Securing and Monitoring Infrastructure with Azure Sentinel: A Comprehensive Lab Walkthrough

In today’s digital age, securing and monitoring our virtual infrastructure is more critical than ever. As a part of this ongoing journey, I recently completed a comprehensive lab setup that allowed me to delve deep into Microsoft’s Azure platform, specifically focusing on Azure Sentinel, Azure’s scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.

This blog post will serve as a walk-through of this lab, providing insights on setting up Azure resources, implementing security best practices, utilizing data connectors, understanding and configuring Windows security logs and policies, crafting KQL queries, writing custom analytic rules, and mapping adversary tactics using MITRE ATT&CK. So, let’s dive right in.

Step 1: Setting up Azure’s Crucial Components

For the foundation of our security infrastructure, I started with the configuration and deployment of essential Azure resources. This phase involved setting up Log Analytics Workspace, creating Virtual Machines, and deploying Azure Sentinel. These tools together formed the fundamental environment for our security management.

Create Azure Resource group.

Create azure VM and deploy

Step 2: Building a Robust Security Framework

Following the setup, I proceeded to incorporate security best practices into the network and virtual machines. My main objective was to ensure that our environment was secure and well-prepared to defend against potential threats.

When deploying the VM, I made sure to place the virtual machine within a vnet (Virtual Network) and NSG (Network Security Group) with default configurations. These resources can be found in the resource group named ‘cloudlab’.

Initially, the VM had RDP access enabled from any IP address, which posed a significant security risk. To address this vulnerability, I decided to implement Just-in-Time (JIT) access for the VM. JIT access is a feature provided by Azure that allows temporary and controlled access to VMs for specific administrative tasks. Its primary purpose is to enhance security by reducing the exposure of VMs to potential attacks and limiting access to only when necessary.

Setting up Microsoft Defender for Cloud

Enabling defender plans from Environment Settings

To enable JITM, I navigated to the VM’s configuration tab or Microsoft Defender’s Workload Protection tab. From there, I activated JITM with the default settings. This feature provides temporary, controlled access to the VMs for specific administrative tasks, significantly reducing the exposure of the environment to potential attacks.

We are then required to ask for access from VM’s connect tab.

for verification Correct configuration can be viewed in NGS group

Step 3: Harnessing Sentinel’s Data Connectors

Next, it was time to bring in data for Sentinel to analyze. I utilized data connectors in Azure Sentinel to achieve this, demonstrating the power of centralized monitoring and analysis in a digital infrastructure.

Create Log Analytics Workspace

Go to Microsoft Sentinel and add analytics workspace to sentinel

Go to Microsoft Defender’s Data Connector tab and search Windows Security Events via AMA

Create collection rule under Windows Security Events Via AMA

Step 4: Decoding Windows Security Logs

To understand the heartbeat of our system, I took a deep dive into Windows Security Event logs. Recognizing what different event IDs represent and how they can be used to detect possible security incidents proved incredibly informative.

Note: Please request access via the connect tab in the VM before connecting to it via RDP due to the JITM setup.

Connect to Windows 10 VM that we created using RDP

Open Event Viewer and go to Security logs

Here, I was able to see logs of security events

Step 5: Creating Custom Analytic Rules and Scheduling Tasks

Building upon the knowledge gathered from KQL queries, I devised custom analytic rules to automatically detect specific Microsoft Security Events. The power of automation in threat detection was clearly highlighted in this step.

Configure Audit Other Object Access Events from Local Security Policy Editor

Creating Tasks for getting logs

Scheduling for the time I wanted execution to be done

Trigger Action for Task Schedular (I have used Internet Explorer)

Step 6: Mastering Kusto Query Language

One of the most powerful tools at our disposal in Azure is Kusto Query Language (KQL). I used KQL to query logs, extract crucial information, and detect any anomalies or potential threats in our system.

Create Analytics Rule in Microsoft Sentinel

I opened the Analytics Rule wizard and proceeded to use the following rule logic. Firstly, I selected Event ID 4698, which is commonly associated with Task Scheduler. I then specified the Tactics/Techniques as persistence (T1053 – Schedular Task/Job).

To narrow down the data and obtain only the information required, I utilized entity mapping. This allowed me to refine the data according to specific parameters, making the analysis more focused and effective. By utilizing the Analytics Rule wizard in this way, I was able to improve our ability to detect and respond to potential threats in a timely and effective manner.

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
SecurityEvent
| where EventID == 4698
| parse EventData with * '<Data Name="SubjectUserName">' User '</Data>' *
| parse EventData with * '<Data Name="TaskName">' NameofSceuduledTask '</Data>' *
| parse EventData with * '<Data Name="ClientProcessId">' ClientProcessID '</Data>' *
| project Computer, TimeGenerated, ClientProcessID, NameofSceuduledTask, User
SecurityEvent | where EventID == 4698 | parse EventData with * '<Data Name="SubjectUserName">' User '</Data>' * | parse EventData with * '<Data Name="TaskName">' NameofSceuduledTask '</Data>' * | parse EventData with * '<Data Name="ClientProcessId">' ClientProcessID '</Data>' * | project Computer, TimeGenerated, ClientProcessID, NameofSceuduledTask, User
SecurityEvent                             
 | where EventID == 4698
 | parse EventData with * '<Data Name="SubjectUserName">' User '</Data>' *
 | parse EventData with * '<Data Name="TaskName">' NameofSceuduledTask '</Data>' *
 | parse EventData with * '<Data Name="ClientProcessId">' ClientProcessID '</Data>' *
 | project Computer, TimeGenerated, ClientProcessID, NameofSceuduledTask, User

Here, I was able to get log of task scheduled in sentinel Incidents Tab

Step 7: Mapping Threats with MITRE ATT&CK Framework

Finally, I used the MITRE ATT&CK framework to understand and map potential adversary tactics and techniques. This part of the lab was particularly interesting as it provided a structured approach to understanding the landscape of cyber threats and devising effective countermeasures.

The MITRE ATT&CK tactic observed in this lab is referred to as TA0003 Persistence. This tactic is used by malicious actors to establish a foothold within a targeted environment, allowing them to maintain access and control over a prolonged period.

To establish persistence in this instance, the sub-technique of employing a scheduled Task/Job was used. Attackers frequently employ this method, which poses a serious risk to the environment’s security in an organisation.

We used monitoring and logging particular Windows event IDs to find such attacks. However, MITRE offers more guidance for identifying persistence-based assaults.

MITRE advises establishing user account management policies that restrict the privileges of users who are authorized to set scheduled tasks on distant systems in order to lessen the risk posed by this kind of threat. Organizations can dramatically lessen their exposure to persistence-based attacks by limiting these privileges to just authorized admins.

Conclusion:

Lastly, I would like to express my gratitude to Cyberwox academy for providing the project idea and inspiration for this walkthrough. It was a valuable experience to work through the Azure Sentinel lab, gaining practical exposure to essential cybersecurity tools and practices.

I sincerely hope that this guide has been helpful to those seeking to learn more about Azure Sentinel and its capabilities. Stay tuned for more in-depth explorations into the ever-evolving world of cybersecurity!

Don’t hesitate to leave a comment on this post if you have any questions or concerns about implementing Azure Sentinel in your environment. Let’s work together to create a more secure digital world.


Latest Posts:

Leave a Reply

Your email address will not be published. Required fields are marked *