Getting started using Microsoft Azure Sentinel (Cloud-Native SIEM and SOAR)
In this module, we are going to explore Microsoft Azure Sentinel (Cloud-Native SIEM and SOAR). We will learn how to deploy the SIEM from scratch and how to start detecting threats with it.
Before learning how to use Azure Sentinel, we need to define it first. According to one of their official blog posts:
Azure Sentinel provides intelligent security analytics at cloud scale for your entire enterprise. Azure Sentinel makes it easy to collect security data across your entire hybrid organization from devices, to users, to apps, to servers on any cloud. It uses the power of artificial intelligence to ensure you are identifying real threats quickly and unleashes you from the burden of traditional SIEMs by eliminating the need to spend time on setting up, maintaining, and scaling infrastructure.
Most of the first steps were already discussed in detail in the previous resource, so I am going to go through them quickly:
Go to the Azure search bar, look for Azure Sentinel (preview) and add a new workspace
Create a new Workspace and press "OK"
Add a new Azure Sentinel
Voila!
Now you need to select a connector to receive logs:
For example, you can select Azure Activities:
Click "Next Steps"
Create a Dashboard. The following graph illustrates some of the Dashboard components:
If you want to receive logs from an Azure VM, select the Syslog connector and pick the VM that you want to use:
Deploy the Linux agent, for example on the "Zeek" VM
Go to "Advanced Settings" -> Data -> Syslog -> select "Apply below configuration to my machines"
The Linux machine is now connected
If you want to receive logs from a Windows machine: go to "Advanced Settings" -> Connected Sources and select "Windows Servers". Then download the Windows agent installation binary
Open your Windows machine (in my case Windows 7 x32) and install the agent. Click Next
Add your ID and Key (you will find them in the Windows Servers dashboard)
Click Next and you are done
Now it is hunting time! Go to your Sentinel page and select Hunting; there you can type your own hunting queries in KQL (Kusto Query Language).
You can also use and create your own Notebooks
You can use some pre-made hunting notebooks delivered by Azure. Click Import
and they will be pulled directly from the official Sentinel GitHub account:
The Sentinel dashboards are highly customizable. In other words, you can add any visualisation you want. In this example I added a CPU visualization
You can even add your own alert/detection rules. To do so, click "New alert rule"
I tried an arbitrary condition for educational purposes: CPU > 1.4%
You can also select the action to take when the condition is met. In my case, I tried the email notification option
You will receive a confirmation email to check that everything is ok:
When the rule fires you will receive an email notification
You can also write your own advanced detection queries in KQL. Go to "Hunting", click "New Query", create your customized query, and map it to the MITRE ATT&CK framework.
By now you are ready to start your Hunting mission.