Getting Started

Once we have created an account in Azure, we can create a sentinel instance. See https://azure.microsoft.com/en-ca/services/azure-sentinel/

Login via: https://portal.azure.com/#home


You will first need to search for Sentinel and then create a workspace. Then you can add a sentinel instance to your workspace.

Data Collection

Azure Sentinel has a number of connectors that can be used to send data and logs to Azure.


Kubernetes Connector

We can use fluent-bit's build in azure connector to send data to Azure. See Fluentbit to Azure Analytics.

Common Event Format

Common Event Format (CEF) is an industry standard format on top of Syslog messages, used by many security vendors to allow event interoperability among different platforms. By connecting your CEF logs to Azure Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.​

https://portal.azure.com/#blade/Microsoft_Azure_Security_Insights/DataConnectorBlade/dataConnectorId/CEF

Syslog Connector

https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog

Install the Linux agent

wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w xxx -s xxx -d opinsights.azure.com

Output

--2021-07-02 10:47:00--  https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3184 (3.1K) [text/plain]
Saving to: 'onboard_agent.sh'
...
Shell bundle exiting with code 0

Uninstall

$ sudo /opt/microsoft/omsagent/bin/uninstall


# Purge - might be the better way to uninstall
$ wget -O onboard_agent.sh https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sudo sh onboard_agent.sh --purge


Querying the Logs

From the Log screen, we can create queries to search our logs.

Query Examples

Syslog
| where Facility in ("authpriv","auth")
| extend c = extract( "Accepted\\s(publickey|password|keyboard-interactive/pam)\\sfor ([^\\s]+)",1,SyslogMessage)
| where isnotempty(c)

Syslog
| where Facility in ("authpriv","auth")
| where SyslogMessage contains "authentication failure "

// Search in multiple tables 
// Search both Syslog and Event tables for the term "login". 
search in (Syslog, Event) "authentication failure"
| where TimeGenerated > ago(24h) // return records from the last 24 hours

// All Syslog with errors 
// Last 100 Syslog with erros. 
Syslog 
| where SeverityLevel == "err" or  SeverityLevel == "error"
| top 100 by TimeGenerated desc

//login errors
Syslog 
| where SeverityLevel == "err" or  SeverityLevel == "error"
| where Facility  == "auth"
| where SyslogMessage contains "kex_exchange_identification"

//any auth errors
Syslog 
| where SeverityLevel == "err" or  SeverityLevel == "error"
| where Facility  == "auth"


//failed login
Syslog 
| where Facility  == "auth"
| where SyslogMessage contains "Failed password"
| order by EventTime asc  

//failed login with extraction of fields
Syslog
| where Facility  == "auth"
| where SyslogMessage contains "Failed password"
| extend user = extract("Failed password for invalid user (.*) from (.*) port (.*) (.*)", 1, SyslogMessage, typeof(string))  
| extend remoteIp = extract("Failed password for invalid user (.*) from (.*) port (.*) (.*)", 2, SyslogMessage, typeof(string))  
| extend port = extract("Failed password for invalid user (.*) from (.*) port (.*) (.*)", 3, SyslogMessage, typeof(string))  
| extend protocol = extract("Failed password for invalid user (.*) from (.*) port (.*) (.*)", 4, SyslogMessage, typeof(string))  
| order by EventTime asc 

//kubernetes logs gathered using fluent-bit
fluentbit_CL
| where kubernetes_labels_app_s contains "ubuntu"
| where log_s contains "Failed password"


Analytics

Navigate to the Analytics page by clicking Analytics in the left side menu.

Create a Rule

To create a new rule, simply click the Create pull down and select Scheduled Query Rule.

Define the general information about the rule: name, description. You also have the ability to categorize the rule into group of tactics.

Define the query, how often to run the query and the alert threshold.

Enable incident creation

Define Response

Review and Save

Incidents

Incidents created from a analytics rule, can be displayed on the Incidents screen.


View details of the triggered incident by clicking the incident and clicking View Full Details.

Clicking Events will display the log records that triggered the incident.







References

ReferenceURL
What is Azure Sentinel and why you should care | Azure Tips and Trickshttps://www.youtube.com/watch?v=dRpOR2GpL1s
Azure Sentinelhttps://azure.microsoft.com/en-ca/services/azure-sentinel/
Azure Portalhttps://portal.azure.com/#home
Samples for queries for Azure Data Explorer and Azure Monitorhttps://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/samples?pivots=azuredataexplorer
Tutorial: Create custom analytics rules to detect threatshttps://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom
Azure Sentinel Lab Series | Setup Syslog Collector and install Azure Sentinel Agent | EP1https://www.youtube.com/watch?v=KJbIH7egdVI
  • No labels