Sentinel Lab Notes (Install MMA, Onboarding Log Sources, Automation Rule, etc) - NETSEC


Thursday, October 3, 2024

Sentinel Lab Notes (Install MMA, Onboarding Log Sources, Automation Rule, etc)

This post records some key points for setting up a Microsoft Sentinel lab.



Steps to build a basic Sentinel Environment

1. Setup
2. Create Log Analytics workspace
3. Enable sentinel
4. Import from Content Hub
5. Manage data Connector
6. Deploy Analytic Rules & UEBA
7. KQL Basics & Incidents
8. Reporting Basics
 

Data Sources in LAB



  • Virtual Network (VNet)
  • Network Security Group (NSG)
  • Virtual Machines (2 windows with 1 MS SQL DB, 1 linux)
  • Log Analytics Workspace
  • Azure Key Vault
  • Azure Storage Account
  • Microsoft Sentinel

Microsoft provides a free evaluation of Sentinel for 31 days, with 10 GB per day of ingestion.
- Turn on the daily cap: 10 GB/day
- Log Analytics workspace - Settings - Usage and estimated costs
- Data retention: by default, a Log Analytics workspace has 31 days of retention. With Sentinel enabled on top of the Log Analytics workspace, you can extend this from 31 days to 90 days of retention for free.
- If you need PCI compliance, you might want to set it to 365 days.
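As an added check (not part of the original post), this KQL query, run in the Log Analytics workspace, shows billable ingestion per day against the 10 GB/day cap configured above; the cap value is hard-coded from this lab's setting and the Usage table is the built-in one.

```kql
// Added example: daily billable ingestion versus the lab's 10 GB/day cap.
// Usage is a built-in Log Analytics table; Quantity is in MB.
let DailyCapGB = 10.0;   // the cap set under Usage and estimated costs in this lab
Usage
| where TimeGenerated > ago(7d)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024.0, 3) by Day = bin(TimeGenerated, 1d)
| extend PercentOfCap = round(100.0 * IngestedGB / DailyCapGB, 1)
| extend NearCap = PercentOfCap >= 80   // flag days where the cap will soon drop data
| order by Day asc
```

Replacing the `by Day = bin(...)` clause with `by DataType` shows which tables consume most of the cap, which is the first thing to tune when a day is flagged.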

Always Free Data Sources & Data Types:

1. Azure Activity Logs (Azure Activity): 
    . Azure Activity
2. Office 365 Audit Logs (Microsoft 365) , Including
    . SharePoint Office Activity
    . Exchange Office Activity
    . Teams Office Activity
3. Security Alerts from: (Microsoft Defender XDR)
    . Microsoft Defender for Cloud
    . Microsoft 365 Defender
    . Microsoft Defender for Office 365
    . Microsoft Defender for IoT
    . Microsoft Defender for Identity (includes Security Incident)
    . Microsoft Defender for Endpoint (only alerts)
    . Microsoft Defender for Cloud Apps

Not Free but recommended:
  • Microsoft Entra ID

Create Log Analytics Workspace and Sentinel


Create Log Analytics Workspace


Create Sentinel



Add a watchlist, which is used to generate a geography map based on IP addresses:

https://github.com/kphillip1/azure-soc-honeynet/blob/main/geoip-summarized.csv


Search key = network

Verify it from the Log Analytics workspace:

  • _GetWatchlist("geoip")
  • _GetWatchlist("geoip") | count

Make sure the query scope is the workspace where you added the watchlist.
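As an added example (not from the original post), this query uses the "geoip" watchlist above to geo-enrich failed Entra ID sign-ins; it assumes the watchlist columns from geoip-summarized.csv are network, cityname, countryname, latitude and longitude, and that SigninLogs is onboarded as described later in the post.

```kql
// Added example: geo-enrich failed sign-ins with the "geoip" watchlist.
// Assumed watchlist columns (from geoip-summarized.csv): network, cityname, countryname, latitude, longitude.
let GeoIP = _GetWatchlist("geoip")
    | project network, cityname, countryname, latitude, longitude;
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"            // "0" is a successful sign-in; keep failures only
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, ResultDescription
| evaluate ipv4_lookup(GeoIP, IPAddress, network)   // match IPAddress against the CIDR ranges in network
| summarize Failures = count(),
            Users = make_set(UserPrincipalName, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IPAddress, cityname, countryname, latitude, longitude
| extend latitude = todouble(latitude), longitude = todouble(longitude)   // numeric for a workbook map
| order by Failures desc
```

Rows with many failures from one source location are the ones to plot on the workbook map and to review first.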



Enable UEBA

Microsoft Sentinel - settings 
  • Entity behavior analytics
  • Anomalies



Install Microsoft Monitoring Agent for Log Analytics Workspace


Legacy way: 

Download the Windows Agent (64-bit, legacy Log Analytics Agent) and install it on your Windows machine with the Workspace ID and Key.

Verify the installation on the local machine:

New Way:

1. For machines outside of the Azure environment (Arc-enabled machines)

Use a Data Collection Rule (DCR) to install the AMA extension on Arc-enabled machines.

The Azure Arc script is to be used on machines outside of the Azure environment.

If you directly download the client to install from the Data Collection Rule's Resources page:

You will get an alert saying that using the Windows installer is not supported on Azure VMs. Use the VM extension instead.


2. For Azure VMs, you just need to enable Logs under Virtual Machine Monitoring.


Microsoft Defender for Cloud

Go to Microsoft Defender for Cloud -> Management -> Environments Settings

Choose the subscription -> Analytics Workspace -> JYLogs


Create Data Collection Rules:

For all events.


@subscription level,


Click on settings in previous screenshot:


You can also edit the configuration from the previous screenshot to configure the auto-provisioning configuration.



@subscription level

Enable continuous export to Log Analytics workspace


Make sure logs exported to correct resource group and workspace.


Onboard Entra ID Logs


Entra ID - Monitoring - Diagnostic Settings


Searching from following tables in Log Analytics Workspace:
  • AuditLogs
  • SigninLogs



Onboard Monitor Logs

Monitor - Activity Log - Export Activity Logs



Send to Log Analytics workspace:

Checking table: AzureActivity


Storage Accounts


Storage Account - Monitoring - Diagnostic settings

Select any of the resources to view diagnostic settings:






Onboard NSG Logs




Create a flow log 

select target resource and storage account


Enable Traffic Analytics




Create Data Collection Rules for Windows & Linux Servers

You might want to create an Azure Monitor workspace first.

Then you can send all Windows logs and Linux logs to the Azure Monitor workspace.

Add custom XPath queries:


Examples:

  • Application!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]
  • Security!*[System[(band(Keywords,13510798882111488))]]
  • System!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]

https://github.com/kphillip1/azure-soc-honeynet/blob/main/Xpath.txt

// Windows Defender Malware Detection XPath Query

  • Microsoft-Windows-Windows Defender/Operational!*[System[(EventID=1116 or EventID=1117)]]


// Windows Firewall Tampering Detection XPath Query

  • Microsoft-Windows-Windows Firewall With Advanced Security/Firewall!*[System[(EventID=2003)]]
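As an added example (not from the original post or the linked repository), this query runs over the events collected by the two custom XPath queries above and summarises Defender detections and firewall setting changes per host; it assumes the DCR sends these custom channels to the Event table (the Microsoft-Event stream).

```kql
// Added example: detections over the events collected by the Defender and Firewall XPath queries.
// Assumes the DCR delivers the custom channels to the Event table (Microsoft-Event stream).
Event
| where TimeGenerated > ago(1d)
| where EventLog in ("Microsoft-Windows-Windows Defender/Operational",
                     "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall")
| where EventID in (1116, 1117, 2003)
| extend Category = case(
    EventID == 1116, "Defender: malware detected",
    EventID == 1117, "Defender: action taken on malware",
    EventID == 2003, "Firewall: profile setting changed",
    "Other")
| summarize Count = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Samples = make_set(RenderedDescription, 3)   // a few rendered messages for triage
    by Computer, Category
| order by LastSeen desc
```

If the query returns nothing while the XPath queries are in place, check that the DCR's destination is this workspace and that the AMA extension shows as provisioned on the host.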


Onboard Key Vault Logs

Key Vaults -> Monitoring -> Diagnostic settings


Check table: AzureDiagnostics


Microsoft Sentinel | Automation


Automation Rule

SOAR


From incident detail, create automation rule:



Analytic Rules Limitation:

1. NRT rules - maximum 50

2. Scheduled Rules - Maximum 512


Playbook:

A Logic Apps workflow.



Onboard MS SQL DB Logs





