PrinceDeveloperOf/AzureSIEMProject
AzureSIEMProject

A tutorial for an Azure SIEM. In this lab we will build a SIEM in Microsoft Azure.

There are three main components to this project:

  • Honeypot/Target
  • Log Analytics Workspace
  • Microsoft Sentinel Workbook

Honeypot/Target

In this lab we will be taking the logs of failed RDP events for a host machine, using an API to geolocate where each failed RDP request came from, and showing those origins on a map.

To set up the virtual machine, go to Azure and, under Virtual Machines, create a new virtual machine.

There are only two things we need to configure. The first is the basics: name, location, resource group, etc.

The other is under the Networking tab, where we will use an advanced security group. Create a new security group and then edit it.

Delete the rule that already exists by clicking on the three dots to the right.

Then create a new rule. This rule will allow all inbound traffic through; that deliberate exposure is what makes the VM the honeypot.

Log Analytics Workspace

Next we're going to create the Log Analytics workspace.

In this screenshot you can see an ellipsis in the middle of the screen. If you click on it you will get the option to make a new Log Analytics workspace.

Configuring a Log Analytics workspace is pretty simple.

Microsoft Sentinel

Search for Microsoft Sentinel in the search box and create it.

This is simple: just click the Log Analytics workspace.

Then click Connect.

Setting up logging

Go to Microsoft Defender for Cloud, then go to Environment Settings.

Then enable Server protection; there's no need for SQL Server protection.

Go to Data collection and change it to All Events.

Connecting the Log Analytics workspace

Go to Log Analytics workspaces and choose the one that was made.

Then choose Virtual machines on the left.

Click the virtual machine we made.

Then connect it.

Remoting into the VM

Go back to the virtual machine we created earlier and copy its IP address.

Paste that IP into Remote Desktop and remote in using the credentials that were supplied when we created the VM.

Here I would make sure that you allow clipboard sharing between the two machines but nothing else, especially not drive redirection.

Go to the PowerShell ISE and make a new script. The name doesn't matter; the code you will copy from here.

This script takes every failed RDP attempt that happens while the script is running, sends the IP to the API to get its geolocation, and finally stores that information in C:\ProgramData\failed_rdp.log. Make sure you change the API key in the script to one that you get from here.

Run the script, then go to C:\ProgramData\failed_rdp.log and copy that file to your desktop.

I would suggest that you turn the script off after a few requests come in, before doing the next part.
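A collector of this shape, written here as an added example rather than the tutorial's own script: it polls the Security log for Event ID 4625 (failed logon), geolocates the remote IP and appends a key=value line to C:\ProgramData\failed_rdp.log. The geolocation endpoint URL, its response property names and the exact log layout are assumptions, and the API key is a placeholder.

```powershell
# Added example, not the tutorial's own script. Polls the Security event log for
# failed logons (Event ID 4625), geolocates the remote IP and appends one line per
# attempt to C:\ProgramData\failed_rdp.log using the field names the tutorial later
# extracts (latitude, longitude, destinationhost, sourcehost, country, label).
$LogPath = 'C:\ProgramData\failed_rdp.log'
$ApiKey  = 'REPLACE_WITH_YOUR_API_KEY'   # placeholder: paste the key from your geolocation provider

function Get-GeoInfo {
    param([string]$Ip)
    # Hypothetical endpoint and response shape; adapt the URL and property names
    # to whichever geolocation API you signed up for.
    $r = Invoke-RestMethod -Uri "https://geo.example.invalid/v1/lookup?ip=$Ip&key=$ApiKey"
    return [pscustomobject]@{
        Country   = $r.country
        Latitude  = $r.latitude
        Longitude = $r.longitude
        Label     = "$($r.country) - $Ip"
    }
}

# Seed the file with a constructed sample line so the custom-log wizard can learn
# the layout before any real attempt arrives; the workbook query filters
# destinationhost "samplehost" back out.
if (-not (Test-Path $LogPath)) {
    'latitude:0,longitude:0,destinationhost:samplehost,sourcehost:0.0.0.0,country:Sample,label:Sample - 0.0.0.0,timestamp:2000-01-01 00:00:00' |
        Out-File -FilePath $LogPath -Encoding utf8
}

$start = Get-Date
$seen  = @{}   # RecordId -> already logged, so each event is written once
while ($true) {
    # StartTime limits the query to events raised after the script started;
    # Get-WinEvent errors when nothing matches, hence SilentlyContinue.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $start } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($seen.ContainsKey($e.RecordId)) { continue }
        $seen[$e.RecordId] = $true
        # Event 4625 carries the remote address in the IpAddress data field ('-' when local).
        $xml = [xml]$e.ToXml()
        $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        if (-not $ip -or $ip -eq '-') { continue }
        $geo  = Get-GeoInfo -Ip $ip
        $line = "latitude:$($geo.Latitude),longitude:$($geo.Longitude),destinationhost:$env:COMPUTERNAME," +
                "sourcehost:$ip,country:$($geo.Country),label:$($geo.Label),timestamp:$($e.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss'))"
        Add-Content -Path $LogPath -Value $line
        Write-Host $line
    }
    Start-Sleep -Seconds 1
}
```

Run it from an elevated PowerShell session, since reading the Security log requires administrator rights.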

Create Custom Logs

So we have the custom logs in a file on the VM. Now we need them to be read by the Log Analytics workspace.

Go to the Log Analytics workspace and choose Custom logs.

Next we will supply sample logs to train the Log Analytics workspace.

Use the file on your own computer that was copied from the virtual machine.

In the collection path, put where the log is on the VM, which is C:\ProgramData\failed_rdp.log

In Details I named it FAILED_RDP_WITH_GEO; Azure will append _CL to the end of it.

Extracting the fields from the logs

Now we are going to extract fields from the logs.

In the Log Analytics workspace go to Logs.

There, run FAILED_RDP_WITH_GEO_CL in the Kusto query window.

Then choose one of the logs, right-click, and choose the Extract fields option.

Now highlight the field and name it.

After that it will show the extracted field and how it has been applied to the other logs. If everything worked it will look something like this.

If it doesn't work it will look like this.

To fix it, go to the wrong entry on the right, click on the circle with the line through it in the top right corner of the entry, and choose Modify.

Then do it just like we did before.

After a couple of corrections they should all work.

You need to extract the label, country, latitude, longitude, source host, and destination host fields.

Mapping the data

Finally we are going to see all of our hard work on a map.

Go to Microsoft Sentinel and start a new workbook.

Make a new query.

Then run this query:

    FAILED_RDP_WITH_GEO_CL
    | summarize event_count=count() by sourcehost_CF, latitude_CF, longitude_CF, country_CF, label_CF, destinationhost_CF
    | where destinationhost_CF != "samplehost"
    | where sourcehost_CF != ""

Change the visualization to Map.

And lastly configure the map with the proper latitude, longitude, and label fields.

Then you should see something like this.
