Sentinel Lab Notes

This post is to record some key points to set up a Sentinel Lab

 

Data Sources

• Virtual Network (VNet)
• Network Security Group (NSG)
• Virtual Machines (2 windows with 1 MS SQL DB, 1 linux)
• Log Analytics Workspace
• Azure Key Vault
• Azure Storage Account
• Microsoft Sentinel

Create Log Analytics Workspace and Sentinel

Create Log Analytics Workspace

Create Sentinel

Add watchlist in, which is used to generate geography map based on IP

https://github.com/kphillip1/azure-soc-honeynet/blob/main/geoip-summarized.csv

Searchkey = network

Verify it from Log analytics workspace: 

• _GetWatchlist("geoip")
• _GetWatchlist("geoip") | count

make sure scope is the one you add the watchlist. 

Install Microsoft Monitoring Agent for Log Analytics Workspace

Legacy way: 

Download Windows Agent 64b (Leagcy Log Analytics Agent) and install it to your Windows machine with Workspace ID and Key.

Verify the installation on the local machine:

Azure Arc script is to be used on the machine outside of Azure environment. 

If you directly download the client to install from Data Collection Rule's Resources page:

You will get an alert to say using Windows installer is not supported on Azure VM. Use VM Extension instead. 

Enable Logs for Virtual Machine Monitoring

Microsoft Defender for Cloud

Go to Microsoft Defender for Cloud -> Management -> Environments Settings

Choose the subscription -> Analytics Workspace -> JYLogs

Create Data Collection Rules:

For all events.

@subscription level,

Click on settings in previous screenshot:

You also can edit configuraiton from previous screenshot to configure Auto-provisioning configuraiton

@subscription level

Enable continuous export to Log Analytics workspace

Make sure logs exported to correct resource group and workspace.

Onboard Entra ID Logs

Entra ID - Monitoring - Diagnostic Settings

Searching from following tables in Log Analytics Workspace:

• AuditLogs
• SigninLogs

Onboard Monitor Logs

Monitor - Activity Log - Export Activity Logs

Send to Log Analytics workspace:

Checking table: AzureActivity

Stoage Accounts

Storage Account - Monitoring - Diagnostic settings

Select any of the resources to view diagnostic settings:

Onboard NSG Logs

Create a flow log 

select target resource and storage account

Enable Traffic Analytics

Create Data Collection Rules for Windows & Llnux Servers

You might want to create an azure monitor workspace first

then you can send all Windows logs and Linux Logs to Azure Monitor Workspace

Add custom XPath queries:

Examples:

• Application!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]
• Security!*[System[(band(Keywords,13510798882111488))]]
• System!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]

https://github.com/kphillip1/azure-soc-honeynet/blob/main/Xpath.txt

// Windows Defender Malware Detection XPath Query

• Microsoft-Windows-Windows Defender/Operational!*[System[(EventID=1116 or EventID=1117)]]

// Windows Firewall Tampering Detection XPath Query

• Microsoft-Windows-Windows Firewall With Advanced Security/Firewall!*[System[(EventID=2003)]]

Onboard Key Vault Logs

Key Vaults - > Monitoring -> Diagnostic settings

Check table: AzureDiagnostics

Onboard MS SQL DB Logs

Videos

 

References

• Write SQL Server Audit events to the Security log
• Building a SOC + Honeynet in Azure (Live Traffic)
• Migrate to Azure Monitor Agent from Log Analytics agent