Azure Sentinel To-Go 🛒 — Part 2: Integrating a Basic Windows Lab 🧪 via ARM Templates 🚀

Azure Sentinel To-Go?

Extending The Basic Azure Sentinel Template

  1. Enable the Azure Sentinel Security Events Data Connector to stream all security events (Microsoft-Windows-Security-Auditing event provider) to the Azure Sentinel workspace.
  2. Enable and stream additional Windows event providers (e.g. Microsoft-Windows-Sysmon/Operational or Microsoft-Windows-WMI-Activity/Operational) to increase visibility from a data perspective.

1) Azure Sentinel + Security Events Data Connector

https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events

Azure Resource Manager (ARM) Translation

{
  "type": "Microsoft.OperationalInsights/workspaces/dataSources",
  "apiVersion": "2020-03-01-preview",
  "location": "[parameters('location')]",
  "name": "<workspacename>/<datasource-name>",
  "kind": "SecurityInsightsSecurityEventCollectionConfiguration",
  "properties": {
    "tier": "<None,Minimal,Recommended,All>",
    "tierSetMethod": "Custom"
  }
}

2) Azure Sentinel + Additional Win Event Providers

Azure Resource Manager (ARM) Translation

{
  "type": "Microsoft.OperationalInsights/workspaces/dataSources",
  "apiVersion": "2020-03-01-preview",
  "location": "[parameters('location')]",
  "name": "<workspacename>/<datasource-name>",
  "kind": "WindowsEvent",
  "properties": {
    "eventLogName": "",
    "eventTypes": [
      { "eventType": "Error" },
      { "eventType": "Warning" },
      { "eventType": "Information" }
    ]
  }
}

Event log names (eventLogName values) collected by the demo template:

  • System
  • Microsoft-Windows-Sysmon/Operational
  • Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
  • Microsoft-Windows-Bits-Client/Operational
  • Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  • Directory Service
  • Microsoft-Windows-DNS-Client/Operational
  • Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  • Windows PowerShell
  • Microsoft-Windows-PowerShell/Operational
  • Microsoft-Windows-WMI-Activity/Operational
  • Microsoft-Windows-TaskScheduler/Operational
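As an added example (not code from the post or from the Azure-Sentinel2Go project), the following Python builds the two kinds of dataSources resources shown above for a workspace and a list of event providers, so the per-provider resources do not have to be hand-copied; the data source naming scheme and the tier check are assumptions.

```python
import json
import re
from typing import Iterable

SECURITY_EVENT_TIERS = {"None", "Minimal", "Recommended", "All"}  # tiers from the page
API_VERSION = "2020-03-01-preview"
DS_TYPE = "Microsoft.OperationalInsights/workspaces/dataSources"

def data_source_name(event_log_name: str) -> str:
    """Assumed naming scheme: keep letters, digits and hyphens from the log name
    so the result is usable as the child segment of the ARM resource name."""
    slug = re.sub(r"[^A-Za-z0-9-]+", "-", event_log_name).strip("-")
    return f"WinEvent-{slug}"

def security_events_resource(workspace: str, tier: str) -> dict:
    """Data source that turns on the Security Events connector at the given tier."""
    if tier not in SECURITY_EVENT_TIERS:
        raise ValueError(f"tier must be one of {sorted(SECURITY_EVENT_TIERS)}, got {tier!r}")
    return {
        "type": DS_TYPE,
        "apiVersion": API_VERSION,
        "location": "[parameters('location')]",
        "name": f"{workspace}/SecurityEventCollection",  # constructed data source name
        "kind": "SecurityInsightsSecurityEventCollectionConfiguration",
        "properties": {"tier": tier, "tierSetMethod": "Custom"},
    }

def windows_event_resource(workspace: str, event_log_name: str) -> dict:
    """Data source that streams one extra Windows event provider at all three levels."""
    if not event_log_name.strip():
        raise ValueError("eventLogName must not be empty")
    return {
        "type": DS_TYPE,
        "apiVersion": API_VERSION,
        "location": "[parameters('location')]",
        "name": f"{workspace}/{data_source_name(event_log_name)}",
        "kind": "WindowsEvent",
        "properties": {
            "eventLogName": event_log_name,
            "eventTypes": [{"eventType": t} for t in ("Error", "Warning", "Information")],
        },
    }

def build_resources(workspace: str, tier: str, event_logs: Iterable[str]) -> list:
    """Connector first, then one WindowsEvent data source per distinct provider."""
    resources = [security_events_resource(workspace, tier)]
    for log in dict.fromkeys(event_logs):  # de-duplicate, keep order
        resources.append(windows_event_resource(workspace, log))
    return resources
```

Serialise the returned list with json.dumps and splice it into the "resources" array of the workspace template; the "[parameters('location')]" expressions stay as strings and are evaluated by ARM at deployment time.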

Executing The Extended Azure Sentinel Template

Download current demo template

Azure CLI (Create Resource Group)

az group create -n AzSentinelDemo -l eastus
  • az group create : Create a resource group
  • -n : Name of the new resource group
  • -l : Location/region

Azure CLI (Deploy ARM Template)

az deployment group create -f ./LA-Sentinel-Windows-Settings.json -g AzSentinelDemo
  • az deployment group create: Start a deployment
  • -f : Template that I put together for this deployment.
  • -g: Name of the Azure Resource group

Monitor Deployment

Check Azure Sentinel Automatic Settings (Data Connector)

Check Azure Sentinel Automatic Settings (Win Event Providers)

Re-Using a Windows 10 ARM Template

A Win 10 ARM Template 101 Recipe

  • Publisher: The organization that created the image. Examples: MicrosoftWindowsDesktop, MicrosoftWindowsServer
  • Offer: The name of a group of related images created by a publisher. Examples: Windows-10, WindowsServer
  • SKU: An instance of an offer, such as a major release of a distribution. Examples: 19h2-pro, 2019-Datacenter
  • Version: The version number of an image SKU.
> az vm image list-offers -p MicrosoftWindowsDesktop -o table
Location    Name
----------  --------------------------------------------
eastus      corevmtestoffer04
eastus      office-365
eastus      Test-offer-legacy-id
eastus      test_sj_win_client
eastus      Windows-10
eastus      windows-10-1607-vhd-client-prod-stage
eastus      windows-10-1803-vhd-client-prod-stage
eastus      windows-10-1809-vhd-client-office-prod-stage
eastus      windows-10-1809-vhd-client-prod-stage
eastus      windows-10-1903-vhd-client-office-prod-stage
eastus      windows-10-1903-vhd-client-prod-stage
eastus      windows-10-1909-vhd-client-office-prod-stage
eastus      windows-10-1909-vhd-client-prod-stage
eastus      windows-10-2004-vhd-client-office-prod-stage
eastus      windows-10-2004-vhd-client-prod-stage
eastus      windows-10-ppe
eastus      windows-7

> az vm image list-skus -l eastus -f Windows-10 -p MicrosoftWindowsDesktop -o table
Location    Name
----------  ---------------------------
eastus      19h1-ent
eastus      19h1-ent-gensecond
eastus      19h1-entn
eastus      19h1-entn-gensecond
eastus      19h1-evd
eastus      19h1-pro
eastus      19h1-pro-gensecond
eastus      19h1-pro-zh-cn
eastus      19h1-pro-zh-cn-gensecond
eastus      19h1-pron
eastus      19h1-pron-gensecond

Execute the Win 10 ARM Template 101 Recipe (Optional)

az deployment group create -f ./Win10-101.json -g AzSentinelDemo --parameters adminUsername='wardog' adminPassword='<PASSWORD>' allowedIPAddresses=<YOUR-PUBLIC-IP>

Extending the Basic Windows 10 ARM Template

  • Download and install the Log Analytics agent (also known as the Microsoft Monitoring Agent or MMA) on the machines from which we want to stream security events into Azure Sentinel.

Win 10 ARM Template + Log Analytics Agent

{
  "name": "<VM-NAME/EXTENSION-NAME>",
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2019-12-01",
  "location": "[parameters('location')]",
  "properties": {
    "publisher": "Microsoft.EnterpriseCloud.Monitoring",
    "type": "MicrosoftMonitoringAgent",
    "typeHandlerVersion": "1.0",
    "autoUpgradeMinorVersion": true,
    "settings": {
      "workspaceId": "[parameters('workspaceId')]"
    },
    "protectedSettings": {
      "workspaceKey": "[parameters('workspaceKey')]"
    }
  }
}
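The extension resource above carries the workspace key, which is a shared secret for the workspace. As an added example (not code from the post or from the Azure-Sentinel2Go project), the following Python emits that resource wired to its VM and checks a template for the two ways the key commonly leaks: putting it in the public "settings" block, or passing it through a parameter that is not a securestring. The extension name "MMAExtension" and the parameter names are assumptions.

```python
import json

def mma_extension(vm_name: str, extension_name: str = "MMAExtension") -> dict:
    """ARM child resource that installs the Log Analytics agent on a VM in the
    same template. Assumed: the template declares parameters 'location',
    'workspaceId' and 'workspaceKey'; 'MMAExtension' is a constructed name."""
    return {
        "name": f"{vm_name}/{extension_name}",
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "apiVersion": "2019-12-01",
        "location": "[parameters('location')]",
        # wait for the VM before installing the extension
        "dependsOn": [f"[resourceId('Microsoft.Compute/virtualMachines', '{vm_name}')]"],
        "properties": {
            "publisher": "Microsoft.EnterpriseCloud.Monitoring",
            "type": "MicrosoftMonitoringAgent",
            "typeHandlerVersion": "1.0",
            "autoUpgradeMinorVersion": True,
            "settings": {"workspaceId": "[parameters('workspaceId')]"},
            # protectedSettings is encrypted and not returned when the resource is read
            "protectedSettings": {"workspaceKey": "[parameters('workspaceKey')]"},
        },
    }

def secret_handling_issues(template: dict) -> list:
    """Findings for templates that would expose the workspace key: the key in
    public 'settings', missing from 'protectedSettings', or passed through a
    parameter that is not a securestring (plain parameter values are kept in
    the deployment history)."""
    issues = []
    key_param = template.get("parameters", {}).get("workspaceKey")
    if key_param is not None and key_param.get("type", "").lower() != "securestring":
        issues.append("parameter workspaceKey should be declared as securestring")
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Compute/virtualMachines/extensions":
            continue
        props = res.get("properties", {})
        if "workspaceKey" in props.get("settings", {}):
            issues.append(f"{res['name']}: workspaceKey exposed in public settings")
        if "workspaceKey" not in props.get("protectedSettings", {}):
            issues.append(f"{res['name']}: workspaceKey missing from protectedSettings")
    return issues

if __name__ == "__main__":
    template = {  # constructed minimal template for the demo
        "parameters": {"workspaceId": {"type": "string"},
                       "workspaceKey": {"type": "securestring"}},
        "resources": [mma_extension("Win10Demo")],
    }
    print(json.dumps(template, indent=2), secret_handling_issues(template))
```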

Putting it All Together!

  • Deploy an Azure Sentinel solution
  • Enable the Azure Sentinel SecurityEvents data connector
  • Enable more Windows event providers to collect more telemetry
  • Deploy a Windows 10 virtual machine and its own virtual network.
  • Install the Log Analytics Agent (Microsoft Monitoring Agent) in the Windows 10 VM.

Executing the ARM Template (Azure CLI)

az deployment group create -n Win10Demo -f ./Win10-Azure-Sentinel-Basic.json -g Win10AzSentinel --parameters adminUsername='wardog' adminPassword='<PASSWORD>' allowedIPAddresses=<PUBLIC-IP-ADDRESS>

SecurityEvent

SecurityEvent
| limit 1

Event

Event
| summarize count() by EventLog, Source

Improving the Final Template! What? Why? 😆

https://github.com/OTRF/Azure-Sentinel2Go

The Final Results 🔥!

Azure Sentinel

Windows 10 VM

[Optional] Ubuntu — Empire Option Set

ssh wardog@<UBUNTU-PUBLIC-IP>
> sudo docker exec -ti empire ./empire
Sysmon
| summarize count() by EventID

"dataSources": {
  "windowsEventLogs": [
    {
      "name": "AuthenticationLog",
      "streams": [
        "Microsoft-WindowsEvent"
      ],
      "scheduledTransferPeriod": "PT1M",
      "xPathQueries": [
        "Security!*[System[(EventID=4624)]]"
      ]
    }
  ]
}
