This article will explain how to trigger alerts and incidents for failed logins on Windows machines. This can be particularly useful to the SOC Team during a brute force attack. I am also using a watchlist to add a description to the SubStatus field.
In this article, I will be focusing on Azure Monitor Agent.
Without further ado, let us get started.
Firstly, let us look at the data connectors that are required.
You can navigate to Microsoft Sentinel -> Content Hub and install the solutions namely Windows Security Events and Threat Intelligence.
Once installed, navigate back to Microsoft Sentinel -> Data Connectors and just hit the connect button to ingest Indicators of Compromise from Microsoft Defender Threat Intelligence also referred to as MDTI.
Data Collection Rule
Once that is done, click on the data connector "Windows Security Events via AMA" and hit the open connector page. Once here, click on Create Data Collection Rule under Configuration.
Now, give a name for your rule and select the Resource Group where the DCR configuration will reside.
Once done, click on Next and here, we can add our resource similar to the following screenshot.
Click Next. For this demo I am going to collect All Security Events; however, if required you can also add a custom XPath query.
If using Custom, you can use the following XPath to monitor Event ID 4625. XPath entries are written in the format "LogName!XPathQuery".
Security!*[System[(EventID=4625)]]
Once done, hit the Review and Create button.
Azure will use the REST API to push the DCR configuration and deploy the Azure Monitor Agent to the selected resources.
Now, let's check if AMA has been provisioned. Head back to Microsoft Sentinel -> Logs and use the following query.
That's great, our test server is sending heartbeats.
Analytic Rule
Now, let us create the analytic rule. Make sure you select NRT (Near Real-Time) so that we get notified as soon as a failed login event has been detected.
I will add screenshots and you can add a similar rule.
Let us have a look at the query itself.
// Watchlist that maps each 4625 SubStatus code to a human-readable description
let SubStatus = GetWatchlist("SubstatusList");
SecurityEvent
| where EventID == 4625  // An account failed to log on
// Inner join on the watchlist's SearchKey column; events whose SubStatus has no watchlist entry are dropped
| join kind=innerunique SubStatus on $left.SubStatus == $right.SearchKey
| project
    TimeGenerated,
    EventID,
    WorkstationName,
    LogonTypeName,
    SubStatus,
    Description,
    Account,
    Computer,
    IpAddress
// Dedicated columns used for the entity mappings below
| extend AccountEntity = Account
| extend IPEntity = IpAddress
Here, we can see that I am leveraging a watchlist to match the SubStatus code and give us a description for it. We will get to the watchlist in the next section.
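To make the watchlist join concrete, here is an added Python example (not code from the original post) that builds a SearchKey/Description CSV from Microsoft's documented 4625 SubStatus codes and then applies the same filter, join, project and entity steps as the rule query to a few constructed SecurityEvent rows. The CSV contents, sample rows and function names are my own assumptions; the description text is abridged.

```python
import csv

# Constructed watchlist CSV. The key column is named SearchKey so it matches the
# rule's join; the codes and meanings are Microsoft's documented 4625 SubStatus values.
SUBSTATUS_CSV = """SearchKey,Description
0xC0000064,User name does not exist
0xC000006A,User name is correct but the password is wrong
0xC0000071,Password expired
0xC0000072,Account disabled
0xC0000133,Clock skew between client and domain controller too large
0xC0000193,Account expired
0xC0000234,Account locked out
"""

PROJECTED = ("TimeGenerated", "EventID", "WorkstationName", "LogonTypeName",
             "SubStatus", "Account", "Computer", "IpAddress")

def load_watchlist(text):
    """Parse the CSV into {SearchKey: Description}. Keys are lower-cased: the KQL '=='
    join is case-sensitive, so the hex case in the table and in the CSV must agree."""
    return {r["SearchKey"].lower(): r["Description"] for r in csv.DictReader(text.splitlines())}

def enrich_failed_logons(events, watchlist):
    """Mirror the rule query: keep EventID 4625, inner-join on SubStatus (unmatched rows
    are dropped, as with kind=innerunique), project, then add the entity columns."""
    rows = []
    for ev in events:
        desc = watchlist.get(str(ev.get("SubStatus", "")).lower())
        if ev.get("EventID") != 4625 or desc is None:
            continue
        row = {k: ev.get(k) for k in PROJECTED}
        row["Description"] = desc
        row["AccountEntity"] = row["Account"]  # entity mapping: Account
        row["IPEntity"] = row["IpAddress"]     # entity mapping: IP
        rows.append(row)
    return rows

def _event(eid, sub, acct, ip="203.0.113.10"):
    # Constructed SecurityEvent row; sample values, not real telemetry.
    return {"TimeGenerated": "2024-01-01T10:00:00Z", "EventID": eid, "Account": acct,
            "Computer": "TESTSRV", "WorkstationName": "LAB-PC",
            "LogonTypeName": "10 - RemoteInteractive", "SubStatus": sub, "IpAddress": ip}

SAMPLE_EVENTS = [
    _event(4625, "0xc000006a", r"LAB\alice"),  # wrong password: matches watchlist
    _event(4625, "0xc0000234", r"LAB\bob"),    # locked out: matches watchlist
    _event(4624, "0x0", r"LAB\alice"),         # successful logon: filtered by EventID
    _event(4625, "0xc0000999", r"LAB\carol"),  # constructed unknown code: dropped by join
]
```

If your watchlist was typed in upper-case hex and the SecurityEvent values arrive in lower-case (or vice versa), the KQL join silently matches nothing, which is the failure mode the lower-casing in `load_watchlist` guards against.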
You can use the following Entity Mappings.
For the next tab, I have disabled grouping as I want individual events to generate unique alerts and incidents.
Now, for automation I am running a playbook which will block the attacker IP at the NSG level and enrich the IP with geographic details and a threat score, which will aid the SOC Team in their investigation. I will show the playbook architecture and how it works in the next article.
Once done, hit Review and Create.
Watchlist
Navigate to the watchlist blade in Microsoft Sentinel.
Click on Create and you can use the following name and alias.
I am attaching the csv file below for easier upload.
It is a simple two-column file that just maps each code to its description.
Use the following settings for the second tab.
Next, just hit Review and Create! It might take a few minutes for the values to get ingested into the Watchlist table. Now, let us move on to the actual testing phase and have a look at our incident.
Testing Phase
I am going to generate a failed login event and then have a look at the incident.
As I am using my own machine and its IP is not an IoC, I need to add a mock indicator so that we can see the IP enrichment.
For this, I head back to Microsoft Sentinel -> Threat Intelligence and click on the Add New button. The following is the indicator that I have pushed; sensitive information is redacted.
You can verify the same by querying the following table.
ThreatIntelligenceIndicator
| where NetworkIP == 'XXX'
Hit the Apply button, and now it is finally time to RDP with an invalid password.
Once done, go to your VM -> Windows Event Viewer -> Windows Logs -> Security and look for a failed login event by using the following search filter.
Great, I can see one failed login here.
Incident
Within 2 minutes, I could see an incident generated in Microsoft Sentinel.
As the automation has triggered our playbook, the severity has been lowered to Low, a descriptive summary has been added, and a task has been added with the geo details of the attacker IP address.
Let's scroll down and see what else has been added.
Here, thanks to the watchlist that we created earlier, we get a description which seems to be accurate; however, do not rely on the description completely for your investigation.
Here, we can see additional tags added like Playbook run status and Threat Score.
I also got a cool-looking email notification.
Thank you for reading!