Today I'm going over how I set up Azure Sentinel to show failed access attempts to a virtual machine, and where they are coming from.
Step 1: Log into Azure and create a virtual machine.After logging in to Azure and setting up an account, I selected "Create a resource."
I selected "create" under virtual machine.
I Filled out all the required information, then selected "Review + create," at the bottom of the screen.
I then selected the Networking tab. Under "NIC network security group," selected "Advanced." Then, under "Configure network security group" selected "Create new."
I deleted any inbound rules and a new rule, by selecting "+ Add an inbound rule." Allowing all traffic from the internet, so the VM is quickly discoverable.
I select the "Review + create" tab at the top,Confirmed the information, then selected "Create."
Step 2: Create a Log Analytics workspace.
I used the search bar to search for "Log Analytics workspaces." Selected "+ Create"
I filled out the information and selected the Resource group that I previously created. Then selected "Review + create."
Step 3: Enable the ability to collect logs from the virtual machine
In the search bar, I searched for "Microsoft Defender for Cloud." Then on the left, under "Management," I selected "Environment Settings."
I then selected the Log Analytics workspace that was just created.
I selected the following options, Saved them, then selected "Data collection" on the left side.
I selected "All events," then saved.
Step 4: Connect Log Analytics to the VM.
I went back to Log Analytics workspaces and selected the one I created. I then selected "Virtual Machines" on the left, selected the Virtual Machine I created, and selected "+ Connect."
Step 5: Set up Sentinel.
I searched for "Microsoft Sentinel" in the search bar, selected "Create Azure Sentinel," then selected the Log Analytics workspace that we previously created.
Step 6: Log into VM.
I searched "Virtual machines" and selected the one I created. On the right side I copied the public IP address and used it to log into the VM using RDP on my computer.
Step 7: Implement failed RDP log exporter and ipgeolocation.io.
Before executing the script, I needed to get an API key by creating an account on ipgeolocation.io. This website provides the API I am using to gather the location of the IP addresses that are attempting to log into my VM. After putting my own API key into the script, I started the script to begin collecting the information.
Step 8: Creating custom logs.
I went back to the Log Analytics workspace we created and on the left side selected "legacy custom logs." I then created a new custom log.
I selected the sample log, created by the script, located in C:\ProgramData.
I selected next, then entered the location of the log file and selected next again. Gave it a name, then created it.
Step 9: Extract data from logs
I then went back to Log Analytics workspace, selected the one I previously created, and went to the "logs" selection on the left side. To extract the data I right clicked the log and selected "extract fields."
I then selected each piece of data I wanted in a separate field, and gave it a name (latitude, longitude, destination host, username, country, label, and timestamp), while also correcting any errors on the right, from other data logs, to help the machine learning be more accurate.
Step 10: Set up map in Sentinel.
I then went back to Sentinel, selected the Log Analytics that I previously created. I selected "workbooks" and created a new workbook.
I removed the default widgets and selected "Add query."
I selected "map" under the "Visualization" drop down, and entered the following code:
I then entered the following settings under "map settings."
I then hit "Apply" and waited for the failed log ins!Result:
After waiting several hours this was the result of the map:
Comments
Post a Comment