Sentinel Lab Notes – 51 Safety

This submit is to report some key factors to arrange a Sentinel Lab

Information Sources

• Digital Community (VNet)
• Community Safety Group (NSG)
• Digital Machines (2 home windows with 1 MS SQL DB, 1 linux)
• Log Analytics Workspace
• Azure Key Vault
• Azure Storage Account
• Microsoft Sentinel

Create Log Analytics Workspace

Create Sentinel

Add watchlist in, which is used to generate geography map primarily based on IP

https://github.com/kphillip1/azure-soc-honeynet/blob/foremost/geoip-summarized.csv

Searchkey = community

Confirm it from Log analytics workspace: 

• _GetWatchlist(“geoip”)
• _GetWatchlist(“geoip”) | rely

be sure scope is the one you add the watchlist. 

Set up Microsoft Monitoring Agent for Log Analytics Workspace

Legacy manner: 

Obtain Home windows Agent 64b (Leagcy Log Analytics Agent) and set up it to your Home windows machine with Workspace ID and Key.

Confirm the set up on the native machine:

Azure Arc script is for use on the machine exterior of Azure setting. 

For those who instantly obtain the shopper to put in from Information Assortment Rule’s Assets web page:

You’re going to get an alert to say utilizing Home windows installer will not be supported on Azure VM. Use VM Extension as a substitute. 

Allow Logs for Digital Machine Monitoring

Select the subscription -> Analytics Workspace -> JYLogs

Create Information Assortment Guidelines:

For all occasions.

@subscription stage,

Click on on settings in earlier screenshot:

You can also edit configuraiton from earlier screenshot to configure Auto-provisioning configuraiton

@subscription stage

Allow steady export to Log Analytics workspace

Be certain logs exported to appropriate useful resource group and workspace.

Onboard Entra ID Logs

Entra ID – Monitoring – Diagnostic Settings

Looking from following tables in Log Analytics Workspace:

Ship to Log Analytics workspace:

Checking desk: AzureActivity

Storage Account – Monitoring – Diagnostic settings

Choose any of the sources to view diagnostic settings:

Create a circulate log 

choose goal useful resource and storage account

Allow Site visitors Analytics

You would possibly wish to create an azure monitor workspace first

then you may ship all Home windows logs and Linux Logs to Azure Monitor Workspace

Add customized XPath queries:

Examples:

• Utility!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]
• Safety!*[System[(band(Keywords,13510798882111488))]]
• System!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]

https://github.com/kphillip1/azure-soc-honeynet/blob/foremost/Xpath.txt

// Home windows Defender Malware Detection XPath Question

• Microsoft-Home windows-Home windows Defender/Operational!*[System[(EventID=1116 or EventID=1117)]]

// Home windows Firewall Tampering Detection XPath Question

• Microsoft-Home windows-Home windows Firewall With Superior Safety/Firewall!*[System[(EventID=2003)]]

Onboard Key Vault Logs

Key Vaults – > Monitoring -> Diagnostic settings

Verify desk: AzureDiagnostics

Movies