Sunday, August 4, 2024

Azure Cloud Detection Lab

I had lots of fun with this one! In this project I configured and analyzed Azure resources to detect and respond to security threats effectively. Below is a streamlined overview of the project, covering setup, configuration, and key learnings.

Project Setup and Configuration

Step 1: Configuring and Deploying Azure Resources

  • Log Analytics Workspace: Established as the core of data collection, set up to gather, query, and analyze log data from both Azure resources and external sources.
  • Virtual Machines: Deployed within Azure to simulate an operational environment, configured with network settings and hardened against common threats.
  • Azure Sentinel: Integrated with the Log Analytics Workspace to provide cloud-native security analytics and threat intelligence.

Step 2: Implementing Security Best Practices

  • Network Security Groups (NSGs): Configured to control both inbound and outbound VM traffic, allowing only authorized traffic.
  • Virtual Machine Security: Applied security policies include enabling encryption and automatic updates to enhance VM security.

Step 3: Utilizing Data Connectors

  • Data connectors are essential for bringing data into Azure Sentinel for analysis. I explored various connectors to integrate diverse log sources such as Windows Security Event logs and Azure Activity logs.

Step 4: Understanding Windows Security Event Logs

  • I RDP'd into the VM and opened Windows Event Viewer. I reviewed the event types and their interpretation, which are vital for monitoring and detecting unauthorized access and policy violations. Here I looked at events 4624 and 4672.

In Azure we can see the same events come up.

Step 5: Configuring Windows Security Policies

  • Configured settings related to account policies, audit policies, and advanced security options to ensure VMs meet security standards.

Step 6: Utilizing KQL for Log Queries

  • Used Kusto Query Language (KQL) to write queries that identify patterns, anomalies, and potential security threats within the data. When the logs are then queried, EventID 4624 appears in the results.

Step 7: Writing Custom Analytic Rules

  • Developed rules in Azure Sentinel to detect specific Microsoft security events, using KQL to trigger alerts under certain conditions.
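As an added illustration of Steps 6 and 7 (this query is not from the original post), the KQL below correlates a successful logon (4624) with a "special privileges assigned to new logon" event (4672) for the same account and logon session on the same host, which is the kind of query that can be pasted into a Sentinel scheduled analytic rule. Table and column names follow the Log Analytics SecurityEvent schema; the 5-minute correlation window, the chosen logon types, and the exclusion of computer and SYSTEM accounts are assumptions for this example.

```kql
// Added example, not part of the original post.
// 4624 = an account was successfully logged on
// 4672 = special privileges assigned to new logon (admin-level session)
// The 4672 SubjectLogonId matches the 4624 TargetLogonId, so joining on
// that id ties the privilege assignment to the exact logon session.
let lookback = 1h;       // assumed: how far back the rule looks
let window   = 5m;       // assumed: max gap between 4624 and 4672
let logons = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624
    // Interactive (2), network (3) and RDP (10) logons; skip service (5)
    | where tostring(LogonType) in ("2", "3", "10")
    | project LogonTime = TimeGenerated, Computer, Account,
              LogonTypeName, IpAddress, LogonId = TargetLogonId;
let privileges = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4672
    | project PrivTime = TimeGenerated, Computer, Account,
              PrivilegeList, LogonId = SubjectLogonId;
logons
| join kind=inner privileges on Computer, Account, LogonId
| where PrivTime between (LogonTime .. (LogonTime + window))
// Drop computer accounts (ending in $) and the built-in SYSTEM account
| where Account !endswith "$" and Account !has "SYSTEM"
| summarize PrivilegedLogons = count(),
            Sources    = make_set(IpAddress),
            Privileges = make_set(PrivilegeList)
          by Computer, Account, LogonTypeName, bin(LogonTime, window)
| order by PrivilegedLogons desc
```

Each row is one privileged session per account, host and 5-minute bucket, with the source IPs and privilege lists gathered so the analyst can see at a glance where an admin logon came from and what it was granted.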

Step 8: Mapping with MITRE ATT&CK

  • I then applied the MITRE ATT&CK framework to map detected events to known adversary behaviors, which helps put threats in context and guides mitigation strategy. Once everything is set up, the alert pops up in the Incidents tab (last screenshot below).

Conclusion

This project let me configure essential Azure resources and apply security principles to cloud security. And this is only the tip of the iceberg for cloud security.
