Simulating A Brute Force Attack & Investigating With Microsoft Sentinel

Carl Feldman

12 Sept 202318:57

Summary

TLDRIn this tutorial, Carl Feldman demonstrates how to simulate a brute-force attack on an Azure virtual machine and investigate the resulting incidents using Microsoft Sentinel. He walks through the process of setting up data connectors, creating a rule to detect failed login attempts, and configuring the system to run queries every five minutes. The video also highlights the steps for triggering and monitoring the brute-force attack, followed by investigating the incidents and using KQL (Kusto Query Language) to analyze security events and manage alerts in Sentinel.

Takeaways

💻 The video demonstrates how to simulate a Brute Force attack on an Azure virtual machine and investigate it using Microsoft Sentinel.
🛠️ The first step is to navigate to Sentinel, go to 'Data Connectors,' search for 'Windows Security Events,' and install it.
📊 After installation, a data collection rule is created using the virtual machine as the resource, filtering specific security events.
🔑 The video focuses on setting up a rule to detect failed login attempts (event ID 4625) as part of simulating a Brute Force attack.
⌛ Sometimes it takes a few minutes for the data connection and analytic rules to be fully active in Sentinel.
📝 A scheduled query rule named 'Brute Force Detection' is created with entity mapping to monitor failed login attempts.
🔍 The presenter runs queries on the virtual machine to simulate the attack by entering various incorrect passwords.
📈 Sentinel's incident feature is used to monitor and investigate the simulated failed logins and IP address details of the attacker.
⚙️ Incidents can be reviewed, status updated, severity set, and assigned to team members for further investigation.
🎓 The video emphasizes the importance of learning KQL (Kusto Query Language) for better usage of Sentinel and investigating security incidents.

Q & A

What is the main focus of the video?
-The main focus of the video is demonstrating how to simulate a brute force attack on a virtual machine and investigate it using Microsoft Sentinel incidents generated by an analytic rule.
What is the first step Carl takes in the simulation process?
-Carl first goes to Microsoft Sentinel, clicks on 'Data connectors', and searches for 'Windows security events'. He then installs the required connector.
What is the purpose of installing the Windows Security Events connector?
-The Windows Security Events connector is installed to enable the collection of security event data from a virtual machine, which is crucial for detecting and analyzing the brute force attack.
How does Carl create a data collection rule in Sentinel?
-Carl creates a data collection rule by going to the 'Windows Security Events' connector page, selecting the virtual machine as the resource, and configuring it to collect only relevant security events.
What is the significance of event ID 4625 in the brute force attack simulation?
-Event ID 4625 is used to track failed login attempts, which are indicative of a brute force attack where multiple incorrect passwords are attempted to gain unauthorized access.
How often does Carl set the query to run in Sentinel Analytics?
-Carl sets the query in Sentinel Analytics to run every five minutes, pulling data from the last 30 minutes.
What is Carl simulating when he attempts multiple incorrect passwords?
-Carl is simulating a brute force attack by repeatedly trying different, incorrect passwords on the virtual machine to trigger failed login attempts.
How does Carl verify if the brute force attack has been detected?
-Carl goes back to Microsoft Sentinel, checks the logs using a query for event ID 4625, and then looks at the incidents tab to see if any incidents related to the brute force attack have been triggered.
What does Carl do after detecting the incident in Sentinel?
-After detecting the incident in Sentinel, Carl views the full details of the incident, runs a query to gather more information, and then marks the incident as a 'benign positive' before closing it.
What tools and resources does Carl suggest for learning KQL (Kusto Query Language)?
-Carl recommends using resources like Cloud Academy and Microsoft Labs to learn KQL (Kusto Query Language), which is important for investigating incidents in Sentinel.