This post records some key points for setting up a Sentinel lab.
Data Sources
- Virtual Network (VNet)
- Network Security Group (NSG)
- Virtual Machines (2 Windows, one of them hosting an MS SQL DB; 1 Linux)
- Log Analytics Workspace
- Azure Key Vault
- Azure Storage Account
- Microsoft Sentinel
Create Log Analytics Workspace and Sentinel
Create Log Analytics Workspace
Create Sentinel
Add a watchlist, which is used to generate a geography map based on IP addresses:
https://github.com/kphillip1/azure-soc-honeynet/blob/main/geoip-summarized.csv
SearchKey = network
Verify it from the Log Analytics workspace:
- _GetWatchlist("geoip")
- _GetWatchlist("geoip") | count
Make sure the query scope is the workspace where you added the watchlist.
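As an added example (not from the original post), this is the kind of query the watchlist supports: it enriches failed Windows logons from SecurityEvent with the geo columns of the geoip watchlist. The column names network, latitude, longitude, cityname and countryname are assumed from the CSV linked above; adjust them to match your watchlist.

```kql
// Added example: enrich failed logons with the geoip watchlist.
// Assumed watchlist columns: network (CIDR), latitude, longitude, cityname, countryname.
let GeoIPDB_FULL = _GetWatchlist("geoip");
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4625                              // failed logon
| where isnotempty(IpAddress) and IpAddress != "-"   // drop local/blank sources
// ipv4_lookup matches each IpAddress against the CIDR ranges in the 'network' column
| evaluate ipv4_lookup(GeoIPDB_FULL, IpAddress, network)
| summarize FailureCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IpAddress, latitude, longitude, cityname, countryname
| order by FailureCount desc
```

If rows come back with empty geo columns, either the IpAddress values matched no CIDR in the network column or the column names differ from the watchlist; compare against the _GetWatchlist("geoip") output above.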
Install Microsoft Monitoring Agent for Log Analytics Workspace
Legacy way:

Verify the installation on the local machine:
The Azure Arc script is for machines outside of the Azure environment.
If you directly download the client to install from the Data Collection Rule's Resources page:
You will get an alert saying that using the Windows installer is not supported on an Azure VM. Use the VM Extension instead.
Enable Logs for Virtual Machine Monitoring
Microsoft Defender for Cloud
Go to Microsoft Defender for Cloud -> Management -> Environment Settings
Choose the subscription -> Analytics Workspace -> JYLogs
Create Data Collection Rules:
For all events.
@subscription level,
Click on Settings in the previous screenshot:
You can also edit the configuration from the previous screenshot to set up auto-provisioning.
@subscription level
Enable continuous export to the Log Analytics workspace.
Make sure logs are exported to the correct resource group and workspace.
Onboard Entra ID Logs
Entra ID – Monitoring – Diagnostic Settings
Search the following tables in the Log Analytics Workspace:
Onboard Monitor Logs
Monitor – Activity Log – Export Activity Logs
Send to Log Analytics workspace:
Check table: AzureActivity
Storage Account – Monitoring – Diagnostic settings
Select any of the resources to view diagnostic settings:
Create a flow log
Select the target resource and storage account
Enable Traffic Analytics
Create Data Collection Rules for Windows & Linux Servers
You might want to create an Azure Monitor workspace first,
then you can send all Windows logs and Linux logs to the Azure Monitor workspace.
Add custom XPath queries:
Examples:
- Application!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]
- Security!*[System[(band(Keywords,13510798882111488))]]
- System!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]
https://github.com/kphillip1/azure-soc-honeynet/blob/main/Xpath.txt
// Windows Defender Malware Detection XPath Query
- Microsoft-Windows-Windows Defender/Operational!*[System[(EventID=1116 or EventID=1117)]]
// Windows Firewall Tampering Detection XPath Query
- Microsoft-Windows-Windows Firewall With Advanced Security/Firewall!*[System[(EventID=2003)]]
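To confirm that every channel named in these XPath queries is actually delivering events, here is an added check (example query, not part of the original post or the linked repository). It assumes the DCR writes all five channels to the Event table; if the Security channel was onboarded through the Sentinel "Windows Security Events via AMA" connector it lands in SecurityEvent instead and will show as MISSING here.

```kql
// Added example: per host, list each channel configured in the DCR XPath queries
// and whether any events from it arrived in the last 24 hours.
// Assumption: all channels below are written to the Event table.
let expected = datatable(EventLog: string) [
    "Application",
    "Security",
    "System",
    "Microsoft-Windows-Windows Defender/Operational",
    "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
];
let seen = Event
    | where TimeGenerated > ago(24h)
    | summarize Events = count(), LastSeen = max(TimeGenerated) by Computer, EventLog;
seen
| distinct Computer
| extend k = 1
| join kind=inner (expected | extend k = 1) on k       // every reporting host x every expected channel
| project Computer, EventLog
| join kind=leftouter seen on Computer, EventLog         // attach counts where the channel was seen
| extend Status = iff(isnull(Events), "MISSING", "ok"),
         Events = coalesce(Events, 0)
| project Computer, EventLog, Status, Events, LastSeen
| order by Computer asc, Status asc, EventLog asc
```

A channel marked MISSING on a host that otherwise reports usually means the XPath in the DCR has a typo in the channel name or the DCR is not associated with that VM; a host absent from the list entirely has no working agent association.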
Onboard Key Vault Logs
Key Vaults -> Monitoring -> Diagnostic settings
Check table: AzureDiagnostics
Videos
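An added example (not from the original post) of what to do with AzureDiagnostics once Key Vault logs arrive: summarise secret and key reads per caller and flag denied attempts. The identity columns identity_claim_upn_s and identity_claim_appid_g are assumed from the standard Key Vault AuditEvent schema; check the table's actual columns in your workspace before relying on them.

```kql
// Added example: who is reading secrets/keys from the onboarded Key Vault, and were any denied?
// Assumed columns: identity_claim_upn_s (user), identity_claim_appid_g (service principal).
AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceType == "VAULTS" and Category == "AuditEvent"
| where OperationName in ("SecretGet", "SecretList", "KeyGet", "CertificateGet")
| extend Caller = coalesce(identity_claim_upn_s, tostring(identity_claim_appid_g), "unknown")
| summarize Requests = count(),
            Denied = countif(ResultSignature != "OK"),   // Forbidden / Unauthorized / NotFound
            Operations = make_set(OperationName),
            SourceIPs = make_set(CallerIPAddress)
    by Resource, Caller
| extend Flag = iff(Denied > 0, "review", "")
| order by Denied desc, Requests desc
```

Unknown callers or a high Denied count against a vault are the rows worth reviewing first; the SourceIPs set can be joined to the geoip watchlist with the same ipv4_lookup pattern used for failed logons.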