Microsoft Azure Sentinel | Using a SIEM for live attacks

Huge thanks to Josh Madakor for creating this awesome lab! It was really fun to recreate and learn about. His video can be found here

Learning Objectives:

• Configuration & Deployment of Microsoft Azure virtual machines, Log Analytics Workspaces, and Microsoft Sentinel
• Hands-on experience with Microsoft Sentinel, a cloud-native SIEM (Security Information and Event Management)
• Understanding Windows Security Event logs
• Using Kusto Query Language (KQL) to query logs
• Displaying attack data on a dashboard with Workbooks (Viewing it as a World Map)

Tools

• Microsoft Azure
• Remote Desktop Protocol
• 3rd party API: IP Geolocation
• Custom powershell script by Josh Madakor

Overview

Steps

Creating a Microsoft Azure account

Creating a new Azure account to have $200 credit for 30 days

Creating a Virtual Machine to be our Honeypot

I went back to change the machine size so it was not running slowly

Changing VM security to allow all inbound traffic

Only did this so the machine can be found faster

Log Analytics Workspace

Purpose of this is to ingest logs from the VM, create a log with the data, then have it be seen in the SIEM

Changing Microsoft Defender for Cloud security

Setting up Microsoft Sentinel

Created the SIEM and then choose workbooks to add the honeypot

Log into VM with Remote Desktop

Once logged into VM I turned off Windows Firewall and tested the connection

Using Custom powershell script and Making Free IP Geolocation account for API

Waiting for logs to populate

Map on inital set-up

End of Project

left the VM running for roughly 4 hours before stopping it. This was my final results