroll through until you see Workbooks under the Threat Management section.

Click on +Add Workbook.

You should see two (2) widgets displayed; they're displayed by default. If you click on Edit, you should see two (2) Edit and Options buttons (displayed as "...") at the right side of the page. Click on each "..." and click Remove for both.

We should now see the +Add dropdown list. Open it and click on Add Query. You should now see another "shell" type interface (see image above).

The query used is also courtesy of Josh Madakor. It should look similar to the following; revise it to match your setup (the table name is your custom log name with _CL appended, and each extracted field carries the _CF suffix):

FAILED_RDP_WITH_GEO_CL
| summarize event_count=count() by sourcehost_CF, latitude_CF, longitude_CF, country_CF, label_CF, destinationhost_CF
| where destinationhost_CF != "samplehost"
| where sourcehost_CF != ""

Above this shell, under Visualization, click on Map to display a World Map.

Now, click on Run Query. If done correctly, a world map should appear below the shell and options will pop up on the right side of the page. Play around with these settings to get the best world map display.

If done correctly, you should get something like this:

As we can see, 12 failed login attempts against the VM originated from the United Kingdom. Leaving this running longer will catch more attackers' attention.